What This Guide Is For
This guide teaches a defensive way to use Codex CLI during a ransomware incident. The goal is not to break encryption by force. The goal is to investigate with method: find the infection focus, identify malicious artifacts, preserve samples, locate possible key material or configuration leftovers, and document what happened.
What Codex CLI Can Help You Do
Brief Codex CLI Setup
On Windows, install Codex from Microsoft Store with winget, authenticate, and verify the environment.
winget install Codex -s msstore
codex login
codex doctor
For a deep audit on copied evidence folders, full access may be useful. Use it only on an isolated analysis machine, not on a live infected production server.
codex --sandbox danger-full-access --ask-for-approval never
Ransomware First-Response Playbook
- Isolate the affected host from the network when possible. Preserve power state if volatile evidence matters.
- Do not format, reinstall, or mass-delete files before collecting evidence.
- Copy ransom notes, encrypted samples, suspicious binaries, service lists, scheduled tasks, registry autoruns, and event logs.
- Build a timeline around first encryption, first ransom note, remote logons, service creation, and unusual network activity.
- Identify exposed services and remote access: SMB, RDP, WinRM, SQL, Firebird, HTTP/HTTPS, AnyDesk, TeamViewer, PsExec, PAExec.
- Hash every suspicious file and research the hashes, filenames, mutexes, paths, IPs, and domains.
- Prepare blocking in stages: confirmed malicious artifacts first, risky exposure next, production dependencies last.
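The hashing and sample-triage steps above, as an added example that is not part of the original guide: a read-only inventory of an evidence copy that records SHA256, magic bytes and common ransomware markers per file. The marker lists and the sample files it builds are constructed for the demo; tune the extensions and note names to the family you are handling.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical marker lists; tune them to the family under investigation.
SUSPECT_EXTENSIONS = {".locked", ".enc", ".crypt"}
RANSOM_NOTE_HINTS = ("readme", "restore", "decrypt", "how_to")
MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP archive", b"%PDF": "PDF"}
NATIVE_PE_EXT = {".exe", ".dll", ".sys"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def magic_label(head: bytes) -> str:
    return next((label for sig, label in MAGIC.items() if head.startswith(sig)), "unknown")

def inventory(root: Path) -> list[dict]:
    """Read-only walk of an evidence copy: hash, magic bytes and ransomware markers per file."""
    rows = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        with p.open("rb") as f:
            head = f.read(8)
        label, name, markers = magic_label(head), p.name.lower(), []
        if p.suffix.lower() in SUSPECT_EXTENSIONS:
            markers.append("suspect-extension")
        if any(hint in name for hint in RANSOM_NOTE_HINTS):
            markers.append("ransom-note-name")
        if label == "PE executable" and p.suffix.lower() not in NATIVE_PE_EXT:
            markers.append("pe-with-odd-extension")  # executable hiding behind a data extension
        rows.append({"path": str(p.relative_to(root)), "size": p.stat().st_size,
                     "sha256": sha256_of(p), "magic": label, "markers": markers})
    return rows

def build_sample_evidence() -> Path:
    """Constructed evidence copy for the demo: a few inert bytes per file, no real malware."""
    root = Path(tempfile.mkdtemp(prefix="evidence_copy_"))
    (root / "invoice.docx.locked").write_bytes(b"\x00\x11\x22 ciphertext-like junk")
    (root / "README_RESTORE_FILES.txt").write_text("your files are encrypted")
    (root / "svchost.dat").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # PE header only
    (root / "report.pdf").write_bytes(b"%PDF-1.4 clean sample")
    return root
```

Run `inventory(build_sample_evidence())` to see the rows; the output maps directly onto the FILE_HASHES.csv columns the audit prompt asks for.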
Codex CLI Audit Prompt
Prompt de Auditoria para Codex CLI
Paste this prompt into Codex CLI inside an evidence-copy workspace. It tells Codex to act as a defensive incident-response analyst.
Act as a defensive ransomware incident-response analyst working in an authorized evidence-copy workspace.
Safety rules:
- Do not execute suspicious binaries, scripts, DLLs, ransomware samples, or unknown decryptors.
- Do not modify original evidence. Work only on copies.
- Do not delete anything unless I explicitly approve a removal plan.
- Prefer static analysis, hashes, metadata, strings, logs, timelines, and trusted vendor tools.
- Clearly separate confirmed evidence, strong suspicion, weak suspicion, and unknowns.
Mission:
Audit this ransomware incident and produce a practical report that helps victims and the community understand what happened, what was touched, and whether any recovery opportunity exists.
Tasks:
1. Create an AUDIT_WORKSPACE with subfolders:
- EVIDENCE_COPY
- HASHES
- SAMPLES_QUARANTINE
- LOGS
- TIMELINE
- NETWORK_IOCS
- RECOVERY_CLUES
- REPORTS
2. Inventory files:
- List encrypted files, ransom notes, suspicious executables, DLLs, scripts, archives, config files, and unusual recent files.
- Record full path, size, timestamps, SHA256, extension, and first bytes/magic signature.
- Identify common ransomware markers: new extensions, ransom note names, dropped tools, lateral movement tools, and deletion tools.
3. Hunt the infection source:
- Search Windows, System32, SysWOW64, ProgramData, Temp, user profiles, startup folders, public shares, and application folders.
- Look for services, scheduled tasks, registry autoruns, startup entries, WMI persistence, PsExec/PAExec artifacts, WinRM usage, and remote access tools.
- Highlight suspicious paths such as random names, fake system names, recently modified files, or files placed directly in C:\Windows.
4. Investigate logs:
- Review Windows Event Logs when available: Security, System, Application, PowerShell, TerminalServices, SMBClient, WinRM, TaskScheduler, and service-control events.
- Focus on logon event IDs 4624/4625/4672, service creation (7045), process/service failures, remote sessions, SMB access, RDP, WinRM, AnyDesk, TeamViewer, and the time window around the first ransom note.
- Build a chronological timeline with local time.
5. Trace IPs and ports:
- Extract IP addresses, domains, ports, URLs, SMB paths, RDP/WinRM/SQL/Firebird/HTTP/HTTPS indicators, and outbound connections from logs and strings.
- Mark private/local IPs separately from public IPs.
- Prepare a CSV of network indicators with source file/log, timestamp, direction if known, service, port, and confidence.
6. Collect samples safely:
- Copy suspicious files to SAMPLES_QUARANTINE without executing them.
- Generate hashes and file metadata.
- Extract strings and static indicators only.
- If archives contain suspected malware, do not extract into a live system. Document contents safely.
7. Search for possible key or recovery clues:
- Search for ransomware configuration files, public keys, local symmetric keys, logs, temp files, incomplete encryption markers, debug output, command-line arguments, and memory-dump artifacts if present.
- Search for clean reference files, backups, shadow copies, database backups, temporary files, exported data, archive bodies, file headers, and partially encrypted files.
- Do not claim decryption unless a recovered file validates with native tools.
8. Internet intelligence:
- Research hashes, filenames, ransom note text, extensions, IPs, domains, and malware family names using trusted sources only.
- Prefer official vendor advisories, No More Ransom, reputable security blogs, malware databases, and abuse/reputation services.
- Do not download random decryptors from forums, YouTube descriptions, Telegram, or unknown sites.
9. Safe blocking recommendations:
- Propose staged containment: confirmed malicious files/services/tasks/accounts first; exposed SMB/RDP/WinRM/remote access next; firewall inbound/outbound rules next.
- Warn before blocking business-critical services.
- Provide rollback notes for every suggested change.
10. Final deliverables:
- EXECUTIVE_SUMMARY.txt: non-technical summary.
- TECHNICAL_REPORT.txt: detailed findings.
- TIMELINE.csv.
- FILE_HASHES.csv.
- NETWORK_IOCS.csv.
- SUSPICIOUS_SERVICES_TASKS.csv.
- RECOVERY_CLUES.txt.
- SAFE_CONTAINMENT_PLAN.txt.
- COMMUNITY_SHARE_SAFE.txt with only non-sensitive indicators that can help other victims.
Conclusion format:
- Confirmed facts.
- Likely infection vector.
- Known attacker infrastructure or suspicious IPs/ports.
- Samples preserved.
- Recovery opportunities.
- Actions that are safe now.
- Actions that require business approval.
- Unknowns and next steps.
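Tasks 4 and 5 of the prompt (timeline from event logs, network indicators with private/public scope), as an added example that is not part of the original guide. The log export format and every line in it are constructed; the event ID meanings are the standard Windows ones. It classifies RFC 1918, loopback and link-local ranges as private instead of relying on `ipaddress.is_private`, which would also flag the documentation range used here for the constructed external address.

```python
import csv
import io
import ipaddress
import re
from datetime import datetime

# Event IDs the prompt singles out (standard Windows meanings).
EVENTS_OF_INTEREST = {"4624": "logon success", "4625": "logon failure",
                      "4672": "special privileges assigned", "7045": "service installed"}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# RFC 1918 plus loopback/link-local; used instead of ipaddress.is_private, which also
# flags documentation ranges such as 203.0.113.0/24 (used below as a constructed public IP).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed log export (Time,EventID,Channel,Message); not real evidence.
SAMPLE_LOG = """Time,EventID,Channel,Message
2024-03-10 02:11:05,4625,Security,An account failed to log on. Source Network Address: 203.0.113.45 Logon Type: 10
2024-03-10 02:14:40,4624,Security,An account was successfully logged on. Source Network Address: 203.0.113.45 Logon Type: 10
2024-03-10 02:15:02,4672,Security,Special privileges assigned to new logon.
2024-03-10 02:19:30,7045,System,A service was installed in the system. Service Name: PSEXESVC
2024-03-10 02:31:12,4624,Security,An account was successfully logged on. Source Network Address: 192.168.10.7 Logon Type: 3
2024-03-10 03:00:00,1000,Application,Faulting application name: notepad.exe
"""

def parse_events(text: str) -> list[dict]:
    """Keep only events of interest, ordered by local time, with any IPs in the message extracted."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        if rec["EventID"] not in EVENTS_OF_INTEREST:
            continue
        rows.append({"time": datetime.strptime(rec["Time"], "%Y-%m-%d %H:%M:%S"),
                     "event_id": rec["EventID"], "label": EVENTS_OF_INTEREST[rec["EventID"]],
                     "channel": rec["Channel"], "ips": IP_RE.findall(rec["Message"]),
                     "message": rec["Message"]})
    return sorted(rows, key=lambda r: r["time"])

def scope_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return "private" if any(addr in net for net in LOCAL_NETS) else "public"

def network_iocs(events: list[dict]) -> list[dict]:
    """One NETWORK_IOCS row per IP sighting, with source log, timestamp and scope."""
    return [{"ip": ip, "scope": scope_of(ip), "event_id": ev["event_id"],
             "time": ev["time"].isoformat(sep=" "), "source": ev["channel"]}
            for ev in events for ip in ev["ips"]]
```

In the constructed log the failed-then-successful RDP logons (type 10) from one public address, followed by a privileged logon and a PSEXESVC service install, is the kind of sequence the timeline should surface for the "likely infection vector" conclusion.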
What To Share With The Community
Victims should not publish private files, patient data, customer data, passwords, screenshots with secrets, or full logs containing sensitive information. But they can safely share technical patterns that help others.
- Ransomware extension and ransom note filename.
- Hashes and filenames of confirmed malware samples.
- Suspicious service names, task names, registry paths, and process names.
- Public IPs/domains involved, ports, timestamps, and confidence level.
- Recovery methods that worked or failed, including tool versions and validation steps.
Support Open Recovery Notes
If this guide helped you act faster, preserve evidence, or avoid unsafe tools, consider supporting more public incident-response material.