In many incidents, the first indication that a system is compromised is an attempted or completed connection to an external host. Detection mechanisms such as firewalls or web proxies may show that one or more systems are attempting to communicate with suspect external hosts. From this starting point, it may be possible to identify malware on a system:
- Suspicious network connections: Reviewing the active network connections on a host that the firewall or proxy has associated with a suspect external address will often reveal the process that is attempting to communicate. This review is most useful while the connection is still open or the process is still running; once the connection has closed, the host-side review may show nothing and the log entry is the only lead.
- Process name: Examining the process identified from the network connection allows analysts to perform actions similar to those found within the SANS methodology. It ...
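The pivot described above, from a firewall hit on a suspect external host to the process owning the connection, is shown below as an added example; it is not code from the original text. The firewall log format, the netstat/tasklist column layout and the suspect-host list are all assumptions, and every input is a constructed sample using RFC 5737 documentation addresses.

```python
"""Triage helper: suspect external host -> internal host -> owning process.
Added example; all inputs below are constructed samples."""

import re

# Constructed firewall log lines (syslog-like layout is an assumption).
FIREWALL_LOG = """\
2024-05-01T10:01:02Z fw1 ALLOW TCP 10.0.5.21:51822 -> 203.0.113.45:443
2024-05-01T10:01:05Z fw1 ALLOW TCP 10.0.5.21:51823 -> 93.184.216.34:443
2024-05-01T10:01:09Z fw1 DENY  TCP 10.0.5.37:49911 -> 198.51.100.7:8443
2024-05-01T10:01:12Z fw1 ALLOW UDP 10.0.5.21:53001 -> 10.0.0.2:53
"""

# Constructed list of suspect external hosts (e.g. from threat intel).
SUSPECT_HOSTS = {"203.0.113.45", "198.51.100.7"}

# Constructed 'netstat -ano' output captured on host 10.0.5.21.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.5.21:51822        203.0.113.45:443       ESTABLISHED     4172
  TCP    10.0.5.21:51823        93.184.216.34:443      ESTABLISHED     2280
  UDP    10.0.5.21:53001        *:*                                    1204
"""

# Constructed 'tasklist' output from the same host.
TASKLIST_OUTPUT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    912 Services                   0     12,344 K
svchost.exe                   1204 Services                   0      9,120 K
chrome.exe                    2280 Console                    1    210,556 K
updater.exe                   4172 Console                    1      5,212 K
"""

FW_RE = re.compile(
    r"^\S+ \S+ (ALLOW|DENY)\s+(TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$"
)


def suspect_connections(log_text, suspect_hosts):
    """Return (internal_src, external_dst, dst_port, action) for every
    firewall line whose destination is on the suspect list. Denied
    attempts are kept: a blocked beacon still points at an infected host."""
    hits = []
    for line in log_text.splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue
        action, _proto, src, _sport, dst, dport = m.groups()
        if dst in suspect_hosts:
            hits.append((src, dst, int(dport), action))
    return hits


def parse_netstat(text):
    """Parse 'netstat -ano' rows; UDP rows carry no State column, so the
    PID is always taken from the last field."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if parts[0] == "TCP" else ""
        conns.append({"proto": parts[0], "local": parts[1],
                      "foreign": parts[2], "state": state,
                      "pid": int(parts[-1])})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from 'tasklist' output (header rows skipped)."""
    pids = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            pids[int(parts[1])] = parts[0]
    return pids


def processes_talking_to(suspect_hosts, netstat_text, tasklist_text):
    """Join netstat rows whose foreign address is suspect with the
    process name from tasklist; unknown PIDs (process already exited)
    are reported rather than dropped."""
    pid_to_name = parse_tasklist(tasklist_text)
    results = []
    for c in parse_netstat(netstat_text):
        host, _, _port = c["foreign"].rpartition(":")
        if host in suspect_hosts:
            results.append({"process": pid_to_name.get(c["pid"], "<unknown>"),
                            "pid": c["pid"], "remote": c["foreign"],
                            "state": c["state"]})
    return results


def triage(fw_log, suspect_hosts, netstat_text, tasklist_text):
    """Full pivot: hosts flagged by the firewall, then the owning process
    on the host whose netstat/tasklist output was collected."""
    hits = suspect_connections(fw_log, suspect_hosts)
    internal_hosts = sorted({h[0] for h in hits})
    return internal_hosts, processes_talking_to(suspect_hosts, netstat_text,
                                                tasklist_text)


if __name__ == "__main__":
    hosts, procs = triage(FIREWALL_LOG, SUSPECT_HOSTS, NETSTAT_OUTPUT,
                          TASKLIST_OUTPUT)
    print("hosts contacting suspect addresses:", hosts)
    for p in procs:
        print(f"pid {p['pid']} ({p['process']}) -> {p['remote']} {p['state']}")
```

Running this on the constructed samples names `updater.exe` (PID 4172) as the process holding the connection to 203.0.113.45, which is the process the analyst would then examine in the next step; 10.0.5.37 is also flagged from the denied attempt, but no host-side capture for it is included here.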