EDR and XDR Investigations

Investigate endpoint threats using EDR and XDR telemetry.

Last updated: February 2026

Purpose and Scope

EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response) platforms provide deep visibility into endpoint activity. This playbook covers investigation workflows using this telemetry to analyze suspected compromises.

Prerequisites

  • EDR/XDR console access: CrowdStrike, Microsoft Defender, SentinelOne, Carbon Black, or similar
  • Endpoint telemetry: Process trees, file activity, network connections, registry changes
  • Investigation permissions: Ability to query historical data and isolate endpoints if needed
  • Baseline understanding: Normal processes, scheduled tasks, and user behavior in your environment

Detection Goals

EDR/XDR investigations help identify:

  • Malicious process execution and command line arguments
  • Persistence mechanisms (services, scheduled tasks, registry run keys)
  • Lateral movement between endpoints
  • Data collection and staging
  • Command and control communications

Investigation Workflow

1. Initial Alert Triage

When an EDR alert fires:

  • Review the detection name and severity
  • Check the affected endpoint and user
  • Note the timestamp and triggering activity
  • Determine if this is an isolated event or part of a pattern

2. Process Tree Analysis

Examine the process hierarchy to understand execution context:

  • What was the parent process? (e.g., explorer.exe, outlook.exe, cmd.exe)
  • What child processes were spawned?
  • Are the parent-child relationships expected?
  • Look for suspicious lineage: an email client spawning PowerShell, a browser spawning cmd.exe

3. Command Line Inspection

Review command line arguments for indicators:

  • Encoded commands (base64, hex)
  • Download cradles (certutil, bitsadmin, PowerShell WebClient)
  • Reconnaissance commands (whoami, ipconfig, net user)
  • File paths to unusual locations (temp, appdata, public)
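As an added example (not part of the original playbook or any vendor's product), the following Python script reconstructs process lineage from constructed sample telemetry and applies the step 2 and step 3 checks above: unexpected parent-child pairs, encoded commands, download cradles, and unusual paths. The event field names (pid, ppid, image, cmdline) are assumptions, not a real EDR schema.

```python
import re

# Constructed sample EDR process events (placeholders, not from a real console); field names are assumptions.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Office16\OUTLOOK.EXE", "cmdline": "OUTLOOK.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="},
    {"pid": 400, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c "C:\Users\Public\update.bat"'},
]

OFFICE_OR_MAIL = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command line indicators from step 3: encoded commands, download cradles, unusual file paths.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
CRADLE_RE = re.compile(r"certutil\b.*-urlcache|bitsadmin\b.*/transfer|Net\.WebClient|DownloadString|Invoke-WebRequest", re.I)
UNUSUAL_PATH_RE = re.compile(r"\\(?:Temp|AppData|Users\\Public|ProgramData)\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def lineage(events, pid):
    """Image basenames from the root ancestor down to pid (step 2: process tree)."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def analyze(events):
    """Flag processes with unexpected lineage or command line indicators (steps 2 and 3)."""
    findings = []
    for e in events:
        chain = lineage(events, e["pid"])
        name, parent = chain[-1], (chain[-2] if len(chain) > 1 else None)
        reasons = []
        if name in SHELLS and parent in OFFICE_OR_MAIL | BROWSERS:
            reasons.append(f"{parent} spawned {name}")
        if ENCODED_RE.search(e["cmdline"]):
            reasons.append("encoded command")
        if CRADLE_RE.search(e["cmdline"]):
            reasons.append("download cradle")
        if UNUSUAL_PATH_RE.search(e["cmdline"]) or UNUSUAL_PATH_RE.search(e["image"]):
            reasons.append("unusual path")
        if reasons:
            findings.append({"pid": e["pid"], "lineage": " > ".join(chain), "reasons": reasons})
    return findings
```

Run `analyze(SAMPLE_EVENTS)` to see the two flagged chains; the benign explorer.exe and chrome.exe processes produce no findings.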

4. File Activity Review

Check what files were created, modified, or accessed:

  • Were executables dropped to disk?
  • Were scripts created in temp directories?
  • Were sensitive files accessed (password stores, documents)?
  • Check file hashes against threat intelligence

5. Network Connection Analysis

Review outbound connections from the endpoint:

  • What external IPs or domains were contacted?
  • Were connections made on unusual ports?
  • Do connection patterns suggest beaconing?
  • Cross-reference with threat intelligence feeds

6. Persistence Check

Look for mechanisms that maintain access:

  • New scheduled tasks or services
  • Registry run keys modified
  • Startup folder changes
  • WMI subscriptions

7. Timeline Reconstruction

Build a chronological view of activity:

  • When did the first suspicious activity occur?
  • What was the initial access vector?
  • How did the attack progress over time?
  • Were other endpoints affected?

Key Fields to Examine

  • Process name and path: Is the binary expected in that location?
  • Parent process: Is this parent-child relationship normal?
  • Command line: Are there suspicious arguments?
  • User context: Did this run as SYSTEM, admin, or standard user?
  • File hash: Does it match known malware?
  • Network destination: Is the IP/domain malicious?
  • Digital signature: Is the binary signed by a trusted publisher?

Common Attack Patterns

Phishing-Based Compromise

Email client or browser spawns Office application, which spawns cmd/PowerShell, which downloads and executes payload.

Living off the Land

Attackers use built-in tools (PowerShell, certutil, mshta, wmic) to avoid dropping custom malware.

Credential Theft

Processes accessing LSASS memory, the SAM database, or credential stores. Look for access patterns associated with tools like Mimikatz.

Response Actions

  • Isolate endpoint: Use EDR network isolation to contain active threats
  • Kill malicious processes: Terminate suspicious execution chains
  • Collect forensic artifacts: Memory dumps, disk images if needed
  • Block indicators: Add hashes, IPs, domains to blocklists
  • Reset credentials: If credential theft is suspected

Built by RedPhish LLC. All Rights Reserved. Copyright 2025.