Hacked Machine: When to Know

TL;DR

An unpatched machine isn’t automatically hacked just because it’s vulnerable. You need evidence of compromise: unexpected network activity, malware, accounts or privileges you didn’t grant, or data leaving the machine. Focus on detecting those signs rather than simply checking patch levels.

Identifying a Compromised Unpatched Machine

It’s common to have unpatched machines in any environment. However, determining if one is actually hacked requires looking for specific indicators. Patching reduces risk, but doesn’t guarantee security. Here’s how to tell if an unpatched machine has been compromised:

1. Define ‘Unpatched’

  1. Inventory: First, know what you have. Keep a complete, current list of every machine on the network (servers, desktops, laptops and virtual machines); a host you don’t know about can’t be patched or checked.
  2. Patch Status: Regularly scan for missing patches with a vulnerability scanner such as Nessus or OpenVAS, or use the update-compliance reporting in Windows Server Update Services (WSUS) or Microsoft Endpoint Manager (Configuration Manager/Intune).
  3. Critical vs. Non-Critical: Severity scores and actual exploitation are different things. Prioritise vulnerabilities with known exploits actively used ‘in the wild’ (a feed such as the CISA Known Exploited Vulnerabilities catalogue is a practical source) over those that merely score high. A machine missing a patch for a rarely exploited bug is less of an immediate concern than one missing a patch for a widely abused vulnerability like Log4Shell (CVE-2021-44228).

2. Monitor Network Activity

Look for unusual behaviour that suggests someone else is using the machine:

  1. Unexpected Outbound Connections: Machines should generally only connect to known, legitimate servers. Use a firewall or intrusion detection system (IDS) to flag connections to unfamiliar IP addresses or domains. On the host itself, list established connections together with the owning process (root is needed to see process names for other users’ sockets):
    # Example on Linux: established connections with process names.
    # Note: -l lists only LISTENing sockets, so it must be left out when
    # looking for ESTABLISHED ones.
    sudo netstat -tunp | grep ESTABLISHED
    # Modern equivalent using ss
    sudo ss -tunp state established
  2. High Network Traffic: A sudden spike in network activity, especially at odd hours, could indicate data exfiltration.
  3. DNS Requests: Monitor DNS requests for suspicious domains (e.g., those associated with malware or command-and-control servers).
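The allowlist check described above, as an added example that is not part of the original post: a Python script that parses the output of `ss -tunp`, compares every peer address against a list of networks the machine is expected to talk to, and separately flags sockets held by shells or relay tools such as `nc`. The `ss` output, the 10.0.0.0/8 and 203.0.113.9/32 allowlist and the process names are constructed for the example; build your own allowlist from the machine’s documented dependencies, not from whatever it is currently connected to.

```python
import ipaddress
import re

# Constructed sample of `ss -tunp` output (not captured from a real host).
# The peer on port 4444 owned by "sh" is the classic reverse-shell pattern.
SS_SAMPLE = """\
Netid State Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
tcp   ESTAB 0      0      10.0.0.5:44012       10.0.0.20:5432       users:(("psql",pid=1203,fd=3))
tcp   ESTAB 0      0      10.0.0.5:51844       198.51.100.77:4444   users:(("sh",pid=4102,fd=3))
tcp   ESTAB 0      0      10.0.0.5:38222       203.0.113.9:443      users:(("curl",pid=4110,fd=5))
tcp   ESTAB 0      0      [2001:db8::5]:40100  [2001:db8:1::10]:443 users:(("python3",pid=4200,fd=7))
udp   ESTAB 0      0      10.0.0.5:40001       10.0.0.53:53         users:(("systemd-resolve",pid=512,fd=12))
"""

# Assumed allowlist: the internal range plus one known external endpoint.
ALLOWED_PEERS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.9/32")]
# Processes that have no business holding an outbound socket on a server.
SHELL_PROCS = {"sh", "bash", "dash", "zsh", "nc", "ncat", "socat"}
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def split_addr(addr):
    """'198.51.100.77:4444' or '[2001:db8::1]:443' -> (ip_address, port)."""
    host, port = addr.rsplit(":", 1)
    return ipaddress.ip_address(host.strip("[]")), int(port)


def parse_ss(text):
    """Parse `ss -tunp` lines into dicts; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] in ("Netid", "State"):
            continue
        netid, state, _recvq, _sendq, local, peer = parts[:6]
        peer_ip, peer_port = split_addr(peer)
        m = PROC_RE.search(line)
        conns.append({
            "proto": netid,
            "state": state,
            "local": local,
            "peer_ip": peer_ip,
            "peer_port": peer_port,
            "process": m.group(1) if m else None,  # None when ss ran without root
            "pid": int(m.group(2)) if m else None,
        })
    return conns


def flag_connections(conns, allowed=ALLOWED_PEERS):
    """Return (connection, reasons) for every connection worth a closer look."""
    findings = []
    for c in conns:
        reasons = []
        # ip_address in ip_network is False across IP versions, so an IPv6 peer
        # is correctly treated as outside an IPv4-only allowlist.
        if not any(c["peer_ip"] in net for net in allowed):
            reasons.append("peer not in allowlist")
        if c["process"] in SHELL_PROCS:
            reasons.append(f"shell/relay process {c['process']} holds a network socket")
        if reasons:
            findings.append((c, reasons))
    return findings


if __name__ == "__main__":
    for conn, reasons in flag_connections(parse_ss(SS_SAMPLE)):
        print(f"pid={conn['pid']} {conn['process']} -> {conn['peer_ip']}:{conn['peer_port']}: "
              + "; ".join(reasons))
```

Run it against live output with `sudo ss -tunp state established | python3 check_conns.py` after swapping the sample for `sys.stdin.read()`. A peer outside the allowlist is a lead, not a verdict; a shell or `nc` holding a socket to an external host is much closer to one.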

3. Check System Logs

System logs record events on the machine. Analyse them for signs of intrusion:

  1. Failed Login Attempts: Repeated failed login attempts, especially from unusual locations, are a red flag. Note that last only lists successful logins (from wtmp); failed attempts are recorded in btmp and in the authentication log.
    # Example on Linux: failed logins from btmp, then from the SSH daemon's log
    sudo lastb -a | head -n 20
    sudo grep 'Failed password' /var/log/auth.log   # /var/log/secure on RHEL-family systems
  2. New User Accounts: Unexpected new user accounts should be investigated immediately.
  3. Privilege Escalation: Look for attempts to gain higher-level access (e.g., from a standard user to administrator).
  4. Unusual Process Activity: Processes you don’t recognise or that shouldn’t be present: odd names, binaries executed from /tmp or /dev/shm, or a shell whose parent is a web server or database process. Grepping for a name you already suspect only finds what you expect; list everything with its parent and start time and review it.
    # Example on Linux: every process with parent, owner and start time, newest last
    ps -eo pid,ppid,user,lstart,cmd --sort=start_time
    # Processes whose executable has been deleted from disk (a common malware trait)
    sudo ls -l /proc/*/exe 2>/dev/null | grep '(deleted)'
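The log checks in steps 1 to 3 above, as one added example that is not part of the original post: a Python script that reads auth.log-style lines and reports password-guessing by source address, a successful login from an address that had just been failing, new accounts created with useradd, and sudo-to-root activity by users who are not on an assumed list of administrators. The log lines, the host name, the addresses and the `alice`/`deploy` accounts are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (not real data). It shows a
# brute-force against SSH that eventually succeeds, followed by the attacker
# creating an account and opening a root shell.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 02:14:03 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51023 ssh2
Mar  3 02:14:05 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Mar  3 02:14:07 web01 sshd[2215]: Failed password for invalid user oracle from 203.0.113.45 port 51035 ssh2
Mar  3 02:14:09 web01 sshd[2217]: Failed password for deploy from 203.0.113.45 port 51040 ssh2
Mar  3 02:14:11 web01 sshd[2217]: Accepted password for deploy from 203.0.113.45 port 51040 ssh2
Mar  3 02:15:30 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/useradd -m -G sudo svc_backup
Mar  3 02:15:30 web01 useradd[2290]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/bash
Mar  3 02:16:02 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Mar  3 09:00:12 web01 sshd[3101]: Accepted publickey for alice from 10.0.0.12 port 60111 ssh2
Mar  3 09:05:44 web01 sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/sh", "/usr/bin/bash"}


def analyse_auth_log(text, fail_threshold=3, known_admins=frozenset({"alice"})):
    """Return a dict of findings from auth.log-style text.

    known_admins is an assumption for the example: the accounts that are
    expected to use sudo on this host.
    """
    failures = Counter()  # source IP -> failed SSH password attempts
    findings = {
        "brute_force": [],              # (ip, count) at or above fail_threshold
        "success_after_failures": [],   # (user, ip): login from an IP that was guessing
        "new_users": [],                # accounts created by useradd
        "unexpected_sudo": [],          # (user, command): sudo to root by a non-admin
        "root_shells": [],              # (user, command): interactive root shell via sudo
    }
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            if failures[ip] > 0:  # Counter returns 0 for unseen keys
                findings["success_after_failures"].append((user, ip))
            continue
        m = USERADD_RE.search(line)
        if m:
            findings["new_users"].append(m.group(1))
            continue
        m = SUDO_RE.search(line)
        if m:
            user, target, command = m.groups()
            if target == "root" and user not in known_admins:
                findings["unexpected_sudo"].append((user, command))
            if target == "root" and command.split()[0] in SHELLS:
                findings["root_shells"].append((user, command))
    findings["brute_force"] = [(ip, n) for ip, n in failures.items() if n >= fail_threshold]
    return findings


if __name__ == "__main__":
    for kind, items in analyse_auth_log(SAMPLE_AUTH_LOG).items():
        for item in items:
            print(f"{kind}: {item}")
```

Point it at the real file with `sudo python3 auth_check.py < /var/log/auth.log` after replacing the sample with `sys.stdin.read()`. The combination matters more than any single hit: a burst of failures followed by an accepted login from the same address, then a new account and a root shell, is the sequence to escalate on.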

4. Scan for Malware

Run a full system scan with up-to-date anti-malware software:

  1. Regular Scans: Schedule regular scans, even on patched machines.
  2. Multiple Engines: Consider using multiple anti-malware engines for better detection rates.
  3. Rootkits: Use a rootkit scanner to detect hidden malware. A kernel-level rootkit can lie to every tool running on the live system, so treat a clean result as weak evidence and, when compromise is seriously suspected, scan from a boot disk or a forensic image instead.
    # Example using rkhunter (Linux): refresh its data files, then run non-interactively
    sudo rkhunter --update
    sudo rkhunter --checkall --skip-keypress

5. Data Integrity Checks

If you suspect data has been compromised:

  1. File Hashes: Compare the hashes of critical system files to known good values, either the package manager’s own records (rpm -Va or debsums -c) or a baseline you recorded earlier and stored off the machine. Changes indicate tampering, provided the baseline itself was never writable by the attacker.
  2. Data Loss Prevention (DLP): Implement DLP tools to monitor and prevent sensitive data from leaving the machine.
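The baseline-and-compare check from the File Hashes step, as an added example that is not part of the original post: a Python script that records the SHA-256 and permission bits of every file under a directory, then diffs a later manifest against it to report added, removed, modified and re-permissioned files. The demo builds a small fake system tree in a temporary directory and then tampers with it; the file names and contents are constructed for the example, and the JSON baseline stands in for one you would keep on read-only or off-host storage.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> {sha256, mode} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # symlinks are compared by their target elsewhere
                continue
            st = os.stat(full)
            manifest[os.path.relpath(full, root)] = {
                "sha256": sha256_file(full),
                "mode": oct(st.st_mode & 0o7777),  # includes setuid/setgid/sticky bits
            }
    return manifest


def compare_manifests(baseline, current):
    """Diff two manifests; every list is sorted by path for stable output."""
    changes = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            changes["added"].append(rel)
        elif rel not in current:
            changes["removed"].append(rel)
        else:
            if baseline[rel]["sha256"] != current[rel]["sha256"]:
                changes["modified"].append(rel)
            if baseline[rel]["mode"] != current[rel]["mode"]:
                changes["mode_changed"].append(rel)
    return changes


def demo():
    """Constructed scenario: take a baseline, simulate tampering, compare."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        with open(os.path.join(bin_dir, "ls"), "wb") as f:
            f.write(b'#!/bin/sh\nexec /usr/bin/ls "$@"\n')
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/bash\n")

        # In practice this JSON goes to read-only or off-host storage.
        baseline_json = json.dumps(build_manifest(root), sort_keys=True)

        # Simulated tampering: trojaned binary with setuid bit, UID-0 account
        # appended to passwd, and a dropped shared object.
        with open(os.path.join(bin_dir, "ls"), "ab") as f:
            f.write(b"# backdoor\n")
        os.chmod(os.path.join(bin_dir, "ls"), 0o4755)
        with open(os.path.join(root, "passwd"), "ab") as f:
            f.write(b"svc:x:0:0::/tmp:/bin/bash\n")
        with open(os.path.join(root, "dropper.so"), "wb") as f:
            f.write(b"\x7fELF")

        return compare_manifests(json.loads(baseline_json), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For real use, run `build_manifest` over directories such as /bin, /sbin, /usr/bin, /lib and /etc shortly after installation, keep the JSON somewhere the host cannot write to, and diff against a fresh manifest when investigating. A modified file plus a new setuid bit on the same path is exactly the pattern a trojaned binary leaves.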

6. Behavioural Analysis

Endpoint Detection and Response (EDR) solutions can provide advanced behavioural analysis:

  1. Detect Anomalous Activity: EDR tools learn normal behaviour and flag deviations that could indicate a cyber security incident.
  2. Automated Response: Some EDR solutions can automatically isolate compromised machines to prevent further damage.

When to Declare a Machine ‘Hacked’

You should consider a machine hacked when you have concrete evidence of compromise, such as:

  • Malware detected on the system.
  • Evidence of data exfiltration (e.g., large amounts of data transferred to an unknown location).
  • Unauthorised access to sensitive information.
  • Compromised credentials found, for example in a breach dump, or used from a location or at a time their owner could not have been active.

Important: Don’t rely solely on patch status. Focus on detecting actual malicious activity.
