AgentSkillsCN

triage-malware

Triage a suspected malicious file hash. Use this skill when investigating malware alerts or suspicious files. It analyzes the GTI file report, evaluates behavioral indicators, identifies affected hosts, enriches network IOCs, and recommends containment actions.

SKILL.md
---
name: triage-malware
description: "Triage a suspected malicious file hash. Use when investigating malware alerts or suspicious files. Analyzes GTI file report, behavioral indicators, identifies affected hosts, enriches network IOCs, and recommends containment actions."
required_roles:
  chronicle: roles/chronicle.viewer
  soar: roles/chronicle.editor
  gti: GTI Enterprise
personas: [tier2-analyst, tier3-analyst, incident-responder]
---

Malware Triage Skill

Perform initial analysis and context gathering for a suspected malicious file hash identified during an investigation or alert.

Inputs

  • FILE_HASH - MD5, SHA1, or SHA256 hash of the suspected file
  • CASE_ID - SOAR case ID for documentation
  • ALERT_GROUP_IDENTIFIERS - Alert group identifiers from the case
  • (Optional) TIME_FRAME_HOURS - Lookback period (default: 72)

Workflow

Step 1: Get Case Context

```
secops-soar.get_case_full_details(case_id=CASE_ID)
```

Step 2: GTI File Report

```
gti-mcp.get_file_report(hash=FILE_HASH)
```

Record:

  • Detection ratio (e.g., 45/70 engines)
  • Malware family classification
  • First/last seen dates
  • Associated threat actors or campaigns

Step 3: GTI Behavior Summary

```
gti-mcp.get_file_behavior_summary(hash=FILE_HASH)
```

Extract behavioral indicators:

  • Network: Contacted IPs/domains → NETWORK_IOCs_GTI
  • File system: Dropped files, modified files
  • Registry: Modified keys
  • MITRE TTPs: Observed techniques from sandbox
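The following is an added example and not code from the AgentSkillsCN skill: it pulls the Step 2 fields (detection ratio, family, first/last seen) and the Step 3 indicators (network IOCs, dropped files, registry keys, ATT&CK technique IDs) out of a file report and behaviour summary. The dict shapes are an assumption modelled on the VirusTotal v3 file object and behaviour summary; the page does not show what `gti-mcp.get_file_report` and `gti-mcp.get_file_behavior_summary` return, so adjust the key paths to the real tool output. The sample report and behaviour data are constructed.

```python
# Added example, not code from the AgentSkillsCN skill. Dict shapes are an
# assumption modelled on the VirusTotal v3 file object / behaviour summary.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data, not a real report.
SAMPLE_REPORT = {
    "data": {"attributes": {
        "last_analysis_stats": {"harmless": 0, "malicious": 45, "suspicious": 2,
                                "undetected": 23, "timeout": 0},
        "first_submission_date": 1700000000,
        "last_analysis_date": 1700500000,
        "popular_threat_classification": {"suggested_threat_label": "trojan.emotet/banker"},
    }}
}
SAMPLE_BEHAVIOUR = {
    "data": {
        "ip_traffic": [{"destination_ip": "203.0.113.10", "destination_port": 443}],
        "dns_lookups": [{"hostname": "update.example.invalid", "resolved_ips": ["203.0.113.10"]}],
        "files_dropped": [{"path": "C:\\Users\\Public\\svc.exe"}],
        "registry_keys_set": [{"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"}],
        "mitre_attack_techniques": [{"id": "T1547.001", "signature_description": "Registry Run Keys"}],
    }
}


@dataclass
class GtiTriage:
    detection_ratio: str          # e.g. "45/70"
    malicious_engines: int        # feeds the GTI Detection row of the severity matrix
    family: str
    first_seen: str
    last_seen: str
    network_iocs: set = field(default_factory=set)   # NETWORK_IOCs_GTI
    dropped_files: list = field(default_factory=list)
    registry_keys: list = field(default_factory=list)
    ttps: list = field(default_factory=list)


def _day(epoch_seconds):
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%Y-%m-%d")


def summarize_file_report(report):
    """Step 2: detection ratio, family and first/last seen from the file report."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    total = sum(stats.values())          # every engine that returned a result
    malicious = stats.get("malicious", 0)
    label = attrs.get("popular_threat_classification", {}).get("suggested_threat_label", "unknown")
    return GtiTriage(
        detection_ratio=f"{malicious}/{total}",
        malicious_engines=malicious,
        family=label,
        first_seen=_day(attrs["first_submission_date"]),
        last_seen=_day(attrs["last_analysis_date"]),
    )


def add_behaviour(triage, behaviour):
    """Step 3: network, file-system, registry and ATT&CK indicators from the sandbox summary."""
    d = behaviour["data"]
    for conn in d.get("ip_traffic", []):
        triage.network_iocs.add(conn["destination_ip"])
    for lookup in d.get("dns_lookups", []):
        triage.network_iocs.add(lookup["hostname"])
        triage.network_iocs.update(lookup.get("resolved_ips", []))
    triage.dropped_files = [f["path"] for f in d.get("files_dropped", [])]
    triage.registry_keys = [k["key"] for k in d.get("registry_keys_set", [])]
    triage.ttps = sorted({t["id"] for t in d.get("mitre_attack_techniques", [])})
    return triage


if __name__ == "__main__":
    t = add_behaviour(summarize_file_report(SAMPLE_REPORT), SAMPLE_BEHAVIOUR)
    print(f"{t.detection_ratio} {t.family} seen {t.first_seen}..{t.last_seen}")
    print("NETWORK_IOCs_GTI:", sorted(t.network_iocs), "TTPs:", t.ttps)
```

The detection ratio is computed over every engine in `last_analysis_stats`, including undetected and timed-out ones, which is what the "45/70" style figure in Step 2 expresses; the malicious count is kept separately because it is the number the severity matrix scores.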

Step 4: SIEM Execution Check

Search for file execution events:

```
secops-mcp.search_security_events(
    text='target.file.sha256 = "FILE_HASH" OR target.file.md5 = "FILE_HASH"',
    hours_back=TIME_FRAME_HOURS
)
```

Look for: PROCESS_LAUNCH, FILE_CREATION, FILE_MODIFICATION

Identify:

  • AFFECTED_HOSTS - Machines where file was seen
  • AFFECTED_USERS - Users who executed/accessed the file

Step 5: SIEM Network Activity

Search for network connections from processes with this hash:

```
secops-mcp.search_security_events(
    text='principal.process.file.sha256 = "FILE_HASH"',
    hours_back=TIME_FRAME_HOURS
)
```

Extract: NETWORK_IOCs_SIEM (contacted IPs/domains)

Step 6: Enrich Network IOCs

Combine NETWORK_IOCs_GTI + NETWORK_IOCs_SIEM → ALL_NETWORK_IOCs

For each network IOC, use /enrich-ioc:

  • Check GTI reputation
  • Check SIEM presence
  • Check IOC match status
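The following is an added example covering Steps 4 to 6 and is not the skill's own code. It builds the UDM search text for whichever hash type was actually supplied (an MD5 placed in `target.file.sha256` can never match, so the field is chosen from the digest length), reduces the returned events to AFFECTED_HOSTS, AFFECTED_USERS and NETWORK_IOCs_SIEM, and unions the SIEM and GTI network IOCs into ALL_NETWORK_IOCs before enrichment. The UDM field paths (`target.file.md5/sha1/sha256`, `principal.process.file.*`, `principal.hostname`, `principal.user.userid`, `target.ip`, `target.hostname`, `metadata.event_type`) are real Chronicle UDM paths; the event dicts are constructed samples, and the exact shape returned by `secops-mcp.search_security_events` is an assumption. Dropping internal addresses before enrichment is a design choice, not something the page prescribes.

```python
# Added example, not the skill's own code: Steps 4 to 6 of the triage workflow.
# Event dict shape returned by secops-mcp.search_security_events is an assumption.
import ipaddress
import re

HASH_FIELDS = {32: "md5", 40: "sha1", 64: "sha256"}   # hex digest length -> UDM file field
EXEC_EVENTS = {"PROCESS_LAUNCH", "FILE_CREATION", "FILE_MODIFICATION"}
# Internal ranges not worth sending to /enrich-ioc (assumption: adjust to your own address plan)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def hash_type(file_hash):
    """Return (udm_field, normalised_hash); rejects anything that is not an MD5/SHA1/SHA256 hex digest."""
    h = file_hash.strip().lower()
    if len(h) not in HASH_FIELDS or not re.fullmatch(r"[0-9a-f]+", h):
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {file_hash!r}")
    return HASH_FIELDS[len(h)], h


def execution_query(file_hash):
    """Step 4: match the hash only against the UDM field of its own type."""
    algo, h = hash_type(file_hash)
    return f'target.file.{algo} = "{h}"'


def network_query(file_hash):
    """Step 5: connections made by a process whose image has this hash."""
    algo, h = hash_type(file_hash)
    return f'principal.process.file.{algo} = "{h}"'


def triage_events(events):
    """Reduce UDM events to (AFFECTED_HOSTS, AFFECTED_USERS, NETWORK_IOCs_SIEM)."""
    hosts, users, net = set(), set(), set()
    for ev in events:
        etype = ev.get("metadata", {}).get("event_type")
        principal = ev.get("principal", {})
        target = ev.get("target", {})
        if etype in EXEC_EVENTS or etype == "NETWORK_CONNECTION":
            if principal.get("hostname"):
                hosts.add(principal["hostname"])
        if etype in EXEC_EVENTS and principal.get("user", {}).get("userid"):
            users.add(principal["user"]["userid"])
        if etype == "NETWORK_CONNECTION":
            net.update(target.get("ip", []))        # target.ip is a repeated field in UDM
            if target.get("hostname"):
                net.add(target["hostname"])
    return hosts, users, net


def _is_internal(ioc):
    try:
        addr = ipaddress.ip_address(ioc)
    except ValueError:
        return False                                 # a domain name, keep it
    return any(addr in n for n in INTERNAL_NETS)


def combine_network_iocs(siem_iocs, gti_iocs):
    """Step 6: ALL_NETWORK_IOCs = SIEM + GTI, minus internal addresses that enrichment cannot judge."""
    return {ioc for ioc in set(siem_iocs) | set(gti_iocs) if not _is_internal(ioc)}


# Constructed sample events (not real telemetry); H stands in for FILE_HASH.
H = "a" * 64
SAMPLE_EVENTS = [
    {"metadata": {"event_type": "PROCESS_LAUNCH"},
     "principal": {"hostname": "ws-0142", "user": {"userid": "jdoe"}}, "target": {"file": {"sha256": H}}},
    {"metadata": {"event_type": "FILE_CREATION"},
     "principal": {"hostname": "ws-0199", "user": {"userid": "asmith"}}, "target": {"file": {"sha256": H}}},
    {"metadata": {"event_type": "NETWORK_CONNECTION"},
     "principal": {"hostname": "ws-0142", "process": {"file": {"sha256": H}}},
     "target": {"ip": ["203.0.113.10"], "hostname": "update.example.invalid"}},
    {"metadata": {"event_type": "NETWORK_CONNECTION"},
     "principal": {"hostname": "ws-0142", "process": {"file": {"sha256": H}}}, "target": {"ip": ["10.0.0.5"]}},
]

if __name__ == "__main__":
    print(execution_query(H))
    print(network_query(H))
    hosts, users, net = triage_events(SAMPLE_EVENTS)
    print(sorted(hosts), sorted(users), sorted(combine_network_iocs(net, {"cdn.example.invalid"})))
```

A host that only shows up in NETWORK_CONNECTION events is still counted in AFFECTED_HOSTS, since the process carrying the hash was running there even if its launch event fell outside TIME_FRAME_HOURS.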

Step 7: Check Related Cases

Use /find-relevant-case with:

```
SEARCH_TERMS = AFFECTED_HOSTS + AFFECTED_USERS + ALL_NETWORK_IOCs
```

Step 8: Synthesize & Document

Use /document-in-soar with assessment:

```
Malware Triage for Hash FILE_HASH:
- GTI Classification: [family, detection ratio]
- Behavior: [network, files, registry]
- Affected Hosts: [list]
- Network IOCs: [with enrichment]
- Related Cases: [list]

Assessment: [severity level]

Recommendation:
- [ ] Isolate affected hosts
- [ ] Block network IOCs
- [ ] Escalate to IR
- [ ] Monitor only
```

Required Outputs

After completing this skill, you MUST report these outputs:

| Output | Description |
|---|---|
| MALWARE_CLASSIFICATION | GTI verdict and malware family (e.g., "Emotet - Banking Trojan") |
| BEHAVIORAL_IOCS | Network IOCs from sandbox analysis (contacted IPs/domains) |
| AFFECTED_HOSTS | Hosts where this malware was executed or detected |
| AFFECTED_USERS | Users who executed or accessed the malware |
| TRIAGE_VERDICT | Overall verdict: malicious, suspicious, or clean |

Severity Assessment Matrix

| Factor | Low | Medium | High | Critical |
|---|---|---|---|---|
| GTI Detection | < 5 engines | 5-20 engines | 20-50 engines | > 50 engines |
| Execution | Not executed | Downloaded only | Executed | Active C2 |
| Spread | Single host | 2-5 hosts | 5-20 hosts | > 20 hosts |
| Network IOCs | None observed | Benign | Suspicious | Known malicious |
| Data at Risk | None | Low value | PII/credentials | Critical systems |

Recommended Actions by Severity

Critical/High:

  1. Immediately isolate affected hosts
  2. Block network IOCs at firewall
  3. Escalate to Incident Response
  4. Preserve forensic evidence

Medium:

  1. Monitor affected hosts closely
  2. Block known malicious IOCs
  3. Schedule endpoint scan
  4. Escalate to Tier 2

Low:

  1. Document findings
  2. Monitor for recurrence
  3. Close with detailed notes
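The following is an added example and not the skill's own code: it scores the five rows of the Severity Assessment Matrix and returns the action list for the resulting level, so the "Assessment: [severity level]" line of the Step 8 note is produced the same way on every case. The band edges are the page's; where the bands overlap (5, 20 and 50 engines; 5 and 20 hosts) the boundary value is put in the lower band, and the overall level is taken as the worst single factor. Both of those are assumptions, since the page does not say how the rows combine.

```python
# Added example, not the skill's own code: score the Severity Assessment Matrix
# and pick the action list for the resulting level. Boundary handling and
# "worst factor wins" are assumptions, not something the page specifies.
LEVELS = ["Low", "Medium", "High", "Critical"]

EXECUTION = {"not_executed": 0, "downloaded_only": 1, "executed": 2, "active_c2": 3}
NETWORK_IOCS = {"none": 0, "benign": 1, "suspicious": 2, "known_malicious": 3}
DATA_AT_RISK = {"none": 0, "low_value": 1, "pii_or_credentials": 2, "critical_systems": 3}

ACTIONS = {
    "Critical": ["Immediately isolate affected hosts", "Block network IOCs at firewall",
                 "Escalate to Incident Response", "Preserve forensic evidence"],
    "Medium": ["Monitor affected hosts closely", "Block known malicious IOCs",
               "Schedule endpoint scan", "Escalate to Tier 2"],
    "Low": ["Document findings", "Monitor for recurrence", "Close with detailed notes"],
}
ACTIONS["High"] = ACTIONS["Critical"]   # the page gives Critical and High the same list


def detection_level(malicious_engines):
    """GTI Detection row: < 5 Low, 5-20 Medium, 20-50 High, > 50 Critical."""
    if malicious_engines < 5:
        return 0
    if malicious_engines <= 20:
        return 1
    if malicious_engines <= 50:
        return 2
    return 3


def spread_level(host_count):
    """Spread row: single host Low, 2-5 Medium, 5-20 High, > 20 Critical."""
    if host_count <= 1:
        return 0
    if host_count <= 5:
        return 1
    if host_count <= 20:
        return 2
    return 3


def assess(malicious_engines, execution, host_count, network, data_at_risk):
    """Return (overall_level, per_factor_levels) for the Step 8 note."""
    factors = {
        "GTI Detection": detection_level(malicious_engines),
        "Execution": EXECUTION[execution],
        "Spread": spread_level(host_count),
        "Network IOCs": NETWORK_IOCS[network],
        "Data at Risk": DATA_AT_RISK[data_at_risk],
    }
    overall = max(factors.values())    # assumption: the worst factor drives the case
    return LEVELS[overall], {name: LEVELS[v] for name, v in factors.items()}


def recommended_actions(level):
    return list(ACTIONS[level])


if __name__ == "__main__":
    level, factors = assess(45, "executed", 3, "suspicious", "pii_or_credentials")
    print("Assessment:", level, factors)
    for i, action in enumerate(recommended_actions(level), 1):
        print(f"{i}. {action}")
```

Taking the worst factor means a file seen on one host but actively beaconing is still rated Critical; if your team prefers a weighted score, replace the `max` in `assess` while keeping the per-factor levels, which are what the analyst records in the note.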