Blue Team Playbook

Blue Team Playbook

This is a comprehensive playbook for incident responce.
Including checklists for identifying and remediating malware.

- Windy Garlic

 

 

 

IDENTIFY MALWARE 
PROCESS EXPLORER 
 
Step 1: Look at running processes by running Process 
Explorer (GUI) and identify potential indicators of 
compromise: 
• Items with no icon 
• Items with no description or company name 
• Unsigned Microsoft images (First add Verified 
Signer column under View tab->Select Columns, 
then go to Options tab and choose Verify Image 
Signatures) 
• Check all running process hashes in Virus Total 
(Go to Options tab and select Check 
VirusTotal.com) 
• Suspicious files are in Windows directories or 
user profile 
• Purple items that are packed or compressed 
Items with open TCP/IP endpoints 

 
Step 2: Signature File Check: 
( See Sigcheck) 

 
Step 3: Strings Check: 
• Right click on suspicious process in Process 
Explorer and on pop up window choose Strings tab 
and review for suspicious URLs. Repeat for Image 
and Memory radio buttons. 
• Look for strange URLs in strings 

 
Step 4: DLL View: 
• Pop open with Ctrl+D 
• Look for suspicious DLLs or services 
• Look for no description or no company name 
88 

• Look at VirusTotal Results column 

 

Step 5: Stop and Remove Malware: 
• Right click and select Suspend for any identified 
suspicious processes 
• Right click and select Terminate Previous 
Suspended processes 

 
Step 6: Clean up where malicious files Auto start on 
reboot. 
• Launch Autoruns 
• Under Options, Check the boxes Verify Code 
Signatures and Hide Microsoft entries 
• Look for suspicious process file from earlier 
steps on the everything tab and uncheck. Safer to 
uncheck than delete, in case of error. 
• Press FS, to refresh Autoruns, and confirm 
malicious file has not recreated the malicious 
entry into the previous unchecked auto start 
location. 

 
Step 7: Process Monitor 
• If malicious activity is still persistent, run 
Process Monitor. 
• Look for newly started process that start soon 
after terminated from previous steps. 
Step 8: Repeat as needed to find all malicious files 
and process and/or combine with other tools and 
suites 

CHECKLIST FOR EVERY SUSPECT MACHINE 

1 Network Connections - 

• netstat -nob 

2 Auto run tasks - 

task scheduler, startup folder for user, startup folder for -=ALL USERS=-, registry, WMI, verified tasks, etc. 

OR use Autoruns (sysinternals) 

Autoruns - 

• check login tab and Scheduled tasks 

• yellow is suspicious, it means can't be located 

• pink unverified 

• check explorer and service tabs 

• check drivers tab to look for suspicious drivers 

3 Removable media - 

• USB, CD, network drives 

• Check common folders  

4 Email - 

• Email clients / Email server 

• Check web history 

5 Recent files/folders(That align with the time of attack) - 

• ‘datemodified:today’ 

6 Processes - 

Task manager, process explorer, process monitor Process explorer - 

• check if process has a publisher and its verified 

• check where the process is running from 

• check parent process 

• check virus total 

• check web 

• check TCP/IP tab for connections 

• check strings, look for IP's commands and IOC's 

7 Logs - 

Event Viewer 

• How many systems are still unknown, clear, suspicious, or infected? 

• Networking device(s) changes. (Switches, Routers, 

• Firewalls, IPS, NAC, Wi-Fi, etc.). 

• Active Directory OU isolation of suspected systems. 

• Active Directory - User account restrictions and resets. 

• Active Directory policies to prohibit threats from 

• running and/or access. 

• Firewall blocks. 

• DNS blocks (null route malware site(s). 

• Web filtering blocks. 

  
  

  
  

  REMEDIATION TASKS 

   Administrative AD Password Changes. 

   Local Administrative Password Changes. 

   User AD Password Changes. 

   Local User Password Changes. 

   Service Account Password Changes. 

   Push Antivirus updates for detected malware. 

   Try multiple antivirus tools. 

   What Active Directory GPO polices are set (Logs,Restrictions, etc.)? 

   What is the network architecture and how would Malware traverse? 

   Are there additional IDS/IPS segments that need 

   coverage to prevent/detect outbreak? 

   3rd Party Applications missing patches (Adobe, Java, etc.)? 

  Open/Closed 

  Monitor client email for vendor or other business 

  continuity items of interest. 

  Monitor RDP sessions on external accessible RDP client system.

  Are there any applications in use that are facilitating the attack? If so, are there alternatives? 

  Is there a baseline system to review for changes? 

  Monitor user name variations. 

  Managing and monitoring tasks. 

  Review border router logs. 

  Review VPN (remote access) logs. 

  Citrix / VMWare or similar logs. 

  Review accounting server(s) logs and trends of users. 

  AD server logs. 

  Review Anti-Virus (Malicious Code Services) logs. 

  Review email abuse notifications and logs. 

  Review DNS logs. 

  Review account and policy abuse logs. 

  Review host firewall logs. 

  • 
    

  
  

  
  

Key Questions to Answer  

 

• What was the initial attack vector? (i.e., How did the adversary gain initial access to the network?)  

 

• How is the adversary accessing the environment? 

 

• Is the adversary exploiting vulnerabilities to achieve access or privilege?  

 

• How is the adversary maintaining command and control?  

 

• Does the actor have persistence on the network or device?  

 

• What is the method of persistence (e.g., malware backdoor, webshell, legitimate credentials, remote tools, etc.)?  

 

• What accounts have been compromised and what privilege level (e.g., domain admin, local admin, user account, etc.)?  

 

• What method is being used for reconnaissance? (Discovering the reconnaissance method may provide an opportunity for detection and to determine possible intent.)  

 

• Is lateral movement suspected or known? How is lateral movement conducted (e.g., RDP, network shares, malware, etc.)?  

 

• Has data been exfiltrated and, if so, what kind and via what mechanism?