Skill

conducting-malware-incident-response

Guides malware incident response on enterprise endpoints: identifies family, vectors, assesses spread, executes eradication across detection, containment, analysis, removal, recovery.

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- EDR or antivirus detects malware execution on one or more endpoints

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Conducting Malware Incident Response

When to Use

EDR or antivirus detects malware execution on one or more endpoints
A user reports suspicious system behavior indicative of malware infection
Threat intelligence indicates a malware campaign targeting the organization's industry
Network monitoring detects beaconing traffic consistent with known malware C2 patterns
A file detonation in a sandbox returns a malicious verdict

Do not use for analyzing malware samples in a research context; use dedicated malware analysis procedures for reverse engineering.

Prerequisites

EDR platform with process tree visibility and host isolation capability
Malware sandbox environment (Cuckoo, ANY.RUN, Joe Sandbox, Hybrid Analysis)
Access to threat intelligence platforms for malware family identification (VirusTotal, MalwareBazaar)
Forensic imaging tools for evidence preservation (FTK Imager, KAPE)
Clean system images or gold images for endpoint rebuild
MITRE ATT&CK framework reference for technique mapping

Workflow

Step 1: Detect and Confirm Malware Presence

Validate the malware alert and gather initial indicators:

Review EDR alert details: detection name, file path, hash (SHA-256), process tree
Check if the detection is a known malware family or generic heuristic detection
Query the file hash against VirusTotal, MalwareBazaar, and internal threat intelligence
Examine the process execution chain to determine how the malware was delivered

Detection Summary:
File:        C:\Users\jsmith\AppData\Local\Temp\update.exe
SHA-256:     a1b2c3d4e5f6...
Detection:   CrowdStrike: Malware/Qakbot | VirusTotal: 58/72 engines
Parent:      WINWORD.EXE → cmd.exe → powershell.exe → update.exe
Delivery:    Email attachment (Invoice-Nov2025.docm)
Network:     HTTPS POST to 185.220.101[.]42:443 every 60s
Persistence: Scheduled Task "WindowsUpdate" → update.exe

Step 2: Scope the Infection

Determine how many systems are affected and the malware's propagation method:

Use EDR to search for the malware hash, filename, and behavioral indicators across all endpoints
Check for network-based spreading (SMB, WMI, PsExec, exploitation)
Query email gateway logs for all recipients of the delivery email
Search for C2 communications to the identified infrastructure from other internal hosts
Check for persistence mechanisms on all identified infected hosts

Step 3: Contain Infected Systems

Execute containment per the active breach containment procedures:

Network-isolate infected endpoints via EDR containment
Block malware C2 infrastructure at firewall and DNS
Block the malware hash in EDR prevention policy organization-wide
Quarantine the delivery email from all mailboxes (if email-delivered)
Disable compromised user accounts if credential theft is suspected

Step 4: Analyze the Malware

Perform sufficient analysis to support complete eradication:

Submit the sample to a sandbox for dynamic analysis (behavioral report, dropped files, network IOCs)
Identify all persistence mechanisms: registry keys, scheduled tasks, services, WMI subscriptions, startup folders
Document all file system artifacts: dropped files, modified files, created directories
Extract network IOCs: C2 domains, IPs, URLs, user agents, JA3/JA3S hashes
Map observed behaviors to MITRE ATT&CK techniques

Malware Analysis Summary - Qakbot Variant
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Initial Access:   T1566.001 - Spearphishing Attachment (.docm)
Execution:        T1059.001 - PowerShell (encoded downloader)
Persistence:      T1053.005 - Scheduled Task
Defense Evasion:  T1055.012 - Process Hollowing (explorer.exe)
C2:               T1071.001 - HTTPS with custom headers
Collection:       T1005 - Data from Local System (browser credentials)
Exfiltration:     T1041 - Exfiltration Over C2 Channel

Artifacts:
- C:\Users\*\AppData\Local\Temp\update.exe (dropper)
- C:\ProgramData\Microsoft\{GUID}\config.dll (payload)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{random} (backup persistence)
- Scheduled Task: "WindowsUpdate" (primary persistence)

Step 5: Eradicate the Malware

Remove all malware artifacts from every infected system:

Terminate malicious processes and injected threads
Delete malware files from all identified paths
Remove persistence mechanisms (scheduled tasks, registry keys, services, WMI subscriptions)
Clear browser credential stores if credential harvesting was confirmed
Run a full EDR scan to verify no artifacts remain
If eradication confidence is low, reimage the system from a known-clean gold image

Step 6: Recover and Validate

Restore systems to production and verify clean status:

Reconnect contained systems to the network in stages
Monitor for 72 hours for any recurrence of malware indicators
Force password resets for all users on infected endpoints
Verify that C2 traffic has completely ceased across the environment
Update detection rules based on newly discovered IOCs from the investigation
Distribute IOCs to threat intelligence sharing partners (ISAC, MISP)

Key Concepts

Term	Definition
Malware Family	Classification of malware variants sharing code, infrastructure, or behavior patterns (e.g., Qakbot, Emotet, Cobalt Strike)
Process Hollowing	Technique where malware creates a legitimate process in a suspended state, replaces its memory with malicious code, then resumes execution
Beacon	Periodic network communication from malware to its C2 server, typically with a set interval and jitter for detection evasion
Dropper	Initial malware component that downloads or unpacks the primary payload; often delivered via phishing
Persistence Mechanism	Method used by malware to survive system reboots (registry run keys, scheduled tasks, services, WMI event subscriptions)
IOC (Indicator of Compromise)	Observable artifact such as file hash, IP address, domain, or registry key that indicates malware presence

Tools & Systems

CrowdStrike Falcon / Microsoft Defender for Endpoint: EDR platforms for detection, containment, and threat hunting
ANY.RUN / Joe Sandbox: Interactive malware sandboxes for dynamic behavioral analysis
VirusTotal / MalwareBazaar: Malware intelligence platforms for sample identification and IOC enrichment
KAPE (Kroll Artifact Parser and Extractor): Forensic triage tool for rapid artifact collection from infected endpoints
YARA: Pattern-matching engine for creating custom malware detection rules based on observed indicators

Common Scenarios

Scenario: Emotet Loader Leading to Cobalt Strike Deployment

Context: EDR detects a macro-enabled document that spawns PowerShell, downloads an Emotet DLL, which subsequently loads a Cobalt Strike beacon. Three hosts are infected within 45 minutes.

Approach:

Immediately isolate all three hosts and block C2 IPs at the perimeter
Search email gateway for all recipients of the original phishing email and quarantine it
Sweep all endpoints for the Emotet DLL hash and Cobalt Strike beacon indicators
Analyze the Cobalt Strike beacon configuration to extract watermark, C2 profile, and staging URLs
Check for credential harvesting (Mimikatz/LSASS dump) and lateral movement artifacts
Eradicate all malware artifacts and reset credentials for affected users

Pitfalls:

Focusing only on Emotet and missing the Cobalt Strike second-stage payload
Failing to extract and block the Cobalt Strike Malleable C2 profile indicators
Not checking for additional persistence beyond the initial detection (Emotet often installs multiple backup persistence mechanisms)

Output Format

MALWARE INCIDENT RESPONSE REPORT
=================================
Incident:         INC-2025-1547
Malware Family:   Qakbot (variant: Obama265)
Delivery Vector:  Spearphishing attachment (Invoice-Nov2025.docm)
First Detection:  2025-11-15T14:23:17Z
Scope:            4 endpoints confirmed infected

INFECTION TIMELINE
14:18 UTC - Phishing email received by jsmith@corp.example.com
14:19 UTC - Macro executed in WINWORD.EXE
14:20 UTC - PowerShell downloads update.exe from staging server
14:21 UTC - update.exe establishes persistence (Scheduled Task)
14:23 UTC - C2 beacon initiated to 185.220.101[.]42
14:35 UTC - Lateral spread to WKSTN-087 via stolen credentials
14:42 UTC - EDR detection fires, SOC alerted

IOCs EXTRACTED
File Hashes:  [SHA-256 list]
C2 Domains:   [domain list]
C2 IPs:       [IP list]
File Paths:   [artifact paths]

ERADICATION STATUS
[x] All malware artifacts removed from 4 hosts
[x] Persistence mechanisms deleted
[x] C2 infrastructure blocked
[x] Compromised credentials reset
[x] Email quarantined from all mailboxes

RECOMMENDATIONS
1. Deploy YARA rule for Qakbot variant detection
2. Block macro execution in documents from external senders
3. Implement application whitelisting on finance workstations