Discovering indicators of compromise

Reconnaissance

Process Monitor

Following Locard's Exchange Principle that attackers always leave something behind, it's only logical that when investigating a Windows system, you look for system processes that have been spawned. For that, I've always found that Process Monitor (Figure 1) is a terrific tool for tracking unknown activity on any Windows system, no matter how new or old. Useful features include the ability to identify and trace sub-processes, as well as filter the many thousands of processes running on any particular Windows host. You can download Process Monitor directly from Microsoft [6].

Figure 1: Process Monitor.

The following general principle is true: The more powerful the machine, the more powerful the potential shell or process. That's why Process Monitor is so useful. It allows me to investigate processes that have been spawned and tracks those processes right up the execution tree to the kernel. It also allows me to see whether these processes lead to a socket, which is where an IP address has been mapped to a port.

Wireshark: The Analyst's Best Friend

Wireshark is in many ways the best friend of a security analyst. Although I might be overstating this, because system logs and process logs are also vital for any analyst, if you really want to get into what's happening on the network, Wireshark is terrific. Once again, you can't simply expect an IDS such as Snort, Bro, SolarWinds, or Suricata to do this work for you. Wireshark is freely available online [7] and is preinstalled on many Linux operating systems.

Analyzing an Attack

A month or so ago, I was working with a security analyst who monitors Fortune 500 banks, as well as large oil companies. He showed me how many of these organizations still use older Windows and Linux systems to provide essential banking services and control physical systems, such as oil pipelines. I've had other security analysts confirm that many healthcare, manufacturing, and retail point of sale systems use older Windows hosts, so I thought I'd demonstrate how a security analyst identifies IoCs on these systems.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus