Endpoint Analysis & Incident Handling Procedures for IOC IP Connection Detection

Endpoint Analysis & Incident Handling Procedures for IOC IP Connection Detection

Executive Summary

This playbook provides operational guidance for detecting, triaging, investigating, containing, and remediating endpoint communications involving known malicious or suspicious IP addresses (Indicators of Compromise — IOC IPs).

The playbook is designed for:

• SOC Analysts
• Detection Engineers
• Threat Hunters
• DFIR Teams
• Security Operations Teams
• Security Engineers
• Incident Responders

The document focuses on enterprise-grade operational procedures for handling:

• Outbound connections to malicious IPs
• Inbound connections from hostile infrastructure
• Command-and-Control (C2) communication
• Malware beaconing
• Data exfiltration attempts
• Initial access infrastructure
• Phishing payload infrastructure
• Threat actor staging servers
• Botnet communications
• Cryptomining infrastructure
• Ransomware-associated infrastructure

The guidance includes:

• Investigation procedures
• Alert triage workflows
• Detection engineering guidance
• Threat hunting techniques
• SIEM detection examples
• EDR analysis methodologies
• Containment procedures
• Validation and tuning recommendations

Scope

This playbook applies to:

Asset Type Coverage Windows Endpoints Yes Linux Servers Yes macOS Systems Partial Cloud Workloads Yes VPN Clients Yes Remote Endpoints Yes VDI Environments Yes Kubernetes Nodes Optional Threat Context

Connections to known malicious IP addresses are one of the most common indicators associated with:

• Malware execution
• Remote access trojans (RATs)
• Commodity malware
• Ransomware staging
• Credential theft
• Data exfiltration
• Web shells
• Post-exploitation frameworks
• Persistence mechanisms
• Lateral movement infrastructure
• Cloud compromise

Threat actors commonly leverage:

• VPS providers
• Bulletproof hosting
• TOR exit nodes
• Residential proxies
• Compromised servers
• Fast-flux infrastructure
• Dynamic DNS services
• CDN abuse
• Cloud-hosted redirectors

Detection of IOC IP communication is highly valuable because:

• It often represents active compromise
• It provides high-confidence pivot points
• It can reveal malware staging
• It may indicate hands-on-keyboard activity
• It can identify lateral movement
• It enables rapid scoping of affected systems

MITRE ATT&CK Mapping Technique ID Description Application Layer Protocol T1071 Malware communication over HTTP/S, DNS, SMB Ingress Tool Transfer T1105 Downloading payloads from attacker infrastructure Command and Scripting Interpreter T1059 Malicious execution after C2 communication Remote Services T1021 Remote access and lateral movement Exfiltration Over Web Services T1567 Data exfiltration over HTTP/S Dynamic Resolution T1568 Dynamic DNS and rotating infrastructure Proxy T1090 Traffic relay and obfuscation Non-Application Layer Protocol T1095 Raw socket communication Encrypted Channel T1573 TLS encrypted C2 traffic Severity Classification Severity Conditions Critical Confirmed malware C2, ransomware infrastructure, active beaconing High Repeated communication to known malicious IOC IP Medium Single outbound connection with suspicious context Low Historical IOC hit with no process attribution Informational Threat intelligence enrichment only Detection Sources

Endpoint Telemetry

• Sysmon
• Windows Security Logs
• EDR telemetry
• CrowdStrike Falcon
• Microsoft Defender for Endpoint
• SentinelOne
• Carbon Black
• Wazuh
• osquery

Network Telemetry

• Firewall logs
• NetFlow
• Zeek
• Suricata
• IDS/IPS telemetry
• DNS logs
• Proxy logs
• TLS inspection logs

Cloud Sources

• AWS VPC Flow Logs
• Azure NSG Flow Logs
• GCP VPC Flow Logs
• CloudTrail
• Defender for Cloud
• Microsoft 365 Defender

Logging Requirements

Required Endpoint Logging

Sysmon Configuration Recommendations

Required Event IDs:

Sysmon Event ID Description 1 Process Creation 3 Network Connection 7 Image Loaded 11 File Create 13 Registry Value Set 22 DNS Query

Example Sysmon Network Event:

<EventData>
  <Data Name="UtcTime">2026-05-25 11:23:14.987</Data>
  <Data Name="ProcessGuid">{8F6A0B1D-1111-2222-3333-000000000001}</Data>
  <Data Name="ProcessId">4120</Data>
  <Data Name="Image">C:\Users\Public\svchost.exe</Data>
  <Data Name="User">CORP\\jdoe</Data>
  <Data Name="Protocol">tcp</Data>
  <Data Name="Initiated">true</Data>
  <Data Name="SourceIp">10.10.44.21</Data>
  <Data Name="DestinationIp">185.193.127.12</Data>
  <Data Name="DestinationPort">443</Data>
</EventData>

DNS Logging

Required fields:

• Query Name
• Query Type
• Source Host
• Source IP
• Response Code
• Resolved IP
• Timestamp

Firewall Logging

Required fields:

• Source IP
• Destination IP
• Destination Port
• Protocol
• Action
• Bytes Transferred
• Session Duration
• NAT Details
• User Attribution

Initial Alert Triage

Triage Objectives

The analyst should determine:

1. Is the IOC reliable?
2. Was the connection successful?
3. Which process initiated the connection?
4. Is malware execution confirmed?
5. Is lateral movement occurring?
6. Is containment required immediately?
7. Are additional hosts affected?

IOC Validation Procedures

Threat Intelligence Validation

Validate IOC IP against:

• Commercial threat intelligence
• Internal IOC repositories
• AbuseIPDB
• VirusTotal
• GreyNoise
• Recorded Future
• MISP
• CrowdStrike Intelligence
• Palo Alto Unit42
• Microsoft Threat Intelligence

IOC Confidence Scoring

Confidence Criteria High Active malware C2 infrastructure Medium Suspicious infrastructure with malware association Low Shared hosting / weak attribution

Important Operational Considerations

Do not immediately escalate solely because an IP appears malicious.

Potential false positives include:

• CDN infrastructure
• Shared VPS hosting
• Previously malicious but reclaimed IPs
• Research sandboxes
• Security scanning infrastructure
• Proxy services
• Cloud provider overlap

Investigation Workflow Step 1 — Validate Alert Authenticity

Confirm:

• Timestamp accuracy
• Correct asset attribution
• IOC enrichment validity
• Telemetry integrity
• Sensor health

Example validation checks:

Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {$_.Id -eq 3}

Step 2 — Identify Process Responsible for Connection

Critical questions:

• What process initiated the connection?
• Was it user-driven?
• Was PowerShell involved?
• Was LOLBIN abuse observed?
• Was the process unsigned?

High-Risk Process Indicators

Process Risk powershell.exe High cmd.exe Medium rundll32.exe High regsvr32.exe High mshta.exe High wscript.exe High cscript.exe High certutil.exe High curl.exe Medium bitsadmin.exe High Step 3 — Review Process Lineage

Determine:

• Parent process
• Child processes
• Execution chain
• Persistence mechanisms

Example suspicious lineage:

winword.exe
 └── powershell.exe
      └── rundll32.exe
           └── outbound connection to IOC IP

Potential implications:

• Malicious Office macro
• Phishing execution chain
• Loader deployment
• In-memory malware

Step 4 — Determine Communication Characteristics

Review:

Attribute Investigation Goal Destination Port Standard vs non-standard Frequency Beaconing behavior Data Volume Exfiltration indicators TLS Usage Encrypted C2 JA3 Fingerprints Malware fingerprinting HTTP User-Agent Malware signatures DNS Requests DGA indicators

Beaconing Indicators

Common signs:

• Consistent interval communication
• Small packet sizes
• Long-duration sessions
• Periodic DNS requests
• Idle encrypted traffic

Step 5 — Assess Host Impact

Investigate:

• Scheduled tasks
• Registry persistence
• Services
• Startup folders
• New user accounts
• Credential dumping
• Lateral movement
• LSASS access
• RDP activity
• SMB activity

Windows Persistence Checks

Get-ScheduledTask
Get-RunKey
Get-Service

Linux Persistence Checks

crontab -l
systemctl list-units --type=service
cat ~/.bashrc

Step 6 — Scope the Incident

Determine:

• Additional affected endpoints
• Shared IOC activity
• User overlap
• VPN overlap
• Shared hashes
• Shared domains
• Shared parent processes

Example Splunk Scoping Query

index=sysmon EventCode=3 DestinationIp=185.193.127.12
| stats count by Computer, User, Image, DestinationPort

Example KQL Scoping Query

DeviceNetworkEvents
| where RemoteIP == "185.193.127.12"
| summarize count() by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine

Endpoint Analysis Procedures Windows Endpoint Analysis

Key Artifacts

Artifact Purpose Prefetch Execution evidence ShimCache Historical execution Amcache Application inventory Registry Run Keys Persistence Scheduled Tasks Persistence PowerShell Logs Script execution Browser History User-driven activity SRUM Network usage

PowerShell Investigation

Review:

• EncodedCommand
• DownloadString
• Invoke-WebRequest
• IEX patterns
• Base64 usage
• AMSI bypass indicators

Example suspicious command:

powershell.exe -nop -w hidden -enc SQBFAFgA

Linux Endpoint Analysis

Key Artifacts

Artifact Purpose bash_history Command execution auth.log Authentication events crontab Persistence systemd services Persistence netstat/ss output Active connections .ssh directory SSH persistence /tmp execution Malware staging

Network Review

ss -antp
lsof -i
netstat -plant

EDR Investigation Guidance

Core Questions

• Was malware execution confirmed?
• Was credential theft observed?
• Was the host isolated previously?
• Were defense evasion techniques used?
• Was tampering detected?
• Was lateral movement attempted?

Recommended EDR Actions

Action Recommendation Isolate Host High confidence compromise Collect Memory Suspected in-memory malware Kill Process Active malicious execution Retrieve File Malware sample collection Acquire Timeline DFIR analysis Detection Engineering Guidance Sigma Rule Example

title: Outbound Connection to Known Malicious IOC IP
id: 2d0dcf84-bf55-4f8f-b14e-111111111111
status: experimental
logsource:
  category: network_connection
  product: windows

detection:
  selection:
    DestinationIp:
      - '185.193.127.12'
      - '91.243.44.122'
  condition: selection

level: high

tags:
  - attack.command_and_control
  - attack.t1071

Detection Logic Considerations

The rule should:

• Support IOC list updates
• Handle CIDR ranges
• Support threat intelligence feeds
• Include allowlisting capability
• Support internal exclusions

Splunk Detection Example

index=sysmon EventCode=3
| lookup malicious_ips ip as DestinationIp OUTPUT description severity
| search severity=high
| stats count values(Image) values(User) by Computer DestinationIp

Splunk Tuning Recommendations

Exclude:

• Vulnerability scanners
• Security appliances
• Sandboxes
• Threat intel platforms
• Internal scanners

Microsoft Sentinel KQL Example

let IOC_IPs = dynamic([
"185.193.127.12",
"91.243.44.122"
]);

DeviceNetworkEvents
| where RemoteIP in (IOC_IPs)
| project Timestamp,
          DeviceName,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine,
          RemoteIP,
          RemotePort,
          InitiatingProcessParentFileName

Elastic Detection Example

{
  "query": {
    "bool": {
      "must": [
        {
          "terms": {
            "destination.ip": [
              "185.193.127.12",
              "91.243.44.122"
            ]
          }
        }
      ]
    }
  }
}

Wazuh Rule Example

<group name="malicious_ioc_connection">
  <rule id="100700" level="12">
    <if_sid>61612</if_sid>
    <field name="dstip">185.193.127.12</field>
    <description>Connection to known malicious IOC IP</description>
    <mitre>
      <id>T1071</id>
    </mitre>
  </rule>
</group>

CrowdStrike Query Example

#event_simpleName=NetworkConnectIP4
| RemoteAddressIP4=185.193.127.12
| table ComputerName, ImageFileName, CommandLine, UserName

Suricata Detection Example

alert ip any any -> 185.193.127.12 any (
msg:"Known malicious IOC IP connection";
sid:100001;
rev:1;
)

Threat Hunting Methodology

Hunt Objective

Identify:

• Undetected malware
• C2 infrastructure usage
• Beaconing patterns
• Shared malware families
• Staging infrastructure
• Lateral movement indicators

Threat Hunting Queries

Splunk Beaconing Hunt

index=network sourcetype=sysmon EventCode=3
| bucket _time span=5m
| stats count by _time, Computer, DestinationIp
| eventstats avg(count) as avg by Computer, DestinationIp
| where avg < 3

KQL Beaconing Hunt

DeviceNetworkEvents
| summarize ConnectionCount=count() by DeviceName, RemoteIP, bin(Timestamp, 5m)
| summarize AvgConnections=avg(ConnectionCount) by DeviceName, RemoteIP
| where AvgConnections < 3

DNS Hunting Query

index=dns
| stats count by query
| where len(query) > 40

Potential indicators:

• DGA activity
• Malware-generated domains
• Exfiltration over DNS

Realistic Attack Scenario Scenario: Phishing Payload with C2 Beaconing

Initial Access

User receives phishing email containing malicious Word document.

Execution

Macro launches:

powershell.exe -EncodedCommand <base64>

Payload Retrieval

PowerShell downloads loader from:

185.193.127.12

Persistence

Malware creates:

• Scheduled task
• Registry Run key
• Startup folder entry

Command and Control

Beacon every 60 seconds over HTTPS.

Detection Opportunities

Stage Detection Macro Execution Office spawning PowerShell Download Activity PowerShell outbound network IOC Connection Known malicious IP Persistence Registry modification Beaconing Repeating HTTPS sessions Example Log Analysis

Sysmon Event Example

<Event>
  <System>
    <EventID>3</EventID>
  </System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="DestinationIp">185.193.127.12</Data>
    <Data Name="DestinationPort">443</Data>
    <Data Name="User">CORP\\jdoe</Data>
  </EventData>
</Event>

Analyst Interpretation

What Happened

PowerShell initiated outbound HTTPS communication to a known malicious IP.

Why It Matters

PowerShell is commonly abused for:

• Malware staging
• Payload execution
• C2 communication
• Living-off-the-land activity

Suspicious Indicators

• PowerShell network activity
• Known malicious IP
• HTTPS encrypted traffic
• Potential phishing execution

Recommended Investigation

1. Retrieve full process command line
2. Review parent process
3. Check PowerShell ScriptBlock logs
4. Search for additional affected hosts
5. Review persistence artifacts
6. Evaluate credential theft activity

Containment Procedures

Immediate Containment

Recommended actions:

Action Priority Isolate host High Block IOC IP High Disable compromised accounts High Stop malicious process High Block domain indicators Medium Force password reset Medium

Network-Level Containment

Block:

• IOC IPs
• Related domains
• ASN ranges if validated
• C2 protocols
• TOR traffic if relevant

Endpoint-Level Containment

• EDR isolation
• Host firewall rules
• Removal of persistence
• Quarantine malware files

Eradication Guidance

Remove Malware Components

• Persistence artifacts
• Scheduled tasks
• Malicious services
• Registry entries
• Startup items
• Payload files
• Malicious scripts

Validate Removal

Confirm:

• No outbound IOC communication
• No malicious processes
• No suspicious scheduled tasks
• No persistence mechanisms
• No unauthorized accounts

Recovery Procedures

Recovery Validation Checklist

Validation Item Status Host reimaged if necessary Password reset completed IOC blocking verified EDR operational Security patches applied Persistence removed Monitoring enhanced False Positive Analysis

Common False Positive Sources

Source Explanation Shared cloud hosting Multiple unrelated services CDN overlap Shared edge infrastructure Threat feed staleness Outdated IOC feeds Security tooling Sandboxes or scanners Proxy infrastructure Shared IP reuse

Tuning Recommendations

• Maintain allowlists
• Expire stale IOC entries
• Add confidence scoring
• Correlate with process execution
• Correlate with DNS telemetry
• Require repeated beaconing before escalation

Detection Maturity Recommendations Maturity Level Capability Level 1 Static IOC matching Level 2 IOC + process correlation Level 3 Behavioral beacon detection Level 4 Threat-informed analytics Level 5 Automated enrichment and response Purple Team Validation

Atomic Red Team Testing

Example simulation:

Invoke-WebRequest http://185.193.127.12/test

Validate:

• Sysmon Event ID 3
• Firewall telemetry
• EDR detection
• SIEM alert generation
• IOC enrichment

Operational Recommendations

SOC Recommendations

• Automate IOC enrichment
• Integrate threat intelligence feeds
• Correlate network + process telemetry
• Build host isolation workflows
• Maintain IOC aging policies
• Track recurring infrastructure

Detection Engineering Recommendations

• Prioritize process-attributed network telemetry
• Build beaconing analytics
• Detect rare external connections
• Monitor LOLBIN network activity
• Detect unsigned binaries communicating externally

Infrastructure Recommendations

• Enable TLS inspection where legally permissible
• Enable full DNS logging
• Retain EDR telemetry minimum 90 days
• Deploy Sysmon enterprise-wide
• Centralize network telemetry

Escalation Guidance

Escalate Immediately If

• Ransomware infrastructure detected
• LSASS access observed
• Domain controller communication observed
• Multiple hosts affected
• Data exfiltration suspected
• Persistence confirmed
• Lateral movement observed
• Cobalt Strike indicators identified

Post-Incident Activities

Required Actions

• IOC feed updates
• Detection tuning
• Threat hunt execution
• Lessons learned review
• Playbook updates
• Control gap analysis
• Executive reporting
• Metrics collection

Recommended Metrics

Metric Purpose Mean Time to Detect SOC efficiency Mean Time to Contain Response maturity IOC hit volume Threat visibility False positive rate Detection quality Hosts affected Incident scope Common Analyst Mistakes Mistake Impact Trusting IOC feeds blindly False escalations Ignoring process context Missed compromise Failing to scope laterally Partial containment Not validating telemetry Incorrect assumptions Overlooking DNS telemetry Missed infrastructure Ignoring encrypted traffic patterns Missed beaconing References

MITRE ATT&CK

• T1071 — Application Layer Protocol
• T1105 — Ingress Tool Transfer
• T1090 — Proxy
• T1573 — Encrypted Channel

Recommended Tools

Tool Purpose Sysmon Endpoint telemetry Zeek Network visibility Suricata IDS detection Velociraptor DFIR collection osquery Endpoint investigation Chainsaw EVTX hunting Hayabusa Windows log analysis KAPE Triage collection Appendix A — Quick Triage Checklist

Analyst Quick Actions

Validate

• Confirm IOC reputation
• Confirm timestamp
• Confirm telemetry source

Investigate

• Identify process
• Review command line
• Review parent process
• Check persistence
• Review DNS activity

Scope

• Search for additional hosts
• Identify shared users
• Search for related hashes

Contain

• Isolate host
• Block IOC IP
• Disable accounts if needed

Eradicate

• Remove persistence
• Remove malware
• Reimage if necessary

Recover

• Validate telemetry
• Restore operations
• Increase monitoring

Appendix B — Example SOC Escalation Notes

Example Escalation Summary

Host WIN10-445 initiated repeated outbound HTTPS connections to known malicious IOC IP 185.193.127.12.

Associated process:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Suspicious parent process:
WINWORD.EXE

Observed behavior indicates likely phishing-based malware execution with outbound C2 beaconing.

Persistence indicators identified:
- Scheduled Task
- Registry Run Key

Recommended actions:
- Immediate host isolation
- Credential reset
- Enterprise IOC sweep
- Memory acquisition

Conclusion

IOC IP connection alerts remain one of the highest-value operational detection opportunities when combined with:

• Process attribution
• Behavioral analytics
• DNS telemetry
• Threat intelligence
• Endpoint visibility
• Correlation logic

High-quality investigation procedures, strong telemetry coverage, and disciplined tuning significantly improve:

• Detection fidelity
• Incident response speed
• Threat containment effectiveness
• Enterprise visibility
• SOC operational maturity