
Table Of Contents

  • INCIDENT RESPONSE CHECKLIST
    • IDENTIFICATION TASKS
    • CONTAINMENT TASKS
    • REMEDIATION TASKS
    • OTHER / LESSONS LEARNED TASKS
    • MALWARE ATTRIBUTES CHECKLIST

INCIDENT RESPONSE CHECKLIST

  • Note: This section is intended as an incident response guide. Some tasks may not be relevant, required or appropriate for every environment; consider your environment before implementing each step, and add steps of your own as needed.

IDENTIFICATION TASKS

  • Acquire a copy of the malicious file(s) for analysis (record hashes so later samples can be compared with the original).
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Build a list of malicious effects on systems: an itemized list of all known changes to files, settings, registry and services (added/modified/deleted, stopped/started).
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Which A/V or anti-malware tools can detect and remove the malicious threat?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Where does the malware/attacker exit the network?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Are malicious internal/external sites/connections still active?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Is the malware listening on any ports?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • What was the malware's original infection method and/or the weakness it exploited?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Is there a packet capture of the malware trying to infect other systems?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Is there a packet capture of the malware trying to communicate out of the network, identifying its method (ports, IPs, DNS names, etc.)?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Does the malware pose a threat to any sensitive data (files, credentials, intellectual property, PII, etc.)?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • What are the DNS entries on an infected system (configured resolvers, hosts file, client DNS cache)?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Is it possible to identify the first infected system(s)?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Has the first infected system's hard drive been preserved (imaged before any cleanup)?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Do any scripts need to be run on live infected systems?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Is there a desktop management tool? If so, what reports are available to inventory all systems and their statuses?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Compile a list of all infected systems.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Identify any missing patches using the current and/or a previous vulnerability scan.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Look for systems that have stopped reporting in to the anti-malware management server for updates, or that have stopped contacting the A/V vendor for updates; malware commonly blocks both.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Look for systems that have stopped contacting the update server (WSUS) or Microsoft directly for updates.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
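The last two identification tasks (hosts that have stopped checking in to the anti-malware or update server) can be worked from console exports. The Python below is an added example, not part of the original checklist: it takes a constructed asset inventory and constructed per-host last-check-in exports from an AV console and a WSUS server (the hostnames, timestamps, the fixed "now" and the three-day threshold are all assumptions) and lists the hosts silent beyond the threshold, ranked by how many sources they are silent on.

```python
"""Find hosts that have gone silent toward the AV console and update server.

Added example, not part of the original checklist. It assumes two exports
most desktop-management or AV consoles can produce: an asset inventory and a
per-host "last check-in" list; the hostnames, timestamps and "now" below are
constructed for the walkthrough.
"""
from datetime import datetime, timedelta

# Constructed asset inventory from the desktop-management tool.
INVENTORY = ["WS-001", "WS-002", "WS-003", "WS-004", "SRV-FILE01", "SRV-DB01"]

# Constructed AV-console export: host, last successful definition update.
AV_CHECKINS = """\
WS-001,2024-03-10 08:12:00
WS-002,2024-03-10 07:58:00
WS-003,2024-03-02 09:30:00
SRV-FILE01,2024-03-10 06:00:00
SRV-DB01,2024-03-01 22:15:00
"""

# Constructed update-server (WSUS) export: host, last contact.
WSUS_CHECKINS = """\
WS-001,2024-03-09 23:00:00
WS-002,2024-03-09 23:05:00
WS-003,2024-03-09 23:01:00
WS-004,2024-03-09 23:02:00
SRV-FILE01,2024-03-09 23:00:00
SRV-DB01,2024-03-01 23:00:00
"""

NOW = datetime(2024, 3, 10, 12, 0, 0)   # fixed "now" so the run is reproducible
MAX_AGE = timedelta(days=3)             # assumed threshold; tune to your update cadence


def parse_checkins(text):
    """Parse 'host,YYYY-MM-DD HH:MM:SS' lines into {HOST: datetime}."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, stamp = line.split(",", 1)
        seen[host.strip().upper()] = datetime.strptime(stamp.strip(), "%Y-%m-%d %H:%M:%S")
    return seen


def stale_hosts(inventory, checkins, now=NOW, max_age=MAX_AGE):
    """Hosts silent for longer than max_age, as {HOST: last_seen or None}.
    An inventoried host with no record at all is reported too (None): a host
    that never reached the console is as suspicious as one that stopped."""
    cutoff = now - max_age
    return {h.upper(): checkins.get(h.upper())
            for h in inventory
            if checkins.get(h.upper()) is None or checkins[h.upper()] < cutoff}


def triage(inventory, sources, now=NOW, max_age=MAX_AGE):
    """sources: {source_name: {HOST: datetime}} -> {HOST: [silent sources]},
    strongest candidates first. Malware that blocks AV updates often blocks
    Windows Update too, so a host silent on both sources ranks highest."""
    findings = {}
    for name, checkins in sources.items():
        for host in stale_hosts(inventory, checkins, now, max_age):
            findings.setdefault(host, []).append(name)
    return dict(sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0])))


def demo():
    """Run the triage over the constructed exports."""
    sources = {"AV": parse_checkins(AV_CHECKINS), "WSUS": parse_checkins(WSUS_CHECKINS)}
    return triage(INVENTORY, sources)


if __name__ == "__main__":
    for host, silent_on in demo().items():
        print(f"{host}: no check-in for >{MAX_AGE.days} days on {', '.join(silent_on)}")
```

The ranking is the useful part: a host silent on both the AV console and WSUS (SRV-DB01 in the constructed data) goes to the top of the "suspicious" column of the containment count; a host that appears in the inventory but never in the AV export (WS-004) is a coverage gap to check as well.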

CONTAINMENT TASKS

  • How many systems are still unknown, clear, suspicious, or infected?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Network device changes (switches, routers, firewalls, IPS, NAC, Wi-Fi, etc.).
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Active Directory OU isolation of suspected systems.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Active Directory - User account restrictions and resets.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Active Directory policies (e.g. GPO software restriction policies) to prohibit threats from running and/or gaining access.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Firewall blocks.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • DNS blocks (sinkhole or null-route the malware domain(s) on the internal resolvers; verify clients cannot bypass them with external DNS).
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Web filtering blocks.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
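Once the DNS block is in place, the resolver logs show whether it is working and which hosts are still trying to reach the malware domains. The Python below is an added example, not part of the original checklist; the log line format is a constructed, simplified one rather than any resolver's native format, and the blocked domains, sinkhole address and block time are assumptions for the walkthrough.

```python
"""Check a DNS block/sinkhole from resolver logs.

Added example, not part of the original checklist. It assumes the internal
resolver logs each query with the answer it returned; the line format here is
a constructed, simplified one, not a particular vendor's format. The blocked
domains, sinkhole address and block time are assumptions for the walkthrough.
"""
from datetime import datetime

# Constructed containment data: domains identified as malicious during
# identification, the sinkhole address the resolver now returns for them,
# and when the block was put in place.
BLOCKED_DOMAINS = {"update-cdn-check.example", "cdn.example.net"}
SINKHOLE_IP = "10.255.255.254"
BLOCK_APPLIED_AT = datetime(2024, 3, 10, 14, 0, 0)

# Constructed resolver log: "YYYY-MM-DD HH:MM:SS client query answer".
DNS_LOG = """\
2024-03-10 13:55:02 10.1.2.17 update-cdn-check.example 203.0.113.10
2024-03-10 14:05:41 10.1.2.17 update-cdn-check.example 10.255.255.254
2024-03-10 14:06:10 10.1.2.33 www.example.com 93.184.216.34
2024-03-10 14:07:55 10.1.2.33 cdn.example.net 10.255.255.254
2024-03-10 14:20:03 10.1.2.17 beacon.update-cdn-check.example 10.255.255.254
2024-03-10 15:01:00 10.1.2.58 update-cdn-check.example 203.0.113.10
"""


def is_blocked(name, blocked=BLOCKED_DOMAINS):
    """True if name is a blocked domain or any subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in blocked)


def parse_dns_log(text):
    """Yield (timestamp, client, query, answer) tuples from the constructed format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines rather than guess
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        yield ts, parts[2], parts[3], parts[4]


def review(records, blocked=BLOCKED_DOMAINS, sinkhole=SINKHOLE_IP, applied_at=BLOCK_APPLIED_AT):
    """Split blocked-domain lookups into three findings.

    pre_block_contacts: clients that resolved a C2 name before the block
                        (historical victims to add to the infected list).
    still_beaconing:    clients still asking for C2 names after the block;
                        the block stops the connection, not the malware.
    block_gaps:         post-block lookups answered with a real address,
                        i.e. a resolver or name the block did not cover.
    """
    pre_block, beaconing, gaps = set(), set(), []
    for ts, client, query, answer in records:
        if not is_blocked(query, blocked):
            continue
        if ts < applied_at:
            pre_block.add(client)
            continue
        beaconing.add(client)
        if answer != sinkhole:
            gaps.append((ts, client, query, answer))
    return {"pre_block_contacts": pre_block, "still_beaconing": beaconing, "block_gaps": gaps}


def demo():
    """Run the review over the constructed log."""
    return review(parse_dns_log(DNS_LOG))


if __name__ == "__main__":
    for finding, value in demo().items():
        print(f"{finding}: {value}")
```

A host that still queries a blocked name after the block is contained but not clean; it belongs on the infected list for remediation. A post-block answer that is not the sinkhole address points at a resolver or a subdomain the block missed, which is why the match is on the domain suffix and not the exact name.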

REMEDIATION TASKS

  • Administrative AD Password Changes.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Local Administrative Password Changes.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • User AD Password Changes.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Local User Password Changes.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Service Account Password Changes.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Push Antivirus updates for detected malware.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Try multiple antivirus tools.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • What Active Directory GPO policies are set (Logs, Restrictions, etc.)?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • What is the network architecture, and how would malware traverse it?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Are there additional IDS/IPS segments that need coverage to prevent/detect outbreak?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • 3rd Party Applications missing patches (Adobe, Java, etc.)?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Monitor client email for vendor or other business continuity items of interest.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Monitor RDP sessions on externally accessible RDP systems.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Are there any applications in use that are facilitating the attack? If so, are there alternatives?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Is there a baseline system to review for changes?
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Monitor for user name variations (look-alike or newly created accounts).
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Manage and monitor scheduled tasks (new or modified entries).
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Review border router logs.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Review VPN (remote access) logs.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Review Citrix / VMware or similar remote-access and virtualization logs.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Review accounting server log(s) and user activity trends.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Review AD server logs.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Review Anti-Virus (Malicious Code Services) logs.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Review email abuse notifications and logs.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Review DNS logs.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Review account and policy abuse logs.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Review host firewall logs.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
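Two tasks above, the itemized list of changes under identification and the baseline system under remediation, come down to diffing a known-good snapshot against a suspect host. The Python below is an added example, not part of the original checklist; the baseline and infected snapshots are constructed dictionaries (services, run keys, file hashes) with made-up paths and contents, standing in for what a configuration-management or forensic collection tool would export.

```python
"""Itemize changes between a clean baseline and a snapshot of a suspect host.

Added example, not part of the original checklist. The two snapshots are
constructed dictionaries standing in for what a configuration-management or
forensic collection tool would export: services (name -> binary path and
state), autorun registry values (value name -> command) and SHA-256 hashes of
files of interest. The host, paths and file contents are all made up.
"""
import hashlib


def sha256(data):
    """Hex SHA-256 of bytes; used to build the constructed file-hash tables."""
    return hashlib.sha256(data).hexdigest()


HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

BASELINE = {
    "services": {
        "WinDefend": {"path": r"C:\Program Files\Windows Defender\MsMpEng.exe", "state": "Running"},
        "wuauserv": {"path": r"C:\Windows\System32\svchost.exe -k netsvcs", "state": "Running"},
        "Spooler": {"path": r"C:\Windows\System32\spoolsv.exe", "state": "Running"},
    },
    "run_keys": {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    },
    "file_hashes": {
        HOSTS_PATH: sha256(b"# baseline hosts file\n"),
        r"C:\Windows\System32\svchost.exe": sha256(b"constructed svchost bytes"),
        r"C:\Users\Public\readme.txt": sha256(b"hello"),
    },
}

# Constructed snapshot of the same host after infection: AV stopped, a new
# service and run key pointing into user-writable paths, the hosts file edited
# to sinkhole the AV vendor, and one file gone.
SNAPSHOT = {
    "services": {
        "WinDefend": {"path": r"C:\Program Files\Windows Defender\MsMpEng.exe", "state": "Stopped"},
        "wuauserv": {"path": r"C:\Windows\System32\svchost.exe -k netsvcs", "state": "Running"},
        "Spooler": {"path": r"C:\Windows\System32\spoolsv.exe", "state": "Running"},
        "WinHelpSvc": {"path": r"C:\ProgramData\wh\svchost.exe", "state": "Running"},
    },
    "run_keys": {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        "OneDriveUpd": r"C:\Users\Public\onedrv.exe",
    },
    "file_hashes": {
        HOSTS_PATH: sha256(b"# baseline hosts file\n127.0.0.1 av-updates.example.com\n"),
        r"C:\Windows\System32\svchost.exe": sha256(b"constructed svchost bytes"),
    },
}


def diff_category(before, after):
    """Added / removed / modified keys between two {key: value} maps."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    modified = {k: (before[k], after[k])
                for k in before.keys() & after.keys() if before[k] != after[k]}
    return {"added": added, "removed": removed, "modified": modified}


def diff_snapshots(baseline, snapshot):
    """Diff every category and pull service start/stop flips out separately:
    a stopped AV service with an unchanged binary is a different finding from
    a service whose binary path was swapped."""
    categories = sorted(baseline.keys() | snapshot.keys())
    report = {c: diff_category(baseline.get(c, {}), snapshot.get(c, {})) for c in categories}
    state_changes = {}
    for name, (old, new) in report.get("services", {}).get("modified", {}).items():
        if old.get("state") != new.get("state"):
            state_changes[name] = (old.get("state"), new.get("state"))
    report["service_state_changes"] = state_changes
    return report


def findings(report):
    """Flatten the report into one line per change for the incident record."""
    lines = []
    for category, diff in report.items():
        if category == "service_state_changes":
            lines.extend(f"service {n}: {o} -> {w}" for n, (o, w) in diff.items())
            continue
        for kind in ("added", "removed", "modified"):
            lines.extend(f"{category} {kind}: {k}" for k in sorted(diff[kind]))
    return lines


def demo():
    """Diff the constructed baseline against the constructed infected snapshot."""
    return diff_snapshots(BASELINE, SNAPSHOT)


if __name__ == "__main__":
    print("\n".join(findings(demo())))
```

Each line of the output is one entry for the "malicious effects on systems" list; the same diff, run against other hosts, also says which of them show the same changes and so belong on the infected list.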

OTHER / LESSONS LEARNED TASKS

  • Rebuild all systems according to the life-cycle rebuild plan.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Synchronize time services (NTP) across all systems, so logs from different sources can be correlated.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Create incident data repository.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Consider host-based IPS.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Consider Network Access Control (NAC).
    • Priority: H/M/L | Effort: H/M/L | Open/Closed
  • Consider 3rd-party internal/external security and perimeter security tools and assessment services.
    • Priority: H/M/L | Effort: H/M/L | Open/Closed

MALWARE ATTRIBUTES CHECKLIST

Malware Presence on the System:

  • Runs in memory only.
    • Yes | No | Unknown | N/A
  • Runs out of the registry (payload stored in registry values, no file on disk).
    • Yes | No | Unknown | N/A
  • Artifacts on disk.
    • Yes | No | Unknown | N/A
  • Disk file presence hidden, stored in unallocated, free/slack space or encrypted.
    • Yes | No | Unknown | N/A
  • Has no icon.
    • Yes | No | Unknown | N/A
  • Has no description or company name.
    • Yes | No | Unknown | N/A
  • Unsigned images that claim to be Microsoft files (check Authenticode signatures).
    • Yes | No | Unknown | N/A
  • Packed and likely encrypted.
    • Yes | No | Unknown | N/A
  • Suspicious DLLs or services.
    • Yes | No | Unknown | N/A
  • Backs up a real file and swaps itself in and out in its place.
    • Yes | No | Unknown | N/A
  • Stays alive by working in file pairs (each component restores the other if removed).
    • Yes | No | Unknown | N/A
  • Found in embedded devices, industrial control systems and IoT.
    • Yes | No | Unknown | N/A

Malware Activities

  • Downloads new code/functionality.
    • Yes | No | Unknown | N/A
  • Leverages pivot system(s) and network path(s) to exit the victim network including VPN/Dial-Up, HTTP/HTTPS, and other standard or non-standard services and ports.
    • Yes | No | Unknown | N/A
  • Ability to leverage mobile devices and other removable media.
    • Yes | No | Unknown | N/A
  • Ability to detect and utilize authenticated web proxies.
    • Yes | No | Unknown | N/A
  • Morphs on the victim client system (polymorphic; hashes differ per host).
    • Yes | No | Unknown | N/A
  • Contains red herring (misleading/distracting) features depending on the environment it detects.
    • Yes | No | Unknown | N/A
  • Ability to run on all known operating systems (cross-platform).
    • Yes | No | Unknown | N/A
  • Ability to move into embedded devices.
    • Yes | No | Unknown | N/A

Malware Capabilities

  • Ability to run most Windows-based Active Directory commands.
    • Yes | No | Unknown | N/A
  • Ability to upload and download files/payloads.
    • Yes | No | Unknown | N/A
  • Can use built-in services or purpose built malware for needed services.
    • Yes | No | Unknown | N/A
  • Has several persistence mechanisms, making the malware highly resilient to A/V defenses.
    • Yes | No | Unknown | N/A
  • Ability to brute force.
    • Yes | No | Unknown | N/A
  • DoS/DDoS capability or bundled DoS tools.
    • Yes | No | Unknown | N/A
  • Ability to steal and/or pass the hash.
    • Yes | No | Unknown | N/A
  • Ability to conduct credential harvesting.
    • Yes | No | Unknown | N/A
  • Privilege escalation capability.
    • Yes | No | Unknown | N/A
  • Ransomware or like capability.
    • Yes | No | Unknown | N/A
  • Self-destruct mode, including destructive methods (wiping).
    • Yes | No | Unknown | N/A
  • Anti-memory-forensics techniques.
    • Yes | No | Unknown | N/A
  • Sandbox-aware and virtual-machine-aware.
    • Yes | No | Unknown | N/A
  • Applies software patches to the vulnerability it exploited, to keep other malware out.
    • Yes | No | Unknown | N/A
  • C2 techniques: DNS, HTTP, HTTPS, steganography, cloud services, Tor, online code repositories/pastes, etc.
    • Yes | No | Unknown | N/A
  • One-time install/detonation.
    • Yes | No | Unknown | N/A
  • Communicates in no predictable pattern, including short- and long-term sleep techniques.
    • Yes | No | Unknown | N/A
  • Makes use of a compromised CA in order to hide communications.
    • Yes | No | Unknown | N/A
  • Time zone and IP geolocation aware.
    • Yes | No | Unknown | N/A
  • Makes use of well-established commercial web services (e.g. Dropbox, Gmail) for C2, so traffic blends in with legitimate use.
    • Yes | No | Unknown | N/A