Incident Response — CyberSOC Playbook

1 IR Lifecycle Overview

The incident response process follows the NIST SP 800-61r3 framework, adapted for Microsoft Defender for Endpoint operations. Each phase builds upon the previous one to ensure systematic and thorough incident handling.

1. Preparation

Establish IR capabilities before incidents occur. Ensure tooling, access, communication channels, and documentation are ready. Validate MDE configurations, Live Response permissions, and API integrations.

2. Detection & Analysis

Identify potential security incidents through MDE alerts, Advanced Hunting queries, and external intelligence. Determine scope, severity, and impact. Correlate indicators across the fleet to build a complete picture.

3. Containment

Limit the blast radius of confirmed incidents. Use MDE device isolation, app restriction, and account disabling to prevent further spread. Balance containment speed with evidence preservation.

4. Eradication

Remove the threat from all affected systems. Eliminate malware, persistence mechanisms, compromised credentials, and attacker footholds. Validate removal through Advanced Hunting queries and AV scans.

5. Recovery

Restore affected systems to normal operation. Release device isolation, remove app restrictions, re-enable accounts, and validate business function. Monitor closely for recurrence during the recovery window.

6. Lessons Learned

Conduct post-incident review within 5 business days. Document root cause, timeline, actions taken, and improvement recommendations. Update playbooks, detection rules, and response procedures based on findings.

2 Preparation

Complete this preparation checklist before any incident occurs to ensure your team can respond effectively. Review quarterly and after every major incident.

3 Detection & Analysis

Use these KQL queries during the initial detection and scoping phase to identify all affected assets, correlate alerts, and understand attacker activity across your environment.

All Alerts for Incident

All Alerts for Incident Scoping

Retrieve all alerts matching a specific search term or MITRE ATT&CK technique. Summarizes affected devices, users, and techniques per alert for rapid incident scoping.

AlertInfo
| where Timestamp > ago(30d)
| join kind=inner AlertEvidence on AlertId
| where Title has "your-search-term" or AttackTechniques has "T1059"
| summarize AlertCount = count(), Devices = make_set(DeviceName),
            Users = make_set(AccountName), Techniques = make_set(AttackTechniques)
    by AlertId, Title, Severity, Category
| sort by Severity asc, AlertCount desc

Expected Output

Table of alerts with associated device names, user accounts, and ATT&CK techniques, sorted by severity for prioritization.

When to Use

At the start of any incident to enumerate all related alerts and quickly determine the scope of affected assets.

Identify All Affected Devices

Identify All Affected Devices Scoping

Given known alert IDs from an incident, identify all unique devices involved and enrich with device metadata including OS version, machine group, and public IP.

let incidentAlerts = AlertEvidence
    | where Timestamp > ago(7d)
    | where AlertId in ("alert-id-1", "alert-id-2")
    | distinct DeviceName, DeviceId;
incidentAlerts
| join kind=leftouter (
    DeviceInfo
    | where Timestamp > ago(1d)
    | summarize arg_max(Timestamp, *) by DeviceId
) on DeviceId
| project DeviceName, DeviceId, OSPlatform, OSVersion,
         MachineGroup, PublicIP, LoggedOnUsers

Expected Output

Enriched device list with OS details, network group, and currently logged-on users for each affected endpoint.

When to Use

After identifying incident alerts, use this to build a complete device inventory for containment planning.

Compromised Account Activity Across Fleet

Compromised Account Activity Across Fleet Investigation

Track a known compromised user account across all devices in the fleet. Shows logon patterns, device spread, and logon types over time to identify lateral movement.

let compromisedUser = "target_username";
DeviceLogonEvents
| where Timestamp > ago(7d)
| where AccountName == compromisedUser
| summarize LogonCount = count(),
            Devices = make_set(DeviceName),
            LogonTypes = make_set(LogonType),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by AccountDomain, AccountName, bin(Timestamp, 1h)
| sort by Timestamp desc

Expected Output

Hourly breakdown of the compromised account's logon activity across the fleet, showing which devices were accessed and what logon methods were used.

When to Use

When a user account is confirmed or suspected to be compromised, use this to map the full extent of the attacker's access.

4 MDE Response Actions

Microsoft Defender for Endpoint provides a comprehensive set of response actions that can be executed through the portal or via the API. Understand the impact level of each action before execution.

Warning

Device isolation and app restriction are high-impact actions. Ensure proper authorization before executing. Always document the justification and get SOC Manager approval for P2+ incidents.

Action	How to Execute	API Endpoint	Impact Level	When to Use
Isolate Device	Device page → Response actions → Isolate device	`POST /api/machines/{id}/isolate`	HIGH Cuts all network except MDE	Confirmed compromise, active C2
Release from Isolation	Device page → Response actions → Release from isolation	`POST /api/machines/{id}/unisolate`	MEDIUM	After containment verified
Restrict App Execution	Device page → Response actions → Restrict app execution	`POST /api/machines/{id}/restrictCodeExecution`	HIGH Only MS-signed can run	Active malware execution
Remove App Restriction	Device page → Response actions → Remove app restriction	`POST /api/machines/{id}/unrestrictCodeExecution`	MEDIUM	After eradication
Run AV Scan (Quick)	Device page → Response actions → Run antivirus scan	`POST /api/machines/{id}/runAntiVirusScan` (Quick)	LOW	Initial response
Run AV Scan (Full)	Device page → Response actions → Run antivirus scan	`POST /api/machines/{id}/runAntiVirusScan` (Full)	MEDIUM	Post-eradication validation
Collect Investigation Package	Device page → Response actions → Collect investigation package	`POST /api/machines/{id}/collectInvestigationPackage`	LOW	Evidence collection
Stop and Quarantine File	File page → Response actions → Stop and quarantine	`POST /api/files/{sha1}/StopAndQuarantineFile`	HIGH Removes file fleet-wide	Confirmed malicious file
Initiate Live Response	Device page → Response actions → Initiate live response session	Portal-based + API	VARIES	Forensic investigation

5 Live Response Commands

Live Response provides a remote shell to affected endpoints for forensic investigation and remediation. Commands are split into basic (available to all Live Response users) and advanced (requires elevated permissions).

Basic Commands

Command	Syntax	Use Case	Example
`dir`	`dir C:\path`	List directory contents	`dir C:\Users\Public\Downloads`
`findfile`	`findfile <filename>`	Locate files by name	`findfile mimikatz.exe`
`getfile`	`getfile <filepath>`	Download file for analysis	`getfile C:\Windows\Temp\payload.exe`
`processes`	`processes`	List running processes	Identify suspicious processes
`connections`	`connections`	Show active network connections	Identify C2 connections
`persistence`	`persistence`	Show persistence mechanisms	Check for attacker footholds
`registry`	`registry <key>`	Read registry values	`registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
`scheduledtasks`	`scheduledtasks`	List all scheduled tasks	Identify malicious tasks
`services`	`services`	List all services	Identify rogue services
`fileinfo`	`fileinfo <filepath>`	Get file metadata and hash	`fileinfo C:\Windows\System32\svchost.exe`
`startupfolders`	`startupfolders`	Show startup folder contents	Check persistence
`trace`	`trace`	Enable diagnostic logging	Debug Live Response issues

Advanced Commands

Permission Required

Advanced Live Response commands require the Live Response (Advanced) permission role. Ensure your account has been granted this access before attempting these commands.

Command	Syntax	Use Case	Required Permissions
`run`	`run <script.ps1>`	Execute PS1 from library	Live Response (Advanced)
`putfile`	`putfile <filename>`	Upload file to device	Live Response (Advanced)
`remediate`	`remediate file <path>`	Quarantine a file	Live Response (Advanced)
`undo`	`undo file <path>`	Restore quarantined file	Live Response (Advanced)
`analyze`	`analyze file <path>`	Submit for deep analysis	Live Response (Advanced)

6 KQL Queries for IR Scenarios

Scenario-specific KQL queries organized by attack type. These queries are designed for use during active incident investigations in MDE Advanced Hunting.

Ransomware Detection Queries

Mass File Encryption Detection Critical

Detect processes performing a high volume of file modifications or renames within a short timeframe, which is a primary indicator of ransomware encryption activity.

DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType in ("FileModified", "FileRenamed")
| summarize FileCount = count(),
            UniqueExtensions = dcount(FileName),
            SampleFiles = make_set(FileName, 5)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine
| where FileCount > 100
| sort by FileCount desc

Expected Output

Processes with unusually high file modification counts, sorted by volume. FileCount above 100 in 1 hour strongly indicates encryption activity.

Ransomware Note Detection Critical

Identify creation of ransom note files by matching common ransomware note naming patterns and file extensions.

DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FileName matches regex @"(?i)(readme|decrypt|restore|recover|ransom|how_to|help_decrypt|!readme)\.(txt|html|hta)"
| project Timestamp, DeviceName, FolderPath, FileName,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

Expected Output

List of ransom note files with full paths, creation times, and the process that created them.

Shadow Copy Deletion Detection Critical

Detect attempts to delete volume shadow copies or disable recovery options, a common ransomware pre-encryption technique (MITRE T1490).

DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName == "vssadmin.exe" and ProcessCommandLine has "delete shadows")
    or (FileName == "wmic.exe" and ProcessCommandLine has "shadowcopy delete")
    or (FileName == "bcdedit.exe" and ProcessCommandLine has "recoveryenabled" and ProcessCommandLine has "no")
    or (FileName == "wbadmin.exe" and ProcessCommandLine has "delete" and ProcessCommandLine has "backup")
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, AccountName

Expected Output

Any commands attempting to destroy backup and recovery capabilities, with full process lineage and responsible user account.

Identify Encryption Process Investigation

Identify the specific process responsible for mass file operations by aggregating file events into 5-minute bins. Helps pinpoint the encryption binary.

DeviceFileEvents
| where Timestamp > ago(2h)
| where ActionType in ("FileModified", "FileRenamed", "FileCreated")
| summarize FileOperations = count() by DeviceName, InitiatingProcessFileName,
            InitiatingProcessId, bin(Timestamp, 5m)
| where FileOperations > 50
| sort by FileOperations desc
| take 20

Expected Output

Top 20 processes by file operation count in 5-minute windows. The encryption binary will show dramatically higher counts than normal processes.

Lateral Movement Detection Queries

Remote Service Creation (PsExec) Investigation

Detect remote service creation typically used by PsExec and similar lateral movement tools. Processes spawned by services.exe or wmiprvse.exe on remote systems indicate potential lateral movement (MITRE T1021.002).

DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("services.exe", "wmiprvse.exe")
| where FileName != "svchost.exe"
| where ProcessCommandLine != ""
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, AccountName
| sort by Timestamp desc

Expected Output

Non-standard processes launched by services.exe or WMI, indicating remote execution on target systems.

WMI Remote Execution Investigation

Identify processes launched remotely via WMI (MITRE T1047). Filters out legitimate WMI child processes to focus on suspicious remote executions.

DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "wmiprvse.exe"
| where FileName !in ("WmiApSrv.exe", "WmiPrvSE.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
         AccountName, InitiatingProcessCommandLine
| sort by Timestamp desc

Expected Output

Processes spawned by WMI provider that are not standard WMI components, indicating potential remote code execution.

RDP Lateral Movement Investigation

Detect excessive RDP logons with local administrator privileges, which may indicate lateral movement using stolen credentials (MITRE T1021.001).

DeviceLogonEvents
| where Timestamp > ago(7d)
| where LogonType == "RemoteInteractive"
| where IsLocalAdmin == true
| summarize RDPCount = count(),
            SourceDevices = make_set(RemoteDeviceName),
            Accounts = make_set(AccountName)
    by DeviceName, bin(Timestamp, 1h)
| where RDPCount > 3
| sort by RDPCount desc

Expected Output

Devices receiving multiple admin RDP sessions per hour, with source device and account details for pivot analysis.

Pass-the-Hash Detection Critical

Detect potential Pass-the-Hash attacks by identifying high volumes of NTLM network logons with admin privileges from single accounts (MITRE T1550.002).

DeviceLogonEvents
| where Timestamp > ago(7d)
| where LogonType == "Network"
| where Protocol == "NTLM"
| where IsLocalAdmin == true
| summarize NTLMCount = count(),
            SourceDevices = make_set(RemoteDeviceName),
            TargetDevices = make_set(DeviceName)
    by AccountName, bin(Timestamp, 1h)
| where NTLMCount > 5
| sort by NTLMCount desc

Expected Output

Accounts performing high-frequency NTLM authentications across multiple devices, a strong indicator of credential reuse via hash-based attacks.

SMB Lateral Scanning Investigation

Detect devices scanning for SMB (port 445) targets, which often precedes lateral movement via PsExec, WMI, or direct file copy operations.

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
| summarize TargetCount = dcount(RemoteIP),
            Targets = make_set(RemoteIP, 20)
    by DeviceName, InitiatingProcessFileName, bin(Timestamp, 15m)
| where TargetCount > 5
| sort by TargetCount desc

Expected Output

Devices connecting to many unique SMB targets in short time windows, with the initiating process and target IP addresses.

Data Exfiltration Detection Queries

Large Outbound Data Transfers Critical

Detect large volumes of data being sent to public IP addresses. Threshold set at 100 MB to reduce noise while catching significant data transfers (MITRE T1041).

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| summarize TotalBytesSent = sum(SentBytes),
            ConnectionCount = count(),
            RemotePorts = make_set(RemotePort)
    by DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName
| where TotalBytesSent > 104857600 // 100 MB
| sort by TotalBytesSent desc
| extend TotalMB = round(TotalBytesSent / 1048576.0, 2)

Expected Output

Outbound connections exceeding 100 MB with destination IP, URL, total data volume in MB, and the responsible process.

Cloud Storage Upload Detection Investigation

Identify connections to known cloud storage and file sharing services that may be used for data exfiltration (MITRE T1567.002).

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any ("dropbox.com", "drive.google.com", "onedrive.live.com",
    "mega.nz", "wetransfer.com", "sendspace.com", "mediafire.com", "box.com")
| summarize ConnectionCount = count(),
            BytesSent = sum(SentBytes),
            Devices = make_set(DeviceName)
    by RemoteUrl, InitiatingProcessFileName
| sort by BytesSent desc

Expected Output

Connections to cloud storage providers with data volume, source devices, and process names for further investigation.

DNS Tunneling Detection Critical

Detect DNS tunneling by identifying unusually long domain queries and high volumes of unique subdomains, which can indicate data exfiltration over DNS (MITRE T1048.003).

DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "DnsQueryResponse"
| extend DomainLength = strlen(RemoteUrl)
| where DomainLength > 50
| summarize QueryCount = count(),
            AvgLength = avg(DomainLength),
            UniqueSubs = dcount(RemoteUrl)
    by DeviceName, tostring(split(RemoteUrl, ".")[-2])
| where QueryCount > 100
| sort by QueryCount desc

Expected Output

Domains with abnormally long queries and high unique subdomain counts, indicating potential DNS-based data exfiltration channels.

Suspicious Archive Creation Before Exfil Investigation

Detect the use of archiving tools that may be used to stage data for exfiltration. Attackers commonly compress sensitive data before transferring it out (MITRE T1560.001).

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in ("7z.exe", "rar.exe", "zip.exe", "tar.exe", "WinRAR.exe")
    or (FileName == "powershell.exe" and ProcessCommandLine has "Compress-Archive")
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
         AccountName, InitiatingProcessFileName
| sort by Timestamp desc

Expected Output

Archive creation events with command line details showing what data was compressed and by which user/process.

Persistence Detection Queries

Registry Autorun Modifications Critical

Detect modifications to well-known registry autorun locations that provide persistence across system reboots (MITRE T1547.001).

DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any (
    @"CurrentVersion\Run",
    @"CurrentVersion\RunOnce",
    @"CurrentVersion\RunServices",
    @"Winlogon\Shell",
    @"Winlogon\Userinit"
)
| project Timestamp, DeviceName, ActionType, RegistryKey,
         RegistryValueName, RegistryValueData,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

Expected Output

Registry modifications to autorun keys with full value data and the process responsible for the change.

Scheduled Task Creation Investigation

Detect new scheduled tasks created via schtasks.exe, a common persistence and execution mechanism (MITRE T1053.005).

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "schtasks.exe" and ProcessCommandLine has "/create"
| project Timestamp, DeviceName, ProcessCommandLine,
         AccountName, InitiatingProcessFileName
| sort by Timestamp desc

Expected Output

All scheduled task creation commands with full command line details, revealing the task name, trigger, and action configured.

New Service Installation Investigation

Detect new Windows services being installed, which can be used for persistence and privilege escalation (MITRE T1543.003).

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "ServiceInstalled"
| project Timestamp, DeviceName,
         ServiceName = tostring(AdditionalFields.ServiceName),
         ServicePath = tostring(AdditionalFields.ServiceBinaryPath),
         ServiceStartType = tostring(AdditionalFields.ServiceStartType),
         AccountName
| sort by Timestamp desc

Expected Output

Newly installed services with binary paths and start types. Investigate services with unusual binary paths or those installed by non-admin users.

WMI Event Subscription Critical

Detect WMI event subscriptions used for fileless persistence. Attackers create WMI bindings, consumers, and filters to execute code without leaving files on disk (MITRE T1546.003).

DeviceEvents
| where Timestamp > ago(30d)
| where ActionType has "WmiBinding"
    or ActionType has "WmiConsumer"
    or ActionType has "WmiFilter"
| project Timestamp, DeviceName, ActionType,
         AdditionalFields, InitiatingProcessFileName
| sort by Timestamp desc

Expected Output

WMI event subscription components (bindings, consumers, filters) with raw event data for forensic analysis.

Startup Folder Modifications Investigation

Detect new files dropped into user or system startup folders for persistence across logons (MITRE T1547.001).

DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FolderPath has @"Start Menu\Programs\Startup"
    or FolderPath has @"Microsoft\Windows\Start Menu\Programs\Startup"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

Expected Output

Files added to startup folders with SHA256 hashes for reputation checking and full process lineage.

Credential Theft Detection Queries

LSASS Access Detection Critical

Detect non-standard processes accessing LSASS (Local Security Authority Subsystem Service), which stores credentials in memory. This is a primary indicator of credential dumping (MITRE T1003.001).

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName has "lsass" or ProcessCommandLine has "lsass"
| where InitiatingProcessFileName !in ("svchost.exe", "lsass.exe", "MsMpEng.exe", "csrss.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName,
         InitiatingProcessCommandLine, AccountName, FileName
| sort by Timestamp desc

Expected Output

Non-standard processes interacting with LSASS, with full process details for triage and forensic investigation.

Credential Dumping Tool Detection Critical

Detect known credential dumping tools and techniques by matching on binary names, command-line arguments, and common evasion methods like comsvcs.dll MiniDump (MITRE T1003).

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("mimikatz.exe", "procdump.exe", "procdump64.exe", "nanodump.exe")
    or ProcessCommandLine has_any ("sekurlsa", "lsadump", "kerberos::list",
        "MiniDump", "comsvcs.dll", "createdump")
    or ProcessCommandLine matches regex @"(?i)rundll32.*comsvcs.*MiniDump"
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
         AccountName, InitiatingProcessFileName, SHA256
| sort by Timestamp desc

Expected Output

Credential dumping tool executions with SHA256 hashes for IOC tracking and full command lines showing the technique used.

SAM Database Access Investigation

Detect access to SAM, SYSTEM, and SECURITY registry hive files, which can be used to extract local account password hashes offline (MITRE T1003.002).

DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName in ("SAM", "SYSTEM", "SECURITY")
| where FolderPath has @"config" or FolderPath has @"Temp" or FolderPath has @"repair"
| where InitiatingProcessFileName !in ("svchost.exe", "TiWorker.exe", "poqexec.exe")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

Expected Output

Non-standard file operations on SAM/SYSTEM/SECURITY hive files, especially copies to Temp directories or unusual locations.

Kerberoasting Detection Critical

Detect Kerberoasting attacks by identifying high volumes of TGS requests using RC4 encryption (0x17), which attackers use to obtain crackable service ticket hashes (MITRE T1558.003).

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "KerberosTgsRequest"
| where tostring(AdditionalFields.EncryptionType) has "0x17" // RC4
| summarize RequestCount = count(),
            ServiceNames = make_set(tostring(AdditionalFields.ServiceName))
    by DeviceName, AccountName, bin(Timestamp, 1h)
| where RequestCount > 10
| sort by RequestCount desc

Expected Output

Accounts requesting high volumes of RC4-encrypted Kerberos service tickets, with targeted service names for blast radius assessment.

7 Evidence Preservation

Proper evidence handling is critical for incident investigation, potential legal proceedings, and regulatory compliance. Use the chain of custody template below for every piece of evidence collected.

Chain of Custody Template Template

Evidence Chain of Custody Record

Evidence ID

[Auto-generated: INC-YYYY-NNNN-E##]

Description

[Brief description of the evidence]

Source Device

[Device name and MDE Device ID]

Collected By

[Analyst name and ID]

Collection Date/Time

[UTC timestamp]

Collection Method

[MDE Investigation Package / Live Response / Manual]

Hash (SHA256)

[Hash of collected artifact]

Storage Location

[Secure evidence share path]

Chain of Custody Log

[Date | Action | Person | Notes]

Evidence Handling Best Practices

Always hash evidence immediately upon collection. Store in write-protected shares with restricted access. Document every transfer, access, and modification in the chain of custody log. Use UTC timestamps consistently.

8 Containment Strategies

Select the appropriate containment strategy based on the attack type. Primary containment should be executed immediately upon confirmation; secondary containment provides additional defense in depth.

Attack Type	Primary Containment	Secondary Containment	Key Considerations
Ransomware	Isolate device(s) immediately	Restrict app execution, disable affected accounts	Preserve encrypted files for potential decryption
Lateral Movement	Isolate compromised devices, disable compromised accounts	Network segmentation via firewall rules	Map full blast radius before containment
Data Exfiltration	Isolate device, block destination IPs/domains	Monitor for continued attempts	Preserve evidence of what was exfiltrated
Persistence/Backdoor	Isolate device	Restrict app execution	Full forensic analysis before eradication
Credential Theft	Disable compromised accounts, force password reset	Isolate source device, revoke all sessions	Check downstream access with stolen credentials
Phishing (Active)	Block sender domain, quarantine emails	Isolate devices that engaged	Scope impact to all recipients

9 Eradication Checklists

Use the appropriate eradication checklist based on the incident type. Complete all items before proceeding to recovery. Track progress using the interactive checkboxes.

Ransomware Eradication High Priority

Identify and terminate all malicious processes

Remove malicious files via MDE Stop & Quarantine

Remove persistence mechanisms (registry, scheduled tasks, services)

Clean WMI event subscriptions

Remove dropped scripts and tools

Run full AV scan on all affected devices

Verify no remaining malicious artifacts via Advanced Hunting

Validate endpoint protection is active and updated

Credential Theft Eradication High Priority

Reset passwords for all compromised accounts

Revoke all active sessions and tokens

Reset Kerberos TGT (krbtgt) if domain compromise suspected

Review and remove unauthorized account modifications

Check for newly created accounts by attacker

Remove credential harvesting tools

Verify no remaining access paths

10 Recovery Validation

Before returning any system to production, validate that all recovery criteria are met. All items must be completed and signed off by the incident commander.

Verify no active alerts on recovered devices (24h clean period)

Confirm endpoint protection is enabled and updated

Validate no persistence mechanisms remain

Verify normal network communication patterns

Confirm user can authenticate normally

Check that business applications function correctly

Verify backup integrity for affected systems

Document recovery actions and timeline

Obtain sign-off from incident commander for return to production

Recovery Complete

Once all recovery validation items are checked off and signed by the incident commander, schedule the Lessons Learned review within 5 business days. Document all findings in the post-incident report.