CompTIA CySA+ CS0-003: Application-related malicious indicators

Application-related indicators of a threat include unexpected output, unexpected outbound communication, and service interruptions. Website or application freezes are common and usually not a threat, but they can be, so they require analysis to determine whether they are genuinely malicious. The most common indicator of an application-related threat is the introduction of new accounts. Attackers create accounts with privileges to establish persistence, so it is important to monitor the account list together with its attached metadata, such as login location or source.
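One way to turn the "monitor the account list with its metadata" advice into a routine check, as an added example that is not part of these notes: snapshot the account inventory, diff it against an earlier baseline, and rate each new account by whether it sits in a privileged group and whether its last login came from outside the organisation's address space. The account names, group names, address ranges and severity scheme are all constructed assumptions for illustration.

```python
"""Added example, not part of the CySA+ notes: diff two account-inventory
snapshots and triage newly created accounts by privileged group membership
and login source. Every account, group and address below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    groups: frozenset          # group memberships at snapshot time
    last_login_source: str     # address of the most recent logon


# Constructed: groups that confer administrative rights on this host.
PRIVILEGED_GROUPS = {"Administrators", "sudo", "wheel"}
# Constructed: address ranges treated as internal to the organisation.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed earlier snapshot (the baseline).
BASELINE = [
    Account("alice", 1001, frozenset({"users"}), "10.0.5.23"),
    Account("bob", 1002, frozenset({"users", "sudo"}), "10.0.5.41"),
]
# Constructed current snapshot: two accounts appeared since the baseline.
CURRENT = BASELINE + [
    Account("svc_backup", 1003, frozenset({"users", "sudo"}), "198.51.100.7"),
    Account("carol", 1004, frozenset({"users"}), "10.0.5.60"),
]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def new_accounts(baseline, current):
    """Accounts present in `current` whose name is absent from `baseline`."""
    known = {a.name for a in baseline}
    return [a for a in current if a.name not in known]


def triage(baseline, current):
    """Rate each new account. A privileged group and an external login
    source each add a reason; three reasons is high, two medium, one low."""
    findings = []
    for acct in new_accounts(baseline, current):
        reasons = ["account not in baseline"]
        priv = sorted(acct.groups & PRIVILEGED_GROUPS)
        if priv:
            reasons.append("privileged group membership: " + ", ".join(priv))
        if not is_internal(acct.last_login_source):
            reasons.append(f"last login from external address {acct.last_login_source}")
        severity = {1: "low", 2: "medium", 3: "high"}[len(reasons)]
        findings.append({"account": acct.name, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(BASELINE, CURRENT):
        print(f"{f['severity']:<6} {f['account']:<12} {'; '.join(f['reasons'])}")
```

The point of keying on the baseline rather than on a fixed list is that a legitimately provisioned account (carol) still shows up for review but at low severity, while an account that is both privileged and logging in from outside (svc_backup) rises to the top of the queue.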

The next indicator of an application-related threat is unexpected output. It often appears as odd pop-up messages asking to make changes to or install something on your computer; an application that already runs with full privileges would not need to ask. It is important not to grant applications administrative privileges, and to review event logs for suspicious changes.

We also have unexpected outbound communication, which can be detected by a host-based sensor or an intrusion detection system. It is best to identify which port and which application is making the connection, so that the pair can be added to the approved or denied list.
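The following added example (not code from these notes) shows what that "identify the application and port" step looks like in practice: it parses a simplified netstat-style listing such as a host sensor might export, and groups every connection that is not on the approved (process, destination port, protocol) list by process so an analyst can decide which list each pair belongs on. The listing format, process names, addresses and approved list are constructed assumptions.

```python
"""Added example, not part of the CySA+ notes: parse a simplified
netstat-style listing from a host sensor and report outbound connections
that are not on the approved (process, destination port, protocol) list.
The listing format, process names, addresses and approved list are constructed."""
from collections import defaultdict
from typing import NamedTuple


class Conn(NamedTuple):
    proto: str
    local: str
    remote_ip: str
    remote_port: int
    state: str
    process: str


# Constructed approved list: which process may talk to which port/protocol.
APPROVED = {
    ("chrome.exe", 443, "tcp"),
    ("chrome.exe", 80, "tcp"),
    ("svchost.exe", 53, "udp"),
}

# Constructed sensor output. Columns: proto local remote state process.
SAMPLE_LISTING = """\
TCP 10.0.5.23:51234 203.0.113.10:443 ESTABLISHED chrome.exe
UDP 10.0.5.23:61000 10.0.0.2:53 - svchost.exe
TCP 10.0.5.23:51240 198.51.100.9:8443 ESTABLISHED notepad.exe
TCP 10.0.5.23:51241 198.51.100.9:8443 SYN_SENT notepad.exe
TCP 10.0.5.23:51250 203.0.113.10:443 TIME_WAIT chrome.exe
"""


def parse_listing(text: str):
    """Turn each non-empty line into a Conn; port is split off the remote column."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, local, remote, state, process = line.split()
        ip, port = remote.rsplit(":", 1)   # rsplit keeps any IPv6 colons intact
        conns.append(Conn(proto.lower(), local, ip, int(port), state, process))
    return conns


def unapproved(conns):
    """Group non-approved connections by process so an analyst can decide
    whether to add each (process, port) pair to the approved or denied list."""
    out = defaultdict(set)
    for c in conns:
        if (c.process, c.remote_port, c.proto) not in APPROVED:
            out[c.process].add((c.remote_ip, c.remote_port, c.proto))
    return dict(out)


if __name__ == "__main__":
    for proc, dests in unapproved(parse_listing(SAMPLE_LISTING)).items():
        for ip, port, proto in sorted(dests):
            print(f"review: {proc} -> {ip}:{port}/{proto}")
```

Keying the approved list on process and port together, rather than on the remote address alone, matters because the same destination can be perfectly normal for a browser and anomalous for a text editor; the two notepad.exe lines collapse to one finding because the decision is per pair, not per socket.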

Lastly, we have service interruption, which covers applications starting, stopping, restarting, or crashing. Most of the time antivirus will block the application, and you should see an icon indicating that some or all of the application's functionality has been blocked. If it is not blocked and the suspicious behavior keeps repeating, you may need to examine the resource manager and log files to determine whether the symptoms are malicious.
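To make the "suspicious behavior that repeats" criterion concrete, here is an added example (not from these notes) that scans service-lifecycle log lines and flags any service that is crashed or stopped a threshold number of times inside a sliding window, which is the pattern that justifies going to the resource manager and logs for a closer look. The log format, service names, timestamps, threshold and window size are constructed assumptions.

```python
"""Added example, not part of the CySA+ notes: scan service-lifecycle log
lines for a service that keeps crashing or being stopped within a short
window, the repeated-interruption pattern that warrants a closer look at
the resource manager and logs. Log format and content are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: ISO timestamp, service name, lifecycle event.
SAMPLE_LOG = """\
2024-05-01T09:00:01 svc=ReportAgent event=started
2024-05-01T09:01:12 svc=ReportAgent event=crashed
2024-05-01T09:01:30 svc=ReportAgent event=started
2024-05-01T09:03:05 svc=ReportAgent event=crashed
2024-05-01T09:03:30 svc=ReportAgent event=started
2024-05-01T09:05:40 svc=ReportAgent event=crashed
2024-05-01T09:10:00 svc=PrintSpooler event=stopped
2024-05-01T09:12:00 svc=PrintSpooler event=started
"""

# Events that count as an interruption; a plain start is the recovery, not the symptom.
INTERRUPTIONS = {"crashed", "stopped"}


def parse_events(text):
    """Return (timestamp, service, event) tuples in log order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["svc"], kv["event"]))
    return events


def find_restart_loops(events, threshold=3, window=timedelta(minutes=10)):
    """Map service -> highest number of interruption events seen inside any
    `window`; only services reaching `threshold` are returned."""
    per_service = defaultdict(list)
    for ts, svc, ev in events:
        if ev in INTERRUPTIONS:
            per_service[svc].append(ts)
    flagged = {}
    for svc, times in per_service.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            # count interruptions from this one forward that fall inside the window
            count = sum(1 for t in times[i:] if t - start <= window)
            best = max(best, count)
        if best >= threshold:
            flagged[svc] = best
    return flagged


if __name__ == "__main__":
    for svc, n in find_restart_loops(parse_events(SAMPLE_LOG)).items():
        print(f"{svc}: {n} interruptions within 10 minutes, investigate")
```

A single stop-and-start, like the PrintSpooler entries, is what routine maintenance looks like and stays below the threshold; three crashes of the same service in under five minutes is the repeating symptom the notes describe, and the count gives the analyst a number to carry into the resource-manager and log review.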