Security Engineers often do not have the time to perform the in depth study of a system in order to determine if malware, Trojans and bot software has been installed on a PC. Given the limited amount of time we all have, we must find creative ways to determine if a breach of security on our systems have occurred. I suggest that one way to quickly determine if a system is actively compromised is through the use of the procmon.exe package included in Sysinternals.
1- Download Sysinternals from the Microsoft TechNet site at http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
2. I wanted to be able to execute any of the Sysinternals Suite right from my command line while I was anywhere on the system. So I extracted the entire suite to C:\Windows\Sysinternals and then updated my system path by going to my computer and right clicking then adding my path to the “path” setting in the environment settings and adding c:\Windows\sysinternals; to my path variable.
3. Once I’ve installed all the Sysinternals Suite, the next thing that you would need to do is run through a process of using the procmon.exe tool. Below, I’ll outline the steps someone might take to perform such an analysis.
1. First, you’d start by launching the tool. This can now be easily done by going to your start menu then down to the search box and typing procmon.exe then hitting enter as shown in Figure 1A.
2. Next, you’ll need to accept the EULA and possibly approve the security of the application by clicking Run on the event pop-up then the tool will launch as shown in Figure 2A.
3. You’ll immediately begin to get a substantial amount of information from the tool displayed right in front of you as shown in Figure 2A above. This means the tool is working and monitoring all the processes and the functions they are executing. Since this tool is a real-time tool, you will want to run procmon.exe for enough time that you feel you’ve captured most of the current running processes and their execution. One thing to remember is that often Trojans and their bots have certain intervals baked into their code such as “heartbeats” to the command and control nodes or communications to other bots in the network. To be effective, you’ll need to run procmon.exe for long enough that you feel you’ve obtained this information.
4. Once you feel you’ve collected enough information, simply go to “File—> Capture Events” and deselect it so that the tool stops monitoring as shown below in Figure 4A.
5. The next thing we’ll want to do is start looking for common everyday processes that we know are valid and not harmful to the system and filter them from our results. You can perform filtering, by highlighting an entry with a single click. Then right-click on the highlighted entry while your cursor is in the “Process Name” column and select “Exclude xxx.exe” where XXX is the name of the valid process we wish to eliminate from our results as shown in Figure 5A below.
6. Next, repeat this process until all of the known good processes have been excluded. One thing to remember is that sometimes malware can “mimic” the process names used on the system so you’ll want to ensure you take a close look at any entries that are performing outbound communications and evaluate whether it is normal activity or not. Network activity should be indicated in the “Operation” field and will be called “TCP Send” and “TCP Receive”. You can also filter each of the columns by placing the cursor over any of the columns and you can create a filter to remove any particular entries you wish to filter. As you gain experience using the tool you can get a feel for what you’ll want to eliminate and what you’ll want to look for.
7. For quick access to the network events during the trace, you can click on the “Tools” menu and then go to network summary to see the network activity present during the trace as shown in Figure 7A below. Double clicking an entry will create a filter automatically for you. There are also summaries of Process Activity, File Activity, Registry Activity, Stack Summary and Cross Reference Summary which can also be useful during your triage/investigation process.
8. So far, we’ve addressed a system which has already booted. Procmon.exe is also capable of generating audit logs upon system boot which can also be very useful to examine. To enable this feature, simply go to “Options –> Enable Boot Logging” (shown in Figure 8A below) and then reboot the system.