For most people it is difficult to determine what is “normal” when looking for signs that reveal a compromised host. This is easily one of the biggest problems that digital forensics specialists face, as it affects the level of response to the incident, as well as the identification of an attack.
Some of the most reliable tools for incident response are integrated into Windows and Linux. This article focuses primarily on Windows, but in a very general way, even though it is a good starting point. Windows has an extremely powerful tool called Windows Management Instrumentation Command (WMIC). WMIC is extremely useful in incident response as well as for penetration testing. It is likely that using this tool is sufficient to notice some of the host infection indicator signals.
According to specialists in digital forensics, the most important thing about these tools is to recognize what is not normal. The best way to do this is to get acquainted with the results of the tools. Look at the associated DLL files for common processes such as svchost so that you can determine if it is actually a malicious executable.
Windows Incident Response Commands
Event Log
Event logs can be a great source of information. Some of the records that may be useful are security logs that indicate changes or additions to the user account, failed user logon attempts, or service state changes.
Netstat
Netstat is a tool included with Windows and Linux. Allows you to display active TCP connections, listening ports, and many other statistics, including which process ID the connection is associated With. This command will show all active TCP connections, as well as listening to TCP and UDP ports:
netstat – anob
Tasklist
The Task list displays a list of applications and services with its process ID. It is very useful to determine which process is associated with a PID. For example, if you see a strange connection in the output of netstat, you can determine the process with this Tool. The following command will show the associated task, as well as the associated DLLs:
tasklist / m / fi “pid eq <Insert process ID here, without the brackets>”
NET
Net commands have a variety of uses. This function has multiple similarities. They are all useful for identifying system information as well as active network activity.
These commands show open sessions with your host:
net session
net use
net user
net view
WMIC
WMIC is an extremely useful tool, as reported by digital forensics experts from the International Institute of Cyber Security. It’s like having a toolbox that can greatly accelerate the process of system analysis.
This command will display the name and ID of the main process of a given process ID. This would be the next step after determining which process is performing a strange network activity:
wmic process get name,processid,parentprocessid|find “<Insert the PID here, without the brackets>”
You can then continue to execute the same command with the main process ID to determine the name of the main process.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.
