Use `malfind` to identify injected code regions - Compare `pslist` and `psscan` for hidden processes - Look for `PAGE_EXECUTE_READWRITE` memory regions not backed by files - Check for unusual DLL loads in process memory