Malware Attack Investigation Runbook

SOC & DFIR Operations Guide

Overview & Scope

This runbook provides standardised procedures for investigating malware-based attacks across the hybrid enterprise environment. It covers detection, triage, investigation, containment, eradication, and recovery workflows using Microsoft Defender XDR, Sentinel, and Palo Alto Prisma Access.

Malware Categories

Common Attack Vectors

Vector

Description

Primary Detection

Phishing Emails

Malicious attachments/links

MDO, EmailEvents

Drive-by Downloads

Compromised websites

MDE, Prisma URL filtering

Supply Chain

Compromised software updates

MDE, application allow-listing

Removable Media

USB-based infection

MDE, DeviceEvents

Exploitation

Vulnerability exploitation

MDE, DeviceEvents

Malvertising

Malicious advertisements

Prisma Access, MDE

Social Engineering

User manipulation

MDO, user reporting

Detection Sources & Data Mapping

Log Sources Matrix

Platform

Log Table

Key Data

Defender for Endpoint

DeviceEvents

Process creation, file operations, registry

Defender for Endpoint

DeviceProcessEvents

Process execution, command lines

Defender for Endpoint

DeviceNetworkEvents

Network connections, DNS queries

Defender for Endpoint

DeviceFileEvents

File creation, modification, deletion

Defender for Endpoint

DeviceRegistryEvents

Registry modifications

Defender for Endpoint

DeviceImageLoadEvents

DLL loads, driver loads

Defender for Endpoint

DeviceLogonEvents

Authentication events

Defender for Endpoint

AlertInfo, AlertEvidence

Correlated alerts and evidence

Defender for Office

EmailEvents, EmailAttachmentInfo

Email metadata, attachments

Defender for Office

EmailUrlInfo, UrlClickEvents

URLs in emails, click tracking

Sentinel

SecurityAlert

Aggregated alerts from all sources

Sentinel

ThreatIntelligenceIndicator

IOC matches

Prisma Access

PaloAltoPrismaAccess

Network threats, URL categories

Critical MDE Alert Categories

Alert Category

Description

Severity

Malware

Known malware detected

High-Critical

Ransomware

Ransomware behavior detected

Critical

Suspicious activity

Anomalous behavior patterns

Medium-High

Unwanted software

PUPs, adware, tools

Low-Medium

Exploit

Exploitation attempt detected

High-Critical

Persistence

Persistence mechanism detected

Medium-High

Lateral movement

Movement between systems

High

Command and control

C2 communication detected

High-Critical

Exfiltration

Data theft indicators

Critical

Defense evasion

Security tool tampering

High

Investigation Workflows

Malware Alert Triage

Objective: Quickly assess alert validity, determine scope, and prioritise response.

Step 1: Initial Alert Assessment

Review alert in Defender XDR incident queue
Check alert severity, category, and detection source
Identify affected device(s) and user(s)
Review MITRE ATT&CK techniques mapped to alert
Check if alert is part of larger incident (auto-correlated)

Step 2: Validate Detection

Review the specific file/process that triggered alert
Check file hash against VirusTotal and internal threat intel
Review file metadata: signer, compilation time, path
Examine parent-child process relationships
Determine if activity is expected (false positive check)

Step 3: Scope Assessment

Search for same IOCs across all endpoints
Check if other devices have similar alerts
Review user's recent email for delivery vector
Check network logs for related C2 traffic
Identify patient zero and initial access timeline

Step 4: Risk Classification

Risk Level

Criteria

Action

🔴 Critical

Ransomware, active C2, domain admin compromise

Immediate isolation

🟠 High

Confirmed malware, lateral movement, data staging

Isolate within 30 min

🟡 Medium

Suspicious activity, potential malware

Investigate within 4 hours

🟢 Low

PUP, adware, likely false positive

Next business day

Ransomware Investigation

Objective: Contain ransomware spread, identify scope, preserve evidence, and enable recovery.

Immediate Actions (First 15 Minutes)

Isolate affected devices via MDE device isolation
Disable compromised accounts if credentials suspected stolen
Block known IOCs at network perimeter (Prisma Access)
Alert incident response team and leadership
Preserve volatile evidence if possible

Step 1: Identify Ransomware Variant

Review ransom note filename and content
Check encrypted file extension
Submit sample to threat intel platforms
Identify known decryptors if available
Document ransomware family and known TTPs

Step 2: Determine Patient Zero

Query earliest file encryption events across environment
Identify initial infected device by timestamp
Review device timeline for initial access vector
Check email logs for phishing delivery
Examine network logs for exploitation attempts

Step 3: Map Lateral Movement

Query authentication events from patient zero
Identify all accessed systems and shares
Check for credential harvesting tools (Mimikatz, etc.)
Review network connections to other endpoints
Document full scope of compromise

Step 4: Identify Data Exfiltration

Check for large data transfers before encryption
Review cloud storage uploads (OneDrive, SharePoint)
Examine network traffic to unknown external IPs
Check for staging directories
Identify potentially exfiltrated data types

Step 5: Containment & Eradication

Extend isolation to all affected devices
Block all identified C2 infrastructure
Reset credentials for affected users
Remove persistence mechanisms
Scan and clean all affected systems

Fileless Malware Investigation

Objective: Detect and investigate memory-resident and LOLBin-based malware.

Detection Indicators

PowerShell with encoded commands (-enc, -e, -encodedcommand)
WMI/CIM for execution or persistence
Unusual parent-child process relationships
LOLBAS tool abuse (certutil, mshta, regsvr32, rundll32)
.NET assembly loading in memory
Reflective DLL injection
Process hollowing indicators

Investigation Steps

Review process command lines for obfuscation
Decode Base64/encoded PowerShell commands
Analyse script block logging events
Check for WMI subscriptions and persistence
Review scheduled tasks for suspicious entries
Examine registry run keys and startup locations
Analyse memory dumps if available

Key LOLBins to Monitor

Binary

Malicious Use

Detection

powershell.exe

Script execution, download cradles

Encoded commands, web requests

cmd.exe

Command execution

Unusual parent, obfuscation

mshta.exe

HTA execution, proxy execution

Network connections, child processes

certutil.exe

Download files, decode payloads

-urlcache, -decode flags

regsvr32.exe

Proxy execution, COM objects

/s /u /i: parameters

rundll32.exe

DLL execution, proxy

Unusual DLLs, network activity

wmic.exe

WMI queries, remote execution

/node:, process calls

msiexec.exe

MSI installation from URL

/q /i http://

bitsadmin.exe

File downloads

/transfer, /download

cscript/wscript

Script execution

Unusual scripts, network calls

Email-Based Malware Investigation

Objective: Investigate malware delivered via email, identify all recipients, and remediate.

Step 1: Identify Malicious Email

Query EmailEvents for the malicious message
Extract sender, subject, recipient(s), and timestamps
Identify attachment details or malicious URLs
Check if email passed or was caught by MDO
Determine delivery status to all recipients

Step 2: Recipient Analysis

List all recipients of the malicious email
Identify who opened/clicked the email
Check UrlClickEvents for link interactions
Review endpoint alerts for recipients
Prioritise users who interacted with content

Step 3: Email Artifact Analysis

Extract and analyse attachment hashes
Submit to sandbox for detonation
Review URL reputation and redirects
Check for known phishing kit indicators
Document all IOCs from email

Step 4: Remediation

Purge malicious email from all mailboxes
Block sender domain/address
Add URL/hash to block lists
Notify users who received email
Reset credentials if any user interacted

KQL Query Cheat Sheet

Device Process Analysis

Suspicious Process Execution

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("encodedcommand", "-enc", "-e ", "bypass", "hidden", "downloadstring", "iex", "invoke-expression")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc

Process Tree Analysis

let targetDevice = "WORKSTATION01";
let timeRange = 24h;
DeviceProcessEvents
| where Timestamp > ago(timeRange)
| where DeviceName =~ targetDevice
| project Timestamp, DeviceName, FileName, ProcessId, ProcessCommandLine, 
    InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine
| sort by Timestamp asc

Encoded PowerShell Detection

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine matches regex @"-[eE][nN]?[cC]?\s+[A-Za-z0-9+/=]{50,}"
| extend DecodedCommand = base64_decode_tostring(extract(@"-[eE][nN]?[cC]?\s+([A-Za-z0-9+/=]+)", 1, ProcessCommandLine))
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, DecodedCommand

Malware Detection Queries

New/Rare Executables

DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FileName endswith ".exe" or FileName endswith ".dll"
| where FolderPath has_any ("temp", "appdata", "programdata", "users\\public")
| summarize 
    FirstSeen = min(Timestamp),
    DeviceCount = dcount(DeviceName),
    Devices = make_set(DeviceName, 10)
    by SHA256, FileName, FolderPath
| where DeviceCount < 3
| sort by FirstSeen desc

Suspicious File Drops

DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where InitiatingProcessFileName in~ ("outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "chrome.exe", "msedge.exe", "firefox.exe")
| where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".scr" or FileName endswith ".ps1" or FileName endswith ".vbs" or FileName endswith ".js" or FileName endswith ".hta"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, FolderPath, SHA256

Ransomware Behaviour Detection

DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType == "FileModified" or ActionType == "FileRenamed"
| summarize 
    ModifiedCount = count(),
    UniqueExtensions = dcount(FileName),
    Extensions = make_set(tostring(split(FileName, ".")[-1]), 20)
    by DeviceName, InitiatingProcessFileName, bin(Timestamp, 5m)
| where ModifiedCount > 100
| sort by ModifiedCount desc

Network & C2 Detection

Suspicious Outbound Connections

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "onedrive.exe")
| summarize 
    ConnectionCount = count(),
    BytesSent = sum(SentBytes),
    BytesReceived = sum(ReceivedBytes),
    RemoteIPs = make_set(RemoteIP, 10)
    by DeviceName, InitiatingProcessFileName, RemotePort
| where ConnectionCount > 10
| sort by ConnectionCount desc

Beaconing Detection

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| summarize 
    ConnectionCount = count(),
    ConnectionTimes = make_list(Timestamp, 1000)
    by DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
| where ConnectionCount > 20
| extend TimeDeltas = series_diff(array_sort_asc(ConnectionTimes), 1)
| extend AvgDelta = avgif(TimeDeltas, isnotnull(TimeDeltas))
| extend StdDevDelta = stdevif(TimeDeltas, isnotnull(TimeDeltas))
| where StdDevDelta < 60000 // Low variance = potential beaconing (in milliseconds)
| project DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, ConnectionCount, AvgDelta, StdDevDelta

DNS Anomaly Detection

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "DnsQueryResponse"
| where RemoteUrl !endswith ".microsoft.com" and RemoteUrl !endswith ".windows.com"
| extend DomainLength = strlen(RemoteUrl)
| extend Entropy = -sum(dynamic_to_json(array_slice(to_utf8(RemoteUrl), 0, -1)) | mv-expand c to typeof(int) | summarize count() by c | project p = toreal(count_) / DomainLength | summarize sum(p * log2(p)))
| where DomainLength > 50 or Entropy > 4.0
| project Timestamp, DeviceName, RemoteUrl, DomainLength, InitiatingProcessFileName

Persistence Detection

Registry Persistence

DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (
    "CurrentVersion\\Run",
    "CurrentVersion\\RunOnce", 
    "CurrentVersion\\RunServices",
    "Winlogon\\Shell",
    "Winlogon\\Userinit",
    "Environment\\UserInitMprLogonScript")
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName

Scheduled Task Creation

DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "ScheduledTaskCreated" or ActionType == "ScheduledTaskUpdated"
| project Timestamp, DeviceName, ActionType, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

Service Installation

DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "ServiceInstalled"
| project Timestamp, DeviceName, ActionType, 
    ServiceName = tostring(parse_json(AdditionalFields).ServiceName),
    ServicePath = tostring(parse_json(AdditionalFields).ServicePath),
    InitiatingProcessFileName
| where ServicePath !startswith "C:\\Windows\\System32"

WMI Persistence

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "WmiBindEventFilterToConsumer"
| project Timestamp, DeviceName, 
    FilterName = tostring(parse_json(AdditionalFields).FilterName),
    ConsumerName = tostring(parse_json(AdditionalFields).ConsumerName),
    InitiatingProcessFileName

Email Malware Queries

Malicious Attachment Hunt

EmailAttachmentInfo
| where Timestamp > ago(7d)
| where FileType in ("exe", "dll", "scr", "js", "vbs", "hta", "ps1", "bat", "cmd", "msi", "jar")
    or FileName endswith ".iso"
    or FileName endswith ".img"
    or FileName endswith ".vhd"
| join kind=inner EmailEvents on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, FileName, FileType, SHA256
| sort by Timestamp desc

URL Click Analysis

UrlClickEvents
| where Timestamp > ago(7d)
| where ActionType == "ClickAllowed"
| where Url !startswith "https://microsoft.com" and Url !startswith "https://*.sharepoint.com"
| summarize 
    ClickCount = count(),
    UniqueUsers = dcount(AccountUpn),
    Users = make_set(AccountUpn, 10)
    by Url
| where ClickCount > 5
| sort by ClickCount desc

Emails with Password-Protected Attachments

EmailAttachmentInfo
| where Timestamp > ago(7d)
| where FileType in ("zip", "7z", "rar")
| join kind=inner EmailEvents on NetworkMessageId
| where Subject has_any ("password", "pwd", "pass:", "code:", "protected")
    or SenderFromAddress !endswith "@yourdomain.com"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, FileName

Threat Hunting Queries

Hunt for Cobalt Strike Indicators

// Named pipe indicators
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "NamedPipeCreated"
| where PipeName matches regex @"\\\\\.\\pipe\\(MSSE-|status_|msagent_|postex_|mojo\.|demoagent_|\\w{8}-\\w{4}-\\w{4})"
| project Timestamp, DeviceName, PipeName, InitiatingProcessFileName, InitiatingProcessCommandLine

// Process injection
union DeviceEvents, DeviceProcessEvents
| where Timestamp > ago(7d)
| where ActionType in ("CreateRemoteThreadApiCall", "QueueUserApcRemoteApiCall", "SetThreadContextRemoteApiCall")
| project Timestamp, DeviceName, ActionType, FileName, InitiatingProcessFileName, ProcessCommandLine

Hunt for Mimikatz Activity

DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any (
    "sekurlsa::logonpasswords",
    "sekurlsa::wdigest", 
    "lsadump::sam",
    "lsadump::dcsync",
    "kerberos::golden",
    "privilege::debug",
    "token::elevate")
    or FileName =~ "mimikatz.exe"
    or SHA256 in ((known_mimikatz_hashes))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine

Living Off the Land Detection

DeviceProcessEvents
| where Timestamp > ago(24h)
| where 
    (FileName =~ "certutil.exe" and ProcessCommandLine has_any ("-urlcache", "-decode", "-encode"))
    or (FileName =~ "bitsadmin.exe" and ProcessCommandLine has_any ("/transfer", "/download"))
    or (FileName =~ "mshta.exe" and ProcessCommandLine has_any ("http://", "https://", "javascript:"))
    or (FileName =~ "regsvr32.exe" and ProcessCommandLine has_any ("/s", "/u", "/i:http"))
    or (FileName =~ "rundll32.exe" and ProcessCommandLine has_any ("javascript:", "http://", ".dll,"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName

Response Actions & Remediation

Immediate Containment Actions

Scenario

Action

Method

Active Malware

Isolate device

MDE → Device page → Isolate device

Ransomware

Network isolation

Isolate + disable network shares

C2 Communication

Block C2 IPs/domains

Prisma Access + MDE custom indicators

Compromised Account

Disable account

Entra ID + on-prem AD

Malicious Email

Purge from mailboxes

MDO → Threat Explorer → Soft/Hard delete

Malicious File

Block by hash

MDE → Indicators → Add file hash

MDE Live Response Commands

Evidence Collection

# Connect to device via Live Response in MDE portal

# Collect running processes
processes

# Get network connections  
connections

# Collect file for analysis
getfile "C:\Users\user\AppData\Local\Temp\malware.exe"

# Get file information
fileinfo "C:\Users\user\AppData\Local\Temp\malware.exe"

# Run script for memory dump
run MemoryDump.ps1

# Get autoruns
run GetAutoruns.ps1

Remediation Commands

# Kill malicious process
remediate kill [PID]

# Quarantine file
remediate quarantine "C:\path\to\malware.exe"

# Remove scheduled task
remediate scheduledtask remove "MaliciousTask"

# Remove registry key
remediate registry delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MaliciousValue"

# Undo isolation
unisolate

Network Containment (Prisma Access)

Action

Location

Details

Block malicious URL

URL Filtering → Custom Categories

Add URL to block category

Block C2 IP

Security Policy → External Dynamic Lists

Add IP to block list

Block file hash

Threat Prevention → Antivirus

Add to custom signature

Isolate user traffic

GlobalProtect → HIP Profiles

Quarantine non-compliant

Post-Incident Remediation Checklist

Eradication

[ ] Remove all malware files from affected systems
[ ] Delete persistence mechanisms (registry, scheduled tasks, services)
[ ] Remove malicious accounts created by attacker
[ ] Clear cached credentials on affected systems
[ ] Reset passwords for compromised accounts
[ ] Revoke all sessions for affected users
[ ] Block all identified IOCs at all layers

Recovery

[ ] Restore systems from clean backups if needed
[ ] Rebuild compromised systems if necessary
[ ] Verify integrity of restored data
[ ] Re-enable disabled accounts after password reset
[ ] Remove device isolation in phases
[ ] Monitor recovered systems closely for 72 hours

Hardening

[ ] Patch exploited vulnerabilities
[ ] Review and tighten application control policies
[ ] Enable ASR rules relevant to attack technique
[ ] Update email filtering rules
[ ] Review firewall rules and network segmentation
[ ] Conduct user awareness training if phishing-based

Quick Reference Cards

Malware Analysis Checklist

Step

Action

Tools

Collect file hash (SHA256)

MDE, PowerShell

Check reputation

VirusTotal, MDE TI

Analyze strings

FLOSS, strings

Sandbox detonation

MDE Deep Analysis, Any.Run, Joe Sandbox

Review network IOCs

Sandbox report, Wireshark

Extract config

Malware-specific tools

Document TTPs

MITRE ATT&CK mapping

File Hash Quick Check

# Get SHA256 hash of a file
Get-FileHash -Algorithm SHA256 "C:\path\to\file.exe"

# Get multiple hashes
Get-FileHash -Algorithm SHA256 "C:\path\to\file.exe" | Select-Object Hash, Path
Get-FileHash -Algorithm MD5 "C:\path\to\file.exe" | Select-Object Hash

# Check file signature
Get-AuthenticodeSignature "C:\path\to\file.exe"

Common Malware File Locations

Location

Typical Use

%TEMP%

Initial payload drops

%APPDATA%

User-level persistence

%LOCALAPPDATA%

User-level persistence

%PROGRAMDATA%

System-wide persistence

C:\Users\Public

Shared access drops

%WINDIR%\Temp

System temp drops

%WINDIR%\Tasks

Scheduled task abuse

Recycle Bin ($Recycle.Bin)

Hidden storage

Attack Stage Indicators

Stage

Indicators

Data Source

Delivery

Phishing email, malicious download

EmailEvents, DeviceNetworkEvents

Exploitation

Vulnerability trigger, macro execution

DeviceEvents, DeviceProcessEvents

Installation

File drops, registry changes

DeviceFileEvents, DeviceRegistryEvents

Beaconing, DNS queries

DeviceNetworkEvents

Actions

Data staging, lateral movement

DeviceFileEvents, DeviceLogonEvents

Exfiltration

Large transfers, cloud uploads

DeviceNetworkEvents, CloudAppEvents

Escalation Matrix

Severity Classification

Severity

Criteria

Response Time

🔴 Critical

Active ransomware, confirmed C2, data exfiltration in progress, wiper malware

Immediate - 15 min

🟠 High

Confirmed malware execution, lateral movement, credential theft tools

30 min - 1 hour

🟡 Medium

Suspicious execution blocked, potential malware, single endpoint

4 hours

🟢 Low

PUP detected, adware, blocked download attempt

Next business day

Escalation Triggers

Condition

Escalation Level

>5 endpoints with same malware

Tier 2 SOC

Any ransomware detection

Tier 2 SOC + DFIR

Domain controller affected

DFIR + Identity Team + Leadership

Confirmed data exfiltration

DFIR + Legal + Leadership

Supply chain compromise suspected

DFIR + Leadership + External IR

Critical business system affected

DFIR + Business Owner + Leadership

Communication Templates

Initial Notification (Internal)

SECURITY INCIDENT NOTIFICATION

Severity: [Critical/High/Medium/Low]
Time Detected: [Timestamp UTC]
Affected Systems: [Count and list]
Malware Family: [If known]
Current Status: [Investigating/Contained/Eradicated]

Summary:
[Brief description of what was detected]

Immediate Actions Taken:
- [Action 1]
- [Action 2]

Next Steps:
- [Planned action 1]
- [Planned action 2]

SOC Contact: [Name/Number]

MITRE ATT&CK Mapping

Initial Access

Technique

Detection

KQL Table

Phishing: Attachment

T1566.001

Malicious attachment detected

EmailAttachmentInfo

Phishing: Link

T1566.002

Malicious URL clicked

UrlClickEvents

Drive-by Compromise

T1189

Browser exploitation

DeviceProcessEvents

Supply Chain

T1195

Compromised software

DeviceFileEvents

External Remote Services

T1133

VPN/RDP compromise

DeviceLogonEvents

Execution

Technique

Detection

KQL Table

PowerShell

T1059.001

Encoded commands, download cradles

DeviceProcessEvents

Command Shell

T1059.003

Suspicious cmd.exe usage

DeviceProcessEvents

Windows Script Host

T1059.005

VBS/JS execution

DeviceProcessEvents

Mshta

T1218.005

HTA execution

DeviceProcessEvents

Regsvr32

T1218.010

Proxy execution

DeviceProcessEvents

Rundll32

T1218.011

DLL side-loading

DeviceProcessEvents

Persistence

Technique

Detection

KQL Table

Registry Run Keys

T1547.001

Run key modification

DeviceRegistryEvents

Scheduled Task

T1053.005

Task creation

DeviceEvents

Services

T1543.003

Service installation

DeviceEvents

WMI Subscription

T1546.003

WMI filter/consumer

DeviceEvents

Boot/Logon Scripts

T1037

Startup script

DeviceRegistryEvents

Defense Evasion

Technique

Detection

KQL Table

Process Injection

T1055

Remote thread creation

DeviceEvents

Masquerading

T1036

Renamed executables

DeviceProcessEvents

Obfuscated Files

T1027

Encoded payloads

DeviceProcessEvents

Disable Security Tools

T1562

AV/EDR tampering

DeviceEvents

Indicator Removal

T1070

Log clearing

DeviceEvents

Credential Access

Technique

Detection

KQL Table

LSASS Dump

T1003.001

LSASS access

DeviceEvents

SAM Dump

T1003.002

Registry SAM access

DeviceRegistryEvents

Credential Dumping

T1003

Mimikatz execution

DeviceProcessEvents

Keylogging

T1056.001

Keylogger installation

DeviceEvents

Command & Control

Technique

Detection

KQL Table

HTTP/HTTPS

T1071.001

Web traffic to C2

DeviceNetworkEvents

DNS

T1071.004

DNS tunneling

DeviceNetworkEvents

Non-Standard Port

T1571

Unusual ports

DeviceNetworkEvents

Encrypted Channel

T1573

SSL/TLS to C2

DeviceNetworkEvents

Exfiltration

Technique

Detection

KQL Table

Exfil Over C2

T1041

Large uploads to C2

DeviceNetworkEvents

Exfil Over Web

T1567

Cloud storage uploads

CloudAppEvents

Automated Exfil

T1020

Scheduled transfers

DeviceNetworkEvents

Appendix: Useful Commands

PowerShell Investigation

# Get running processes with command line
Get-CimInstance Win32_Process | Select-Object ProcessId, Name, CommandLine

# Find processes by name
Get-Process -Name "powershell" | Select-Object Id, ProcessName, Path, StartTime

# Get network connections
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess

# Get DNS cache
Get-DnsClientCache | Select-Object Entry, Data, TimeToLive

# Check scheduled tasks
Get-ScheduledTask | Where-Object {$_.State -eq "Ready"} | Select-Object TaskName, TaskPath, State

# Review services
Get-Service | Where-Object {$_.Status -eq "Running"} | Select-Object Name, DisplayName, StartType

# Check startup items
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location

# Get recently modified files
Get-ChildItem -Path C:\Users -Recurse -File | Where-Object {$_.LastWriteTime -gt (Get-Date).AddHours(-24)} | Select-Object FullName, LastWriteTime

# Check for unsigned executables
Get-ChildItem -Path "C:\Users" -Recurse -Include *.exe | Get-AuthenticodeSignature | Where-Object {$_.Status -ne "Valid"}

MDE Advanced Hunting in PowerShell

# Connect to Security Center
Connect-MicrosoftDefender

# Run advanced hunting query
$query = @"
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "-enc"
| project Timestamp, DeviceName, ProcessCommandLine
"@

Invoke-MDATPQuery -Query $query

Network Analysis

# Get established connections with process names
Get-NetTCPConnection -State Established | ForEach-Object {
    $process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        LocalAddress = $_.LocalAddress
        LocalPort = $_.LocalPort
        RemoteAddress = $_.RemoteAddress
        RemotePort = $_.RemotePort
        ProcessName = $process.Name
        ProcessPath = $process.Path
    }
}

# Check for listening ports
Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess

# DNS queries from event log
Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" -MaxEvents 100 | Select-Object TimeCreated, Message

Memory Analysis Prep

# Create memory dump using Windows built-in
# Requires procdump or similar tool
.\procdump.exe -ma lsass.exe lsass.dmp

# Or use PowerShell with comsvcs.dll (requires elevation)
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\temp\lsass.dmp full

Evidence Collection Script

# Quick triage script
$outputPath = "C:\IR_Evidence_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
New-Item -ItemType Directory -Path $outputPath -Force

# System info
systeminfo > "$outputPath\systeminfo.txt"

# Running processes
Get-Process | Export-Csv "$outputPath\processes.csv" -NoTypeInformation

# Network connections
Get-NetTCPConnection | Export-Csv "$outputPath\network.csv" -NoTypeInformation

# Services
Get-Service | Export-Csv "$outputPath\services.csv" -NoTypeInformation

# Scheduled tasks
Get-ScheduledTask | Export-Csv "$outputPath\scheduledtasks.csv" -NoTypeInformation

# Recent files
Get-ChildItem -Path C:\Users -Recurse -File -ErrorAction SilentlyContinue | 
    Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-7)} | 
    Export-Csv "$outputPath\recentfiles.csv" -NoTypeInformation

# Compress for collection
Compress-Archive -Path $outputPath -DestinationPath "$outputPath.zip"

⚠️ Important: This runbook should be tested regularly through tabletop exercises and updated after each significant incident to incorporate lessons learned and emerging malware techniques.

PreviousIdentity Attack Investigation Runbook NextUnauthorised Access & Privilege Escalation Investigation Runbook

Last updated 7 days ago