CtrlK
BlogDocsLog inGet started
Tessl Logo

triage-malware

Triage a suspected malicious file hash. Use when investigating malware alerts or suspicious files. Analyzes GTI file report, behavioral indicators, identifies affected hosts, enriches network IOCs, and recommends containment actions.

96

Quality

96%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Malware Triage Skill

Perform initial analysis and context gathering for a suspected malicious file hash identified during an investigation or alert.

Inputs

  • FILE_HASH - MD5, SHA1, or SHA256 hash of the suspected file
  • CASE_ID - SOAR case ID for documentation
  • ALERT_GROUP_IDENTIFIERS - Alert group identifiers from the case
  • (Optional) TIME_FRAME_HOURS - Lookback period (default: 72)

Workflow

Step 1: Get Case Context

secops-soar.get_case_full_details(case_id=CASE_ID)

Step 2: GTI File Report

gti-mcp.get_file_report(hash=FILE_HASH)

Record:

  • Detection ratio (e.g., 45/70 engines)
  • Malware family classification
  • First/last seen dates
  • Associated threat actors or campaigns

Step 3: GTI Behavior Summary

gti-mcp.get_file_behavior_summary(hash=FILE_HASH)

Extract behavioral indicators:

  • Network: Contacted IPs/domains → NETWORK_IOCs_GTI
  • File system: Dropped files, modified files
  • Registry: Modified keys
  • MITRE TTPs: Observed techniques from sandbox

Step 4: SIEM Execution Check

Search for file execution events:

secops-mcp.search_security_events(
    text='target.file.sha256 = "FILE_HASH" OR target.file.md5 = "FILE_HASH"',
    hours_back=TIME_FRAME_HOURS
)

Look for: PROCESS_LAUNCH, FILE_CREATION, FILE_MODIFICATION

Identify:

  • AFFECTED_HOSTS - Machines where file was seen
  • AFFECTED_USERS - Users who executed/accessed the file

Step 5: SIEM Network Activity

Search for network connections from processes with this hash:

secops-mcp.search_security_events(
    text='principal.process.file.sha256 = "FILE_HASH"',
    hours_back=TIME_FRAME_HOURS
)

Extract: NETWORK_IOCs_SIEM (contacted IPs/domains)

Step 6: Enrich Network IOCs

Combine NETWORK_IOCs_GTI + NETWORK_IOCs_SIEMALL_NETWORK_IOCs

For each network IOC, use /enrich-ioc:

  • Check GTI reputation
  • Check SIEM presence
  • Check IOC match status

Step 7: Check Related Cases

Use /find-relevant-case with:

SEARCH_TERMS = AFFECTED_HOSTS + AFFECTED_USERS + ALL_NETWORK_IOCs

Step 8: Synthesize & Document

Use /document-in-case with assessment:

Malware Triage for Hash FILE_HASH:
- GTI Classification: [family, detection ratio]
- Behavior: [network, files, registry]
- Affected Hosts: [list]
- Network IOCs: [with enrichment]
- Related Cases: [list]

Assessment: [severity level]

Recommendation:
- [ ] Isolate affected hosts
- [ ] Block network IOCs
- [ ] Escalate to IR
- [ ] Monitor only

Required Outputs

After completing this skill, you MUST report these outputs:

OutputDescription
MALWARE_CLASSIFICATIONGTI verdict and malware family (e.g., "Emotet - Banking Trojan")
BEHAVIORAL_IOCSNetwork IOCs from sandbox analysis (contacted IPs/domains)
AFFECTED_HOSTSHosts where this malware was executed or detected
AFFECTED_USERSUsers who executed or accessed the malware
TRIAGE_VERDICTOverall verdict: malicious, suspicious, or clean

Severity Assessment Matrix

FactorLowMediumHighCritical
GTI Detection< 5 engines5-20 engines20-50 engines> 50 engines
ExecutionNot executedDownloaded onlyExecutedActive C2
SpreadSingle host2-5 hosts5-20 hosts> 20 hosts
Network IOCsNone observedBenignSuspiciousKnown malicious
Data at RiskNoneLow valuePII/credentialsCritical systems

Recommended Actions by Severity

Critical/High:

  1. Immediately isolate affected hosts
  2. Block network IOCs at firewall
  3. Escalate to Incident Response
  4. Preserve forensic evidence

Medium:

  1. Monitor affected hosts closely
  2. Block known malicious IOCs
  3. Schedule endpoint scan
  4. Escalate to Tier 2

Low:

  1. Document findings
  2. Monitor for recurrence
  3. Close with detailed notes
Repository
dandye/ai-runbooks
Commit

4d132c7

Last updated
Created

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.

Claim skill