Web Application Compromise

Exploitation of web application vulnerabilities such as injection flaws, authentication bypasses, or server-side request forgery leading to unauthorized access.

Triage

3 procedures
P1

Bound the Investigation Timeframe

~30 min
P1

Identify Patient Zero (First Compromised System)

~60 min
P2

Validate the Initial Access Vector

~45 min

Containment

2 procedures
P1

Network Isolation of Compromised Systems

~30 min
P1

Credential and Account Lockdown

~45 min
Sponsored

Preservation

3 procedures
P1

Volatile Memory Capture

~60 min
P1

Log Preservation and Snapshot

~45 min
P2

Document Chain of Custody for All Collected Evidence

~30 min

Collection

5 procedures
P2

EDR Telemetry Collection

~120 min
P2

M365 Unified Audit Log Collection

~90 min
P2

Identify Alternative Evidence When Primary Logs Are Missing

~60 min
P2

Collect and Analyze Web Server Logs for Web App Compromise

~90 min
P3

Coordinate Log Collection from Third-Party Vendors

~120 min

Analysis

2 procedures
P1

Lateral Movement Analysis and Mapping

~120 min
P1

Detect and Analyze Web Shells on Compromised Servers

~90 min

Eradication

5 procedures
P1

Remove Malware, Backdoors, and Persistence Mechanisms

~120 min
P1

Comprehensive Persistence Mechanism Sweep

~120 min
P1

Eradication Verification Checklist

~90 min
P2

Patch Exploited Vulnerabilities to Prevent Re-Compromise

~60 min
P2

Post-Incident Configuration Hardening

~180 min

Recovery

2 procedures
P1

Rebuild Compromised Systems from Known-Good Images

~240 min
P2

Phased Service Restoration with Enhanced Monitoring

~120 min

Post-Incident Review

4 procedures
P2

Create New Detection Rules Based on Incident Findings

~90 min
P2

Generate Comprehensive Incident Report

~180 min
P2

Review Web Application Root Cause and Exposure Window

~75 min
P3

Conduct Lessons Learned Review Session

~120 min