In many incidents, the first indication that a system has been compromised is attempted or completed connections to external hosts. Detection mechanisms such as firewalls or web proxies may indicate that a system or systems are attempting to communicate with suspect external hosts. From this starting position, it may be possible to identify potential malware on a system:
- Suspicious network connections: Conducting a review of network connections on hosts that have been associated with external connections will often provide the process that is attempting to communicate.
- Process name: Examining the process from the network connections allows analysts to perform similar actions found within the SANS methodology. It is advisable for the analyst to also determine whether the identified process is one that often requires a network connection.
- Parent process ID: Further insight into the parent process is useful for determining whether the process is legitimate and has a legitimate need to communicate via a network connection.
- Associated entities: Finally, examining the associated DLLs and other artifacts brings us to the stage where they can be acquired and analyzed.
Let's now look at some memory analysis tools.