respond-malware

```
npx mdskill add dandye/ai-runbooks/respond-malware
```

Execute PICERL malware response from triage to recovery.
- Coordinates endpoint isolation and malware removal workflows.
- Integrates with triage-malware for initial analysis data.
- Generates structured reports for each incident phase.
- Delivers actionable host and network indicator lists.

SKILL.md: .github/skills/respond-malware
---
name: respond-malware
description: "Respond to a malware incident following PICERL methodology. Use when malware is detected on endpoints. Orchestrates triage, containment, eradication, and recovery. Works with triage-malware skill for analysis."
required_roles:
  chronicle: roles/chronicle.admin
  soar: roles/chronicle.soarAdmin
  gti: GTI Enterprise
  scc: roles/securitycenter.findingsEditor
personas: [incident-responder]
---
# Malware Incident Response Skill
Structured workflow for responding to suspected malware incidents using the PICERL model.
## Inputs
- `CASE_ID` - SOAR case ID for the incident
- `ALERT_GROUP_IDENTIFIERS` - Alert group identifiers from SOAR
- `INITIAL_INDICATORS` - Details from initial alerts:
  - File hashes
  - IPs/domains
  - Affected hosts
  - Affected users
## Required Outputs
**After completing each phase, you MUST report these outputs:**
### Identification Phase
| Output | Description |
|--------|-------------|
| `AFFECTED_HOSTS` | Hosts with confirmed malware |
| `MALWARE_SAMPLES` | File hashes requiring triage/analysis |
| `MALWARE_IOCS` | Network indicators (IPs, domains, URLs) |
| `AFFECTED_USERS` | Users who executed/accessed malware |
### Containment Phase
| Output | Description |
|--------|-------------|
| `ISOLATED_HOSTS` | Hosts successfully isolated from network |
| `BLOCKED_IOCS` | IOCs blocked at firewall/proxy |
### Eradication Phase
| Output | Description |
|--------|-------------|
| `CLEANED_HOSTS` | Hosts with malware removed |
| `REMOVED_PERSISTENCE` | Persistence mechanisms removed |
### Recovery Phase
| Output | Description |
|--------|-------------|
| `RESTORED_HOSTS` | Hosts restored to operational state |
| `VALIDATION_STATUS` | Post-recovery scan results |
## PICERL Phases
### Phase 2: Identification
**Step 2.1: Initial Triage**
Use `/triage-alert` with CASE_ID for initial assessment.
```
secops-soar.get_case_full_details(case_id=CASE_ID)
```
Use `/check-duplicates`.
**Step 2.2: Malware Triage**
If a file hash is the primary indicator:
Use `/triage-malware`:
```
/triage-malware FILE_HASH=abc123 CASE_ID=1234
```
This provides:
- GTI classification
- Behavioral indicators
- Network IOCs
- Affected hosts/users
**Step 2.3: IOC Enrichment**
For other key IOCs (IPs, domains, URLs):
Use `/enrich-ioc` for each.
**Step 2.4: Initial Scope Assessment**
Compile:
- `AFFECTED_ENDPOINTS` - Hosts with malware
- `AFFECTED_USERS` - Users who executed/accessed
- `MALICIOUS_IOCs` - Network indicators
Use `/document-in-case` with findings.
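The scope assessment above starts from whatever `INITIAL_INDICATORS` the alert carried, and the hash-versus-network split decides whether an indicator goes to `/triage-malware` or `/enrich-ioc`. The following is an added example, not code from the dandye/ai-runbooks skill: it classifies raw indicators (including defanged `hxxp://` and `[.]` forms, which alert text often contains), de-duplicates them, and assembles the Identification-phase output structure. The output key names follow the Required Outputs tables; the nested `ips`/`domains`/`urls` layout under `MALWARE_IOCS`, the `UNCLASSIFIED` bucket, and every sample indicator, host and user are constructed for this example.

```python
# Added example, not part of the dandye/ai-runbooks skill: sort the raw
# INITIAL_INDICATORS into the Identification-phase outputs so that file
# hashes are routed to /triage-malware and network IOCs to /enrich-ioc.
# Alert text often carries defanged indicators (hxxp://, [.]), so those are
# refanged first. Every indicator, host and user below is constructed.
import ipaddress
import re
from collections import defaultdict

HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def refang(value: str) -> str:
    """Undo common defanging so the indicator can be matched and enriched."""
    v = value.strip()
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.I)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(value: str) -> str:
    """Return 'hash', 'url', 'ip', 'domain' or 'unknown' for one indicator."""
    v = refang(value)
    # A pure hex string of md5/sha1/sha256 length is treated as a hash. A
    # hostname that happens to look like that would be misrouted, so anything
    # surprising should be checked by the analyst via the UNCLASSIFIED bucket.
    if len(v) in HASH_KINDS and HEX_RE.match(v):
        return "hash"
    if SCHEME_RE.match(v):
        return "url"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "domain"
    return "unknown"


def normalize(kind: str, value: str) -> str:
    """Canonical form used for de-duplication (hashes and domains lowercase)."""
    v = refang(value)
    if kind == "ip":
        return str(ipaddress.ip_address(v))
    if kind in ("hash", "domain"):
        return v.lower()
    return v  # URLs keep their case: paths may be case-sensitive


def build_phase2_outputs(initial_indicators, affected_hosts, affected_users):
    """Assemble the Identification-phase outputs from the initial alert data."""
    buckets = defaultdict(set)
    for raw in initial_indicators:
        kind = classify(raw)
        buckets[kind].add(normalize(kind, raw))
    return {
        "AFFECTED_HOSTS": sorted({h.lower() for h in affected_hosts}),
        "MALWARE_SAMPLES": sorted(buckets["hash"]),
        "MALWARE_IOCS": {
            "ips": sorted(buckets["ip"]),
            "domains": sorted(buckets["domain"]),
            "urls": sorted(buckets["url"]),
        },
        "AFFECTED_USERS": sorted({u.lower() for u in affected_users}),
        # Anything unrecognised is surfaced rather than silently dropped.
        "UNCLASSIFIED": sorted(buckets["unknown"]),
    }


# Constructed sample alert details (documentation IP range, example domains,
# synthetic hash-shaped strings); not real indicators.
SAMPLE_INDICATORS = [
    "0123456789abcdef" * 4,
    "DEADBEEF" * 4,
    "hxxp://malicious[.]example/payload.bin",
    "203.0.113.45",
    "203.0.113.45",
    "c2[.]example[.]net",
    "not an indicator",
]

if __name__ == "__main__":
    import json

    outputs = build_phase2_outputs(SAMPLE_INDICATORS, ["WS-042", "ws-042"], ["jdoe"])
    print(json.dumps(outputs, indent=2))
```

Hashes are checked before domains on purpose: an alert artefact that is 32, 40 or 64 hex characters long is almost always a file hash, and the `UNCLASSIFIED` list exists so that nothing the parser could not place is lost before `/document-in-case`.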
---
### Phase 3: Containment
**Step 3.1: Endpoint Isolation**
For each endpoint in `AFFECTED_ENDPOINTS`:
Use `/confirm-action`:
> "Isolate endpoint [HOSTNAME] from network?"
If confirmed, execute isolation via EDR.
**Step 3.2: Network IOC Containment**
For each IOC in `MALICIOUS_IOCs`:
Use `/confirm-action`:
> "Block [IOC_TYPE] [VALUE] at firewall/proxy?"
If confirmed, implement blocks.
**Step 3.3: User Account Containment**
If a compromised user account is involved:
Trigger `/respond-compromised-account`.
**Step 3.4: Verify Containment**
Monitor for continued activity:
```
secops-mcp.search_security_events(
    text="Activity from contained IOCs or endpoints",
    hours_back=1
)
```
Use `/document-in-case` with containment status.
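Step 3.4 asks for a search over the last hour, but the analyst still has to decide which of the returned events actually contradict containment: activity from an isolated host after its isolation time, or any host reaching a blocked IOC after the block time. The following is an added example, not code from the dandye/ai-runbooks skill, that applies exactly that test to a batch of JSON-lines events. The event field names (`ts`, `hostname`, `event_type`, `dest_ip`, `dest_domain`) and the `edr_heartbeat` event type are assumptions for the example, not the secops-mcp event schema, and the events and timestamps are constructed.

```python
# Added example, not part of the dandye/ai-runbooks skill: check a batch of
# security events for activity that contradicts containment. A finding is
# raised when an isolated host generates activity after its isolation time,
# or when any host reaches a blocked IOC after the block time. Event field
# names and the heartbeat event type are assumptions, not the secops-mcp
# schema; the events and timestamps are constructed.
import json
from dataclasses import dataclass
from datetime import datetime

# EDR isolation keeps the agent's management channel open, so agent
# heartbeats from an isolated host are expected and must not count.
IGNORED_EVENT_TYPES = {"edr_heartbeat"}


@dataclass(frozen=True)
class Finding:
    reason: str      # "isolated_host_active" or "blocked_ioc_reached"
    hostname: str
    ts: str
    detail: str


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def verify_containment(events_jsonl: str, isolated_hosts: dict, blocked_iocs: dict) -> list:
    """isolated_hosts maps hostname -> isolation time; blocked_iocs maps
    IP/domain -> block time (lowercase keys, ISO timestamps). Events that
    predate the containment action are expected and produce no finding.
    Returns findings in event order."""
    findings = []
    for line in events_jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev.get("event_type") in IGNORED_EVENT_TYPES:
            continue
        ts = parse_ts(ev["ts"])
        host = ev["hostname"].lower()
        isolated_at = isolated_hosts.get(host)
        if isolated_at and ts > parse_ts(isolated_at):
            target = ev.get("dest_domain") or ev.get("dest_ip") or "n/a"
            findings.append(Finding("isolated_host_active", host, ev["ts"],
                                    f'{ev["event_type"]} to {target}'))
        # An event may carry both an IP and a domain; check each against the blocklist.
        for key in ("dest_ip", "dest_domain"):
            dest = (ev.get(key) or "").lower()
            blocked_at = blocked_iocs.get(dest)
            if dest and blocked_at and ts > parse_ts(blocked_at):
                findings.append(Finding("blocked_ioc_reached", host, ev["ts"], dest))
    return findings


# Constructed sample events (documentation IP range, example domains).
SAMPLE_EVENTS = """
{"ts": "2024-05-01T09:55:00Z", "hostname": "WS-042", "event_type": "network_connection", "dest_ip": "203.0.113.45"}
{"ts": "2024-05-01T10:05:00Z", "hostname": "WS-042", "event_type": "edr_heartbeat"}
{"ts": "2024-05-01T10:07:00Z", "hostname": "WS-042", "event_type": "network_connection", "dest_domain": "c2.example.net"}
{"ts": "2024-05-01T10:20:00Z", "hostname": "WS-017", "event_type": "dns_query", "dest_domain": "C2.example.net"}
{"ts": "2024-05-01T10:25:00Z", "hostname": "WS-017", "event_type": "dns_query", "dest_domain": "updates.example.org"}
"""
ISOLATED = {"ws-042": "2024-05-01T10:00:00Z"}
BLOCKED = {"c2.example.net": "2024-05-01T10:10:00Z", "203.0.113.45": "2024-05-01T10:10:00Z"}

if __name__ == "__main__":
    for finding in verify_containment(SAMPLE_EVENTS, ISOLATED, BLOCKED):
        print(finding)
```

With the constructed data the 09:55 connection is ignored (it predates both the isolation and the block), the heartbeat is ignored, the 10:07 connection from `ws-042` is flagged because the host was isolated at 10:00, and the 10:20 DNS query from `ws-017` is flagged because the domain was blocked at 10:10. Either finding means containment is not yet verified and belongs in the `/document-in-case` status.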
---
### Phase 4: Eradication
**Step 4.1: Identify Persistence**
From `/triage-malware` results and GTI behavior summary, identify:
- Scheduled tasks
- Services installed
- Registry modifications
- Dropped files
- WMI subscriptions
**Step 4.2: Remove Malware & Persistence**
*(Requires EDR/endpoint tools)*
Execute removal plan:
1. Terminate malicious processes
2. Delete malware files
3. Remove persistence mechanisms
4. Clear malicious registry keys
**Step 4.3: Scan for Residual Infection**
*(Requires EDR/AV tools)*
Perform thorough scans post-eradication.
Use `/document-in-case` with eradication results.
---
### Phase 5: Recovery
**Step 5.1: Determine Recovery Strategy**
Based on severity and whether admin rights were involved:
| Factor | Rebuild | Clean |
|--------|---------|-------|
| Admin rights compromised | ✅ | ❌ |
| Unknown malware | ✅ | ❌ |
| Known commodity malware | Consider | ✅ |
| High confidence eradication | Consider | ✅ |
**Step 5.2: Execute Recovery**
*(Involves IT Ops/System Admins)*
- Rebuild from known-good image OR clean existing
- Apply all patches before reconnecting
- Perform vulnerability scan
- Restore data from clean backups if needed
**Step 5.3: Monitor Recovered Systems**
Closely monitor for 24-72 hours post-recovery:
- Watch for re-infection indicators
- Monitor for unusual behavior
- Verify normal operations
**Step 5.4: Lift Containment**
Gradually remove isolation once confidence is high.
Use `/document-in-case` with recovery status.
---
### Phase 6: Lessons Learned
Use `/generate-report` with:
- Malware classification
- Entry vector
- Spread/impact
- Response timeline
- Recovery actions
- Recommendations
Conduct review:
- How did malware enter?
- Was detection timely?
- Were containment actions effective?
- What detections should be added?
---
## Critical Warnings
- **DO NOT skip** endpoint isolation for confirmed infections
- **MUST identify** malware strain/behavior
- **DO NOT restore** without verifying eradication
- **ALWAYS verify** scan results before reconnecting
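The Required Outputs tables and the Critical Warnings together define a gate: a phase is complete only when its outputs exist, the earlier phases are done, every affected host was isolated, nothing is restored that was not cleaned, and nothing is reconnected without a clean scan. The following is an added example, not code from the dandye/ai-runbooks skill, that encodes those rules as a checker over the phase output dicts. It assumes `VALIDATION_STATUS` is a dict of hostname to `"clean"` or `"infected"` (the page only says "post-recovery scan results"), and all host names and values are constructed.

```python
# Added example, not part of the dandye/ai-runbooks skill: a phase gate that
# refuses to mark a phase complete unless its Required Outputs are present,
# the earlier phases are done, and the Critical Warnings hold across phases.
# VALIDATION_STATUS is assumed to be a dict of hostname -> "clean"|"infected";
# all host names and values below are constructed.
REQUIRED_OUTPUTS = {
    "identification": ("AFFECTED_HOSTS", "MALWARE_SAMPLES", "MALWARE_IOCS", "AFFECTED_USERS"),
    "containment": ("ISOLATED_HOSTS", "BLOCKED_IOCS"),
    "eradication": ("CLEANED_HOSTS", "REMOVED_PERSISTENCE"),
    "recovery": ("RESTORED_HOSTS", "VALIDATION_STATUS"),
}
PHASE_ORDER = tuple(REQUIRED_OUTPUTS)


def _hosts(outputs: dict, key: str) -> set:
    """Hostnames are compared case-insensitively."""
    return {h.lower() for h in outputs.get(key, [])}


def gate_errors(phase: str, outputs: dict, completed: dict) -> list:
    """Return the reasons `phase` cannot be reported complete (empty = ok).
    `outputs` is the proposed output dict for this phase; `completed` maps
    already accepted phases to their output dicts."""
    errors = []
    for earlier in PHASE_ORDER[: PHASE_ORDER.index(phase)]:
        if earlier not in completed:
            errors.append(f"{phase} reported before {earlier} completed")
    for key in REQUIRED_OUTPUTS[phase]:
        if key not in outputs:
            errors.append(f"missing required output {key}")
    if errors:
        return errors  # cross-phase checks need the earlier outputs

    if phase == "containment":
        # DO NOT skip endpoint isolation for confirmed infections
        not_isolated = _hosts(completed["identification"], "AFFECTED_HOSTS") - _hosts(outputs, "ISOLATED_HOSTS")
        if not_isolated:
            errors.append("affected hosts not isolated: " + ", ".join(sorted(not_isolated)))
    elif phase == "eradication":
        # Cleaning a host that was never isolated also skips isolation
        not_isolated = _hosts(outputs, "CLEANED_HOSTS") - _hosts(completed["containment"], "ISOLATED_HOSTS")
        if not_isolated:
            errors.append("cleaned hosts that were never isolated: " + ", ".join(sorted(not_isolated)))
    elif phase == "recovery":
        cleaned = _hosts(completed["eradication"], "CLEANED_HOSTS")
        status = {h.lower(): s for h, s in outputs["VALIDATION_STATUS"].items()}
        for host in sorted(_hosts(outputs, "RESTORED_HOSTS")):
            if host not in cleaned:
                # DO NOT restore without verifying eradication
                errors.append(f"{host} restored without eradication")
            elif status.get(host) != "clean":
                # ALWAYS verify scan results before reconnecting
                errors.append(f"{host} restored with validation status {status.get(host, 'missing')}")
    return errors


def run_phase(phase: str, outputs: dict, completed: dict) -> dict:
    """Accept the phase outputs into `completed`, or raise listing the gate errors."""
    errors = gate_errors(phase, outputs, completed)
    if errors:
        raise ValueError(f"{phase} gate failed: " + "; ".join(errors))
    completed[phase] = outputs
    return completed


if __name__ == "__main__":
    done = {}
    run_phase("identification", {"AFFECTED_HOSTS": ["WS-042"], "MALWARE_SAMPLES": ["deadbeef" * 4],
                                 "MALWARE_IOCS": ["c2.example.net"], "AFFECTED_USERS": ["jdoe"]}, done)
    run_phase("containment", {"ISOLATED_HOSTS": ["ws-042"], "BLOCKED_IOCS": ["c2.example.net"]}, done)
    run_phase("eradication", {"CLEANED_HOSTS": ["ws-042"], "REMOVED_PERSISTENCE": ["scheduled task"]}, done)
    print(gate_errors("recovery", {"RESTORED_HOSTS": ["ws-042"], "VALIDATION_STATUS": {"ws-042": "infected"}}, done))
```

The checker deliberately reports the missing-output and ordering problems first and only then the cross-phase ones, because the latter cannot be evaluated without the earlier phase's outputs; a single empty list is the signal that the phase may be documented as complete.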
## Malware Response Quick Reference
| Phase | Key Question | Action |
|-------|--------------|--------|
| Identification | What is it? | `/triage-malware` |
| Identification | Where is it? | SIEM search |
| Containment | Stop the spread | Isolate endpoints |
| Containment | Block C2 | Block network IOCs |
| Eradication | Remove it | EDR remediation |
| Recovery | Restore ops | Rebuild or clean |