3 Important Things

Critical Questions in Compromise Analysis

When investigating a potentially compromised system, focusing on the following three critical questions ensures a comprehensive and effective response:


1. Is There Malware Actively Running in the System?

Why It Matters:

Active malware shows what the attacker is doing right now (data exfiltration, credential theft, lateral movement), and its parent chain, start time and command line usually point back to how initial access was gained.

Key Indicators:

  • Unusual Processes:

    • Processes with names mimicking legitimate ones (e.g., svch0st.exe).

    • Known legitimate processes behaving abnormally, such as powershell.exe being executed by excel.exe.

  • Suspicious Parent-Child Relationships:

    • System utilities spawned by non-standard applications.

    • Example: cmd.exe or powershell.exe spawned from outlook.exe or winword.exe.

  • Processes in Suspicious Locations:

    • Executables running from temporary or world-writable directories, e.g., /tmp, /var/tmp, /dev/shm, C:\Temp, or C:\Users\Public.

    • Binaries deleted from disk while still running (on Linux, /proc/<pid>/exe shows "(deleted)"; the process keeps running from memory).

Actions:

  • Process Analysis:

    • Linux: Use ps aux, top, pstree, and lsof.

    • Windows: Use Task Manager, PowerShell (Get-Process), or Sysinternals tools like Process Explorer.

  • Identify Process Details:

    • Command: ps -o pid,ppid,user,lstart,args -p <pid> (or ps aux | grep <process_name> for a quick search by name).

    • Investigate the parent process, the full command line, the start time, and the on-disk path (ls -l /proc/<pid>/exe on Linux).

  • Backtrace the Entry Point:

    • Check logs to see when and how the process was started: on Linux, auditd execve records or syslog/journal entries from cron, sshd and similar services; on Windows, Security Event ID 4688 (process creation, with command-line auditing enabled) or Sysmon Event ID 1.
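The triage above, as an added example that is not part of the original page: a small POSIX shell script that applies the indicators from this section (temp-directory paths, deleted binaries, look-alike names, office applications spawning a shell) to "PID PPID USER PARENT_COMM EXE COMMAND" records, and can walk the live /proc tree on Linux with --live. The heuristics, the KNOWN_GOOD name list and the sample records are constructed for illustration, not taken from any real incident.

```sh
#!/bin/sh
# Added example (not from the original page): flag suspicious processes from
# "PID PPID USER PARENT_COMM EXE COMMAND..." records, then optionally walk the
# live /proc tree (Linux only). Heuristics and sample records are constructed
# for illustration; tune KNOWN_GOOD and the parent/child lists for your estate.

KNOWN_GOOD="svchost svchost.exe sshd cron crond systemd kworker"   # names attackers imitate

# check_process_record "PID PPID USER PARENT_COMM EXE COMMAND..."
# Prints the flags raised and returns 0; returns 1 when nothing looks wrong.
check_process_record() {
  set -f; set -- $1; set +f          # word-split the record (globbing disabled)
  [ $# -ge 5 ] || return 1
  parent=$4; exe=$5; shift 5; cmd=$*
  base=${exe##*/}
  flags=""

  # 1. Executable or script path in a temp / world-writable directory.
  case " $exe $cmd" in
    *" /tmp/"*|*" /dev/shm/"*|*" /var/tmp/"*) flags="$flags temp-dir-path" ;;
  esac

  # 2. Binary removed after launch: /proc/<pid>/exe reads "<path> (deleted)".
  case "$cmd" in *"(deleted)"*) flags="$flags deleted-binary" ;; esac

  # 3. Name mimicry: map 0->o and 1->l; if that yields a well-known name, flag it.
  norm=$(printf '%s' "$base" | tr '01' 'ol')
  if [ "$norm" != "$base" ]; then
    case " $KNOWN_GOOD " in *" $norm "*) flags="$flags name-mimicry" ;; esac
  fi

  # 4. Office/mail client spawning a shell or interpreter.
  case "$parent" in
    winword*|excel*|outlook*|soffice*|libreoffice*)
      case "$base" in
        sh|bash|dash|zsh|python*|perl|nc|ncat|powershell*|cmd.exe)
          flags="$flags office-spawned-shell" ;;
      esac ;;
  esac

  flags=${flags# }
  [ -n "$flags" ] || return 1
  printf '%s\n' "$flags"
}

# Build one record per live process from /proc and run the checks on it.
audit_live_processes() {
  for p in /proc/[0-9]*; do
    pid=${p#/proc/}
    [ -r "$p/stat" ] || continue
    ppid=$(sed 's/^.*) //' "$p/stat" | awk '{print $2}')   # field after "(comm)" is state, then ppid
    parent=$(tr ' ' '_' 2>/dev/null <"/proc/$ppid/comm"); parent=${parent:-?}
    exe=$(readlink "$p/exe" 2>/dev/null || echo '?')
    cmd=$(tr '\0' ' ' 2>/dev/null <"$p/cmdline")
    user=$(stat -c %U "$p" 2>/dev/null || echo '?')
    flags=$(check_process_record "$pid $ppid $user $parent $exe $cmd") \
      && echo "FLAG [$flags] pid=$pid ppid=$ppid user=$user parent=$parent exe=$exe"
  done
}

if [ "${1:-}" = "--live" ]; then
  audit_live_processes
else
  # Constructed sample records in the "PID PPID USER PARENT_COMM EXE COMMAND..." layout.
  for rec in \
    "812 1 root systemd /usr/sbin/sshd /usr/sbin/sshd -D" \
    "2210 812 alice sshd /usr/bin/bash -bash" \
    "3301 2210 alice bash /tmp/.x/svch0st /tmp/.x/svch0st -p 4444" \
    "3302 1 www-data cron /usr/bin/python3 python3 /var/tmp/.u/agent.py" \
    "3310 2990 bob soffice.bin /usr/bin/bash /bin/sh -c id" \
    "4000 1 root systemd /tmp/.k (deleted) /tmp/.k"
  do
    flags=$(check_process_record "$rec") && echo "FLAG [$flags] $rec"
  done
fi
```

Run it without arguments to see the constructed records scored, or with --live (as root, so every /proc entry is readable) to score the running system. Every flag is a lead, not a verdict: confirm each hit with the parent chain, start time and on-disk path before acting on it.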


2. Is There Any Suspicious Internal or External Communication?

Why It Matters:

Malware often communicates with external systems for command-and-control (C2), exfiltrating data, or downloading additional payloads.

Key Indicators:

  • Connections to Known Malicious IPs or Domains:

    • Compare external connections with threat intelligence feeds.

  • Unusual Data Transfers:

    • High-volume data transfers to a single external IP.

    • Unusual transfer protocols (e.g., FTP on non-standard ports).

  • Non-Standard Ports:

    • Outbound connections to uncommon destination ports, such as 4444, 8081, or high-numbered ports that do not belong to a known service. Judge by the destination port: the local/source port of a client connection is almost always high-numbered and means nothing on its own.

Actions:

  • Network Connection Analysis:

    • Linux: ss -tunap (established and listening sockets with the owning process; ss -tuln shows listeners only), netstat -antp, tcpdump, or iftop.

    • Windows: netstat -ano, PowerShell (Get-NetTCPConnection), or Sysinternals TCPView.

  • Log Review:

    • Review logs for outbound traffic. Neither syslog nor the Windows event log records connections by default, so the relevant auditing has to be enabled before the incident:

      • Linux: firewall logging (nftables/iptables LOG rules, written to /var/log/syslog, /var/log/messages or the journal), auditd rules on connect/socket calls, or flow logs captured at the network layer.

      • Windows: Security Event ID 5156 (Windows Filtering Platform permitted a connection; requires the "Audit Filtering Platform Connection" subcategory), or Sysmon Event ID 3 (network connection, including process and user).

  • Threat Intelligence Cross-Check:

    • Compare suspicious IPs/domains against threat databases like VirusTotal or AbuseIPDB.
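The connection triage and threat-intelligence cross-check above, as an added example that is not part of the original page: a POSIX shell script that scores lines in the column layout printed by ss -tunap (Netid State Recv-Q Send-Q Local Peer Process) against a blocklist, a list of ports commonly seen in default C2 configurations, and an allowlist of expected outbound services. The BLOCKLIST, C2_PORTS and ALLOWED_PORTS values and the sample lines are constructed for illustration; in practice the blocklist would be loaded from a threat-intelligence feed, and transfer volume needs flow data or packet capture, which this script does not look at.

```sh
#!/bin/sh
# Added example (not from the original page): triage established connections in
# the column layout printed by `ss -tunap`. The lists below and the sample lines
# are constructed for illustration; load the blocklist from a real feed in use.

BLOCKLIST="203.0.113.7 198.51.100.23"                      # constructed "known bad" peers
C2_PORTS="4444 1337 31337 5555 6666 6667"                  # ports common in default C2 configs
ALLOWED_PORTS="22 25 53 80 123 443 465 587 993 995 8443"   # expected outbound services

# in_list <item> "<space separated list>"
in_list() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

is_private_ip() {
  case "$1" in
    10.*|192.168.*|127.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|169.254.*) return 0 ;;
  esac
  return 1
}

# classify_connection "<one ss -tunap line>"
# Prints the flags raised and returns 0; returns 1 if the line is not interesting.
classify_connection() {
  set -f; set -- $1; set +f                  # split columns; -f keeps "*:*" from globbing
  [ $# -ge 6 ] || return 1
  state=$2; peer=$6
  [ "$state" = "ESTAB" ] || return 1         # listeners and UDP sockets are out of scope here
  ip=${peer%:*}; port=${peer##*:}
  flags=""

  # 1. Peer appears in the threat-intelligence blocklist (internal or external).
  if in_list "$ip" "$BLOCKLIST"; then flags="$flags blocklisted-peer"; fi

  # 2. External peer on a classic C2 port, or on anything outside the allowlist.
  if ! is_private_ip "$ip"; then
    if in_list "$port" "$C2_PORTS"; then
      flags="$flags known-c2-port"
    elif ! in_list "$port" "$ALLOWED_PORTS"; then
      flags="$flags uncommon-dest-port"
    fi
  fi

  flags=${flags# }
  [ -n "$flags" ] || return 1
  printf '%s\n' "$flags"
}

# Score the live socket table (run as root so the Process column is populated).
audit_live_connections() {
  command -v ss >/dev/null 2>&1 || { echo "ss not available" >&2; return 1; }
  ss -tunap 2>/dev/null | awk 'NR > 1' | while read -r line; do
    flags=$(classify_connection "$line") && echo "FLAG [$flags] $line"
  done
}

if [ "${1:-}" = "--live" ]; then
  audit_live_connections
else
  # Constructed sample lines in ss -tunap layout (documentation IP ranges only).
  for line in \
    'tcp ESTAB 0 0 10.0.0.5:49812 203.0.113.7:4444 users:(("svch0st",pid=3301,fd=3))' \
    'tcp ESTAB 0 0 10.0.0.5:51201 198.51.100.77:8081 users:(("python3",pid=3302,fd=5))' \
    'tcp ESTAB 0 0 10.0.0.5:51200 198.51.100.10:443 users:(("firefox",pid=2500,fd=80))' \
    'tcp ESTAB 0 0 10.0.0.5:40000 10.0.0.9:8081 users:(("ssh",pid=2600,fd=3))' \
    'tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))'
  do
    flags=$(classify_connection "$line") && echo "FLAG [$flags] $line"
  done
fi
```

The pid in the Process column ties each flagged connection back to the process checks in question 1. Internal peers are only checked against the blocklist here; lateral-movement detection on uncommon internal ports is a separate exercise.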


3. Is There Any Persistence?

Why It Matters:

Persistence mechanisms enable attackers to maintain access, even after system reboots or disconnection from the network.

Key Indicators:

  • Scheduled Tasks or Cron Jobs:

    • Malicious tasks set to execute periodically.

    • Example: /etc/cron.d/malicious_job or hidden entries in Task Scheduler.

  • Startup Modifications:

    • Malicious programs configured to start at boot or at logon via:

      • Windows: Registry entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and RunOnce), the per-user equivalents under HKCU, and the Startup folder.

      • Linux: .bashrc, .bash_profile, .profile, /etc/profile.d/*, or rc.local.

  • Hidden Backdoors or Services:

    • Custom scripts or executables set up as services.

    • Example: malicious_service installed under /etc/systemd/system/ or /lib/systemd/system/ (or a per-user unit under ~/.config/systemd/user/), sometimes paired with a .timer unit that does the job of a cron entry.

Actions:

  • Scheduled Tasks/Cron Jobs:

    • Linux: crontab -l (current user only; as root, crontab -l -u <user> for each account), cat /etc/crontab, ls /etc/cron.*, and the spool under /var/spool/cron.

    • Windows: schtasks /query /fo LIST /v (the verbose form shows the task's action and the account it runs as).

  • Startup Entries:

    • Linux: Inspect .bashrc, .bash_profile, rc.local.

    • Windows: Use regedit or Sysinternals Autoruns, which also covers services, drivers, WMI subscriptions and the other autostart locations.

  • Services:

    • Linux: systemctl list-unit-files --state=enabled (what starts at boot), systemctl list-units --type=service (what is running now), and systemctl list-timers --all.

    • Windows: Get-Service or services.msc.


Why These Questions Matter

  • Detect Active Threats: Identifying running malware enables immediate containment and neutralization.

  • Stop Unauthorized Communication: Blocking suspicious network activity prevents data exfiltration and disrupts C2 communication.

  • Eliminate Persistence: Removing persistence mechanisms ensures attackers cannot easily regain access after remediation.


Immediate Actions Based on Findings

  1. Active Malware Detected:

    • Containment: Isolate the infected system from the network (keep it powered on if memory evidence is still needed).

    • Eradication: Capture volatile evidence first (memory image, process and connection listings), then terminate malicious processes and remove associated files.

  2. Suspicious Communications:

    • Block IPs: Add malicious IPs/domains to the firewall blocklist.

    • Network Monitoring: Increase surveillance of unusual outbound traffic.

  3. Persistence Mechanisms Found:

    • Disable and Remove: Stop and delete malicious scheduled tasks, startup entries, or services.

    • System Hardening: Apply security patches, enforce least privilege, and monitor for re-entry attempts.

By addressing these three critical questions, incident responders can systematically uncover malicious activity, disrupt ongoing attacks, and secure the system against future compromise.
