Investigate a Compromised Windows Server

This article helps you understand and identify indications of a compromised Windows® server. It is a high-level document that you can use as a resource for tracking down a potential issue; it does not cover remediating a compromised server.

Types of Compromise

This article is concerned with two types of compromise: Application-level and System or root-level. These are quite serious and often require a robust disaster recovery plan to mitigate.

Application-level compromise

An Application-level compromise occurs when a low-privilege service or user account is compromised. Typical compromises in this group include the following issues:

  • Site defacement
  • FTP tagging
  • FTP file manipulation
  • SQL injection

This type of compromise might alter data on the server. However, the attacker never achieves administrative or root-level access on the server. In these cases, you might be able to identify and secure the vulnerability. Securing an Application-level vulnerability could involve removing write access from an anonymous web user, removing viruses from a server, or securing an application through available patches. To repair any altered files, you need to restore from backup.

Administrative, system, or root-level compromise

This type of compromise takes place when an attacker gains administrative access to the system and can include the following issues:

  • Compromised service running as a System, LocalService, or Administrative user
  • Compromised user account that has Administrative rights
  • Access through a non-administrative user to a location restricted to Administrative users (such as System directories)
  • Virus found in System or Administrative directory
  • Visibly malicious outbound network activity
  • SQL Injection (includes command execution)

Important: When an attacker gains this level of access, you cannot reliably determine which modifications were made during the course of the compromise.

Windows tools you can use to look for a compromise

  • Tasklist: Command-line tool providing details on processes and services in the system
  • Task Manager: Graphical tool providing details on processes, resource statistics, and network activity in the system
  • Resource Manager: Graphical tool similar to Task Manager but providing more details about resource use

Explore a Compromised Server

To explore a possible compromise situation, perform the following tasks, described in this section:

  • Identify the compromise
  • Review the processes
  • Review the services
  • Review the users

Identify the compromise

High, sustained, unexpected bandwidth utilization is a common symptom. Because attackers usually compromise systems in order to run a network service on them, a service listening on an unexpected port can indicate a compromised server.

  • To review network connections for TCP, run the following command:

NetStat -naop 'TCP'

  • To review network connections for UDP, run the following command:

NetStat -naop 'UDP'

  • To count the connections on a specific port, pipe the netstat output to find and replace <port> with the port number:

NetStat -nao | find /c ":<port>"

Note: Sysinternals TCPView offers a graphical alternative for this review.
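The netstat review above, as an added PowerShell example that is not part of the original article: it maps every listening TCP port to its owning process and path, flags ports outside an assumed allowlist (the $ExpectedPorts values are an assumption for this server), and counts established connections per port, which is the scripted equivalent of running the find /c command once per port. It uses Get-NetTCPConnection (Windows 8 / Server 2012 and later) and should run from an elevated prompt so that process owners and paths are visible.

```powershell
# Added example, not from the original article.
# Assumption: these are the only ports this server is expected to listen on.
$ExpectedPorts = @(80, 443, 3389, 135, 445)

# Snapshot of processes so each listener can be joined to a name and path.
$procs = Get-Process | Select-Object Id, ProcessName, Path

$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    ForEach-Object {
        $owner = $_.OwningProcess
        $p = $procs | Where-Object { $_.Id -eq $owner }
        [pscustomobject]@{
            Port       = $_.LocalPort
            Address    = $_.LocalAddress
            PID        = $owner
            Process    = $p.ProcessName
            Path       = $p.Path
            Unexpected = $_.LocalPort -notin $ExpectedPorts   # not in the allowlist
        }
    } | Sort-Object Port

"== Listening TCP ports =="
$listeners | Format-Table -AutoSize

# Established connections per local port: equivalent of
# "netstat -nao | find /c ':<port>'" for every port at once.
"== Established connections per local port =="
Get-NetTCPConnection -State Established |
    Group-Object LocalPort |
    Select-Object @{n = 'Port'; e = { $_.Name }}, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

"Unexpected listeners: " + (($listeners | Where-Object Unexpected).Port -join ', ')
```

Extend $ExpectedPorts to the server's real role before treating a flagged port as suspicious; the allowlist is what turns the raw listing into something you can act on.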

Review the processes

Identify any suspicious process. A compromised server likely has one or more malicious processes running. You can sometimes identify these because they contain typos, grammar errors, or a suspicious description.

  • To list the processes running on the system, run the following command:

Tasklist /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FI "STATUS eq running"

  • To list the processes that are defined as a service, run the following command:

Tasklist /svc

  • To list a snapshot of the currently running processes, with the same output as the Task Manager process list, run the following command:

Get-Process

  • To list processes and the user each one is running under, run the following command:

gwmi win32_process | select Name, @{l="User name";e={$_.getowner().user}}
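The process review above, as an added PowerShell example that is not part of the original article: it extends the gwmi one-liner by adding each process's executable path and Authenticode signature status, and marks for review any process that is unsigned or runs from outside a set of trusted directories (the $TrustedRoots list is an assumption; adjust it to the server's layout). Run it from an elevated prompt so that owners and paths of system processes are readable.

```powershell
# Added example, not from the original article.
# Assumption: binaries under these roots are the normal case; anything else is flagged.
$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_.Length -gt 1 }   # drop an empty entry on hosts without a 32-bit root

Get-CimInstance Win32_Process | ForEach-Object {
    # GetOwner returns Domain and User (empty for SYSTEM-owned processes).
    $ownerInfo = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    $owner = if ($ownerInfo.User) { "$($ownerInfo.Domain)\$($ownerInfo.User)" } else { '(system)' }

    $path = $_.ExecutablePath
    $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
        (Get-AuthenticodeSignature -FilePath $path).Status
    } else { 'NoPath' }

    $inTrusted = $false
    foreach ($root in $TrustedRoots) {
        if ($path -and $path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inTrusted = $true
        }
    }

    [pscustomobject]@{
        PID       = $_.ProcessId
        Name      = $_.Name
        Owner     = $owner
        Path      = $path
        Signature = $sig
        # Review = unsigned/invalid signature, or running from temp, a profile, etc.
        Review    = ("$sig" -ne 'Valid') -or (-not $inTrusted)
    }
} | Sort-Object @{ Expression = 'Review'; Descending = $true }, Name |
    Format-Table -AutoSize
```

Processes with Review = True are the ones to examine first; a valid signature from outside the trusted roots can still be legitimate (third-party agents), so treat the column as a triage order rather than a verdict.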

Review the services

Look for typos, grammar errors, or suspicious descriptions. If a service looks questionable, examine its properties and dependencies. Also, examine the executable file that the service runs. Use the Services GUI to view running services.

  • To list running Services, run the following command:

get-service | where-object {$_.Status -eq "Running"}
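The service review above, as an added PowerShell example that is not part of the original article: for each running service it shows the account the service runs as, the executable extracted from the service's command line (quoted and unquoted forms), whether that file actually exists, whether the path is unquoted while containing spaces, and the services it depends on, covering the properties and dependencies check the text describes. The Get-ServiceBinaryPath helper is written for this example.

```powershell
# Added example, not from the original article.
function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Quoted form:   "C:\Program Files\X\svc.exe" -arg   ->  C:\Program Files\X\svc.exe
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted form: C:\Program Files\X\svc.exe -arg     ->  text up to the first .exe
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    # Anything else (no .exe in the string): first whitespace-delimited token
    return ($PathName -split '\s+')[0]
}

Get-CimInstance Win32_Service -Filter "State='Running'" | ForEach-Object {
    $exe = Get-ServiceBinaryPath $_.PathName
    [pscustomobject]@{
        Name        = $_.Name
        DisplayName = $_.DisplayName
        RunsAs      = $_.StartName                     # LocalSystem, NT AUTHORITY\..., or a user
        Executable  = $exe
        # A missing binary or an unquoted path with spaces both merit a closer look.
        Exists      = [bool]$exe -and (Test-Path -LiteralPath $exe)
        Unquoted    = ($_.PathName -notmatch '^"') -and ($exe -match ' ')
        DependsOn   = ((Get-Service -Name $_.Name).ServicesDependedOn.Name) -join ', '
    }
} | Sort-Object Exists, Name | Format-Table -AutoSize
```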

Review the users

To determine quickly whether a server is compromised or badly configured, review the basic user accounts.

  • To identify unknown or unusually named user accounts by listing configured users, run the following command:

net user

  • To identify unknown users in the local Administrators group by listing configured Administrators, run the following command:

net localgroup Administrators

  • To see if a guest account is enabled and in the Administrators group, run the following command:

net user guest
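The three net commands above, combined into one added PowerShell example that is not part of the original article: it lists every local user with its state and last logon, lists the members of the local Administrators group and flags any not on an expected list (the $ExpectedAdmins values are an assumption for this server), and reports whether the Guest account is enabled and whether it sits in Administrators. It uses the LocalAccounts module (Windows 10 / Server 2016 and later).

```powershell
# Added example, not from the original article.
# Assumption: the only principals expected to hold local admin rights on this server.
$ExpectedAdmins = @('Administrator', 'CONTOSO\Server Admins')

"== Local users =="
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description |
    Sort-Object Enabled -Descending |
    Format-Table -AutoSize

"== Administrators group =="
$admins = Get-LocalGroupMember -Group 'Administrators'
$admins | ForEach-Object {
    # Members come back as COMPUTER\name or DOMAIN\name; strip the local computer
    # prefix so local accounts compare against the expected list by bare name.
    $short = $_.Name -replace "^$([regex]::Escape($env:COMPUTERNAME))\\", ''
    [pscustomobject]@{
        Member     = $_.Name
        Type       = $_.ObjectClass       # User or Group
        Source     = $_.PrincipalSource   # Local, ActiveDirectory, MicrosoftAccount
        Unexpected = $short -notin $ExpectedAdmins
    }
} | Format-Table -AutoSize

"== Guest account =="
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest) {
    $isAdmin = $admins.Name -contains "$env:COMPUTERNAME\Guest"
    "Guest enabled: $($guest.Enabled); member of Administrators: $isAdmin"
} else {
    "No local Guest account found."
}
```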

Tools Available from Microsoft Sysinternals

For more information, review the following sources:
