APT / Nation-State Intrusion Investigation Assessment

Assessment template for advanced persistent threat investigations covering TTP profiling, volatile evidence preservation, dwell-time hunting, assume-breach identity reset, and intelligence sharing.


Triage

Investigation Timeframe Bounded (critical)

Confirm that the investigation window has been defined with clear T-start (earliest known indicator) and T-end boundaries. The timeframe should include a safety buffer of at least 48 hours before the first detected IOC to account for pre-compromise reconnaissance.

Without a bounded timeframe, investigation scope creep will waste resources and delay containment.

Patient Zero Identified (critical)

Verify that the initially compromised system, account, or entry point has been identified and documented. Patient zero determination should be supported by corroborating evidence from multiple log sources such as EDR, authentication logs, and email gateway records.

Cannot determine full blast radius without identifying the initial compromise point.

Severity Classified (high)

Ensure the incident has been assigned a severity level based on observed impact, affected asset criticality, and potential data exposure. The classification should follow the organization's incident severity matrix and be reflected in all communications and ticket metadata.

TTP Profile Built Against MITRE ATT&CK (high)

Confirm that observed techniques have been enumerated against MITRE ATT&CK tactics and 3-5 candidate threat groups have been identified based on tradecraft match. Attribution confidence is documented with supporting evidence.

Containment

Compromised Systems Isolated (critical)

Confirm that all systems identified as compromised have been isolated from the network. Isolation should be verified through network-level controls (VLAN segmentation, firewall rules, or EDR network quarantine) rather than simply disabling accounts on the host.

Active threat spread continues unchecked, increasing damage and recovery cost.

Compromised Accounts Locked (critical)

Verify that all accounts known or suspected to be compromised have been disabled or had their credentials forcibly rotated. This includes service accounts, shared accounts, and any accounts with elevated privileges that the attacker may have accessed.

Attacker retains access to execute further actions using compromised credentials.

Containment Scope Validated (high)

Assess whether the containment boundary is comprehensive enough to cover all known attacker footholds. Review lateral movement evidence, C2 communication logs, and authentication patterns to confirm no alternate access paths remain outside the containment perimeter.

Preservation

Volatile Memory Captured (critical)

Confirm that volatile memory (RAM) has been captured from all key compromised systems before any reboot or remediation action. Memory dumps should be acquired using forensically-sound tools and stored with proper chain of custody documentation.

Memory evidence is lost permanently on reboot: active processes, encryption keys, and network connections are gone.

Critical Logs Snapshotted (critical)

Verify that all critical log sources have been snapshotted or exported to a tamper-proof location. This includes SIEM data, Windows Event Logs, authentication logs, email gateway logs, and cloud audit trails that fall within the investigation timeframe.

Log rotation or attacker log clearing may destroy critical timeline evidence.

Chain of Custody Documented (high)

Ensure that a formal chain of custody record exists for every piece of evidence collected. Each record must include the evidence hash, collector identity, collection timestamp, storage location, and any transfers between custodians.
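An added example (not part of this template) of a minimal chain-of-custody record that carries the fields listed above and re-hashes the evidence on every hand-off, so a transfer of a modified file is refused. The record layout, the `demo()` sample file and the custodian names are constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Hypothetical chain-of-custody record: one dict per evidence item with an
# append-only list of custody events (not a standard format).
def sha256_file(path, chunk=1 << 20):
    """Hash the evidence file in chunks so multi-GB memory images fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def now_utc():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def open_record(evidence_id, path, collector, storage):
    """Create the record at collection time: hash, collector, timestamp, location."""
    return {"evidence_id": evidence_id, "sha256": sha256_file(path),
            "events": [{"action": "collected", "by": collector,
                        "at": now_utc(), "location": storage}]}

def transfer(record, path, from_custodian, to_custodian, new_location):
    """Record a hand-off; refuse if the file no longer matches the original hash."""
    current = sha256_file(path)
    if current != record["sha256"]:
        raise ValueError(f"integrity failure on {record['evidence_id']}: {current}")
    record["events"].append({"action": "transferred", "from": from_custodian,
                             "to": to_custodian, "at": now_utc(),
                             "location": new_location})
    return record

def verify(record, path):
    """Re-hash the evidence; True only if it still matches the collection-time hash."""
    return sha256_file(path) == record["sha256"]

def demo():
    """Constructed sample: a fake memory image, one hand-off, then one flipped byte."""
    with tempfile.TemporaryDirectory() as d:
        dump = os.path.join(d, "host01-memory.raw")
        with open(dump, "wb") as f:
            f.write(b"constructed sample memory image\n" * 1000)
        rec = open_record("EV-0001", dump, "analyst.a", "evidence-safe-1")
        transfer(rec, dump, "analyst.a", "analyst.b", "forensic-lab-nas")
        intact = verify(rec, dump)
        with open(dump, "r+b") as f:
            f.write(b"X")  # simulate tampering after the transfer
        return len(rec["events"]), intact, verify(rec, dump)
```

`demo()` returns the number of custody events, whether the image verified after the transfer, and whether it still verifies after the byte flip.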

Volatile Evidence Preserved Before Containment (critical)

Confirm memory captures and active-network-connection snapshots have been taken on suspected-compromised hosts before any containment action. APT tooling often lives in memory; rushed containment destroys evidence that is hard to recreate.

Lost volatile evidence makes subsequent attribution and capability analysis significantly harder.

Collection

EDR Telemetry Collected (high)

Confirm that endpoint detection and response telemetry has been collected from all in-scope systems for the investigation timeframe. Telemetry should include process execution trees, file modifications, network connections, and registry changes.

All Relevant Log Sources Collected (high)

Validate that evidence has been gathered from every relevant log source including EDR, SIEM, cloud audit logs, email gateway, proxy, DNS, VPN, and authentication systems. Cross-reference the log source inventory against the incident scope to identify any gaps.

Analysis

Lateral Movement Mapped (high)

Verify that all lateral movement activity has been identified and mapped across the environment. Analysis should cover RDP sessions, SMB connections, WMI/PSRemoting, pass-the-hash/pass-the-ticket activity, and any anomalous authentication patterns between systems.
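An added example (not part of this template) of the mapping step: it walks Windows Security 4624 logon events in time order and propagates compromise only along logons whose source host was already in the compromised set at that moment, flagging NTLM authentications as possible pass-the-hash. The event sample, the IP-to-host inventory and the patient-zero host are all constructed.

```python
import json
from datetime import datetime

# Constructed sample: Windows Security 4624 logon events exported as JSON lines.
# Logon type 3 = network (SMB/WMI/PSRemoting), 10 = RemoteInteractive (RDP).
SAMPLE_4624 = """
{"time":"2024-03-01T09:00:00","host":"SRV-FILE01","user":"asmith","src_ip":"10.0.1.11","logon_type":3,"auth":"Kerberos"}
{"time":"2024-03-01T10:05:00","host":"SRV-FILE01","user":"jdoe","src_ip":"10.0.1.10","logon_type":3,"auth":"Kerberos"}
{"time":"2024-03-01T10:40:00","host":"SRV-DC01","user":"svc_backup","src_ip":"10.0.2.20","logon_type":10,"auth":"NTLM"}
{"time":"2024-03-01T11:00:00","host":"SRV-FILE02","user":"adm_ops","src_ip":"10.0.2.5","logon_type":3,"auth":"Kerberos"}
{"time":"2024-03-01T11:30:00","host":"WS07","user":"asmith","src_ip":"10.0.1.11","logon_type":3,"auth":"Kerberos"}
"""

# Constructed IP-to-host inventory (a DHCP/CMDB export in a real case).
IP_TO_HOST = {"10.0.1.10": "WS01", "10.0.1.11": "WS02",
              "10.0.2.20": "SRV-FILE01", "10.0.2.5": "SRV-DC01"}

def parse_events(text):
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
        e["src_host"] = IP_TO_HOST.get(e["src_ip"], e["src_ip"])
    return sorted(events, key=lambda e: e["time"])

def map_lateral_movement(events, patient_zero, t_start):
    """Propagate compromise along logons whose source host was already
    compromised at that time. Returns (ordered movement edges, host -> first
    compromise time)."""
    compromised = {patient_zero: t_start}
    edges = []
    for e in events:
        src, dst = e["src_host"], e["host"]
        if src in compromised and e["time"] >= compromised[src] and src != dst:
            # NTLM on a domain-joined host where Kerberos is the norm is a
            # common pass-the-hash tell; flag it for the analyst.
            tag = "possible pass-the-hash" if e["auth"] == "NTLM" else ""
            edges.append((src, dst, e["user"], e["logon_type"],
                          e["time"].isoformat(), tag))
            compromised.setdefault(dst, e["time"])
    return edges, compromised

def run():
    """Patient zero WS01, compromised from 10:00 on the sample day."""
    events = parse_events(SAMPLE_4624)
    return map_lateral_movement(events, "WS01", datetime(2024, 3, 1, 10, 0))

if __name__ == "__main__":
    edges, hosts = run()
    for e in edges:
        print(f"{e[0]} -> {e[1]}  user={e[2]} type={e[3]} at={e[4]} {e[5]}")
    print("compromised hosts:", sorted(hosts))
```

The two logons from WS02 never become edges because WS02 is not in the compromised set; the RDP logon to SRV-DC01 is the flagged hop.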

Root Cause Determined (critical)

Confirm that the root cause of the incident has been identified, including the initial attack vector, any exploited vulnerabilities, and the conditions that allowed the compromise to succeed. The root cause should be documented with supporting evidence from forensic analysis.

Without root cause, the same attack vector remains open for re-compromise.

Investigation Window Extended to Retention Limit (high)

Confirm that the investigation window has been extended to the full retention period of each log source. Any source whose retention is shorter than the suspected dwell time is documented as a gap, together with a recovery plan (backups, SIEM cold storage, provider escalation).

Eradication

Malware & Tools Removed (critical)

Confirm that all attacker-deployed malware, scripts, remote access tools, and utilities have been identified and removed from every affected system. Removal should be validated through post-remediation scans and manual verification of common persistence locations.

Residual malware enables the attacker to regain access after recovery.

Persistence Mechanisms Cleared (critical)

Verify that all attacker persistence mechanisms have been identified and removed. This includes scheduled tasks, registry run keys, startup folder entries, WMI subscriptions, service installations, DLL hijacks, and any modified Group Policy Objects.

Persistence mechanisms survive system cleanup and enable long-term re-access.

Credentials Reset (critical)

Ensure that all credentials known or suspected to be compromised have been reset, including user passwords, service account passwords, API keys, certificates, and Kerberos tickets. The KRBTGT account should be reset twice if domain compromise is suspected.

Stolen credentials remain valid and allow the attacker to re-enter the environment.

Assume-Breach Identity Reset Executed (critical)

Verify that a full identity reset has been executed: double krbtgt rotation, service-account rotation, domain-admin and Entra ID global-admin reset, organization-wide refresh-token revocation, and rebuild of confirmed-compromised systems.

Surgical cleanup without an identity-store reset is the top cause of APT re-compromise within weeks.

Recovery

Systems Rebuilt from Clean Baseline (high)

Confirm that compromised systems have been rebuilt from known-clean images or installation media rather than simply cleaned in place. The rebuild process should include verifying the integrity of the baseline image and applying all current security patches before reconnecting to the network.

Services Validated & Restored (high)

Verify that business services have been restored in a controlled, phased manner with validation at each step. Service restoration should include functional testing, security monitoring confirmation, and a defined rollback plan if anomalous activity is detected post-restoration.

Post-Incident Review

Lessons Learned Documented (medium)

Confirm that a formal lessons-learned review has been conducted with all participating teams. The review should document what worked well, what failed, timeline gaps, tooling shortcomings, and specific improvement actions with assigned owners and deadlines.

Detection Rules Improved (medium)

Verify that detection rules, SIEM correlations, and EDR policies have been updated based on the TTPs observed during the incident. New detections should cover the initial access vector, lateral movement techniques, and any persistence mechanisms used by the attacker.

Threat Intelligence Shared with Peers (medium)

Confirm that redacted IoCs, TTPs, and detection content have been shared through appropriate channels (ISAC, national CSIRT, vendor partners). A classification review has been completed to ensure no internal identifiers leak.