respond-malware


Respond to a malware incident following PICERL methodology. Use when malware is detected on endpoints. Orchestrates triage, containment, eradication, and recovery. Works with triage-malware skill for analysis.

By dandye. Updated 2/4/2026

---
name: respond-malware
description: "Respond to a malware incident following PICERL methodology. Use when malware is detected on endpoints. Orchestrates triage, containment, eradication, and recovery. Works with triage-malware skill for analysis."
required_roles:
  chronicle: roles/chronicle.admin
  soar: roles/chronicle.soarAdmin
  gti: GTI Enterprise
  scc: roles/securitycenter.findingsEditor
personas: [incident-responder]
---

Malware Incident Response Skill

Structured workflow for responding to suspected malware incidents using the PICERL model.

Inputs

  • CASE_ID - SOAR case ID for the incident
  • ALERT_GROUP_IDENTIFIERS - Alert group identifiers from SOAR
  • INITIAL_INDICATORS - Details from initial alerts:
    • File hashes
    • IPs/domains
    • Affected hosts
    • Affected users

Required Outputs

After completing each phase, you MUST report these outputs:

Identification Phase

| Output | Description |
|---|---|
| AFFECTED_HOSTS | Hosts with confirmed malware |
| MALWARE_SAMPLES | File hashes requiring triage/analysis |
| MALWARE_IOCS | Network indicators (IPs, domains, URLs) |
| AFFECTED_USERS | Users who executed/accessed malware |

Containment Phase

| Output | Description |
|---|---|
| ISOLATED_HOSTS | Hosts successfully isolated from network |
| BLOCKED_IOCS | IOCs blocked at firewall/proxy |

Eradication Phase

| Output | Description |
|---|---|
| CLEANED_HOSTS | Hosts with malware removed |
| REMOVED_PERSISTENCE | Persistence mechanisms removed |

Recovery Phase

| Output | Description |
|---|---|
| RESTORED_HOSTS | Hosts restored to operational state |
| VALIDATION_STATUS | Post-recovery scan results |

PICERL Phases

Phase 2: Identification

Step 2.1: Initial Triage

Use /triage-alert with CASE_ID for initial assessment.

secops-soar.get_case_full_details(case_id=CASE_ID)

Use /check-duplicates.

Step 2.2: Malware Triage

If a file hash is the primary indicator:

Use /triage-malware:

/triage-malware FILE_HASH=abc123 CASE_ID=1234

This provides:

  • GTI classification
  • Behavioral indicators
  • Network IOCs
  • Affected hosts/users

Step 2.3: IOC Enrichment

For other key IOCs (IPs, domains, URLs):

Use /enrich-ioc for each.

Step 2.4: Initial Scope Assessment

Compile:

  • AFFECTED_ENDPOINTS - Hosts with malware
  • AFFECTED_USERS - Users who executed or accessed the malware
  • MALICIOUS_IOCs - Network indicators (IPs, domains, URLs)

Use /document-in-case with findings.
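Compiling the scope from a batch of mixed, unlabelled indicators is where mistakes creep in: defanged URLs that never get refanged, duplicate IPs, hashes and domains mixed in one list, and hosts that merely saw the file counted as infected. The following Python is an added example, not code from the ai-runbooks project or from the SOAR/GTI tooling it calls. It classifies a constructed batch of INITIAL_INDICATORS by type, refangs and deduplicates them, and merges the hosts and users from a hypothetical /triage-malware result (the TRIAGE_RESULTS layout and its `verdict` field are assumptions) into the four Identification-phase outputs. None of the sample values are real indicators.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample of INITIAL_INDICATORS as they might arrive from the alert
# group: unlabelled, defanged, with a duplicate and some noise. No real IoCs.
RAW_INDICATORS = [
    "D41D8CD98F00B204E9800998ECF8427E",                                  # MD5 length
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # SHA-256 length
    "203.0.113.45",                                                      # TEST-NET-3 address
    "hxxp://malware-staging.example[.]net/payload.bin",                  # defanged URL
    "cdn-update.example.org",
    "203.0.113.45",                                                      # duplicate
    "not an indicator",
]

# Constructed stand-in for the "affected hosts/users" part of a /triage-malware
# result. The dict layout and the 'verdict' field are assumptions for this example.
SAMPLE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
TRIAGE_RESULTS = [
    {"host": "WS-0412", "user": "jdoe", "sha256": SAMPLE_SHA256, "verdict": "malicious"},
    {"host": "WS-0417", "user": "jdoe", "sha256": SAMPLE_SHA256, "verdict": "malicious"},
    {"host": "SRV-FILE01", "user": "svc_backup", "sha256": SAMPLE_SHA256, "verdict": "benign"},
]

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")


def refang(value: str) -> str:
    """Undo common defanging so the value can be matched and later blocked."""
    return (value.strip()
                 .replace("hxxp", "http")
                 .replace("[.]", ".")
                 .replace("(.)", ".")
                 .replace("[:]", ":"))


def classify(raw: str):
    """Return (kind, normalised value); kind is hash/url/ip/domain or None."""
    value = refang(raw).lower()
    if HASH_RE.match(value):
        return "hash", value
    if "://" in value:
        parsed = urlparse(value)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            return "url", value
        return None, raw
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        return "domain", value
    return None, raw


def compile_scope(raw_indicators, triage_results):
    """Build the Identification-phase outputs from raw indicators and triage results."""
    hosts, users, samples, unclassified = set(), set(), set(), set()
    iocs = {"ip": set(), "domain": set(), "url": set()}

    for raw in raw_indicators:
        kind, value = classify(raw)
        if kind == "hash":
            samples.add(value)
        elif kind == "url":
            iocs["url"].add(value)
            # A URL also yields a host-level IOC, which is what a proxy or DNS block needs.
            host_kind, host_value = classify(urlparse(value).hostname)
            if host_kind in ("ip", "domain"):
                iocs[host_kind].add(host_value)
        elif kind in iocs:
            iocs[kind].add(value)
        else:
            unclassified.add(value)

    for result in triage_results:
        if result.get("verdict") != "malicious":
            continue  # AFFECTED_HOSTS means confirmed malware, not every host that saw the file
        hosts.add(result["host"])
        users.add(result["user"])
        samples.add(result["sha256"].lower())

    return {
        "AFFECTED_HOSTS": sorted(hosts),
        "AFFECTED_USERS": sorted(users),
        "MALWARE_SAMPLES": sorted(samples),
        "MALWARE_IOCS": {k: sorted(v) for k, v in iocs.items()},
        "UNCLASSIFIED": sorted(unclassified),  # review by hand before /enrich-ioc
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compile_scope(RAW_INDICATORS, TRIAGE_RESULTS), indent=2))
```

The UNCLASSIFIED list is deliberately kept rather than dropped: anything that does not parse as a hash, IP, domain or URL needs a human look before it is silently left out of the scope that the containment steps act on.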


Phase 3: Containment

Step 3.1: Endpoint Isolation

For each endpoint in AFFECTED_ENDPOINTS:

Use /confirm-action:

"Isolate endpoint [HOSTNAME] from network?"

If confirmed, execute isolation via EDR.

Step 3.2: Network IOC Containment

For each IOC in MALICIOUS_IOCs:

Use /confirm-action:

"Block [IOC_TYPE] [VALUE] at firewall/proxy?"

If confirmed, implement blocks.

Step 3.3: User Account Containment

If a compromised user account is involved:

Trigger /respond-compromised-account

Step 3.4: Verify Containment

Monitor for continued activity (replace the placeholder search text with the actual isolated hostnames and blocked IOCs):

secops-mcp.search_security_events(
    text="Activity from contained IOCs or endpoints",
    hours_back=1
)

Use /document-in-case with containment status.
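The search in Step 3.4 only verifies containment if its results are checked against what was actually isolated and blocked. The following Python is an added example, not part of the runbook or of the secops-mcp tooling; it runs that check over a constructed set of post-containment network events (the key=value line format, the hostnames, timestamps and IOC values are all made up for this example). It flags isolated hosts that still generate any network traffic, blocked IOCs that were still reached with a non-BLOCK outcome, and hosts outside the isolated set that contacted a blocked IOC, which are candidates for adding to AFFECTED_ENDPOINTS rather than a sign that containment worked.

```python
from datetime import datetime, timezone

# Containment state as reported from Steps 3.1 and 3.2 (constructed values).
ISOLATED_HOSTS = {"WS-0412", "WS-0417"}
BLOCKED_IOCS = {"203.0.113.45", "cdn-update.example.org"}
CONTAINMENT_TIME = datetime(2026, 2, 4, 10, 10, tzinfo=timezone.utc)

# Constructed network events in a simple key=value line format standing in for
# a SIEM search result. Not real log data.
SAMPLE_EVENTS = """\
2026-02-04T10:05:10Z host=WS-0412 user=jdoe dst=203.0.113.45 outcome=ALLOW
2026-02-04T10:15:22Z host=WS-0412 user=jdoe dst=198.51.100.7 outcome=ALLOW
2026-02-04T10:20:41Z host=WS-0901 user=asmith dst=cdn-update.example.org outcome=BLOCK
2026-02-04T10:25:03Z host=WS-0417 user=jdoe dst=203.0.113.45 outcome=BLOCK
2026-02-04T10:30:59Z host=WS-0555 user=mlee dst=203.0.113.45 outcome=ALLOW
"""


def parse_event(line: str) -> dict:
    """Parse one '<ISO timestamp> k=v k=v ...' line into a dict with a tz-aware ts."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def verify_containment(events_text, isolated_hosts, blocked_iocs, containment_time):
    """Return containment failures and scope gaps seen after containment_time."""
    findings = []
    new_host_candidates = set()
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["ts"] <= containment_time:
            continue  # pre-containment activity is expected; only later activity matters
        # An isolated host should produce no network events at all, blocked or not.
        if ev["host"] in isolated_hosts:
            findings.append({"type": "ISOLATION_FAILED", "host": ev["host"],
                             "dst": ev["dst"], "ts": ev["ts"].isoformat()})
        if ev["dst"] in blocked_iocs:
            # A non-BLOCK outcome means the firewall/proxy rule is not (yet) effective.
            if ev["outcome"] != "BLOCK":
                findings.append({"type": "BLOCK_NOT_EFFECTIVE", "host": ev["host"],
                                 "dst": ev["dst"], "ts": ev["ts"].isoformat()})
            # Any un-isolated host reaching for a blocked IOC is a scope gap, even if blocked.
            if ev["host"] not in isolated_hosts:
                new_host_candidates.add(ev["host"])
    return {
        "CONTAINED": not findings and not new_host_candidates,
        "findings": findings,
        "NEW_HOST_CANDIDATES": sorted(new_host_candidates),
    }


if __name__ == "__main__":
    import json
    result = verify_containment(SAMPLE_EVENTS, ISOLATED_HOSTS, BLOCKED_IOCS, CONTAINMENT_TIME)
    print(json.dumps(result, indent=2))
```

Only events after CONTAINMENT_TIME count, so the first sample line (pre-isolation traffic from WS-0412) is ignored; the remaining lines produce two isolation failures, one ineffective block and two new hosts to fold back into Step 2.4.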


Phase 4: Eradication

Step 4.1: Identify Persistence

From the /triage-malware results and the GTI behavior summary, identify:

  • Scheduled tasks
  • Services installed
  • Registry modifications
  • Dropped files
  • WMI subscriptions

Step 4.2: Remove Malware & Persistence

(Requires EDR/endpoint tools)

Execute removal plan:

  1. Terminate malicious processes
  2. Delete malware files
  3. Remove persistence mechanisms
  4. Clear malicious registry keys

Step 4.3: Scan for Residual Infection

(Requires EDR/AV tools)

Perform thorough scans post-eradication.

Use /document-in-case with eradication results.


Phase 5: Recovery

Step 5.1: Determine Recovery Strategy

Based on severity and whether admin rights were involved:

| Factor | Rebuild | Clean |
|---|---|---|
| Admin rights compromised | | |
| Unknown malware | | |
| Known commodity malware | | Consider |
| High confidence eradication | | Consider |

Step 5.2: Execute Recovery

(Involves IT Ops/System Admins)

  • Rebuild from known-good image OR clean existing
  • Apply all patches before reconnecting
  • Perform vulnerability scan
  • Restore data from clean backups if needed

Step 5.3: Monitor Recovered Systems

Closely monitor for 24-72 hours post-recovery:

  • Watch for re-infection indicators
  • Monitor for unusual behavior
  • Verify normal operations

Step 5.4: Lift Containment

Gradually remove isolation once confidence is high.

Use /document-in-case with recovery status.


Phase 6: Lessons Learned

Use /generate-report with:

  • Malware classification
  • Entry vector
  • Spread/impact
  • Response timeline
  • Recovery actions
  • Recommendations

Conduct review:

  • How did malware enter?
  • Was detection timely?
  • Were containment actions effective?
  • What detections should be added?

Critical Warnings

  • DO NOT skip endpoint isolation for confirmed infections
  • MUST identify malware strain/behavior
  • DO NOT restore without verifying eradication
  • ALWAYS verify scan results before reconnecting

Malware Response Quick Reference

| Phase | Key Question | Action |
|---|---|---|
| Identification | What is it? | /triage-malware |
| Identification | Where is it? | SIEM search |
| Containment | Stop the spread | Isolate endpoints |
| Containment | Block C2 | Block network IOCs |
| Eradication | Remove it | EDR remediation |
| Recovery | Restore ops | Rebuild or clean |

Install via CLI
npx skills add https://github.com/dandye/ai-runbooks --skill respond-malware