Template: Incident Response Runbook for Data Exfiltration by Desktop Agents

Hook: When a Desktop Agent Becomes a Data Leak — Fast, Practical Runbook

If an autonomous desktop assistant (think Anthropic Cowork or similar) has read, copied, or sent files from a user desktop, your incident response priorities are containment, evidence preservation, and a fast audit of what left the estate. In 2026, teams face a new class of threats: powerful local LLM agents with file-system and network privileges. This runbook template and checklist is designed for IR teams, Engineering, SOCs, and IT admins who must respond to data exfiltration by desktop agents with speed and forensic rigor.

Executive Summary (Most important actions first)

Follow these immediate high-impact steps on first contact:

• Isolate the host (network-level block) but do not power-cycle.
• Preserve memory (live memory dump) and collect volatile artifacts (token caches, active processes, open network sockets).
• Capture disk image or key files (user directories, agent config, local caches).
• Revoke credentials the agent may use (OAuth tokens, API keys, cloud IAM keys).
• Begin audit for outbound transfers (cloud storage, email, Slack, webhook endpoints) across both local and cloud logs.

Below you’ll find a full incident response checklist, a templated runbook with decision trees, forensic collection commands and SIEM queries, containment options, legal and communication guidance, and post-incident detection hardening specific to desktop agents and autonomous assistants.

Context: Why desktop agents change the IR playbook in 2026

Late 2025 through early 2026 saw rapid adoption of desktop LLM assistants (notably Anthropic's Cowork research preview) that request file system and network access to automate tasks for users. These agents:

• have native file read/write and process control privileges;
• use OAuth and long-lived tokens to call cloud APIs (S3, OneDrive, Google Drive, Slack, email APIs);
• can synthesize documents and push outputs directly to cloud services or via email/webhooks;
• introduce new attack surfaces: prompt injection leading to misbehavior, unvetted plugins, and local persistence.

That changes prioritization: artifacts are across the endpoint and identity systems and cloud audit logs. Your IR runbook must bridge host forensics and cloud audit forensics.

Incident Response Checklist: Data Exfiltration by Desktop Agents (Action-first)

Immediate (< 15 mins)

• Declare incident and set severity (use pre-defined SLA matrix).
• Isolate host: enforce network block at switch/NGFW, remove Wi-Fi, disable VPNs. Do not reboot.
• Take screenshots of agent UI, open windows, agent logs.
• Notify legal/DPO and your incident commander.

Within 1 hour

• Acquire live memory (use winpmem/FTKImager for Windows or LiME for Linux/macOS equivalents).
• Dump process list, open sockets, loaded DLLs, browser sessions, and open files.
• Export agent token stores, config files, and recent agent activity logs.
• Rotate/revoke exposed credentials and disable related cloud service keys.

Within 24 hours

• Create full disk image or targeted file copy (user profile, agent installation path, local caches).
• Search CloudTrail/Cloud Audit Logs, O365/GDrive audit logs, and email logs for transfers initiated from the suspect user agent.
• Collect proxy/firewall logs showing outbound endpoints and payload sizes.
• Begin artifact hashing and chain-of-custody documentation.

Containment & Remediation

• Uninstall/disable the agent application in a controlled manner only after volatile data is captured.
• Rotate credentials, re-issue tokens with new scope limits, and rotate service principals.
• Notify affected data owners and commence regulatory notification if necessary.

Runbook Template: Incident Response for Desktop Agent Exfiltration

Use this as a living template. Replace bracketed fields and integrate into your IR platform (PagerDuty, VictorOps, Jira).

1. Incident ID: [INC-YYYYMMDD-####]
2. Reported by: [name, team, timestamp]
3. Initial evidence: [screenshot, SIEM alert, user report]
4. Severity: [Critical / High / Medium / Low]
5. Affected assets:
   • Host: [hostname, IP, owner]
   • Agent: [agent name/version, vendor]
   • Cloud: [S3 buckets, GDrive IDs, Azure storage]
6. Immediate actions (by IR lead):
   • Isolate host (network block ID: [fw-rule])
   • Acquire memory and volatile artifacts
   • Revoke credentials with timestamps
7. Forensics checklist (assigned to Forensics team):
   • Win: winpmem / FTK Imager memory dump, Get-WinEvent export
   • Mac/Linux: LiME memory capture, ps, lsof, netstat / ss
   • Disk capture: dd/imaging or targeted copy of %USERPROFILE%, agent config dir
   • Browser artifacts: cookie/session export, history
8. Cloud audit actions (assigned to Cloud/SecOps):
   • Search CloudTrail/GCP Audit logs for access by user or API key
   • Search O365/GDrive audit logs for file downloads/uploads
   • Check Slack, Email, or webhook integrations for automated posts
9. Communications:
   • Notify DPO, legal, and affected business units
   • Follow pre-approved external communication templates
10. Eradication & recovery:
    • Remove agent and known malicious artifacts from host
    • Restore host from known-good image if integrity is in doubt
    • Rotate credentials and re-enroll users
11. Lessons learned:
    • Post-incident report, detection rule, and remediation tasks

Forensic Collection Recipes (commands and queries)

Below are tested commands and SIEM queries to accelerate evidence capture. Adjust to your environment and toolset.

Windows volatile data

rem Memory acquisition (using winpmem)
winpmem.exe --output C:\IR\memory-.raw

rem Process and network state
powershell -command "Get-Process | Select-Object Id, ProcessName, Path | Out-File C:\IR\processes.txt"
powershell -command "Get-NetTCPConnection | Out-File C:\IR\netconns.txt"

rem Event logs (last 7 days)
wevtutil qe Security /q:"*[System[(TimeCreated[timediff(@SystemTime) <= 604800000])]]" /f:text > C:\IR\security-events.txt

macOS / Linux volatile

# Memory (LiME - requires kernel module build)
insmod lime.ko "path=/IR/memory-.lime format=raw"

# Processes and open files
ps aux > /IR/processes.txt
lsof -nP > /IR/lsof.txt
ss -tunap > /IR/sockets.txt

Cloud audit quick-queries

Cloud providers expose different log formats. Examples to find uploads or token usage:

# AWS CloudTrail - find PutObject events by user or IP
fields @timestamp, eventName, userIdentity.userName, sourceIPAddress, requestParameters.bucketName
| filter eventName = 'PutObject' or eventName = 'UploadPart'
| filter sourceIPAddress = '' or userIdentity.userName = ''
| sort @timestamp desc

# Azure Sentinel (KQL) - OneDrive/SharePoint file operations
AuditLogs
| where OperationName has 'FileDownloaded' or OperationName has 'FileUploaded'
| where TimeGenerated > ago(7d)
| where AdditionalFields contains ''
| project TimeGenerated, OperationName, TargetResources, InitiatedBy

SIEM hunting queries (Elastic-style)

# Large outbound upload to cloud endpoint (heuristic)
network.transport: "tcp" and
destination.domain: ("api.anthropic.com" OR "s3.amazonaws.com" OR "drive.google.com" OR "graph.microsoft.com") and
source.bytes > 10485760

Indicators and Detection Rules

Look for these indicators of exfil by desktop agents:

• New agent process spawning child processes like curl, python, powershell, or rclone.
• Outbound HTTPS to known LLM control endpoints or to generic cloud-storage endpoints from user desktops.
• Access patterns: large read of user Document or Downloads folders followed by network transfers.
• Tokens or credentials in memory (OAuth access tokens, long-lived API keys found in agent caches).
• New scheduled tasks/launch agents that reference agent binaries or temp script directories.

Sample EDR detection rules:

# Heuristic rule (pseudocode)
IF process_parent = 'desktop-agent.exe' AND process_contains 'curl' OR 'powershell' AND network_total_bytes > 10MB WITHIN 1hr THEN alert 'Possible desktop-agent exfil'

Containment Options — Tradeoffs and Playbooks

Containment has to balance evidence preservation and business continuity. Use this decision tree:

• If host is critical and you need instant stop: Network isolation + disable user agent token + full memory dump ASAP.
• If host must remain online for remote evidence capture: apply NGFW rule to block agent-specific endpoints, enable packet capture on the host, and schedule controlled uninstall after collection.
• For broad risk: temporary block of agent vendor domains at proxy, require re-auth for all sensitive integrations, and throttle large outbound data transfers.

Audit Playbook: Tracing What Left the Estate

Follow an audit path across endpoint, identity, and cloud systems:

1. Endpoint artifacts: file hashes, timestamps, process command-lines.
2. Identity logs: OAuth issuance time, refresh token activity, client_id used by the agent.
3. Cloud logs: CloudTrail/GCP audit/Office365 audit for transfers, including IP, user-agent, and tool name.
4. Network logs: proxy logs and firewall logs show destination domains and payload sizes.

Example CloudTrail query to find API key usage across regions:

# AWS CloudTrail pseudo-query
SELECT eventTime, eventName, userIdentity.arn, sourceIPAddress, requestParameters.bucketName
FROM cloudtrail
WHERE eventName IN ('PutObject','PutObjectAcl','CompleteMultipartUpload')
AND userIdentity.arn LIKE '%%'

Legal, Compliance & External Notifications

Data exfiltration by agents can trigger multiple regulatory obligations. Immediately engage legal and the DPO to assess whether to notify customers or regulators. Consider:

• GDPR: personal data exfiltration may require 72-hour notification.
• HIPAA: PHI breaches have defined notification rules.
• State breach laws (US): thresholds vary by state.

Preserve evidence and maintain a privileged chain of custody. Careful documentation during containment helps if forensics are later used for legal or regulatory actions.

Post-Incident: Detection, Hardening, and Playbook Updates

After eradication, focus on preventing recurrence:

• Create new detection rules for the agent’s behavioral signatures and network endpoints.
• Harden agent installation policies: limit local file access scopes, use ephemeral tokens, restrict cloud scopes to least privilege.
• Enforce conditional access and MFA for desktop agent integrations.
• Implement continuous monitoring: EDR policies, Data Loss Prevention (DLP), and API-level logs retention for at least 90 days.

Include the incident in tabletop exercises. Simulate agent misuse scenarios often—vendors and models evolve rapidly, and model behavior or vendor integrations (plugins) may change without notice.

Advanced Strategies & 2026 Trends

Through 2025–2026 we saw three trends that should shape your defenses:

• Agent orchestration: Agents now chain tasks across local and cloud workloads. Block unapproved orchestration flows and monitor for cross-system API calls initiated by desktop agents.
• Fine-grained tokenization: Best practice is ephemeral, narrowly-scoped tokens that can be revoked quickly—adopt short-lived OAuth flows for agent-to-cloud access.
• Vendor accountability: Vendors (Anthropic and others) now publish recommended security controls—use their guidance and monitor vendor updates for CVEs or misconfiguration advisories.

Future-proofing steps for 2026:

• Require attestation of agent binaries and code signing enforcement across endpoints.
• Deploy DLP at proxy and at cloud API layers to detect PII leaving via agent actions.
• Use model-behavior baselining to detect anomalous instruction patterns (sudden file-aggregation or long-chain requests).

Sample Playbook Snippets (copy-paste)

Revoke OAuth refresh token via Google Admin SDK:

curl -X POST 'https://oauth2.googleapis.com/revoke' \
  -H 'Content-type: application/x-www-form-urlencoded' \
  -d 'token='

Search for S3 upload events by IP in AWS Athena (example):

SELECT eventtime, eventname, useridentity, sourceipaddress, requestparameters
FROM cloudtrail_logs
WHERE eventname = 'PutObject'
AND sourceipaddress = ''
ORDER BY eventtime DESC
LIMIT 100;

Checklist: Quick Reference (Printable)

• [ ] Isolate host (network)
• [ ] Capture memory
• [ ] Export processes, open sockets, browser sessions
• [ ] Preserve agent logs and config
• [ ] Revoke exposed tokens and rotate credentials
• [ ] Search CloudTrail / O365 / GDrive / Slack for transfers
• [ ] Notify legal/DPO and escalate per policy
• [ ] Implement detection rules and DLP controls

"In 2026, incident response teams must treat desktop agents as both local processes and remote identity actors — forensic triage requires endpoint, identity, and cloud log coordination."

Actionable Takeaways

• Start with isolation and live memory capture. Memory is the most likely place to find tokens and ephemeral evidence.
• Revoke and rotate early. Removing tokens stops further exfil while you investigate.
• Search cloud audit logs early. Desktop agents often use cloud APIs—cloud logs will show the destination of exfiltrated artifacts.
• Instrument detection for agent behaviors. Watch for large read operations on user directories followed by outbound transfers.

Call to Action

Use this runbook as your baseline: tailor it to vendor agents in use (e.g., Anthropic Cowork) and integrate the checklist into your SOC runbooks. Want a downloadable incident playbook and ready-to-import SIEM rules? Join the powerlabs.cloud community resources hub to get the runbook template, Splunk/KQL/Elastic rules, and a forum to discuss agent-specific detections with peers.

Related Reading

• SOPs for Handling Sudden Ingredient Substitutions When Commodities Spike
• From Stove to Stylish Shelf: How to Package Homemade Syrups for a Beautiful Bar Cart
• Host a Safe Watch Party: Tips for Streaming ‘The Pitt’ With Friends
• Nonprofit Survival Kit: Why You Need Both a Strategic Plan and a Tax-Savvy Business Plan
• Siri + Gemini: What Apple’s Model Choice Means for Voice-First Creator Products