How to know if your PC is hacked? Suspicious Network Activity 101

Captions
So how can you tell if your PC is hacked? It's one of the most common questions everybody has. In this video we're going to look at your network activity and figure out if there's anything suspicious going on in your computer, if you're connected to any threat actors and so on. In the previous video in the series, which is our beginner's guide to cyber security, we looked at different ways malware can persist on your system with scheduled tasks, autoruns and Windows services. As usual, we're going to have a live Discord workshop where we're going to look at your system right after this video premieres, so make sure you go to discord.tpsc.tech or follow the link in the description for that.

Now, to kick things off and make this a really interesting video, we have a wonderful volunteer on the desktop. It's called intel.xmrig. The second part of the extension might give you an idea about what it does, but we're going to go ahead and run this file. Now, some of you may think that any time there is a malicious actor active on your computer, if you're hacked, you're going to have a malware process, or you're going to have some sort of malware running that you can scan, that you can see in your process list, or you can upload to VirusTotal and check the detections of, or something an antivirus scanner is going to pick up. But as we'll see here, that is not necessarily the case. So after running this sample I'm just going to open up Process Explorer, and as you can see we do not have anything malicious running on the system. It looks nice and clean and good to go. But as we dive deep, you will see that we have a crypto miner embedded within the system that is going to be taking up CPU resources and profiting the attacker.

Another thing to note before we get started is that all the tools I'll be using in this video are basically part of the Sysinternals suite, so there's no paid tools; these are all free and you can download them directly from Microsoft. You can of course dive deeper with Wireshark, but we don't really need to do that, because what we're trying to establish is a connection to a certain malicious IP, and what we want to capture is the malware actor's IP address, because that is going to allow us to not only shut down the malware activity on our system but also report them to authorities to get them shut down. In general, you don't necessarily need to actually look at the communications or the packets that are being sent back and forth; what you really need to know is if there is a suspicious connection being made.

And as we're talking, you can notice svchost.exe all of a sudden starts to take up 50% of the CPU. Look at the RAM it's taking up as well. And it says it's a host process for Windows system, and it's correct. So what's happening here? Hard to tell unless we look at the network activity. I'm also going to open Task Manager just to show you what a typical user would see. So there's no malicious process here; we just have the system taking up 50% of CPU. If you're an average user you might think that this is just an update, especially now that updates do actually persistently cause annoyances such as this, but as we'll discover when we check the IP address, this is not an update. This is a crypto miner, mining Ethereum likely, on our system.

So how are we going to do that? Well, first step, we're just going to right-click on this and click on Properties, and within these sections it's typically going to start at Image. You need to go to TCP/IP, and this is going to show us the different network connections established by this particular process. As you can see, we have a remote server here; we have two of them, in fact, and these are likely nodes that the threat actor is using to run their malware operation. Sometimes these can be self-hosted by the threat actor; sometimes they may be a third party, like they may be a Google server, an AWS server even. But if that's the case, what you can do is you can collect this IP and write down a complaint saying that this particular IP address is being used for malicious purposes, and the vendor who's providing services to the threat actors should be able to shut them down, because that would be against their terms of service. Make sure you have Resolve Addresses checked over here, because that's going to show you more details.

If we go back to the original window, just exit out of this, you can also see the command that was used when starting svchost.exe, and you can see this huge string of random characters here; that is likely some kind of a key. And you can also see OpenCL, cpu max threads; that's likely instructions for the miner. Now, we can of course go ahead and kill the process tree, but in order to make sure that the miner goes away, what we would have to do is look for any persistence mechanisms that it may have on the system, which is something we discussed in the last video, so if you haven't seen that, make sure you go and watch that one.

To get a better view of this, though, and also to get a summary of all the connections your computer is currently making, you can go to TCPView, which is also part of Sysinternals, and this is going to show us all of our different processes and the remote addresses they are connecting to. Now, you can see some of these are legitimate Windows services. Once again, make sure you have Resolve Addresses checked over here. But this one is definitely suspicious, as is this one, because they are not standard IP addresses that I would normally see on a system. But of course, if you're a new user, you may not know that. So how can you determine which of these are legitimate connections being made and which of these are suspicious? Well, for starters, you can check if any network activity is supposed to be happening on your computer. So if you have, for example, Steam, Discord and all of that running, you can try shutting down those applications. That's gonna reduce some of the noise here, and that way you're gonna be able to isolate if there's anything happening beyond what you expect. Once you've done that, what you can do is you can obviously copy the particular IP address and then look it up and see if it is associated with a legitimate service, or you can just right-click over here and click on Whois, and this is going to get the details for the domain name and who it's registered to. You can also get a complaint form here and report the threat actors.

Of course, once you have isolated the original sample, you can analyze it on a web platform like Intezer or VirusTotal. A big thank you to our sponsor Intezer for setting up an enterprise account so we can do our threat investigations. So as you can see, this particular threat is an XMRig miner; it's got a 44% correlation with that. We check the VirusTotal report; we've got 53 detections. But once again, a reminder that this is not the first thing you might see when you look at a compromised system, so you may have a system with only legitimate-looking processes that is totally malicious. And by the way, these crypto miners are very clever, so what they might do is, when you open up something like Task Manager, they just drop all of their resource usage so you don't see anything strange, but when you go away, in the background the miner is going to start ramping up and taking up all of those CPU resources. Now, if we look at the dynamic execution in the sandbox here, you can see that in memory it has the same behavior that we noticed in the virtual machine, so it launches svchost.exe, which looks legitimate but is what carries out its mining operations. We take a look at TTPs: we've got process injection here, use of process hollowing. This is a technique where attackers basically replace a legitimate system process and use it for their malicious activities. We've also got a crypto mining command, which is what we also saw on the system when we were looking at Process Explorer; it's basically the same string and instruction set. And we've also got this IP; this one leads to the Netherlands, by the way. If you would like to conduct a similar threat investigation, you can set up a community account on analyze.intezer.com and start using it for free using the link in the description.

Now, back on our system, we can go ahead and terminate the process tree that is associated with the crypto miners. I don't want to keep making them more money. But hopefully that demonstrates how malicious network activity can be spotted on your system. So once again, going through the steps: you want to open up something like TCPView, look at the remote addresses your system is connecting to, and then try to resolve them and see if any of them don't add up or are not associated with any services that you use. And once you do that, you can isolate the process and take action against them, and make sure to report the IPs as well.

In the future we're going to focus on more in-depth analysis of different aspects of malware, so don't forget to subscribe to The PC Security Channel if you'd like to learn more about cyber security. Now, we're going to be doing a live analysis of whatever is happening on your system in our Discord workshop, so click the link in the description, go to discord.tpsc.tech to join our event, and I'll be there to help you practice some of the concepts discussed in this video and walk you through the process of conducting a threat investigation. So if you have any questions, that'll be a great place for you to ask, 'cause I will be there live with our awesome community. So don't miss out on the event; it's a great chance to meet some amazing people. So I will see you there at discord.tpsc.tech. I hope you found this video helpful. Please like and share it if you'd like to see more such content in the future. This is Leo. Thank you so much for watching, and as always, stay informed, stay secure.
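The TCPView procedure described in the captions (list the remote addresses your machine is talking to, resolve them, tie each one back to its owning process, and look at that process's command line) as an added PowerShell example. This is not code from the video, from The PC Security Channel, or from Sysinternals; it uses the built-in Get-NetTCPConnection cmdlet and the Win32_Process CIM class and assumes an elevated PowerShell session on Windows 8 / Server 2012 or later. The function names, the private-address filter, and the two flagging heuristics (svchost.exe started without a "-k <ServiceGroup>" argument, and miner-style command-line arguments) are my own assumptions and are not something the video states.

```powershell
# Added example, not from the video: snapshot established TCP connections, join each to
# its owning process and command line, drop local/private peers, reverse-resolve the rest
# (like TCPView's "Resolve Addresses"), and flag a few things worth a second look.
# Assumes Windows 8 / Server 2012 or later and an elevated session (command lines of
# other users' processes are only visible with administrator rights).

function Test-LocalAddress {
    param([string]$Ip)
    # Loopback, RFC 1918, link-local, IPv6 ULA and unspecified addresses are local noise,
    # not remote peers, so they are dropped from the report.
    return ($Ip -in @('0.0.0.0', '::', '::1') -or
            $Ip -match '^(127\.|10\.|169\.254\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' -or
            $Ip -match '^(fe80:|fc|fd)')
}

function Get-OutboundConnectionReport {
    param([switch]$NoDns)   # skip reverse lookups if they are slow on your network

    # Command lines come from CIM; Get-Process does not expose them.
    $procs = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    Get-NetTCPConnection -State Established |
        Where-Object { -not (Test-LocalAddress $_.RemoteAddress) } |
        ForEach-Object {
            $p    = $procs[[int]$_.OwningProcess]
            $name = if ($p) { $p.Name } else { '<unknown>' }
            $cmd  = if ($p -and $p.CommandLine) { $p.CommandLine } else { '' }

            # Reverse DNS, the equivalent of TCPView's "Resolve Addresses"; failures stay blank.
            $hostname = ''
            if (-not $NoDns) {
                try { $hostname = [System.Net.Dns]::GetHostEntry($_.RemoteAddress).HostName } catch { }
            }

            # Heuristics (my own assumptions, not from the video): a genuine svchost.exe is
            # started by services.exe with "-k <ServiceGroup>", so an instance without it,
            # or one whose command line carries mining-pool or thread-tuning arguments,
            # deserves a closer look in Process Explorer.
            $flags = @()
            if ($name -ieq 'svchost.exe' -and $cmd -notmatch '\s-k\s+\S+') {
                $flags += 'svchost.exe without -k service group'
            }
            if ($cmd -match 'stratum\+tcp|cpu-max-threads|donate-level') {
                $flags += 'miner-style command line'
            }

            [pscustomobject]@{
                Process       = $name
                ProcessId     = $_.OwningProcess
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                HostName      = $hostname
                Flags         = ($flags -join '; ')
                CommandLine   = $cmd
            }
        }
}

# Close noisy applications (Steam, Discord, browsers) first, as the video suggests,
# so that whatever remains is easier to account for; flagged rows sort to the top.
Get-OutboundConnectionReport | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Take the snapshot with Task Manager closed, since the captions note that some miners throttle themselves while it is open; an unflagged public address is not automatically clean, it just has to be checked against the services you know you are running, and any remote address you cannot account for goes through the same Whois lookup and abuse report the video walks through.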
Info
Channel: The PC Security Channel
Views: 412,174
Keywords: The PC Security Channel, TPSC, cybersecurity, cyber security, computer security, internet security, antivirus, anti malware, ransomware, trojan, virus, PUP, best antivirus, best internet security, learn cybersecurity, hacking, hack, security, technology, cyber insurance, cybersecurity degree, best EDR, EDR, is your pc hacked, suspicious network activity, sysinternals, how to tell if your computer is hacked, malware analysis
Id: aJ37b2-OhH8
Length: 10min 19sec (619 seconds)
Published: Wed Aug 03 2022