๐ฃ Phishing Investigation Assessment
Assessment template for phishing incidents focused on identifying campaign scope, quarantining malicious messages, and auditing compromised mailboxes. Includes phishing-specific checkpoints for email quarantine, campaign analysis, and inbox rule auditing alongside universal investigation checkpoints.
Triage
0/3Confirm that the investigation window has been defined with clear T-start (earliest known indicator) and T-end boundaries. The timeframe should include a safety buffer of at least 48 hours before the first detected IOC to account for pre-compromise reconnaissance.
Verify that the initially compromised system, account, or entry point has been identified and documented. Patient zero determination should be supported by corroborating evidence from multiple log sources such as EDR, authentication logs, and email gateway records.
Ensure the incident has been assigned a severity level based on observed impact, affected asset criticality, and potential data exposure. The classification should follow the organization's incident severity matrix and be reflected in all communications and ticket metadata.
Containment
0/4Confirm that all systems identified as compromised have been isolated from the network. Isolation should be verified through network-level controls (VLAN segmentation, firewall rules, or EDR network quarantine) rather than simply disabling accounts on the host.
Verify that all accounts known or suspected to be compromised have been disabled or had their credentials forcibly rotated. This includes service accounts, shared accounts, and any accounts with elevated privileges that the attacker may have accessed.
Assess whether the containment boundary is comprehensive enough to cover all known attacker footholds. Review lateral movement evidence, C2 communication logs, and authentication patterns to confirm no alternate access paths remain outside the containment perimeter.
Confirm that all instances of the malicious email have been identified and quarantined across all mailboxes in the organization. The search should cover the sender address, subject line, attachment hashes, and embedded URLs to catch variations of the same campaign.
Preservation
0/3Confirm that volatile memory (RAM) has been captured from all key compromised systems before any reboot or remediation action. Memory dumps should be acquired using forensically-sound tools and stored with proper chain of custody documentation.
Verify that all critical log sources have been snapshotted or exported to a tamper-proof location. This includes SIEM data, Windows Event Logs, authentication logs, email gateway logs, and cloud audit trails that fall within the investigation timeframe.
Ensure that a formal chain of custody record exists for every piece of evidence collected. Each record must include the evidence hash, collector identity, collection timestamp, storage location, and any transfers between custodians.
Collection
0/2Confirm that endpoint detection and response telemetry has been collected from all in-scope systems for the investigation timeframe. Telemetry should include process execution trees, file modifications, network connections, and registry changes.
Validate that evidence has been gathered from every relevant log source including EDR, SIEM, cloud audit logs, email gateway, proxy, DNS, VPN, and authentication systems. Cross-reference the log source inventory against the incident scope to identify any gaps.
Analysis
0/4Verify that all lateral movement activity has been identified and mapped across the environment. Analysis should cover RDP sessions, SMB connections, WMI/PSRemoting, pass-the-hash/pass-the-ticket activity, and any anomalous authentication patterns between systems.
Confirm that the root cause of the incident has been identified, including the initial attack vector, any exploited vulnerabilities, and the conditions that allowed the compromise to succeed. The root cause should be documented with supporting evidence from forensic analysis.
Verify that the full scope of the phishing campaign has been determined, including the total number of recipients, who opened or clicked, and who submitted credentials or executed payloads. Analysis should extend to identifying whether the campaign targeted specific departments or roles.
Confirm that mailbox rules for all compromised accounts have been audited for attacker-created forwarding or deletion rules. Check for rules that auto-forward to external addresses, move security alerts to deleted items, or hide responses from IT and security teams.
Eradication
0/3Confirm that all attacker-deployed malware, scripts, remote access tools, and utilities have been identified and removed from every affected system. Removal should be validated through post-remediation scans and manual verification of common persistence locations.
Verify that all attacker persistence mechanisms have been identified and removed. This includes scheduled tasks, registry run keys, startup folder entries, WMI subscriptions, service installations, DLL hijacks, and any modified Group Policy Objects.
Ensure that all credentials known or suspected to be compromised have been reset, including user passwords, service account passwords, API keys, certificates, and Kerberos tickets. The KRBTGT account should be reset twice if domain compromise is suspected.
Recovery
0/2Confirm that compromised systems have been rebuilt from known-clean images or installation media rather than simply cleaned in place. The rebuild process should include verifying the integrity of the baseline image and applying all current security patches before reconnecting to the network.
Verify that business services have been restored in a controlled, phased manner with validation at each step. Service restoration should include functional testing, security monitoring confirmation, and a defined rollback plan if anomalous activity is detected post-restoration.
Post-Incident Review
0/2Confirm that a formal lessons-learned review has been conducted with all participating teams. The review should document what worked well, what failed, timeline gaps, tooling shortcomings, and specific improvement actions with assigned owners and deadlines.
Verify that detection rules, SIEM correlations, and EDR policies have been updated based on the TTPs observed during the incident. New detections should cover the initial access vector, lateral movement techniques, and any persistence mechanisms used by the attacker.