Malware

Systems Involved

Identify the system on which the malware was reported.

Account(s) Involved

Identify the account(s) logged into the host. If the malware was reported by an EDR, that tool might indicate what account was used when attempting to execute the malware.

Malware IOCs

There are many different types of malware IOCs. Some are more reliable than others in precisely indicating the existence of malware on a host. Review the alert to identify the malware IOCs used to produce this detection. IOCs can include:

• File Names
• File Hashes
• IP addresses
• Domain names
• Coding characteristics such as code obfuscation (making code purposefully hard to read to avoid detection)
• Program behaviors such as accessing sensitive locations in memory or in the file system

‍

‍

1. How was the malware detected?
   
   There are many ways to detect malware, some of which are very reliable such as using file hashes. Others are far less reliable such as network IOCs (IPs, Domain Names, or program behaviors).
   
   If the detection used a very reliable indicator of malware, there is a good chance that this could be a true positive. However, if the indicator is less reliable, more analysis will be needed.
   ‍
2. Was the malware executed successfully?
   
   Many systems have more than one control that could stop the execution of malicious code. For example, a malware IOC could be reported by an EDR, but the program could have been blocked and cleaned by AV software.
   
   Alternatively, sometimes an AV tool will flag a file that has been on a system for some time, but has not been executed. This can happen if the AV system's rule set was updated to include new signatures.
   ‍
3. What kind of malware is being reported?
   
   Some tools flagged as malicious also have legitimate purposes. Sometimes these programs are known as "Potentially Unwanted" or "Living off the Land Binaries."
   ‍
4. What system(s) was the malware identified on?
   
   Malware on any system is a problem, but understanding what the system(s) are can help indicate if there is reason to believe this code is part of a business function.
   ‍
5. How was the code being executed?
   
   Oftentimes, attackers need to rely on a third-party function or user to execute their malicious code. Code executed from a program such as Word or Outlook is very suspicious. However, code executed by an approved system management software such as SCCM can indicate system maintenance activity. It's important to verify with IT support if you suspect their tools are responsible for executing code flagged as malware.
   

If there isn't an obvious reason why this activity is expected, it might be time to either escalate to a more senior analyst or start executing your incident response plan.

Common initial response actions can include:

• For user workstations, isolate the host from the network and collect artifacts from the host for further analysis.
• For critical systems such as application servers and operational technology, it might not be possible or safe to isolate the host. Contact the system owner and proceed with caution.

‍