⚠ EDR ALERT — CRITICAL — HOST: WKSTN-014
IR-02
INCIDENT RESPONSE — MALWARE ON AN ENDPOINT
SUSPICIOUS PROCESS · UNKNOWN NETWORK BEACON · PERSISTENCE DETECTED

OBJECTIVES

Read the incident ticket
Find the malicious process
Identify the C2 IP address
Find the persistence mechanism
Identify the registry run key
Find the initial execution event in logs
Look up C2 IP in threat intel
Run PowerShell investigation commands
Submit the IR report
PHASE 1 — TRIAGE
INCIDENT BRIEF
⚠ EDR ALERT — TICKET #IR-2026-0447

MALWARE ON ENDPOINT

HOST: WKSTN-014 · USER: james.porter · 11:34 UTC

INCIDENT SUMMARY

The EDR platform fired a CRITICAL alert on workstation WKSTN-014 assigned to James Porter (Sales Department). The alert flagged an unknown process making repeated outbound connections to an external IP. James reported his machine has been running slowly since yesterday morning and he noticed a brief command prompt window flash on screen when he logged in.

HOST DETAILS

Property     Value
Hostname     WKSTN-014
User         james.porter
OS           Windows 11 Pro 23H2
IP           10.10.14.22
Dept         Sales
Last Login   2026-05-08 08:47 UTC

EDR ALERT DETAILS

Alert Type: Suspicious Outbound Network Connection
Process: svchost32.exe (note: NOT the legitimate svchost.exe)
Connection: Repeated beaconing every 60 seconds to external IP
Severity: CRITICAL

YOUR TASKS

  • Open Process Explorer — find the malicious process and its parent
  • Open Network Monitor — identify the C2 IP and beacon interval
  • Open Registry Viewer — find the persistence mechanism
  • Open Event Log — trace the initial execution chain
  • Open Threat Intel — look up the C2 IP
  • Run PowerShell investigation commands
  • Complete the IR Report

HINT

Legitimate Windows svchost.exe always runs from C:\Windows\System32\ and is always a child of services.exe. Any deviation from this is a strong IOC.
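The two checks the brief asks for, the svchost legitimacy test from the hint and the 60-second beacon pattern from the EDR alert, can be expressed as small detection functions. The following is an added example and is not part of the lab or its tooling; the process snapshot, the parent process name and the connection timestamps are constructed for illustration, and the 2-second jitter threshold is an assumed tuning value.

```python
"""Added example (not the lab's code): triage checks modelled on the brief.

  1. svchost legitimacy: real svchost.exe lives in C:\\Windows\\System32 and is a
     child of services.exe; a lookalike name, a different directory or a
     different parent is treated as an IOC, as the hint states.
  2. beacon detection: repeated outbound connections from one process at a
     near-constant interval (low jitter) are the "beaconing" the alert describes.
All process and connection records below are constructed for illustration.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from statistics import median, pstdev

LEGIT_SVCHOST_DIR = PureWindowsPath(r"C:\Windows\System32")
LEGIT_SVCHOST_PARENT = "services.exe"


def svchost_lookalike(name: str) -> bool:
    """True for names that imitate svchost.exe without being exactly it."""
    n = name.lower()
    return n != "svchost.exe" and n.startswith("svchost")


def assess_process(proc: dict) -> list[str]:
    """Return the IOC reasons for one process record (empty list = clean).

    Record keys (constructed schema): pid, name, path, parent.
    """
    reasons = []
    name = proc["name"].lower()
    if svchost_lookalike(name):
        reasons.append(f"lookalike name {proc['name']!r} (not svchost.exe)")
    if name == "svchost.exe" or svchost_lookalike(name):
        # PureWindowsPath compares case-insensitively, as Windows does.
        path_dir = PureWindowsPath(proc["path"]).parent
        if path_dir != LEGIT_SVCHOST_DIR:
            reasons.append(f"runs from {path_dir} instead of {LEGIT_SVCHOST_DIR}")
        if proc["parent"].lower() != LEGIT_SVCHOST_PARENT:
            reasons.append(f"parent is {proc['parent']} instead of services.exe")
    return reasons


def triage(snapshot: list[dict]) -> dict[int, list[str]]:
    """Map pid -> IOC reasons for every flagged process in a snapshot."""
    return {p["pid"]: r for p in snapshot if (r := assess_process(p))}


def beacon_interval(timestamps: list[datetime], max_jitter_s: float = 2.0):
    """Return (median_gap_seconds, is_beacon) for connection times from one
    process to one remote address.

    is_beacon is True when there are at least 4 connections and the gaps
    between them are nearly constant (population stdev <= max_jitter_s,
    an assumed threshold).
    """
    if len(timestamps) < 4:
        return None, False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return median(gaps), pstdev(gaps) <= max_jitter_s


# Constructed process snapshot; the user-profile path and cmd.exe parent are
# illustrative, not the lab's answer key.
SNAPSHOT = [
    {"pid": 812, "name": "svchost.exe",
     "path": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"pid": 4120, "name": "svchost32.exe",
     "path": r"C:\Users\james.porter\AppData\Roaming\svchost32.exe",
     "parent": "cmd.exe"},
    {"pid": 2304, "name": "explorer.exe",
     "path": r"C:\Windows\explorer.exe", "parent": "userinit.exe"},
]

# Constructed connection times: one process reaching out every 60 s with
# about 1 s of jitter, the pattern an EDR reports as beaconing.
T0 = datetime(2026, 5, 9, 11, 30, 0)
BEACON_TIMES = [T0 + timedelta(seconds=60 * i + (i % 2)) for i in range(6)]
# Constructed irregular traffic for contrast (interactive browsing-like gaps).
IRREGULAR_TIMES = [T0 + timedelta(seconds=s) for s in (0, 5, 90, 97, 400)]

if __name__ == "__main__":
    for pid, reasons in triage(SNAPSHOT).items():
        print(f"PID {pid}:")
        for r in reasons:
            print(f"  - {r}")
    print("beacon:", beacon_interval(BEACON_TIMES))
    print("irregular:", beacon_interval(IRREGULAR_TIMES))
```

The process check deliberately fires on three independent signals (name, directory, parent) so that a sample that gets only one of them right, for example a lookalike dropped into System32, is still flagged. The beacon check uses the median gap rather than the mean so a single delayed connection does not shift the reported interval.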

PROCESS EXPLORER — WKSTN-014 — Live Snapshot 11:34:07 UTC
Auto-refresh: 5s · Snapshot: 11:34:07 UTC
NETWORK MONITOR — WKSTN-014 — Active Connections
Total: 18
Established: 9
Listening: 7
⚠ Suspicious: 1
Beaconing detected · 60s interval
REGISTRY VIEWER — WKSTN-014
EVENT LOG VIEWER — WKSTN-014 — Windows Security + System
Showing 24 events
THREAT INTELLIGENCE — IOC LOOKUP
LOOK UP IP, DOMAIN, OR HASH
Enter an IP, domain, or file hash from your investigation to query threat feeds.
POWERSHELL 7 — WKSTN-014 (Remote Session)
Windows PowerShell 7.4.1
Establishing remote session to WKSTN-014...
Connected. Running as: analyst@APEXCORP
# Type "help" for available commands
PS C:\>
NOTEPAD — IR SCRATCHPAD
IR REPORT — TICKET #IR-2026-0447
MALWARE IDENTIFICATION
C2 INFRASTRUCTURE
PERSISTENCE & EXECUTION
RECOMMENDED ACTIONS