respond-malware
```
$ npx mdskill add dandye/ai-runbooks/respond-malware
```
Execute PICERL malware response from triage to recovery.
- Coordinates endpoint isolation and malware removal workflows.
- Integrates with triage-malware for initial analysis data.
- Generates structured reports for each incident phase.
- Delivers actionable host and network indicator lists.
SKILL.md (`.github/skills/respond-malware` in dandye/ai-runbooks)
---
name: respond-malware
description: "Respond to a malware incident following PICERL methodology. Use when malware is detected on endpoints. Orchestrates triage, containment, eradication, and recovery. Works with triage-malware skill for analysis."
required_roles:
  chronicle: roles/chronicle.admin
  soar: roles/chronicle.soarAdmin
  gti: GTI Enterprise
  scc: roles/securitycenter.findingsEditor
personas: [incident-responder]
---
# Malware Incident Response Skill
Structured workflow for responding to suspected malware incidents using the PICERL model.
## Inputs
- `CASE_ID` - SOAR case ID for the incident
- `ALERT_GROUP_IDENTIFIERS` - Alert group identifiers from SOAR
- `INITIAL_INDICATORS` - Details from initial alerts:
  - File hashes
  - IPs/domains
  - Affected hosts
  - Affected users
## Required Outputs
**After completing each phase, you MUST report these outputs:**
### Identification Phase
| Output | Description |
|--------|-------------|
| `AFFECTED_HOSTS` | Hosts with confirmed malware |
| `MALWARE_SAMPLES` | File hashes requiring triage/analysis |
| `MALWARE_IOCS` | Network indicators (IPs, domains, URLs) |
| `AFFECTED_USERS` | Users who executed/accessed malware |
### Containment Phase
| Output | Description |
|--------|-------------|
| `ISOLATED_HOSTS` | Hosts successfully isolated from network |
| `BLOCKED_IOCS` | IOCs blocked at firewall/proxy |
### Eradication Phase
| Output | Description |
|--------|-------------|
| `CLEANED_HOSTS` | Hosts with malware removed |
| `REMOVED_PERSISTENCE` | Persistence mechanisms removed |
### Recovery Phase
| Output | Description |
|--------|-------------|
| `RESTORED_HOSTS` | Hosts restored to operational state |
| `VALIDATION_STATUS` | Post-recovery scan results |
## PICERL Phases
### Phase 2: Identification
**Step 2.1: Initial Triage**
Use `/triage-alert` with CASE_ID for initial assessment.
```
secops-soar.get_case_full_details(case_id=CASE_ID)
```
Use `/check-duplicates`.
**Step 2.2: Malware Triage**
If a file hash is the primary indicator:
Use `/triage-malware`:
```
/triage-malware FILE_HASH=abc123 CASE_ID=1234
```
This provides:
- GTI classification
- Behavioral indicators
- Network IOCs
- Affected hosts/users
**Step 2.3: IOC Enrichment**
For other key IOCs (IPs, domains, URLs):
Use `/enrich-ioc` for each.
**Step 2.4: Initial Scope Assessment**
Compile:
- `AFFECTED_ENDPOINTS` - Hosts with malware (reported as `AFFECTED_HOSTS` in the Identification outputs)
- `AFFECTED_USERS` - Users who executed or accessed the malware
- `MALICIOUS_IOCs` - Network indicators (reported as `MALWARE_IOCS` in the Identification outputs)
Use `/document-in-case` with findings.
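The scope compilation in Step 2.4 is mostly normalisation work: indicators arrive from several alerts, often defanged and in mixed case, and the four Identification outputs must be de-duplicated before they go into the case. The following is an added example (not code from the dandye/ai-runbooks skill) that classifies raw indicators into hashes, IPs, domains and URLs, builds the Identification-phase output set, and checks a phase report against the Required Outputs tables above. The alert records are constructed, and their field names (`host`, `user`, `indicators`) are assumptions rather than the real output schema of `/triage-malware` or `/enrich-ioc`.

```python
"""Compile the Identification-phase outputs (Step 2.4) from raw alert data.

Added example; not part of the dandye/ai-runbooks skill. The alert records
below are constructed and their field names ('host', 'user', 'indicators')
are assumptions, not the schema of /triage-malware or /enrich-ioc output.
"""
import re
from typing import Dict, List

# Indicator shapes the normaliser recognises. Hashes: MD5, SHA-1 or SHA-256.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

# Required keys per phase, copied from the skill's "Required Outputs" tables.
REQUIRED_OUTPUTS = {
    "identification": {"AFFECTED_HOSTS", "MALWARE_SAMPLES", "MALWARE_IOCS", "AFFECTED_USERS"},
    "containment": {"ISOLATED_HOSTS", "BLOCKED_IOCS"},
    "eradication": {"CLEANED_HOSTS", "REMOVED_PERSISTENCE"},
    "recovery": {"RESTORED_HOSTS", "VALIDATION_STATUS"},
}

SAMPLE_ALERTS = [  # constructed sample data; the hash is obviously fake
    {"host": "WS-0142", "user": "jdoe",
     "indicators": ["deadbeef" * 8, "198.51.100[.]23", "update-cdn[.]example"]},
    {"host": "ws-0142", "user": "JDOE",  # same host and user, different case
     "indicators": ["DEADBEEF" * 8, "hxxps://update-cdn[.]example/stage2"]},
    {"host": "WS-0207", "user": "svc-backup",
     "indicators": ["198.51.100.23", "see ticket notes"]},
]


def refang(value: str) -> str:
    """Undo the defanging analysts use in notes so values can be matched."""
    v = value.strip()
    for old, new in (("[.]", "."), ("(.)", "."), ("hxxps://", "https://"), ("hxxp://", "http://")):
        v = v.replace(old, new)
    return v


def classify_indicator(value: str) -> str:
    """Return 'hash', 'ip', 'url', 'domain' or 'unknown' for one raw indicator."""
    v = refang(value)
    if HASH_RE.match(v):
        return "hash"
    if IPV4_RE.match(v):
        return "ip"
    if URL_RE.match(v):
        return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    return "unknown"


def compile_identification(alerts: List[Dict]) -> Dict[str, List[str]]:
    """Merge per-alert findings into the Identification-phase output set.

    Values are case-normalised (URLs excepted, since paths are case-sensitive),
    de-duplicated and sorted so repeated runs give a stable report.
    """
    hosts, users, samples, iocs, unclassified = set(), set(), set(), set(), set()
    for alert in alerts:
        if alert.get("host"):
            hosts.add(alert["host"].lower())
        if alert.get("user"):
            users.add(alert["user"].lower())
        for raw in alert.get("indicators", []):
            value = refang(raw)
            kind = classify_indicator(value)
            if kind == "hash":
                samples.add(value.lower())
            elif kind == "url":
                iocs.add(value)
            elif kind in ("ip", "domain"):
                iocs.add(value.lower())
            else:
                unclassified.add(value)
    return {
        "AFFECTED_HOSTS": sorted(hosts),
        "MALWARE_SAMPLES": sorted(samples),
        "MALWARE_IOCS": sorted(iocs),
        "AFFECTED_USERS": sorted(users),
        # Not a required output, but anything the classifier could not place
        # must be reviewed by hand rather than silently dropped.
        "UNCLASSIFIED": sorted(unclassified),
    }


def missing_outputs(phase: str, outputs: Dict) -> List[str]:
    """Required outputs for `phase` that are absent or empty; [] means the report is complete."""
    return sorted(k for k in REQUIRED_OUTPUTS[phase] if not outputs.get(k))


if __name__ == "__main__":
    result = compile_identification(SAMPLE_ALERTS)
    for key, values in result.items():
        print(f"{key}: {values}")
    print("missing:", missing_outputs("identification", result))
```

Run `missing_outputs(phase, outputs)` before `/document-in-case` for every phase, not only Identification: an empty required output is the usual sign that a step was skipped rather than that there was nothing to report.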
---
### Phase 3: Containment
**Step 3.1: Endpoint Isolation**
For each endpoint in `AFFECTED_ENDPOINTS`:
Use `/confirm-action`:
> "Isolate endpoint [HOSTNAME] from network?"
If confirmed, execute isolation via EDR.
**Step 3.2: Network IOC Containment**
For each IOC in `MALICIOUS_IOCs`:
Use `/confirm-action`:
> "Block [IOC_TYPE] [VALUE] at firewall/proxy?"
If confirmed, implement blocks.
**Step 3.3: User Account Containment**
If a compromised user account is involved:
Trigger `/respond-compromised-account`.
**Step 3.4: Verify Containment**
Monitor for continued activity:
```
secops-mcp.search_security_events(
    text="Activity from contained IOCs or endpoints",
    hours_back=1
)
```
Use `/document-in-case` with containment status.
---
### Phase 4: Eradication
**Step 4.1: Identify Persistence**
From `/triage-malware` results and GTI behavior summary, identify:
- Scheduled tasks
- Services installed
- Registry modifications
- Dropped files
- WMI subscriptions
**Step 4.2: Remove Malware & Persistence**
*(Requires EDR/endpoint tools)*
Execute removal plan:
1. Terminate malicious processes
2. Delete malware files
3. Remove persistence mechanisms
4. Clear malicious registry keys
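Steps 4.1 and 4.2 together turn triage findings into an ordered removal plan, and the Eradication outputs depend on every step of that plan actually completing. The following added example (not code from the dandye/ai-runbooks skill) groups observed artifacts into the five persistence categories listed in Step 4.1, emits a numbered plan in the Step 4.2 order, and only reports a host in `CLEANED_HOSTS` when the EDR has confirmed every step. The behaviour summary is constructed; its field names are assumptions, not the GTI behaviour-summary schema, and the paths and names in it are placeholders.

```python
"""Turn triage findings into an ordered eradication plan (Steps 4.1 and 4.2).

Added example; not part of the dandye/ai-runbooks skill. The behaviour
summary is constructed and its field names are assumptions, not the GTI
schema: map the real behaviour-summary fields onto these before use.
"""
from typing import Dict, List

SAMPLE_BEHAVIOUR = {  # constructed; paths and names are placeholders
    "processes_created": [r"C:\Users\Public\updater.exe"],
    "files_dropped": [r"C:\Users\Public\updater.exe", r"C:\ProgramData\cfg.dat"],
    "registry_keys_set": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"],
    "scheduled_tasks": [r"\Microsoft\Windows\UpdaterTask"],
    "services_created": ["WinUpdSvc"],
    "wmi_subscriptions": ["__EventFilter:UpdaterFilter"],
}

# Step 4.1 categories, in the order the skill lists them.
PERSISTENCE_FIELDS = {
    "scheduled_tasks": "Scheduled tasks",
    "services_created": "Services installed",
    "registry_keys_set": "Registry modifications",
    "files_dropped": "Dropped files",
    "wmi_subscriptions": "WMI subscriptions",
}

# Step 4.2 order: processes first (a live process can re-drop files and
# re-create keys), then files, then persistence mechanisms, then registry.
# The flag marks actions whose targets are reported as REMOVED_PERSISTENCE.
REMOVAL_ORDER = [
    ("terminate_process", "processes_created", False),
    ("delete_file", "files_dropped", True),
    ("remove_scheduled_task", "scheduled_tasks", True),
    ("remove_service", "services_created", True),
    ("remove_wmi_subscription", "wmi_subscriptions", True),
    ("delete_registry_key", "registry_keys_set", True),
]


def identify_persistence(behaviour: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Step 4.1: group observed artifacts by persistence category, skipping empty ones."""
    return {
        label: sorted(set(behaviour.get(field, [])))
        for field, label in PERSISTENCE_FIELDS.items()
        if behaviour.get(field)
    }


def build_eradication_plan(behaviour: Dict[str, List[str]]) -> List[Dict]:
    """Step 4.2: one numbered step per artifact, in removal order."""
    plan = []
    for action, field, is_persistence in REMOVAL_ORDER:
        for target in sorted(set(behaviour.get(field, []))):
            plan.append({"step": len(plan) + 1, "action": action,
                         "target": target, "persistence": is_persistence})
    return plan


def eradication_outputs(host: str, plan: List[Dict], results: Dict[int, bool]) -> Dict:
    """Required Outputs for one host. `results` maps step number -> succeeded.

    The host goes into CLEANED_HOSTS only when every step succeeded; a step that
    failed or was never run stays OUTSTANDING, so the Step 4.3 scan and the
    recovery phase are not started on a half-cleaned machine.
    """
    removed = [s for s in plan if results.get(s["step"])]
    outstanding = [s for s in plan if not results.get(s["step"])]
    return {
        "CLEANED_HOSTS": [host] if not outstanding else [],
        "REMOVED_PERSISTENCE": [s["target"] for s in removed if s["persistence"]],
        "OUTSTANDING": [f'{s["action"]}: {s["target"]}' for s in outstanding],
    }


if __name__ == "__main__":
    plan = build_eradication_plan(SAMPLE_BEHAVIOUR)
    for step in plan:
        print(f'{step["step"]}. {step["action"]:24} {step["target"]}')
    # Pretend the EDR reported every step except the registry cleanup as done.
    done = {s["step"]: s["action"] != "delete_registry_key" for s in plan}
    print(eradication_outputs("ws-0142", plan, done))
```

The `OUTSTANDING` list is what you would paste into `/document-in-case` when a host cannot yet be reported as cleaned; it names the exact action and artifact still open rather than a bare "eradication incomplete".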
**Step 4.3: Scan for Residual Infection**
*(Requires EDR/AV tools)*
Perform thorough scans post-eradication.
Use `/document-in-case` with eradication results.
---
### Phase 5: Recovery
**Step 5.1: Determine Recovery Strategy**
Based on severity and whether admin rights were involved:
| Factor | Rebuild | Clean |
|--------|---------|-------|
| Admin rights compromised | ✅ | ❌ |
| Unknown malware | ✅ | ❌ |
| Known commodity malware | Consider | ✅ |
| High confidence eradication | Consider | ✅ |
**Step 5.2: Execute Recovery**
*(Involves IT Ops/System Admins)*
- Rebuild from known-good image OR clean existing
- Apply all patches before reconnecting
- Perform vulnerability scan
- Restore data from clean backups if needed
**Step 5.3: Monitor Recovered Systems**
Closely monitor for 24-72 hours post-recovery:
- Watch for re-infection indicators
- Monitor for unusual behavior
- Verify normal operations
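Step 3.4 and Step 5.3 are the same kind of check with opposite expectations: after containment, an isolated host should generate no events at all and a blocked IOC should be reached by nobody, whereas after recovery the host is expected to be busy again and only contact with a known IOC inside the 24-72 hour watch window is a re-infection indicator. The following added example (not code from the dandye/ai-runbooks skill) implements both checks over the same event list and produces the `ISOLATED_HOSTS` and `BLOCKED_IOCS` outputs. In the skill the search itself is done with `secops-mcp.search_security_events`; this code is the logic applied to what comes back. The events are constructed, and their flattened field names (`ts`, `host`, `dst`, `domain`) are assumptions, not the UDM schema.

```python
"""Check contained entities (Step 3.4) and recovered hosts (Step 5.3) for activity.

Added example; not part of the dandye/ai-runbooks skill. The skill does the
search with secops-mcp.search_security_events; this is the check applied to
what comes back. The events below are constructed, and their flattened field
names ('ts', 'host', 'dst', 'domain') are assumptions, not the UDM schema.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


SAMPLE_EVENTS = [  # constructed; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
    {"ts": "2024-05-01T09:05:00Z", "host": "ws-0142", "dst": "198.51.100.23", "domain": ""},
    {"ts": "2024-05-01T10:20:00Z", "host": "WS-0142", "dst": "10.0.0.5", "domain": "intranet.example"},
    {"ts": "2024-05-01T10:40:00Z", "host": "ws-0301", "dst": "203.0.113.9", "domain": "update-cdn.example"},
    {"ts": "2024-05-01T10:50:00Z", "host": "ws-0450", "dst": "10.0.0.5", "domain": ""},
    {"ts": "2024-05-03T09:00:00Z", "host": "ws-0142", "dst": "10.0.0.5", "domain": ""},
    {"ts": "2024-05-04T12:00:00Z", "host": "ws-0142", "dst": "198.51.100.23", "domain": ""},
    {"ts": "2024-05-07T00:00:00Z", "host": "ws-0142", "dst": "203.0.113.9", "domain": "update-cdn.example"},
]
CONTAINED_AT = parse_ts("2024-05-01T10:00:00Z")  # isolation and blocks applied
RESTORED_AT = parse_ts("2024-05-03T08:00:00Z")   # ws-0142 rebuilt and reconnected


def destinations(event: Dict) -> Set[str]:
    """Network targets of one event, lower-cased, with empty fields dropped."""
    return {event.get("dst", "").lower(), event.get("domain", "").lower()} - {""}


def in_window(events: Iterable[Dict], start: datetime, hours: float) -> List[Dict]:
    """Events with start <= ts <= start + hours (the skill's hours_back, anchored at start)."""
    end = start + timedelta(hours=hours)
    return [e for e in events if start <= parse_ts(e["ts"]) <= end]


def containment_status(events, contained_at, isolated_hosts, blocked_iocs, window_hours=1):
    """Step 3.4 outputs. Any event from an isolated host, or any event reaching a
    blocked IOC, is a containment failure and removes that entity from the
    ISOLATED_HOSTS / BLOCKED_IOCS outputs."""
    hosts = {h.lower() for h in isolated_hosts}
    iocs = {i.lower() for i in blocked_iocs}
    failures = []
    for ev in in_window(events, contained_at, window_hours):
        host = ev.get("host", "").lower()
        if host in hosts:
            failures.append({"ts": ev["ts"], "entity": host, "reason": "isolated host still active"})
        for ioc in sorted(destinations(ev) & iocs):
            failures.append({"ts": ev["ts"], "entity": ioc, "reason": f"blocked IOC reached from {host}"})
    failed = {f["entity"] for f in failures}
    return {
        "ISOLATED_HOSTS": sorted(hosts - failed),
        "BLOCKED_IOCS": sorted(iocs - failed),
        "CONTAINMENT_FAILURES": failures,
    }


def reinfection_hits(events, restored_at, restored_hosts, known_iocs, hours=72):
    """Step 5.3: restored hosts are expected to be active again, so only contact
    with a known IOC inside the watch window counts as a hit."""
    hosts = {h.lower() for h in restored_hosts}
    iocs = {i.lower() for i in known_iocs}
    hits = []
    for ev in in_window(events, restored_at, hours):
        host = ev.get("host", "").lower()
        if host in hosts:
            for ioc in sorted(destinations(ev) & iocs):
                hits.append({"ts": ev["ts"], "host": host, "ioc": ioc})
    return hits


if __name__ == "__main__":
    iocs = ["198.51.100.23", "update-cdn.example"]
    print(containment_status(SAMPLE_EVENTS, CONTAINED_AT, ["WS-0142", "ws-0207"], iocs))
    print(reinfection_hits(SAMPLE_EVENTS, RESTORED_AT, ["ws-0142"], iocs))
```

In the sample data ws-0142 keeps talking to the intranet after its supposed isolation and a third host reaches a blocked domain, so only ws-0207 and one IOC make it into the Containment outputs; after the rebuild, ws-0142 contacting a known C2 address on day two of the watch window is exactly the re-infection signal Step 5.3 is looking for, while its later contact falls outside the 72-hour window and would only be caught by widening `hours`.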
**Step 5.4: Lift Containment**
Gradually remove isolation once confidence is high.
Use `/document-in-case` with recovery status.
---
### Phase 6: Lessons Learned
Use `/generate-report` with:
- Malware classification
- Entry vector
- Spread/impact
- Response timeline
- Recovery actions
- Recommendations
Conduct review:
- How did malware enter?
- Was detection timely?
- Were containment actions effective?
- What detections should be added?
---
## Critical Warnings
- **DO NOT skip** endpoint isolation for confirmed infections
- **MUST identify** malware strain/behavior
- **DO NOT restore** without verifying eradication
- **ALWAYS verify** scan results before reconnecting
## Malware Response Quick Reference
| Phase | Key Question | Action |
|-------|--------------|--------|
| Identification | What is it? | `/triage-malware` |
| Identification | Where is it? | SIEM search |
| Containment | Stop the spread | Isolate endpoints |
| Containment | Block C2 | Block network IOCs |
| Eradication | Remove it | EDR remediation |
| Recovery | Restore ops | Rebuild or clean |