Based on the exhibit, what is the best immediate action for the SOC or IR team?
A finance workstation shows evidence of a macro-launched script, followed by file renaming and lateral SMB traffic to two other hosts. The team has not yet determined the full scope of the incident.
Exhibit
Host: finance-lap07
10:22:11 winword.exe spawned powershell.exe -enc <redacted>
10:22:14 powershell.exe created C:\Users\ana\AppData\Roaming\rclone.exe
10:24:02 file rename activity: 184 files changed to *.locked
10:24:09 outbound SMB connections to 10.20.4.18 and 10.20.4.19
10:25:01 EDR status: endpoint still connected to corporate VPN
User report: 'My shared files stopped opening and the folder names changed.'
- A
Isolate the host from the network and revoke its remote access to stop further spread.
Why correct: The workstation shows active compromise with file encryption behavior and outbound lateral movement. Immediate containment should stop additional SMB propagation and protect neighboring systems before deeper analysis begins.
- B
Restore the workstation from backup immediately before preserving any evidence.
Why wrong: Immediate restoration could destroy forensic evidence and does not stop the attacker from continuing lateral movement elsewhere.
- C
Run a vulnerability scan against the subnet to see whether the malware exploited an unpatched service.
Why wrong: That may help later in root cause analysis, but it is not the priority while the compromise is still active.
- D
Notify users to ignore the issue until the next maintenance window because the incident is likely self-limiting.
Why wrong: The logs show ongoing malicious activity, so waiting would increase business impact and spread risk significantly.