Blue Team Playbook

This is a comprehensive playbook for incident response, including checklists for identifying and remediating malware.

- Windy Garlic




Step 1: Look at running processes by running Process Explorer (GUI) and identify potential indicators of
• Items with no icon
• Items with no description or company name
• Unsigned Microsoft images (first add the Verified Signer column under View tab -> Select Columns, then go to the Options tab and choose Verify Image)
• Check all running process hashes in VirusTotal (go to the Options tab and select Check)
• Suspicious files are in Windows directories or user profile
• Purple items that are packed or compressed
• Items with open TCP/IP endpoints

Step 2: Signature File Check (see Sigcheck)

Step 3: Strings Check:
• Right-click the suspicious process in Process Explorer and choose the Strings tab in the pop-up window; review it for suspicious URLs. Repeat for the Image and Memory radio buttons.
• Look for strange URLs in the strings

Step 4: DLL View:
• Open it with Ctrl+D
• Look for suspicious DLLs or services
• Look for entries with no description or no company name
• Look at the VirusTotal Results column


Step 5: Stop and Remove Malware:
• Right-click and select Suspend for any identified suspicious processes
• Right-click and select Terminate for the previously suspended processes

Step 6: Clean up where malicious files Auto start on
• Launch Autoruns
• Under Options, check the boxes Verify Code Signatures and Hide Microsoft Entries
• Look for the suspicious process file from the earlier steps on the Everything tab and uncheck it. It is safer to uncheck than to delete, in case of error.
• Press F5 to refresh Autoruns, and confirm that the malicious file has not recreated the malicious entry in the previously unchecked auto start

Step 7: Process Monitor
• If malicious activity is still persistent, run Process Monitor.
• Look for newly started processes that start soon after the ones terminated in the previous steps.
Step 8: Repeat as needed to find all malicious files and processes and/or combine with other tools and
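A scripted pass over the Step 1 and Step 2 checks (description, company name, signature, location, TCP endpoints), added here as an example and not part of the original playbook. It assumes an elevated PowerShell 5.1+ session on the host under investigation and only reports; suspending or terminating (Step 5) stays a manual decision.

```powershell
# Added example, not from the playbook: reproduces the Step 1/2 checks in one pass.
# Assumes an elevated PowerShell 5.1+ session; nothing here changes process state.

# Established TCP connections keyed by owning PID (the TCP/IP tab equivalent)
$byPid = @{}
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    ForEach-Object { $byPid["$($_.OwningProcess)"] += @($_) }

$findings = foreach ($p in Get-Process | Where-Object Path) {
    $reasons = @()
    # Version resource read from the file on disk, so protected processes do not throw
    $info = (Get-Item -LiteralPath $p.Path -ErrorAction SilentlyContinue).VersionInfo
    if (-not $info.FileDescription) { $reasons += 'no description' }
    if (-not $info.CompanyName)     { $reasons += 'no company name' }

    # Authenticode check. Many Microsoft binaries are catalog-signed; if a file under
    # Windows shows NotSigned here, confirm with Sigcheck as in Step 2 before acting.
    $sig = Get-AuthenticodeSignature -FilePath $p.Path
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    if ($info.CompanyName -like 'Microsoft*' -and $sig.Status -ne 'Valid') {
        $reasons += 'claims Microsoft but not verified'
    }

    # Images running out of the user profile or ProgramData (the playbook's suspicious locations)
    foreach ($root in $env:USERPROFILE, $env:ProgramData) {
        if ($p.Path -like "$root\*") { $reasons += "runs from $root"; break }
    }

    # Items with open TCP/IP endpoints
    $conns = $byPid["$($p.Id)"]
    if ($conns) {
        $peers = ($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '
        $reasons += "established TCP to $peers"
    }

    if ($reasons) {
        [pscustomobject]@{
            PID     = $p.Id
            Name    = $p.Name
            Path    = $p.Path
            # hash to look up in VirusTotal manually; nothing is uploaded by this script
            SHA256  = (Get-FileHash -Algorithm SHA256 -LiteralPath $p.Path).Hash
            Reasons = $reasons -join '; '
        }
    }
}

$findings | Sort-Object PID | Format-Table -AutoSize -Wrap
```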


1 Network Connections - 

  • netstat -nob 

2 Auto run tasks - 

Task Scheduler, startup folder for the user, startup folder for All Users, registry, WMI, verified tasks, etc.

OR use Autoruns (sysinternals) 

Autoruns - 

  • check login tab and Scheduled tasks 

  • yellow is suspicious: it means the file can't be located

  • pink means unverified

  • check explorer and service tabs 

  • check drivers tab to look for suspicious drivers 

3 Removable media - 

  • USB, CD, network drives 

  • Check common folders  

4 Email - 

  • Email clients / Email server 

  • Check web history 

5 Recent files/folders(That align with the time of attack) - 

  • datemodified:today 

6 Processes - 

Task Manager, Process Explorer, Process Monitor

Process Explorer -

  • check if the process has a publisher and whether it is verified

  • check where the process is running from 

  • check parent process 

  • check virus total 

  • check web 

  • check TCP/IP tab for connections 

  • check strings; look for IPs, commands and IOCs

7 Logs - 

Event Viewer 
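One sweep over the autostart locations listed under item 2 (Run keys, startup folders, scheduled tasks, WMI consumers) together with the recent-file search from item 5, added as an example and not part of the original checklist. It assumes an elevated PowerShell 5.1+ session; $Since is a constructed 24-hour window that should be set to the suspected time of attack.

```powershell
# Added example, not from the playbook: items 2 and 5 of the checklist in one pass.
# Assumes an elevated PowerShell 5.1+ session. $Since is a constructed window.
$Since  = (Get-Date).AddHours(-24)
$psMeta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'   # provider noise, not values

# Run / RunOnce keys for the machine and the current user
$runKeys = 'HKLM:','HKCU:' | ForEach-Object {
    "$_\Software\Microsoft\Windows\CurrentVersion\Run"
    "$_\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
$registry = foreach ($k in $runKeys | Where-Object { Test-Path $_ }) {
    $props = Get-ItemProperty -Path $k
    foreach ($name in $props.PSObject.Properties.Name | Where-Object { $_ -notin $psMeta }) {
        [pscustomobject]@{ Source = $k; Name = $name; Command = $props.$name }
    }
}

# Startup folders for the current user and for All Users
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
$startup = Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
    Select-Object @{n='Source';e={'Startup folder'}}, Name, @{n='Command';e={$_.FullName}}

# Scheduled tasks and the command each action runs
$tasks = Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        [pscustomobject]@{ Source = "Task $($t.TaskPath)"; Name = $t.TaskName; Command = "$($a.Execute) $($a.Arguments)" }
    }
}

# Permanent WMI event consumers (command-line and script consumers survive reboots)
$wmi = Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer -ErrorAction SilentlyContinue |
    Select-Object @{n='Source';e={'WMI consumer'}}, Name, @{n='Command';e={"$($_.CommandLineTemplate)$($_.ScriptText)"}}

@($registry) + @($startup) + @($tasks) + @($wmi) | Format-Table -AutoSize -Wrap

# Item 5: executable content written inside the window under the common drop locations
$dropDirs = $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, "$env:USERPROFILE\Downloads"
$recent = Get-ChildItem -Path $dropDirs -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since -and $_.Extension -in '.exe','.dll','.ps1','.vbs','.js','.bat','.cmd','.scr','.lnk' } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, FullName
$recent | Format-Table -AutoSize
```

Anything listed here that was not present on a known-good baseline is a candidate for the Autoruns uncheck-and-refresh step above.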

  • How many systems are still unknown, clear, suspicious, or infected?

  • Networking device(s) changes (switches, routers, firewalls, IPS, NAC, Wi-Fi, etc.).

  • Active Directory OU isolation of suspected systems.

  • Active Directory - user account restrictions and resets.

  • Active Directory policies to prohibit threats from running and/or access.

  • Firewall blocks.

  • DNS blocks (null route malware site(s)).

  • Web filtering blocks.


     Administrative AD Password Changes. 

     Local Administrative Password Changes. 

     User AD Password Changes. 

     Local User Password Changes. 

     Service Account Password Changes. 

     Push Antivirus updates for detected malware. 

     Try multiple antivirus tools. 

     What Active Directory GPO policies are set (logs, restrictions, etc.)?

     What is the network architecture and how would Malware traverse? 

     Are there additional IDS/IPS segments that need coverage to prevent/detect outbreak?

     3rd Party Applications missing patches (Adobe, Java, etc.)? 


    Monitor client email for vendor or other business continuity items of interest.

    Monitor RDP sessions on externally accessible RDP client systems.

    Are there any applications in use that are facilitating the attack? If so, are there alternatives? 

    Is there a baseline system to review for changes? 

    Monitor user name variations. 

    Managing and monitoring tasks. 

    Review border router logs. 

    Review VPN (remote access) logs. 

    Citrix / VMWare or similar logs. 

    Review accounting server(s) logs and trends of users. 

    AD server logs. 

    Review Anti-Virus (Malicious Code Services) logs. 

    Review email abuse notifications and logs. 

    Review DNS logs. 

    Review account and policy abuse logs. 

    Review host firewall logs. 

Key Questions to Answer

• What was the initial attack vector? (i.e., How did the adversary gain initial access to the network?)

• How is the adversary accessing the environment?

• Is the adversary exploiting vulnerabilities to achieve access or privilege?

• How is the adversary maintaining command and control?

• Does the actor have persistence on the network or device?

• What is the method of persistence (e.g., malware backdoor, webshell, legitimate credentials, remote tools, etc.)?

• What accounts have been compromised and at what privilege level (e.g., domain admin, local admin, user account, etc.)?

• What method is being used for reconnaissance? (Discovering the reconnaissance method may provide an opportunity for detection and to determine possible intent.)

• Is lateral movement suspected or known? How is lateral movement conducted (e.g., RDP, network shares, malware, etc.)?

• Has data been exfiltrated and, if so, what kind and via what mechanism?

Common techniques, event sources and indicators by attack phase

Initial Access
  Common techniques: Phishing [T1566], Drive-by Compromise [T1189], Exploit Public Facing Application [T1190], External Remote Services
  Event sources: Email, web proxy, server application logs, IDS/IPS
  Indicators: Phishing, redirect, and payload servers (domains and IP addresses), delivery mechanisms (lures, macros, downloaders, droppers, etc.), compromised credentials, web shells

Execution
  Common techniques: Command and Script Interpreters [T1059], Exploitation for Client Execution
  Event sources: Host event logs, Windows event logs, Sysmon, anti-malware, EDR, PowerShell
  Indicators: Invocation of command or scripting interpreter, exploitation, API calls, malware, payloads

Persistence
  Common techniques: Account Manipulation, Scheduled Task/Job [T1053], Valid Accounts [T1078]
  Event sources: Host event logs, authentication logs, Registry
  Indicators: Scheduled tasks, registry keys, autoruns, etc.

Lateral Movement
  Common techniques: Exploitation of Remote Services [T1210], Remote Session Hijacking [T1563], Software Deployment
  Event sources: Internal network logs, host event logs, application logs
  Indicators: Mismatch of users and applications/credentials, workstation to workstation communication, beaconing from hosts not intended to be internet accessible, etc.

Credential Access
  Common techniques: Brute Force [T1110], Modify Authentication Process [T1556]
  Event sources: Authentication logs, Domain Controller logs, network traffic monitoring
  Indicators: LSASS reads, command or scripting interpreters accessing LSASS, etc.

Command and Control
  Common techniques: Application Layer Protocol [T1071], Protocol Tunneling [T1572]
  Event sources: Firewall, web proxy, DNS, network traffic, cloud activity logs, IDS/IPS
  Indicators: C2 domains, IP addresses

Exfiltration
  Common techniques: Exfiltration Over C2 Channel [T1041], Exfiltration Over Alternative Protocol [T1048]
  Event sources: Firewall, web proxy, DNS, network traffic, cloud activity logs, IDS/IPS
  Indicators: Domains, URLs, IP addresses, IDS/IPS signatures
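The Credential Access row names Sysmon as an event source and "LSASS reads" and "command or scripting interpreters accessing LSASS" as the indicators. The following query turns that row into a concrete check; it is an added example, not part of the original table, and assumes Sysmon is installed with ProcessAccess (Event ID 10) logging enabled and an elevated PowerShell session. $Since is a constructed 24-hour window.

```powershell
# Added example, not from the playbook: Sysmon Event ID 10 (ProcessAccess) filtered
# to accesses of lsass.exe. Assumes Sysmon with ProcessAccess logging; $Since is constructed.
$Since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 10
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Interpreters the table calls out; extend with whatever your environment treats as unusual
$interpreters = 'powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe'

$hits = foreach ($e in $events) {
    # Sysmon stores its fields as <Data Name="...">value</Data>; fold them into a hashtable
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetImage -notlike '*\lsass.exe') { continue }

    $source = Split-Path -Leaf $d.SourceImage
    $reason = @()
    if ($source -in $interpreters) { $reason += 'command or scripting interpreter accessing LSASS' }

    # GrantedAccess is a hex mask; PROCESS_VM_READ (0x10) is what a memory read needs
    $access = [Convert]::ToInt32($d.GrantedAccess, 16)
    if ($access -band 0x10) { $reason += ('LSASS read access (0x{0:X})' -f $access) }

    if ($reason) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Source = $d.SourceImage
            PID    = $d.SourceProcessId
            Access = $d.GrantedAccess
            Reason = $reason -join '; '
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Anti-malware and EDR agents legitimately read LSASS, so compare the Source column against the tooling you know is deployed before treating a hit as credential access.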