There are several host-related indicators of potentially malicious activity. These include spikes in the utilization of host components such as memory, disk space, and CPU. Creating a normal baseline and looking for anomalies against it is the most effective approach, but you also need proactive measures such as software blacklisting/whitelisting or change prevention. You have to find out which processes are causing the sudden consumption of host resources, analyze them to determine the cause (a regular update can also produce a spike in consumption), and decide what to do afterwards.
There are various tools that will detect and display host resource usage. The netstat command shows which sockets belong to which processes, and task managers show CPU usage and running processes. Once you identify the process, you will need to analyze it and identify the cause. Depending on how severe the threat is, you may need to capture and isolate the host quickly. Collecting volatile memory, and having the capability to analyze it, is critical. Tools like FTK or memory grabber will help with capturing memory and file systems.
Certain threats can make unauthorized changes by obtaining privileges they should not have, so object access auditing and file hashing (integrity checking) should be in place. Threats can also steal data, so having data loss prevention is critical. Suspicious registry and system file changes are critical indicators of compromise because they most likely indicate persistence or a backdoor, and most antivirus products won't detect them. Analysts should know the common persistence locations and analyze the data they produce, as well as other high-value areas. Within the registry, you will want to begin by analyzing the registry run keys and scheduled tasks.
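As an added example (not from the original note), the following PowerShell script applies the baseline-and-anomaly approach from the first paragraph to the persistence locations named above: it snapshots the Run/RunOnce keys and the actions of every scheduled task, and either saves that snapshot as a baseline or reports entries that are new, changed, or removed relative to it. The baseline path, the key list, and the switch name are assumptions; it expects to run elevated on Windows PowerShell 5.1 or later.

```powershell
# Added example: snapshot autostart locations and diff them against a saved baseline.
# Assumptions: run elevated; $BaselinePath is JSON written by an earlier -SaveBaseline run.
param(
    [string]$BaselinePath = "$env:ProgramData\autostart-baseline.json",
    [switch]$SaveBaseline
)

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartSnapshot {
    $items = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            $items["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    # Scheduled tasks: record each action's executable and arguments
    foreach ($task in Get-ScheduledTask) {
        $i = 0
        foreach ($a in $task.Actions) {
            $items["Task:$($task.TaskPath)$($task.TaskName)#$i"] = "$($a.Execute) $($a.Arguments)".Trim()
            $i++
        }
    }
    return $items
}

$current = Get-AutostartSnapshot
if ($SaveBaseline) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    return "Baseline with $($current.Count) entries written to $BaselinePath"
}
if (-not (Test-Path $BaselinePath)) { throw "No baseline at $BaselinePath; run with -SaveBaseline first." }

# Rebuild the baseline hashtable from JSON, then report differences in both directions
$baseline = @{}
foreach ($p in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties) { $baseline[$p.Name] = [string]$p.Value }
foreach ($k in ($current.Keys | Sort-Object)) {
    if (-not $baseline.ContainsKey($k)) { "NEW      $k => $($current[$k])" }
    elseif ($baseline[$k] -ne $current[$k]) { "CHANGED  $k => $($current[$k]) (was: $($baseline[$k]))" }
}
foreach ($k in ($baseline.Keys | Sort-Object)) {
    if (-not $current.ContainsKey($k)) { "REMOVED  $k (was: $($baseline[$k]))" }
}
```

Take the baseline on a freshly built or known-good host, then schedule the diff run; a NEW or CHANGED line pointing at a user-writable path or an unfamiliar executable is the kind of entry the paragraph above says to examine first.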