sop_malware_critical_controls.md

File metadata and controls

108 lines (61 loc) · 3.74 KB

Standard Operating Procedure for the compromise (malware) suspicion use case on Windows boxes

Not all main steps of the SOP are always required: as soon as there is a detection, security analysts may want to stop there and have the sample analyzed (or do the analysis themselves). Depending on the context, one may still want to go through to the end of the SOP after a detection, or not.

1) Quick antimalware check

Leverage the already-installed AV

  • Force the update of the locally installed AV;
  • Start a full scan with the locally installed AV.

Run an additional quick antimalware scan

2) Additional full antimalware check

Portable antimalware scan

Run a full and portable antimalware scan

If no detection

Run an offline antimalware scan
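The first step (force the update, full scan with the installed AV) and the offline scan of step 2 can be driven from PowerShell when the installed AV is Microsoft Defender. The following is an added example, not part of the original SOP; it assumes Defender is the locally installed AV, that the Defender PowerShell module is present (Windows 10/11, Server 2016+) and that the shell runs elevated. It also records the engine and signature state before and after the update, which belongs in the incident notes.

```powershell
# Added example (not part of the original SOP). Assumes Microsoft Defender
# Antivirus is the locally installed AV and the shell is elevated.
#Requires -RunAsAdministrator

function Invoke-DefenderTriage {
    param(
        [switch]$OfflineScan   # also schedule a Microsoft Defender Offline scan (reboots the box)
    )

    # Record engine/signature state before doing anything, for the incident log.
    $before = Get-MpComputerStatus |
        Select-Object AMEngineVersion, AntivirusSignatureVersion, AntivirusSignatureLastUpdated, RealTimeProtectionEnabled
    Write-Host "[*] Defender status before update:"
    $before | Format-List | Out-String | Write-Host

    # Step 1: force a signature update, then a full scan.
    Write-Host "[*] Forcing signature update..."
    Update-MpSignature -ErrorAction Stop

    $after = Get-MpComputerStatus
    Write-Host ("[*] Signatures now {0} (updated {1})" -f $after.AntivirusSignatureVersion, $after.AntivirusSignatureLastUpdated)

    Write-Host "[*] Starting full scan (this can take a long time)..."
    Start-MpScan -ScanType FullScan -ErrorAction Stop

    # Anything found? Capture what Defender reports before quarantine/removal hides it.
    $detections = @(Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending)
    if ($detections.Count -gt 0) {
        Write-Host ("[!] {0} detection(s):" -f $detections.Count)
        $detections |
            Select-Object InitialDetectionTime, ThreatID, ProcessName, @{n='Resources'; e={ $_.Resources -join '; ' }} |
            Format-Table -AutoSize | Out-String | Write-Host
        # Threat names live in Get-MpThreat, keyed by ThreatID.
        Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID | Format-Table -AutoSize | Out-String | Write-Host
    } else {
        Write-Host "[*] No detections from the local AV."
        if ($OfflineScan) {
            # Step 2 "offline scan": Microsoft Defender Offline boots into a WinRE-based
            # environment, scans, then reboots back into Windows. Save your work first.
            Write-Host "[*] Scheduling Microsoft Defender Offline scan; the machine will reboot."
            Start-MpWDOScan
        }
    }
    return $detections
}

# Usage, as administrator on the suspect host:
# Invoke-DefenderTriage -OfflineScan
```

Run it without `-OfflineScan` first if you cannot afford a reboot at that moment; the offline scan is the fallback for the "no detection" branch, exactly as the SOP orders the steps.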

If detection

Handle the sample

  • Try not to delete the file, and grab the sample;
  • Send the sample to the support of the AV solution that did not detect it;
  • Add the IOC (file hash) to your TIP.

3) IOC scanner

Run a scanner with embedded IOC list

  • My recommendation: Thor Lite
  • Don't forget to extract your own IOCs, which are stored and updated in your TIP (either MISP or OpenCTI), and add them to Thor Lite
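Extracting your own IOCs from the TIP and feeding them to Thor Lite is the step most often skipped, so here it is scripted. This is an added example, not code from the SOP or from the Thor or MISP projects. It assumes a MISP instance reachable at the URL you pass, an API key in `MISP_KEY`, and the THOR custom IOC layout as I read it from the THOR manual: a `custom-signatures\iocs` folder next to the Thor binary, one `value;comment` per line, with "hash" in the file name for hash IOCs and "c2" for network IOCs. Check both conventions against your own versions before relying on them.

```powershell
# Added example (not part of the original SOP). Assumptions: MISP REST API at
# $MispUrl with the key in $env:MISP_KEY; THOR Lite reads custom IOC files from
# <thor dir>\custom-signatures\iocs, "value;comment" per line, file name
# containing "hash" (hash IOCs) or "c2" (network IOCs).

function Export-MispIocsForThor {
    param(
        [Parameter(Mandatory)] [string]$MispUrl,      # e.g. https://misp.example.internal
        [Parameter(Mandatory)] [string]$ThorDir,      # folder where thor-lite.exe lives
        [string]$ApiKey = $env:MISP_KEY,
        [int]$Days = 365                               # only attributes published in this window
    )
    if (-not $ApiKey) { throw "MISP API key missing (set MISP_KEY)." }

    $headers = @{ Authorization = $ApiKey; Accept = 'application/json'; 'Content-Type' = 'application/json' }
    # restSearch body: only IDS-flagged attributes of the types THOR can use.
    $body = @{
        returnFormat      = 'json'
        type              = @('md5', 'sha1', 'sha256', 'ip-dst', 'domain', 'hostname')
        to_ids            = 1
        published         = 1
        publish_timestamp = "${Days}d"
    } | ConvertTo-Json

    $resp  = Invoke-RestMethod -Method Post -Uri "$MispUrl/attributes/restSearch" -Headers $headers -Body $body
    $attrs = @($resp.response.Attribute)
    Write-Host ("[*] {0} to_ids attributes returned by MISP" -f $attrs.Count)

    $iocDir = Join-Path $ThorDir 'custom-signatures\iocs'
    New-Item -ItemType Directory -Path $iocDir -Force | Out-Null

    # THOR line format: value;comment. Strip ';' and newlines from the comment so one IOC stays on one line.
    $fmt = { param($a) '{0};MISP event {1} {2}' -f $a.value, $a.event_id, (($a.comment -replace '[;\r\n]', ' ').Trim()) }

    $hashes = @($attrs | Where-Object { $_.type -in 'md5', 'sha1', 'sha256' } | ForEach-Object { & $fmt $_ } | Sort-Object -Unique)
    $c2     = @($attrs | Where-Object { $_.type -in 'ip-dst', 'domain', 'hostname' } | ForEach-Object { & $fmt $_ } | Sort-Object -Unique)

    # UTF-8 without BOM so the first line is parsed like the others.
    $enc = New-Object System.Text.UTF8Encoding($false)
    [IO.File]::WriteAllLines((Join-Path $iocDir 'misp-hash-iocs.txt'), [string[]]$hashes, $enc)
    [IO.File]::WriteAllLines((Join-Path $iocDir 'misp-c2-iocs.txt'),   [string[]]$c2,     $enc)

    Write-Host ("[*] Wrote {0} hash IOCs and {1} C2 IOCs to {2}" -f $hashes.Count, $c2.Count, $iocDir)
}

# Usage, then start Thor Lite as usual; it loads the custom IOC folder at start:
# Export-MispIocsForThor -MispUrl 'https://misp.example.internal' -ThorDir 'C:\Tools\thor-lite'
```

Filtering on `to_ids` matters: attributes without that flag (analyst notes, file names, contextual data) produce noise in a scanner, and publishing time keeps the list from growing unbounded on an old TIP.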

If detection

Handle the sample

  • Try not to delete the file, and grab the sample;
  • Send the sample to the support of the AV solution that did not detect it;
  • Add the IOC (file hash) to your TIP.

4) Live analysis tools

SysInternals Suite

Download

Retrieve needed tools

  • My recommendations: Process Explorer, Autoruns, TCPView
    • you may also want to leverage Process Monitor, but be aware that it consumes considerable resources on the machine being analyzed, and the trace is likely to take a long time to analyze (hours if not days)

Live check

  • Run the recommended SysInternals tools (as local admin);
  • Check for suspicious activity:
    • check all images of running processes and DLLs:
      • unsigned binaries;
      • abnormal execution paths;
      • query VirusTotal (see Process Explorer options) for all binaries (exe/dll);
    • check all network activity (destination IP);
    • check for suspicious persistence items (using Autoruns);
    • check for suspicious filesystem activity.
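The live check above is done by eye in Process Explorer, TCPView and Autoruns. The script below is an added example, not part of the SOP and not a Sysinternals tool: it produces a first-pass shortlist of what those tools would show, so the analyst knows where to look first. It lists process images and loaded DLLs that are unsigned or run from outside the usual Windows and Program Files roots, established TCP connections by owning process, and the Run/RunOnce registry keys (Autoruns covers far more locations; this is only the most common subset). The optional VirusTotal lookup assumes the public v3 API (`GET /api/v3/files/{sha256}` with an `x-apikey` header) and a key in `VT_API_KEY`. Run it elevated.

```powershell
# Added example (not part of the original SOP). Scripted first pass over what
# Process Explorer, TCPView and Autoruns show. Assumes an elevated shell; the
# VirusTotal lookup assumes the public v3 API and a key in $env:VT_API_KEY.
#Requires -RunAsAdministrator

# Roots where Windows binaries normally live; anything else deserves a look.
$script:ExpectedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Test-UnusualPath([string]$p) {
    if (-not $p) { return $true }
    foreach ($root in $script:ExpectedRoots) {
        if ($p.StartsWith($root, 'OrdinalIgnoreCase')) { return $false }
    }
    return $true
}

function Get-SuspiciousImages {
    # One row per distinct image (exe or DLL) that is not validly signed or runs from an odd path.
    $seen = @{}
    foreach ($proc in Get-Process) {
        $mods = try { $proc.Modules } catch { @() }   # protected processes deny access
        foreach ($m in @($mods)) {
            $path = $m.FileName
            if (-not $path -or $seen.ContainsKey($path)) { continue }
            $seen[$path] = $true
            $sig    = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
            $status = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
            $odd    = Test-UnusualPath $path
            if ($status -ne 'Valid' -or $odd) {
                [pscustomobject]@{
                    Process = $proc.ProcessName; PID = $proc.Id; Image = $path
                    Signature = $status; UnusualPath = $odd
                    SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                }
            }
        }
    }
}

function Get-ProcessConnections {
    # TCPView-style list: which process talks to which remote address (loopback excluded).
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                PID = $_.OwningProcess; Process = $p.ProcessName; Image = $p.Path
                Remote = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
}

function Get-RunKeyPersistence {
    # Autoruns covers many more locations; these keys are the most commonly abused subset.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip PSPath/PSParentPath/PSProvider metadata
            [pscustomobject]@{ Key = $k; Name = $name; Command = $props.$name }
        }
    }
}

function Get-VirusTotalVerdict([string]$Sha256) {
    # Same question Process Explorer's VirusTotal column answers, for one hash.
    if (-not $env:VT_API_KEY) { throw 'Set VT_API_KEY first.' }
    $r = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$Sha256" -Headers @{ 'x-apikey' = $env:VT_API_KEY }
    $r.data.attributes.last_analysis_stats   # malicious / suspicious / undetected / harmless counts
}

# Usage:
# Get-SuspiciousImages   | Format-Table -AutoSize
# Get-ProcessConnections | Sort-Object Remote | Format-Table -AutoSize
# Get-RunKeyPersistence  | Format-Table -AutoSize
# Get-VirusTotalVerdict -Sha256 (Get-FileHash 'C:\path\to\suspect.exe').Hash
```

Treat the output as a worklist, not a verdict: unsigned binaries from legitimate vendors and software installed under user profiles will show up, and a rootkit hiding from the Windows API will not, which is why the SOP follows this step with an anti-rootkit and a memory dump.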

If detection

  • Grab the sample and send it to the support of the AV vendor that did not detect it;
  • Add the IOC (file hash) to your TIP.
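The "handle the sample" block recurs after every detection in steps 2, 3 and 4: keep the file, grab it, send it to the vendor, add the hash to the TIP. The function below is an added example, not part of the SOP, that does the collection and TIP parts in one go. It copies the file (never moves or deletes it), hashes original and copy, writes a metadata record for the report, and optionally adds the SHA-256 as a `to_ids` attribute to an existing MISP event. The evidence folder, MISP URL, key and event id are assumptions for your environment; the endpoint `POST /attributes/add/{event_id}` is the one documented by the MISP REST API.

```powershell
# Added example (not part of the original SOP). Assumptions: evidence folder
# path, MISP URL/key/event id are yours; MISP endpoint POST /attributes/add/{id}.

function Save-SuspiciousSample {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$EvidenceDir = 'C:\IR\samples',
        [string]$MispUrl,                 # optional, e.g. https://misp.example.internal
        [int]$MispEventId,                # optional, an existing incident event
        [string]$MispKey = $env:MISP_KEY
    )
    $file = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

    # Hash the original, copy it, then hash the copy: proves the copy is faithful.
    $hashes = @{}
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $hashes[$alg] = (Get-FileHash -LiteralPath $file.FullName -Algorithm $alg).Hash.ToLower()
    }
    # Name the copy by hash with a neutral extension so nobody double-clicks it into execution.
    $dest = Join-Path $EvidenceDir ($hashes.SHA256 + '.bin')
    Copy-Item -LiteralPath $file.FullName -Destination $dest -Force
    $copyHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash.ToLower()
    if ($copyHash -ne $hashes.SHA256) { throw "Copy verification failed for $Path" }

    $sig    = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $record = [ordered]@{
        collected_utc = (Get-Date).ToUniversalTime().ToString('o')
        host          = $env:COMPUTERNAME
        original_path = $file.FullName
        size          = $file.Length
        created_utc   = $file.CreationTimeUtc.ToString('o')
        modified_utc  = $file.LastWriteTimeUtc.ToString('o')
        owner         = (Get-Acl -LiteralPath $file.FullName).Owner
        signature     = $sig.Status.ToString()
        signer        = $signer
        md5           = $hashes.MD5
        sha1          = $hashes.SHA1
        sha256        = $hashes.SHA256
        evidence_copy = $dest
    }
    # Metadata sits next to the copy; the vendor gets the .bin, your report gets the .json.
    $record | ConvertTo-Json | Set-Content -LiteralPath ($dest + '.json') -Encoding UTF8

    # Push the hash to the TIP so the IOC scanner of step 3 knows it next time.
    if ($MispUrl -and $MispEventId -and $MispKey) {
        $headers = @{ Authorization = $MispKey; Accept = 'application/json'; 'Content-Type' = 'application/json' }
        $attr = @{
            type     = 'sha256'
            category = 'Payload delivery'
            value    = $hashes.SHA256
            to_ids   = $true
            comment  = "Undetected sample from $env:COMPUTERNAME, original path $($file.FullName)"
        } | ConvertTo-Json
        Invoke-RestMethod -Method Post -Uri "$MispUrl/attributes/add/$MispEventId" -Headers $headers -Body $attr | Out-Null
        Write-Host "[*] SHA-256 added to MISP event $MispEventId"
    }
    return [pscustomobject]$record
}

# Usage:
# Save-SuspiciousSample -Path 'C:\Users\Public\update.exe' -MispUrl 'https://misp.example.internal' -MispEventId 1234
```

Run it before the AV gets another chance at the file: once a scanner quarantines or deletes it, you are left restoring from quarantine, and the original timestamps and ACL owner recorded here are gone.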

If no detection

Run an anti-rootkit

  • My recommendation: GMER

5) Live memory (RAM) analysis

Memory dump creation

  • Do a full memory dump with the tool of your choosing

Memory dump analysis

  • Run an analysis of the memory dump

Be aware that this analysis step may require hours if not days, and its duration is hard to predict!

END