conducting-malware-incident-response

# Conducting Malware Incident Response

## When to Use

- EDR or antivirus detects malware execution on one or more endpoints
- A user reports suspicious system behavior indicative of malware infection
- Threat intelligence indicates a malware campaign targeting the organization's industry
- Network monitoring detects beaconing traffic consistent with known malware C2 patterns
- A file detonation in a sandbox returns a malicious verdict

**Do not use** for analyzing malware samples in a research context; use dedicated malware analysis procedures for reverse engineering.

## Prerequisites

- EDR platform with process tree visibility and host isolation capability
- Malware sandbox environment (Cuckoo, ANY.RUN, Joe Sandbox, Hybrid Analysis)
- Access to threat intelligence platforms for malware family identification (VirusTotal, MalwareBazaar)
- Forensic imaging tools for evidence preservation (FTK Imager, KAPE)
- Clean system images or gold images for endpoint rebuild
- MITRE ATT&CK framework reference for technique mapping

## Workflow

### Step 1: Detect and Confirm Malware Presence

Validate the malware alert and gather initial indicators:

- Review EDR alert details: detection name, file path, hash (SHA-256), process tree
- Check if the detection is a known malware family or generic heuristic detection
- Query the file hash against VirusTotal, MalwareBazaar, and internal threat intelligence
- Examine the process execution chain to determine how the malware was delivered

```
Detection Summary:
File:        C:\Users\jsmith\AppData\Local\Temp\update.exe
SHA-256:     a1b2c3d4e5f6...
Detection:   CrowdStrike: Malware/Qakbot | VirusTotal: 58/72 engines
Parent:      WINWORD.EXE → cmd.exe → powershell.exe → update.exe
Delivery:    Email attachment (Invoice-Nov2025.docm)
Network:     HTTPS POST to 185.220.101[.]42:443 every 60s
Persistence: Scheduled Task "WindowsUpdate" → update.exe
```

### Step 2: Scope the Infection

Determine how many systems are affected and the malware's propagation method:

- Use EDR to search for the malware hash, filename, and behavioral indicators across all endpoints
- Check for network-based spreading (SMB, WMI, PsExec, exploitation)
- Query email gateway logs for all recipients of the delivery email
- Search for C2 communications to the identified infrastructure from other internal hosts
- Check for persistence mechanisms on all identified infected hosts

### Step 3: Contain Infected Systems

Execute containment per the active breach containment procedures:

- Network-isolate infected endpoints via EDR containment
- Block malware C2 infrastructure at firewall and DNS
- Block the malware hash in EDR prevention policy organization-wide
- Quarantine the delivery email from all mailboxes (if email-delivered)
- Disable compromised user accounts if credential theft is suspected

### Step 4: Analyze the Malware

Perform sufficient analysis to support complete eradication:

- Submit the sample to a sandbox for dynamic analysis (behavioral report, dropped files, network IOCs)
- Identify all persistence mechanisms: registry keys, scheduled tasks, services, WMI subscriptions, startup folders
- Document all file system artifacts: dropped files, modified files, created directories
- Extract network IOCs: C2 domains, IPs, URLs, user agents, JA3/JA3S hashes
- Map observed behaviors to MITRE ATT&CK techniques

```
Malware Analysis Summary - Qakbot Variant
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Initial Access:   T1566.001 - Spearphishing Attachment (.docm)
Execution:        T1059.001 - PowerShell (encoded downloader)
Persistence:      T1053.005 - Scheduled Task
Defense Evasion:  T1055.012 - Process Hollowing (explorer.exe)
C2:               T1071.001 - HTTPS with custom headers
Collection:       T1005 - Data from Local System (browser credentials)
Exfiltration:     T1041 - Exfiltration Over C2 Channel

Artifacts:
- C:\Users\*\AppData\Local\Temp\update.exe (dropper)
- C:\ProgramData\Microsoft\{GUID}\config.dll (payload)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{random} (backup persistence)
- Scheduled Task: "WindowsUpdate" (primary persistence)
```

### Step 5: Eradicate the Malware

Remove all malware artifacts from every infected system:

- Terminate malicious processes and injected threads
- Delete malware files from all identified paths
- Remove persistence mechanisms (scheduled tasks, registry keys, services, WMI subscriptions)
- Clear browser credential stores if credential harvesting was confirmed
- Run a full EDR scan to verify no artifacts remain
- If eradication confidence is low, reimage the system from a known-clean gold image

### Step 6: Recover and Validate

Restore systems to production and verify clean status:

- Reconnect contained systems to the network in stages
- Monitor for 72 hours for any recurrence of malware indicators
- Force password resets for all users on infected endpoints
- Verify that C2 traffic has completely ceased across the environment
- Update detection rules based on newly discovered IOCs from the investigation
- Distribute IOCs to threat intelligence sharing partners (ISAC, MISP)

## Key Concepts

| Term | Definition |
|------|------------|
| **Malware Family** | Classification of malware variants sharing code, infrastructure, or behavior patterns (e.g., Qakbot, Emotet, Cobalt Strike) |
| **Process Hollowing** | Technique where malware creates a legitimate process in a suspended state, replaces its memory with malicious code, then resumes execution |
| **Beacon** | Periodic network communication from malware to its C2 server, typically with a set interval and jitter for detection evasion |
| **Dropper** | Initial malware component that downloads or unpacks the primary payload; often delivered via phishing |
| **Persistence Mechanism** | Method used by malware to survive system reboots (registry run keys, scheduled tasks, services, WMI event subscriptions) |
| **IOC (Indicator of Compromise)** | Observable artifact such as file hash, IP address, domain, or registry key that indicates malware presence |

## Tools & Systems

- **CrowdStrike Falcon / Microsoft Defender for Endpoint**: EDR platforms for detection, containment, and threat hunting
- **ANY.RUN / Joe Sandbox**: Interactive malware sandboxes for dynamic behavioral analysis
- **VirusTotal / MalwareBazaar**: Malware intelligence platforms for sample identification and IOC enrichment
- **KAPE (Kroll Artifact Parser and Extractor)**: Forensic triage tool for rapid artifact collection from infected endpoints
- **YARA**: Pattern-matching engine for creating custom malware detection rules based on observed indicators

## Common Scenarios

### Scenario: Emotet Loader Leading to Cobalt Strike Deployment

**Context**: EDR detects a macro-enabled document that spawns PowerShell, downloads an Emotet DLL, which subsequently loads a Cobalt Strike beacon. Three hosts are infected within 45 minutes.

**Approach**:
1. Immediately isolate all three hosts and block C2 IPs at the perimeter
2. Search email gateway for all recipients of the original phishing email and quarantine it
3. Sweep all endpoints for the Emotet DLL hash and Cobalt Strike beacon indicators
4. Analyze the Cobalt Strike beacon configuration to extract watermark, C2 profile, and staging URLs
5. Check for credential harvesting (Mimikatz/LSASS dump) and lateral movement artifacts
6. Eradicate all malware artifacts and reset credentials for affected users

**Pitfalls**:
- Focusing only on Emotet and missing the Cobalt Strike second-stage payload
- Failing to extract and block the Cobalt Strike Malleable C2 profile indicators
- Not checking for additional persistence beyond the initial detection (Emotet often installs multiple backup persistence mechanisms)

## Output Format

```
MALWARE INCIDENT RESPONSE REPORT
=================================
Incident:         INC-2025-1547
Malware Family:   Qakbot (variant: Obama265)
Delivery Vector:  Spearphishing attachment (Invoice-Nov2025.docm)
First Detection:  2025-11-15T14:23:17Z
Scope:            4 endpoints confirmed infected

INFECTION TIMELINE
14:18 UTC - Phishing email received by jsmith@corp.example.com
14:19 UTC - Macro executed in WINWORD.EXE
14:20 UTC - PowerShell downloads update.exe from staging server
14:21 UTC - update.exe establishes persistence (Scheduled Task)
14:23 UTC - C2 beacon initiated to 185.220.101[.]42
14:35 UTC - Lateral spread to WKSTN-087 via stolen credentials
14:42 UTC - EDR detection fires, SOC alerted

IOCs EXTRACTED
File Hashes:  [SHA-256 list]
C2 Domains:   [domain list]
C2 IPs:       [IP list]
File Paths:   [artifact paths]

ERADICATION STATUS
[x] All malware artifacts removed from 4 hosts
[x] Persistence mechanisms deleted
[x] C2 infrastructure blocked
[x] Compromised credentials reset
[x] Email quarantined from all mailboxes

RECOMMENDATIONS
1. Deploy YARA rule for Qakbot variant detection
2. Block macro execution in documents from external senders
3. Implement application whitelisting on finance workstations
```