Response playbook
Immediate: Enable Block Mode for command injection on the affected application
Immediate: Use EDR to kill the malicious process tree if still active
Review EDR process tree: what commands were executed? Any persistence mechanisms?
Check for lateral movement: did the attacker pivot to other hosts?
Block outbound connections to the attacker’s infrastructure (C2 IPs/domains) at the firewall
Preserve evidence: ADR logs (injection vector) + EDR logs (process tree, file drops)
Escalate to AppSec: provide the exact function (subprocess.run() in app.py:test_connection()) and payload
Threat hunt: search ADR + EDR for the same payload or indicators across all applications and hosts