# Malware Incident Response Skill

Structured workflow for responding to suspected malware incidents using the PICERL model (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned).

## Inputs

- CASE_ID - SOAR case ID for the incident
- ALERT_GROUP_IDENTIFIERS - Alert group identifiers from SOAR
- INITIAL_INDICATORS - Details from initial alerts:
  - File hashes
  - IPs/domains
  - Affected hosts
  - Affected users
## Required Outputs

After completing each phase, you MUST report these outputs:

### Identification Phase

| Output | Description |
|---|---|
| AFFECTED_HOSTS | Hosts with confirmed malware |
| MALWARE_SAMPLES | File hashes requiring triage/analysis |
| MALWARE_IOCS | Network indicators (IPs, domains, URLs) |
| AFFECTED_USERS | Users who executed/accessed malware |

### Containment Phase

| Output | Description |
|---|---|
| ISOLATED_HOSTS | Hosts successfully isolated from network |
| BLOCKED_IOCS | IOCs blocked at firewall/proxy |

### Eradication Phase

| Output | Description |
|---|---|
| CLEANED_HOSTS | Hosts with malware removed |
| REMOVED_PERSISTENCE | Persistence mechanisms removed |

### Recovery Phase

| Output | Description |
|---|---|
| RESTORED_HOSTS | Hosts restored to operational state |
| VALIDATION_STATUS | Post-recovery scan results |
## PICERL Phases

### Phase 2: Identification

#### Step 2.1: Initial Triage

Use /triage-alert with CASE_ID for initial assessment.

```
secops-soar.get_case_full_details(case_id=CASE_ID)
```

Use /check-duplicates.
#### Step 2.2: Malware Triage

If a file hash is the primary indicator, use /triage-malware:

```
/triage-malware FILE_HASH=abc123 CASE_ID=1234
```

This provides:

- GTI classification
- Behavioral indicators
- Network IOCs
- Affected hosts/users
#### Step 2.3: IOC Enrichment

For other key IOCs (IPs, domains, URLs), use /enrich-ioc for each.
#### Step 2.4: Initial Scope Assessment

Compile:

- AFFECTED_ENDPOINTS - Hosts with malware
- AFFECTED_USERS - Users who executed/accessed malware
- MALICIOUS_IOCs - Network indicators

Use /document-in-soar with findings.
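The scope compilation in Step 2.4 is shown below as an added example; it is not part of this skill or of the SecOps tooling it calls. It takes constructed per-alert findings in the shape Steps 2.2 and 2.3 might hand back, refangs and classifies every indicator (hash, URL, IP, domain, or unknown), folds duplicate hosts and users that differ only in casing, and emits the Step 2.4 outputs. The finding structure, field names and all sample values are assumptions; the classifier also handles defanged notation (hxxp, [.]) and IPs written with a port, and keeps anything it cannot classify in a separate list rather than passing free text on to a block action.

```python
import re

# Constructed sample of per-alert findings, as Steps 2.2 and 2.3 might hand
# back; field names and values are assumptions, not real SOAR/GTI output.
SAMPLE_FINDINGS = [
    {"host": "WS-0142", "user": "jdoe",
     "indicators": ["275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
                    "hxxp://update-check[.]example/stage2.bin"]},
    {"host": "ws-0142", "user": "JDOE",          # same host/user, different casing
     "indicators": ["203.0.113.45", "update-check[.]example"]},
    {"host": "SRV-FILE01", "user": "svc_backup",
     "indicators": ["D41D8CD98F00B204E9800998ECF8427E", "198.51.100.7:443", "see ticket"]},
]

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")   # MD5 / SHA-1 / SHA-256
IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?$")         # IPv4, optional port
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def refang(raw):
    """Undo common defanging (hxxp, [.], [:]) so indicators compare and block correctly."""
    value = raw.strip()
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[://]", "://")):
        value = value.replace(defanged, real)
    return value


def classify_indicator(raw):
    """Return (kind, normalized_value); kind is hash, url, ip, domain or unknown."""
    value = refang(raw)
    if URL_RE.match(value):
        return "url", value                      # keep URL path casing as given
    lowered = value.lower()
    if HASH_RE.match(lowered):
        return "hash", lowered
    m = IP_RE.match(lowered)
    if m and all(int(octet) <= 255 for octet in m.group(1).split(".")):
        return "ip", m.group(1)                  # port dropped: blocks are per address
    if DOMAIN_RE.match(lowered):
        return "domain", lowered
    return "unknown", value                      # free text: never silently block it


def compile_scope(findings):
    """Build the Step 2.4 outputs from a list of findings. File hashes go to
    MALWARE_SAMPLES for triage, network indicators to MALICIOUS_IOCs by type."""
    hosts, users, samples, unclassified = set(), set(), set(), set()
    iocs = {}
    for finding in findings:
        hosts.add(finding["host"].upper())        # hostnames are case-insensitive
        users.add(finding["user"].lower())
        for raw in finding.get("indicators", []):
            kind, value = classify_indicator(raw)
            if kind == "hash":
                samples.add(value)
            elif kind == "unknown":
                unclassified.add(value)
            else:
                iocs.setdefault(kind, set()).add(value)
    return {
        "AFFECTED_ENDPOINTS": sorted(hosts),
        "AFFECTED_USERS": sorted(users),
        "MALWARE_SAMPLES": sorted(samples),
        "MALICIOUS_IOCs": {kind: sorted(values) for kind, values in sorted(iocs.items())},
        "UNCLASSIFIED": sorted(unclassified),     # needs an analyst before any block action
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compile_scope(SAMPLE_FINDINGS), indent=2))
```

The UNCLASSIFIED list exists so that Step 3.2 only ever receives indicators of a known type: a /confirm-action prompt of "Block [IOC_TYPE] [VALUE]" is meaningless for a value the classifier could not type, and such values should be resolved by an analyst rather than dropped or blocked.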
### Phase 3: Containment

#### Step 3.1: Endpoint Isolation

For each endpoint in AFFECTED_ENDPOINTS:

Use /confirm-action:

"Isolate endpoint [HOSTNAME] from network?"

If confirmed, execute isolation via EDR.

#### Step 3.2: Network IOC Containment

For each IOC in MALICIOUS_IOCs:

Use /confirm-action:

"Block [IOC_TYPE] [VALUE] at firewall/proxy?"

If confirmed, implement blocks.

#### Step 3.3: User Account Containment

If a compromised user account is involved:

Trigger /respond-compromised-account

#### Step 3.4: Verify Containment

Monitor for continued activity:

```
secops-mcp.search_security_events(
    text="Activity from contained IOCs or endpoints",
    hours_back=1
)
```

Use /document-in-soar with containment status.
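The Step 3.4 check is shown below as an added example; it is not part of this skill or of the search_security_events tool. Given constructed events in the shape a SIEM search might return and a record of what Steps 3.1 and 3.2 actually did, it flags three distinct containment failures: an isolated host that still produces network events, a blocked IOC that is still being reached, and a host outside AFFECTED_ENDPOINTS contacting a blocked IOC (a scope gap rather than a failed block). Events from before the containment timestamp are deliberately ignored, since that traffic is what triggered containment and would otherwise report every case as breached. The event fields, the containment record and all sample values are assumptions.

```python
from datetime import datetime, timedelta, timezone


def parse_ts(text):
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample below."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample events in the shape a SIEM search might return; field names
# and values are assumptions, not real search_security_events output.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:05:00Z", "host": "WS-0142", "dst_ip": "203.0.113.45", "domain": None},
    {"ts": "2024-05-01T10:40:00Z", "host": "WS-0142", "dst_ip": "198.51.100.7", "domain": None},
    {"ts": "2024-05-01T10:45:00Z", "host": "WS-0077", "dst_ip": "192.0.2.10", "domain": "update-check.example"},
    {"ts": "2024-05-01T10:50:00Z", "host": "SRV-FILE01", "dst_ip": "192.0.2.20", "domain": "intranet.example"},
]

# What Steps 3.1 and 3.2 recorded (assumed structure, constructed values).
CONTAINMENT = {
    "at": "2024-05-01T10:30:00Z",
    "isolated_hosts": {"WS-0142"},
    "blocked_ips": {"203.0.113.45", "198.51.100.7"},
    "blocked_domains": {"update-check.example"},
}


def verify_containment(events, containment, hours_back=1, now=None):
    """Review events in the last hours_back hours and report whether containment holds."""
    now = now or datetime.now(timezone.utc)
    contained_at = parse_ts(containment["at"])
    # Only events after the containment actions can show that they failed;
    # anything earlier is the activity that triggered containment in the first place.
    since = max(now - timedelta(hours=hours_back), contained_at)
    isolation_failures, block_failures, new_hosts = set(), set(), set()
    reviewed = 0
    for ev in events:
        ts = parse_ts(ev["ts"])
        if ts < since or ts > now:
            continue
        reviewed += 1
        host = ev["host"].upper()
        if host in containment["isolated_hosts"]:
            isolation_failures.add(host)         # isolated host still producing network events
        hit_iocs = set()
        if ev.get("dst_ip") in containment["blocked_ips"]:
            hit_iocs.add(ev["dst_ip"])
        if ev.get("domain") in containment["blocked_domains"]:
            hit_iocs.add(ev["domain"])
        if hit_iocs:
            block_failures |= hit_iocs           # block is not effective at the egress point
            if host not in containment["isolated_hosts"]:
                new_hosts.add(host)              # scope gap: host was not in AFFECTED_ENDPOINTS
    breached = bool(isolation_failures or block_failures or new_hosts)
    return {
        "status": "BREACHED" if breached else "HOLDING",
        "isolation_failures": sorted(isolation_failures),
        "block_failures": sorted(block_failures),
        "new_hosts": sorted(new_hosts),
        "events_reviewed": reviewed,
    }


if __name__ == "__main__":
    print(verify_containment(SAMPLE_EVENTS, CONTAINMENT, hours_back=1,
                             now=parse_ts("2024-05-01T11:00:00Z")))
```

A BREACHED result should send the workflow back rather than forward: new_hosts go through Step 3.1 as additions to AFFECTED_ENDPOINTS, and block_failures mean the Step 3.2 block needs to be checked at the enforcement point before Phase 4 starts, because eradication on a host that can still reach its C2 is likely to be undone.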
### Phase 4: Eradication

#### Step 4.1: Identify Persistence

From /triage-malware results and the GTI behavior summary, identify:

- Scheduled tasks
- Services installed
- Registry modifications
- Dropped files
- WMI subscriptions

#### Step 4.2: Remove Malware & Persistence

(Requires EDR/endpoint tools)

Execute removal plan:

- Terminate malicious processes
- Delete malware files
- Remove persistence mechanisms
- Clear malicious registry keys

#### Step 4.3: Scan for Residual Infection

(Requires EDR/AV tools)

Perform thorough scans post-eradication.

Use /document-in-soar with eradication results.
### Phase 5: Recovery

#### Step 5.1: Determine Recovery Strategy

Based on severity and admin rights involved:

| Factor | Rebuild | Clean |
|---|---|---|
| Admin rights compromised | ✅ | ❌ |
| Unknown malware | ✅ | ❌ |
| Known commodity malware | Consider | ✅ |
| High confidence eradication | Consider | ✅ |

#### Step 5.2: Execute Recovery

(Involves IT Ops/System Admins)

- Rebuild from known-good image OR clean existing
- Apply all patches before reconnecting
- Perform vulnerability scan
- Restore data from clean backups if needed

#### Step 5.3: Monitor Recovered Systems

Closely monitor for 24-72 hours post-recovery:

- Watch for re-infection indicators
- Monitor for unusual behavior
- Verify normal operations

#### Step 5.4: Lift Containment

Gradually remove isolation once confidence is high.

Use /document-in-soar with recovery status.
### Phase 6: Lessons Learned

Use /generate-report with:

- Malware classification
- Entry vector
- Spread/impact
- Response timeline
- Recovery actions
- Recommendations

Conduct review:

- How did malware enter?
- Was detection timely?
- Were containment actions effective?
- What detections should be added?
## Critical Warnings

- DO NOT skip endpoint isolation for confirmed infections
- MUST identify malware strain/behavior
- DO NOT restore without verifying eradication
- ALWAYS verify scan results before reconnecting

## Malware Response Quick Reference

| Phase | Key Question | Action |
|---|---|---|
| Identification | What is it? | /triage-malware |
| Identification | Where is it? | SIEM search |
| Containment | Stop the spread | Isolate endpoints |
| Containment | Block C2 | Block network IOCs |
| Eradication | Remove it | EDR remediation |
| Recovery | Restore ops | Rebuild or clean |