Incident Response Playbooks
Welcome to the Operational Playbooks section of the Hermes Codex.
This repository contains battle-tested procedures for responding to various cyber incidents. Each playbook is designed to be actionable, providing specific steps from identification to recovery, complete with hunting queries and forensic artifact locations.
⚡ Triage & Proactive Hunting
Methodologies for rapid alert qualification and proactive threat discovery.
EDR Alert Triage: 15-minute methodology for analyzing process lineage and alert criticality.
Threat Hunting for Persistence: Proactive SIEM/EDR hunting for Run Keys, Services, and WMI subscriptions.
🛡️ Threat-Specific Response
Step-by-step investigation and containment procedures for critical incident types.
Ransomware Investigation: Containment, patient zero identification, and extortion tracking.
Insider Threat Exfiltration: Tracking unauthorized data movement, staging, and USB/Cloud egress.
Suspicious Email Analysis: Header analysis, SPF/DKIM/DMARC verification, and payload triage.
Business Email Compromise (BEC): Differentiating domain spoofing from true Email Account Compromise (EAC).
🏛️ Active Directory Security
Comprehensive guides to detecting and mitigating the most critical AD attack vectors.
Credential & Password Attacks: Analyzing Password Spraying, AS-REP Roasting, and Kerberoasting.
Lateral Movement: Detecting Pass-the-Hash and Pass-the-Ticket techniques.
Persistence & Domination: Technical breakdown of Golden Ticket, Silver Ticket, and DCSync.