Cheat Sheet
Analyst reminders for static malware triage, IOC review, and detection engineering.
First Pass Triage
Start with file type (from magic bytes, not the extension), hashes, strings, entropy, imports, sections, suspicious APIs, and obvious IOCs.
Record what is directly observed before assigning confidence or making a malware-family claim.
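The first pass as a script, added here as an example and not code from the original page: it records type from magic bytes, hashes, whole-file and per-section entropy, printable strings, a watchlist of API names, and URL/IP candidates, and emits observations only, with no verdict. The watchlist, the section reader and the sample PE-shaped blob are all constructed for the example; the reader walks the section table by hand and is an illustration, not a substitute for a full PE parser.

```python
import hashlib
import math
import re
import struct

# Constructed watchlist; the names are illustrative, not a vetted list.
SUSPICIOUS_APIS = {
    "VirtualAlloc", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "URLDownloadToFileA", "WinExec", "ShellExecuteA", "IsDebuggerPresent",
}
IOC_RE = re.compile(rb"https?://[^\s\x00\"'<>]+|\b(?:\d{1,3}\.){3}\d{1,3}\b")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; packed or encrypted regions sit near the top."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_type(data: bytes) -> str:
    """Identify by magic bytes; never trust the extension."""
    if data[:2] == b"MZ":
        return "PE (MZ header)"
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:4] == b"%PDF":
        return "PDF"
    if data[:2] == b"PK":
        return "ZIP container (OOXML/JAR/APK)"
    return "unknown"


def pe_sections(data: bytes) -> list:
    """Walk the PE section table and measure raw-data entropy per section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    off = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER
    sections = []
    for _ in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
        })
        off += 40
    return sections


def triage(data: bytes) -> dict:
    """Observations only: no verdict, no family name."""
    strings = [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{6,}", data)]
    return {
        "size": len(data),
        "type": file_type(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": round(shannon_entropy(data), 2),
        "sections": pe_sections(data),
        "suspicious_apis": sorted(SUSPICIOUS_APIS.intersection(strings)),
        "ioc_candidates": sorted(m.decode("ascii") for m in IOC_RE.findall(data)),
        "string_count": len(strings),
    }


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE-shaped blob so the script runs offline."""
    opt_size = 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    text = (b"kernel32.dll\0VirtualAlloc\0WriteProcessMemory\0CreateRemoteThread\0"
            b"http://cdn-update.example/update.bin\0").ljust(256, b"\0")
    packed = bytes(range(256))              # every byte value once: entropy 8.0

    def section(name, vaddr, size, raw_ptr):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, raw_ptr, 0, 0, 0, 0, 0x60000020)

    headers = (dos + coff + b"\0" * opt_size
               + section(b".text", 0x1000, 256, 512) + section(b"UPX1", 0x2000, 256, 768))
    return headers.ljust(512, b"\0") + text + packed


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

A section reporting entropy near 8.0 next to a section full of readable strings is a packing or embedded-payload observation, not a verdict; write it down as observed and let the import table, the unpacked sample or approved dynamic analysis decide what it means.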
IOC Handling
Separate public IPs, domains, URLs, hashes, file paths, registry paths, and email indicators by actionability.
Use manual pivots for reputation checks, prefer hash lookups over uploads, and do not submit sensitive artifacts to third-party services unless authorized.
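The separation step as code, added as an example and not code from the original page: indicators are extracted from triage strings, typed, and sorted into three buckets (pivot: routable or lookup-able and worth a reputation check; context: host-local artifact or non-global address to hunt for but not to blocklist; noise: matches an allowlist), then defanged for the report. The allowlist, the file-extension filter, the sample strings and the use of 8.8.8.8 purely to exercise the is_global branch are all constructed assumptions; the .example names are reserved and resolve nowhere.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Patterns run in priority order and each match is blanked out afterwards, so a
# URL is not also reported as a domain and an IP.
PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "registry": re.compile(r"\b(?:HKLM|HKCU|HKEY_[A-Z_]+)\\[^\s\"']+", re.I),
    "winpath": re.compile(r"\b[A-Za-z]:\\[^\s\"']+"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}
# Constructed stand-ins for an organisation's allowlist and for the file
# extensions that make "kernel32.dll" look like a domain.
BENIGN_DOMAINS = {"microsoft.com", "windowsupdate.com"}
FILE_EXTENSIONS = {"exe", "dll", "sys", "bin", "dat", "tmp", "log"}


def ip_bucket(ip_str: str):
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None                         # "999.1.1.1" and similar junk
    # RFC 1918, loopback, link-local, multicast and documentation ranges are
    # all non-global: hunt on hosts, never push them to a network blocklist.
    return "pivot" if ip.is_global else "context"


def domain_bucket(host: str):
    host = host.lower().rstrip(".")
    if host.rsplit(".", 1)[-1] in FILE_EXTENSIONS:
        return None                         # a filename, not a domain
    if any(host == d or host.endswith("." + d) for d in BENIGN_DOMAINS):
        return "noise"
    return "pivot"


def bucket_for(kind: str, value: str):
    if kind == "url":
        host = urlsplit(value).hostname or ""
        return ip_bucket(host) if re.fullmatch(r"[\d.]+", host) else domain_bucket(host)
    if kind == "ipv4":
        return ip_bucket(value)
    if kind == "domain":
        return domain_bucket(value)
    if kind in ("registry", "winpath"):
        return "context"
    return "pivot"                          # hashes and e-mail addresses


def defang(kind: str, value: str) -> str:
    """Make the indicator safe to paste into a report without becoming a link."""
    if kind in ("url", "ipv4", "domain", "email"):
        return re.sub(r"^http", "hxxp", value, flags=re.I).replace(".", "[.]")
    return value


def review_iocs(texts) -> list:
    found = []
    for text in texts:
        remaining = text
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(remaining):
                bucket = bucket_for(kind, m.group(0))
                if bucket:
                    found.append({"type": kind, "value": m.group(0),
                                  "defanged": defang(kind, m.group(0)), "bucket": bucket})
            remaining = pat.sub(lambda m: " " * len(m.group(0)), remaining)
    return found


# Constructed sample strings (the hashes are those of the empty input).
SAMPLE_STRINGS = [
    "http://cdn-update.example/update.bin",
    "https://update.microsoft.com/check",
    r"C:\Users\Public\svchost.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "10.0.0.5", "127.0.0.1", "8.8.8.8", "999.1.1.1",
    "admin@evil-mail.example", "c2-beacon.example", "kernel32.dll",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "d41d8cd98f00b204e9800998ecf8427e",
]

if __name__ == "__main__":
    for ioc in review_iocs(SAMPLE_STRINGS):
        print(f"{ioc['bucket']:8} {ioc['type']:9} {ioc['defanged']}")
```

Only the pivot bucket goes to reputation lookups, and those lookups are by hash, domain or address, never by uploading the artifact itself; the context bucket feeds endpoint hunting queries, where a private address or a user-writable path is useful but would be meaningless on a perimeter blocklist.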
Detection Review
Treat generated YARA, Sigma, Splunk, Defender KQL, Elastic, and blocklist output as drafts.
Tune detections against known-good data and validate behavior with approved dynamic analysis when needed.
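Tuning a draft against known-good data, shown as an added example that is neither code from the original page nor from the Sigma project: a minimal evaluator for Sigma-style detection maps (field|modifier keys, "selection and not filter" conditions) scores a draft encoded-PowerShell rule against labelled events, then scores the tuned version with an exclusion for a legitimate launcher. The events, the ExampleBackup agent path and the base64 payload are constructed; only the subset of Sigma used here is implemented.

```python
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Hypothetical backup agent that legitimately launches encoded PowerShell.
BACKUP_AGENT = r"C:\Program Files\ExampleBackup\agent.exe"

# Constructed Sysmon-style process-creation events. "label" is what the
# analyst already knows about the event; the rule logic never reads it.
EVENTS = [
    {"label": "good", "Image": POWERSHELL, "ParentImage": BACKUP_AGENT,
     "CommandLine": "powershell.exe -NoProfile -enc UwB0AGEAcgB0AA=="},
    {"label": "good", "Image": POWERSHELL, "ParentImage": BACKUP_AGENT,
     "CommandLine": "powershell.exe -NoProfile -enc UwB0AGEAcgB0AA=="},
    {"label": "good", "Image": POWERSHELL, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Process"},
    {"label": "bad", "Image": POWERSHELL,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -w hidden -nop -enc UwB0AGEAcgB0AA=="},
    {"label": "bad", "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "PowerShell -EncodedCommand UwB0AGEAcgB0AA=="},
]

SELECTION = {
    "Image|endswith": r"\powershell.exe",
    # Matching is case-insensitive, so "-enc" also covers "-EncodedCommand".
    # PowerShell's shorter abbreviations (-e, -ec) are deliberately not handled.
    "CommandLine|contains": "-enc",
}
DRAFT_RULE = {"selection": SELECTION, "condition": "selection"}
TUNED_RULE = {
    "selection": SELECTION,
    "filter_backup_agent": {"ParentImage": BACKUP_AGENT},
    "condition": "selection and not filter_backup_agent",
}


def match_value(actual, expected, modifier: str) -> bool:
    a, e = str(actual).lower(), str(expected).lower()  # Sigma matching is case-insensitive
    if modifier == "":
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def match_map(event: dict, detection: dict) -> bool:
    """Every field in a map must match (AND); a list of values is OR."""
    for key, expected in detection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(match_value(event.get(field, ""), v, modifier) for v in values):
            return False
    return True


def rule_matches(rule: dict, event: dict) -> bool:
    """Conditions of the form 'X' or 'X and not Y and not Z' only."""
    base, *exclusions = rule["condition"].split(" and not ")
    if not match_map(event, rule[base]):
        return False
    return not any(match_map(event, rule[name]) for name in exclusions)


def evaluate(rule: dict, events: list) -> dict:
    """Score a rule against labelled events; fp is what tuning must drive down."""
    score = {"tp": 0, "fp": 0, "fn": 0, "fp_commands": []}
    for ev in events:
        hit = rule_matches(rule, ev)
        if hit and ev["label"] == "bad":
            score["tp"] += 1
        elif hit:
            score["fp"] += 1
            score["fp_commands"].append(ev["CommandLine"])
        elif ev["label"] == "bad":
            score["fn"] += 1
    return score


if __name__ == "__main__":
    print("draft:", evaluate(DRAFT_RULE, EVENTS))
    print("tuned:", evaluate(TUNED_RULE, EVENTS))
```

Re-run both the known-good and known-bad sets after every change: an exclusion on ParentImage removes the backup agent's noise here, but it also hides anything an attacker manages to spawn from that same parent, so keep filters as narrow as the data allows and check that tp and fn did not move when fp went down. Decoding and executing the encoded command to see what it does belongs in approved dynamic analysis, not on the analyst workstation.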