Investigate a compromised Windows server
This article helps you understand and identify indications of a compromised
Windows® server. This is a very high-level document, which you can use as
a resource in tracking down a potential issue rather than resolving a
compromised server.
Types of compromise
This article is concerned with two types of compromise: Application-level
and System or root-level. These are quite serious and often require a robust
disaster recovery plan to mitigate.
Application-level compromise
An Application-level compromise occurs when a low-level service or user is
compromised. Typical compromises in this group include the following issues:
- Site defacement
- FTP tagging
- FTP file manipulation
- SQL injection
This type of compromise might alter data on the server. However, they never achieve
administrative or root-level access on the server. In these cases, you might be able
to identify and secure the vulnerability. Securing Application-level vulnerability
could involve removing write access from an anonymous web user, removing viruses
from a server, or securing an application through available patches. To repair any
altered files, you need to restore from backup.
Administrative, system, or root-level compromise
This type of compromise takes place when an attacker gains administrative access to
the system and can include the following issues:
- Compromised service running as a
System
,LocalService
, orAdministrative
user - Compromised user account that has Administrative rights
- Access through a non-administrative user to a location restricted to
Administrative users (such as System directories, and so on) - Virus found in System or Administrative directory
- Visibly malicious outbound network activity
- SQL Injection (includes command execution)
Important: When an attacker gains this level of access, you cannot determine any
modifications that occurred during the course of compromise.
Windows tools you can use to look for a compromise
- Tasklist: Command-line tool providing details on processes
and services in the system - Task Manager: Graphical tool providing details on processes,
resource statistics, and network activity in the system - Resource Manager: Graphical tool similar to Taskmanager but
providing more details about resource use
Explore a compromised server
To explore a possible compromise situation, perform the following tasks, described in this section:
- Identify the compromise
- Review the processes
- Review the services
- Review the users
Identify the compromise
High sustained unexpected bandwidth utilization is often a common symptom.
Because attackers usually compromise systems intending to run a network
service on them, there might be a service running on the system, so listening
to an odd port could indicate a compromised server.
-
To review network connections for TCP, run the following command:
NetStat -naop 'TCP'
-
To review network connections for UDP, run the following command:
NetStat** -naop 'UDP'
-
To count specific connections, run one of the following commands:
NetStat** -naop 'TCP' find /c ":<port>"
Note: The Sysinternal TCP view offers alternative graphical tools
for this review.
Review the processes
Identify any suspicious process. A compromised server likely has one or
more malicious processes running. You can sometimes identify these because
they contain typos, grammar errors, or a suspicious description.
-
To list the processes running on the system, run the following command:
Tasklist /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FI "STATUS eq running"
-
To list of processes defined as a service, run the following command:
Tasklist /svc
-
To list a snapshot of the currently running process with the same output
as the taskmanager process list, run the following command:Get-Process
-
To list processes and what user they are running under, run one of the following commands:
gwmi win32_process select Name, @{l="User name";e={$_.getowner().user}}
Review the services
Look for typos, grammar errors, or suspicious descriptions. If a service looks
questionable, examine the properties and dependencies. Also, determine if the file
is executable. Use the Services GUI to view running services.
-
To list running Services, run the following command:
get-service | where-object {$_.Status -eq "Running"}
Review the users
To know if a server is compromised and identify bad configuration quickly, review
basic user accounts.
-
To identify unknown or unusually named user accounts by listing
configured users, run the following command:net user
-
To identify unknown users in the local Administrators group by listing
configured Administrators, run the following command:net localgroup Administrators
-
To see if a guest account is enabled and in the Administrators group, run
the following command:net user guest
Tools available from Microsoft Sysinternals
For more information, review the following sources:
Use the Feedback tab to make any comments or ask questions. You can also start a conversation with us.
Updated 10 months ago