
respond-malware

Respond to a malware incident following PICERL methodology. Use when malware is detected on endpoints. Orchestrates triage, containment, eradication, and recovery. Works with triage-malware skill for analysis.

Install with Tessl CLI

npx tessl i github:dandye/ai-runbooks --skill respond-malware

Malware Incident Response Skill

Structured workflow for responding to suspected malware incidents using the PICERL model.

Inputs

  • CASE_ID - SOAR case ID for the incident
  • ALERT_GROUP_IDENTIFIERS - Alert group identifiers from SOAR
  • INITIAL_INDICATORS - Details from initial alerts:
    • File hashes
    • IPs/domains
    • Affected hosts
    • Affected users

Required Outputs

After completing each phase, you MUST report these outputs:

Identification Phase

Output            Description
AFFECTED_HOSTS    Hosts with confirmed malware
MALWARE_SAMPLES   File hashes requiring triage/analysis
MALWARE_IOCS      Network indicators (IPs, domains, URLs)
AFFECTED_USERS    Users who executed/accessed malware

Containment Phase

Output            Description
ISOLATED_HOSTS    Hosts successfully isolated from the network
BLOCKED_IOCS      IOCs blocked at firewall/proxy

Eradication Phase

Output               Description
CLEANED_HOSTS        Hosts with malware removed
REMOVED_PERSISTENCE  Persistence mechanisms removed

Recovery Phase

Output             Description
RESTORED_HOSTS     Hosts restored to operational state
VALIDATION_STATUS  Post-recovery scan results

PICERL Phases

Phase 2: Identification

Step 2.1: Initial Triage

Use /triage-alert with CASE_ID for initial assessment.

secops-soar.get_case_full_details(case_id=CASE_ID)

Use /check-duplicates.

Step 2.2: Malware Triage

If a file hash is the primary indicator:

Use /triage-malware:

/triage-malware FILE_HASH=abc123 CASE_ID=1234

This provides:

  • GTI classification
  • Behavioral indicators
  • Network IOCs
  • Affected hosts/users

Step 2.3: IOC Enrichment

For other key IOCs (IPs, domains, URLs):

Use /enrich-ioc for each.

Step 2.4: Initial Scope Assessment

Compile the Identification Phase outputs:

  • AFFECTED_ENDPOINTS - Hosts with malware (reported as AFFECTED_HOSTS)
  • AFFECTED_USERS - Users who executed/accessed the malware
  • MALICIOUS_IOCs - Network indicators (reported as MALWARE_IOCS)

Use /document-in-case with findings.


Phase 3: Containment

Step 3.1: Endpoint Isolation

For each endpoint in AFFECTED_ENDPOINTS:

Use /confirm-action:

"Isolate endpoint [HOSTNAME] from network?"

If confirmed, execute isolation via EDR.

Step 3.2: Network IOC Containment

For each IOC in MALICIOUS_IOCs:

Use /confirm-action:

"Block [IOC_TYPE] [VALUE] at firewall/proxy?"

If confirmed, implement blocks.

Step 3.3: User Account Containment

If a compromised user account is involved:

Trigger /respond-compromised-account.

Step 3.4: Verify Containment

Monitor for continued activity:

secops-mcp.search_security_events(
    text="Activity from contained IOCs or endpoints",
    hours_back=1
)

Use /document-in-case with containment status.


Phase 4: Eradication

Step 4.1: Identify Persistence

From the /triage-malware results and the GTI behavior summary, identify persistence mechanisms such as:

  • Scheduled tasks
  • Services installed
  • Registry modifications
  • Dropped files
  • WMI subscriptions

Step 4.2: Remove Malware & Persistence

(Requires EDR/endpoint tools)

Execute removal plan:

  1. Terminate malicious processes
  2. Delete malware files
  3. Remove persistence mechanisms
  4. Clear malicious registry keys

Step 4.3: Scan for Residual Infection

(Requires EDR/AV tools)

Perform thorough scans post-eradication.

Use /document-in-case with eradication results.


Phase 5: Recovery

Step 5.1: Determine Recovery Strategy

Based on severity and whether admin rights were involved:

Factor                       Rebuild   Clean
Admin rights compromised     Yes
Unknown malware              Yes
Known commodity malware                Consider
High confidence eradication            Consider

Step 5.2: Execute Recovery

(Involves IT Ops/System Admins)

  • Rebuild from known-good image OR clean existing
  • Apply all patches before reconnecting
  • Perform vulnerability scan
  • Restore data from clean backups if needed

Step 5.3: Monitor Recovered Systems

Closely monitor for 24-72 hours post-recovery:

  • Watch for re-infection indicators
  • Monitor for unusual behavior
  • Verify normal operations
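
A way to check the containment status from Step 3.4 and the re-infection watch from Step 5.3 against event data, as an added Python example that is not part of this skill or the ai-runbooks project. It assumes a simplified event record (timestamp, host, destination IP, destination domain) standing in for whatever secops-mcp.search_security_events returns; the events below are constructed.

```python
from datetime import datetime, timezone

# Constructed sample events (not real telemetry). The field names are an
# assumption standing in for the real search_security_events schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:05:00Z", "host": "WS-0142", "dest_ip": "203.0.113.7", "dest_domain": ""},
    {"ts": "2024-05-01T10:20:00Z", "host": "WS-0142", "dest_ip": "203.0.113.7", "dest_domain": ""},
    {"ts": "2024-05-01T10:31:00Z", "host": "WS-0177", "dest_ip": "198.51.100.2", "dest_domain": "bad.example"},
    {"ts": "2024-05-01T10:40:00Z", "host": "WS-0200", "dest_ip": "192.0.2.10", "dest_domain": "update.example"},
    {"ts": "2024-05-01T10:45:00Z", "host": "WS-0200", "dest_ip": "203.0.113.7", "dest_domain": ""},
]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def verify_containment(events, hosts, iocs, contained_at):
    """Flag hosts and IOCs that are still active after the containment (or recovery) time.

    hosts: ISOLATED_HOSTS (Step 3.4) or RESTORED_HOSTS (Step 5.3)
    iocs:  BLOCKED_IOCS (Step 3.4) or MALWARE_IOCS (Step 5.3)
    Any event after contained_at that involves one of them is a failure to
    report; a host outside `hosts` reaching a listed IOC is a new suspect
    that belongs in AFFECTED_HOSTS.
    """
    cutoff = _parse_ts(contained_at)
    host_status = {h: "contained" for h in hosts}
    ioc_status = {i: "blocked" for i in iocs}
    new_suspects = set()
    for ev in events:
        if _parse_ts(ev["ts"]) <= cutoff:
            continue  # activity before containment is expected; ignore it
        if ev["host"] in host_status:
            host_status[ev["host"]] = "ACTIVE AFTER ISOLATION"
        for ioc in (ev.get("dest_ip"), ev.get("dest_domain")):
            if ioc and ioc in ioc_status:
                ioc_status[ioc] = "ACTIVE AFTER BLOCK"
                if ev["host"] not in host_status:
                    new_suspects.add(ev["host"])
    return {
        "ISOLATED_HOSTS": host_status,
        "BLOCKED_IOCS": ioc_status,
        "NEW_SUSPECT_HOSTS": sorted(new_suspects),
    }


if __name__ == "__main__":
    print(verify_containment(SAMPLE_EVENTS, ["WS-0142", "WS-0177"],
                             ["203.0.113.7", "bad.example"], "2024-05-01T10:25:00Z"))
```

For the 24-72 hour watch in Step 5.3, run the same check with RESTORED_HOSTS and MALWARE_IOCS against the events of each monitoring window.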

Step 5.4: Lift Containment

Gradually remove isolation once confidence is high.

Use /document-in-case with recovery status.


Phase 6: Lessons Learned

Use /generate-report with:

  • Malware classification
  • Entry vector
  • Spread/impact
  • Response timeline
  • Recovery actions
  • Recommendations

Conduct review:

  • How did malware enter?
  • Was detection timely?
  • Were containment actions effective?
  • What detections should be added?

Critical Warnings

  • DO NOT skip endpoint isolation for confirmed infections
  • MUST identify malware strain/behavior
  • DO NOT restore without verifying eradication
  • ALWAYS verify scan results before reconnecting
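
The Required Outputs and the Critical Warnings above can be enforced as a gate before each phase is reported, as an added Python example that is not part of this skill or the ai-runbooks project. It assumes the outputs are collected into one dictionary keyed by phase name, with VALIDATION_STATUS as a mapping of host to scan result; the sample report is constructed.

```python
# Required outputs per phase, as listed in this skill's Required Outputs tables.
REQUIRED_OUTPUTS = {
    "Identification": ["AFFECTED_HOSTS", "MALWARE_SAMPLES", "MALWARE_IOCS", "AFFECTED_USERS"],
    "Containment": ["ISOLATED_HOSTS", "BLOCKED_IOCS"],
    "Eradication": ["CLEANED_HOSTS", "REMOVED_PERSISTENCE"],
    "Recovery": ["RESTORED_HOSTS", "VALIDATION_STATUS"],
}


def check_phase_outputs(report):
    """Return gate findings; an empty list means the report passes.

    report shape (assumed): {phase: {OUTPUT_NAME: value}}, where
    VALIDATION_STATUS is {host: scan_result}. Gates encode the Critical Warnings.
    """
    findings = []
    for phase, keys in REQUIRED_OUTPUTS.items():
        for k in keys:
            if phase in report and k not in report[phase]:
                findings.append(f"{phase}: missing required output {k}")
    ident = report.get("Identification", {})
    cont = report.get("Containment", {})
    erad = report.get("Eradication", {})
    rec = report.get("Recovery", {})
    # DO NOT skip endpoint isolation for confirmed infections
    if "Containment" in report:
        for h in sorted(set(ident.get("AFFECTED_HOSTS", [])) - set(cont.get("ISOLATED_HOSTS", []))):
            findings.append(f"Containment: confirmed host {h} was not isolated")
    # MUST identify malware strain/behavior
    if "MALWARE_SAMPLES" in ident and not ident["MALWARE_SAMPLES"]:
        findings.append("Identification: no malware sample identified for triage")
    # A cleaned host that was never isolated means containment was skipped for it
    for h in sorted(set(erad.get("CLEANED_HOSTS", [])) - set(cont.get("ISOLATED_HOSTS", []))):
        findings.append(f"Eradication: {h} cleaned but never isolated")
    # DO NOT restore without verifying eradication; ALWAYS verify scan results
    scans = rec.get("VALIDATION_STATUS", {})
    for h in rec.get("RESTORED_HOSTS", []):
        if h not in erad.get("CLEANED_HOSTS", []):
            findings.append(f"Recovery: {h} restored without eradication")
        elif scans.get(h) != "clean":
            findings.append(f"Recovery: {h} restored with scan result {scans.get(h)!r}")
    return findings


# Constructed sample report: WS-0177 was restored without ever being isolated or cleaned.
SAMPLE_REPORT = {
    "Identification": {"AFFECTED_HOSTS": ["WS-0142", "WS-0177"], "MALWARE_SAMPLES": ["<sha256 placeholder>"],
                       "MALWARE_IOCS": ["bad.example"], "AFFECTED_USERS": ["jdoe"]},
    "Containment": {"ISOLATED_HOSTS": ["WS-0142"], "BLOCKED_IOCS": ["bad.example"]},
    "Eradication": {"CLEANED_HOSTS": ["WS-0142"], "REMOVED_PERSISTENCE": ["scheduled task"]},
    "Recovery": {"RESTORED_HOSTS": ["WS-0142", "WS-0177"], "VALIDATION_STATUS": {"WS-0142": "clean"}},
}
```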

Malware Response Quick Reference

Phase           Key Question      Action
Identification  What is it?       /triage-malware
Identification  Where is it?      SIEM search
Containment     Stop the spread   Isolate endpoints
Containment     Block C2          Block network IOCs
Eradication     Remove it         EDR remediation
Recovery        Restore ops       Rebuild or clean

Repository: dandye/ai-runbooks