# Malware Analysis Triage and Containment

One-sentence definition: Rapid extraction of indicators and behaviors to support containment and eradication.

## Key Facts

- Static (hashes, imports, strings), dynamic (sandbox behavior), memory artifacts.
- Derive IOCs (domains, IPs, mutexes) and IOAs (behaviors).
- Containment: isolate hosts, block hashes/domains, reset creds.
- Share intel with SIEM/EDR; retain samples safely.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Know triage outputs that drive quick blocks.

**Mnemonic:** “**See** it, **stop** it.”

## Mini Scenario

Q: Macro drops PowerShell from temp—what block?

A: Block hash, disable macro policy, EDR rule for PowerShell spawn.

## Revision Checklist

- IOC vs IOA.
- Two containment steps.
- Evidence storage.

## Related

[[Endpoint EDR Detection Validation]] · [[Email Security Operations (SPF DKIM DMARC Sandboxing)]] · [[Incident Response Lifecycle (NIST-Style)]] · [[Threat Hunting Program Basics]] · [[Playbooks and SOAR Automation]] · [[Domain 7 - Index]]