rule SuspiciousDownloader {
// Flags content carrying PowerShell download / encoded-command indicators.
// NOTE(review): the condition body is missing from this listing, so the rule
// as shown does not compile; how $a/$b/$c are combined cannot be recovered here.
// NOTE(review): $c ("http://") on its own matches a very large share of benign
// files and does not cover https:// — presumably the condition only uses it in
// combination with $a or $b; confirm against the original rule.
strings:
// Matches "powershell -enc..." (and therefore "-EncodedCommand"); it does NOT
// match "powershell.exe -enc", "pwsh -enc", or the short "-e"/"-ec" forms.
$a = "powershell -enc" nocase
// Cmdlet name only; the iwr/wget/curl aliases are not covered by this string.
$b = "Invoke-WebRequest" nocase
$c = "http://" nocase
condition:
#!/usr/bin/env bash
# Strict mode: abort on any failing command, on use of an unset variable,
# and on a failure anywhere in a pipeline.
set -o errexit -o nounset -o pipefail
# ==========================================================
# Production Incident Response Runbook
# ==========================================================
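# Severity ladder used to triage incoming incidents. Each level is a short
# human-readable definition for responders, not a machine-evaluated rule.
# The sev* keys are nested under `severities` — flush with it (as in the
# original listing) they parse as unrelated top-level keys and `severities`
# becomes null.
severities:
  sev1: customer-impacting active compromise or confirmed data exposure
  sev2: high risk suspicious activity with potential customer impact
  sev3: contained issue with low current impact
# NOTE(review): `first_hour` has no value here and therefore parses as null.
# The shell snippet that follows on the page is presumably its body as a
# literal block scalar (`first_hour: |`) — confirm against the original runbook
# before relying on this key.
first_hour: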
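#!/usr/bin/env bash
# First-hour evidence collection: create a private per-incident working directory.
set -euo pipefail

# Evidence must not be readable by other local users. Set the mask before
# anything is created so every file written below inherits it.
umask 077

# Directory name carries a UTC timestamp so timelines collected from several
# hosts line up. INCIDENT_DIR overrides the default /tmp location (for example
# a dedicated evidence volume); unset, the original default path is kept.
OUT="${INCIDENT_DIR:-/tmp/incident-$(date -u +%Y%m%d-%H%M%S)}"

# No -p: a pre-existing path — a collision from a second run in the same
# second, or a directory/symlink planted in world-writable /tmp by someone
# else — must fail loudly rather than be silently reused as the evidence
# directory. set -e aborts the script on that failure.
mkdir -m 0700 "$OUT"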
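#!/usr/bin/env bash
# Network-capture snippets for a suspect host. Each tcpdump runs until
# interrupted, so run them one at a time rather than as a single script.
set -euo pipefail

# Interface and suspect address were hard-coded; keep the same defaults but
# allow overriding from the environment (hosts rarely share "eth0").
IFACE="${IFACE:-eth0}"
SUSPECT="${SUSPECT:-10.10.20.15}"

# Captured traffic is evidence: keep the pcap private to the invoking user.
umask 077

# -nn: no reverse resolution of addresses or ports. Lookups slow the capture
# (dropped packets on a busy interface) and would themselves emit DNS queries
# for the suspect's peers from the responder's machine.
# Full-packet capture of everything to/from the suspect host, written to disk.
tcpdump -nn -i "$IFACE" host "$SUSPECT" -w suspect-host.pcap

# Live view of TLS sessions to the API host. Only TCP/TLS handshake metadata
# is visible; the HTTP layer is encrypted. Note that "host api.example.com" is
# resolved when the filter is compiled, so it only matches the addresses the
# name resolved to at that moment.
tcpdump -nn -i "$IFACE" port 443 and host api.example.com

# Live view of connection setup/teardown (SYN/FIN/RST) for scan or churn triage.
tcpdump -nn -i "$IFACE" 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'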
http.response.code >= 400
tcp.analysis.retransmission
tls.alert_message
dns.flags.response == 1 && dns.a
ip.addr == 10.10.20.15 && tcp.port == 443