🔒 Ransomware — IR Cheatsheet
33 nodes | 8 stages | Generated for analyst role
Triage
Timeframe Bounding | P1 | 30m
- 1. Query the SIEM for the earliest alert or IOC match and record its timestamp as T-start; search all log sources (EDR, firewall, proxy, authentication) for corroborating events within +/- 24 hours.
- 2. Use PowerShell (PowerForensics module) to pull the $MFT timeline: `Get-ForensicTimeline -VolumeName C: | Where-Object { $_.Date -ge $tStart -and $_.Date -le $tEnd } | Export-Csv mft_timeline.csv` -- compare with SIEM timestamps.
- 3. Run the Velociraptor hunt `Windows.Timeline.MFT` across suspected hosts to identify file creation/modification clusters that may push T-start earlier.
index=* (sourcetype=crowdstrike OR sourcetype=defender OR sourcetype=sysmon) earliest=-30d | stats earliest(_time) as fi...
SecurityEvent | where TimeGenerated between (ago(30d) .. now()) | where EventID in (4624, 4625, 4648, 4672) | summarize ...
Patient Zero | P1 | 60m
- 1. Pivot from the earliest IOC timestamp to identify the originating host: correlate source IPs, user accounts, and process trees across EDR telemetry.
- 2. Run the Velociraptor artifact `Windows.EventLogs.Evtx` with a time filter around T-start on candidate hosts to find logon events (4624 Type 3/10), service installations (7045), and scheduled task creation (4698).
- 3. Check email logs for the earliest malicious delivery if phishing is suspected: `sourcetype=o365:messageTrace | search directionality=Inbound status=Delivered | where _time >= T_start | stats earliest(_time) by sender, recipient, subject`.
DeviceLogonEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where LogonType in ("RemoteInteract...
index=proxy sourcetype=bluecoat OR sourcetype=zscaler dest IN (ioc_ip_list) OR url IN (ioc_url_list) | stats earliest(_t...
Ransom Note Analysis | P1 | 45m
- 1. Collect the ransom note from affected systems without modifying it, preserving the original timestamps: `robocopy C:\Users F:\case\ransom_notes README*.txt /S /LEV:3 /COPY:DAT /XJ` (plain `copy` does not accept a wildcard in the directory part of the path). Screenshot or photograph any wallpaper-based notes.
- 2. Upload a sample encrypted file and the ransom note to ID Ransomware (id-ransomware.malwarehunterteam.com) or No More Ransom (nomoreransom.org) to identify the variant. Do NOT upload files containing sensitive data.
- 3. Extract IOCs from the ransom note: Bitcoin/Monero wallet addresses, Tor .onion URLs, email addresses, unique victim IDs. Check these against threat intelligence platforms (VirusTotal, OTX, MISP).
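As an added example (not part of the DFIR Assist cheatsheet), this Python script pulls the IOC types listed in step 3 out of a ransom note and defangs the network ones for the report. The note text, victim ID, mailboxes, onion address and wallets are constructed, and the address regexes are format checks only, not checksum validation.

```python
import re

# Constructed sample ransom note for exercising the extractor. Victim ID, mailboxes,
# onion address and wallets are made up (the BTC string is the BIP-173 reference
# test vector, not a payment address seen in any incident).
SAMPLE_NOTE = """
!!! YOUR FILES HAVE BEEN ENCRYPTED !!!
Your personal ID: 7F3A-21BC-9D0E-44F1
To restore them contact: restore-help@protonmail.com or backup-help@tutanota.com
Tor portal: http://recoveryportalabcdefghijklmnopqrstuvwxyz234567abcdefghij.onion/login
Pay 0.5 BTC to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq
or XMR to 44AbCdEfGhJkMnPqRsTuVwXyZ1234567AbCdEfGhJkMnPqRsTuVwXyZ1234567AbCdEfGhJkMnPqRsTuVwXyZ123456789a
Deadline: 72 hours. ID must be included in your message.
"""

IOC_PATTERNS = {
    # Bitcoin: bech32 (bc1...) or legacy Base58 (1.../3...) addresses
    "btc_wallet": re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    # Monero: 95-character Base58 address starting with 4 (standard) or 8 (subaddress)
    "xmr_wallet": re.compile(r"\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
    # Tor v3 onion service: exactly 56 base32 characters, optional path
    "onion_url": re.compile(r"\b[a-z2-7]{56}\.onion(?:/\S*)?", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Victim/campaign ID in the common "ID: XXXX-XXXX-XXXX" form (captured group)
    "victim_id": re.compile(r"\bID:?\s*([0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2,})\b"),
}

DEFANG_KINDS = {"onion_url", "email"}   # wallets and IDs must stay byte-exact for TI lookups


def extract_iocs(note: str) -> dict:
    """Return de-duplicated IOCs per type, in order of first appearance."""
    found = {kind: [] for kind in IOC_PATTERNS}
    for kind, pattern in IOC_PATTERNS.items():
        for match in pattern.finditer(note):
            value = match.group(1) if pattern.groups else match.group(0)
            if value not in found[kind]:
                found[kind].append(value)
    return found


def defang(value: str) -> str:
    """Make URLs/addresses non-clickable and non-resolvable before they go into a report."""
    return (value.replace("http://", "hxxp://").replace("https://", "hxxps://")
                 .replace(".", "[.]").replace("@", "[at]"))


def ioc_report(note: str) -> list:
    """Tab-separated 'type<TAB>value' lines, defanged where appropriate."""
    lines = []
    for kind, values in extract_iocs(note).items():
        for value in values:
            lines.append(f"{kind}\t{defang(value) if kind in DEFANG_KINDS else value}")
    return lines


if __name__ == "__main__":
    print("\n".join(ioc_report(SAMPLE_NOTE)))
```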
DeviceFileEvents | where Timestamp > ago(24h) | where ActionType == "FileRenamed" | where FileName endswith ".locked" or...
DeviceProcessEvents | where Timestamp > ago(24h) | where ProcessCommandLine has_any ("vssadmin delete shadows","wmic sha...
Access Validation | P2 | 45m
- 1. On patient zero, parse the Outlook OST/PST for the phishing email and extract attachment hashes. Use `oletools` to analyze macros: `olevba -a malicious.docm | tee olevba_output.txt`.
- 2. For web-app compromise, review IIS/Apache/Nginx access logs around T-start: look for exploit patterns (path traversal, SQLi, deserialization payloads) targeting the specific CVE.
- 3. Check for credential-based access: query Azure AD sign-in logs for impossible travel, legacy auth protocols, or sign-ins from anonymizing infrastructure (Tor, VPN providers).
SigninLogs | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where UserPrincipalName == "compromise...
DeviceProcessEvents | where DeviceName == "PATIENT_ZERO" | where Timestamp between (datetime(T_START) .. datetime(T_END)...
Containment
Network Isolation | P1 | 30m
- 1. Initiate EDR network containment on the compromised host (CrowdStrike: Network Contain from the Falcon console or via the API `POST /devices/entities/devices-actions/v2?action_name=contain` with the device AID; Defender: Isolate device from the MDE portal or via API `POST /api/machines/{id}/isolate`).
- 2. If EDR containment is not available, implement switch-port isolation: move the host to a quarantine VLAN with no routes except to the forensic workstation. Document the original VLAN assignment.
- 3. Deploy firewall rules to block the host IP from all outbound communication except the forensic subnet: `iptables -I FORWARD -s <compromised_ip> -j DROP` or the equivalent on your perimeter firewall.
DeviceNetworkEvents | where DeviceName == "COMPROMISED_HOST" | where Timestamp > ago(1h) | summarize ConnectionCount=cou...
index=firewall sourcetype=paloalto_traffic src_ip=COMPROMISED_IP action=allowed | stats count by dest_ip, dest_port, app...
Account Lockdown | P1 | 45m
- 1. Disable the compromised user account in AD: `Disable-ADAccount -Identity compromised_user` and in Azure AD: `Set-AzureADUser -ObjectId <user_id> -AccountEnabled $false`.
- 2. Revoke all Azure AD refresh tokens immediately: `Revoke-AzureADUserAllRefreshToken -ObjectId <user_id>`. For M365, also run: `Get-AzureADUserRegisteredDevice -ObjectId <user_id> | ForEach-Object { Remove-AzureADDeviceRegisteredUser -ObjectId $_.ObjectId -UserId <user_id> }`.
- 3. Force Kerberos ticket expiry for on-prem AD: reset the user password twice (this invalidates all cached TGTs). Then reset the KRBTGT account if a Golden Ticket is suspected: `Reset-KrbtgtKeys -Server DC01 -Force`.
let compromised_user = "[email protected]"; SigninLogs | where UserPrincipalName == compromised_user | where TimeGenerated...
let compromised_user = "[email protected]"; AuditLogs | where InitiatedBy has compromised_user | where TimeGenerated > ago...
Block Exfiltration | P1 | 30m
- 1. Block exfiltration destination IPs and domains on the perimeter firewall: add them to the deny list and verify with `show access-list` or equivalent. Confirm the blocks are applied at all egress points.
- 2. Add exfiltration domains to the DNS sinkhole/blackhole: update the DNS resolver block list or RPZ zone. Verify resolution fails: `nslookup exfil-domain.com` should return NXDOMAIN or the sinkhole IP.
- 3. Block cloud storage sync tools at the proxy level: create URL category blocks for file-sharing domains (mega.nz, rclone endpoints, transfer.sh). Apply SSL inspection to detect HTTPS-based exfiltration.
CommonSecurityLog | where TimeGenerated > ago(1h) | where DestinationIP in ("EXFIL_IP1","EXFIL_IP2") or DestinationHostN...
DnsEvents | where TimeGenerated > ago(1h) | where Name has "exfil-domain.com" | summarize QueryCount=count() by ClientIP...
Stop Ransomware Spread | P1 | 30m
- 1. Block SMB laterally across all VLANs immediately: apply firewall rules `deny tcp any any eq 445` on all inter-VLAN ACLs. This is the primary propagation vector for most ransomware families.
- 2. Block RDP between endpoints: `deny tcp any any eq 3389` on inter-VLAN ACLs. Allow RDP only from designated jump servers if needed for IR operations.
- 3. Deploy EDR containment on all systems showing active encryption: CrowdStrike `containment enable` or Defender device isolation. Kill the ransomware process: `Stop-Process -Name <ransomware_proc> -Force`.
DeviceFileEvents | where Timestamp > ago(1h) | where ActionType == "FileRenamed" | summarize RenameCount=count() by Devi...
DeviceNetworkEvents | where Timestamp > ago(1h) | where RemotePort == 445 | where ActionType == "ConnectionSuccess" | su...
Preservation
Memory Capture | P1 | 60m
- 1. Windows -- Use WinPmem from a trusted USB or network share: `winpmem_mini_x64.exe F:\case\%COMPUTERNAME%_memdump.raw` (winpmem_mini takes only the output path and writes a raw image). Verify the output file size matches the expected RAM.
- 2. Windows alternative -- Use Magnet RAM Capture or Belkasoft Live RAM Capturer if WinPmem fails. For remote collection via Velociraptor: deploy the `Windows.Memory.Acquisition` artifact.
- 3. Linux -- Use AVML (Acquire Volatile Memory for Linux): `./avml --compress output.lime.gz`. Alternative: `sudo insmod lime.ko "path=/case/mem.lime format=lime"`. Verify the module unloads cleanly after capture.
DeviceProcessEvents | where DeviceName == "TARGET_HOST" | where Timestamp > ago(1h) | where FileName in~ ("winpmem","ram...
SELECT pid, name, ppid, cmdline, create_time FROM processes WHERE on_disk = 0 OR name IN ("powershell.exe","cmd.exe","ru...
Log Snapshot | P1 | 45m
- 1. Windows -- Export critical event logs: `wevtutil epl Security C:\case\Security.evtx`, `wevtutil epl System C:\case\System.evtx`, `wevtutil epl "Microsoft-Windows-PowerShell/Operational" C:\case\PowerShell.evtx`, `wevtutil epl "Microsoft-Windows-Sysmon/Operational" C:\case\Sysmon.evtx`.
- 2. Linux -- Preserve auth and system logs: `cp -p /var/log/auth.log* /var/log/syslog* /var/log/secure* /var/log/audit/audit.log* /case/logs/`. For journald: `journalctl --since "T_START" --until "T_END" -o json > /case/logs/journal_export.json`.
- 3. M365/Azure -- Export Azure AD sign-in and audit logs via PowerShell: `Get-AzureADAuditSignInLogs -Filter "createdDateTime ge T_START" -All $true | Export-Csv azure_signins.csv`. Export the UAL: `Search-UnifiedAuditLog -StartDate T_START -EndDate T_END -ResultSize 5000 | Export-Csv ual_export.csv`.
index=_internal sourcetype=splunkd component=HotBucketRoller OR component=WarmToColdManager | stats latest(data_size) as...
// Velociraptor: collect all EVTX files from target host SELECT FullPath, Size, Mtime FROM glob(globs="C:/Windows/System...
Ransomware Preservation | P1 | 90m
- 1. Enumerate all Volume Shadow Copies on affected systems using `vssadmin list shadows` -- these may contain pre-encryption versions of files and provide the encryption start timestamp.
- 2. Export VSS snapshots to external storage before any remediation: use `mklink /d` to mount the shadows, then robocopy critical directories from the shadow mount point.
- 3. Capture the ransomware encryption timeline by analyzing $MFT timestamps: compare LastModified (encryption time) against Created (original file creation) to determine encryption start/end and propagation speed.
// PowerShell -- Enumerate and preserve VSS snapshots vssadmin list shadows # Mount the most recent pre-encryption snaps...
// PowerShell -- Encryption timeline from MFT # Using MFTECmd (Eric Zimmerman): .\MFTECmd.exe -f "C:\Evidence\$MFT" --cs...
Chain of Custody | P2 | 30m
- 1. For each evidence item collected, record: item description, source system, collection method, collector name, date/time (UTC), and storage location.
- 2. Hash all evidence files immediately upon collection using SHA-256: `sha256sum /case/evidence/* > /case/evidence_hashes.sha256` (Linux) or `Get-FileHash -Algorithm SHA256 -Path C:\case\evidence\* | Export-Csv C:\case\evidence_hashes.csv` (PowerShell).
- 3. Store evidence on write-protected media or in a secured evidence repository with access logging. Document any transfers between storage locations.
Get-ChildItem -Path C:\case\evidence -Recurse | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path, @{Name="SizeK...
Collection
EDR Collection | P2 | 120m
- 1. CrowdStrike -- Export full RTR session data and detection details via the Falcon API: `GET /detects/queries/detects/v1?filter=device.hostname:"TARGET_HOST"`. Pull the process tree JSON for each detection.
- 2. Microsoft Defender -- Run Advanced Hunting queries to extract process execution history, file events, and network connections for the investigation window. Export results to CSV for offline analysis.
- 3. Deploy a Velociraptor hunt across all in-scope hosts using the SANS triage collection, or collect locally with: `velociraptor-v0.7.0 --config client.config.yaml artifacts collect Windows.KapeFiles.Targets --args _SANS_Triage=Y --output /case/host_triage/<hostname>.zip` (the KapeFiles target is selected by its `_SANS_Triage` parameter and `--output` names a zip file).
DeviceProcessEvents | where DeviceName in ("HOST1","HOST2","HOST3") | where Timestamp between (datetime(T_START) .. date...
DeviceFileEvents | where DeviceName in ("HOST1","HOST2","HOST3") | where Timestamp between (datetime(T_START) .. datetim...
M365 UAL Collection | P2 | 90m
- 1. Export the UAL using PowerShell for the investigation window. Note the 5000-record per query limit; paging with `ReturnLargeSet` requires a session ID: `$results = Search-UnifiedAuditLog -StartDate "T_START" -EndDate "T_END" -ResultSize 5000 -SessionCommand ReturnLargeSet -SessionId "ual-ransomware"`. Repeat the call until it returns no records, then export everything to JSON for parsing.
- 2. Use the CISA Sparrow tool or CrowdStrike CRT (Cloud Response Tool) for automated collection: `sparrow.ps1` performs bulk UAL export, Azure AD analysis, and inbox rule enumeration.
- 3. Export Azure AD sign-in logs (requires P1/P2): `Get-MgAuditLogSignIn -Filter "createdDateTime ge T_START" -All | Export-Csv signins.csv`. Also export `Get-MgAuditLogDirectoryAudit` for admin activity.
CloudAppEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where AccountObjectId == "<user_object...
AuditLogs | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where Category in ("ApplicationManageme...
Missing Log Fallback | P2 | 60m
- 1. Identify which log sources are missing and the affected time window. Document the gap: source name, expected retention, actual available range, and suspected reason for absence.
- 2. For missing Windows Event Logs, check Volume Shadow Copies: `vssadmin list shadows`, then mount and extract .evtx files from the shadow copies. Also check `C:\Windows\System32\winevt\Logs` for partially overwritten logs that may contain older entries.
- 3. Harvest NTFS metadata as a timeline substitute: `MFTECmd.exe -f C:\$MFT --csv /case/output/` provides file creation/modification timestamps even when application logs are gone. The $UsnJrnl provides granular file change records.
SecurityEvent | where TimeGenerated > ago(90d) | summarize MinTime=min(TimeGenerated), MaxTime=max(TimeGenerated), Count...
DeviceEvents | where Timestamp > ago(30d) | summarize EarliestEvent=min(Timestamp), LatestEvent=max(Timestamp), EventCou...
Third-Party Logs | P3 | 120m
- 1. Identify which third-party vendors hold relevant logs: ISP flow data, cloud hosting provider logs, SaaS application audit trails, MSP monitoring data, CDN/WAF provider logs.
- 2. Draft a formal log preservation and production request specifying: timeframe (T-30d to present), log types needed, format requirements (CSV, JSON, syslog), and delivery method (SFTP, encrypted email).
- 3. Include in the request: case reference number, legal basis for the request (contract clause, legal process), contact person, and urgency level.
Review vendor contracts and SLAs for log retention periods and incident response support obligations.
Analysis
Lateral Movement | P1 | 120m
- 1. Query for RDP lateral movement: filter for Event ID 4624 (LogonType 10) and 4778/4779 (RDP session reconnect/disconnect) across all domain controllers and target hosts during the investigation window.
- 2. Identify pass-the-hash/pass-the-ticket: look for 4624 LogonType 9 (NewCredentials) and 4648 (explicit credential logon). Cross-reference with EDR for suspicious LSASS access (Mimikatz, ProcDump, comsvcs.dll MiniDump).
- 3. Map SMB lateral movement via admin shares: `DeviceNetworkEvents | where RemotePort == 445 | where InitiatingProcessFileName in~ ("cmd.exe","powershell.exe","wmic.exe","psexec.exe","smbclient")` and correlate with service installation events (7045) on target hosts.
SecurityEvent | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where EventID in (4624, 4648) | whe...
DeviceProcessEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where FileName in~ ("psexec.exe",...
Exfil Channels | P1 | 90m
- 1. Analyze proxy/firewall logs for large outbound transfers: `index=proxy sourcetype=bluecoat OR sourcetype=zscaler bytes_out>10000000 | stats sum(bytes_out) as total_bytes by src_ip, dest, cs_host, cs_uri_path | eval total_MB=round(total_bytes/1048576,2) | sort -total_MB | head 50`.
- 2. Hunt for DNS tunneling indicators: look for high-volume DNS queries to a single domain with long subdomain labels (the length must be computed with `eval` before `stats`): `index=dns | eval qlen=len(query) | stats count avg(qlen) as avg_len by query_domain, src_ip | where count > 500 AND avg_len > 40`.
- 3. Check for unauthorized cloud sync client usage: `DeviceProcessEvents | where FileName in~ ("rclone.exe","megasync.exe","gdrive.exe","onedrive.exe","dropbox.exe") | project Timestamp, DeviceName, ProcessCommandLine, AccountName`.
CommonSecurityLog | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where DeviceAction == "allowed"...
DnsEvents | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | extend SubdomainLength=strlen(tostring(...
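An added example (not from the cheatsheet) implementing the DNS tunneling heuristic of step 2 in Python over constructed resolver log lines. The log format `<epoch> <client_ip> <qname>` and the extra unique-label ratio are assumptions; the count and length thresholds are the ones quoted in the step.

```python
from __future__ import annotations

import hashlib
from collections import defaultdict


def build_sample_dns() -> list[str]:
    """Constructed DNS log lines, '<epoch> <client_ip> <qname>'; all values are synthetic."""
    lines = []
    t0 = 1772150000
    for i in range(300):                      # ordinary browsing from two workstations
        lines.append(f"{t0 + i} 10.0.5.21 www.example.com")
        lines.append(f"{t0 + i} 10.0.5.22 cdn.example.net")
    for i in range(600):                      # one host, one domain, 600 unique 48-char labels
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        lines.append(f"{t0 + i} 10.0.5.23 {chunk}.t.exfil-domain.com")
    return lines


def parse_line(line: str) -> tuple[int, str, str]:
    ts, src, qname = line.split()
    return int(ts), src, qname.lower().rstrip(".")


def registered_domain(qname: str) -> str:
    """Last two labels. Production code should use the Public Suffix List so that
    names under e.g. co.uk or cloud-provider suffixes are grouped correctly."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def detect_dns_tunneling(lines, min_queries=500, min_avg_sub_len=40, min_unique_ratio=0.9):
    """Flag (client, domain) pairs with many queries, long subdomains and almost no repeats.

    Count and length thresholds are the cheatsheet's (count > 500, avg_len > 40); the
    unique-label ratio is added because encoded payload chunks rarely repeat, whereas a
    busy CDN client repeats the same handful of hostnames.
    """
    stats = defaultdict(lambda: {"count": 0, "sub_len": 0, "subs": set()})
    for line in lines:
        _, src, qname = parse_line(line)
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
        s = stats[(src, dom)]
        s["count"] += 1
        s["sub_len"] += len(sub)
        s["subs"].add(sub)
    findings = []
    for (src, dom), s in stats.items():
        avg_len = s["sub_len"] / s["count"]
        unique_ratio = len(s["subs"]) / s["count"]
        if (s["count"] > min_queries and avg_len > min_avg_sub_len
                and unique_ratio >= min_unique_ratio):
            findings.append({"client_ip": src, "domain": dom, "count": s["count"],
                             "avg_subdomain_len": round(avg_len, 1),
                             "unique_ratio": round(unique_ratio, 2)})
    return sorted(findings, key=lambda f: -f["count"])


if __name__ == "__main__":
    for finding in detect_dns_tunneling(build_sample_dns()):
        print(finding)
```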
Encryption Scope | P1 | 90m
- 1. Run a Velociraptor hunt across all endpoints to detect encrypted file extensions: `Windows.Search.FileFinder` with the glob pattern `C:/**/*.{locked,encrypted,crypt,enc}` (Velociraptor globs use forward slashes) -- summarize results by host and directory.
- 2. Check file server shares for encryption markers: `Get-ChildItem -Path \\fileserver\shares -Recurse -Include "*.locked","*.encrypted","*.crypt","DECRYPT_*.txt","README_RANSOM*" | Group-Object DirectoryName | Select-Object Name, Count`.
- 3. Query EDR for file rename storms indicating encryption activity: `DeviceFileEvents | where ActionType == "FileRenamed" | summarize RenameCount=count() by DeviceName, bin(Timestamp, 5m) | where RenameCount > 100`.
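The following Python script is an added example, not from the cheatsheet, serving both this step and Ransomware Preservation step 3: from an MFTECmd-style CSV it derives the encryption start/end and propagation rate, and applies the same 5-minute, more-than-100 rename-storm rule to $MFT timestamps so the hunt still works when EDR telemetry is missing. The column names `Created0x10`/`LastModified0x10` are assumed from MFTECmd's `--csv` output and every row is constructed.

```python
from __future__ import annotations

import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Extensions the hunts above look for; add the variant's real suffix once identified.
ENCRYPTED_EXTS = (".locked", ".encrypted", ".crypt", ".enc")
BIN_MINUTES = 5
STORM_THRESHOLD = 100        # same "> 100 renames per 5m bin" as the EDR query
FMT = "%Y-%m-%d %H:%M:%S"
START = datetime(2026, 2, 27, 2, 13, 7)   # constructed incident clock for the sample


def build_sample_mft(n_encrypted: int = 260) -> str:
    """Constructed MFTECmd-style CSV: 20 untouched documents plus one encryption burst.
    Column names follow MFTECmd --csv output ($STANDARD_INFORMATION timestamps); all
    values are synthetic."""
    rows = ["ParentPath,FileName,Created0x10,LastModified0x10"]
    for i in range(20):                               # old documents, never touched
        t = START - timedelta(days=30 + i)
        rows.append(f".\\Users\\alice\\Documents,report_{i}.docx,{t:{FMT}},{t:{FMT}}")
    for i in range(n_encrypted):                      # rewritten in place, one every 1.5 s
        created = START - timedelta(days=200 + i % 50)
        modified = START + timedelta(seconds=1.5 * i)
        rows.append(f".\\Users\\alice\\Documents,invoice_{i}.xlsx.locked,"
                    f"{created:{FMT}},{modified:{FMT}}")
    return "\n".join(rows)


def parse_mft_csv(text: str) -> list[dict]:
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["Created"] = datetime.strptime(r["Created0x10"], FMT)
        r["Modified"] = datetime.strptime(r["LastModified0x10"], FMT)
    return rows


def is_encrypted(filename: str) -> bool:
    return filename.lower().endswith(ENCRYPTED_EXTS)


def encryption_timeline(rows: list[dict]) -> dict:
    """Encryption start/end and propagation speed from LastModified of encrypted files.
    Created far older than LastModified means the original was rewritten in place;
    near-equal pairs would mean a fresh encrypted copy was written and the original deleted."""
    enc = [r for r in rows if is_encrypted(r["FileName"])]
    if not enc:
        return {}
    modified = sorted(r["Modified"] for r in enc)
    start, end = modified[0], modified[-1]
    span_min = max((end - start).total_seconds() / 60, 1 / 60)    # guard a single-file span
    rewritten = sum(1 for r in enc if r["Modified"] - r["Created"] > timedelta(hours=1))
    return {"start": start, "end": end, "count": len(enc), "rewritten_in_place": rewritten,
            "files_per_minute": round(len(enc) / span_min, 1)}


def storm_bins(rows: list[dict]) -> dict[datetime, int]:
    """Encrypted-file writes per 5-minute bin: the EDR rename-storm query applied to $MFT."""
    bins: Counter = Counter()
    for r in rows:
        if is_encrypted(r["FileName"]):
            ts = r["Modified"]
            bins[ts.replace(minute=ts.minute - ts.minute % BIN_MINUTES, second=0)] += 1
    return dict(sorted(bins.items()))


def flagged_bins(bins: dict[datetime, int], threshold: int = STORM_THRESHOLD) -> list[datetime]:
    return [b for b, c in bins.items() if c > threshold]


if __name__ == "__main__":
    mft = parse_mft_csv(build_sample_mft())
    print(encryption_timeline(mft))
    bins = storm_bins(mft)
    print({b.strftime("%H:%M"): c for b, c in bins.items()}, "flagged:", flagged_bins(bins))
```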
DeviceFileEvents | where Timestamp > ago(48h) | where ActionType == "FileRenamed" | extend NewExtension=tostring(split(F...
index=edr sourcetype=crowdstrike:events event_type=FileWritten file_extension IN ("locked","encrypted","crypt") | stats ...
Credential Dumping | P1 | 90m
- 1. Check for LSASS memory access: look for processes reading lsass.exe memory via Event ID 4663, Sysmon Event ID 10 (ProcessAccess with TargetImage containing lsass.exe), and EDR alerts for credential access.
- 2. Check for SAM/SYSTEM/SECURITY hive copies: `reg save HKLM\SAM`, `reg save HKLM\SYSTEM`, or shadow copy access to these files.
- 3. Detect DCSync attacks: look for Directory Service Access events (Event ID 4662) with replication rights GUIDs from non-DC sources.
DeviceProcessEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where FileName in~ ("mimikatz.exe...
SecurityEvent | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where EventID == 4662 | where Prope...
Data Staging | P2 | 60m
- 1. Search for archive creation using common staging tools: `DeviceProcessEvents | where FileName in~ ("7z.exe","rar.exe","winrar.exe","zip.exe","tar.exe","makecab.exe") | project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName`.
- 2. Hunt for renamed archive tools or LOLBins used for compression: check for `compact.exe /c`, `certutil -encode`, or PowerShell `Compress-Archive` commands across EDR telemetry.
- 3. Identify large file creation events in staging directories: `DeviceFileEvents | where FolderPath matches regex @"(?i)(\\temp\\|\\staging\\|\\public\\|C:\\PerfLogs)" | where FileSize > 50000000 | project Timestamp, DeviceName, FileName, FolderPath, FileSize`.
DeviceProcessEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where ProcessCommandLine has_any ...
DeviceFileEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where ActionType == "FileCreated" | ...
Eradication
Malware Removal | P1 | 120m
- 1. Compile a complete list of all identified malicious artifacts: file paths, registry keys, scheduled tasks, services, cron jobs, web shells, and any other persistence mechanisms discovered during analysis.
- 2. On Windows: remove malicious scheduled tasks (`schtasks /delete /tn "TASK_NAME" /f`), services (`sc delete SERVICE_NAME`), registry Run keys, WMI event subscriptions, and startup folder entries. Use Autoruns to verify: `autorunsc.exe -a * -c -h -s -v -vt > autoruns_post_cleanup.csv`.
- 3. On Linux: remove malicious cron entries (`crontab -r -u COMPROMISED_USER`), systemd services, modified SSH authorized_keys, LD_PRELOAD entries, and files in /tmp or /dev/shm. Check for rootkits: `chkrootkit` and `rkhunter --check`.
DeviceFileEvents | where Timestamp > ago(1h) | where DeviceName == "CLEANED_HOST" | where FolderPath has_any ("\Temp\","...
DeviceNetworkEvents | where Timestamp > ago(4h) | where DeviceName == "CLEANED_HOST" | where RemoteUrl in~ (KNOWN_C2_DOM...
Credential Reset | P1 | 90m
- 1. Reset passwords for all confirmed compromised accounts. Use strong, unique passwords: `Set-ADAccountPassword -Identity USERNAME -Reset -NewPassword (ConvertTo-SecureString "NEW_COMPLEX_PASSWORD" -AsPlainText -Force)`.
- 2. Perform the krbtgt account double-reset (with a 12+ hour gap between resets) to invalidate all Kerberos tickets: `Reset-KrbtgtKeyInteractive` or manually: `Set-ADAccountPassword -Identity krbtgt -Reset`. Document the reset times.
- 3. Revoke all cloud sessions: `Revoke-AzureADUserAllRefreshToken -ObjectId USER_OBJECT_ID` for each compromised user. Also revoke OAuth app consents: `Remove-AzureADOAuth2PermissionGrant`.
IdentityInfo | where AccountName in~ (COMPROMISED_ACCOUNTS) | project AccountName, AccountDomain, IsAccountEnabled, Pass...
SigninLogs | where TimeGenerated > ago(1h) | where UserPrincipalName in~ (RESET_ACCOUNTS) | where ResultType == 0 | proj...
Persistence Hunt | P1 | 120m
- 1. Windows persistence sweep: run Autoruns (`autorunsc.exe -a * -c -h -s -v -vt > autoruns_sweep.csv`) and check Run/RunOnce registry keys, Services, Scheduled Tasks, WMI Event Subscriptions, the startup folder, DLL search order hijacking, COM object hijacking, AppInit_DLLs, Image File Execution Options, and Winlogon helper DLLs.
- 2. Linux persistence sweep: check crontab (all users), systemd services/timers, rc.local, .bashrc/.profile modifications, SSH authorized_keys, LD_PRELOAD, /etc/ld.so.preload, at jobs, inetd/xinetd, and modified system binaries (verify against the package manager: `rpm -Va` or `debsums -c`).
- 3. Cloud persistence sweep: check Azure AD app registrations, OAuth consents, Service Principals, Conditional Access exceptions, mailbox rules and forwarding, Power Automate flows, SharePoint webhooks, and federation trust configurations.
DeviceRegistryEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where RegistryKey has_any ("Run"...
DeviceEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where ActionType in ("ScheduledTaskCreat...
Eradication Verification | P1 | 90m
- 1. Run a full Autoruns sweep on all Windows hosts previously in scope -- compare against the pre-incident baseline and flag any new entries added during the compromise window.
- 2. Execute YARA rules for all known malware hashes and families identified during analysis across every endpoint using EDR live response or Velociraptor hunts.
- 3. Verify all compromised credentials have been reset: cross-reference the credential exposure list against Azure AD password-last-changed timestamps and on-prem AD pwdLastSet attributes.
// KQL -- Verify no ransomware/malware re-execution post-eradication DeviceProcessEvents | where Timestamp > ago(48h) | ...
// KQL -- Check for residual C2 communication
DeviceNetworkEvents
| where Timestamp > ago(48h)
| where RemoteIP in ("<C2...
Config Hardening | P2 | 180m
- 1. Disable legacy authentication protocols exploited during the attack: NTLMv1, LLMNR, NBT-NS, WPAD, SMBv1, and unencrypted LDAP binds.
- 2. Enable Windows Attack Surface Reduction (ASR) rules relevant to the observed TTPs: block Office macro child processes, block credential theft from LSASS, block unsigned/untrusted executables from USB.
- 3. Harden Azure AD Conditional Access: enforce MFA on all accounts, block legacy auth, require compliant devices, implement sign-in risk and user risk policies.
// PowerShell -- Enable ASR rules $rules = @( "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550", # Block Office child processes ...
// KQL -- Verify hardening changes took effect DeviceEvents | where Timestamp > ago(24h) | where ActionType startswith "...
Recovery
Decryption Assessment | P1 | 120m
- 1. Check for free decryptors at nomoreransom.org and other researcher repositories. Upload a sample encrypted file (non-sensitive) and the ransom note to ID Ransomware for variant-specific tool recommendations.
- 2. Analyze memory dumps for encryption keys using Volatility: `vol3 -f memdump.raw windows.memmap --dump --pid <ransomware_pid>` -- search the dumped memory for key material patterns. For some variants, keys are held in memory until reboot.
- 3. Check for surviving Volume Shadow Copies: `vssadmin list shadows` or `Get-WmiObject Win32_ShadowCopy`. Many ransomware variants attempt to delete VSS but some fail. Restore from VSS if available.
DeviceProcessEvents | where DeviceName == "ENCRYPTED_HOST" | where Timestamp > ago(48h) | where ProcessCommandLine has_a...
SELECT Name, InstallDate, Description FROM Win32_ShadowCopy -- WMI/osquery query to check for surviving shadow copies on...
System Rebuild | P1 | 240m
- 1. Take a final forensic image of each compromised system before rebuilding (for evidence preservation).
- 2. Rebuild systems from the organization's gold image. Apply all current security patches to the fresh image.
- 3. Install and configure the EDR agent, verify it is reporting to the console, and run a full system scan.
DeviceInfo | where Timestamp > ago(1h) | where DeviceName == "REBUILT_HOST" | project DeviceName, OSPlatform, OSVersion,...
Backup Validation | P1 | 180m
- 1. Inventory all backup sets: document date, type (full/incremental), storage location, retention status.
- 2. Select backups predating T-start by at least 24-48 hours to account for potential early undetected access.
- 3. Mount backups in an air-gapped test environment. Do NOT connect to the production network.
Event | where Source == "VSS" or Source == "VolSnap" | where TimeGenerated between (datetime(T_START) .. now()) | where ...
Service Restoration | P2 | 120m
- 1. Create service restoration tiers: Tier 1 (authentication, email, ERP), Tier 2 (file shares, internal apps), Tier 3 (development, non-essential). Restore one tier at a time.
- 2. Before each tier, verify: security tooling installed and reporting, monitoring rules deployed, containment controls updated for legitimate traffic.
- 3. Deploy enhanced monitoring rules: alert on C2 connections, new services, admin account creation, PowerShell/WMI remote execution.
DeviceNetworkEvents | where Timestamp > ago(4h) | where DeviceName in ("RESTORED_HOSTS") | where RemoteUrl !endswith ".m...
SecurityEvent | where TimeGenerated > ago(4h) | where Computer in ("RESTORED_HOSTS") | where EventID in (4720, 4732, 704...
Post-Incident Review
Detection Improvement | P2 | 90m
- 1. Document all attacker TTPs observed with specific indicators: process names, command lines, file paths, registry keys, network destinations.
- 2. Write Sigma rules for each TTP so they can be shared and converted to multiple SIEM platforms.
- 3. Create custom KQL/SPL detection rules for the organization's SIEM targeting the specific attack patterns.
SecurityEvent | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where EventID == 4688 | where Proce...
Incident Report | P2 | 180m
- 1. Write the technical narrative covering: initial detection, investigation scope, evidence collected, attacker TTPs, impact assessment, containment actions, eradication steps, and recovery.
- 2. Create the final incident timeline with all key events in chronological order.
- 3. Compile the IOC appendix: file hashes, IP addresses, domains, email addresses, user agents, and other indicators.
Compile all queries used during the investigation for the report appendix.
Lessons Learned | P3 | 120m
- 1. Compile the complete incident timeline from detection through recovery with all key events, decisions, and timestamps.
- 2. Document all evidence gaps encountered and how they were addressed (or could not be addressed).
- 3. Identify detection gaps: what alerts should have fired but did not? What telemetry would have enabled faster detection?
Review all investigation notes, evidence logs, and timeline entries compiled during the incident.
DFIR Assist — Ransomware Cheatsheet | Printed 2/27/2026