This is my recommendation for a malware critical-controls SOP covering the compromise/malware-suspicion use case on Windows boxes.
Not all of the SOP's main steps are always required: as soon as there is a detection, security analysts may want to stop there and have the sample analyzed (or do the analysis themselves). Depending on the context, one may still want to go through to the end of the SOP after a detection, or not.
- Force the update of the locally installed AV.
- Start a full scan with the locally installed AV.
- Run a third-party lightweight antimalware:
  - My recommendation: ESET Online Scanner or WithSecure Online Scanner
  - My recommendation: Microsoft Safety Scanner, ESET Online Scanner or Sophos Virus Removal Tool
- Run an offline scan from bootable rescue media:
  - My recommendation: Windows Defender Offline or ESET SysRescue Live
- In case of detection:
  - Try not to delete the file, and grab the sample;
  - Send the sample to the support of the AV solution that was not detecting it;
  - Add the IOC (file hash) to your TIP.
- Run an IOC scanner:
  - My recommendation: Thor Lite
  - Don't forget to extract your own IOCs, stored and updated within your TIP (either MISP or OpenCTI), and add them to Thor Lite.
- In case of detection:
  - Try not to delete the file, and grab the sample;
  - Send the sample to the support of the AV solution that was not detecting it;
  - Add the IOC (file hash) to your TIP.
- My recommendations for the Sysinternals analysis: Process Explorer, Autoruns, TCPView
  - you may also want to leverage Process Monitor, but be aware it will consume quite some resources on the machine being analyzed, and the trace is likely to take time to analyze (hours if not days)
- Run the recommended Sysinternals tools (as local admin);
- Check for suspicious activity in Process Explorer:
  - enable VirusTotal (see Process Explorer options) for all binaries (exe/dll), but you may not want to submit unknown samples to VT right away;
  - verify all items for which the VT score is > 0;
  - check all images of running processes and DLLs:
    - you may want to leverage a knowledge base of known legitimate Windows system files, like EchoTrail;
    - binary signature check:
      - double check unsigned binaries;
      - double check binaries with an expired or incorrect certificate;
    - abnormal execution paths:
      - pay attention to paths that should not contain binaries: "programdata", "appdata" (except for Google Chrome and MS Teams), "documents", etc.;
      - pay attention to paths that should not contain long-running binaries: "temp", "downloads", etc.;
    - verify every command line, above all for applications that load documents and scripting/shell components (cmd.exe, cscript.exe, powershell.exe, etc.);
      - you may want to leverage a knowledge base of malicious command lines, like Threat Hunting keywords;
    - suspicious process tree:
      - parent process no longer existing;
      - scripting component processes (cmd.exe, cscript.exe, powershell.exe, etc.) as uncommon children of other processes (e.g. MS Office, web browsers, Explorer, file viewers, etc.);
  - check all network activity (destination IP):
    - pay attention to network traffic associated with the kernel;
    - check the reputation of every contacted IP (you may want to leverage OpenCTI/MISP, or tools like CyberGordon);
  - check for suspicious persistence items (using Autoruns);
  - check for suspicious filesystem activity.
- Check for suspicious activity in TCPView:
  - check all network activity (destination IP);
  - pay attention to network traffic associated with the kernel: it is likely related to driver activity, but might be malicious even so;
  - double check unknown ("unnamed") processes that open connections (these may be stealth processes, hidden by rootkit capability);
  - double check recurring network traffic (same destination IP / same TCP port);
  - double check long-living TCP connections;
  - double check that all processes TCPView shows are also displayed in Process Explorer (because TCPView leverages a driver to enumerate the TCP endpoints and then the associated processes, it may reveal stealth processes);
  - check the reputation of every contacted IP (you may want to leverage OpenCTI/MISP, or tools like CyberGordon).
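The TCPView checks above turned into detection logic, as an added example that is not part of the original SOP or of TCPView itself. It runs over a constructed connection snapshot; the PIDs, the TEST-NET addresses, the indicator set and both thresholds are assumptions, and `age_s` stands for how long an endpoint has been observed across TCPView refreshes.

```python
from collections import Counter

# Constructed values, not real indicators: destinations exported from the TIP (MISP/OpenCTI).
KNOWN_BAD_IPS = {"198.51.100.23"}
LONG_LIVED_S = 3600     # a TCP connection open for over an hour deserves a look (assumed threshold)
RECURRING_MIN = 3       # same destination ip:port seen this many times (assumed threshold)

def triage_connections(conns, procexp_pids):
    """conns: dicts with pid, process, remote_ip, remote_port and age_s (seconds the
    endpoint has been observed across TCPView refreshes). procexp_pids: the PIDs that
    Process Explorer lists. Returns a sorted list of (pid, reason) findings mirroring
    the TCPView checks of the SOP; each one still has to be verified by the analyst."""
    hits = set()
    per_dest = Counter((c["remote_ip"], c["remote_port"]) for c in conns)
    for c in conns:
        pid, ip, port = c["pid"], c["remote_ip"], c["remote_port"]
        if pid == 4:   # TCPView attributes kernel/driver traffic to the System process
            hits.add((pid, f"kernel traffic to {ip}:{port}"))
        if c["process"] in ("", "<unknown>") or pid not in procexp_pids:
            hits.add((pid, "process not visible in Process Explorer (possible rootkit)"))
        if per_dest[(ip, port)] >= RECURRING_MIN:
            hits.add((pid, f"recurring traffic to {ip}:{port}"))
        if c["age_s"] >= LONG_LIVED_S:
            hits.add((pid, f"long-lived TCP connection to {ip}:{port}"))
        if ip in KNOWN_BAD_IPS:
            hits.add((pid, f"destination {ip} matches a TIP indicator"))
    return sorted(hits)

# Constructed snapshot: three successive short beacons from PowerShell (the kind that linger
# as TIME_WAIT entries), SMB from the kernel, a browser session, and a connection owned by
# a PID that Process Explorer does not show.
PROCEXP_PIDS = {4, 1200, 2500, 3100}
CONNS = [
    {"pid": 2500, "process": "chrome.exe", "remote_ip": "203.0.113.10", "remote_port": 443, "age_s": 45},
    {"pid": 4, "process": "System", "remote_ip": "203.0.113.50", "remote_port": 445, "age_s": 30},
    {"pid": 3100, "process": "powershell.exe", "remote_ip": "198.51.100.23", "remote_port": 8443, "age_s": 5},
    {"pid": 3100, "process": "powershell.exe", "remote_ip": "198.51.100.23", "remote_port": 8443, "age_s": 65},
    {"pid": 3100, "process": "powershell.exe", "remote_ip": "198.51.100.23", "remote_port": 8443, "age_s": 125},
    {"pid": 6666, "process": "<unknown>", "remote_ip": "192.0.2.77", "remote_port": 4444, "age_s": 7200},
]
```

Calling `triage_connections(CONNS, PROCEXP_PIDS)` flags the kernel SMB traffic, the recurring and TIP-matched PowerShell destination, and the hidden long-lived connection, while the browser session produces nothing.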
- Check for suspicious activity in Autoruns:
  - keep in mind that display filters may be hiding some of the results!
  - enable VirusTotal checks;
  - verify all items for which the VT score is > 0;
  - check all images of registered processes and DLLs:
    - binary signature check:
      - double check unsigned binaries;
      - double check binaries with an expired or incorrect certificate;
    - abnormal execution paths:
      - pay attention to paths that should not contain binaries: "programdata", "appdata" (except for Google Chrome and MS Teams), "documents", etc.;
      - pay attention to paths that should not contain binaries still running after the post-install reboot: "temp", "downloads", etc.;
    - verify every command line, above all for applications that load documents and scripting/shell components (cmd.exe, cscript.exe, powershell.exe, etc.);
    - verify every non-Microsoft service.
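The image checks shared by the Process Explorer and Autoruns steps (abnormal execution paths with the Chrome/Teams exception, unsigned or expired signatures, parents that no longer exist, script hosts spawned by document applications) as code. This is an added example, not part of the original SOP or of any Sysinternals tool; it runs over a constructed process table of the kind you could export from Process Explorer, and the process names, allowlist substrings and sample rows are assumptions.

```python
# Path components that should not host binaries, or not long-running ones (the "abnormal
# execution paths" checks of the Process Explorer and Autoruns steps).
NO_BINARIES = ("programdata", "documents")
NO_LONG_RUNNING = ("temp", "downloads")
# The SOP tolerates AppData for Google Chrome and MS Teams; the substrings are assumptions.
APPDATA_ALLOWLIST = ("google\\chrome", "microsoft\\teams")
# Script hosts and the document/browser apps that rarely spawn them (assumed name lists).
SCRIPT_HOSTS = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe"}
DOC_APPS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe", "acrord32.exe"}

def path_findings(path):
    """Reasons an image path looks abnormal (empty list if none)."""
    low = path.lower().replace("/", "\\")
    parts = low.split("\\")
    reasons = []
    bad_appdata = "appdata" in parts and not any(a in low for a in APPDATA_ALLOWLIST)
    if bad_appdata or any(d in parts for d in NO_BINARIES):
        reasons.append("binary in user/data directory")
    if any(d in parts for d in NO_LONG_RUNNING):
        reasons.append("binary running from temp/downloads")
    return reasons

def triage(rows):
    """rows: dicts with pid, ppid, name, path, sig ('ok'|'unsigned'|'expired'|'invalid').
    Returns (pid, name, reason) tuples; every hit still needs analyst verification
    (an orphaned explorer.exe, whose parent userinit.exe has exited, is normal)."""
    by_pid = {r["pid"]: r for r in rows}
    out = []
    for r in rows:
        for why in path_findings(r["path"]):
            out.append((r["pid"], r["name"], why))
        if r["sig"] != "ok":
            out.append((r["pid"], r["name"], f"signature check: {r['sig']}"))
        parent = by_pid.get(r["ppid"])
        if r["ppid"] and parent is None:
            out.append((r["pid"], r["name"], "parent process no longer exists"))
        elif parent and r["name"].lower() in SCRIPT_HOSTS and parent["name"].lower() in DOC_APPS:
            out.append((r["pid"], r["name"], f"script host spawned by {parent['name']}"))
    return out

# Constructed process table (not a real host): Word spawned PowerShell, which dropped an
# unsigned binary in %TEMP%; explorer.exe's parent has exited (the benign orphan case).
SAMPLE = [
    {"pid": 4, "ppid": 0, "name": "System", "path": "", "sig": "ok"},
    {"pid": 1200, "ppid": 1100, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe", "sig": "ok"},
    {"pid": 2500, "ppid": 1200, "name": "chrome.exe", "path": r"C:\Users\bob\AppData\Local\Google\Chrome\Application\chrome.exe", "sig": "ok"},
    {"pid": 3000, "ppid": 1200, "name": "WINWORD.EXE", "path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "sig": "ok"},
    {"pid": 3100, "ppid": 3000, "name": "powershell.exe", "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "sig": "ok"},
    {"pid": 3200, "ppid": 3100, "name": "updater.exe", "path": r"C:\Users\bob\AppData\Local\Temp\updater.exe", "sig": "unsigned"},
]
```

`triage(SAMPLE)` returns five findings: the orphaned explorer.exe, PowerShell under Word, and three for the dropped updater.exe (user directory, temp path, unsigned), while Chrome under AppData passes thanks to the exception.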
- In case of detection:
  - Grab the sample and send it to the support of the AV vendor that was not detecting it;
  - Add the IOC (file hash) to your TIP (MISP/OpenCTI, etc.).
- Run an anti-rootkit scanner:
  - My recommendation: GMER
- Do a full memory dump with the tool of your choosing.
- Run an analysis of the memory dump:
  - My recommendation: Volatility
  - Be aware that this analysis step may require hours if not days, and is quite unpredictable in terms of required time!