How to tell if your PC is Hacked? Process Forensics

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

in this episode of how to tell if your PC is hacked we're going to look at one of the most advanced forensic tools just like process Explorer and auto runs this is also part of the Microsoft sys internal Suite which you can download from learn.icrosoft.com it's a completely portable tool so you don't have to install anything and once you open it you are going to be greeted with this little filter window and we'll see why this is important but for now I'm just going to hit OK and right away we are bombarded by all the stuff on the screen and if you're wondering what is all this this is essentially what is happening on your system right now this is showing you every single activity every single registry query file change anything that's happening on the system it is showing you that in real time if you want to stop this flow you can just turn off auto scroll and now it's a static list but of course if you look at the bottom left the events are still being collected so if you wanted a detailed forensic log well you got it now this system we're looking at right now is an infected system and not only is it compromised by several crypto miners it is actually hijacked to the point that even if we go and try to download an antivirus from somewhere it's going to look like we're downloading an antivirus but when we open it it is going to show us a fake antivirus that has completely taken control of the system and I'm going to show you what indicates this type of behavior inside of process monitor so one of the things that I found suspicious right away as I opened it is all of these queries for MC providers if you look over here we've got svchost.exe which is supposed to be a system process but it's continuously querying MSI slash providers Amazon stands for anti-malware scan interface and an amsi provider would be an antivirus that's installed on your system and while it may be normal to have one or two queries it's hard to understand why you would need to do thousands of queries in real time to keep getting that information unless you were trying to actively detect and terminate any possible antivirus provider that was installed on the system and if you want to understand what exactly it's doing you can look at the operations over here so it says reg query key so it's sending a query to the registry then it's enumerating the key until there's no more entries and then it's closing the key the registry in Windows is kind of like a system logbook that not only keeps track of everything on your system but that also controls how things behave on the system so for example you could disable an antivirus like Windows Defender via the registry by changing a single key value so it's not difficult to understand why a malware would be interested in that now if we scroll down we've got another process called sihost.exe and this is making a lot of network connections via TCP sending and receiving data that is what is logged over here if we double click this we can actually see the path the class of the operation which is Network go through the process how it started in the command line which looks pretty suspicious honestly and of course we can keep going through this list but that might take forever so one of the key features that you want to use if you're using process monitor is Filters so if you click on the filter tab it's going to allow you to set specific filters to get the information that you want so for example once we have identified one of the suspicious processes let's say it's sihost.exe we can create a filter based on process name and then set it as SI host or you can just select it from here and then you can choose to include it now this is quite versatile so if I wanted to exclude a certain process I could just select the process and say exclude so if there's regular system activity going on that's disturbing you can exclude that if there's a window those update you can exclude that and you can really focus in on the details and the operations that are of significance so we're going to add this filter now hit apply and the moment this is done as you can see our view is completely transformed and now I can actually turn on auto scroll without getting overwhelmed too fast because now we're only looking at sihost.exe and what it's doing and it's very clear what it's doing it is the network component of the malware now another way to filter through these events is to select the kind of operation you want to see so for example if you only want to see changes within the file system you can select show file system activity and disable registry Network and everything else and now we're only seeing files that are created deleted read all of that stuff for example if you were suspecting ransomware activity you could just select this and see what files are being modified if you only want to see network activity well you just select that and now we are only seeing network connections being made so if you're trying to identify all of the different addresses your system is is connecting to which process is connecting to where this is a great view to do it similarly if you want to look at the registry you can select just that if you're looking for things like process injection you can select process and thread activity and this is going to show you what processes are created what threads are created so if there's multi-threading going on any dlls being loaded this is going to show that so for example we can see all of these dlls being loaded by this process these are of course known system dlls but if you do see a system process loading an unknown dll something that you do not recognize and you can Google these names by the way then that could be a potential hijack attempt now another cool thing you can do is you can turn the capture on and off anytime so we can turn it on it's going to start recording and once we have the data that we want we don't want to be flooded with more we can just hit the capture button again and it's just going to stop now as you use this tool more and more you're going to be able to use different filters to observe different different types of behavior and the only use case is not necessarily to detect malware you could use this to see what a certain system process is doing if something is trying to spy on you if some company is sending some data somewhere if some application is behaving in a way you don't like now just to show you what this looks like on my host system you can see we've got a ton of different things going on just in the network alone so we've got Discord connecting we've got Armory crate which is the Asus software for my motherboard that's constantly probably checking for updates or whatever we've got Nvidia container we've got Steam and again if I wanted to look at any one of these more closely I could go into the filter section and I could say hmm I want to see what this whole Asus framework is doing as usual I can go to the process name and then select the Asus framework.exe add that rule hit apply and now we're only looking at the connections being made by the Asus framework so there you have it that is process monitor it's a very powerful tool as you can see there's a lot of information there and once you become an expert with the filters you can use this to do just about anything there are no secrets anymore please like and share this video and let me know if you'd like to see more content like this if you like looking under the hood and exploring alternative systems even in the world of Finance you'll be interested in the sponsor with money markets being as they are and hyperinflation hitting most of us and Europe it is a good time to think about investment strategies in different markets you might have heard about precious metals but what about art today's sponsor Masterworks gives people iqni access to invest in artwork by Legends like Picasso Banksy Monet a market that has traditionally been quite Niche the interesting thing about Masterworks is that it allows almost anybody to invest in a share of the art so you don't need Millions to invest in historic artwork it's a brand new market and Masterworks offerings have sold out within hours and every sale to date has delivered positive returns to their investors with with over seven hundred thousand signups there's an invite process with link in description you will be able to go straight through and schedule a call with an advisor to get started now I've gone through this process myself the sign up process is pretty simple and you don't need a credit card until you decide to purchase so you can sign up via their website get to the dashboard look at their latest offerings and see if anything looks interesting to you Masterworks is quite an Innovative platform so there's a lot to explore and like I said you can sign up and do your research without even using your card so consider checking them out using link in description as with any investment there's always going to be risk so you should do your due diligence before investing personally I like to say don't invest what you can't afford to lose I've linked all of their information and disclosures in the description below so feel free to read through thank you so much for watching and thank you to Masterworks for sponsoring this video and as always stay informed stay secure

Info

Channel: The PC Security Channel

Views: 476,854

Rating: undefined out of 5

Keywords: The PC Security Channel, TPSC, cybersecurity, cyber security, computer security, internet security, antivirus, ransomware, trojan, virus, best antivirus, best internet security, learn cybersecurity, hacking, hack, security, technology, cyber insurance, cybersecurity degree, best EDR, EDR, Is your PC hacked, How to tell if your PC is hacked, Procmon, Process monitor, forensics, forensics tutorial, sysinternals, sysinternals tutorial, forensics 101, learn, microsoft, windows, procmon tutorial

Id: dykc9YC9Z6U

Channel Id: undefined

Length: 8min 57sec (537 seconds)

Published: Sat Jul 08 2023