SOC Investigation Playbooks
Step-by-step investigation guides for the most common alert types in a production SOC. Each playbook includes decision trees, copy-pasteable SIEM queries, common analyst mistakes, and hands-on practice scenarios in SOCSimulator Operations.
What is an Investigation Playbook?
An investigation playbook is a structured, step-by-step guide that tells a SOC analyst exactly what to do when a specific alert fires. Rather than relying on memory or tribal knowledge, playbooks codify the best investigation process for each alert type, covering what data to collect, which queries to run, how to interpret results, and when to escalate. Well-written playbooks reduce mean time to respond (MTTR), ensure consistent analysis quality across analysts with different experience levels, and create a documented audit trail for compliance.
These playbooks are written for working SOC analysts who face real pressure to triage alerts quickly and accurately. Each one follows an answer-first format: the summary at the top gives you the key actions, and the detailed steps walk you through the full investigation. You can practice the scenarios described here inside SOCSimulator Operations rooms or stress-test your speed in Shift Mode. Start free forever, no credit card required.
- Investigation Playbook
- A documented, repeatable procedure that guides SOC analysts through the investigation of a specific alert type, from initial triage to containment or closure. Playbooks standardize the investigation process, reduce analyst error, and ensure consistent response quality across shifts and experience levels.
“Organizations with formal incident response playbooks identify breaches 54 days faster and save an average of $2.66 million per incident compared to those without documented procedures.”
Browse by Category
Identity & Access (3)
Brute Force Attack Investigation
When authentication logs show repeated failed login attempts against one or more accounts, investigate by identifying the source IP, determining if any attempts succeeded, checking for credential stuffing patterns, and assessing whether the account is now compromised. Block the source IP at the firewall and enforce account lockout policies. Escalate if any login succeeded after the brute force attempt.
Impossible Travel Login Investigation
When authentication logs show a user logging in from two geographically distant locations within a timeframe that makes physical travel impossible, investigate by verifying the user identity, checking for VPN or proxy use, reviewing the device fingerprint, and determining if credentials were compromised. This technique was central to the Scattered Spider campaigns (2023-2024) where attackers used stolen credentials from distant locations to bypass geographic anomaly detection.
MFA Fatigue / Push Bombing Investigation
When authentication logs show repeated MFA push notifications sent to a user in rapid succession, especially outside business hours, investigate for MFA fatigue attacks where an attacker with valid credentials repeatedly triggers push notifications hoping the user will approve one out of frustration or confusion. This technique was used in the Uber breach (September 2022) by the Lapsus$ group, where a contractor approved a push notification after receiving over 100 requests.
Lateral Movement & Discovery (2)
Lateral Movement Investigation
When alerts indicate unusual internal connections, RDP to servers from workstations, PsExec executions, or SMB access to file shares from unexpected hosts, investigate by mapping the movement path, identifying the initial compromise point, checking for credential harvesting, and assessing the scope of accessed systems. Lateral movement is almost always part of a larger attack chain and warrants immediate escalation.
Kerberoasting Attack Investigation
When SIEM detects an unusual volume of Kerberos TGS ticket requests (Event ID 4769) with RC4 encryption from a single account, investigate for Kerberoasting. This Active Directory attack requests service tickets for accounts with Service Principal Names, then cracks them offline to obtain plaintext passwords. Used by APT29 (Cozy Bear), FIN7, and virtually every ransomware group that operates in Active Directory environments. The cracked service account passwords often provide domain admin access.
Exfiltration & Impact (2)
Ransomware Activity Investigation
When indicators suggest ransomware (mass file encryption, suspicious process behavior, ransom notes, or shadow copy deletion), immediately isolate affected systems to prevent lateral spread. Investigate the attack timeline to determine initial access, the scope of encryption, evidence of data exfiltration, and which backups are intact. Ransomware investigations are time-critical; every minute of delay means more encrypted files.
Data Exfiltration Investigation
When monitoring detects large outbound data transfers, unusual cloud storage uploads, or archive file creation on sensitive systems, investigate for data exfiltration. The MOVEit Transfer vulnerability exploitation by the Cl0p ransomware group (May-June 2023) resulted in data theft from over 2,600 organizations affecting 77 million individuals, demonstrating that exfiltration can be massive, automated, and completed before detection. Identify what data was taken, how it left the network, and the full scope of exposure.
Malware & Execution (4)
Suspicious Process Execution Investigation
When XDR or EDR alerts on suspicious process execution, unusual parent-child relationships, encoded command lines, or processes spawning from unexpected locations, investigate by analyzing the full process tree, checking the binary hash against threat intelligence, examining command-line arguments for malicious intent, and determining if the execution is part of a larger attack chain. Look at what happened before and after the process executed.
Cobalt Strike Beacon Detection & Investigation
When network or endpoint detection tools alert on periodic HTTP/HTTPS beaconing, named pipe creation, or process injection consistent with Cobalt Strike, investigate immediately. Cobalt Strike is the post-exploitation framework most commonly used by both penetration testers and threat actors. It was used in the SolarWinds SUNBURST attack (2020), the Colonial Pipeline ransomware (2021), and in APT29 (Cozy Bear) campaigns. Confirm the beacon, identify the C2 server, map all infected hosts, and contain before lateral movement begins.
Macro-Enabled Document Malware Investigation
When XDR detects a Microsoft Office process spawning a scripting interpreter (Word launching PowerShell, Excel spawning cmd.exe, or similar), investigate for macro-based malware delivery. This remains one of the most prolific initial access methods despite Microsoft disabling macros by default in 2022. Emotet, the most successful malware distribution network (disrupted 2021, resurrected 2022-2023), relied almost exclusively on macro-enabled documents to infect over 1.6 million systems globally.
Supply Chain Compromise Investigation
When trusted software updates or third-party tools exhibit unexpected behavior (making unusual network connections, spawning unexpected processes, or accessing sensitive data), investigate for supply chain compromise. The SolarWinds SUNBURST attack (2020) and the 3CX supply chain attack (March 2023) demonstrated that even signed, legitimate software can be weaponized. These attacks are exceptionally dangerous because the malicious code arrives through trusted update channels, bypassing most security controls.
Network & Infrastructure (2)
Command and Control (C2) Traffic Investigation
When network monitoring detects periodic outbound connections to suspicious external hosts, unusual DNS patterns, or traffic matching known C2 signatures, investigate for command and control communications. The SolarWinds SUNBURST backdoor (discovered December 2020) communicated with its C2 via DNS queries to avsvmcloud.com, demonstrating that C2 can hide in normal-looking traffic for months. Identify the protocol, map all communicating hosts, and contain before the attacker can execute their objectives.
DNS Tunneling Investigation
When DNS monitoring detects anomalous query patterns, high-entropy subdomains, unusually long query strings, excessive TXT record requests, or high query volume to a single domain, investigate for DNS tunneling. Attackers encode data in DNS queries and responses to exfiltrate data or maintain C2 channels that bypass firewalls and web proxies. The APT34 (OilRig) group and the DNSMessenger backdoor are notable real-world examples of DNS tunneling for espionage and persistent access.
Frequently Asked Questions
- What is an investigation playbook?
- An investigation playbook is a structured, step-by-step guide that tells a SOC analyst exactly what to do when a specific alert type fires. It covers what data to collect, which SIEM queries to run, how to interpret results, decision trees for escalation, and documentation requirements. Playbooks reduce mean time to respond (MTTR) and ensure consistent analysis quality across analysts of all experience levels.
- How do SOC analysts use playbooks?
- SOC analysts open the relevant playbook when an alert fires, then follow the investigation steps in order. Each step tells them which tool to use (SIEM, XDR, or Firewall), provides copy-pasteable queries, and includes decision points that branch the investigation based on findings. Analysts document their results at each step and use the escalation criteria to determine if the alert needs Tier 2 or incident response involvement.
- What makes a good incident response playbook?
- A good incident response playbook is specific enough to be actionable but flexible enough to handle variations. It should include an answer-first summary for quick reference, concrete SIEM queries (not just descriptions), clear decision trees at each stage, common mistakes to avoid, and explicit escalation criteria. The best playbooks are tested against real incidents and updated regularly based on lessons learned.
- Are these playbooks free to use?
- Yes, all investigation playbooks on SOCSimulator are free to read and reference. The playbooks include real SIEM queries in SPL (Splunk), KQL (Microsoft Sentinel), and Lucene (Elastic) formats. You can also practice the scenarios described in each playbook inside SOCSimulator Operations rooms, which are free forever with no credit card required.
- How often are the playbooks updated?
- Playbooks are reviewed and updated quarterly to reflect evolving threat landscapes, new attack techniques, and changes in SIEM query syntax. Each playbook is mapped to MITRE ATT&CK techniques and updated when new sub-techniques are published. Community feedback from analysts practicing in SOCSimulator also drives improvements to investigation steps and decision trees.
Practice These Playbooks in a Real SOC Environment
Reading a playbook is one thing. Executing it under pressure is another. SOC Simulator puts you in the analyst seat with realistic alerts, real SIEM interfaces, and zero consequences. Build the muscle memory to respond fast and accurately. Start free forever.