Systems behaving abnormally may be a result of it becoming compromised by an attacker. Abnormal could mean the system has high memory or CPU consumption or large number of network connections originating from the system. Something noticeable out of the ordinary. Too often it is System Administrators or Operations teams that initially investigate these systems. They may conclude the best course of action is to reboot the system in hopes of resolving the issue which can lead to critical evidence being lost.
The good news is there are a number of tools and knowledge Incident Response teams can share with front line IT staff or first responders on how to look for suspicious events. They can then notify Security teams and work with them during the investigation, One example is imparting on Operations teams and Systems Administrators on what to look for when a system is behaving abnormally. I always err on the side of paranoia when this occurs and begin looking for unusual artifacts on systems. SANS came up with a cheat sheets for intrusion investigation including one for Windows Intrusion Discovery. They provide effective methods for first responders to look for signs of an intrusion on a system. I have noted down, what I feel, are the most important tools to use within the cheat sheet when investigating systems.
1. Unusual Processes
Backdoors, malware, and other malicious code that attackers run on the infected system have a process name and number tied to it. It is always prudent to check what processes are running on the system, its process ID is and the parent process. The parent process is very useful when a process which may look normal for a Windows system has an unusual parent process. An example being cmd.exe being run from a process named svcchost.exe under C:\Windows.
There are number of ways to retrieve this information but it is ideal to use tools that natively exist in Windows.
wmic get name, parentprocessid, processid
2. Unusual Services
It is important to look for unusual services on Windows systems created by intruders. Remote Access Tools and other malware can maintain persistence by creating services therefor understanding what services are running on the system is an important area to investigate when looking for intruders.
net start -> shows all the running services
tasklist /SVC -> ties the service to the process
3. Unusual Network Activity
Looking for network activity which deviates from normal network traffic is important to identify. A compromised system may be part of a bot network sending DOS traffic to another target. Or, the system may be communicating with a Command and Control system awaiting further instruction. You also want to examine what traffic is being sent out of the network from a suspicious system in the case that sensitive information is being exfiltrated. This is difficult to determine when the data is encrypted but one can still investigate the network metadata such as IP addresses used in the communication and size of the payload. The point I am trying to make is that examining network traffic on a suspect system is important. It can quickly tell first responders if suspicious network activity is occurring which can then be brought to the attention of incident responders for further investigation.
netstat -anob -> Shows the source and destination IP in the connection along with the Process ID and the executable involved in each connection.
4. Unusual Scheduled Tasks
Creating scheduled tasks is another method criminals use to remain persistent on a compromised system. Understanding what scheduled tasks are running on the system helps identify unauthorized scheduled tasks. Specifically look for tasks running as a user on the system.
schtasks -> Shows all scheduled tasks running on the system
5. Unusual entries in the registry
Registries are a common place for intruders to configure malware to remain persistent across reboots. The malware is also, more often than not, configured to run on system start up in the registry. Analyzing portions of the registry must be a standard operating procedure when looking for indicators of compromise. There are 6 areas in the registry which should be investigated immediately.
HKLMSoftwareMicrosoftWindowsCurrentVersionRunonceEx -> for systems older than Windows 7 and 2008
HKLU\Software\Microsoft\Windows\CurrentVersion\RunonceEx -> for systems older than Windows 7 and 2008
You can use the regdit GUI to manually look in the above locations or script it using the following commands.
reg query \path\to\key
reg query hklm\software\microsoft\windows\currentversion\run
reg query hklm\software\microsoft\windows\currentversion\runonce
6. Unusual accounts
Intruders may create accounts on the compromised system therefor for it is prudent to ensure no unexpected accounts exist on the systems.
net users -> shows a list of all local accounts on the system
net localgroup administrators -> shows all users in the local administrator group
7. Startup Items
In addition to the examining the registry and services, there are other commands first responders can use to view what is running at system start up.
i) GUI method
Open a powershell command window and type msconfig. Check the Startup tab to review what services run at startup.
ii) Command Line
wmic startup list full
There are other tools which can achieve the same results I demonstrated on this page. I prefer these tools because they run natively on the Windows system. Precious time is not wasted looking for 3rd party tools to get the necessary information needed to determine if an intruder may have compromised the system. Share this with your first responders and System Administrators so they have the tools and knowledge on what to look for when investigating a system.