🦠 Endpoint Detection Playbook β€” Workflow & Tactical Playbook

Panduan operasional untuk incident detection & response di endpoint: detection lifecycle penuh dari alert hingga lessons learned, konfigurasi EDR tools, detection scenarios dengan playbook taktis, Sigma rules, live response procedure, dan case studies nyata. BUKAN ulasan arsitektur endpoint security β€” fokus di sini adalah bagaimana mendeteksi dan merespons ancaman di endpoint secara operasional.

Hubungan ke Vault

Melengkapi endpoint-security (CPU Ring & boot chain) dan blueteam-detection-matrix (C2 per level). Beririsan dengan blueteam-vs-enterprise-c2 untuk lateral movement & persistence. Detection kernel terkait ebpf-kernel-security. Semua skenario mengikuti purple-team-osi-killchain.


Daftar Isi


Detection Lifecycle

Setiap insiden endpoint mengikuti 7 fase:

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚              ENDPOINT DETECTION LIFECYCLE                     β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ Fase 1   β”‚ ALERT β€” Rule/sensor fires (Sysmon/EDR/Sigma)      β”‚
β”‚ Fase 2   β”‚ TRIAGE β€” Validasi process tree, cmdline, IOC      β”‚
β”‚ Fase 3   β”‚ INVESTIGATE β€” Memory dump, timeline, artifacts    β”‚
β”‚ Fase 4   β”‚ CONTAIN β€” Network isolate, kill process, block C2 β”‚
β”‚ Fase 5   β”‚ ERADICATE β€” Remove persistence, delete binaries   β”‚
β”‚ Fase 6   β”‚ RECOVER β€” Golden image rebuild, rotate creds      β”‚
β”‚ Fase 7   β”‚ LESSONS LEARNED β€” Update rules, purple team       β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Alert Severity Matrix

SeverityContohSLA TriageSLA Contain
CRITICALRansomware, LSASS dump, Golden Ticket5 menit15 menit
HIGHProcess injection, service/scheduled task15 menit1 jam
MEDIUMLOLBin, registry persistence, unusual outbound1 jam4 jam
LOWUser agent anomaly, USB insertion24 jamβ€”

Decision Tree β€” TP vs FP

[ALERT FIRES]
β”œβ”€β”€ Proses child legitimate dari parent? Yesβ†’FP, Noβ†’lanjut
β”œβ”€β”€ Cmdline normal? ex: -enc <base64> β†’ MALICIOUS (TP)
β”œβ”€β”€ Hash file dikenal malicious? (VirusTotal, Threat Intel)
β”œβ”€β”€ Network connection ke known-bad IP/domain?
└── Jika ragu β†’ isolate dulu, investigasi lanjutan

EDR Tools Breakdown

Perbandingan EDR Tools

ToolTipeDetectionKelebihanKelemahanBiaya
SysmonOS-native sensorETW + kernel driverGratis, native Windows, extremely configurableButuh SIEM, no built-in responseFree
VelociraptorForensic + EDRVQL, artifact collectionLive response built-in, fleksibelNo real-time alertingFree
WazuhSIEM + XDRLog + FIM + rootcheckFull stack gratis, complianceAgent overheadFree
Elastic SecuritySIEM + EDRBehavioral + ML + SigmaStack terintegrasi, ML jobsResource-heavyFree/Enterprise
CrowdStrike FalconCloud-native EDRCloud ML + IOA + IOCDetection terbaik, zero-trustMahal ($10-15/endpoint)Commercial

Sysmon β€” Event ID Penting

IDDeskripsiUse Case
1Process creationLOLBin, unusual parent-child
3Network connectionBeaconing, C2, data exfil
6Driver loadedBYOVD, kernel rootkit
7Image loadedDLL hijacking, reflective load
8CreateRemoteThreadProcess injection
10Process accessLSASS dump, token theft
11File createRansomware ext, dropper
12-14Registry eventRun key persistence
19-21WMI eventWMI persistence
22DNS queryDNS exfil, C2 lookup
25Process tamperingProcess hollowing

Sysmon Config Minimal

<Sysmon schemaversion="4.90">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\Windows\System32\conhost.exe</Image>
    </ProcessCreate>
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">443</DestinationPort>
      <DestinationPort condition="is">80</DestinationPort>
    </NetworkConnect>
    <DriverLoad onmatch="include">
      <Signature condition="not contains">Microsoft</Signature>
    </DriverLoad>
    <ProcessAccess onmatch="include">
      <TargetImage condition="contains">lsass.exe</TargetImage>
      <TargetImage condition="contains">winlogon.exe</TargetImage>
    </ProcessAccess>
    <CreateRemoteThread onmatch="include">
      <SourceImage condition="not contains">C:\Windows\System32\</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>

Velociraptor β€” VQL Hunting

-- Proses dengan parent-child tidak wajar
LET p = SELECT Pid, Ppid, Name, CommandLine FROM pslist()
WHERE Name =~ 'cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe'
   AND Ppid NOT IN (0, 4, 536, 876)
SELECT * FROM p
-- Process hollowing: svchost.exe di path salah
SELECT Pid, Name, Exe FROM pslist()
WHERE Name = 'svchost.exe' AND NOT Exe =~ 'C:\\\\Windows\\\\System32\\\\svchost\.exe'

Elastic Security β€” EQL

// Office app spawns shell (macro β†’ execution)
process where event.type == "start" and
  process.parent.name : ("winword.exe","excel.exe","powerpnt.exe") and
  process.name : ("cmd.exe","powershell.exe","wscript.exe","cscript.exe")
// LSASS access anomaly
api where process.name != "lsass.exe" and winlog.event_id == 10 and
  winlog.event_data.TargetImage : "*\\lsass.exe" and
  winlog.event_data.GrantedAccess : ("0x1F0FFF","0x1F1FFF")

CrowdStrike β€” IOA Classes

IOA ClassScenario
ProcessInjectionCreateRemoteThread, APC, hollowing
CredentialTheftLSASS dump via DLL load pattern
RansomwareBehaviorMass file mod + shadow copy delete
PersistenceNew autorun, WMI, service install
LateralMovementWMI/WinRM exec, remote scheduled task
BypassAttemptETW patch, AMSI bypass, driver unload

Process Injection Detection

1. CreateRemoteThread

OpenProcess β†’ VirtualAllocEx β†’ WriteProcessMemory β†’ CreateRemoteThread

title: CreateRemoteThread in LSASS
status: stable
logsource:
  product: windows
  category: create_remote_thread
detection:
  selection:
    EventID: 8
    TargetImage|endswith: '\lsass.exe'
  filter_legit:
    SourceImage|startswith:
      - 'C:\Windows\System32\'
      - 'C:\Program Files\'
  condition: selection and not filter_legit
level: critical
tags: [attack.defense_evasion, attack.t1055.001]

2. APC Injection

QueueUserAPC β†’ shellcode di antrian thread, eksekusi saat alertable state.

title: APC Injection via QueueUserAPC
status: experimental
logsource:
  product: windows
  category: create_remote_thread
detection:
  selection:
    EventID: 8
    StartModule|contains: "Unknown"
    SourceImage|endswith: ['\powershell.exe', '\wmic.exe', '\mshta.exe']
  condition: selection
level: high
tags: [attack.defense_evasion, attack.t1055.004]

3. Process Hollowing

CreateProcess(suspended) β†’ NtUnmapViewOfSection β†’ VirtualAllocEx β†’ WriteProcessMemory β†’ SetThreadContext β†’ ResumeThread

title: Process Hollowing
status: experimental
logsource:
  product: windows
  category: process_tampering
detection:
  selection:
    EventID: 25
    Type: "ProcessTampering"
  condition: selection
level: high
tags: [attack.defense_evasion, attack.t1055.012]

Heuristics: svchost.exe 1 thread, path β‰  System32, tidak punya service entry di registry.

Playbook β€” Process Injection

StepActionTool
1Full memory dumpWinPmem
2Process + DLL listVelociraptor pslist()
3YARA scan memory regionsYARA
4Dump target processVolatility memdump
5Analyze injected codeVolatility malfind/hollowfind
6Extract payloadVolatility procdump + strings
7Kill + isolateEDR isolate / taskkill

Persistence Mechanisms Detection

Registry Run Keys

title: Suspicious Run Key Created
status: stable
logsource:
  product: windows
  category: registry_event
detection:
  selection:
    EventID: 13
    TargetObject|contains: ['\CurrentVersion\Run', '\CurrentVersion\RunOnce']
  filter_legit:
    Image|startswith: ['C:\Program Files\', 'C:\Windows\System32\']
  condition: selection and not filter_legit
level: high
tags: [attack.persistence, attack.t1547.001]

Scheduled Tasks

title: Scheduled Task by Non-Admin
status: stable
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains: "/create"
  filter_legit:
    User: ['NT AUTHORITY\SYSTEM', 'DOMAIN\Administrator']
  condition: selection and not filter_legit
level: high
tags: [attack.persistence, attack.t1053.005]

WMI Event Subscription

title: WMI Event Subscription Created
status: stable
logsource:
  product: windows
  category: wmi_event
detection:
  selection:
    EventID: [19, 20, 21]
  condition: selection
level: critical
tags: [attack.persistence, attack.t1546.003]

Service Installation

title: New Service Installed (Non-SYSTEM)
status: stable
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\sc.exe'
    CommandLine|contains: "create"
  filter_legit:
    User: 'NT AUTHORITY\SYSTEM'
  condition: selection and not filter_legit
level: high
tags: [attack.persistence, attack.t1543.003]

Persistence Playbook

StepActionTool
1Autoruns baselineautorunsc64.exe -a * -c -h -s -v
2Scheduled tasksschtasks /query /fo CSV /v
3WMI subscriptionsGet-WmiObject __EventFilter
4Service auditsc query state= all
5Boot executebcdedit /enum

Lateral Movement Detection

RDP

title: Inbound RDP from Unusual Source
status: experimental
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    LogonType: 10
  filter_legit:
    WorkstationName|startswith: ["ADMIN-PC", "JUMP-BOX"]
  condition: selection and not filter_legit
level: medium
tags: [attack.lateral_movement, attack.t1021.001]

SMB/WMI Exec

title: WMI Process Create β€” Lateral Movement
status: stable
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    EventID: 4688
    ParentProcessName|endswith: ['\wmiprvse.exe', '\WmiPrvSE.exe']
    LogonId: "0x3e7"
  condition: selection
level: high
tags: [attack.lateral_movement, attack.t1047]

Pass-the-Hash

title: PtH via NTLM Logon
status: experimental
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    LogonType: 3
    AuthenticationPackageName: "NTLM"
    TargetUserName|endswith: "$"
  filter_admin:
    TargetUserName: ["DC01$", "SQL01$"]
  condition: selection and not filter_admin
level: medium
tags: [attack.lateral_movement, attack.t1550.002]

Lateral Movement Playbook

StepAction
1Event 4624 LogonType 3/10 β†’ source IP, account
2Service creation across hosts
3Remote scheduled tasks (schtasks /create /s)
4WMI activity (WMIPRVSE.EXE as parent)
5NTLM auth logs Event 4776

Privilege Escalation Detection

UAC Bypass

title: UAC Bypass via Event Viewer
status: stable
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\eventvwr.exe'
    Image|endswith: '\cmd.exe'
  condition: selection
level: high
tags: [attack.privilege_escalation, attack.t1548.002]
---
title: UAC Bypass via CMSTPLUA
status: experimental
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\cmstp.exe'
    Image|endswith: '\powershell.exe'
  condition: selection
level: high
tags: [attack.privilege_escalation, attack.t1548.002]

BYOVD Detection

title: Known Vulnerable Driver Load
status: experimental
logsource:
  product: windows
  category: driver_load
detection:
  selection:
    EventID: 6
    ImageLoaded|contains:
      - "gdrv.sys"
      - "capcom.sys"
      - "aswbidsh.sys"
      - "rzpnk.sys"
      - "iqvw64.sys"
  condition: selection
level: critical
tags: [attack.privilege_escalation, attack.t1068]

Token Theft

Detection: Event 8 + proses source punya SeImpersonatePrivilege. Monitoring AdjustTokenPrivileges call.

PrivEsc Playbook

StepAction
1whoami /priv
2Enumerate writable services (sc query + icacls)
3Check UAC level via registry
4Scan loaded drivers (DriverQuery /SI)
5Block vulnerable driver paths (loldrivers.io)

Credential Access Detection

LSASS Dump

Deteksi via Sysmon Event 10 β€” proses non-legitimate mengakses LSASS dengan GrantedAccess full control.

title: LSASS Access for Credential Dumping
status: stable
logsource:
  product: windows
  category: process_access
detection:
  selection:
    EventID: 10
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess: ["0x1F0FFF", "0x1F1FFF", "0x40"]
  filter_legit:
    SourceImage|startswith:
      - 'C:\Windows\System32\lsass.exe'
      - 'C:\Windows\System32\svchost.exe'
  condition: selection and not filter_legit
level: critical
tags: [attack.credential_access, attack.t1003.001]

Heuristics: rundll32 β†’ comsvcs.dll,MiniDump (dump tanpa procdump). Proses 32-bit akses LSASS 64-bit β†’ suspicious.

SAM Registry Dump

title: SAM Registry Save
status: stable
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\reg.exe'
    CommandLine|contains: ["save", 'hklm\sam']
  condition: selection
level: critical
tags: [attack.credential_access, attack.t1003.002]

Credential Access Playbook

StepAction
1Event 10 Sysmon/Security β†’ LSASS access
2comsvcs.dll MiniDump calls
3reg save hklm\sam activity
4Enable PPL: reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /d 1
5Deploy Credential Guard via GPO
6Immediate password reset if dumping confirmed

Ransomware Behavior Detection

Timeline Serangan

T-15min: Recon (network scan, service enum)
T-5min:  Defense evasion (kill EDR, stop backup)
T-0:     ENCRYPTION START
T+0:     Shadow copy delete (vssadmin.exe)
T+1min:  File ext change (.encrypted)
T+2min:  Ransom note dropped

Mass File Encryption

title: Mass File Modification β€” Ransomware
status: stable
logsource:
  product: windows
  category: file_event
detection:
  selection:
    EventID: 11
  timeframe: 5m
  condition: selection | count() by Image > 100
  filter_legit:
    Image|startswith: ['C:\Program Files\', 'C:\Windows\']
  filter_system:
    User: 'NT AUTHORITY\SYSTEM'
  condition: selection and not filter_legit and not filter_system
level: critical
tags: [attack.impact, attack.t1486]

Shadow Copy Deletion

title: Volume Shadow Copy Deletion
status: stable
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains: ["delete shadows", "Delete Shadows"]
  condition: selection
level: critical
tags: [attack.impact, attack.t1490]

Additional Indicators

IndicatorSeverity
vssadmin delete shadows /allCritical
bcdedit /set {default} recoveryenabled NoCritical
wbadmin delete catalog -quietCritical
wmic shadowcopy deleteCritical
Mass file writes > 100/minCritical
EDR agent terminationCritical

Ransomware Playbook

StepActionTimeline
1Network isolate via EDRImmediate
2Kill encryptor process tree< 30 detik
3Block C2 (firewall + DNS sinkhole)Immediate
4Check shadow copy (vssadmin list shadows)Immediate
5Verify offline/immutable backupImmediate
6Memory dump before reboot5 menit
7Scan lateral movement (same IOC)15 menit
8Restore from clean backupAfter eradication

Sigma Rules

Format Dasar

title: <Name>
status: stable | experimental
logsource:
  product: windows
  category: process_creation | file_event | registry_event | network_connection
detection:
  selection: { Field: "value" }
  condition: selection
level: critical | high | medium | low
tags: [attack.<tactic>, attack.<technique_id>]

Sigma β€” WMI Suspicious Parent

title: WMI Process Create with Suspicious Parent
id: 2f8e5a9c-1b3d-4e7f-9a2b-5c3d7e8f1a2b
status: stable
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: ['\WmiPrvSE.exe', '\wmiprvse.exe']
  filter_user:
    User: ['NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE']
  filter_admin:
    Image|startswith: ['C:\Windows\System32\', 'C:\Windows\SysWOW64\']
    CommandLine|contains: "-Embedding"
  condition: selection and not filter_user and not filter_admin
level: high
tags: [attack.execution, attack.t1047]

Sigma β€” Pastebin/Gist Download

title: Script Download from Pastebin/GitHub Gist
status: stable
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    CommandLine|contains:
      - "pastebin.com"
      - "gist.githubusercontent.com"
      - "gist.github.com"
      - "paste.ee"
      - "rentry.co"
  condition: selection
level: high
tags: [attack.command_and_control, attack.t1105]

Sigma β€” Office Network Connection

title: Office Application Outbound Connection
status: stable
logsource:
  product: windows
  category: network_connection
detection:
  selection:
    Image|endswith: ['\WINWORD.EXE', '\EXCEL.EXE', '\POWERPNT.EXE', '\OUTLOOK.EXE']
  filter_internal:
    DestinationIp|cidr: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
  condition: selection and not filter_internal
level: high
tags: [attack.execution, attack.t1204.002]

Sigma β€” Unquoted Service Path

title: Unquoted Service Path (PrivEsc)
status: experimental
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\sc.exe'
    CommandLine|contains: "binPath="
  filter_quoted:
    CommandLine|contains: '"'
  filter_system:
    User: 'NT AUTHORITY\SYSTEM'
  condition: selection and not filter_quoted and not filter_system
level: medium
tags: [attack.privilege_escalation, attack.t1574.009]

Live Response Procedure

Phase 1 β€” Memory Acquisition

winpmem_mini_x64.exe --output memdump.raw
velociraptor.exe collect Windows.Memory.Acquisition

Phase 2 β€” Process Tree

tasklist /v /fo csv
wmic process get Name,ProcessId,ParentProcessId,CommandLine /format:csv

Phase 3 β€” Autoruns

autorunsc64.exe -a * -c -h -s -v -o autoruns.csv
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
schtasks /query /fo CSV /v | findstr "Ready"
wmic startup list full

Phase 4 β€” Prefetch

# C:\Windows\Prefetch\*.pf β€” record of executed binaries
# Velociraptor:
LET p = SELECT * FROM glob(globs='C:\\Windows\\Prefetch\\*.pf')
SELECT Name, Size, ModTime FROM p

Phase 5 β€” Event Logs

wevtutil epl Security C:\logs\security.evtx
wevtutil epl "Microsoft-Windows-Sysmon/Operational" C:\logs\sysmon.evtx
wevtutil epl "Windows PowerShell" C:\logs\powershell.evtx
wevtutil epl System C:\logs\system.evtx

Phase 6 β€” Network

netstat -anob > connections.txt
ipconfig /displaydns > dnscache.txt
arp -a > arp_table.txt
route print > routing_table.txt

Live Response Kit

ItemToolPriority
MemoryWinPmem / VelociraptorP0
Process treepslistP0
Networknetstat -anobP0
AutorunsSysinternals AutorunsP1
PrefetchVelociraptorP1
Event logswevtutilP1
Registry hivesreg saveP1
YARA scanYARAP2

Correlation & FP Handling

Alert Prioritization Matrix

Priority = Severity Teknikal + Asset Criticality + Threat Intel

KriteriaSkor
Severity: Critical (Ransomware/LSASS)100
High (Injection/Persistence)50
Medium (LOLBin)20
Low5
Asset: Domain Controller50
Email/File Server30
Workstation10
TI: Known IOC match30
No context0

Priority: 120-180 β†’ P0 immediate, 80-119 β†’ P1 high, 40-79 β†’ P2 medium, 0-39 β†’ P3 low.

Common False Positives

PatternCauseFix
AV scans trigger file eventsScheduled scansExclude AV path in Sysmon
SCCM/PDQ deploymentSYSTEM installersFilter by Company field
Windows UpdateLegitimate MS activityFilter wuauclt.exe
Office DNS lookupsAuto-updateThreshold > 5/min
Developer PowerShellAuthorized adminTrack by user

Whitelist Strategy

Whitelist approach: baseline semua proses legitimate 2-4 minggu, hanya alert di luar whitelist.

# Baseline mingguan
Get-WmiObject Win32_Process | Select Name, ExecutablePath, ProcessId,
   @{N="ParentPID";E={$_.ParentProcessId}},
   @{N="User";E={$_.GetOwner().User}}
| Export-Csv baseline_$(Get-Date -Format 'yyyy-MM-dd').csv

Case Studies

Case 1: SolarWinds Supply Chain (2020)

Attribution: APT29 (Cozy Bear / Russian SVR).

IndicatorDetail
DLLSolarWinds.Orion.Core.BusinessLayer.dll β€” modified
PersistenceSolarWinds service auto-start
C2*.appsync-api.eu-west-1.avsvmcloud.com
BeaconHTTP POST /WebResources/SCRIPT, 12h interval
JA351c64c77e60f3980eea90869b68c58a8

Lessons: Supply chain > signature detection. Behavioral detection (parent-child, DNS anomaly, file integrity) lebih penting. Sysmon Event 11 & 7 kritis.

Case 2: Log4j Post-Exploitation (Dec 2021)

[1] LDAP: ldap://attacker:1389/Exploit.class
[2] JNDI redirect β†’ Java class download
[3] JVM: download Cobalt Strike / PowerShell Empire
[4] Persistence: Run keys, fake "OneDrive Updater" task
[5] Post: whoami β†’ systeminfo β†’ net group
title: Log4Shell JNDI LDAP Outbound
status: stable
logsource: { product: windows, category: network_connection }
detection: { selection: { Image|endswith: '\java.exe', DestinationPort: 1389 } }
level: critical
tags: [attack.initial_access, attack.t1190]
---
title: Suspicious Command via Java
status: experimental
logsource: { product: windows, category: process_creation }
detection:
  selection:
    ParentImage|endswith: '\java.exe'
    Image|endswith: ['\powershell.exe', '\cmd.exe']
level: high
tags: [attack.execution, attack.t1059]

Lessons: Java parent shell = red flag. LDAP 1389/389 outbound harus dimonitor.

Case 3: Phishing-to-Beachhead

T+0min: WINWORD spawns cmd.exe (Sysmon E1)
T+1min: cmd.exe β†’ C2 185.x.x.x:443 (Sysmon E3)
T+2min: notepad.exe loads malicious DLL (Sysmon E7)
T+3min: PROCESS_ACCESS ke lsass.exe (Sysmon E10)
T+5min: EDR isolate + block C2 IP
T+7min: Kill tree + remove persistence

Learnings: (1) Parent-child = sinyal paling awal, (2) Office + netconn = high-fidelity, (3) Attacker dumps creds < 3 menit, (4) SOAR diperlukan untuk response < 5 menit.


Koneksi ke Vault


References

  1. SwiftOnSecurity Sysmon Config
  2. Sigma Rules
  3. Velociraptor Docs
  4. Elastic Detection Rules
  5. MITRE ATT&CK
  6. loldrivers.io
  7. SolarWinds β€” Mandiant
  8. Log4j β€” NCSC
  9. Volatility 3

Bottom Line

Kunci endpoint detection: (1) Sysmon + Windows Event Log sebagai foundation sensor termurah dan paling efektif, (2) Sigma rules untuk detection-as-code portable, (3) EDR behavioral (CrowdStrike/Elastic) untuk advanced scenarios, (4) Live response terstandardisasi siap pakai. Tanpa triage baik, EDR terbaik tenggelam dalam false positive. Detection tanpa response hanyalah noise.

Endpoint Detection Playbook | v1.0 β€” 2026 | Operational | 6 detection scenarios, 15+ Sigma rules, 3 case studies