Checking Systems for Signs of Compromise

Anyone who manages a significant number of servers or workstations will eventually face the question of whether or not there has been a compromise of one of their systems. The following guidelines will help you look for and identify suspicious activity.

If you suspect a compromise or need help examining a system, contact Information Assurance (IA) at security@umich.edu. This is especially important if the system may store or process sensitive university data.

Do not install or alter software on your system while waiting for IA to respond! Disconnect the system from any networks by unplugging the ethernet cord or turning off the WiFi.

Check the following items, particularly during times when you know that either suspicious activity has occurred or there was increased vulnerability, such as during a failure of a network firewall or security appliance.

CrowdStrike Falcon and Detection on U-M Computers

If the system in question is a UM-owned computer and has CrowdStrike Falcon endpoint protection installed, contact your unit's Falcon administrator. Your unit's Falcon admin can check for detections or incidents for the system and may also suggest a course of action and contact ITS Information Assurance (IA) for more assistance.

If you have U-M systems that do not yet have Falcon installed, contact your unit Falcon administrator or ITS IA for assistance getting it installed. Not sure who your Falcon admin is? Contact your Security Unit Liaison (SUL) to find out.

Check Running Process

A quick check of the processes running on your system can sometimes find malware as well as resource-consuming processes that are simply unneeded and hinder performance. When looking at running processes, you should:

  • Do an internet search for that process name. Many necessary processes have names that do not describe their purpose. Do not assume that if you don't recognize it it's not needed for the system to function.
  • Check where a process is running from (the location of its executable file). For example, malware that is downloaded by the user of a computer will often run from space that user can access, such as the temp  or downloads folders. Any unexpected processes running from "temp" or similar space should be checked.
  • Remember that if malicious software is running from within a user's profile, you may not see the same process running when logged in as another user account. If a problem only appears when a particular user logs in, be sure to check their profile/user space.

Check Antivirus and Malware-Detection Software

Check to make sure antivirus and other malware-detection software is installed, running, and has not had recent configuration changes (such as exempting files or folders from scans). Scan your system and look for any reported issues.

Check Network Activity

The first signs of compromise on a computer are often increased network activity, problems maintaining connectivity, or similar network performance issues. You can use TCPView from the Sysinternals Suite for Windows or the netstat command on unix/linux to look at the network connections to and from the system.

Check Logs

Examine any application or operating system logs to look for signs of unauthorized access, such as:

  • Successful logins from unknown or unexpected accounts.
  • Logging setting changes, such as logging being disabled or logs having been "cleared" unexpectedly.
  • Remote or off-campus connections (if those are not normal for your system).
  • Unexpected changes in service status (startup, shutdown).
  • Unexpected installation or removal of software.

IA provides guidance for configuring logging on U-M IT systems, including how to meet requirements for specific classifications of U-M data:

Check for Unexpected Changes

Look for the following types of unexpected changes as possible indicators that a system may have been compromised:

  • Local user accounts that have been added, especially privileged accounts such as admin accounts or accounts in the admin group for that system.
  • Services and processes that have been added or removed.
  • Active network connections to unfamiliar or unexpected networks.
  • File system changes, such as data missing or added, or new directories being created.
  • Drastic changes in available space on a drive (sudden loss of free space).
  • Local firewall rules that have changed, particularly new firewall openings.
  • Unexpected scheduled tasks (Windows) or cron jobs (unix).

Report Suspicious Activity

Report any suspicious activity that you find to: security@umich.edu. Report suspicious or unexpected successful logins, or access to data or applications immediately.