SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify MDI alert | Microsoft Defender for Identity | Confirmed malicious GPO modification |
| 2. Immediate Action | Remove logon script from GPO | Group Policy Management Console | Script removed; GPO reverted |
| 3. Script Analysis | Analyze healthcheck.vbs | Sandbox, Manual Review | VBS downloads and runs PowerShell from malicious URL |
| 4. User Investigation | Check kjohnson account activity | Azure AD, CrowdStrike | kjohnson's credentials compromised; account used from unusual IP |
| 5. Account Remediation | Reset kjohnson password | Azure AD, AD | Password reset; MFA enforced |
| 6. Affected Users | Identify users who logged on during window | AD Logs, VPN Logs | 347 users logged on and executed script |
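The following Python script is an added example of the log triage behind steps 4 and 6; it is not part of the original write-up and was not used in the investigation it describes. It assumes logon records have already been exported as (timestamp, account, source IP) tuples (from domain-controller logon events and VPN logs, for instance); the sample records, the GPO modification window and the corporate address ranges are all constructed for illustration. Because a GPO logon script runs at every interactive logon while it is attached, every account that logged on between the script's addition and its removal is in scope for host triage, and a logon for the compromised account from outside known networks is the "unusual IP" finding from step 4.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample logon records (not from the investigation):
# (ISO timestamp, account, source IP). In practice these come from
# Security event 4624 on domain controllers and from VPN logs.
SAMPLE_LOGONS = [
    ("2024-01-15T07:55:00", "mlee",     "10.20.1.15"),
    ("2024-01-15T08:02:00", "kjohnson", "203.0.113.45"),
    ("2024-01-15T08:10:00", "asmith",   "10.20.1.22"),
    ("2024-01-15T08:45:00", "mlee",     "10.20.1.15"),
    ("2024-01-15T09:15:00", "rpatel",   "10.30.4.8"),
    ("2024-01-15T09:40:00", "tnguyen",  "10.20.1.30"),
]

# Hypothetical window: when the logon script was attached to the GPO
# (step 1 finding) and when it was removed (step 2).
WINDOW_START = datetime.fromisoformat("2024-01-15T08:00:00")
WINDOW_END = datetime.fromisoformat("2024-01-15T09:30:00")

# Hypothetical corporate address ranges; any logon from outside them
# is treated as coming from an unusual source.
KNOWN_NETWORKS = [ip_network("10.0.0.0/8")]


def users_logged_on_in_window(records, start, end):
    """Return the sorted, de-duplicated accounts with a logon in [start, end].

    Each of these logons would have executed the GPO logon script, so the
    result is the host-triage scope for step 6 of the table.
    """
    affected = set()
    for ts, account, _ip in records:
        if start <= datetime.fromisoformat(ts) <= end:
            affected.add(account)
    return sorted(affected)


def logons_from_unknown_sources(records, account, known_networks):
    """Return (timestamp, ip) pairs where `account` logged on from outside
    the known networks, i.e. the step 4 check for an unusual source IP."""
    hits = []
    for ts, acct, ip in records:
        if acct != account:
            continue
        addr = ip_address(ip)
        if not any(addr in net for net in known_networks):
            hits.append((ts, ip))
    return hits


if __name__ == "__main__":
    print("Accounts to triage:",
          users_logged_on_in_window(SAMPLE_LOGONS, WINDOW_START, WINDOW_END))
    print("kjohnson logons from unknown sources:",
          logons_from_unknown_sources(SAMPLE_LOGONS, "kjohnson", KNOWN_NETWORKS))
```

The window comparison is inclusive on both ends on purpose: a logon stamped exactly at the removal time may still have pulled the old policy, so it is cheaper to over-scope triage by a few accounts than to miss one.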
