Windows Malware Detection Playbook

Introduction

In today’s rapidly evolving threat landscape, malware remains one of the most persistent and dangerous threats to enterprise security. Cybercriminals continuously develop sophisticated malware variants that evade traditional security controls, exploit vulnerabilities, and compromise sensitive data. As organisations increasingly adopt cloud-based infrastructures, hybrid environments, and remote work models, the attack surface expands, making proactive malware detection more critical than ever.

Effective malware detection capabilities and processes are essential for identifying and mitigating threats before they escalate into full-scale security incidents. A robust detection framework combines behavioural analytics, endpoint monitoring, threat intelligence, and machine learning to detect known and unknown malware strains. Additionally, integrating advanced security solutions such as Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), and Security Information and Event Management (SIEM) solutions enhances visibility and response capabilities.

To stay ahead of adversaries, security teams must adopt a proactive approach by leveraging threat-hunting methodologies, forensic analysis, and automation-driven incident response. A well-defined malware detection process not only minimises the risk of operational disruptions and data breaches but also strengthens an organisation’s overall cybersecurity posture.

Table of Contents

1. Initial Malware Detection

   • Detect Unusual Process Executions

   • Detect Processes Launched from Temporary Directories

   • Advanced Suspicious Command Detection

2. Persistence Mechanisms

   • Registry Key Modifications

   • Scheduled Tasks Creation

   • Advanced Startup Folder Monitoring

3. Privilege Escalation and Credential Theft

   • Suspicious LSASS Access

   • Mimikatz-Style Activities

   • Advanced Credential Dumping Detection

4. Lateral Movement Detection

   • Remote Execution Using PsExec

   • Network Shares Access

   • Lateral Movement via WMI

5. Data Exfiltration Indicators

   • Large Data Transfers to External Destinations

   • Use of File Compression Tools

   • DNS Tunneling Detection

6. Post-Incident Investigation

   • Correlation of File Hashes

   • Compromised User Accounts

   • Incident Timeline Reconstruction

7. Conclusion

---

This playbook provides a structured approach to investigating malware compromises in a Windows enterprise environment using KQL (Kusto Query Language) queries. Each section focuses on a specific detection and analysis phase with multiple query options and detailed descriptions.

1. Initial Malware Detection

The initial phase involves identifying potential signs of compromise, such as suspicious file execution or network activities.

Query Option 1: Detect Unusual Process Executions

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| where ProcessCommandLine contains "-EncodedCommand" or ProcessCommandLine contains "Invoke-WebRequest"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName

Description: This query looks for encoded or obfuscated commands executed by common scripting tools. The expected result includes timestamps, device names, and command lines associated with the execution.

Query Option 2: Detect Processes Launched from Temporary Directories

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FolderPath startswith "C:\\Users\\" and FolderPath contains "Temp"
| project Timestamp, DeviceName, FolderPath, FileName, ProcessCommandLine

Description: Identifies processes launched from temporary directories, which are commonly used by malware. The expected result highlights potential malicious file execution paths.

Query Option 3: Advanced Suspicious Command Detection

DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"(\\b(base64|encoded|bypass|invoke|iex|new-object)\\b)"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountDomain

Description: Uses regex matching for advanced detection of suspicious commands often seen in malware activities. Results include details on command-line patterns and associated accounts.

---

2. Persistence Mechanisms

Malware often establishes persistence to survive reboots or logoffs.

Query Option 1: Registry Key Modifications

DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKeyPath has_any ("Run", "RunOnce", "Services")
| project Timestamp, DeviceName, RegistryKeyPath, RegistryValueName, RegistryValueData

Description: Detects modifications to common registry keys used for persistence. Results show changes in specific keys, including the associated device and value data.

Query Option 2: Scheduled Tasks Creation

DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine contains "schtasks"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName

Description: Searches for the creation of scheduled tasks, a frequent persistence method. Results display task creation commands with the initiating process details.

Query Option 3: Advanced Startup Folder Monitoring

DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath contains "\\Startup"
| where FileName endswith ".exe" or FileName endswith ".bat"
| project Timestamp, DeviceName, FolderPath, FileName

Description: Monitors files added to startup folders, which can indicate persistence attempts. Results display suspicious files with paths and timestamps.

---

3. Privilege Escalation and Credential Theft

Detecting attempts to elevate privileges or steal credentials.

Query Option 1: Suspicious LSASS Access

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName == "lsass.exe" and InitiatingProcessFileName in ("procdump.exe", "rundll32.exe")
| project Timestamp, DeviceName, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine

Description: Detects tools attempting to access LSASS for credential dumping. The result highlights the initiating processes targeting LSASS.

Query Option 2: Mimikatz-Style Activities

DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine contains_any ("sekurlsa::logonpasswords", "privilege::debug")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName

Description: Flags process commands associated with Mimikatz. Results include timestamps, devices, and command details.

Query Option 3: Advanced Credential Dumping Detection

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in ("powershell.exe", "wmiexec.exe") and ProcessCommandLine contains_any ("DumpCreds", "ExtractPasswords")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName

Description: Expands detection to include custom tools for credential theft. Results show command lines and related accounts.

---

4. Lateral Movement Detection

Malware may attempt to move laterally within the environment.

Query Option 1: Remote Execution Using PsExec

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIPType == "Private" and InitiatingProcessFileName == "PsExec.exe"
| project Timestamp, DeviceName, RemoteIPAddress, InitiatingProcessCommandLine

Description: Identifies the use of PsExec for remote execution. Results include IP addresses and command lines used.

Query Option 2: Network Shares Access

DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".exe" and FolderPath startswith "\\\\"
| project Timestamp, DeviceName, FolderPath, FileName

Description: Detects executable files accessed on network shares. Results highlight potential lateral movement activities.

Query Option 3: Lateral Movement via WMI

DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine contains "wmic" and ProcessCommandLine contains "/node:"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Description: Detects usage of WMI for remote execution across systems. Results display command-line details and initiating accounts.

---

5. Data Exfiltration Indicators

Detecting signs of data exfiltration is critical for assessing impact.

Query Option 1: Large Data Transfers to External Destinations

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIPType == "Public" and Direction == "Outbound" and BytesSent > 1000000
| project Timestamp, DeviceName, RemoteIPAddress, BytesSent, InitiatingProcessCommandLine

Description: Flags large data transfers to public IP addresses. Results include data volume, destination IPs, and associated processes.

Query Option 2: Use of File Compression Tools

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in ("7z.exe", "winrar.exe", "powershell.exe") and ProcessCommandLine contains_any ("compress", "archive")
| project Timestamp, DeviceName, FileName, ProcessCommandLine

Description: Detects the use of compression tools, often used before exfiltration. Results show the execution details of compression commands.

Query Option 3: DNS Tunneling Detection

DeviceNetworkEvents
| where Timestamp > ago(7d)
| where Protocol == "DNS" and strlen(RemoteDnsDomain) > 50
| summarize Count = count() by RemoteDnsDomain, DeviceName
| where Count > 100

Description: Identifies potential DNS tunneling by analysing unusually long domain names with high query counts. Results display devices and domains.

---

6. Post-Incident Investigation

Once the malware activity is contained, investigate further to understand its scope and origin.

Query Option 1: Correlation of File Hashes

DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in ("<known-malicious-hash-1>", "<known-malicious-hash-2>")
| project Timestamp, DeviceName, FolderPath, FileName, SHA256

Description: Identifies devices where known malicious files were present. Results show file hashes, paths, and timestamps.

Query Option 2: Compromised User Accounts

DeviceLogonEvents
| where Timestamp > ago(30d)
| where AccountName in ("<compromised-user-1>", "<compromised-user-2>")
| project Timestamp, DeviceName, AccountName, LogonType, LogonStatus

Description: Tracks activity related to compromised accounts. Results include login types, statuses, and device associations.

Query Option 3: Incident Timeline Reconstruction

union DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents, DeviceLogonEvents
| where Timestamp > ago(30d)
| where DeviceName in ("<compromised-device-1>", "<compromised-device-2>")
| project Timestamp, EventType = $table, DeviceName, InitiatingProcessCommandLine, FolderPath, RemoteIPAddress, AccountName
| order by Timestamp asc

Description: Combines multiple data sources to create a timeline of activities on compromised devices. Results provide a holistic view of the incident.

---

Conclusion

The playbook offers a good approach to detecting and analysing malware compromises in a Windows enterprise network. However, its usefulness depends on the environment and tools at your disposal. For an environment where KQL is an option, the queries may require some adaptation to specific data sources and infrastructure setup.