Identify Malware: Process Explorer

Look at running processes with Process Explorer and identify indicators of compromise:
  • Items with no icon

  • Items with no description or company name

  • Unsigned Microsoft images (first add the Verified Signer column under View tab -> Select Columns, then go to the Options tab and choose Verify Image Signatures)

  • Check all running process hashes in VirusTotal (go to the Options tab and select Check VirusTotal.com)

  • Suspicious files running from Windows directories or the user profile

  • Purple items, which are packed or compressed

  • Items with open TCP/IP endpoints

Strings Check
  • Right click on the suspicious process in Process Explorer and, in the pop-up window, choose the Strings tab and review it for suspicious URLs. Repeat for both the Image and Memory radio buttons.

  • Look for any IP addresses

  • Look for strange URLs in strings

  • Also, while you are in this pop-up window, click on the TCP/IP tab. Here you can see the connections the program is making.

DLL View
  • Pop open with Ctrl+D

  • Look for suspicious DLLs or services

  • Look for no description or no company name

  • Look at VirusTotal Results column

Stop and Remove Malware
  • Right click and select Suspend for any identified suspicious processes

  • Right click and select Terminate for the previously suspended processes

Clean up where malicious files Auto start
  • Launch Autoruns

  • Under Options, check the boxes Verify Code Signatures and Hide Microsoft Entries

  • Look for the suspicious process file from the earlier steps on the Everything tab and uncheck it. It is safer to uncheck than to delete, in case of error.

  • Press F5 to refresh Autoruns and confirm the malicious file has not recreated its entry in the auto start location you just unchecked.

Key Questions to Answer

  • What was the initial attack vector? (i.e., How did the adversary gain initial access to the network?)

  • How is the adversary accessing the environment?

  • Is the adversary exploiting vulnerabilities to achieve access or privilege?

  • How is the adversary maintaining command and control?

  • Does the actor have persistence on the network or device?

  • What is the method of persistence (e.g., malware backdoor, webshell, legitimate credentials, remote tools, etc.)?

  • What accounts have been compromised and what privilege level (e.g., domain admin, local admin, user account, etc.)?

  • What method is being used for reconnaissance? (Discovering the reconnaissance method may provide an opportunity for detection and to determine possible intent.)

  • Is lateral movement suspected or known? How is lateral movement conducted (e.g., RDP, network shares, malware, etc.)?

  • Has data been exfiltrated and, if so, what kind and via what mechanism?

  • This chart shows how to answer these questions. It shows the specific techniques used
    at each stage of the attack, as well as indicators of each style of compromise, and,
    most importantly, where to find artifacts and evidence.

Checklist for Investigation

This checklist should be run against every machine suspected of being compromised.

Network Connections

Open cmd.exe in administrator mode and type the command: netstat -nob. This will provide a list of all network connections the device is making. Keep an eye out for unusual ports or suspicious IP addresses.
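The same view from PowerShell, joined to the owning process so each connection can be flagged for review. This is an added example, not part of the original checklist; it assumes an elevated prompt, Windows 8 / Server 2012 or later for Get-NetTCPConnection, and a constructed $expectedPorts list that you should tune to your environment.

```powershell
# Added example, not from the original checklist: a netstat -nob style listing
# with the owning process, flagging connections worth a closer look.
# Assumptions: elevated prompt; Get-NetTCPConnection (Windows 8 / Server 2012+);
# $expectedPorts and $userWritable are constructed lists, adjust to the case.

function Test-PrivateAddress {
    param([string]$Address)
    return ($Address -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|0\.0\.0\.0$|::|fe80:)')
}

$expectedPorts = 53, 80, 443, 445, 3389
$userWritable  = '\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\'

# Index running processes by PID (cast to int so the key types match below).
$byPid = @{}
Get-Process -ErrorAction SilentlyContinue | ForEach-Object { $byPid[$_.Id] = $_ }

$rows = Get-NetTCPConnection -State Established, SynSent, Listen | ForEach-Object {
    $p    = $byPid[[int]$_.OwningProcess]
    $path = if ($p -and $p.Path) { $p.Path } elseif ($p) { '(path not readable)' } else { '(process gone)' }
    $reasons = @()
    if ($_.State -ne 'Listen' -and -not (Test-PrivateAddress $_.RemoteAddress) -and
        $_.RemotePort -notin $expectedPorts) { $reasons += 'external address on unusual port' }
    if ($path -match $userWritable) { $reasons += 'owner runs from a user-writable path' }
    [pscustomobject]@{
        Process = if ($p) { $p.ProcessName } else { '?' }
        PID     = $_.OwningProcess
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        State   = $_.State
        Path    = $path
        Flag    = $reasons -join '; '
    }
}

# Flagged rows first, then the rest for the record; CSV copy for the case file.
$rows | Sort-Object { $_.Flag -eq '' }, Process | Format-Table -AutoSize
$rows | Export-Csv -NoTypeInformation -Path "$env:TEMP\connections-$env:COMPUTERNAME.csv"
```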

Auto Runs

Check the auto run processes; this is a common place attackers use to maintain persistence. Make sure to check the Triggers tab and take note of how often the task is run and the conditions that trigger it. Check the Actions tab of all suspicious auto runs; this can often tell you the exact command or script being used by the attacker. Some other things to note:

  • Check the Logon tab and Scheduled Tasks

  • Yellow is suspicious: it means the file can't be located

  • Pink means the entry is unverified

  • Check the Explorer and Services tabs

  • Check the Drivers tab to look for suspicious drivers
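An Autoruns-style dump of the Run/RunOnce keys and scheduled tasks (with triggers, actions and last run time), verifying the signature of every launched binary so missing files and unverified signatures stand out the way yellow and pink entries do. This is an added example, not part of the original checklist; it assumes an elevated prompt, Windows 8 / Server 2012 or later for Get-ScheduledTask, and uses the task Author field as a rough stand-in for "Hide Microsoft entries".

```powershell
# Added example, not from the original checklist: autostart inventory with
# signature verification. "FILE NOT FOUND" ~ Autoruns yellow, "UNVERIFIED" ~ pink.
# Assumptions: elevated prompt; Get-ScheduledTask (Windows 8 / Server 2012+);
# filtering on Author is only an approximation of "Hide Microsoft entries".

function Get-SignatureStatus {
    param([string]$Command)
    if (-not $Command) { return 'n/a' }
    $exe = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not [IO.Path]::IsPathRooted($exe)) { $found = Get-Command $exe -ErrorAction SilentlyContinue; if ($found) { $exe = $found.Source } }
    if (-not (Test-Path -LiteralPath $exe)) { return 'FILE NOT FOUND (yellow)' }
    $sig = Get-AuthenticodeSignature -LiteralPath $exe
    if ($sig.Status -ne 'Valid') { return "UNVERIFIED: $($sig.Status) (pink)" }
    return "Valid: $($sig.SignerCertificate.Subject)"
}

$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = $item.GetValue($name)
        [pscustomobject]@{ Source = "$key\$name"; Trigger = 'Logon'; LastRun = $null; Command = $cmd; Signature = Get-SignatureStatus $cmd }
    }
}

$tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.Author -notlike 'Microsoft*' } |
    ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Source    = "Task $($task.TaskPath)$($task.TaskName)"
                Trigger   = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                LastRun   = $info.LastRunTime
                Command   = ("$($action.Execute) $($action.Arguments)").Trim()
                Signature = Get-SignatureStatus $action.Execute
            }
        }
    }

# Unverified and missing binaries first.
@($entries) + @($tasks) | Sort-Object { $_.Signature -like 'Valid*' } | Format-Table Source, Trigger, LastRun, Signature, Command -AutoSize
```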

Removable Media
  • USB, CD, network drives

  • Check common folders

Email
  • Email clients / Email server

  • Check web history

Modified Files & Folders from the Time of Attack

Go into File Explorer and go to the root of the C: drive. In the search bar type: 'datemodified:today', replacing 'today' with the day of the attack.
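The same search from PowerShell, which also matches on creation time (a dropped file can carry an old modified date) and checks signatures on executables. This is an added example, not part of the original checklist; $attackDay is a constructed placeholder, and $roots narrows the search to directories where dropped files usually land, so use 'C:\' for the full-drive search the checklist describes (slow).

```powershell
# Added example, not from the original checklist: files modified or created on
# the day of the attack, prioritised by type, with signature status on binaries.
# Assumptions: $attackDay is a constructed placeholder; $roots is a constructed
# shortlist, replace with 'C:\' to search the whole drive as the checklist says.

$attackDay   = (Get-Date '2024-05-01').Date
$roots       = 'C:\Users', 'C:\ProgramData', 'C:\Windows\Temp', 'C:\Windows\Tasks', 'C:\Windows\System32'
$scriptTypes = '.ps1', '.bat', '.cmd', '.vbs', '.js', '.hta', '.lnk'
$binaryTypes = '.exe', '.dll', '.scr', '.sys'

$hits = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime.Date -eq $attackDay -or $_.CreationTime.Date -eq $attackDay } |
        ForEach-Object {
            $ext = $_.Extension.ToLower()
            [pscustomobject]@{
                Priority  = if ($ext -in ($binaryTypes + $scriptTypes)) { 'high' } else { 'low' }
                Modified  = $_.LastWriteTime
                Created   = $_.CreationTime
                Size      = $_.Length
                Signature = if ($ext -in $binaryTypes) { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status } else { '' }
                Path      = $_.FullName
            }
        }
}

# High-priority (executable and script) hits first; CSV copy for the case file.
$hits | Sort-Object Priority, Modified | Format-Table -AutoSize
$hits | Export-Csv -NoTypeInformation -Path "$env:TEMP\modified-$($attackDay.ToString('yyyyMMdd')).csv"
```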

Processes: Task manager, Process Explorer, Process Monitor
  • check if the process has a publisher and it is verified

  • check where the process is running from

  • check parent process

  • check VirusTotal

  • check web

  • check TCP/IP tab for connections

  • check strings; look for IPs, commands and IOCs
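The process checks from this section and from "Identify Malware: Process Explorer" above in one pass: publisher/signature, company name, image path, parent process, and a SHA-256 that can be looked up on VirusTotal. This is an added example, not part of the original checklist; it assumes an elevated prompt so image paths are readable, and $userWritable and $systemNames are constructed lists to adjust to the case.

```powershell
# Added example, not from the original checklist: process triage with signature,
# company name, path, parent and SHA-256 (for a manual VirusTotal lookup).
# Assumptions: elevated prompt; $userWritable and $systemNames are constructed.

$userWritable = '\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\|\\Public\\'
$systemNames  = 'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'explorer.exe'

$byPid = @{}
Get-CimInstance Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

$report = foreach ($p in $byPid.Values) {
    $path   = $p.ExecutablePath
    $parent = $byPid[[int]$p.ParentProcessId]
    $flags  = @()
    $signer = 'n/a'; $company = ''; $sha256 = ''
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $signer  = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "UNVERIFIED ($($sig.Status))" }
        $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        $sha256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($sig.Status -ne 'Valid')    { $flags += 'unsigned or invalid signature' }
        if (-not $company)              { $flags += 'no company name' }
        if ($path -match $userWritable) { $flags += 'runs from a user-writable path' }
        if ($p.Name -in $systemNames -and $path -notlike "$env:windir\*") {
            $flags += 'system process name outside the Windows directory'
        }
    } elseif ($p.ProcessId -gt 4) {
        $flags += 'image path not readable (protected process or not elevated)'
    }
    [pscustomobject]@{
        PID     = $p.ProcessId
        Name    = $p.Name
        Parent  = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "? ($($p.ParentProcessId))" }
        Company = $company
        Signer  = $signer
        SHA256  = $sha256
        Path    = $path
        Flags   = $flags -join '; '
    }
}

# Flagged processes on screen; full report with hashes for VirusTotal to CSV.
$report | Where-Object Flags | Sort-Object Name | Format-Table PID, Name, Parent, Company, Signer, Flags -AutoSize
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\processes-$env:COMPUTERNAME.csv"
```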

Logs: Event Viewer
  • How many systems are still unknown, clear, suspicious, or infected?

  • Networking device(s) changes. (Switches, Routers, Firewalls, IPS, NAC, Wi-Fi, etc.).

  • Active Directory OU isolation of suspected systems.

  • Active Directory - User account restrictions and resets.

  • Active Directory policies to prohibit threats from running and/or access.

  • Firewall blocks.

  • DNS blocks (null route malware site(s)).

  • Web filtering blocks.