8. Listing Network Connections and Sockets
Most malicious programs perform some network activity: downloading additional components, receiving commands from the attacker, exfiltrating data, or opening a remote backdoor on the system. Inspecting the networking artifacts left in memory helps you determine what network operations the malware carried out on the infected system, and in many cases it is useful to tie the activity observed on the wire to the specific process that generated it. To list the active TCP connections on pre-Vista systems (such as Windows XP and Windows Server 2003), you can use the connections plugin. The following command shows an example of using the connections plugin to print the active connections from a memory dump of a system infected with BlackEnergy malware. From the output, you can see that the process with PID 756 was responsible for the C2 communication on port 443. After running the pslist plugin, you can tell that PID 756 is associated with...
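The PID-to-process correlation described above, done over the two plugins' text output, as an added Python example that is not from the book or from the Volatility project. The connections and pslist output embedded below is constructed to mimic the Volatility 2 column layout for a Windows XP/2003 image; the PIDs, addresses and process names are invented and do not correspond to the BlackEnergy dump discussed above. One connection row deliberately carries a PID with no pslist entry, the case an analyst should not silently drop.

```python
"""Join Volatility 2 'connections' rows to 'pslist' rows on PID.

Added example, not code from the book or from Volatility. The sample
output below is constructed: same column layout as the plugins print,
but every PID, address and process name is invented.
"""
import re
from typing import Dict, List

CONNECTIONS_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81e8c1b0 10.0.2.15:1037            203.0.113.7:443           1148
0x81f0a2d8 10.0.2.15:1041            203.0.113.7:443           1148
0x81d9c008 10.0.2.15:1045            198.51.100.23:80          2340
"""

PSLIST_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x819cc830 System                    4      0     53      240 ------      0
0x81e1f020 smss.exe                376      4      3       19 ------      0 2016-05-12 10:02:31 UTC+0000
0x81c8f7e8 explorer.exe           1524   1500     11      362      0      0 2016-05-12 10:03:05 UTC+0000
0x81d3e560 updater.exe            1148   1524      4       88      0      0 2016-05-12 10:04:17 UTC+0000
"""

# Data rows start with a kernel offset; the banner, header and separator
# lines do not, so they fail to match and are skipped.
_CONN_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
_PS_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\b")


def parse_connections(text: str) -> List[dict]:
    """One dict per connection row: local address, remote address, PID."""
    rows = []
    for line in text.splitlines():
        m = _CONN_ROW.match(line)
        if m:
            local, remote, pid = m.groups()
            rows.append({"local": local, "remote": remote, "pid": int(pid)})
    return rows


def parse_pslist(text: str) -> Dict[int, str]:
    """Map PID -> image name from pslist output."""
    procs = {}
    for line in text.splitlines():
        m = _PS_ROW.match(line)
        if m:
            name, pid, _ppid = m.groups()
            procs[int(pid)] = name
    return procs


def correlate(conn_text: str, pslist_text: str) -> List[dict]:
    """Attach the owning process name to every connection.

    A PID present in connections but absent from pslist is kept with
    name None rather than dropped: the process may have exited, or it
    may be unlinked from the active process list, so it deserves a look
    with psscan instead of being ignored.
    """
    procs = parse_pslist(pslist_text)
    out = []
    for c in parse_connections(conn_text):
        host, port = c["remote"].rsplit(":", 1)  # IPv4 only on XP/2003
        out.append({**c, "name": procs.get(c["pid"]),
                    "remote_host": host, "remote_port": int(port)})
    return out


def pids_on_port(rows: List[dict], port: int) -> List[int]:
    """PIDs that hold a connection to the given remote port (e.g. 443)."""
    return sorted({r["pid"] for r in rows if r["remote_port"] == port})


if __name__ == "__main__":
    for r in correlate(CONNECTIONS_OUTPUT, PSLIST_OUTPUT):
        owner = r["name"] or "<not in pslist>"
        print(f'{r["pid"]:>5} {owner:<18} {r["local"]:<22} -> {r["remote"]}')
```

The join is done on PID only, which is exactly what you do by eye when reading the two plugin outputs side by side; the value of scripting it is that a PID with no pslist entry is surfaced as a finding instead of being overlooked.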