Malware Attack Investigation Runbook

SOC & DFIR Operations Guide

Environment: Windows AD | Microsoft 365 | Defender XDR | Sentinel | Entra ID | Palo Alto Prisma Access

---

Overview & Scope

This runbook provides standardised procedures for investigating malware-based attacks across the hybrid enterprise environment. It covers detection, triage, investigation, containment, eradication, and recovery workflows using Microsoft Defender XDR, Sentinel, and Palo Alto Prisma Access.

Malware Categories

Category	Description	Common Examples
Ransomware	Encrypts files, demands payment	LockBit, BlackCat, Cl0p, Play
Trojans	Disguised malicious software	Emotet, TrickBot, QakBot
RATs	Remote Access Trojans for persistent access	Cobalt Strike, AsyncRAT, RemcosRAT
Infostealers	Credential and data theft	RedLine, Raccoon, Vidar, Lumma
Loaders/Droppers	Initial access, downloads additional payloads	IcedID, BumbleBee, Gootloader
Rootkits	Deep system persistence, evasion	BlackLotus, various bootkits
Fileless Malware	Memory-resident, LOLBins abuse	PowerShell-based, WMI persistence
Worms	Self-propagating network threats	Various SMB/network worms
Cryptominers	Unauthorized cryptocurrency mining	XMRig variants
Wipers	Data destruction	HermeticWiper, CaddyWiper

Common Attack Vectors

Vector	Description	Primary Detection
Phishing Emails	Malicious attachments/links	MDO, EmailEvents
Drive-by Downloads	Compromised websites	MDE, Prisma URL filtering
Supply Chain	Compromised software updates	MDE, application allow-listing
Removable Media	USB-based infection	MDE, DeviceEvents
Exploitation	Vulnerability exploitation	MDE, DeviceEvents
Malvertising	Malicious advertisements	Prisma Access, MDE
Social Engineering	User manipulation	MDO, user reporting

---

Detection Sources & Data Mapping

Log Sources Matrix

Platform	Log Table	Key Data
Defender for Endpoint	DeviceEvents	Process creation, file operations, registry
Defender for Endpoint	DeviceProcessEvents	Process execution, command lines
Defender for Endpoint	DeviceNetworkEvents	Network connections, DNS queries
Defender for Endpoint	DeviceFileEvents	File creation, modification, deletion
Defender for Endpoint	DeviceRegistryEvents	Registry modifications
Defender for Endpoint	DeviceImageLoadEvents	DLL loads, driver loads
Defender for Endpoint	DeviceLogonEvents	Authentication events
Defender for Endpoint	AlertInfo, AlertEvidence	Correlated alerts and evidence
Defender for Office	EmailEvents, EmailAttachmentInfo	Email metadata, attachments
Defender for Office	EmailUrlInfo, UrlClickEvents	URLs in emails, click tracking
Sentinel	SecurityAlert	Aggregated alerts from all sources
Sentinel	ThreatIntelligenceIndicator	IOC matches
Prisma Access	PaloAltoPrismaAccess	Network threats, URL categories

Critical MDE Alert Categories

Alert Category	Description	Severity
Malware	Known malware detected	High-Critical
Ransomware	Ransomware behavior detected	Critical
Suspicious activity	Anomalous behavior patterns	Medium-High
Unwanted software	PUPs, adware, tools	Low-Medium
Exploit	Exploitation attempt detected	High-Critical
Persistence	Persistence mechanism detected	Medium-High
Lateral movement	Movement between systems	High
Command and control	C2 communication detected	High-Critical
Exfiltration	Data theft indicators	Critical
Defense evasion	Security tool tampering	High

---

Investigation Workflows

Malware Alert Triage

Objective: Quickly assess alert validity, determine scope, and prioritise response.

Step 1: Initial Alert Assessment

1. Review alert in Defender XDR incident queue

2. Check alert severity, category, and detection source

3. Identify affected device(s) and user(s)

4. Review MITRE ATT&CK techniques mapped to alert

5. Check if alert is part of larger incident (auto-correlated)

Step 2: Validate Detection

1. Review the specific file/process that triggered alert

2. Check file hash against VirusTotal and internal threat intel

3. Review file metadata: signer, compilation time, path

4. Examine parent-child process relationships

5. Determine if activity is expected (false positive check)

Step 3: Scope Assessment

1. Search for same IOCs across all endpoints

2. Check if other devices have similar alerts

3. Review user's recent email for delivery vector

4. Check network logs for related C2 traffic

5. Identify patient zero and initial access timeline

Step 4: Risk Classification

Risk Level	Criteria	Action
🔴 Critical	Ransomware, active C2, domain admin compromise	Immediate isolation
🟠 High	Confirmed malware, lateral movement, data staging	Isolate within 30 min
🟡 Medium	Suspicious activity, potential malware	Investigate within 4 hours
🟢 Low	PUP, adware, likely false positive	Next business day

---

Ransomware Investigation

Objective: Contain ransomware spread, identify scope, preserve evidence, and enable recovery.

Immediate Actions (First 15 Minutes)

1. Isolate affected devices via MDE device isolation

2. Disable compromised accounts if credentials suspected stolen

3. Block known IOCs at network perimeter (Prisma Access)

4. Alert incident response team and leadership

5. Preserve volatile evidence if possible

Step 1: Identify Ransomware Variant

1. Review ransom note filename and content

2. Check encrypted file extension

3. Submit sample to threat intel platforms

4. Identify known decryptors if available

5. Document ransomware family and known TTPs

Step 2: Determine Patient Zero

1. Query earliest file encryption events across environment

2. Identify initial infected device by timestamp

3. Review device timeline for initial access vector

4. Check email logs for phishing delivery

5. Examine network logs for exploitation attempts

Step 3: Map Lateral Movement

1. Query authentication events from patient zero

2. Identify all accessed systems and shares

3. Check for credential harvesting tools (Mimikatz, etc.)

4. Review network connections to other endpoints

5. Document full scope of compromise

Step 4: Identify Data Exfiltration

1. Check for large data transfers before encryption

2. Review cloud storage uploads (OneDrive, SharePoint)

3. Examine network traffic to unknown external IPs

4. Check for staging directories

5. Identify potentially exfiltrated data types

Step 5: Containment & Eradication

1. Extend isolation to all affected devices

2. Block all identified C2 infrastructure

3. Reset credentials for affected users

4. Remove persistence mechanisms

5. Scan and clean all affected systems

---

Fileless Malware Investigation

Objective: Detect and investigate memory-resident and LOLBin-based malware.

Detection Indicators

• PowerShell with encoded commands (-enc, -e, -encodedcommand)

• WMI/CIM for execution or persistence

• Unusual parent-child process relationships

• LOLBAS tool abuse (certutil, mshta, regsvr32, rundll32)

• .NET assembly loading in memory

• Reflective DLL injection

• Process hollowing indicators

Investigation Steps

1. Review process command lines for obfuscation

2. Decode Base64/encoded PowerShell commands

3. Analyse script block logging events

4. Check for WMI subscriptions and persistence

5. Review scheduled tasks for suspicious entries

6. Examine registry run keys and startup locations

7. Analyse memory dumps if available

Key LOLBins to Monitor

Binary	Malicious Use	Detection
powershell.exe	Script execution, download cradles	Encoded commands, web requests
cmd.exe	Command execution	Unusual parent, obfuscation
mshta.exe	HTA execution, proxy execution	Network connections, child processes
certutil.exe	Download files, decode payloads	-urlcache, -decode flags
regsvr32.exe	Proxy execution, COM objects	/s /u /i: parameters
rundll32.exe	DLL execution, proxy	Unusual DLLs, network activity
wmic.exe	WMI queries, remote execution	/node:, process calls
msiexec.exe	MSI installation from URL	/q /i http://
bitsadmin.exe	File downloads	/transfer, /download
cscript/wscript	Script execution	Unusual scripts, network calls

---

Email-Based Malware Investigation

Objective: Investigate malware delivered via email, identify all recipients, and remediate.

Step 1: Identify Malicious Email

1. Query EmailEvents for the malicious message

2. Extract sender, subject, recipient(s), and timestamps

3. Identify attachment details or malicious URLs

4. Check if email passed or was caught by MDO

5. Determine delivery status to all recipients

Step 2: Recipient Analysis

1. List all recipients of the malicious email

2. Identify who opened/clicked the email

3. Check UrlClickEvents for link interactions

4. Review endpoint alerts for recipients

5. Prioritise users who interacted with content

Step 3: Email Artifact Analysis

1. Extract and analyse attachment hashes

2. Submit to sandbox for detonation

3. Review URL reputation and redirects

4. Check for known phishing kit indicators

5. Document all IOCs from email

Step 4: Remediation

1. Purge malicious email from all mailboxes

2. Block sender domain/address

3. Add URL/hash to block lists

4. Notify users who received email

5. Reset credentials if any user interacted

---

KQL Query Cheat Sheet

Device Process Analysis

Suspicious Process Execution

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("encodedcommand", "-enc", "-e ", "bypass", "hidden", "downloadstring", "iex", "invoke-expression")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc

Process Tree Analysis

let targetDevice = "WORKSTATION01";
let timeRange = 24h;
DeviceProcessEvents
| where Timestamp > ago(timeRange)
| where DeviceName =~ targetDevice
| project Timestamp, DeviceName, FileName, ProcessId, ProcessCommandLine, 
    InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine
| sort by Timestamp asc

Encoded PowerShell Detection

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine matches regex @"-[eE][nN]?[cC]?\s+[A-Za-z0-9+/=]{50,}"
| extend DecodedCommand = base64_decode_tostring(extract(@"-[eE][nN]?[cC]?\s+([A-Za-z0-9+/=]+)", 1, ProcessCommandLine))
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, DecodedCommand

---

Malware Detection Queries

New/Rare Executables

DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FileName endswith ".exe" or FileName endswith ".dll"
| where FolderPath has_any ("temp", "appdata", "programdata", "users\\public")
| summarize 
    FirstSeen = min(Timestamp),
    DeviceCount = dcount(DeviceName),
    Devices = make_set(DeviceName, 10)
    by SHA256, FileName, FolderPath
| where DeviceCount < 3
| sort by FirstSeen desc

Suspicious File Drops

DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where InitiatingProcessFileName in~ ("outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "chrome.exe", "msedge.exe", "firefox.exe")
| where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".scr" or FileName endswith ".ps1" or FileName endswith ".vbs" or FileName endswith ".js" or FileName endswith ".hta"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, FolderPath, SHA256

Ransomware Behaviour Detection

DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType == "FileModified" or ActionType == "FileRenamed"
| summarize 
    ModifiedCount = count(),
    UniqueExtensions = dcount(FileName),
    Extensions = make_set(tostring(split(FileName, ".")[-1]), 20)
    by DeviceName, InitiatingProcessFileName, bin(Timestamp, 5m)
| where ModifiedCount > 100
| sort by ModifiedCount desc

---

Network & C2 Detection

Suspicious Outbound Connections

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "onedrive.exe")
| summarize 
    ConnectionCount = count(),
    BytesSent = sum(SentBytes),
    BytesReceived = sum(ReceivedBytes),
    RemoteIPs = make_set(RemoteIP, 10)
    by DeviceName, InitiatingProcessFileName, RemotePort
| where ConnectionCount > 10
| sort by ConnectionCount desc

Beaconing Detection

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| summarize 
    ConnectionCount = count(),
    ConnectionTimes = make_list(Timestamp, 1000)
    by DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
| where ConnectionCount > 20
| extend TimeDeltas = series_diff(array_sort_asc(ConnectionTimes), 1)
| extend AvgDelta = avgif(TimeDeltas, isnotnull(TimeDeltas))
| extend StdDevDelta = stdevif(TimeDeltas, isnotnull(TimeDeltas))
| where StdDevDelta < 60000 // Low variance = potential beaconing (in milliseconds)
| project DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, ConnectionCount, AvgDelta, StdDevDelta

DNS Anomaly Detection

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "DnsQueryResponse"
| where RemoteUrl !endswith ".microsoft.com" and RemoteUrl !endswith ".windows.com"
| extend DomainLength = strlen(RemoteUrl)
| extend Entropy = -sum(dynamic_to_json(array_slice(to_utf8(RemoteUrl), 0, -1)) | mv-expand c to typeof(int) | summarize count() by c | project p = toreal(count_) / DomainLength | summarize sum(p * log2(p)))
| where DomainLength > 50 or Entropy > 4.0
| project Timestamp, DeviceName, RemoteUrl, DomainLength, InitiatingProcessFileName

---

Persistence Detection

Registry Persistence

DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (
    "CurrentVersion\\Run",
    "CurrentVersion\\RunOnce", 
    "CurrentVersion\\RunServices",
    "Winlogon\\Shell",
    "Winlogon\\Userinit",
    "Environment\\UserInitMprLogonScript")
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName

Scheduled Task Creation

DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "ScheduledTaskCreated" or ActionType == "ScheduledTaskUpdated"
| project Timestamp, DeviceName, ActionType, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

Service Installation

DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "ServiceInstalled"
| project Timestamp, DeviceName, ActionType, 
    ServiceName = tostring(parse_json(AdditionalFields).ServiceName),
    ServicePath = tostring(parse_json(AdditionalFields).ServicePath),
    InitiatingProcessFileName
| where ServicePath !startswith "C:\\Windows\\System32"

WMI Persistence

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "WmiBindEventFilterToConsumer"
| project Timestamp, DeviceName, 
    FilterName = tostring(parse_json(AdditionalFields).FilterName),
    ConsumerName = tostring(parse_json(AdditionalFields).ConsumerName),
    InitiatingProcessFileName

---

Email Malware Queries

Malicious Attachment Hunt

EmailAttachmentInfo
| where Timestamp > ago(7d)
| where FileType in ("exe", "dll", "scr", "js", "vbs", "hta", "ps1", "bat", "cmd", "msi", "jar")
    or FileName endswith ".iso"
    or FileName endswith ".img"
    or FileName endswith ".vhd"
| join kind=inner EmailEvents on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, FileName, FileType, SHA256
| sort by Timestamp desc

URL Click Analysis

UrlClickEvents
| where Timestamp > ago(7d)
| where ActionType == "ClickAllowed"
| where Url !startswith "https://microsoft.com" and Url !startswith "https://*.sharepoint.com"
| summarize 
    ClickCount = count(),
    UniqueUsers = dcount(AccountUpn),
    Users = make_set(AccountUpn, 10)
    by Url
| where ClickCount > 5
| sort by ClickCount desc

Emails with Password-Protected Attachments

EmailAttachmentInfo
| where Timestamp > ago(7d)
| where FileType in ("zip", "7z", "rar")
| join kind=inner EmailEvents on NetworkMessageId
| where Subject has_any ("password", "pwd", "pass:", "code:", "protected")
    or SenderFromAddress !endswith "@yourdomain.com"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, FileName

---

Threat Hunting Queries

Hunt for Cobalt Strike Indicators

// Named pipe indicators
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "NamedPipeCreated"
| where PipeName matches regex @"\\\\\.\\pipe\\(MSSE-|status_|msagent_|postex_|mojo\.|demoagent_|\\w{8}-\\w{4}-\\w{4})"
| project Timestamp, DeviceName, PipeName, InitiatingProcessFileName, InitiatingProcessCommandLine

// Process injection
union DeviceEvents, DeviceProcessEvents
| where Timestamp > ago(7d)
| where ActionType in ("CreateRemoteThreadApiCall", "QueueUserApcRemoteApiCall", "SetThreadContextRemoteApiCall")
| project Timestamp, DeviceName, ActionType, FileName, InitiatingProcessFileName, ProcessCommandLine

Hunt for Mimikatz Activity

DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any (
    "sekurlsa::logonpasswords",
    "sekurlsa::wdigest", 
    "lsadump::sam",
    "lsadump::dcsync",
    "kerberos::golden",
    "privilege::debug",
    "token::elevate")
    or FileName =~ "mimikatz.exe"
    or SHA256 in ((known_mimikatz_hashes))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine

Living Off the Land Detection

DeviceProcessEvents
| where Timestamp > ago(24h)
| where 
    (FileName =~ "certutil.exe" and ProcessCommandLine has_any ("-urlcache", "-decode", "-encode"))
    or (FileName =~ "bitsadmin.exe" and ProcessCommandLine has_any ("/transfer", "/download"))
    or (FileName =~ "mshta.exe" and ProcessCommandLine has_any ("http://", "https://", "javascript:"))
    or (FileName =~ "regsvr32.exe" and ProcessCommandLine has_any ("/s", "/u", "/i:http"))
    or (FileName =~ "rundll32.exe" and ProcessCommandLine has_any ("javascript:", "http://", ".dll,"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName

---

Response Actions & Remediation

Immediate Containment Actions

Scenario	Action	Method
Active Malware	Isolate device	MDE → Device page → Isolate device
Ransomware	Network isolation	Isolate + disable network shares
C2 Communication	Block C2 IPs/domains	Prisma Access + MDE custom indicators
Compromised Account	Disable account	Entra ID + on-prem AD
Malicious Email	Purge from mailboxes	MDO → Threat Explorer → Soft/Hard delete
Malicious File	Block by hash	MDE → Indicators → Add file hash

MDE Live Response Commands

Evidence Collection

# Connect to device via Live Response in MDE portal

# Collect running processes
processes

# Get network connections  
connections

# Collect file for analysis
getfile "C:\Users\user\AppData\Local\Temp\malware.exe"

# Get file information
fileinfo "C:\Users\user\AppData\Local\Temp\malware.exe"

# Run script for memory dump
run MemoryDump.ps1

# Get autoruns
run GetAutoruns.ps1

Remediation Commands

# Kill malicious process
remediate kill [PID]

# Quarantine file
remediate quarantine "C:\path\to\malware.exe"

# Remove scheduled task
remediate scheduledtask remove "MaliciousTask"

# Remove registry key
remediate registry delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MaliciousValue"

# Undo isolation
unisolate

Network Containment (Prisma Access)

Action	Location	Details
Block malicious URL	URL Filtering → Custom Categories	Add URL to block category
Block C2 IP	Security Policy → External Dynamic Lists	Add IP to block list
Block file hash	Threat Prevention → Antivirus	Add to custom signature
Isolate user traffic	GlobalProtect → HIP Profiles	Quarantine non-compliant

Post-Incident Remediation Checklist

Eradication

• [ ] Remove all malware files from affected systems

• [ ] Delete persistence mechanisms (registry, scheduled tasks, services)

• [ ] Remove malicious accounts created by attacker

• [ ] Clear cached credentials on affected systems

• [ ] Reset passwords for compromised accounts

• [ ] Revoke all sessions for affected users

• [ ] Block all identified IOCs at all layers

Recovery

• [ ] Restore systems from clean backups if needed

• [ ] Rebuild compromised systems if necessary

• [ ] Verify integrity of restored data

• [ ] Re-enable disabled accounts after password reset

• [ ] Remove device isolation in phases

• [ ] Monitor recovered systems closely for 72 hours

Hardening

• [ ] Patch exploited vulnerabilities

• [ ] Review and tighten application control policies

• [ ] Enable ASR rules relevant to attack technique

• [ ] Update email filtering rules

• [ ] Review firewall rules and network segmentation

• [ ] Conduct user awareness training if phishing-based

---

Quick Reference Cards

Malware Analysis Checklist

Step	Action	Tools
1	Collect file hash (SHA256)	MDE, PowerShell
2	Check reputation	VirusTotal, MDE TI
3	Analyze strings	FLOSS, strings
4	Sandbox detonation	MDE Deep Analysis, Any.Run, Joe Sandbox
5	Review network IOCs	Sandbox report, Wireshark
6	Extract config	Malware-specific tools
7	Document TTPs	MITRE ATT&CK mapping

File Hash Quick Check

# Get SHA256 hash of a file
Get-FileHash -Algorithm SHA256 "C:\path\to\file.exe"

# Get multiple hashes
Get-FileHash -Algorithm SHA256 "C:\path\to\file.exe" | Select-Object Hash, Path
Get-FileHash -Algorithm MD5 "C:\path\to\file.exe" | Select-Object Hash

# Check file signature
Get-AuthenticodeSignature "C:\path\to\file.exe"

Common Malware File Locations

Location	Typical Use
%TEMP%	Initial payload drops
%APPDATA%	User-level persistence
%LOCALAPPDATA%	User-level persistence
%PROGRAMDATA%	System-wide persistence
C:\Users\Public	Shared access drops
%WINDIR%\Temp	System temp drops
%WINDIR%\Tasks	Scheduled task abuse
Recycle Bin ($Recycle.Bin)	Hidden storage

Attack Stage Indicators

Stage	Indicators	Data Source
Delivery	Phishing email, malicious download	EmailEvents, DeviceNetworkEvents
Exploitation	Vulnerability trigger, macro execution	DeviceEvents, DeviceProcessEvents
Installation	File drops, registry changes	DeviceFileEvents, DeviceRegistryEvents
C2	Beaconing, DNS queries	DeviceNetworkEvents
Actions	Data staging, lateral movement	DeviceFileEvents, DeviceLogonEvents
Exfiltration	Large transfers, cloud uploads	DeviceNetworkEvents, CloudAppEvents

---

Escalation Matrix

Severity Classification

Severity	Criteria	Response Time
🔴 Critical	Active ransomware, confirmed C2, data exfiltration in progress, wiper malware	Immediate - 15 min
🟠 High	Confirmed malware execution, lateral movement, credential theft tools	30 min - 1 hour
🟡 Medium	Suspicious execution blocked, potential malware, single endpoint	4 hours
🟢 Low	PUP detected, adware, blocked download attempt	Next business day

Escalation Triggers

Condition	Escalation Level
>5 endpoints with same malware	Tier 2 SOC
Any ransomware detection	Tier 2 SOC + DFIR
Domain controller affected	DFIR + Identity Team + Leadership
Confirmed data exfiltration	DFIR + Legal + Leadership
Supply chain compromise suspected	DFIR + Leadership + External IR
Critical business system affected	DFIR + Business Owner + Leadership

Communication Templates

Initial Notification (Internal)

SECURITY INCIDENT NOTIFICATION

Severity: [Critical/High/Medium/Low]
Time Detected: [Timestamp UTC]
Affected Systems: [Count and list]
Malware Family: [If known]
Current Status: [Investigating/Contained/Eradicated]

Summary:
[Brief description of what was detected]

Immediate Actions Taken:
- [Action 1]
- [Action 2]

Next Steps:
- [Planned action 1]
- [Planned action 2]

SOC Contact: [Name/Number]

---

MITRE ATT&CK Mapping

Initial Access

Technique	ID	Detection	KQL Table
Phishing: Attachment	T1566.001	Malicious attachment detected	EmailAttachmentInfo
Phishing: Link	T1566.002	Malicious URL clicked	UrlClickEvents
Drive-by Compromise	T1189	Browser exploitation	DeviceProcessEvents
Supply Chain	T1195	Compromised software	DeviceFileEvents
External Remote Services	T1133	VPN/RDP compromise	DeviceLogonEvents

Execution

Technique	ID	Detection	KQL Table
PowerShell	T1059.001	Encoded commands, download cradles	DeviceProcessEvents
Command Shell	T1059.003	Suspicious cmd.exe usage	DeviceProcessEvents
Windows Script Host	T1059.005	VBS/JS execution	DeviceProcessEvents
Mshta	T1218.005	HTA execution	DeviceProcessEvents
Regsvr32	T1218.010	Proxy execution	DeviceProcessEvents
Rundll32	T1218.011	DLL side-loading	DeviceProcessEvents

Persistence

Technique	ID	Detection	KQL Table
Registry Run Keys	T1547.001	Run key modification	DeviceRegistryEvents
Scheduled Task	T1053.005	Task creation	DeviceEvents
Services	T1543.003	Service installation	DeviceEvents
WMI Subscription	T1546.003	WMI filter/consumer	DeviceEvents
Boot/Logon Scripts	T1037	Startup script	DeviceRegistryEvents

Defense Evasion

Technique	ID	Detection	KQL Table
Process Injection	T1055	Remote thread creation	DeviceEvents
Masquerading	T1036	Renamed executables	DeviceProcessEvents
Obfuscated Files	T1027	Encoded payloads	DeviceProcessEvents
Disable Security Tools	T1562	AV/EDR tampering	DeviceEvents
Indicator Removal	T1070	Log clearing	DeviceEvents

Credential Access

Technique	ID	Detection	KQL Table
LSASS Dump	T1003.001	LSASS access	DeviceEvents
SAM Dump	T1003.002	Registry SAM access	DeviceRegistryEvents
Credential Dumping	T1003	Mimikatz execution	DeviceProcessEvents
Keylogging	T1056.001	Keylogger installation	DeviceEvents

Command & Control

Technique	ID	Detection	KQL Table
HTTP/HTTPS	T1071.001	Web traffic to C2	DeviceNetworkEvents
DNS	T1071.004	DNS tunneling	DeviceNetworkEvents
Non-Standard Port	T1571	Unusual ports	DeviceNetworkEvents
Encrypted Channel	T1573	SSL/TLS to C2	DeviceNetworkEvents

Exfiltration

Technique	ID	Detection	KQL Table
Exfil Over C2	T1041	Large uploads to C2	DeviceNetworkEvents
Exfil Over Web	T1567	Cloud storage uploads	CloudAppEvents
Automated Exfil	T1020	Scheduled transfers	DeviceNetworkEvents

---

Appendix: Useful Commands

PowerShell Investigation

# Get running processes with command line
Get-CimInstance Win32_Process | Select-Object ProcessId, Name, CommandLine

# Find processes by name
Get-Process -Name "powershell" | Select-Object Id, ProcessName, Path, StartTime

# Get network connections
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess

# Get DNS cache
Get-DnsClientCache | Select-Object Entry, Data, TimeToLive

# Check scheduled tasks
Get-ScheduledTask | Where-Object {$_.State -eq "Ready"} | Select-Object TaskName, TaskPath, State

# Review services
Get-Service | Where-Object {$_.Status -eq "Running"} | Select-Object Name, DisplayName, StartType

# Check startup items
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location

# Get recently modified files
Get-ChildItem -Path C:\Users -Recurse -File | Where-Object {$_.LastWriteTime -gt (Get-Date).AddHours(-24)} | Select-Object FullName, LastWriteTime

# Check for unsigned executables
Get-ChildItem -Path "C:\Users" -Recurse -Include *.exe | Get-AuthenticodeSignature | Where-Object {$_.Status -ne "Valid"}

MDE Advanced Hunting in PowerShell

# Connect to Security Center
Connect-MicrosoftDefender

# Run advanced hunting query
$query = @"
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "-enc"
| project Timestamp, DeviceName, ProcessCommandLine
"@

Invoke-MDATPQuery -Query $query

Network Analysis

# Get established connections with process names
Get-NetTCPConnection -State Established | ForEach-Object {
    $process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        LocalAddress = $_.LocalAddress
        LocalPort = $_.LocalPort
        RemoteAddress = $_.RemoteAddress
        RemotePort = $_.RemotePort
        ProcessName = $process.Name
        ProcessPath = $process.Path
    }
}

# Check for listening ports
Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess

# DNS queries from event log
Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" -MaxEvents 100 | Select-Object TimeCreated, Message

Memory Analysis Prep

# Create memory dump using Windows built-in
# Requires procdump or similar tool
.\procdump.exe -ma lsass.exe lsass.dmp

# Or use PowerShell with comsvcs.dll (requires elevation)
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\temp\lsass.dmp full

Evidence Collection Script

# Quick triage script
$outputPath = "C:\IR_Evidence_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
New-Item -ItemType Directory -Path $outputPath -Force

# System info
systeminfo > "$outputPath\systeminfo.txt"

# Running processes
Get-Process | Export-Csv "$outputPath\processes.csv" -NoTypeInformation

# Network connections
Get-NetTCPConnection | Export-Csv "$outputPath\network.csv" -NoTypeInformation

# Services
Get-Service | Export-Csv "$outputPath\services.csv" -NoTypeInformation

# Scheduled tasks
Get-ScheduledTask | Export-Csv "$outputPath\scheduledtasks.csv" -NoTypeInformation

# Recent files
Get-ChildItem -Path C:\Users -Recurse -File -ErrorAction SilentlyContinue | 
    Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-7)} | 
    Export-Csv "$outputPath\recentfiles.csv" -NoTypeInformation

# Compress for collection
Compress-Archive -Path $outputPath -DestinationPath "$outputPath.zip"

---

⚠️ Important: This runbook should be tested regularly through tabletop exercises and updated after each significant incident to incorporate lessons learned and emerging malware techniques.