npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
MITRE D3FEND
When to Use
- EDR or antivirus detects malware execution on one or more endpoints
- A user reports suspicious system behavior indicative of malware infection
- Threat intelligence indicates a malware campaign targeting the organization's industry
- Network monitoring detects beaconing traffic consistent with known malware C2 patterns
- A file detonation in a sandbox returns a malicious verdict
Do not use for analyzing malware samples in a research context; use dedicated malware analysis procedures for reverse engineering.
Prerequisites
- EDR platform with process tree visibility and host isolation capability
- Malware sandbox environment (Cuckoo, ANY.RUN, Joe Sandbox, Hybrid Analysis)
- Access to threat intelligence platforms for malware family identification (VirusTotal, MalwareBazaar)
- Forensic imaging tools for evidence preservation (FTK Imager, KAPE)
- Clean system images or gold images for endpoint rebuild
- MITRE ATT&CK framework reference for technique mapping
Workflow
Step 1: Detect and Confirm Malware Presence
Validate the malware alert and gather initial indicators:
- Review EDR alert details: detection name, file path, hash (SHA-256), process tree
- Check if the detection is a known malware family or generic heuristic detection
- Query the file hash against VirusTotal, MalwareBazaar, and internal threat intelligence
- Examine the process execution chain to determine how the malware was delivered
Detection Summary:
File: C:\Users\jsmith\AppData\Local\Temp\update.exe
SHA-256: a1b2c3d4e5f6...
Detection: CrowdStrike: Malware/Qakbot | VirusTotal: 58/72 engines
Parent: WINWORD.EXE → cmd.exe → powershell.exe → update.exe
Delivery: Email attachment (Invoice-Nov2025.docm)
Network: HTTPS POST to 185.220.101[.]42:443 every 60s
Persistence: Scheduled Task "WindowsUpdate" → update.exeStep 2: Scope the Infection
Determine how many systems are affected and the malware's propagation method:
- Use EDR to search for the malware hash, filename, and behavioral indicators across all endpoints
- Check for network-based spreading (SMB, WMI, PsExec, exploitation)
- Query email gateway logs for all recipients of the delivery email
- Search for C2 communications to the identified infrastructure from other internal hosts
- Check for persistence mechanisms on all identified infected hosts
Step 3: Contain Infected Systems
Execute containment per the active breach containment procedures:
- Network-isolate infected endpoints via EDR containment
- Block malware C2 infrastructure at firewall and DNS
- Block the malware hash in EDR prevention policy organization-wide
- Quarantine the delivery email from all mailboxes (if email-delivered)
- Disable compromised user accounts if credential theft is suspected
Step 4: Analyze the Malware
Perform sufficient analysis to support complete eradication:
- Submit the sample to a sandbox for dynamic analysis (behavioral report, dropped files, network IOCs)
- Identify all persistence mechanisms: registry keys, scheduled tasks, services, WMI subscriptions, startup folders
- Document all file system artifacts: dropped files, modified files, created directories
- Extract network IOCs: C2 domains, IPs, URLs, user agents, JA3/JA3S hashes
- Map observed behaviors to MITRE ATT&CK techniques
Malware Analysis Summary - Qakbot Variant
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Initial Access: T1566.001 - Spearphishing Attachment (.docm)
Execution: T1059.001 - PowerShell (encoded downloader)
Persistence: T1053.005 - Scheduled Task
Defense Evasion: T1055.012 - Process Hollowing (explorer.exe)
C2: T1071.001 - HTTPS with custom headers
Collection: T1005 - Data from Local System (browser credentials)
Exfiltration: T1041 - Exfiltration Over C2 Channel
Artifacts:
- C:\Users\*\AppData\Local\Temp\update.exe (dropper)
- C:\ProgramData\Microsoft\{GUID}\config.dll (payload)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{random} (backup persistence)
- Scheduled Task: "WindowsUpdate" (primary persistence)Step 5: Eradicate the Malware
Remove all malware artifacts from every infected system:
- Terminate malicious processes and injected threads
- Delete malware files from all identified paths
- Remove persistence mechanisms (scheduled tasks, registry keys, services, WMI subscriptions)
- Clear browser credential stores if credential harvesting was confirmed
- Run a full EDR scan to verify no artifacts remain
- If eradication confidence is low, reimage the system from a known-clean gold image
Step 6: Recover and Validate
Restore systems to production and verify clean status:
- Reconnect contained systems to the network in stages
- Monitor for 72 hours for any recurrence of malware indicators
- Force password resets for all users on infected endpoints
- Verify that C2 traffic has completely ceased across the environment
- Update detection rules based on newly discovered IOCs from the investigation
- Distribute IOCs to threat intelligence sharing partners (ISAC, MISP)
Key Concepts
| Term | Definition |
|---|---|
| Malware Family | Classification of malware variants sharing code, infrastructure, or behavior patterns (e.g., Qakbot, Emotet, Cobalt Strike) |
| Process Hollowing | Technique where malware creates a legitimate process in a suspended state, replaces its memory with malicious code, then resumes execution |
| Beacon | Periodic network communication from malware to its C2 server, typically with a set interval and jitter for detection evasion |
| Dropper | Initial malware component that downloads or unpacks the primary payload; often delivered via phishing |
| Persistence Mechanism | Method used by malware to survive system reboots (registry run keys, scheduled tasks, services, WMI event subscriptions) |
| IOC (Indicator of Compromise) | Observable artifact such as file hash, IP address, domain, or registry key that indicates malware presence |
Tools & Systems
- CrowdStrike Falcon / Microsoft Defender for Endpoint: EDR platforms for detection, containment, and threat hunting
- ANY.RUN / Joe Sandbox: Interactive malware sandboxes for dynamic behavioral analysis
- VirusTotal / MalwareBazaar: Malware intelligence platforms for sample identification and IOC enrichment
- KAPE (Kroll Artifact Parser and Extractor): Forensic triage tool for rapid artifact collection from infected endpoints
- YARA: Pattern-matching engine for creating custom malware detection rules based on observed indicators
Common Scenarios
Scenario: Emotet Loader Leading to Cobalt Strike Deployment
Context: EDR detects a macro-enabled document that spawns PowerShell, downloads an Emotet DLL, which subsequently loads a Cobalt Strike beacon. Three hosts are infected within 45 minutes.
Approach:
- Immediately isolate all three hosts and block C2 IPs at the perimeter
- Search email gateway for all recipients of the original phishing email and quarantine it
- Sweep all endpoints for the Emotet DLL hash and Cobalt Strike beacon indicators
- Analyze the Cobalt Strike beacon configuration to extract watermark, C2 profile, and staging URLs
- Check for credential harvesting (Mimikatz/LSASS dump) and lateral movement artifacts
- Eradicate all malware artifacts and reset credentials for affected users
Pitfalls:
- Focusing only on Emotet and missing the Cobalt Strike second-stage payload
- Failing to extract and block the Cobalt Strike Malleable C2 profile indicators
- Not checking for additional persistence beyond the initial detection (Emotet often installs multiple backup persistence mechanisms)
Output Format
MALWARE INCIDENT RESPONSE REPORT
=================================
Incident: INC-2025-1547
Malware Family: Qakbot (variant: Obama265)
Delivery Vector: Spearphishing attachment (Invoice-Nov2025.docm)
First Detection: 2025-11-15T14:23:17Z
Scope: 4 endpoints confirmed infected
INFECTION TIMELINE
14:18 UTC - Phishing email received by jsmith@corp.example.com
14:19 UTC - Macro executed in WINWORD.EXE
14:20 UTC - PowerShell downloads update.exe from staging server
14:21 UTC - update.exe establishes persistence (Scheduled Task)
14:23 UTC - C2 beacon initiated to 185.220.101[.]42
14:35 UTC - Lateral spread to WKSTN-087 via stolen credentials
14:42 UTC - EDR detection fires, SOC alerted
IOCs EXTRACTED
File Hashes: [SHA-256 list]
C2 Domains: [domain list]
C2 IPs: [IP list]
File Paths: [artifact paths]
ERADICATION STATUS
[x] All malware artifacts removed from 4 hosts
[x] Persistence mechanisms deleted
[x] C2 infrastructure blocked
[x] Compromised credentials reset
[x] Email quarantined from all mailboxes
RECOMMENDATIONS
1. Deploy YARA rule for Qakbot variant detection
2. Block macro execution in documents from external senders
3. Implement application whitelisting on finance workstationsReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md1.7 KB
API Reference: Malware Incident Response Agent
Overview
Automates malware incident triage: hashes samples, queries VirusTotal and MalwareBazaar for family attribution, retrieves related IOCs from ThreatFox, isolates endpoints via CrowdStrike, and generates IR reports.
Dependencies
| Package | Version | Purpose |
|---|---|---|
| requests | >=2.28 | API communication |
CLI Usage
python agent.py --incident-id INC-001 --sample malware.exe --vt-key <key> \
--cs-token <token> --device-id <id> --output report.jsonKey Functions
hash_file(file_path)
Computes SHA-256 and MD5 hashes of a malware sample file.
query_virustotal(file_hash, api_key)
Queries VirusTotal v3 API for detection stats, threat classification, tags, and first seen date.
query_malwarebazaar(file_hash)
Queries MalwareBazaar for sample family attribution, file type, delivery method, and tags.
query_threatfox_iocs(malware_family)
Retrieves IOCs associated with a malware family from ThreatFox (C2 IPs, domains, URLs).
isolate_endpoint_crowdstrike(api_base, token, device_id)
Isolates an infected endpoint using CrowdStrike Falcon network containment API.
search_enterprise_iocs(splunk_url, session_key, iocs)
Searches Splunk for enterprise-wide IOC matches from the malware family.
External APIs Used
| API | Endpoint | Auth | Purpose |
|---|---|---|---|
| VirusTotal v3 | /api/v3/files/{hash} |
API key | File reputation |
| MalwareBazaar | https://mb-api.abuse.ch/api/v1/ |
None | Sample metadata |
| ThreatFox | https://threatfox-api.abuse.ch/api/v1/ |
None | Family IOCs |
| CrowdStrike | /devices/entities/devices-actions/v2 |
Bearer token | Endpoint isolation |
Scripts 1
agent.py7.1 KB
#!/usr/bin/env python3
"""Malware Incident Response Agent - Triages malware infections and automates containment."""
import json
import hashlib
import logging
import os
import argparse
from datetime import datetime
import requests
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
def hash_file(file_path):
"""Compute SHA-256 and MD5 hashes of a file."""
sha256 = hashlib.sha256()
md5 = hashlib.md5()
with open(file_path, "rb") as f:
for chunk in iter(lambda: f.read(8192), b""):
sha256.update(chunk)
md5.update(chunk)
return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}
def query_virustotal(file_hash, api_key):
"""Query VirusTotal for file hash reputation."""
url = f"https://www.virustotal.com/api/v3/files/{file_hash}"
headers = {"x-apikey": api_key}
resp = requests.get(url, headers=headers, timeout=30)
if resp.status_code == 200:
attrs = resp.json()["data"]["attributes"]
stats = attrs.get("last_analysis_stats", {})
result = {
"hash": file_hash,
"malicious": stats.get("malicious", 0),
"undetected": stats.get("undetected", 0),
"total": sum(stats.values()),
"popular_threat_name": attrs.get("popular_threat_classification", {}).get("suggested_threat_label", ""),
"type_description": attrs.get("type_description", ""),
"first_seen": attrs.get("first_submission_date"),
"tags": attrs.get("tags", []),
}
logger.info("VT: %s - %d/%d detections (%s)",
file_hash[:16], result["malicious"], result["total"], result["popular_threat_name"])
return result
return {"hash": file_hash, "error": resp.status_code}
def query_malwarebazaar(file_hash):
"""Query MalwareBazaar for sample metadata."""
url = "https://mb-api.abuse.ch/api/v1/"
resp = requests.post(url, data={"query": "get_info", "hash": file_hash}, timeout=30)
result = resp.json()
if result.get("query_status") == "ok":
sample = result["data"][0]
return {
"hash": file_hash,
"family": sample.get("signature", "unknown"),
"file_type": sample.get("file_type", "unknown"),
"delivery_method": sample.get("delivery_method", "unknown"),
"tags": sample.get("tags", []),
"intelligence": sample.get("intelligence", {}),
}
return {"hash": file_hash, "status": "not_found"}
def query_threatfox_iocs(malware_family):
"""Search ThreatFox for IOCs associated with a malware family."""
url = "https://threatfox-api.abuse.ch/api/v1/"
data = {"query": "taginfo", "tag": malware_family, "limit": 50}
resp = requests.post(url, json=data, timeout=30)
result = resp.json()
iocs = []
if result.get("query_status") == "ok":
for entry in result.get("data", []):
iocs.append({
"ioc": entry.get("ioc"),
"ioc_type": entry.get("ioc_type"),
"threat_type": entry.get("threat_type"),
"malware": entry.get("malware_printable"),
"confidence": entry.get("confidence_level"),
})
logger.info("ThreatFox: %d IOCs for family '%s'", len(iocs), malware_family)
return iocs
def isolate_endpoint_crowdstrike(api_base, token, device_id):
"""Isolate an infected endpoint via CrowdStrike Falcon API."""
headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
resp = requests.post(
f"{api_base}/devices/entities/devices-actions/v2?action_name=contain",
headers=headers, json={"ids": [device_id]}, timeout=30,
)
if resp.status_code == 202:
logger.info("Endpoint %s isolated via CrowdStrike", device_id)
return True
logger.error("Isolation failed for %s: %d", device_id, resp.status_code)
return False
def search_enterprise_iocs(splunk_url, session_key, iocs):
"""Search Splunk for IOC matches across the enterprise."""
ioc_values = [i.get("ioc", "") for i in iocs if i.get("ioc")]
if not ioc_values:
return []
search_terms = " OR ".join([f'"{v}"' for v in ioc_values[:20]])
query = f'search index=* ({search_terms}) | stats count by host, sourcetype | sort - count'
resp = requests.post(
f"{splunk_url}/services/search/jobs",
headers={"Authorization": f"Splunk {session_key}"},
data={"search": query, "output_mode": "json"},
verify=not os.environ.get("SKIP_TLS_VERIFY", "").lower() == "true", timeout=30, # Set SKIP_TLS_VERIFY=true for self-signed certs in lab environments
)
return resp.json() if resp.status_code == 201 else []
def generate_malware_ir_report(incident_id, hashes, vt_results, bazaar_results, family_iocs, containment):
"""Generate a malware incident response report."""
report = {
"incident_id": incident_id,
"timestamp": datetime.utcnow().isoformat(),
"sample_hashes": hashes,
"virustotal": vt_results,
"malwarebazaar": bazaar_results,
"malware_family": bazaar_results.get("family", vt_results.get("popular_threat_name", "Unknown")),
"related_iocs": family_iocs[:20],
"containment_actions": containment,
}
family = report["malware_family"]
detections = vt_results.get("malicious", 0)
print(f"MALWARE IR REPORT - {incident_id}")
print(f"Family: {family} | VT Detections: {detections} | Related IOCs: {len(family_iocs)}")
return report
def main():
parser = argparse.ArgumentParser(description="Malware Incident Response Agent")
parser.add_argument("--incident-id", required=True, help="Incident ID")
parser.add_argument("--sample", help="Path to malware sample file")
parser.add_argument("--hash", help="SHA-256 hash of malware sample")
parser.add_argument("--vt-key", help="VirusTotal API key")
parser.add_argument("--cs-token", help="CrowdStrike API token")
parser.add_argument("--device-id", help="CrowdStrike device ID to isolate")
parser.add_argument("--output", default="malware_ir_report.json")
args = parser.parse_args()
hashes = {}
if args.sample:
hashes = hash_file(args.sample)
elif args.hash:
hashes = {"sha256": args.hash}
file_hash = hashes.get("sha256", "")
vt_results = query_virustotal(file_hash, args.vt_key) if args.vt_key and file_hash else {}
bazaar_results = query_malwarebazaar(file_hash) if file_hash else {}
family = bazaar_results.get("family", vt_results.get("popular_threat_name", ""))
family_iocs = query_threatfox_iocs(family) if family and family != "unknown" else []
containment = []
if args.cs_token and args.device_id:
if isolate_endpoint_crowdstrike("https://api.crowdstrike.com", args.cs_token, args.device_id):
containment.append(f"Isolated {args.device_id}")
report = generate_malware_ir_report(
args.incident_id, hashes, vt_results, bazaar_results, family_iocs, containment
)
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
logger.info("Report saved to %s", args.output)
if __name__ == "__main__":
main()