Purpose
This document is for Tech Support staff to use for when they are first responder to any incident involving Cyber Security on an End Point Windows computer on the Plan network (Server or Workstation). This can be as simple as a Malware report through TrendMicro or someone saying they clicked on an unknown or suspicious link.
Process
For End Point incidents, the first responder process is always:
Using Process Explorer and TCPView
In Process Explorer, turn on “Verify Image Signatures” and “Check Virus Total” under Options:
Look for processes with “No Signature Present” or other processes that should not be running (e.g. cmd.exe or Powershell.exe). Also look for any processes that are marked red and have a finding under VirusTotal (eg. 10/67).
These processes can be examined by right clicking and choosing Properties. This will indicate where the process image is running from for further examination:
If suspicious, the process can be Killed in Process Explorer. However, well written Malware might spawn new processes when killed. If this occurs then the process will need further actions, including clean up in Windows Safe mode:
In TCPView, click the button to “Hide Unconnected End Points” then look for any suspicious connections that are not related to running processes:
Potential Malware Examples
Note: These examples show connections to Amazon AWS cloud servers. Many legitimate services use AWS and it is rare that AWS would host malware. An AWS server is just used here as an example of how a suspicious process connects to a server on the Internet.
Command And Control Example
Sometimes Malware is just a standalone executable performing damage locally which can be seen in Process Explorer. Malware can also takes the form of Command & Control (C&C) processes where the End Point makes a Reverse Shell to an attacker or service on the Internet so that the attacker/service can run commands and processes on the End Point from a remote location.
The C&C process will often disguise itself as a known executable but will not be signed or it might be just a strangely named executable. AntiVirus and VirusTotal might not pick this up because it is a custom, unknown variant:
Note: sophisticated malware can be injected into existing, signed processes and run as a “shadow” process. These can be difficult to pick up with anti-virus, Virus Total and Process Explorer but looking at the network connections can provide more information.
With any process observed in Process Explorer, the correlating process in TCPView can show a connection to a unique IP address or cloud service on a port that is likely to be available for this End Point to use (eg. http port 80):
The Process properties can be examined in Process Explorer to see where the EXE is running from. This is the best place to start to look at the underlying details of the suspicious process:
PowerShell Example
More recently, Malware can take the form of Powershell scripts. Process Explorer will see these as Signed because it is a core Microsoft process that is running the Malware.
The presence of Powershell running on an End Point is usually highly suspicious unless you know that there is a legitimate Powershell process that should be running. The Powershell process Properties can be examined to see if it is doing something like connecting to another computer:
As with the C&C example above, the Powershell might be connecting to a service on the Internet or another local host. This is suspicious if there is no known purpose for this:
