🌐 Web Application Compromise — IR Cheatsheet

25 nodes | 8 stages | Generated for analyst role

Triage

Timeframe BoundingP1 | 30m
  1. 1.Query SIEM for the earliest alert or IOC match and record the timestamp as T-start; search across all log sources (EDR, firewall, proxy, authentication) for corroborating events within +/- 24 hours.
  2. 2.Use PowerShell to pull the $MFT timeline: `Get-ForensicTimeline -VolumeName C: | Where-Object { $_.Date -ge $tStart -and $_.Date -le $tEnd } | Export-Csv mft_timeline.csv` -- compare with SIEM timestamps.
  3. 3.Run Velociraptor hunt `Windows.Timeline.MFT` across suspected hosts to identify file creation/modification clusters that may push T-start earlier.
index=* (sourcetype=crowdstrike OR sourcetype=defender OR sourcetype=sysmon) earliest=-30d | stats earliest(_time) as fi...
SecurityEvent | where TimeGenerated between (ago(30d) .. now()) | where EventID in (4624, 4625, 4648, 4672) | summarize ...
Patient ZeroP1 | 60m
  1. 1.Pivot from the earliest IOC timestamp to identify the originating host: correlate source IPs, user accounts, and process trees across EDR telemetry.
  2. 2.Run Velociraptor artifact `Windows.EventLogs.Evtx` with a time filter around T-start on candidate hosts to find logon events (4624 Type 3/10), service installations (7045), and scheduled task creation (4698).
  3. 3.Check email logs for the earliest malicious delivery if phishing is suspected: `sourcetype=o365:messageTrace | search directionality=Inbound status=Delivered | where _time >= T_start | stats earliest(_time) by sender, recipient, subject`.
DeviceLogonEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where LogonType in ("RemoteInteract...
index=proxy sourcetype=bluecoat OR sourcetype=zscaler dest IN (ioc_ip_list) OR url IN (ioc_url_list) | stats earliest(_t...
Access ValidationP2 | 45m
  1. 1.On patient zero, parse Outlook OST/PST for the phishing email and extract attachment hashes. Use `oletools` to analyze macros: `olevba -a malicious.docm | tee olevba_output.txt`.
  2. 2.For web-app compromise, review IIS/Apache/Nginx access logs around T-start: look for exploit patterns (path traversal, SQLi, deserialization payloads) targeting the specific CVE.
  3. 3.Check for credential-based access: query Azure AD sign-in logs for impossible travel, legacy auth protocols, or sign-ins from anonymizing infrastructure (Tor, VPN providers).
SigninLogs | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where UserPrincipalName == "compromise...
DeviceProcessEvents | where DeviceName == "PATIENT_ZERO" | where Timestamp between (datetime(T_START) .. datetime(T_END)...

Containment

Network IsolationP1 | 30m
  1. 1.Initiate EDR network containment on the compromised host (CrowdStrike: `falconctl -s --cid | containment enable`, Defender: Isolate device from MDE portal or via API `POST /api/machines/{id}/isolate`).
  2. 2.If EDR containment is not available, implement switch-port isolation: move the host VLAN to a quarantine VLAN with no routes except to the forensic workstation. Document the original VLAN assignment.
  3. 3.Deploy firewall rules to block the host IP from all outbound communication except the forensic subnet: `iptables -I FORWARD -s <compromised_ip> -j DROP` or equivalent on your perimeter firewall.
DeviceNetworkEvents | where DeviceName == "COMPROMISED_HOST" | where Timestamp > ago(1h) | summarize ConnectionCount=cou...
index=firewall sourcetype=paloalto_traffic src_ip=COMPROMISED_IP action=allowed | stats count by dest_ip, dest_port, app...
Account LockdownP1 | 45m
  1. 1.Disable the compromised user account in AD: `Disable-ADAccount -Identity compromised_user` and in Azure AD: `Set-AzureADUser -ObjectId <user_id> -AccountEnabled $false`.
  2. 2.Revoke all Azure AD refresh tokens immediately: `Revoke-AzureADUserAllRefreshToken -ObjectId <user_id>`. For M365, also run: `Get-AzureADUserRegisteredDevice -ObjectId <user_id> | ForEach-Object { Remove-AzureADDeviceRegisteredUser -ObjectId $_.ObjectId }`.
  3. 3.Force Kerberos ticket expiry for on-prem AD: reset the user password twice (this invalidates all cached TGTs). Then reset the KRBTGT account if Golden Ticket is suspected: `Reset-KrbtgtKeys -Server DC01 -Force`.
let compromised_user = "[email protected]"; SigninLogs | where UserPrincipalName == compromised_user | where TimeGenerated...
let compromised_user = "[email protected]"; AuditLogs | where InitiatedBy has compromised_user | where TimeGenerated > ago...

Preservation

Memory CaptureP1 | 60m
  1. 1.Windows -- Use WinPmem from a trusted USB or network share: `winpmem_mini_x64.exe --output F:\case\%COMPUTERNAME%_memdump.raw --format raw`. Verify the output file size matches expected RAM.
  2. 2.Windows alternative -- Use Magnet RAM Capture or Belkasoft Live RAM Capturer if WinPmem fails. For remote collection via Velociraptor: deploy `Windows.Memory.Acquisition` artifact.
  3. 3.Linux -- Use AVML (Acquire Volatile Memory for Linux): `./avml --compress output.lime.gz`. Alternative: `sudo insmod lime.ko "path=/case/mem.lime format=lime"`. Verify module unloads cleanly after capture.
DeviceProcessEvents | where DeviceName == "TARGET_HOST" | where Timestamp > ago(1h) | where FileName in~ ("winpmem","ram...
SELECT pid, name, ppid, cmdline, create_time FROM processes WHERE on_disk = 0 OR name IN ("powershell.exe","cmd.exe","ru...
Log SnapshotP1 | 45m
  1. 1.Windows -- Export critical event logs: `wevtutil epl Security C:\case\Security.evtx`, `wevtutil epl System C:\case\System.evtx`, `wevtutil epl "Microsoft-Windows-PowerShell/Operational" C:\case\PowerShell.evtx`, `wevtutil epl "Microsoft-Windows-Sysmon/Operational" C:\case\Sysmon.evtx`.
  2. 2.Linux -- Preserve auth and system logs: `cp -p /var/log/auth.log* /var/log/syslog* /var/log/secure* /var/log/audit/audit.log* /case/logs/`. For journald: `journalctl --since "T_START" --until "T_END" -o json > /case/logs/journal_export.json`.
  3. 3.M365/Azure -- Export Azure AD sign-in and audit logs via PowerShell: `Get-AzureADAuditSignInLogs -Filter "createdDateTime ge T_START" -All $true | Export-Csv azure_signins.csv`. Export UAL: `Search-UnifiedAuditLog -StartDate T_START -EndDate T_END -ResultSize 5000 | Export-Csv ual_export.csv`.
index=_internal sourcetype=splunkd component=HotBucketRoller OR component=WarmToColdManager | stats latest(data_size) as...
// Velociraptor: collect all EVTX files from target host
SELECT FullPath, Size, Mtime FROM glob(globs="C:/Windows/System...
Chain of CustodyP2 | 30m
  1. 1.For each evidence item collected, record: item description, source system, collection method, collector name, date/time (UTC), and storage location.
  2. 2.Hash all evidence files immediately upon collection using SHA-256: `sha256sum /case/evidence/* > /case/evidence_hashes.sha256` (Linux) or `Get-FileHash -Algorithm SHA256 -Path C:\case\evidence\* | Export-Csv C:\case\evidence_hashes.csv` (PowerShell).
  3. 3.Store evidence on write-protected media or in a secured evidence repository with access logging. Document any transfers between storage locations.
Get-ChildItem -Path C:\case\evidence -Recurse | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path, @{Name="SizeK...

Collection

EDR CollectionP2 | 120m
  1. 1.CrowdStrike -- Export full RTR session data and detection details via the Falcon API: `GET /detects/queries/detects/v1?filter=device.hostname:"TARGET_HOST"`. Pull process tree JSON for each detection.
  2. 2.Microsoft Defender -- Run Advanced Hunting queries to extract process execution history, file events, and network connections for the investigation window. Export results to CSV for offline analysis.
  3. 3.Deploy a Velociraptor hunt across all in-scope hosts using the SANS triage collection: `velociraptor-v0.7.0 --config client.config.yaml artifacts collect Windows.KapeFiles.Targets --args target="!SANS_Triage" --output /case/host_triage/`.
DeviceProcessEvents | where DeviceName in ("HOST1","HOST2","HOST3") | where Timestamp between (datetime(T_START) .. date...
DeviceFileEvents | where DeviceName in ("HOST1","HOST2","HOST3") | where Timestamp between (datetime(T_START) .. datetim...
M365 UAL CollectionP2 | 90m
  1. 1.Export the UAL using PowerShell for the investigation window. Note the 5000-record per query limit: `$results = Search-UnifiedAuditLog -StartDate "T_START" -EndDate "T_END" -ResultSize 5000 -SessionCommand ReturnLargeSet`. Page through all results and export to JSON for parsing.
  2. 2.Use the CISA Sparrow tool or CrowdStrike CRT (Cloud Response Tool) for automated collection: `sparrow.ps1` performs bulk UAL export, Azure AD analysis, and inbox rule enumeration.
  3. 3.Export Azure AD sign-in logs (requires P1/P2): `Get-MgAuditLogSignIn -Filter "createdDateTime ge T_START" -All | Export-Csv signins.csv`. Also export `Get-MgAuditLogDirectoryAudit` for admin activity.
CloudAppEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where AccountObjectId == "<user_object...
AuditLogs | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where Category in ("ApplicationManageme...
Missing Log FallbackP2 | 60m
  1. 1.Identify which log sources are missing and the affected time window. Document the gap: source name, expected retention, actual available range, and suspected reason for absence.
  2. 2.For missing Windows Event Logs, check Volume Shadow Copies: `vssadmin list shadows` then mount and extract .evtx files from shadow copies. Also check `C:\Windows\System32\winevt\Logs` for partially overwritten logs that may contain older entries.
  3. 3.Harvest NTFS metadata as a timeline substitute: `MFTECmd.exe -f C:\$MFT --csv /case/output/` provides file creation/modification timestamps even when application logs are gone. The $UsnJrnl provides granular file change records.
SecurityEvent | where TimeGenerated > ago(90d) | summarize MinTime=min(TimeGenerated), MaxTime=max(TimeGenerated), Count...
DeviceEvents | where Timestamp > ago(30d) | summarize EarliestEvent=min(Timestamp), LatestEvent=max(Timestamp), EventCou...
Web Server LogsP2 | 90m
  1. 1.Collect web server access logs: Apache/Nginx (`/var/log/apache2/access.log`, `/var/log/nginx/access.log`), IIS (`C:\inetpub\logs\LogFiles\`). Include rotated/archived logs covering the investigation timeframe.
  2. 2.Collect web server error logs for stack traces and application errors that may indicate exploitation attempts.
  3. 3.Collect WAF logs if available (ModSecurity, AWS WAF, Azure WAF, Cloudflare). These contain blocked and flagged requests that may show earlier attack attempts.
index=web sourcetype=access_combined OR sourcetype=iis | where status >= 400 | stats count by uri_path, status, clientip...
index=web sourcetype=access_combined | where method="POST" | where uri_path=".php" OR uri_path=".aspx" OR uri_path=".jsp...
Third-Party LogsP3 | 120m
  1. 1.Identify which third-party vendors hold relevant logs: ISP flow data, cloud hosting provider logs, SaaS application audit trails, MSP monitoring data, CDN/WAF provider logs.
  2. 2.Draft a formal log preservation and production request specifying: timeframe (T-30d to present), log types needed, format requirements (CSV, JSON, syslog), and delivery method (SFTP, encrypted email).
  3. 3.Include in the request: case reference number, legal basis for the request (contract clause, legal process), contact person, and urgency level.
Review vendor contracts and SLAs for log retention periods and incident response support obligations.

Analysis

Lateral MovementP1 | 120m
  1. 1.Query for RDP lateral movement: filter for Event ID 4624 (LogonType 10) and 4778/4779 (RDP session reconnect/disconnect) across all domain controllers and target hosts during the investigation window.
  2. 2.Identify pass-the-hash/pass-the-ticket: look for 4624 LogonType 9 (NewCredentials) and 4648 (explicit credential logon). Cross-reference with EDR for suspicious LSASS access (Mimikatz, ProcDump, comsvcs.dll MiniDump).
  3. 3.Map SMB lateral movement via admin shares: `DeviceNetworkEvents | where RemotePort == 445 | where InitiatingProcessFileName in~ ("cmd.exe","powershell.exe","wmic.exe","psexec.exe","smbclient")` and correlate with service installation events (7045) on target hosts.
SecurityEvent | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where EventID in (4624, 4648) | whe...
DeviceProcessEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where FileName in~ ("psexec.exe",...
Web Shell DetectionP1 | 90m
  1. 1.Scan web root directories for common web shell patterns: `find /var/www -name "*.php" -newer /var/log/syslog -exec grep -l "eval\|base64_decode\|system\|exec\|passthru" {} \;` (Linux) or search IIS directories for aspx files with suspicious content.
  2. 2.Check file timestamps for anomalies: files created during non-business hours, files with modification dates matching the compromise window, or timestomped files where $MFT timestamps disagree with $UsnJrnl.
  3. 3.Analyze identified web shells for functionality: command execution, file upload/download, database access, reverse shell capability. Determine the attacker skill level and objectives.
W3CIISLog | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where csUriStem has_any (".aspx",".asp"...
DeviceFileEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where FolderPath has_any ("wwwroot",...

Eradication

Malware RemovalP1 | 120m
  1. 1.Compile a complete list of all identified malicious artifacts: file paths, registry keys, scheduled tasks, services, cron jobs, web shells, and any other persistence mechanisms discovered during analysis.
  2. 2.On Windows: remove malicious scheduled tasks (`schtasks /delete /tn "TASK_NAME" /f`), services (`sc delete SERVICE_NAME`), registry Run keys, WMI event subscriptions, and startup folder entries. Use Autoruns to verify: `autorunsc.exe -a * -c -h -s -v -vt > autoruns_post_cleanup.csv`.
  3. 3.On Linux: remove malicious cron entries (`crontab -r -u COMPROMISED_USER`), systemd services, modified SSH authorized_keys, LD_PRELOAD entries, and files in /tmp or /dev/shm. Check for rootkits: `chkrootkit` and `rkhunter --check`.
DeviceFileEvents | where Timestamp > ago(1h) | where DeviceName == "CLEANED_HOST" | where FolderPath has_any ("\Temp\","...
DeviceNetworkEvents | where Timestamp > ago(4h) | where DeviceName == "CLEANED_HOST" | where RemoteUrl in~ (KNOWN_C2_DOM...
Persistence HuntP1 | 120m
  1. 1.Windows persistence sweep: Run Autoruns (`autorunsc.exe -a * -c -h -s -v -vt > autoruns_sweep.csv`), check: Run/RunOnce registry keys, Services, Scheduled Tasks, WMI Event Subscriptions, startup folder, DLL search order hijacking, COM object hijacking, AppInit_DLLs, Image File Execution Options, Winlogon helper DLLs.
  2. 2.Linux persistence sweep: Check crontab (all users), systemd services/timers, rc.local, .bashrc/.profile modifications, SSH authorized_keys, LD_PRELOAD, /etc/ld.so.preload, at jobs, inetd/xinetd, modified system binaries (verify against package manager: `rpm -Va` or `debsums -c`).
  3. 3.Cloud persistence sweep: Check Azure AD app registrations, OAuth consents, Service Principals, Conditional Access exceptions, mailbox rules and forwarding, Power Automate flows, SharePoint webhooks, and federation trust configurations.
DeviceRegistryEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where RegistryKey has_any ("Run"...
DeviceEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where ActionType in ("ScheduledTaskCreat...
Eradication VerificationP1 | 90m
  1. 1.Run a full Autoruns sweep on all Windows hosts previously in scope -- compare against pre-incident baseline and flag any new entries added during the compromise window
  2. 2.Execute YARA rules for all known malware hashes and families identified during analysis across every endpoint using EDR live-response or Velociraptor hunts
  3. 3.Verify all compromised credentials have been reset: cross-reference the credential exposure list against Azure AD password-last-changed timestamps and on-prem AD pwdLastSet attributes
// KQL -- Verify no ransomware/malware re-execution post-eradication
DeviceProcessEvents
| where Timestamp > ago(48h)
| ...
// KQL -- Check for residual C2 communication
DeviceNetworkEvents
| where Timestamp > ago(48h)
| where RemoteIP in ("<C2...
Patch VulnerabilityP2 | 60m
  1. 1.Confirm the exact CVE or vulnerability exploited based on investigation findings. Cross-reference with the initial access analysis.
  2. 2.Test the patch in a staging environment if possible. Apply the patch to all affected systems: production, development, and staging environments.
  3. 3.Verify the patch was applied successfully: check version numbers, run vulnerability scans against the patched systems, and attempt to reproduce the exploit (in a safe manner).
DeviceTvmSoftwareVulnerabilities | where CveId == "CVE-XXXX-XXXXX" | project DeviceName, SoftwareName, SoftwareVersion, ...
Config HardeningP2 | 180m
  1. 1.Disable legacy authentication protocols exploited during the attack: NTLMv1, LLMNR, NBT-NS, WPAD, SMBv1, and unencrypted LDAP binds
  2. 2.Enable Windows Attack Surface Reduction (ASR) rules relevant to the observed TTPs: block Office macro child processes, block credential theft from LSASS, block unsigned/untrusted executables from USB
  3. 3.Harden Azure AD conditional access: enforce MFA on all accounts, block legacy auth, require compliant devices, implement sign-in risk and user risk policies
// PowerShell -- Enable ASR rules
$rules = @(
  "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550", # Block Office child processes
 ...
// KQL -- Verify hardening changes took effect
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType startswith "...

Recovery

System RebuildP1 | 240m
  1. 1.Take a final forensic image of each compromised system before rebuilding (for evidence preservation).
  2. 2.Rebuild systems from the organization gold image. Apply all current security patches to the fresh image.
  3. 3.Install and configure EDR agent, verify it is reporting to the console, and run a full system scan.
DeviceInfo | where Timestamp > ago(1h) | where DeviceName == "REBUILT_HOST" | project DeviceName, OSPlatform, OSVersion,...
Service RestorationP2 | 120m
  1. 1.Create service restoration tiers: Tier 1 (authentication, email, ERP), Tier 2 (file shares, internal apps), Tier 3 (development, non-essential). Restore one tier at a time.
  2. 2.Before each tier, verify: security tooling installed and reporting, monitoring rules deployed, containment controls updated for legitimate traffic.
  3. 3.Deploy enhanced monitoring rules: alert on C2 connections, new services, admin account creation, PowerShell/WMI remote execution.
DeviceNetworkEvents | where Timestamp > ago(4h) | where DeviceName in ("RESTORED_HOSTS") | where RemoteUrl !endswith ".m...
SecurityEvent | where TimeGenerated > ago(4h) | where Computer in ("RESTORED_HOSTS") | where EventID in (4720, 4732, 704...

Post-Incident Review

Detection ImprovementP2 | 90m
  1. 1.Document all attacker TTPs observed with specific indicators: process names, command lines, file paths, registry keys, network destinations.
  2. 2.Write Sigma rules for each TTP that can be shared and converted to multiple SIEM platforms.
  3. 3.Create custom KQL/SPL detection rules for the organization SIEM targeting the specific attack patterns.
SecurityEvent | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where EventID == 4688 | where Proce...
Incident ReportP2 | 180m
  1. 1.Write the technical narrative covering: initial detection, investigation scope, evidence collected, attacker TTPs, impact assessment, containment actions, eradication steps, and recovery.
  2. 2.Create the final incident timeline with all key events in chronological order.
  3. 3.Compile the IOC appendix: file hashes, IP addresses, domains, email addresses, user agents, and other indicators.
Compile all queries used during the investigation for the report appendix.
Lessons LearnedP3 | 120m
  1. 1.Compile the complete incident timeline from detection through recovery with all key events, decisions, and timestamps.
  2. 2.Document all evidence gaps encountered and how they were addressed (or could not be addressed).
  3. 3.Identify detection gaps: what alerts should have fired but did not? What telemetry would have enabled faster detection?
Review all investigation notes, evidence logs, and timeline entries compiled during the incident.