Suspicious Network & Endpoint Activity Investigation Guide
This guide combines a structured documentation checklist with an actionable toolkit in PowerShell and Python to help rapidly investigate and respond to suspicious activity on a Windows-based endpoint. It includes tutorials for all tools and programs mentioned.

Documentation, Triage/Remediation & Reporting Structure
1. Initial Triage & Observation
Symptoms Observed:
  - Unexpected outbound connections
  - CPU/disk spikes
  - Unknown open ports
  - Software behaving erratically
  - System slowdown
Time & Date Logged (record in UTC so timelines from multiple systems line up)
System(s) Affected: IP address / Hostname
Alert Source Verification/Review:
  - User report
  - SIEM
  - EDR alert
  - IDS/IPS
  - Valid security alert (OS/AV)
  - Etc.
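The following PowerShell snippet is an added example, not part of the original guide, that captures the checklist items above as a first triage snapshot before anything on the host is changed: time and date (UTC), hostname and IP addresses, every established outbound TCP connection and every listening port mapped to its owning process, and the top CPU consumers. The case identifier, output directory and the private-address regex are assumptions; adjust them to your environment. Run it from an elevated session so that the owning process of every socket is visible.

```powershell
# Added example (not from the original guide): initial triage snapshot for a
# Windows endpoint. Requires the NetTCPIP module (Windows 8 / Server 2012+).
# $CaseId, $OutDir and the private-range regex are assumptions for illustration.

$CaseId = 'CASE-0001'                  # assumed case identifier used in the report
$OutDir = "C:\Triage\$CaseId"          # assumed evidence directory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Time & Date Logged / System(s) Affected: capture in UTC to avoid timezone drift
$Snapshot = [ordered]@{
    CapturedUtc = (Get-Date).ToUniversalTime().ToString('o')
    Hostname    = $env:COMPUTERNAME
    Domain      = $env:USERDNSDOMAIN
    IPv4        = @(Get-NetIPAddress -AddressFamily IPv4 |
                    Where-Object { $_.IPAddress -notlike '127.*' } |
                    Select-Object -ExpandProperty IPAddress)
}

# Process table keyed by PID (string keys) so sockets can be mapped to executables
$Processes = Get-Process | Group-Object Id -AsHashTable -AsString

# 2. Unexpected outbound connections: established TCP sessions with owning process
$Established = Get-NetTCPConnection -State Established | ForEach-Object {
    $p = $Processes["$($_.OwningProcess)"]
    [pscustomobject]@{
        LocalAddress  = $_.LocalAddress
        LocalPort     = $_.LocalPort
        RemoteAddress = $_.RemoteAddress
        RemotePort    = $_.RemotePort
        PID           = $_.OwningProcess
        ProcessName   = $p.ProcessName
        Path          = $p.Path
    }
}

# 3. Unknown open ports: everything in LISTEN state, again with the owning process
$Listening = Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'ProcessName'; e = { $Processes["$($_.OwningProcess)"].ProcessName } }

# 4. CPU/disk spikes and slowdown: processes with the most accumulated CPU time
$TopCpu = Get-Process | Sort-Object CPU -Descending |
    Select-Object -First 10 Id, ProcessName, CPU, WorkingSet64, Path

# Persist the volatile data to timestamped files for the evidence folder
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$Snapshot    | ConvertTo-Json -Depth 3 | Set-Content "$OutDir\$Stamp-system.json"
$Established | Export-Csv -NoTypeInformation "$OutDir\$Stamp-established.csv"
$Listening   | Export-Csv -NoTypeInformation "$OutDir\$Stamp-listening.csv"
$TopCpu      | Export-Csv -NoTypeInformation "$OutDir\$Stamp-topcpu.csv"

# Quick on-screen review: connections leaving for non-private address space.
# The regex covers RFC 1918, loopback, link-local and IPv6 loopback (assumed list).
$PrivateRanges = '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|::1$|fe80:)'
$Established |
    Where-Object { $_.RemoteAddress -notmatch $PrivateRanges } |
    Format-Table LocalPort, RemoteAddress, RemotePort, PID, ProcessName, Path -AutoSize
```

Collect this snapshot before killing processes or disconnecting the host: network connections and process state are the most volatile evidence, and remediation destroys them. An empty `Path` column usually means the session was not elevated (or the process is protected), so re-run as administrator before drawing conclusions from it.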