Malware Incident Response Plan: Steps to Contain and Mitigate Attacks

Key takeaways

  • Speed reduces impact: A structured Incident Response (IR) plan reduces "dwell time," which is critical because breaches lasting longer than 200 days cost organizations significantly more than those contained quickly.

  • Preserve evidence during containment: When isolating threats, prioritize suspending malicious processes rather than terminating them—especially with ransomware—to avoid destroying volatile memory that may contain decryption keys.

  • Restore with caution: Before restoring from backup, make sure you have confidently validated when the last known good backup was made. Restoring from a compromised backup can give threat actors their access back.

With the rise of ransomware-as-a-service (RaaS) models and sophisticated state-sponsored actors, an organization’s ability to react quickly and effectively can be the difference between a minor cyber incident and a devastating breach. An extended dwell time allows adversaries to escalate privileges, exfiltrate data, encrypt systems, corrupt backups, and establish persistence. Simply put, the longer it takes to detect an intruder, the more it will cost an organization. Breaches with a lifecycle of less than 200 days have an average cost of $3.87 million, while those lasting over 200 days cost $5.01 million.

A malware incident response (IR) plan gives teams a clear playbook for what to do the moment something suspicious hits a device. Using authoritative frameworks such as NIST SP 800-61 Rev. 3 and the SANS PICERL model, we break down how to create a malware incident response plan that limits spread, reduces downtime, and prevents attacks from escalating.

Confirm the malware incident

The Detection & Analysis phase (the first active phase of a malware incident response playbook, once Preparation is in place) is where it’s critical to distinguish harmless events from genuine security incidents. A 24/7 managed SOC can be crucial here, helping your team avoid “alert fatigue.”

To users, malware can manifest as unknown processes, blocked access, or strange pop-ups. A layered defense of EDR, SIEM, and antivirus tools goes deeper, using telemetry to correlate technical malware signals: a Word document spawning PowerShell, or Windows Management Instrumentation (WMI) being used to delete Volume Shadow Copies (VSS) ahead of encryption, should trigger an alert. Human-reported symptoms still help validate the technical analysis.

The technical workflow for confirming an incident consists of:

  1. Triage security alerts

  2. Analyze system logs for correlation

  3. Validate context

  4. Declare the incident

Once the Incident Response team confirms a positive incident and assigns a severity level based on potential impact, they promptly move to the next phase.
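The triage, correlation, and declaration steps above, worked as an added example that is not part of the original article: a small rule engine in Python over constructed, Sysmon-style process-creation events. The three rules (an Office application spawning a script host, encoded PowerShell, and shadow-copy deletion through wmic or vssadmin) and the declaration threshold are illustrative choices, not the rules of any particular EDR product.

```python
"""Added example: rule-based triage of process-creation telemetry.

The events below are constructed, Sysmon-style records, not real logs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str          # full path of the newly created process
    cmdline: str
    parent_image: str   # full path of the parent process


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    severity: str


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# powershell.exe accepts abbreviated switches, so -e/-ec/-en/-enc all mean -EncodedCommand
ENCODED_SWITCHES = {"-e", "-ec", "-en", "-enc", "-encodedcommand"}


def exe_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_office_spawns_script_host(ev: ProcessEvent):
    if exe_name(ev.parent_image) in OFFICE_APPS and exe_name(ev.image) in SCRIPT_HOSTS:
        return "office-spawns-script-host", "high"
    return None


def rule_encoded_powershell(ev: ProcessEvent):
    tokens = set(ev.cmdline.lower().split())
    if exe_name(ev.image) in {"powershell.exe", "pwsh.exe"} and ENCODED_SWITCHES & tokens:
        return "encoded-powershell", "medium"
    return None


def rule_shadow_copy_deletion(ev: ProcessEvent):
    """Shadow-copy deletion via WMI (wmic) or the VSS admin tool; both usually precede encryption."""
    cmd, name = ev.cmdline.lower(), exe_name(ev.image)
    if name == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd:
        return "shadow-copy-deletion", "critical"
    if name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        return "shadow-copy-deletion", "critical"
    return None


RULES = [rule_office_spawns_script_host, rule_encoded_powershell, rule_shadow_copy_deletion]


def evaluate(events):
    """Steps 1-2: run every rule over every event and collect the alerts."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(Alert(ev.host, hit[0], hit[1]))
    return alerts


def triage(alerts):
    """Steps 3-4: correlate per host and decide whether to declare an incident.

    Declare on any critical alert, or on a high alert corroborated by a second,
    distinct rule firing on the same host (illustrative threshold).
    """
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, []).append(a)
    verdicts = {}
    for host, hits in by_host.items():
        top = max(hits, key=lambda a: SEVERITY_RANK[a.severity]).severity
        rules = sorted({a.rule for a in hits})
        declare = top == "critical" or (top == "high" and len(rules) >= 2)
        verdicts[host] = {"severity": top, "rules": rules, "declare_incident": declare}
    return verdicts


SAMPLE_EVENTS = [
    # constructed: Word launches hidden, encoded PowerShell (base64 token is made up)
    ProcessEvent("WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    # constructed: that PowerShell then wipes shadow copies through WMI
    ProcessEvent("WS01", r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # constructed: benign activity on another host
    ProcessEvent("WS02", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "chrome.exe --profile-directory=Default", r"C:\Windows\explorer.exe"),
    ProcessEvent("WS02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\inventory.ps1", r"C:\Windows\System32\cmd.exe"),
]


def run_sample():
    return triage(evaluate(SAMPLE_EVENTS))


if __name__ == "__main__":
    for host, verdict in run_sample().items():
        print(host, verdict)
```

WS01 is declared an incident at critical severity because the shadow-copy deletion alone is decisive, and the two earlier alerts on the same host supply the context an analyst needs for the severity call; WS02 produces no alert at all, which is the “harmless event” side of the distinction.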



Contain the malware immediately

The goal is to contain malware as quickly as possible while preserving the environment for analysis. First, isolate the infected device from the network. Ideally, your EDR tool can isolate the host so that it remains powered on but is only able to communicate with the EDR management console. If software isolation isn’t an option, you may need to physically disconnect the device from the network or reassign its switch port to a quarantine VLAN.

Next, disable compromised accounts in Active Directory (don’t delete them, as this may hinder forensic investigation or break associated service dependencies). Revoke all active sessions and refresh tokens for the compromised user in your identity provider (IdP), such as Microsoft Entra ID (formerly Azure AD) or Okta, so that a stolen token doesn’t outlive the password reset.

Hurried containment can destroy critical evidence. Make sure your malware incident response steps include a chain-of-custody process: record who collected each artifact, from which host, when, and with what tool, and hash the artifacts so later tampering is detectable. Capture volatile memory and other forensic data before powering down or rebooting, since a reboot wipes it. Export logs from firewalls, proxy servers, and DNS servers to a central, immutable SIEM server.
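The chain-of-custody step, as an added example that is not part of the original article: a Python routine that hashes every collected artifact with SHA-256, records collector, source host, tool and UTC time in a JSON manifest, keeps a custody log of hand-offs, and re-verifies the evidence later. The case ID, analyst name and the evidence files (stand-ins for a memory image and an event log written to a temporary directory) are all constructed.

```python
"""Added example: hash-and-record evidence capture for chain of custody.

Evidence files here are constructed stand-ins written to a temp directory.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB memory images do not load into RAM


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, case_id, collector, source_host, tool):
    """Hash every file under evidence_dir and record who collected it, from where, and when."""
    root = Path(evidence_dir)
    items = [
        {"file": p.relative_to(root).as_posix(), "size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(root.rglob("*")) if p.is_file()
    ]
    return {
        "case_id": case_id,
        "source_host": source_host,
        "collector": collector,
        "tool": tool,
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "items": items,
        "custody_log": [],
    }


def log_custody_event(manifest, action, person):
    """Append a transfer/access entry; the manifest doubles as the custody record."""
    manifest["custody_log"].append(
        {"utc": datetime.now(timezone.utc).isoformat(timespec="seconds"), "action": action, "person": person}
    )


def write_manifest(manifest, out_path) -> str:
    """Write the manifest and return its own SHA-256 for the signed custody form."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    Path(out_path).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify_manifest(evidence_dir, manifest):
    """Re-hash the evidence; return a list of (file, problem) for anything missing or altered."""
    root = Path(evidence_dir)
    problems = []
    for item in manifest["items"]:
        p = root / item["file"]
        if not p.is_file():
            problems.append((item["file"], "missing"))
        elif sha256_file(p) != item["sha256"]:
            problems.append((item["file"], "hash mismatch"))
    return problems


def demo():
    """Capture constructed evidence, verify it, tamper with one file, verify again."""
    with tempfile.TemporaryDirectory() as work:
        evidence = Path(work) / "WS01"
        (evidence / "logs").mkdir(parents=True)
        (evidence / "memory.raw").write_bytes(b"\x00" * 4096)              # constructed stand-in for a RAM image
        (evidence / "logs" / "Security.evtx").write_bytes(b"ElfFile\x00")  # constructed stand-in for an event log
        manifest = build_manifest(evidence, "IR-2024-0001", "analyst.a", "WS01", "example-collector")
        log_custody_event(manifest, "acquired", "analyst.a")
        manifest_hash = write_manifest(manifest, Path(work) / "WS01-manifest.json")
        before = verify_manifest(evidence, manifest)
        (evidence / "logs" / "Security.evtx").write_bytes(b"ElfFile\x00tampered")
        after = verify_manifest(evidence, manifest)
        return len(manifest["items"]), manifest_hash, before, after


if __name__ == "__main__":
    print(demo())
```

The manifest’s own hash is the value to write on the physical custody form or into the ticket: anyone who later receives the evidence can re-run verify_manifest and prove that nothing changed in transit.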


Assess the scope of the cyberattack

With the immediate threat contained, determine the scope of the attack and prevent re-infection. This hinges on identifying “Patient Zero,” the first compromised host, and the initial entry vector the attacker used to reach it. Review logs for suspicious activity leading up to the event.

  • Phishing remains a primary delivery method for trojans and initial access brokers. Review email gateway logs for suspicious attachments or links. 

  • Check public-facing infrastructure (VPNs, firewalls, web servers) for unpatched vulnerabilities. 

  • Analyze logs for brute-force or credential stuffing attacks (e.g., a high volume of failed logons followed by a successful logon from an external IP).

Next, map lateral movement, looking for signals like PsExec and SMB abuse, WMI commands, or pass-the-hash techniques. Once you know how far the attackers spread, you can determine what they stole. Review firewall logs for large, sustained outbound data transfers. Look for the presence of exfiltration tools like Rclone, MEGAcmd, or FileZilla, or large archive files (ZIP, RAR, 7z) in unexpected directories. Beyond assessing your organization’s exposure, determining what was stolen is often a legal and regulatory requirement (GDPR, HIPAA).
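Two of the scoping checks above (the failed-then-successful logon pattern that points at the entry vector, and the large, sustained outbound transfer that points at exfiltration), worked as an added example that is not part of the original article. The logon records mimic Windows event IDs 4624/4625 and the flow records mimic firewall logs, but both data sets and the thresholds (10 failures in 15 minutes, 500 MB to one destination in an hour) are constructed and illustrative; lateral-movement signals such as PsExec or pass-the-hash are not covered here.

```python
"""Added example: entry-vector and exfiltration checks over constructed logs.

Records are constructed stand-ins for Windows logon events (4624/4625) and
firewall flow logs; thresholds are illustrative tuning knobs.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# RFC 1918 space is "internal"; everything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class Logon:
    ts: datetime
    event_id: int      # 4625 = failed logon, 4624 = successful logon
    user: str
    src_ip: str


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_ip: str
    dst_ip: str
    bytes_out: int


def find_credential_attacks(logons, window=timedelta(minutes=15), min_failures=10):
    """A burst of failures from an external IP followed by a success is the entry-vector signal."""
    by_src = defaultdict(list)
    for rec in sorted(logons, key=lambda r: r.ts):
        by_src[rec.src_ip].append(rec)
    findings = []
    for src, recs in by_src.items():
        if not is_external(src):
            continue
        for i, rec in enumerate(recs):
            if rec.event_id != 4624:
                continue
            fails = [r for r in recs[:i] if r.event_id == 4625 and rec.ts - r.ts <= window]
            if len(fails) >= min_failures:
                users = {r.user for r in fails}
                kind = "credential-stuffing" if len(users) > 1 else "brute-force"
                findings.append({"kind": kind, "src_ip": src, "user": rec.user,
                                 "failures": len(fails), "success_at": rec.ts})
    return findings


def find_bulk_egress(flows, window=timedelta(hours=1), min_bytes=500 * 1024 ** 2):
    """Sum outbound bytes per (internal src, external dst) inside a sliding time window."""
    by_pair = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if not is_external(f.src_ip) and is_external(f.dst_ip):
            by_pair[(f.src_ip, f.dst_ip)].append(f)
    findings = []
    for (src, dst), recs in by_pair.items():
        start, total = 0, 0
        for end, f in enumerate(recs):
            total += f.bytes_out
            while recs[end].ts - recs[start].ts > window:  # drop flows that fell out of the window
                total -= recs[start].bytes_out
                start += 1
            if total >= min_bytes:
                findings.append({"src_ip": src, "dst_ip": dst, "bytes": total,
                                 "first": recs[start].ts, "last": f.ts})
                break  # one finding per pair is enough for scoping
    return findings


T0 = datetime(2024, 3, 4, 2, 0)  # constructed timeline start


def sample_logons():
    attacker, insider = "203.0.113.45", "10.0.8.12"
    recs = [Logon(T0 + timedelta(seconds=20 * i), 4625, "jsmith", attacker) for i in range(25)]
    recs.append(Logon(T0 + timedelta(minutes=9), 4624, "jsmith", attacker))   # attacker finally succeeds
    recs += [Logon(T0 + timedelta(minutes=i), 4625, "mlee", insider) for i in range(3)]
    recs.append(Logon(T0 + timedelta(minutes=4), 4624, "mlee", insider))      # internal typo, not an attack
    return recs


def sample_flows():
    mb = 1024 ** 2
    recs = [Flow(T0 + timedelta(hours=3, minutes=5 * i), "10.0.5.20", "198.51.100.7", 200 * mb) for i in range(10)]
    recs += [Flow(T0 + timedelta(hours=3, minutes=10 * i), "10.0.5.21", "198.51.100.9", 2 * mb) for i in range(6)]
    return recs


def run_sample():
    return find_credential_attacks(sample_logons()), find_bulk_egress(sample_flows())
```

The brute-force finding gives you the entry vector and the account to reset; the egress finding names the internal host to pull archives and tool artifacts from and the destination to block at the firewall, and it feeds the "what was stolen" estimate that regulators will ask for.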



Remove the malware

Once the scope of the breach is understood and evidence is preserved, you can move forward with the eradication phase. Thoroughness is crucial, as leaving a single backdoor often leads to a more destructive second attack.

  • Terminate malicious processes (if you haven’t already; by this point memory has been captured, so suspending them is no longer necessary).

  • Remove persistence mechanisms (registry run keys, scheduled tasks, services, WMI consumers).

  • Delete artifacts (malware binaries, droppers, etc.).

  • Apply critical security updates and harden configurations (disable or tightly restrict RDP, disable SMBv1, restrict PowerShell execution).

  • Reset credentials for impacted accounts.

While many EDRs can perform tactical remediation and get you back to a safe state, the only way to be fully confident that unknown or undiscovered threats are gone is to reinstall the operating system from a trusted "gold image."



Restore your systems safely

In the eagerness to restore business operations, be cautious not to rush recovery, as this could risk re-infection. A backup taken after the initial infection but before detection can reintroduce the malware, so anchor your choice of restore point to the earliest confirmed compromise in your incident timeline, not to the detection date. Scan the candidate backup offline for the indicators you found during scoping, then restore into the cleaned, segmented environment and watch for any return of those indicators.
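The restore-point decision, as an added example that is not part of the original article: a Python function that walks a backup catalog from newest to oldest and rejects anything taken inside the compromise window (earliest confirmed indicator minus a safety margin), anything not held immutably, and anything not yet scanned offline. The catalog, the incident timeline and the 24-hour margin are constructed assumptions; in the sample the backup taken between infection and detection is the one that gets rejected.

```python
"""Added example: choosing a restore point from the compromise timeline, not the detection time.

The backup catalog, timeline and margin are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    backup_id: str
    taken_at: datetime
    immutable: bool        # held on WORM/offline storage the attacker could not alter
    scanned_clean: bool    # mounted offline and scanned for the incident's indicators


def earliest_compromise(timeline):
    """Earliest timestamp among confirmed malicious artifacts (first beacon, persistence, Patient Zero logon)."""
    return min(ts for _, ts in timeline)


def choose_restore_point(backups, timeline, margin=timedelta(hours=24)):
    """Return (chosen_backup_or_None, {rejected_id: reason}).

    A backup is acceptable only if it predates the earliest confirmed compromise by at
    least `margin` (timeline reconstruction is never exact), was held immutably, and
    has been scanned clean. Newest acceptable backup wins.
    """
    cutoff = earliest_compromise(timeline) - margin
    rejected = {}
    for b in sorted(backups, key=lambda b: b.taken_at, reverse=True):
        if b.taken_at >= cutoff:
            rejected[b.backup_id] = "inside compromise window; may contain the malware"
        elif not b.immutable:
            rejected[b.backup_id] = "not immutable; attacker may have altered it"
        elif not b.scanned_clean:
            rejected[b.backup_id] = "not yet scanned offline"
        else:
            return b, rejected
    return None, rejected


# constructed timeline: infection on 1 March, ransomware detonated and detected on 4 March
SAMPLE_TIMELINE = [
    ("first C2 beacon from WS01", datetime(2024, 3, 1, 3, 10)),
    ("scheduled-task persistence on WS01", datetime(2024, 3, 1, 3, 30)),
    ("encryption started / incident detected", datetime(2024, 3, 4, 2, 0)),
]

# constructed nightly catalog; all held on immutable storage and scanned
SAMPLE_BACKUPS = [
    Backup("nightly-2024-03-03", datetime(2024, 3, 3, 23, 0), True, True),  # after infection, before detection
    Backup("nightly-2024-03-01", datetime(2024, 3, 1, 23, 0), True, True),
    Backup("nightly-2024-02-29", datetime(2024, 2, 29, 23, 0), True, True),  # inside the 24 h margin
    Backup("nightly-2024-02-28", datetime(2024, 2, 28, 23, 0), True, True),
    Backup("nightly-2024-02-27", datetime(2024, 2, 27, 23, 0), True, True),
]


def run_sample():
    return choose_restore_point(SAMPLE_BACKUPS, SAMPLE_TIMELINE)


if __name__ == "__main__":
    chosen, rejected = run_sample()
    print("restore from:", chosen.backup_id if chosen else None)
    for backup_id, reason in rejected.items():
        print("rejected", backup_id, "-", reason)
```

Had the function been keyed to the detection date (4 March), the 3 March backup would have looked fine and would have restored the scheduled task along with the data; keying it to the earliest indicator is what the “last known good” check actually means.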


Prevent future cybersecurity incidents

Hold a "Lessons Learned" meeting with all stakeholders (IT, Security, Legal, C-Suite) to review the attack timeline and perform a gap analysis. Look at where detection, response, and policy failed, and update your incident response plan accordingly. Implement any necessary technical hardening (network segmentation, least privilege principles, zero trust architecture, etc.). Finally, consider adding managed security awareness training (SAT) to your malware incident response checklist. Educate your team on how to spot phishing and other threats, and help protect one of the top entry points for malware.




Put your malware incident response plan into action with Huntress

Huntress Managed EDR arms your organization with a 24/7 AI-assisted SOC for continuous monitoring and assisted remediation. Contain infections fast, remove malware safely, and stay ahead of repeat attacks. Discover Huntress Managed EDR today.
