Incident Response Playbooks
Specific incident response procedures for common security scenarios
Detailed response procedures for specific security incident scenarios. These playbooks provide step-by-step guidance for the most common incidents MSPs encounter.
Using These Playbooks
Each playbook follows the incident response lifecycle:
- Detection and Analysis
- Containment
- Eradication
- Recovery
- Post-Incident Activity
Time is critical. Follow procedures in order but be prepared to escalate immediately for critical incidents.
Ransomware Response
Detection and Analysis
Indicators of Compromise
- Files renamed with unusual extensions (.locked, .encrypted, .crypted)
- Ransom notes appearing on systems (README.txt, HOW_TO_DECRYPT.txt)
- Sudden spike in file modifications
- Network shares becoming inaccessible
- Desktop wallpaper changed to ransom message
- Shadow copies deleted
- Backup systems disabled or encrypted
Initial Assessment
# Check for ransom notes
Get-ChildItem -Path C:\ -Recurse -Include "*DECRYPT*","*README*","*RANSOM*" -ErrorAction SilentlyContinue
# Check recent file modifications
Get-ChildItem -Path C:\Users -Recurse -File | Where-Object {$_.LastWriteTime -gt (Get-Date).AddHours(-2)} | Select FullName, LastWriteTime
# Check for shadow copy deletion
vssadmin list shadows
# Check event logs for suspicious activity
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} -MaxEvents 100 | Where-Object {$_.Message -like "*vssadmin*delete*"}
Immediate Containment
CRITICAL: Do these steps in the first 5 minutes
Isolate Infected Systems
# Disable network adapters (run on each infected machine)
Get-NetAdapter | Disable-NetAdapter -Confirm:$false
# Or physically disconnect network cable
Preserve Evidence
# Capture memory dump (if time permits)
# Using DumpIt or similar tool
# Document what you see
# Take photos of ransom notes
# Screenshot any error messages
Disable Service Accounts
# Disable potentially compromised service accounts
Disable-ADAccount -Identity "svc_backup"
Disable-ADAccount -Identity "svc_admin"
# Force password reset for admin accounts
Set-ADAccountPassword -Identity "domain_admin" -Reset
Block Lateral Movement
# Disable SMB on unaffected systems
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-SmbServerConfiguration -EnableSMB2Protocol $false -Force
# Enable firewall on all systems
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
Protect Backups
# Immediately disconnect or make backup storage read-only
# Take offline backups offline if not already
# Verify backup integrity before proceeding
Investigation
Determine Scope
# Check all systems for encrypted files
$computers = Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=domain,DC=com"
foreach ($computer in $computers) {
if (Test-Connection -ComputerName $computer.Name -Count 1 -Quiet) {
Write-Host "Checking $($computer.Name)"
Invoke-Command -ComputerName $computer.Name -ScriptBlock {
Get-ChildItem -Path C:\Users -Recurse -Include "*.encrypted","*.locked" -ErrorAction SilentlyContinue | Select-Object FullName
}
}
}
Identify Ransomware Variant
- Note file extensions used
- Review ransom note content
- Check ID Ransomware (https://id-ransomware.malwarehunterteam.com)
- Search for decryption tools at No More Ransom Project
Determine Entry Point
- Review firewall logs for unauthorized access
- Check VPN logs for suspicious connections
- Review email logs for phishing attempts
- Check RDP logs (Event ID 4624, 4625)
- Review antivirus alerts and quarantine
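The RDP log review listed above (Event ID 4624 and 4625), carried out as an added example that is not part of the original playbook: it flattens the Security events into simple records, groups them by source IP and flags an IP that produced a burst of failed logons followed by a successful remote-interactive logon (type 10), which is the pattern of a brute-forced entry point. The threshold of five failures and the sample records are assumptions; the commented `Get-WinEvent` line shows how to feed real events in.

```powershell
# Added example (not part of the original playbook): summarize RDP logons
# from Security events 4624/4625 so that a brute-force entry point stands out.
# Assumption: "many 4625 failures from one IP, then a 4624 success with
# logon type 10" is what we treat as a likely entry point.

function ConvertTo-LogonRecord {
    # Normalize one Security event (4624 success / 4625 failure) into a flat object.
    param([Parameter(ValueFromPipeline)] $LogRecord)
    process {
        $xml  = [xml]$LogRecord.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $LogRecord.TimeCreated
            EventId   = $LogRecord.Id
            User      = $data['TargetUserName']
            LogonType = [int]$data['LogonType']
            SourceIp  = $data['IpAddress']
        }
    }
}

function Find-RdpEntryPoint {
    # Group logon records by source IP and report failures, successes and how
    # many failures preceded the first success from that IP.
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $FailureThreshold = 5
    )
    $Records |
        Where-Object { $_.LogonType -eq 10 -and $_.SourceIp -and $_.SourceIp -ne '-' } |
        Group-Object SourceIp |
        ForEach-Object {
            $sorted   = $_.Group | Sort-Object Time
            $success  = $sorted | Where-Object EventId -eq 4624 | Select-Object -First 1
            $failures = @($sorted | Where-Object EventId -eq 4625)
            $before   = if ($success) { @($failures | Where-Object { $_.Time -lt $success.Time }).Count } else { 0 }
            [pscustomobject]@{
                SourceIp              = $_.Name
                Failures              = $failures.Count
                Successes             = @($sorted | Where-Object EventId -eq 4624).Count
                FirstSuccess          = if ($success) { $success.Time } else { $null }
                FailuresBeforeSuccess = $before
                Suspicious            = ($before -ge $FailureThreshold)
            }
        } | Sort-Object Suspicious, Failures -Descending
}

# Live use: pull the last 7 days of 4624/4625 from the Security log.
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=(Get-Date).AddDays(-7)} |
#     ConvertTo-LogonRecord | Find-RdpEntryPoint | Format-Table

# Offline run on constructed records (sample data, not from any real system).
$base   = Get-Date '2024-01-01 02:00'
$sample = @()
foreach ($n in 1..8) {
    $sample += [pscustomobject]@{ Time = $base.AddSeconds($n); EventId = 4625; User = 'administrator'; LogonType = 10; SourceIp = '203.0.113.10' }
}
$sample += [pscustomobject]@{ Time = $base.AddSeconds(9); EventId = 4624; User = 'administrator'; LogonType = 10; SourceIp = '203.0.113.10' }
$sample += [pscustomobject]@{ Time = $base.AddHours(7);   EventId = 4624; User = 'jsmith';        LogonType = 10; SourceIp = '10.0.0.25' }
Find-RdpEntryPoint -Records $sample | Format-Table -AutoSize
```

On the sample data 203.0.113.10 is reported as Suspicious (eight failures, then a success nine seconds later) while 10.0.0.25 is a plain successful logon. Run it against the domain controllers and any internet-facing RDP host, not only the encrypted machine, since the entry point is often not the first system to show a ransom note.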
Eradication
Remove Malware
# Scan with multiple tools
# Run in Safe Mode with Networking
# Microsoft Defender Offline Scan
Start-MpWDOScan
# Malwarebytes scan
& "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe" /start
# Additional scans with Kaspersky, Bitdefender, etc.
Clean Persistence Mechanisms
# Check scheduled tasks
Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"} | Select TaskName, TaskPath, State
# Check startup items
Get-CimInstance Win32_StartupCommand | Select Name, Command, Location
# Check services
Get-Service | Where-Object {$_.StartType -eq "Automatic" -and $_.Status -eq "Running"} | Select Name, DisplayName
# Check Run keys
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Recovery
Restore from Backup (If Available)
- Verify backup integrity before restoring
- Restore to isolated network segment first
- Scan restored systems before reconnecting
- Verify no re-infection occurs
Rebuild Systems (If No Clean Backup)
- Format and reinstall operating system
- Apply all patches before connecting to network
- Restore data from clean backups only
- Change all passwords
Restore Services
# Bring systems back online gradually
# Start with critical infrastructure
# Monitor for any signs of re-infection
# Re-enable network adapters
Get-NetAdapter | Enable-NetAdapter
# Re-enable user accounts
Enable-ADAccount -Identity username
# Restore normal firewall rules
Post-Incident
Document Everything
- Timeline of events
- Systems affected
- Actions taken
- Data lost
- Recovery time
- Costs incurred
Lessons Learned
- How did they get in?
- What controls failed?
- What worked well?
- What needs improvement?
Preventative Measures
- Implement or improve backup strategy
- Deploy EDR solution
- Implement application whitelisting
- Disable unnecessary services (RDP, SMB)
- Implement MFA everywhere
- Security awareness training
- Regular backup testing
Phishing Incident Response
Detection and Analysis
User Reports Suspicious Email
1. Do NOT click links or open attachments
2. Obtain copy of email with full headers
3. Verify if other users received same email
Extract Email Headers
Outlook: File > Properties > Internet Headers
Gmail: Show Original
O365: View > Message Source
Analyze Headers
# Check for spoofing
# Look for mismatches between:
# - From address vs Reply-To
# - Envelope sender vs header sender
# - Return-Path vs From
# Key headers to review:
Received: # Trace email path
From: # Sender (can be forged)
Return-Path: # Actual sender
Reply-To: # Where replies go
Authentication-Results: # SPF/DKIM/DMARC results
Analyze Links
# Extract links without clicking
# Use URL analysis tools:
# - VirusTotal
# - URLScan.io
# - ANY.RUN sandbox
# Check for common phishing indicators:
# - Shortened URLs
# - Misspelled domains (goog1e.com)
# - Unusual TLDs
# - IP addresses instead of domains
Containment
If Email Widely Distributed
Create Mail Flow Rule to Delete
# O365/Exchange Online
New-TransportRule -Name "Block Phishing Email" `
-SubjectContainsWords "Urgent: Account Verification Required" `
-DeleteMessage $true `
-Comments "Phishing campaign - delete immediately"
Search for Email Across Organization
# O365 Security & Compliance Center
# Content Search > New Search
# Query: subject:"Urgent Account Verification"
# Review results before deletion
Delete from All Mailboxes
# After creating search, use Search-Mailbox
Search-Mailbox -Identity user@domain.com -SearchQuery 'Subject:"Phishing Subject"' -DeleteContent
If User Clicked Link
Isolate user’s computer
# Disable network
Disable-NetAdapter -Name "Ethernet" -Confirm:$false
Change user's password immediately
Set-ADAccountPassword -Identity username -Reset
Set-ADUser -Identity username -ChangePasswordAtLogon $true
Revoke active sessions
# O365
Get-MsolUser -UserPrincipalName user@domain.com | Revoke-MsolUserAllRefreshToken
# Or force sign-out in Azure AD
If User Entered Credentials
- Reset password immediately
- Enable MFA if not already active
- Review account activity
# O365 audit log
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
-UserIds user@domain.com -Operations UserLoggedIn, MailItemsAccessed
Check for mailbox rules
Get-InboxRule -Mailbox user@domain.com | Where-Object {$_.RedirectTo -ne $null -or $_.ForwardTo -ne $null}
Check for mail forwarding
Get-Mailbox user@domain.com | Select ForwardingAddress, ForwardingSmtpAddress
Investigation
Determine Impact
- How many users received the email?
- How many clicked the link?
- How many entered credentials?
- Was malware downloaded?
- Did attackers access any accounts?
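The header and link checks described under "Analyze Headers" and "Analyze Links" in the detection phase above, written out as an added example that is not part of the original playbook. It unfolds the raw header block, compares the From, Reply-To and Return-Path domains, reads the SPF/DKIM/DMARC verdicts from Authentication-Results, and extracts every URL from the body to flag IP-literal hosts, known URL shorteners and digit-for-letter look-alike hosts. The sample message, the shortener list and the look-alike heuristic are assumptions.

```powershell
# Added example (not part of the original playbook): parse a raw header block
# and the message body, then flag the spoofing and link indicators listed
# under "Analyze Headers" and "Analyze Links". The sample message below is
# constructed; the URL-shortener list is an assumption, extend it as needed.

function Get-HeaderValue {
    # Return the value of one header, unfolding continuation lines (RFC 5322 folding).
    param([string] $RawHeaders, [string] $Name)
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $pattern  = '^(?i)' + [regex]::Escape($Name) + ':\s*(.*)$'
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match $pattern) { return $Matches[1].Trim() }
    }
    return $null
}

function Get-AddressDomain {
    # Pull the domain out of "Display Name <user@domain>" or a bare address.
    param([string] $Value)
    if ($Value -match '<?([^\s<>@]+)@([^\s<>]+)>?') { return $Matches[2].ToLower() }
    return $null
}

function Test-PhishingHeaders {
    param([Parameter(Mandatory)] [string] $RawHeaders)
    $from   = Get-AddressDomain (Get-HeaderValue $RawHeaders 'From')
    $reply  = Get-AddressDomain (Get-HeaderValue $RawHeaders 'Reply-To')
    $return = Get-AddressDomain (Get-HeaderValue $RawHeaders 'Return-Path')
    $auth   = Get-HeaderValue $RawHeaders 'Authentication-Results'
    $findings = @()
    if ($reply  -and $reply  -ne $from) { $findings += "Reply-To domain ($reply) differs from From ($from)" }
    if ($return -and $return -ne $from) { $findings += "Return-Path domain ($return) differs from From ($from)" }
    foreach ($mech in 'spf', 'dkim', 'dmarc') {
        # Anything other than "pass" is worth a look; "none" means the check could not be done.
        if ($auth -match "(?i)\b$mech=(\w+)" -and $Matches[1] -ne 'pass') { $findings += "$mech=$($Matches[1])" }
    }
    return $findings
}

function Test-PhishingLinks {
    param([Parameter(Mandatory)] [string] $Body)
    $shorteners = 'bit.ly', 'tinyurl.com', 't.co', 'goo.gl'    # assumption: common shortener hosts
    $findings = @()
    foreach ($m in [regex]::Matches($Body, 'https?://[^\s"''<>]+')) {
        $uri = [uri]$m.Value
        $reasons = @()
        if ($uri.HostNameType -eq 'IPv4' -or $uri.HostNameType -eq 'IPv6') { $reasons += 'IP address instead of domain' }
        if ($shorteners -contains $uri.Host.ToLower())                     { $reasons += 'shortened URL' }
        if ($uri.Host -match '^[^.]*[a-z][0-9][a-z]')                       { $reasons += 'digit inside a word (possible look-alike domain)' }
        if ($reasons) { $findings += [pscustomobject]@{ Url = $m.Value; Reasons = ($reasons -join '; ') } }
    }
    return $findings
}

# Constructed sample message (not a real email).
$headers = @"
Return-Path: <bounce@mail-relay.example.net>
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: verify@example-support.biz
Subject: Urgent: Account Verification Required
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none; dmarc=fail header.from=example.com
"@
$body = 'Confirm now: http://198.51.100.7/login or https://goog1e-verify.example/account'

Test-PhishingHeaders -RawHeaders $headers
Test-PhishingLinks -Body $body | Format-Table -AutoSize
```

For the sample message the header check reports the Reply-To and Return-Path mismatches plus spf=fail, dkim=none and dmarc=fail, and both URLs are flagged. Paste the headers obtained in the "Extract Email Headers" step into `$headers`; the URLs are only parsed, never requested, so this is safe to run on the analyst workstation.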
Review Logs
# Web proxy logs (if available)
# Look for connections to malicious domain
# Firewall logs
# Check for outbound connections to C2 servers
# Antivirus logs
# Check for malware downloads/blocks
# Authentication logs
# Look for suspicious login attempts
Eradication
Remove Malicious Emails
# Use compliance search and purge
# O365 Security & Compliance Center
Remove Malware (If Downloaded)
# Run full antivirus scan
Start-MpScan -ScanType FullScan
# Check for persistence
Get-ScheduledTask | Where-Object Author -ne "Microsoft"
Remove Attacker Access
- Reset compromised passwords
- Revoke sessions
- Remove mailbox rules
- Disable forwarding
- Review app permissions
Recovery
Restore Normal Operations
# Re-enable network access
Enable-NetAdapter -Name "Ethernet"
# Remove transport rule blocking emails
Remove-TransportRule -Identity "Block Phishing Email"
User Communication
- Inform affected users
- Provide guidance on spotting phishing
- Remind to report suspicious emails
Post-Incident
User Training
- Schedule security awareness training
- Use actual phishing email as example
- Test with simulated phishing campaigns
Technical Controls
- Implement DMARC
- Enable Advanced Threat Protection
- Configure link wrapping/safe links
- Block dangerous file attachments
- Implement email filtering rules
Account Compromise
Detection and Analysis
Indicators
- Impossible travel (logins from distant locations)
- Login from unfamiliar IP addresses
- Login outside business hours
- Mailbox rules created automatically
- Mass emails sent from account
- Password reset requests user didn’t make
- MFA fatigue attacks
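The first three indicators above (impossible travel, unfamiliar IP, login outside business hours), turned into a check as an added example that is not part of the original playbook. It walks each user's sign-ins in time order, computes the great-circle distance between consecutive sign-ins from different IPs and flags any pair that would require travelling faster than 900 km/h, and separately flags sign-ins outside 07:00-19:00. The speed threshold, the business-hours window, and the sample records with their coordinates are assumptions; in live use build the records from the sign-in log export, which carries IP and location per event.

```powershell
# Added example (not part of the original playbook): flag impossible travel
# and out-of-hours sign-ins in a set of sign-in records. The records below are
# constructed; in live use build them from Get-AzureADAuditSignInLogs (or the
# sign-in CSV export), which already carries IP and location per event.
# Assumptions: 900 km/h as the "faster than a plane" threshold and 07:00-19:00
# local time as business hours.

function Get-DistanceKm {
    # Great-circle distance between two coordinates (haversine formula).
    param([double] $Lat1, [double] $Lon1, [double] $Lat2, [double] $Lon2)
    $r    = 6371.0
    $dLat = ($Lat2 - $Lat1) * [math]::PI / 180
    $dLon = ($Lon2 - $Lon1) * [math]::PI / 180
    $a = [math]::Sin($dLat / 2) * [math]::Sin($dLat / 2) +
         [math]::Cos($Lat1 * [math]::PI / 180) * [math]::Cos($Lat2 * [math]::PI / 180) *
         [math]::Sin($dLon / 2) * [math]::Sin($dLon / 2)
    return 2 * $r * [math]::Asin([math]::Sqrt($a))
}

function Find-SuspiciousSignIns {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [double] $MaxSpeedKmh = 900,
        [int] $BusinessStart = 7,
        [int] $BusinessEnd = 19
    )
    $alerts = @()
    foreach ($group in ($SignIns | Group-Object User)) {
        $prev = $null
        foreach ($s in ($group.Group | Sort-Object Time)) {
            if ($s.Time.Hour -lt $BusinessStart -or $s.Time.Hour -ge $BusinessEnd) {
                $alerts += [pscustomobject]@{ User = $s.User; Time = $s.Time; Ip = $s.Ip; Reason = 'outside business hours' }
            }
            if ($prev -and $prev.Ip -ne $s.Ip) {
                $km    = Get-DistanceKm $prev.Lat $prev.Lon $s.Lat $s.Lon
                $hours = ($s.Time - $prev.Time).TotalHours
                if ($hours -gt 0 -and ($km / $hours) -gt $MaxSpeedKmh) {
                    $alerts += [pscustomobject]@{
                        User   = $s.User; Time = $s.Time; Ip = $s.Ip
                        Reason = ('impossible travel: {0:N0} km from {1} in {2:N1} h' -f $km, $prev.Ip, $hours)
                    }
                }
            }
            $prev = $s
        }
    }
    return $alerts
}

# Constructed sample: a normal office sign-in, then one from another continent 40 minutes later.
$signIns = @(
    [pscustomobject]@{ User = 'jsmith@domain.com'; Time = Get-Date '2024-03-04 09:10'; Ip = '198.51.100.20'; Lat = 40.71; Lon = -74.01 }   # New York
    [pscustomobject]@{ User = 'jsmith@domain.com'; Time = Get-Date '2024-03-04 09:50'; Ip = '203.0.113.55';  Lat = 52.52; Lon = 13.41 }    # Berlin
    [pscustomobject]@{ User = 'jsmith@domain.com'; Time = Get-Date '2024-03-04 23:30'; Ip = '203.0.113.55';  Lat = 52.52; Lon = 13.41 }
    [pscustomobject]@{ User = 'adoe@domain.com';   Time = Get-Date '2024-03-04 10:00'; Ip = '198.51.100.21'; Lat = 40.71; Lon = -74.01 }
)
Find-SuspiciousSignIns -SignIns $signIns | Format-Table -AutoSize
```

On the sample data jsmith gets two alerts: the 09:50 Berlin sign-in (about 6,400 km from New York in 0.7 h) and the 23:30 sign-in outside business hours; adoe gets none. Known VPN egress points will trip the travel check, so keep an allow-list of corporate IPs before acting on a hit.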
Check Recent Activity
# O365 audit logs
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
-UserIds user@domain.com `
-ResultSize 5000 | Export-Csv -Path audit.csv
# Check sign-in logs
Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq 'user@domain.com'" | Select CreatedDateTime, IpAddress, Location, Status
Immediate Containment
Within 5 Minutes
Reset password
Set-ADAccountPassword -Identity username -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "TempPassword123!" -Force)
Set-ADUser -Identity username -ChangePasswordAtLogon $true
Revoke all sessions
Revoke-MsolUserAllRefreshToken -UserPrincipalName user@domain.com
Disable account temporarily (optional)
Disable-ADAccount -Identity username
Investigation
Check for Malicious Activity
Inbox rules
Get-InboxRule -Mailbox user@domain.com | Format-List Name, Description, Enabled, ForwardTo, RedirectTo
Mail forwarding
Get-Mailbox user@domain.com | Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Sent items
# Check for mass mailings
# Double quotes are required so the date subexpression is expanded (it is not inside single quotes)
Search-Mailbox -Identity user@domain.com -SearchQuery "sent>=$((Get-Date).AddDays(-7).ToString('yyyy-MM-dd'))" -TargetMailbox admin@domain.com -TargetFolder "Investigation"
App permissions
# Check for OAuth app consents
Get-AzureADUser -ObjectId user@domain.com | Get-AzureADUserOAuth2PermissionGrant
Eradication
Remove Attacker Access
# Remove inbox rules
Get-InboxRule -Mailbox user@domain.com | Remove-InboxRule -Confirm:$false
# Remove forwarding
Set-Mailbox user@domain.com -ForwardingAddress $null -ForwardingSmtpAddress $null
# Remove suspicious app permissions
Remove-AzureADOAuth2PermissionGrant -ObjectId "<grant-id>"   # ObjectId of the suspicious grant
Check for Lateral Movement
# Check if account accessed other systems
# Review file server access logs
# Check administrative actions
# -StartDate and -EndDate are mandatory for Search-UnifiedAuditLog
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -Operations FileAccessed,FileSyncDownloadedFull -UserIds user@domain.com
Recovery
Re-enable Account
Enable-ADAccount -Identity username
# Enable MFA
# The requirement object must have RelyingParty and State set, or MFA is not actually enforced
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = "*"
$mfa.State = "Enabled"
Set-MsolUser -UserPrincipalName user@domain.com -StrongAuthenticationRequirements @($mfa)
Monitor for Re-compromise
- Watch for unusual login patterns
- Alert on password changes
- Monitor inbox rule creation
Post-Incident
Document
- How was account compromised?
- What did attacker access?
- Data exfiltration occurred?
- Other accounts affected?
Preventative Measures
- Enforce MFA organization-wide
- Implement conditional access policies
- Deploy password protection (Azure AD)
- Regular security awareness training
- Monitor for suspicious activity
Malware Outbreak
Detection and Analysis
Indicators
- Antivirus alerts across multiple systems
- Unusual CPU/network usage
- Systems behaving abnormally
- Files being modified/deleted
- Network traffic to unknown IPs
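The alert triage that follows (collect AV alerts, identify the common signature, find patient zero), as an added example that is not part of the original playbook. It groups alerts by threat name, counts affected hosts, and reports the earliest detection per threat along with the order in which hosts were hit. The sample alerts are constructed; the commented collection sketch using `Get-MpThreatDetection` is an assumption about how you gather them.

```powershell
# Added example (not part of the original playbook): triage AV alerts from
# many systems to find the common signature and patient zero. The alerts
# below are constructed; in live use feed in Defender detections, e.g. from
# Get-MpThreatDetection on each host or an export from your AV console.

function Get-OutbreakTriage {
    # For each threat name: how many hosts, first seen where and when, and the spread order.
    param([Parameter(Mandatory)] [object[]] $Alerts)
    $Alerts | Group-Object Threat | ForEach-Object {
        $ordered = @($_.Group | Sort-Object Time)
        $first   = $ordered[0]
        # Select-Object -Unique keeps first-occurrence order, so this is the spread sequence.
        $hosts   = @($ordered.Computer | Select-Object -Unique)
        [pscustomobject]@{
            Threat      = $_.Name
            Hosts       = $hosts.Count
            PatientZero = $first.Computer
            FirstSeen   = $first.Time
            Spread      = ($hosts -join ' -> ')
        }
    } | Sort-Object Hosts -Descending
}

# Live collection sketch (assumption): one record per detection per host.
# $alerts = Invoke-Command -ComputerName $hosts -ScriptBlock {
#     Get-MpThreatDetection | ForEach-Object {
#         [pscustomobject]@{ Computer = $env:COMPUTERNAME; Threat = $_.ThreatID; Time = $_.InitialDetectionTime }
#     }
# }

# Constructed sample alerts (not from any real environment).
$alerts = @(
    [pscustomobject]@{ Computer = 'WS-0142'; Threat = 'Trojan:Win32/Sample.A'; Time = Get-Date '2024-05-06 08:02' }
    [pscustomobject]@{ Computer = 'WS-0077'; Threat = 'Trojan:Win32/Sample.A'; Time = Get-Date '2024-05-06 08:15' }
    [pscustomobject]@{ Computer = 'FS-01';   Threat = 'Trojan:Win32/Sample.A'; Time = Get-Date '2024-05-06 08:21' }
    [pscustomobject]@{ Computer = 'WS-0077'; Threat = 'Trojan:Win32/Sample.A'; Time = Get-Date '2024-05-06 09:40' }
    [pscustomobject]@{ Computer = 'WS-0200'; Threat = 'PUA:Win32/Unrelated';   Time = Get-Date '2024-05-06 07:30' }
)
Get-OutbreakTriage -Alerts $alerts | Format-List
```

On the sample data Trojan:Win32/Sample.A is reported on three hosts with WS-0142 as patient zero and the spread WS-0142 -> WS-0077 -> FS-01; the unrelated PUA alert is listed separately so it does not distract from the outbreak. Clock skew between hosts can reorder the spread, so confirm patient zero against the host's own event log before treating it as the entry point.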
Triage Alerts
# Collect AV alerts from all systems
# Identify common malware signature
# Determine patient zero (first infected system)
Containment
Isolate Affected Systems
# Disconnect from network
Disable-NetAdapter -Name * -Confirm:$false
# Or use network segmentation
# Move to quarantine VLAN
Prevent Spread
# Block malware hash at firewall
# Block C2 domain/IP at DNS/firewall
# Deploy AV signature updates
# Create GPO to block execution
# If malware in specific location:
New-GPO -Name "Block Malware Path" | Set-GPRegistryValue -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" -ValueName DefaultLevel -Type DWORD -Value 0
Eradication
Remove Malware
# Boot to safe mode
# {current} must be quoted in PowerShell, otherwise the braces are parsed as a script block
bcdedit /set '{current}' safeboot minimal
# Run full scans with multiple tools
Start-MpScan -ScanType FullScan
# Remove persistence mechanisms
# Check Task Scheduler, Services, Run keys
Rebuild If Necessary
# For severe infections, rebuild from known-good image
# Restore data from clean backups only
Recovery
Bring Systems Back Online
- Scan before reconnecting
- Monitor for re-infection
- Patch vulnerabilities exploited
Post-Incident
Root Cause Analysis
- How did malware enter network?
- Why didn’t AV detect it initially?
- What controls failed?
Improvements
- Update AV signatures
- Patch systems
- Implement application whitelisting
- Network segmentation
- Endpoint detection and response (EDR)
Data Breach
Detection and Analysis
Indicators
- Unusual data access patterns
- Large file downloads
- Data copied to external media
- Cloud storage uploads
- Email with sensitive attachments to external addresses
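The first two indicators above (unusual data access patterns, large downloads) expressed as a detection over Security event 4663, as an added example that is not part of the original playbook. It flattens each event into user, object and time, then slides a time window over each user's accesses and reports the first window in which the number of distinct files crosses a threshold. The threshold of 200 files in 10 minutes and the sample events are assumptions; the commented `Get-WinEvent` line shows how to feed in real events.

```powershell
# Added example (not part of the original playbook): turn Security event 4663
# (object access) into per-user access counts and flag users who touched an
# unusually large number of distinct files in a short window, which is the
# "unusual data access pattern" indicator above. Sample events are constructed.
# Assumption: 200 distinct files in 10 minutes is the threshold; tune it.

function ConvertFrom-Event4663 {
    # Flatten a 4663 EventLogRecord into Time / User / Object.
    param([Parameter(ValueFromPipeline)] $LogRecord)
    process {
        $xml = [xml]$LogRecord.ToXml()
        $d = @{}
        foreach ($e in $xml.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{ Time = $LogRecord.TimeCreated; User = $d['SubjectUserName']; Object = $d['ObjectName'] }
    }
}

function Find-MassFileAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Accesses,
        [int] $Threshold = 200,
        [int] $WindowMinutes = 10
    )
    $hits = @()
    foreach ($g in ($Accesses | Group-Object User)) {
        $events = @($g.Group | Sort-Object Time)
        $start  = 0
        for ($i = 0; $i -lt $events.Count; $i++) {
            # Slide the window start forward until it is within WindowMinutes of event i.
            while (($events[$i].Time - $events[$start].Time).TotalMinutes -gt $WindowMinutes) { $start++ }
            $distinct = @($events[$start..$i].Object | Select-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                $hits += [pscustomobject]@{
                    User = $g.Name; WindowStart = $events[$start].Time; WindowEnd = $events[$i].Time; DistinctFiles = $distinct
                }
                break   # one finding per user is enough for triage
            }
        }
    }
    return $hits
}

# Live use:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=(Get-Date).AddDays(-1)} |
#     ConvertFrom-Event4663 | Find-MassFileAccess -Threshold 200 | Format-Table

# Constructed sample: one user reads 250 distinct files in about four minutes, another reads 3 files.
$t0 = Get-Date '2024-06-10 14:00'
$sample = @()
foreach ($n in 1..250) { $sample += [pscustomobject]@{ Time = $t0.AddSeconds($n); User = 'contractor1'; Object = "\\FS-01\Finance\report_$($n).xlsx" } }
foreach ($n in 1..3)   { $sample += [pscustomobject]@{ Time = $t0.AddMinutes($n); User = 'jsmith';      Object = "\\FS-01\Finance\budget_$($n).xlsx" } }
Find-MassFileAccess -Accesses $sample | Format-Table -AutoSize
```

On the sample data contractor1 is reported with a 200-file window starting at 14:00:01, and jsmith is not. Event 4663 only exists where object access auditing (SACLs) is configured on the sensitive folders, so check that the audit policy is in place before relying on this during an incident.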
Investigate
# Check file access logs
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4663]]" | Where-Object {$_.Message -like "*sensitive_folder*"}
# Check for data exfiltration
# -EndDate is mandatory alongside -StartDate
Search-UnifiedAuditLog -Operations FileDownloaded,FileSyncDownloadedFull -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)
Containment
Stop Data Flow
- Disable compromised accounts
- Block file transfers
- Revoke external access
- Block upload to cloud storage
Investigation
Determine Scope
- What data was accessed?
- What data was exfiltrated?
- Who had access?
- When did breach occur?
Legal/Compliance
- Notify legal counsel immediately
- Determine breach notification requirements
- Preserve evidence for investigation
Eradication
Remove Attacker Access
- Change all passwords
- Review and remove unauthorized access
- Close security gaps
Recovery
Restore Normal Operations
- Implement additional monitoring
- Regular access reviews
Post-Incident
Required Actions
- Breach notification (if required by law)
- Credit monitoring for affected individuals
- Public disclosure (if required)
Prevent Recurrence
- Data Loss Prevention (DLP) solution
- Access controls and least privilege
- Data classification
- Encryption for sensitive data
- Regular access audits