☁️ Cloud & Identity Compromise — IR Cheatsheet

25 nodes | 8 stages | Generated for analyst role

Triage

Timeframe BoundingP1 | 30m
  1. 1.Query SIEM for the earliest alert or IOC match and record the timestamp as T-start; search across all log sources (EDR, firewall, proxy, authentication) for corroborating events within +/- 24 hours.
  2. 2.Use PowerShell to pull the $MFT timeline: `Get-ForensicTimeline -VolumeName C: | Where-Object { $_.Date -ge $tStart -and $_.Date -le $tEnd } | Export-Csv mft_timeline.csv` -- compare with SIEM timestamps.
  3. 3.Run Velociraptor hunt `Windows.Timeline.MFT` across suspected hosts to identify file creation/modification clusters that may push T-start earlier.
index=* (sourcetype=crowdstrike OR sourcetype=defender OR sourcetype=sysmon) earliest=-30d | stats earliest(_time) as fi...
SecurityEvent | where TimeGenerated between (ago(30d) .. now()) | where EventID in (4624, 4625, 4648, 4672) | summarize ...
Patient ZeroP1 | 60m
  1. 1.Pivot from the earliest IOC timestamp to identify the originating host: correlate source IPs, user accounts, and process trees across EDR telemetry.
  2. 2.Run Velociraptor artifact `Windows.EventLogs.Evtx` with a time filter around T-start on candidate hosts to find logon events (4624 Type 3/10), service installations (7045), and scheduled task creation (4698).
  3. 3.Check email logs for the earliest malicious delivery if phishing is suspected: `sourcetype=o365:messageTrace | search directionality=Inbound status=Delivered | where _time >= T_start | stats earliest(_time) by sender, recipient, subject`.
DeviceLogonEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where LogonType in ("RemoteInteract...
index=proxy sourcetype=bluecoat OR sourcetype=zscaler dest IN (ioc_ip_list) OR url IN (ioc_url_list) | stats earliest(_t...
Access ValidationP2 | 45m
  1. 1.On patient zero, parse Outlook OST/PST for the phishing email and extract attachment hashes. Use `oletools` to analyze macros: `olevba -a malicious.docm | tee olevba_output.txt`.
  2. 2.For web-app compromise, review IIS/Apache/Nginx access logs around T-start: look for exploit patterns (path traversal, SQLi, deserialization payloads) targeting the specific CVE.
  3. 3.Check for credential-based access: query Azure AD sign-in logs for impossible travel, legacy auth protocols, or sign-ins from anonymizing infrastructure (Tor, VPN providers).
SigninLogs | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where UserPrincipalName == "compromise...
DeviceProcessEvents | where DeviceName == "PATIENT_ZERO" | where Timestamp between (datetime(T_START) .. datetime(T_END)...

Containment

Account LockdownP1 | 45m
  1. 1.Disable the compromised user account in AD: `Disable-ADAccount -Identity compromised_user` and in Azure AD: `Set-AzureADUser -ObjectId <user_id> -AccountEnabled $false`.
  2. 2.Revoke all Azure AD refresh tokens immediately: `Revoke-AzureADUserAllRefreshToken -ObjectId <user_id>`. For M365, also run: `Get-AzureADUserRegisteredDevice -ObjectId <user_id> | ForEach-Object { Remove-AzureADDeviceRegisteredUser -ObjectId $_.ObjectId }`.
  3. 3.Force Kerberos ticket expiry for on-prem AD: reset the user password twice (this invalidates all cached TGTs). Then reset the KRBTGT account if Golden Ticket is suspected: `Reset-KrbtgtKeys -Server DC01 -Force`.
let compromised_user = "[email protected]"; SigninLogs | where UserPrincipalName == compromised_user | where TimeGenerated...
let compromised_user = "[email protected]"; AuditLogs | where InitiatedBy has compromised_user | where TimeGenerated > ago...
Revoke Cloud SessionsP1 | 30m
  1. 1.Revoke all Azure AD refresh tokens: `Revoke-MgUserSignInSession -UserId <user_id>`. This invalidates all active sessions and forces re-authentication across all devices and applications.
  2. 2.Revoke specific OAuth app tokens: `Remove-AzureADOAuth2PermissionGrant -ObjectId <grant_id>` for each malicious grant identified. Also remove service principal assignments: `Remove-AzureADServiceAppRoleAssignment`.
  3. 3.Force re-registration of all user devices: `Get-AzureADUserRegisteredDevice -ObjectId <user_id> | ForEach-Object { Set-AzureADDevice -ObjectId $_.ObjectId -AccountEnabled $false }`. This invalidates device-based SSO tokens.
SigninLogs | where TimeGenerated > ago(2h) | where UserPrincipalName == "[email protected]" | where ResultType...
AuditLogs | where TimeGenerated > ago(24h) | where OperationName in ("Revoke user all refresh tokens","Invalidate all re...

Preservation

Memory CaptureP1 | 60m
  1. 1.Windows -- Use WinPmem from a trusted USB or network share: `winpmem_mini_x64.exe --output F:\case\%COMPUTERNAME%_memdump.raw --format raw`. Verify the output file size matches expected RAM.
  2. 2.Windows alternative -- Use Magnet RAM Capture or Belkasoft Live RAM Capturer if WinPmem fails. For remote collection via Velociraptor: deploy `Windows.Memory.Acquisition` artifact.
  3. 3.Linux -- Use AVML (Acquire Volatile Memory for Linux): `./avml --compress output.lime.gz`. Alternative: `sudo insmod lime.ko "path=/case/mem.lime format=lime"`. Verify module unloads cleanly after capture.
DeviceProcessEvents | where DeviceName == "TARGET_HOST" | where Timestamp > ago(1h) | where FileName in~ ("winpmem","ram...
SELECT pid, name, ppid, cmdline, create_time FROM processes WHERE on_disk = 0 OR name IN ("powershell.exe","cmd.exe","ru...
Log SnapshotP1 | 45m
  1. 1.Windows -- Export critical event logs: `wevtutil epl Security C:\case\Security.evtx`, `wevtutil epl System C:\case\System.evtx`, `wevtutil epl "Microsoft-Windows-PowerShell/Operational" C:\case\PowerShell.evtx`, `wevtutil epl "Microsoft-Windows-Sysmon/Operational" C:\case\Sysmon.evtx`.
  2. 2.Linux -- Preserve auth and system logs: `cp -p /var/log/auth.log* /var/log/syslog* /var/log/secure* /var/log/audit/audit.log* /case/logs/`. For journald: `journalctl --since "T_START" --until "T_END" -o json > /case/logs/journal_export.json`.
  3. 3.M365/Azure -- Export Azure AD sign-in and audit logs via PowerShell: `Get-AzureADAuditSignInLogs -Filter "createdDateTime ge T_START" -All $true | Export-Csv azure_signins.csv`. Export UAL: `Search-UnifiedAuditLog -StartDate T_START -EndDate T_END -ResultSize 5000 | Export-Csv ual_export.csv`.
index=_internal sourcetype=splunkd component=HotBucketRoller OR component=WarmToColdManager | stats latest(data_size) as...
// Velociraptor: collect all EVTX files from target host
SELECT FullPath, Size, Mtime FROM glob(globs="C:/Windows/System...
Chain of CustodyP2 | 30m
  1. 1.For each evidence item collected, record: item description, source system, collection method, collector name, date/time (UTC), and storage location.
  2. 2.Hash all evidence files immediately upon collection using SHA-256: `sha256sum /case/evidence/* > /case/evidence_hashes.sha256` (Linux) or `Get-FileHash -Algorithm SHA256 -Path C:\case\evidence\* | Export-Csv C:\case\evidence_hashes.csv` (PowerShell).
  3. 3.Store evidence on write-protected media or in a secured evidence repository with access logging. Document any transfers between storage locations.
Get-ChildItem -Path C:\case\evidence -Recurse | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path, @{Name="SizeK...
Cloud Tenant SnapshotP2 | 60m
  1. 1.Export all Azure AD users, groups, roles, and licenses using Microsoft Graph API or AzureAD PowerShell module to establish a baseline of the identity configuration at the time of incident
  2. 2.Snapshot all conditional access policies, named locations, and authentication methods: Export-AzureADMSConditionalAccessPolicy and Get-AzureADMSAuthorizationPolicy
  3. 3.Export all OAuth application registrations, enterprise applications, and service principals with their permissions and credential expiry dates
// PowerShell -- Comprehensive Azure AD tenant snapshot
# Users and roles
Get-AzureADUser -All $true | Export-Csv "C:\Ev...
// PowerShell -- OAuth app and service principal export
Get-AzureADApplication -All $true | Select-Object DisplayName, A...

Collection

EDR CollectionP2 | 120m
  1. 1.CrowdStrike -- Export full RTR session data and detection details via the Falcon API: `GET /detects/queries/detects/v1?filter=device.hostname:"TARGET_HOST"`. Pull process tree JSON for each detection.
  2. 2.Microsoft Defender -- Run Advanced Hunting queries to extract process execution history, file events, and network connections for the investigation window. Export results to CSV for offline analysis.
  3. 3.Deploy a Velociraptor hunt across all in-scope hosts using the SANS triage collection: `velociraptor-v0.7.0 --config client.config.yaml artifacts collect Windows.KapeFiles.Targets --args target="!SANS_Triage" --output /case/host_triage/`.
DeviceProcessEvents | where DeviceName in ("HOST1","HOST2","HOST3") | where Timestamp between (datetime(T_START) .. date...
DeviceFileEvents | where DeviceName in ("HOST1","HOST2","HOST3") | where Timestamp between (datetime(T_START) .. datetim...
M365 UAL CollectionP2 | 90m
  1. 1.Export the UAL using PowerShell for the investigation window. Note the 5000-record per query limit: `$results = Search-UnifiedAuditLog -StartDate "T_START" -EndDate "T_END" -ResultSize 5000 -SessionCommand ReturnLargeSet`. Page through all results and export to JSON for parsing.
  2. 2.Use the CISA Sparrow tool or CrowdStrike CRT (Cloud Response Tool) for automated collection: `sparrow.ps1` performs bulk UAL export, Azure AD analysis, and inbox rule enumeration.
  3. 3.Export Azure AD sign-in logs (requires P1/P2): `Get-MgAuditLogSignIn -Filter "createdDateTime ge T_START" -All | Export-Csv signins.csv`. Also export `Get-MgAuditLogDirectoryAudit` for admin activity.
CloudAppEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where AccountObjectId == "<user_object...
AuditLogs | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where Category in ("ApplicationManageme...
Azure AD LogsP2 | 60m
  1. 1.Export Azure AD sign-in logs via Microsoft Graph: `Get-MgAuditLogSignIn -Filter "createdDateTime ge T_START and createdDateTime le T_END" -All | Export-Csv signins.csv -NoTypeInformation`. Include both interactive and non-interactive sign-ins.
  2. 2.Export Azure AD audit logs: `Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge T_START" -All | Export-Csv audit_logs.csv`. Focus on user management, application management, and role management categories.
  3. 3.Collect risky sign-ins and risk detections (requires AAD P2): `Get-MgRiskyUser -Filter "riskLevel eq 'high'" | Export-Csv risky_users.csv` and `Get-MgRiskDetection -Filter "detectedDateTime ge T_START" | Export-Csv risk_detections.csv`.
SigninLogs | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where ResultType == 0 | summarize Sign...
AuditLogs | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where OperationName in ("Add member to ...
Missing Log FallbackP2 | 60m
  1. 1.Identify which log sources are missing and the affected time window. Document the gap: source name, expected retention, actual available range, and suspected reason for absence.
  2. 2.For missing Windows Event Logs, check Volume Shadow Copies: `vssadmin list shadows` then mount and extract .evtx files from shadow copies. Also check `C:\Windows\System32\winevt\Logs` for partially overwritten logs that may contain older entries.
  3. 3.Harvest NTFS metadata as a timeline substitute: `MFTECmd.exe -f C:\$MFT --csv /case/output/` provides file creation/modification timestamps even when application logs are gone. The $UsnJrnl provides granular file change records.
SecurityEvent | where TimeGenerated > ago(90d) | summarize MinTime=min(TimeGenerated), MaxTime=max(TimeGenerated), Count...
DeviceEvents | where Timestamp > ago(30d) | summarize EarliestEvent=min(Timestamp), LatestEvent=max(Timestamp), EventCou...
Third-Party LogsP3 | 120m
  1. 1.Identify which third-party vendors hold relevant logs: ISP flow data, cloud hosting provider logs, SaaS application audit trails, MSP monitoring data, CDN/WAF provider logs.
  2. 2.Draft a formal log preservation and production request specifying: timeframe (T-30d to present), log types needed, format requirements (CSV, JSON, syslog), and delivery method (SFTP, encrypted email).
  3. 3.Include in the request: case reference number, legal basis for the request (contract clause, legal process), contact person, and urgency level.
Review vendor contracts and SLAs for log retention periods and incident response support obligations.

Analysis

Lateral MovementP1 | 120m
  1. 1.Query for RDP lateral movement: filter for Event ID 4624 (LogonType 10) and 4778/4779 (RDP session reconnect/disconnect) across all domain controllers and target hosts during the investigation window.
  2. 2.Identify pass-the-hash/pass-the-ticket: look for 4624 LogonType 9 (NewCredentials) and 4648 (explicit credential logon). Cross-reference with EDR for suspicious LSASS access (Mimikatz, ProcDump, comsvcs.dll MiniDump).
  3. 3.Map SMB lateral movement via admin shares: `DeviceNetworkEvents | where RemotePort == 445 | where InitiatingProcessFileName in~ ("cmd.exe","powershell.exe","wmic.exe","psexec.exe","smbclient")` and correlate with service installation events (7045) on target hosts.
SecurityEvent | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where EventID in (4624, 4648) | whe...
DeviceProcessEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where FileName in~ ("psexec.exe",...
OAuth AbuseP2 | 60m
  1. 1.Enumerate all OAuth permission grants for compromised users: `Get-AzureADUserOAuth2PermissionGrant -ObjectId <user_id> -All $true | Select ClientId, ConsentType, Scope, PrincipalId`. Cross-reference ClientId with known legitimate applications.
  2. 2.Identify suspicious application registrations created during the investigation window: `Get-AzureADApplication -Filter "createdDateTime ge T_START" | Select DisplayName, AppId, CreatedDateTime, Homepage, ReplyUrls`.
  3. 3.Check for high-privilege consent grants (Mail.ReadWrite, Files.ReadWrite.All, Directory.ReadWrite.All): `AuditLogs | where OperationName == "Consent to application" | where TargetResources has "Mail.ReadWrite" or TargetResources has "Files.ReadWrite"`. These are the most dangerous grants.
AuditLogs | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where OperationName in ("Consent to app...
CloudAppEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where ActionType == "Consent to applic...
Inbox RulesP2 | 45m
  1. 1.Enumerate all inbox rules for compromised mailboxes: `Get-InboxRule -Mailbox [email protected] | Select Name, Description, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder | Format-List`.
  2. 2.Check for mailbox forwarding and delegates: `Get-Mailbox -Identity compromised_user | Select ForwardingAddress, ForwardingSMTPAddress, DeliverToMailboxAndForward` and `Get-MailboxPermission -Identity compromised_user | Where-Object { $_.IsInherited -eq $false }`.
  3. 3.Search for rules that delete or move security notifications: look for rules with conditions matching "security","alert","password","suspicious","MFA" that move to Deleted Items or RSS Feeds folder.
OfficeActivity | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where Operation in ("New-InboxRule...
CloudAppEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where ActionType in ("Set-InboxRule","...

Eradication

Credential ResetP1 | 90m
  1. 1.Reset passwords for all confirmed compromised accounts. Use strong, unique passwords: `Set-ADAccountPassword -Identity USERNAME -Reset -NewPassword (ConvertTo-SecureString "NEW_COMPLEX_PASSWORD" -AsPlainText -Force)`.
  2. 2.Perform krbtgt account double-reset (with 12+ hour gap between resets) to invalidate all Kerberos tickets: `Reset-KrbtgtKeyInteractive` or manual: `Set-ADAccountPassword -Identity krbtgt -Reset`. Document reset times.
  3. 3.Revoke all cloud sessions: `Revoke-AzureADUserAllRefreshToken -ObjectId USER_OBJECT_ID` for each compromised user. Also revoke OAuth app consents: `Remove-AzureADOAuth2PermissionGrant`.
IdentityInfo | where AccountName in~ (COMPROMISED_ACCOUNTS) | project AccountName, AccountDomain, IsAccountEnabled, Pass...
SigninLogs | where TimeGenerated > ago(1h) | where UserPrincipalName in~ (RESET_ACCOUNTS) | where ResultType == 0 | proj...
Persistence HuntP1 | 120m
  1. 1.Windows persistence sweep: Run Autoruns (`autorunsc.exe -a * -c -h -s -v -vt > autoruns_sweep.csv`), check: Run/RunOnce registry keys, Services, Scheduled Tasks, WMI Event Subscriptions, startup folder, DLL search order hijacking, COM object hijacking, AppInit_DLLs, Image File Execution Options, Winlogon helper DLLs.
  2. 2.Linux persistence sweep: Check crontab (all users), systemd services/timers, rc.local, .bashrc/.profile modifications, SSH authorized_keys, LD_PRELOAD, /etc/ld.so.preload, at jobs, inetd/xinetd, modified system binaries (verify against package manager: `rpm -Va` or `debsums -c`).
  3. 3.Cloud persistence sweep: Check Azure AD app registrations, OAuth consents, Service Principals, Conditional Access exceptions, mailbox rules and forwarding, Power Automate flows, SharePoint webhooks, and federation trust configurations.
DeviceRegistryEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where RegistryKey has_any ("Run"...
DeviceEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where ActionType in ("ScheduledTaskCreat...
Eradication VerificationP1 | 90m
  1. 1.Run a full Autoruns sweep on all Windows hosts previously in scope -- compare against pre-incident baseline and flag any new entries added during the compromise window
  2. 2.Execute YARA rules for all known malware hashes and families identified during analysis across every endpoint using EDR live-response or Velociraptor hunts
  3. 3.Verify all compromised credentials have been reset: cross-reference the credential exposure list against Azure AD password-last-changed timestamps and on-prem AD pwdLastSet attributes
// KQL -- Verify no ransomware/malware re-execution post-eradication
DeviceProcessEvents
| where Timestamp > ago(48h)
| ...
// KQL -- Check for residual C2 communication
DeviceNetworkEvents
| where Timestamp > ago(48h)
| where RemoteIP in ("<C2...
Config HardeningP2 | 180m
  1. 1.Disable legacy authentication protocols exploited during the attack: NTLMv1, LLMNR, NBT-NS, WPAD, SMBv1, and unencrypted LDAP binds
  2. 2.Enable Windows Attack Surface Reduction (ASR) rules relevant to the observed TTPs: block Office macro child processes, block credential theft from LSASS, block unsigned/untrusted executables from USB
  3. 3.Harden Azure AD conditional access: enforce MFA on all accounts, block legacy auth, require compliant devices, implement sign-in risk and user risk policies
// PowerShell -- Enable ASR rules
$rules = @(
  "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550", # Block Office child processes
 ...
// KQL -- Verify hardening changes took effect
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType startswith "...

Recovery

Service RestorationP2 | 120m
  1. 1.Create service restoration tiers: Tier 1 (authentication, email, ERP), Tier 2 (file shares, internal apps), Tier 3 (development, non-essential). Restore one tier at a time.
  2. 2.Before each tier, verify: security tooling installed and reporting, monitoring rules deployed, containment controls updated for legitimate traffic.
  3. 3.Deploy enhanced monitoring rules: alert on C2 connections, new services, admin account creation, PowerShell/WMI remote execution.
DeviceNetworkEvents | where Timestamp > ago(4h) | where DeviceName in ("RESTORED_HOSTS") | where RemoteUrl !endswith ".m...
SecurityEvent | where TimeGenerated > ago(4h) | where Computer in ("RESTORED_HOSTS") | where EventID in (4720, 4732, 704...

Post-Incident Review

Detection ImprovementP2 | 90m
  1. 1.Document all attacker TTPs observed with specific indicators: process names, command lines, file paths, registry keys, network destinations.
  2. 2.Write Sigma rules for each TTP that can be shared and converted to multiple SIEM platforms.
  3. 3.Create custom KQL/SPL detection rules for the organization SIEM targeting the specific attack patterns.
SecurityEvent | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where EventID == 4688 | where Proce...
Incident ReportP2 | 180m
  1. 1.Write the technical narrative covering: initial detection, investigation scope, evidence collected, attacker TTPs, impact assessment, containment actions, eradication steps, and recovery.
  2. 2.Create the final incident timeline with all key events in chronological order.
  3. 3.Compile the IOC appendix: file hashes, IP addresses, domains, email addresses, user agents, and other indicators.
Compile all queries used during the investigation for the report appendix.
Lessons LearnedP3 | 120m
  1. 1.Compile the complete incident timeline from detection through recovery with all key events, decisions, and timestamps.
  2. 2.Document all evidence gaps encountered and how they were addressed (or could not be addressed).
  3. 3.Identify detection gaps: what alerts should have fired but did not? What telemetry would have enabled faster detection?
Review all investigation notes, evidence logs, and timeline entries compiled during the incident.