| Phase | Action |
|-------|--------|
| Preparation | • Maintain up‑to‑date YARA rules and IOC feeds. • Ensure backups are immutable and tested. |
| Identification | • Alert triggered by AV, EDR, or SIEM (see detection rules). • Verify the hash, file path, and process tree. |
| Containment | • Isolate the host. • Block associated C2 IPs/domains at the firewall. |
| Eradication | • Delete malicious files and registry entries. • Run a second‑stage scan (e.g., Microsoft Safety Scanner). |
| Recovery | • Reboot into a clean OS image (if possible). • Re‑enable network access after confirming a clean state. |
| Lessons Learned | • Update the IOC list (hashes, domains, file paths). • Review why the file was allowed (e.g., email filter bypass). • Adjust policies/training accordingly. |
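The Identification, Containment and Lessons Learned rows above describe a triage loop that is easy to get wrong by trusting the alert's own hash or by adding unconfirmed indicators to the feed. The following Python script is an added example, not part of the original playbook: it recomputes the hash from the quarantined bytes, matches path and network connections against an IOC feed, derives the isolate/block actions, and folds the newly verified hash back into the feed. The alert record, the feed contents, the host name and every hash, path, domain and IP are constructed placeholders (documentation ranges and `.invalid` names); the field layout of the alert is an assumption, not any specific EDR's schema.

```python
import hashlib
import ipaddress

# Constructed sample payload standing in for the quarantined file.
SAMPLE_PAYLOAD = b"constructed sample payload, not real malware"


def sha256_hex(data: bytes) -> str:
    """Recompute SHA-256 so the hash in the alert is verified, not trusted."""
    return hashlib.sha256(data).hexdigest()


# Constructed IOC feed. The hash listed is an earlier "variant", so the sample
# alert below carries a hash the feed has not seen yet; the path and C2 have.
IOC_FEED = {
    "sha256": {sha256_hex(b"constructed earlier variant")},
    "paths": {r"c:\users\public\update.exe"},
    "domains": {"c2.example.invalid"},
    "cidrs": [ipaddress.ip_network("203.0.113.0/24")],  # RFC 5737 TEST-NET-3
}

# Constructed alert in an assumed EDR/SIEM layout (placeholder values only).
SAMPLE_ALERT = {
    "host": "ws-042",
    "reported_sha256": sha256_hex(SAMPLE_PAYLOAD),
    "file_bytes": SAMPLE_PAYLOAD,  # quarantined copy pulled for verification
    "path": r"C:\Users\Public\update.exe",
    "process_tree": ["explorer.exe", "winword.exe", "update.exe"],
    "connections": [
        {"ip": "203.0.113.17", "domain": "c2.example.invalid"},
        {"ip": "198.51.100.5", "domain": "cdn.example.invalid"},
    ],
}


def identify(alert: dict, feed: dict) -> dict:
    """Identification: verify the hash, then match path and connections against the feed."""
    actual = sha256_hex(alert["file_bytes"])
    hash_verified = actual == alert["reported_sha256"]  # alert integrity check
    findings = {
        "hash_verified": hash_verified,
        "hash_match": hash_verified and actual in feed["sha256"],
        "path_match": alert["path"].lower() in feed["paths"],
        # Parent process kept for the analyst; here winword.exe launched the file.
        "parent": alert["process_tree"][-2] if len(alert["process_tree"]) > 1 else None,
        "c2_ips": [],
        "c2_domains": [],
    }
    for conn in alert["connections"]:
        addr = ipaddress.ip_address(conn["ip"])
        if any(addr in net for net in feed["cidrs"]):
            findings["c2_ips"].append(conn["ip"])
        if conn["domain"].lower() in feed["domains"]:
            findings["c2_domains"].append(conn["domain"])
    return findings


def plan_containment(host: str, findings: dict) -> list:
    """Containment: isolate on a file match, block only the connections that hit the feed."""
    actions = []
    if findings["hash_match"] or findings["path_match"]:
        actions.append(f"isolate host {host}")
    for ip in findings["c2_ips"]:
        actions.append(f"firewall block ip {ip}")
    for dom in findings["c2_domains"]:
        actions.append(f"firewall block domain {dom}")
    return actions


def record_lessons(feed: dict, alert: dict, findings: dict) -> dict:
    """Lessons Learned: add the verified hash and path to a copy of the feed."""
    updated = {k: (set(v) if isinstance(v, set) else list(v)) for k, v in feed.items()}
    if findings["hash_verified"]:  # never feed an unverified hash back into detection
        updated["sha256"].add(alert["reported_sha256"])
    updated["paths"].add(alert["path"].lower())
    return updated


if __name__ == "__main__":
    found = identify(SAMPLE_ALERT, IOC_FEED)
    print("findings:", found)
    print("actions:", plan_containment(SAMPLE_ALERT["host"], found))
    new_feed = record_lessons(IOC_FEED, SAMPLE_ALERT, found)
    print("hash now matches:", identify(SAMPLE_ALERT, new_feed)["hash_match"])
```

On the sample alert the feed does not know the hash, so the decision to isolate rests on the path match and the C2 connection; the benign `cdn.example.invalid` connection is left alone. After `record_lessons` the same alert matches on hash as well, which is the point of the last row: the indicators gathered in one incident become the detection input for the next.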