INCIDENT RESPONSE & DIGITAL FORENSICS

Contain breaches. Eliminate adversaries. Restore operational control.

Spakto delivers rapid-response incident containment, advanced digital forensics, and executive-grade breach reporting — minimizing business disruption while preserving evidentiary integrity and regulatory alignment.

LIVE INCIDENT · INC-2026-0047 · P1 CRITICAL

Incident Response Command Center

ALPHV/BlackCat · Ransomware Encryptor · FINANCE-PC-07 · VLAN-14

SEVERITY: P1 CRIT
Incident Elapsed: 00:47:23 (HH:MM:SS)
THREAT ACTOR: ALPHV/BlackCat
INITIAL VECTOR: Phishing/Macro
DWELL TIME: < 90 min
SCOPE: 247 endpoints
LIVE status feed:
◈ EDR: Holdups.exe quarantined on 4 hosts | PID 4832 killed
◈ AD: svc_backup Domain Admin rights revoked | Session 0x3f2a9 terminated
◈ FW: C2 egress blocked -> 185.220.101.42:8443 (ALPHV TOR exit node)
◈ SIEM: Lateral movement halted -- VLAN isolation active on 14 segments
◈ FOR: 16.3GB memory image acquired -- SHA-256 match verified
◈ NET: Zero new IOCs detected in last 15 minutes
◈ BAK: T-72h restore snapshot validated clean for FINANCE-SRV-07
IR Phase Pipeline
Phase Timeline: P1 · P2 · P3 · P4
SLA Commitments:
P1 Containment: < 60 min
P2 Acquisition: < 2 hrs
P3 Eradication: < 4 hrs
P4 Recovery: < 24 hrs
Phase 1 of 4 · COMPLETE

Containment · Network Isolation

COMPLETE · 14:32 - 14:44 · Duration: 12m · Phase Completion: 100%
Action Items:
VLAN-14 segment isolated at switch level
svc_backup AD account suspended + session revoked
4 endpoints quarantined via CrowdStrike RTR
SLA Target: 60m
Assigned Analyst: AI-SOC-01
Evidence Volume: 4 hosts
IR-COMMAND-LOG · LIVE
14:32:03 · EDR · CRIT: Abnormal process chain: FINANCE-PC-07 svchost.exe -> powershell.exe -enc [B64_PAYLOAD_4f9a]
14:32:15 · SIEM · HIGH: Lateral movement: WS-042 -> FILE-SRV-07 via SMB445 (PsExec artifact signature matched)
14:33:02 · AD · CRIT: Privilege escalation: svc_backup -> Domain Admins via RunAs. Session ID 0x3f2a9 terminated.
14:35:41 · FW · HIGH: Egress blocked: FINANCE-PC-07 -> 185.220.101.42:8443 (ALPHV known C2 node. TOR exit.)
14:37:18 · EDR · CRIT: Ransomware binary terminated: holdups.exe (SHA256:3d9f8b...). 4/247 hosts quarantined.
Command Principle

Every second of uncontrolled attacker presence is an exponential multiplier on damage scope. Containment is not the conclusion — it is the beginning of surgical, evidence-preserving eradication.

Phase status: CONTAIN (COMPLETE) · ACQUIRE (ACTIVE) · ERADICATE (QUEUED) · RECOVER (QUEUED)
Live IR Timeline · Active Engagement

End-to-End Incident Response. Every Minute Measured.

Structured 6-phase playbook with contractual SLA targets at every stage. Detection to Post-IR report in under 24 hours, guaranteed.

Incident Clock: 00:43:34 since detection · Phases: 3/6 complete
Active incidents:
Ransomware (BlackCat/ALPHV) · P1 CRITICAL · FINANCE-SRV-07 · AD Domain Controller
BEC (OAuth App Consent Grant) · P2 HIGH · M365 Tenant · CFO Mailbox Compromised
Incident Context
ID: INC-2024-0847
Actor: ALPHV Rust v3 / UNC2165
MITRE: TA0040 · Impact — T1490 Inhibit System Recovery

Detection · SLA MET · AI-SOC-01 · AI Analyst · T1490 · SLA < 5m · Elapsed 2m 14s · complete
Triage · SLA MET · SR-IR-02 · IR Lead · T1486 · SLA < 10m · Elapsed 4m 38s · complete
Containment · SLA MET · AI-SOC-01 · AI Analyst · T1021 · SLA < 15m · Elapsed 8m 51s · complete
Eradication · ACTIVE · SR-IR-03 · Senior IR · T1547 · SLA < 2h · Elapsed 38m 20s · active
Actions Taken:
23 malware binaries purged — IOC hashes blocked at perimeter FW
3 persistence scheduled tasks (T1547.005) deleted across all hosts
47-account credential reset in progress — 31 of 47 complete
Telemetry:
Binaries Removed: 23 / 23 ✓
Registry Keys: 7 Run keys deleted
Sched Tasks: 3 / 3 deleted ✓
Cred Resets: 31 / 47 ⟳
SLA Consumed: 32% of 2h window
Recovery · SLA < 8h · Elapsed: pending
Post-IR · SLA < 24h · Elapsed: pending
Live Action Log · 6 events
14:22:47 · CRIT · EDR: vssadmin.exe delete shadows — T1490 detected
14:22:49 · CRIT · P1 auto-declared — IR on-call paged via PagerDuty
14:22:52 · SIEM · Corr rule TA0040.T1490 fired — confidence 98.7%
14:23:01 · PB · Playbook IR-RANS-001 activated automatically
14:23:14 · NET · Outbound conn: 185.220.101.47:443 (TOR exit node)
14:24:38 · TRIG · Blast radius confirmed: 4 hosts, 1 DC affected
Contractual SLA Targets
Detection: < 5 min
Containment: < 15 min
Eradication: < 2 hrs
Recovery: < 8 hrs
Post-IR: < 24 hrs
Threat Triage Engine

Severity Classification. Zero Guesswork.

Every incident scored across 6 weighted factors — mapped to P1–P4 with contractual SLA targets, pre-approved response playbooks, and defined escalation chains.

P1 · CVSS 9.0 – 10.0 · Critical
Active ransomware / data exfil / system outage affecting revenue operations
< 15 min response

P2 · CVSS 7.0 – 8.9 · High
Confirmed breach or significant threat with potential for rapid escalation
< 1 hr response

P3 · CVSS 4.0 – 6.9 · Medium
Suspicious activity requiring investigation — no confirmed breach
< 4 hr response

P4 · CVSS 0.1 – 3.9 · Low
Policy violations or low-risk anomalies for tracking and documentation
< 24 hr response
Triage Factor Scoring Matrix
Weighted analysis → P2 High tier
22% · Data Sensitivity (TA0010): Does the system process PII, financial, or classified data?
20% · Blast Radius (TA0008): How many systems and users are impacted or at immediate risk?
18% · Business Impact (TA0040): Does this affect revenue operations or regulated business services?
15% · Regulatory Risk (TA0012): Exposure under GDPR, HIPAA, PCI DSS, SOX, or sector regulations?
14% · Threat Actor (TA0043): APT / ransomware group vs. opportunistic script-kiddie?
11% · Attack Complexity (TA0001): Sophistication: 0-day exploit vs. known CVE vs. brute-force attempt?
Factor Weights: Data 22% · Blast 20% · Business 18% · Regulatory 15% · Threat 14% · Attack 11%
[Factor Radar: composite of the six weighted factors (Data, Blast, Business, Regulatory, Threat, Attack)]
Result: P2 · High Priority · Escalation: CISO + Security Manager
Example Incidents:
BEC with wire fraud attempt
Lateral movement detected
Cloud privilege escalation
Credential dumping confirmed
Escalation Path: CISO + Security Manager. Security leadership briefing within 30 minutes of declaration.
SLA Commitments:
Detection: < 5 min
Initial Response: < 1 hr
Containment: < 8 hr
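The scoring matrix above is a weighted sum that is then read against the P1–P4 bands. The block below is an added example, not Spakto's triage engine: the six weights, the CVSS-style tier bands and the response targets are taken from this page; the assumption that each factor is scored 0..10 by the analyst, and the three sample scorings, are mine.

```python
"""Weighted triage scoring: six factor scores -> composite -> P1..P4 tier -> SLA.

Added example; not Spakto's engine. Weights, tier bands and response SLAs
come from the page. ASSUMED: each factor is scored 0..10 by the analyst and
the weighted composite is read against the page's CVSS-style 0..10 bands.
"""
from dataclasses import dataclass
from typing import Dict

# Factor weights from the page's Triage Factor Scoring Matrix (sum to 1.00).
WEIGHTS: Dict[str, float] = {
    "data_sensitivity": 0.22,   # TA0010
    "blast_radius": 0.20,       # TA0008
    "business_impact": 0.18,    # TA0040
    "regulatory_risk": 0.15,    # TA0012
    "threat_actor": 0.14,       # TA0043
    "attack_complexity": 0.11,  # TA0001
}

# Priority bands from the page: (lower bound inclusive, tier, label, response target).
TIERS = [
    (9.0, "P1", "Critical", "< 15 min"),
    (7.0, "P2", "High", "< 1 hr"),
    (4.0, "P3", "Medium", "< 4 hr"),
    (0.1, "P4", "Low", "< 24 hr"),
]


@dataclass(frozen=True)
class Triage:
    score: float
    tier: str
    label: str
    response_sla: str


def composite_score(factors: Dict[str, float]) -> float:
    """Weighted sum of the six factor scores (assumed 0..10 each), rounded to 2 dp."""
    if set(factors) != set(WEIGHTS):
        raise ValueError(f"expected exactly these factors: {sorted(WEIGHTS)}")
    for name, value in factors.items():
        if not 0.0 <= value <= 10.0:
            raise ValueError(f"{name} must be within 0..10, got {value}")
    return round(sum(WEIGHTS[name] * factors[name] for name in WEIGHTS), 2)


def classify(factors: Dict[str, float]) -> Triage:
    """Map the composite onto P1..P4; anything under the P4 floor is still tracked as P4."""
    score = composite_score(factors)
    for lower, tier, label, sla in TIERS:
        if score >= lower:
            return Triage(score, tier, label, sla)
    return Triage(score, "P4", "Low", "< 24 hr")


# Constructed analyst scorings, chosen to mirror the page's tier descriptions.
SAMPLES: Dict[str, Dict[str, float]] = {
    "active ransomware on finance DC": {
        "data_sensitivity": 10, "blast_radius": 10, "business_impact": 10,
        "regulatory_risk": 10, "threat_actor": 10, "attack_complexity": 7,
    },
    "BEC with wire fraud attempt": {
        "data_sensitivity": 9, "blast_radius": 6, "business_impact": 9,
        "regulatory_risk": 8, "threat_actor": 7, "attack_complexity": 4,
    },
    "policy violation, single user": {
        "data_sensitivity": 2, "blast_radius": 1, "business_impact": 1,
        "regulatory_risk": 2, "threat_actor": 1, "attack_complexity": 1,
    },
}


def triage_all() -> Dict[str, Triage]:
    """Classify every constructed sample; used by the demo and the checks below."""
    return {name: classify(factors) for name, factors in SAMPLES.items()}


if __name__ == "__main__":
    for name, t in triage_all().items():
        print(f"{t.tier} {t.label:<8} score={t.score:>5}  respond {t.response_sla}  ({name})")
```

The validation in `composite_score` matters in practice: a missing factor silently lowers the composite and can drop an incident a tier, so refusing an incomplete scoring is safer than defaulting it to zero.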
Incident Response · Preparation · LIVE

IR Readiness Framework

Six-pillar preparation architecture ensuring your organisation is ready to detect, contain, and recover — built on playbooks, command, forensics, exercises, baselines, and compliance.

Preparation Pillars
[Readiness Wheel: pillars PB · CS · FR · TE · TB · RA, composite readiness /100]
Pillar 01 · PB · Response Playbooks · 92 / 100

Pre-built playbooks for ransomware, BEC, supply chain, and insider threats — 23 adversary scenarios with automated trigger conditions and decision trees.

Ransomware (8 variants): LockBit 3.0, BlackCat, Cl0p, ALPHV, Hive, REvil, Conti, WannaCry — each with IOCs, containment, and recovery steps
Cloud compromise (7 paths): AWS IAM takeover, Azure AD breach, GCP OAuth abuse, SaaS SSPM gaps, CASB bypass, shadow IT, API key exfil
BEC & wire fraud (4 types): CEO fraud, vendor impersonation, payroll diversion, gift card attack — with finance hold triggers
Supply chain (4 vectors): Software dependency attack, hardware tamper, MSP compromise, SBOM breach — with vendor isolation SOP
Key Metrics: 23 Total Playbooks · 8 Ransomware Variants · 7 Cloud Scenarios · Last Updated 12d ago
Framework Alignment: MITRE ATT&CK · NIST CSF · Auto-trigger · Version-controlled
Pillar Readiness Score: 92%
Recent Preparation Activity
08:14 · DRILL · Q1 Tabletop · Ransomware scenario completed — 3 findings logged, 2 process improvements actioned
06:31 · AUDIT · EDR coverage audit — 3,847 endpoints confirmed, zero coverage gaps detected across all segments
1d ago · UPDATE · Playbook PB-07 updated — LockBit 3.0 variant IOCs and updated containment steps integrated
2d ago · REVIEW · Command RACI reviewed — 6 roles validated, escalation matrix reviewed and signed off by CISO
3d ago · CHECK · Backup integrity verified — 98% coverage confirmed, all 14 RTOs within defined SLA thresholds

“23 Playbooks · 4 Annual Exercises · 6-Role Command Structure · 100% Regulatory Coverage”

IR Preparation Framework · Composite Readiness 89/100

◉ DETECTION ENGINE · 4 LAYERS ACTIVE · REAL-TIME

Signal. Not noise.

Multi-layer threat detection — Identity · Endpoint · Cloud · Network

SIGINT feed:
◈ T1490: vssadmin shadow delete on FINANCE-PC-07
◈ T1003.001: LSASS memory dump via rundll32.exe
◈ T1528: OAuth consent grant — Data.Exfil scope approved
◈ T1071.004: DNS tunnel to c2-beacon.darknet sinkholed at edge
◈ T1048: 847GB staging detected via SSH to 185.220.101.42
◈ T1557.001: AiTM session hijack — NY identity signal NY->HK 4m
◈ T1114.003: External mail forwarding rule created — Finance inbox
◈ T1055.012: Process hollowing svchost.exe PID 4832
Detection Layers · Coverage Stats
Hosts Monitored: 247
Event Log Sources: 1,842
MITRE Techniques: 127 covered
Detection Fidelity: 99.7%
[Radar widget: mode PASSIVE SCAN · 8 contacts tracked across the Identity, Endpoint, Cloud and Network layers; critical and high contacts marked]
ACTIVE LAYER · IDENTITY

Entra ID / Azure AD Signal Intelligence

TELEMETRY: 847 events/min · ANOMALIES: 3 flagged
MITRE ATT&CK — Detections
T1557.001 · CRIT · AiTM Session Hijacking — NY→HK token theft · 16:42:03
T1528 · HIGH · OAuth Consent Grant: Data.Exfil scope · 16:42:08
T1078.004 · HIGH · Privileged Role Escalation via RunAs · 16:43:11
T1550.001 · MED · Impossible Travel (NY→HK, 4 minutes) · 16:44:29
TOOLS: Microsoft Sentinel · Defender for Identity · Entra ID Logs
ALERT FEED · LIVE · STREAMING
16:44:01 · NW · CRIT: 847GB staged via SSH tunnel -> 185.220.101.42 (exfil in progress)
16:43:55 · EP · HIGH: Process hollowing: svchost.exe PID 4832 injected with holdups.dll
16:43:44 · CL · HIGH: IAM key AKIA4XR off-hours: s3:GetObject 2.3TB in 8 minutes
16:43:20 · NW · HIGH: Lateral RDP: FINANCE-PC-07 -> FILE-SRV-07 session 0x3a1 open
16:43:11 · ID · CRIT: svc_backup -> Domain Admins escalation via RunAs confirmed
SPAKTO-SIEM · STREAM · 10 ALERTS
Signal Strength — 7-Day Rolling Window
Identity Layer · NOMINAL · 847 events/min (D-7 → now)
Endpoint Layer · ALERT · 12,400 events/min (D-7 → now)
Cloud Layer · ANOMALY · 2.1M API calls/day (D-7 → now)
Network Layer · NOMINAL · 98 Gbps monitored (D-7 → now)
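Two of the endpoint-layer signals listed above (shadow-copy deletion, T1490, and an Office process spawning encoded PowerShell, T1059.001) are simple enough to express as detection rules. The block below is an added example, not Spakto's detection engine: it assumes process-creation events normalised into dicts with host, parent, image and cmdline fields, and the sample events are constructed. The wmic shadow-copy variant in the first rule is a well-known sibling of the vssadmin pattern that I added; the page itself only lists vssadmin.

```python
"""Detection rules over constructed process-creation events.

Added example; not Spakto's detection engine. Two behaviours from the page's
alert feed become rules: shadow-copy deletion (T1490) and an Office parent
spawning encoded PowerShell (T1059.001). ASSUMED: events are dicts with
host, parent, image and cmdline fields, as a SIEM normaliser might emit.
"""
import base64
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]


@dataclass(frozen=True)
class Alert:
    host: str
    technique: str
    severity: str
    summary: str


OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Matches -e / -enc / -EncodedCommand followed by a base64 token.
_ENC_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -enc/-EncodedCommand argument (base64 of UTF-16LE) or return None."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_shadow_copy_deletion(ev: Event) -> Optional[Alert]:
    """T1490: vssadmin 'delete shadows' (on the page); wmic 'shadowcopy delete' is a variant I added."""
    image = ev["image"].lower()
    cmd = ev["cmdline"].lower()
    if image.endswith("vssadmin.exe") and "delete" in cmd and "shadows" in cmd:
        return Alert(ev["host"], "T1490", "CRIT", "vssadmin shadow copy deletion")
    if image.endswith("wmic.exe") and "shadowcopy" in cmd and "delete" in cmd:
        return Alert(ev["host"], "T1490", "CRIT", "wmic shadow copy deletion")
    return None


def rule_office_spawns_powershell(ev: Event) -> Optional[Alert]:
    """T1059.001: Office parent -> powershell.exe; a decodable -enc payload raises severity."""
    parent = ev["parent"].lower()
    if not (ev["image"].lower().endswith("powershell.exe") and parent in OFFICE_PARENTS):
        return None
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded is None:
        return Alert(ev["host"], "T1059.001", "HIGH", f"{parent} spawned powershell.exe")
    return Alert(ev["host"], "T1059.001", "CRIT",
                 f"{parent} spawned encoded PowerShell; decoded: {decoded[:60]!r}")


RULES: List[Callable[[Event], Optional[Alert]]] = [
    rule_shadow_copy_deletion,
    rule_office_spawns_powershell,
]


def detect(events: List[Event]) -> List[Alert]:
    """Run every rule over every event; one alert per (event, matching rule) pair."""
    alerts: List[Alert] = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry. The encoded command is a harmless string
# encoded the way PowerShell expects (base64 over UTF-16LE).
_DEMO_ENC = base64.b64encode("Write-Output staged".encode("utf-16-le")).decode("ascii")
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Event] = [
    {"host": "FINANCE-PC-07", "parent": "EXCEL.EXE", "image": _PS,
     "cmdline": f"powershell.exe -enc {_DEMO_ENC}"},
    {"host": "FINANCE-PC-07", "parent": "cmd.exe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "HR-PC-02", "parent": "explorer.exe", "image": _PS,
     "cmdline": "powershell.exe -File nightly-backup.ps1"},
    {"host": "FILE-SRV-07", "parent": "services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.severity:<4} {a.technique:<10} {a.host:<14} {a.summary}")
```

Decoding the encoded argument before alerting is what separates a triage-ready alert from a bare "encoded PowerShell seen" signal: the analyst can see at once whether the payload is a benign admin script or something that warrants the page's P1 chain. The explorer-launched backup script in the sample produces no alert, which is the false-positive case the parent-process condition is there to handle.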
CONTAINMENT PROTOCOL

Isolate. Neutralize. Preserve.

Multi-vector containment operating simultaneously across endpoint, identity, and network planes — stopping lateral movement while protecting evidence integrity for forensic prosecution.

CONTAINMENT VECTORS
[Blast radius: 5 × 4 endpoint grid; legend: Compromised · At-Risk · Isolated · Clean]
EP · CRITICAL

EDR-Driven Host Quarantine

Surgical host quarantine via CrowdStrike contain-host API — null-route at L2 switch level while preserving analyst shell access on each affected endpoint for live forensic acquisition.

4 / 247 hosts quarantined · LIVE
VECTOR METRICS
Hosts Quarantined: 4
False Positives: 0
Avg Isolation Time: 2m 14s
Analyst Shells: 4 live
CrowdStrike EDR · L2 null-route · Shell preserved · Zero disruption
CONTAINMENT TIMELINE
1 · Identify: Map all affected hosts, accounts, and data stores
2 · Restrict: Suspend credentials, revoke tokens, quarantine hosts
3 · Preserve: Capture memory, logs, and netflow before remediation
4 · Stabilize: Restore business continuity on verified-clean assets
Containment Matrix · Live

Containment Actions. Executed in Seconds.

12 cross-domain containment actions — endpoint isolation, identity revocation, network segmentation, cloud ACLs, email purge — auto-executed on threat detection in under 60 seconds.

ACTION · DOMAIN · LATENCY · IMPACT · MODE
Quarantine Host · Endpoint · < 8s · HIGH · AUTO
Kill Malicious Process · Endpoint · < 3s · MEDIUM · AUTO
Revoke User Session · Identity · < 5s · HIGH · AUTO
Reset Credentials · Identity · < 12s · HIGH · MANUAL
Block C2 IP · Network · < 6s · MEDIUM · AUTO
Isolate Network Segment · Network · < 15s · CRITICAL · AUTO
Revoke Cloud IAM Role · Cloud · < 10s · HIGH · AUTO
Disable Cloud API Key · Cloud · < 4s · HIGH · AUTO
Purge Malicious Emails · Email · < 20s · MEDIUM · AUTO
Block Sender Domain · Email · < 5s · LOW · AUTO
Remove OAuth App · Identity · < 8s · HIGH · MANUAL
Collect Memory Dump · Endpoint · < 45s · LOW · MANUAL

Domain Coverage: Endpoint 3 · Identity 3 · Network 2 · Cloud 2 · Email 2 · 9 AUTO actions · 3 MANUAL actions pending
Impact Legend: CRITICAL · HIGH · MEDIUM · LOW
Eradication Engine · LIVE

Remove Persistence. Eliminate Root Cause.

4-phase eradication protocol — malware purge, persistence teardown, CVE patching, and domain-wide credential rotation — executed sequentially with full forensic evidence preservation.

Phases: 0/4 · Artifacts: 125 · Hosts: 4/4 · Reinfections: 0
Eradication Phases (overall progress): Malware Removal · Persistence Cleanup · Vulnerability Remediation · Credential Reset
Active Toolset: CrowdStrike RTR · Defender ATP · KAPE · Volatility 3.2
Phase 01 / 04 · MR

Malware Removal

Terminate and remove all malicious executables, hollowed DLLs, memory-resident shellcode, and LOLBIN abuse across 4 compromised endpoints via live RTR sessions.

[Phase 01 metrics panel: Infected Hosts (endpoints) · Artifacts Removed (files) · Memory Injections (neutralised) · Detection Rate (%)]
Eradication Terminal — Phase 01 · 0/14 · connecting to eradication engine
Host Remediation Matrix (phase columns MR · PC · VR · CR per host)
FINANCE-PC-07 · 10.1.2.31
FINANCE-SRV-01 · 10.1.2.44
FIN-SRV-04 · 10.1.3.12
CORP-DC-01 · 10.0.0.5
Threat Telemetry
Malware families: 3
IOCs extracted: 47
Registry artifacts: 11
Network IOCs: 8
MITRE techniques: 6
Forensic artifacts: 124
Eradication Status: 0% · Phase 1/4 in progress
Compliance Coverage: NIST SP 800-83 · ISO 27035 · SANS PICERL · CIS Controls v8 · MITRE D3FEND
Spakto IR Platform · Eradication Engine v3.2 · Phase 01/04 — MALWARE REMOVAL
0 REINFECTIONS DETECTED
RECOVERY OPERATIONS

Rebuild Trust. Restore Integrity.

Four-phase recovery architecture — system restoration, integrity validation, security hardening, and enhanced post-incident monitoring — executed with full forensic continuity.

RECOVERY STAGES · RECOVERY HEALTH
[Stage strip: SR · VV · SH · OM; SR active, 0% complete]

Restore from Verified Clean Backup (T-72h)

Rollback to known-good state prior to compromise — SHA-256 integrity verification before each restore, applied from T-72h immutable snapshot across 3 affected hosts.

3 systems restored · 0 reinfections detected · STAGE 01 / 04
STAGE METRICS
Systems Restored: 3
Data Recovered: 847 GB
Reinfections: 0
Backup Integrity: 100%
SHA-256 verified · T-72h snapshot · Immutable backup · 3-2-1 strategy
P1 CRITICAL
◈ INC-2024-001847 · ALPHV/BlackCat Rust v3 · STATUS: CONTAINED
◈ SHA256: 3d2a9f8e1c7b4a0d5e6f2c8b9a1d3e4f · C2: 185.220.101.42:443
◈ 14,847 files encrypted · 2.3 GB exfiltrated · 4 hosts quarantined
◈ Ransom demand: $4.2M USD (BTC/XMR) · Decision: RESTORE from backup
◈ Root cause: CVE-2024-3400 VMware ESXi 0-day · Unpatched 94 days
◈ Recovery: T+11h39m · RPO <72h ✓ · RTO <12h ✓ · 97.3% data recovered
Ransomware IR Playbook

Ransomware Response. Step-by-Step. Time-Bound.

Purpose-built ransomware response playbook covering detection through post-incident regulatory reporting — 6 phases, 30 concrete steps with automated execution where possible and SLA targets at each gate.

Live counters:
Files Encrypted · across 3 hosts in VLAN-14
Hosts Quarantined (of 47) · FINANCE-PC-07 · SRV-07 · BDC-01 · PRINT-01
Data Exfiltrated (GB) · finance/Q3_earnings · HR/payroll
Data Recoverable (%) · T-72h backup · SHA-256 verified
INCIDENT TIMELINE
T+0 → T+72h · INC-2024-001847 · FINANCE-WS-04 → FINANCE-SRV-07
CVE-2024-3400 · ALPHV Rust v3 · GDPR Art.33
01 · Immediate Triage · 0–15 min · AUTO · T1486, T1490
02 · Network Containment · 15–30 min · AUTO · T1562.001, T1021
03 · Blast Radius · 30–60 min · MANUAL · T1074.001, T1567.002
04 · Eradication · 1–4 hrs · MANUAL · T1059.001, T1547.001
05 · Restoration · 4–12 hrs · MANUAL · RPO <72h, RTO <12h
06 · Post-Incident · 24–72 hrs · MANUAL · GDPR Art.33, ICO 72h
PHASE 01 · 0–15 min · SLA <15 min
Immediate Triage · T1486, T1490 · AUTOMATED

AI-SOC behavioral detection triggers P1 escalation chain — CISO, Legal, C-suite

◉ THREAT INTELLIGENCE
Strain: ALPHV/BlackCat
Variant: Rust v3 (intermittent enc.)
IOC Hash: 3d2a9f8e…b9c0d
C2 Infra: 185.220.101.42:443
Ransom: $4.2M (BTC/XMR)
Dark Web: blackcat-blog.onion · 72h
Decryptor: ✗ Not available
Techniques: T1486 · T1490 · T1059.001 · T1047 · T1562
RESPONSE SLA METRICS
Detection→Contain: 22 min (target < 30 min)
Eradication: 3h51m (target < 4 hrs)
Full Recovery: 11h39m (target < 12 hrs)
Data Recoverable: 97.3% confirmed
Post-IR Report: pending (target < 24 hrs)
PAY vs RESTORE DECISION
Backup (T-72h): ✓ Verified — 512 GB
Decryptor: ✗ Not available
Exfil confirmed: ✓ 2.3 GB (finance/HR)
Ransom demanded: $4.2M USD
Recommendation: ★ RESTORE from backup
DIGITAL FORENSICS LAB

Evidence Chain. Timeline Reconstruction.

Full forensic evidence collection with SHA-256 chain of custody, memory analysis, disk imaging, network capture, and YARA-based malware hunting — producing court-admissible artifacts within the first 2 hours of engagement.

ATTACK TIMELINE RECONSTRUCTION
FORENSIC EVIDENCE · T+0 → T+25m46s · FINANCE-WS-04 → FINANCE-SRV-07
SHA-256 verified · Write-blocker · ACPO/NIST 800-86
01 · 14:21:47 UTC · T+0 · T1566.001 · Initial Access · Spearphishing Attachment · 14 artifacts found · 3 IOCs identified · 4 log sources · Tools: Volatility 3, Autopsy 4, +2
02 · 14:31:12 UTC · T+9m25s · T1548.002 · Privilege Escalation · Abuse Elevation Control: UAC Bypass · 9 artifacts found · 4 IOCs identified · 3 log sources · Tools: Event Log Explorer, Volatility 3, +2
03 · 14:38:55 UTC · T+17m08s · T1021.002 · Lateral Movement · Remote Services: SMB / Windows Admin Shares · 12 artifacts found · 6 IOCs identified · 5 log sources · Tools: Wireshark, Autopsy 4, +2
04 · 14:47:33 UTC · T+25m46s · T1074.001 · Data Staging · Data Staged: Local Data Staging · 18 artifacts found · 5 IOCs identified · 6 log sources · Tools: Autopsy 4, FTK Imager, +2
EVIDENCE ARTIFACTS
COMPLIANCE FRAMEWORK: ACPO/NIST 800-86 · SHA-256 verified · Write-blocker · Full chain of custody · Legal-hold ready · ISO 27037
T1566.001 · Initial Access · 14:21:47 UTC · T+0

Spearphishing Attachment

Weaponised Excel (.xlsm) with auto-exec macro delivered to finance@target.com — macro dropped encoded PowerShell Stage-1 loader to %TEMP%, spawning a child process chain within 4 seconds of file open.

EVENT

EXCEL.EXE (PID 4821) spawned powershell.exe (PID 5912) with -enc flag — base64 payload decoded to in-memory stager, no disk write after initial drop.

EVIDENCE SOURCES

Prefetch: EXCEL.EXE-A8F14E12.pf · MRU: HKCU\...\RecentDocs\xlsm entry · Email header chain preserved · MFT entry timestamped 14:21:43 UTC

VECTOR / COMMAND
$FINANCE-WS-04\Users\jsmith\AppData\Local\Temp\tmp8AF2.ps1
FORENSIC TOOLS: Volatility 3 · Autopsy 4 · MailXaminer · KAPE
ARTIFACT CHAIN: 14 Artifacts Found · 3 IOCs Identified · 4 Log Sources · 98% Confidence
EVIDENCE INTEGRITY: ACPO/NIST 800-86 compliant · SHA-256 verified at acquisition · Write-blocker acquisition · Full chain of custody · Legal-hold preserved · ISO/IEC 27037:2012
Digital Forensics Lab

Live Lab Analysis. Artifact Intelligence.

Evidence Artifacts
Memory Dump · analyzed · FINANCE-PC-07 · Tool: Volatility3
Disk Image · in-progress · FINANCE-SRV-07 · Tool: Autopsy 4.21
Network PCAP · analyzed · FW-VLAN-14 · Tool: Wireshark/Zeek
Event Log · analyzed · DC-01.corp.int · Tool: KAPE + EZ-Tools
YARA Scan · complete · All Hosts × 47 · Tool: YARA 4.3.1

Memory Dump · FINANCE-PC-07 · 16.3 GB
Tool: Volatility3
Size: 16.3 GB
CHAIN OF CUSTODY · SHA-256: sha256:d41d8cd9…
Key Findings:
Injected shellcode in svchost.exe PID 4832
Credential material in LSASS (4 hashes)
Cobalt Strike beacon DLL: 0x7ffe0000
Attack Timeline Reconstruction — Forensic Evidence
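The lab sections above state two integrity controls: every artifact is SHA-256 hashed at acquisition with a full chain of custody, and backups are SHA-256 checked before a restore. The block below is an added example, not Spakto's lab tooling, showing one way to implement both: the artifact hash is taken once at acquisition, each custody entry records it, and entries are hash-linked so that a retroactive edit to the log is detectable. Linking entries by hash is my design choice, and the image bytes, analyst names and timestamps are constructed.

```python
"""Evidence integrity: SHA-256 at acquisition plus a hash-linked custody log.

Added example; not Spakto's lab tooling. The page states that artifacts are
SHA-256 verified at acquisition with a full chain of custody, and that
backups are hash-checked before restore. ASSUMED: hash-linking each custody
entry to its predecessor is my design choice; artifact bytes, analyst names
and timestamps are constructed.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    action: str            # acquired / transferred / analysed / restored
    actor: str
    timestamp: str         # ISO-8601, constructed
    artifact_sha256: str   # hash of the evidence this entry refers to
    prev_entry_hash: str   # hash of the preceding entry (genesis: 64 zeros)
    entry_hash: str = ""   # SHA-256 over the other fields, set on append

    def compute_hash(self) -> str:
        fields = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(fields, sort_keys=True).encode("utf-8"))


class CustodyLog:
    GENESIS = "0" * 64

    def __init__(self, artifact: bytes, actor: str, timestamp: str):
        self.artifact_sha256 = sha256_hex(artifact)   # taken once, at acquisition
        self.entries: List[CustodyEntry] = []
        self.append("acquired", actor, timestamp)

    def append(self, action: str, actor: str, timestamp: str) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = CustodyEntry(action, actor, timestamp, self.artifact_sha256, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self, artifact: bytes) -> List[str]:
        """Return every integrity problem found; an empty list means intact.

        The same check gates a restore: the snapshot bytes must hash to the
        value recorded at acquisition before they are put back into service.
        """
        problems: List[str] = []
        if sha256_hex(artifact) != self.artifact_sha256:
            problems.append("artifact hash mismatch: evidence altered since acquisition")
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_entry_hash != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if e.entry_hash != e.compute_hash():
                problems.append(f"entry {i}: entry contents altered")
            if e.artifact_sha256 != self.artifact_sha256:
                problems.append(f"entry {i}: refers to a different artifact hash")
            prev = e.entry_hash
        return problems


# Constructed stand-in for an acquired memory image.
MEMORY_IMAGE = b"constructed memory image bytes for FINANCE-PC-07 " * 64


def build_demo_log() -> CustodyLog:
    log = CustodyLog(MEMORY_IMAGE, "analyst-A", "2026-03-18T14:40:00Z")
    log.append("transferred", "evidence-locker", "2026-03-18T15:05:00Z")
    log.append("analysed", "analyst-B", "2026-03-18T16:30:00Z")
    return log


def demo() -> Dict[str, List[str]]:
    """Intact log, altered evidence, and a retroactively edited entry, side by side."""
    log = build_demo_log()
    intact = log.verify(MEMORY_IMAGE)
    altered_evidence = log.verify(MEMORY_IMAGE + b"\x00")
    edited = build_demo_log()
    edited.entries[1].actor = "someone-else"   # edit without re-hashing the entry
    edited_entry = edited.verify(MEMORY_IMAGE)
    return {"intact": intact, "altered_evidence": altered_evidence, "edited_entry": edited_entry}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

An edited entry whose hash is also recomputed would pass its own check but break the link stored in the next entry, which is why `verify` reports both link and content mismatches separately; in practice the log would also be written to append-only or signed storage so the whole chain cannot be regenerated.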
Intelligence Reporting

Board-Ready. Regulator-Aligned.

REPORT ID: IR-2026-0419
Generated: 2026-03-18T09:45:00Z · SHA-256: a3f8d2e9b1c7...
Classification: CONFIDENTIAL · Authorized recipients only
Report Sections · Report Stats
Total Pages: 47
Evidence Items: 124
IOCs Documented: 47
Digital Sigs: 3
Frameworks: NIST SP 800-61r3 · ISO 27035 · CREST CSIR · SANS PICERL
CONFIDENTIAL — BOARD RESTRICTED
Audience: CISO · Board · Legal · CEO
§ 01 / 04

Executive Summary

Key Impact: $0 ransom paid · 100% data recovery · 4h 12m containment
[Live metrics panel: Key Findings · Narrative Detail · MTTR (hours) · IOCs Blocked (indicators) · Systems Scoped (endpoints) · Artifacts (items) · Compliance Score]
Business Impact: MINIMAL ($0 ransom · full recovery)
Evidence Integrity: 100% (chain of custody verified)
Notification Status: COMPLIANT (GDPR & PCI DSS filed)
Recovery SLA: MET (4.2 hours total response)
Report Integrity
SHA-256: a3f8d2e9b1c7f4...
Signed: CIRT Lead Analyst
Verified: 2026-03-18T22:47Z
Version: v2.1.0-FINAL
© Spakto IR Platform · IR-2026-0419 · CLASSIFICATION: CONFIDENTIAL · For authorized recipients only
GDPR Art.33 · PCI DSS v4.0 · ISO 27001:2022 · NIST 800-61r3 · CREST CSIR · NIS2
