RP0008: Windows host compromise
Summary
ID | RP0008 |
---|---|
Brief Description | Live Analysis on a suspicious Windows system |
Author | @SEC |
Creation Date | 2023/05/20 |
Modification Date | 2023/05/20 |
References | |
Workflow
Description of the workflow in Markdown format. Anything can go here, e.g. specific conditions/requirements or details on the order in which the Response Actions are executed. Newlines are preserved.
Playbook Actions
Preparation
Prepare Golden Images
Deploy EDR Solution
Check Monitoring Toolset
Check Analysis Toolset
Define Teams and Roles
Define Escalation Path
Make Sure All Hosts Are Synced To The Same NTP Source
Prepare Acquisition Profiles
Prepare Network Activity Profiles
Prepare Process Activity Profiles
Prepare Golden Image Comparison Tool
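The golden image comparison tool and the NTP check that the Preparation steps above call for, as an added PowerShell example. This is not code from the original playbook or from the ATC project; the baseline directories, CSV locations, host names and the WinRM access used by Get-NtpSource are assumptions.

```powershell
# Added example, not from the original playbook: hash-baseline a golden image,
# diff a live host against it, and report which NTP source each host uses.
# Paths, file names and host names are assumptions for illustration.

function New-BaselineManifest {
    param(
        [Parameter(Mandatory)] [string[]] $Paths,    # directories to baseline, e.g. C:\Windows\System32
        [Parameter(Mandatory)] [string]   $OutFile   # CSV manifest written by this function
    )
    Get-ChildItem -Path $Paths -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path   = $_.FullName
                Length = $_.Length
                SHA256 = if ($h) { $h.Hash } else { 'UNREADABLE' }   # locked or ACL-denied files
            }
        } | Export-Csv -Path $OutFile -NoTypeInformation
}

function Compare-ToBaseline {
    param(
        [Parameter(Mandatory)] [string]   $BaselineCsv,   # manifest from New-BaselineManifest
        [Parameter(Mandatory)] [string[]] $Paths          # the same directories, on the suspect host
    )
    $baseline = @{}
    Import-Csv -Path $BaselineCsv | ForEach-Object { $baseline[$_.Path] = $_.SHA256 }

    $seen = @{}
    Get-ChildItem -Path $Paths -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $seen[$_.FullName] = $true
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if (-not $baseline.ContainsKey($_.FullName)) {
            [pscustomobject]@{ Status = 'ADDED';    Path = $_.FullName; SHA256 = $h }
        } elseif ($baseline[$_.FullName] -ne $h) {
            [pscustomobject]@{ Status = 'MODIFIED'; Path = $_.FullName; SHA256 = $h }
        }
    }
    # Files that exist in the golden image but are missing on the live host
    foreach ($p in $baseline.Keys) {
        if (-not $seen.ContainsKey($p)) {
            [pscustomobject]@{ Status = 'REMOVED'; Path = $p; SHA256 = $baseline[$p] }
        }
    }
}

function Get-NtpSource {
    # Ask each host over WinRM which time source w32time actually uses, so hosts
    # on a different clock are spotted before any timeline is built on their logs
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $status = w32tm /query /status
        [pscustomobject]@{
            Host     = $env:COMPUTERNAME
            Source   = (w32tm /query /source)
            LastSync = ($status | Select-String 'Last Successful Sync Time') -replace '^[^:]*:\s*', ''
        }
    }
}

# Usage (assumed paths and hosts):
# New-BaselineManifest -Paths 'C:\Windows\System32' -OutFile 'D:\baseline\win-golden.csv'
# Compare-ToBaseline -BaselineCsv 'D:\baseline\win-golden.csv' -Paths 'C:\Windows\System32' |
#     Export-Csv -Path 'D:\cases\host01-diff.csv' -NoTypeInformation
# Get-NtpSource -ComputerName 'host01', 'host02' | Group-Object Source
```

Build the manifest from the exact image build and patch level that was deployed, otherwise every Windows Update shows up as MODIFIED and the ADDED/REMOVED lists become noise. Get-NtpSource parses the English output of w32tm; on localized systems the Select-String pattern has to match the translated label.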
Identification
Make A Volatile Memory Capture
Conduct Memory Analysis
Compromised Active Directory Account
[Unimplemented] RP_0010_identify_persistence_mechanisms
Build Super Timeline
Prepare IOC List
Scan With IOCs And Rules
[Unimplemented] RP_0011_make_sure_all_footholds_have_been_identified
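The IOC scan step above, as an added PowerShell example that is not part of the original playbook or of the ATC project. The memory capture itself is done with a dedicated imaging tool and is not covered here; this block scans the volatile state that is still available on the live host. Every indicator in the $Iocs table is a constructed placeholder, and the output path in the usage comment is an assumption.

```powershell
# Added example, not from the original playbook: scan the volatile state of a
# live Windows host (processes, TCP connections, DNS cache, Run keys) against an
# IOC list. Every IOC value below is a constructed placeholder, not a real indicator.

$Iocs = @{
    Sha256 = @('0000000000000000000000000000000000000000000000000000000000000000')  # constructed
    Ip     = @('203.0.113.10', '198.51.100.7')   # constructed, RFC 5737 test ranges
    Domain = @('c2.example', 'evil.example')     # constructed, RFC 2606 reserved TLD
}

function Get-ImageSha256 {
    param([string] $Path)
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    }
}

function Find-IocMatches {
    param([Parameter(Mandatory)] [hashtable] $Iocs)

    # 1. Running processes whose on-disk image hashes to an IOC
    foreach ($p in Get-Process) {
        $h = Get-ImageSha256 $p.Path
        if ($h -and $Iocs.Sha256 -contains $h) {
            [pscustomobject]@{ Type = 'Process'; Where = "PID $($p.Id)"; Value = $p.Path; Ioc = $h }
        }
    }

    # 2. Established TCP connections to IOC addresses, with the owning PID
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $Iocs.Ip -contains $_.RemoteAddress } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'TcpConnection'; Where = "PID $($_.OwningProcess)"
                               Value = "$($_.RemoteAddress):$($_.RemotePort)"; Ioc = $_.RemoteAddress }
        }

    # 3. DNS client cache entries for IOC domains (the name itself or any subdomain)
    Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
        $entry = $_.Entry
        $hit = $Iocs.Domain | Where-Object { $entry -eq $_ -or $entry.EndsWith(".$_") } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{ Type = 'DnsCache'; Where = $entry; Value = $_.Data; Ioc = $hit }
        }
    }

    # 4. Run/RunOnce values whose target executable hashes to an IOC
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($v in $props.PSObject.Properties) {
            if ($v.Name -in $meta) { continue }          # provider metadata, not autorun values
            $cmd = [string]$v.Value
            # First token of the command line, quoted or not, with %VAR% expanded
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $h = Get-ImageSha256 $exe
            if ($h -and $Iocs.Sha256 -contains $h) {
                [pscustomobject]@{ Type = 'Autorun'; Where = "$k\$($v.Name)"; Value = $cmd; Ioc = $h }
            }
        }
    }
}

# Usage: run elevated and keep the hits in the case folder (assumed path)
# Find-IocMatches -Iocs $Iocs | Export-Csv -Path 'D:\cases\host01-ioc-hits.csv' -NoTypeInformation
```

Hash matching only catches the exact sample in the IOC list; a recompiled or padded variant needs the Yara rules from the "rules" half of the step. HKCU is the hive of the user running the scan, so the Run keys of other profiles on the host have to be checked from their loaded hives or offline.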
Containment
Make Sure There Are Backups
Isolate Asset
Patch Vulnerability
Inspect Network Shares
[Unimplemented] RP_0000_find_how_the_attacker_got_into_system
[Unimplemented] RA_0000_make_sure_that_the_perimeter_well_scoped_up_and_contain
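The "Isolate Asset" step above, as an added PowerShell example that is not part of the original playbook or of the ATC project. It isolates the host with the built-in Windows Firewall while keeping the EDR server and the analyst jump host reachable, and records enough state to undo the isolation. The addresses, the rule group name and the backup directory are constructed assumptions.

```powershell
# Added example, not from the original playbook: network-isolate a host with the
# built-in Windows Firewall while keeping a path open to the EDR server and the
# analyst jump host, and undo it afterwards. Addresses and the backup path are
# constructed placeholders (RFC 5737 test ranges).

$Group     = 'IR-Isolation'          # tag on every rule this script creates
$BackupDir = 'C:\ProgramData\IR'     # assumed location for rollback state

function Invoke-HostIsolation {
    param([Parameter(Mandatory)] [string[]] $AllowedHosts)   # EDR server, jump host, ...

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # 1. Record what is enabled now, so Undo-HostIsolation can restore it
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
        Export-Csv -Path "$BackupDir\profiles.csv" -NoTypeInformation
    $enabled = Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' }
    $enabled | Select-Object -ExpandProperty Name | Set-Content -Path "$BackupDir\enabled-rules.txt"

    # 2. Block rules win over allow rules in the Windows Firewall, so a plain
    #    "block all" rule would also cut the responder path. Instead disable every
    #    existing rule, make the profile default Block, and keep only our allows.
    $enabled | Disable-NetFirewallRule
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    # 3. Allow the responder infrastructure in both directions
    New-NetFirewallRule -DisplayName 'IR allow inbound'  -Group $Group -Direction Inbound  `
        -RemoteAddress $AllowedHosts -Action Allow -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName 'IR allow outbound' -Group $Group -Direction Outbound `
        -RemoteAddress $AllowedHosts -Action Allow -Profile Any | Out-Null
}

function Undo-HostIsolation {
    Remove-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue
    Import-Csv -Path "$BackupDir\profiles.csv" | ForEach-Object {
        Set-NetFirewallProfile -Name $_.Name -Enabled $_.Enabled `
            -DefaultInboundAction $_.DefaultInboundAction -DefaultOutboundAction $_.DefaultOutboundAction
    }
    Enable-NetFirewallRule -Name (Get-Content -Path "$BackupDir\enabled-rules.txt") -ErrorAction SilentlyContinue
}

function Test-HostIsolation {
    # Only the allow rules in our group should be enabled, and every profile default should be Block
    $profiles = Get-NetFirewallProfile
    $others   = Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Group -ne $Group }
    [pscustomobject]@{
        DefaultsBlock    = -not ($profiles | Where-Object { $_.DefaultInboundAction -ne 'Block' -or $_.DefaultOutboundAction -ne 'Block' })
        ForeignRulesLeft = @($others).Count
    }
}

# Usage (constructed addresses). Run it from a session that arrives from an allowed
# host, or through the EDR's remote shell; otherwise the isolation cuts the session issuing it.
# Invoke-HostIsolation -AllowedHosts '192.0.2.10', '192.0.2.20'
# Test-HostIsolation
# Undo-HostIsolation
```

Use IP addresses in the allow list, not names: DNS is blocked along with everything else. If the firewall is managed by Group Policy, local rule changes are overwritten at the next policy refresh, and the isolation has to be done through the EDR, NAC or the switch port instead.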
Eradication
Reinstall Host From Golden Image
[Unimplemented] RP_0012_compromised_accounts
Remove File
Deleting a file from Windows with PowerShell
Deleting a file from Windows via SOLDR
Remove Persistence Mechanisms
Apply Prevention Mode For IOCs
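The "Remove File" (PowerShell variant), "Remove Persistence Mechanisms" and "Apply Prevention Mode For IOCs" steps above, as one added PowerShell example that is not part of the original playbook or of the ATC project. The deletion refuses to touch anything whose hash does not match the IOC and keeps a copy of the file as evidence first. All paths, value names, task and service names, hashes and addresses are constructed placeholders.

```powershell
# Added example, not from the original playbook: delete a confirmed-malicious file
# while keeping a copy as evidence, strip its common persistence hooks, and block
# the network IOCs on the host. All paths, names, hashes and addresses are
# constructed placeholders.

function Remove-MaliciousFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,   # from the IOC list; anything else is refused
        [Parameter(Mandatory)] [string] $EvidenceDir
    )
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "$Path is not present"; return }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Hash mismatch for ${Path}: expected $ExpectedSha256, got $actual; not deleting"
    }
    # Keep the bytes for the case file before destroying them; the hash in the
    # evidence file name ties the copy back to the IOC
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    $evidence = Join-Path $EvidenceDir "$actual.bin"
    Copy-Item -LiteralPath $Path -Destination $evidence
    # Any process still running from that image holds a lock and has to go first
    Get-Process | Where-Object { $_.Path -eq $Path } | Stop-Process -Force
    Remove-Item -LiteralPath $Path -Force
    [pscustomobject]@{ Removed = $Path; SHA256 = $actual; Evidence = $evidence }
}

function Remove-PersistenceHooks {
    param(
        [string[]] $RunValueNames      = @(),   # value names under Run/RunOnce
        [string[]] $ScheduledTaskNames = @(),
        [string[]] $ServiceNames       = @()
    )
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        foreach ($n in $RunValueNames) {
            if (Get-ItemProperty -Path $k -Name $n -ErrorAction SilentlyContinue) {
                Remove-ItemProperty -Path $k -Name $n
                "removed registry value $k\$n"
            }
        }
    }
    foreach ($t in $ScheduledTaskNames) {
        $task = Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue
        if ($task) {
            $task | Unregister-ScheduledTask -Confirm:$false
            "removed scheduled task $($task.TaskPath)$t"
        }
    }
    foreach ($s in $ServiceNames) {
        if (Get-Service -Name $s -ErrorAction SilentlyContinue) {
            Stop-Service -Name $s -Force -ErrorAction SilentlyContinue
            sc.exe delete $s | Out-Null      # Remove-Service only exists in PowerShell 6+
            "removed service $s"
        }
    }
}

function Block-NetworkIocs {
    # Prevention mode for the network IOCs: an outbound block rule on the host itself
    param([Parameter(Mandatory)] [string[]] $RemoteAddress)
    New-NetFirewallRule -DisplayName 'IR block IOC addresses' -Group 'IR-Prevention' `
        -Direction Outbound -RemoteAddress $RemoteAddress -Action Block -Profile Any
}

# Usage (constructed values):
# Remove-MaliciousFile -Path 'C:\Users\Public\update.exe' -ExpectedSha256 '0000...0000' `
#     -EvidenceDir 'D:\cases\host01\evidence'
# Remove-PersistenceHooks -RunValueNames 'Updater' -ScheduledTaskNames 'SystemUpdate' -ServiceNames 'WinUpdSvc'
# Block-NetworkIocs -RemoteAddress '203.0.113.10', '198.51.100.7'
```

The evidence copy preserves the file bytes only, not the NTFS timestamps or alternate data streams, so the disk and memory acquisition from the Identification phase must already be done before this runs. HKCU is the hive of the account running the script; persistence in other users' profiles is removed from their loaded hives or, after the reinstall from the golden image, does not matter at all.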
Recovery
Lessons Learned
Develop Incident Report
[Unimplemented] RP_0013_improve_intrusion_management_processes
Update Acquisition Profiles
Update Network Profiles
Update Process Profiles