How to know if your PC is hacked? Suspicious Network Activity 101

Mar 29, 2024
So how can you tell if your PC is hacked? It is one of the most common questions that everyone has. In this video, we'll analyze your network activity and find out if there's anything suspicious on your computer: if you're online, any threat actor, etc. In the previous video of the series, which is our beginner's guide to cybersecurity, we discussed different ways malware can persist on your system with scheduled tasks, autorun and Windows services. As usual, we are going to have a live Discord workshop where we'll look at your system right after this video premieres, so make sure you go to discord.tpsc.tech or follow the link in the description now to get started and make this a really interesting video.
A wonderful file on the desktop is called Intel.XMRig. The second part of the extension may give you an idea of what it does, but let's go ahead and run this file now. Some of you may think that at any time there is a malicious actor active on your computer, if it gets hacked you will have a malware process or you will have some kind of malware running that you can scan and see in your process list, or you can upload to VirusTotal and check the detections, or something that an antivirus scanner will detect. But as we'll see here, that's not necessarily the case. So after running this sample, I'll just open Process Explorer and, as you can see, it doesn't have anything malicious running on the system; it looks nice, clean and ready. But as we dig deeper you will see that we have a crypto miner built inside the system that will consume CPU resources and profit the attacker. Another thing to keep in mind before we start is that all the tools that I will use in this video are basically part of the Sysinternals package, so there are no paid tools; they are all free and you can download them directly from Microsoft.

Of course you can dive deeper with Wireshark, but we don't really need to do that, because what we are trying to establish is whether there is a connection to a certain malicious IP, and what we want to capture is the IP address of the malware actors, because that will allow us to not only shut down the malware activity in our system but also inform the authorities to shut them down. In general, you don't necessarily need to look at the communications or packets being sent back and forth; what you really need to know is if a suspicious connection is being made. As we speak you can notice that svchost.exe suddenly starts taking up 50% of the CPU; look at the RAM it is taking up as well. It says that it is a host process for Windows system and that is correct, which is why it is hard to know what's going on here unless we look at network activity.
I will also open up Task Manager just to show you what a typical user would see. So there is no malicious process here; we just have the System taking up to 50% CPU. If you are an average user you might think this is just an update, especially now that updates actually cause annoyances like this persistently, but as we'll find out when we check the IP address, this is not an update. There is likely a crypto miner mining Ethereum in our system. So how are we going to do that? First step: we're just going to right click on this and click on Properties, and within these tabs it will generally start on Image; you need to go to TCP/IP, and this will show us the different network connections established by this particular process. As you can see we have one remote server here, in fact we have two, and these are probably nodes that the threat actor is using to execute their malware operation. Sometimes the threat actor can host them themselves, sometimes they can be a third party like a Google server or even an AWS server, but if that is the case what you can do is collect this IP and write a complaint saying that this particular IP address is being used for malicious purposes, and the provider providing services to the threat actors should be able to shut them down because that would be against their terms of service.
Make sure you have Resolve Addresses checked here because that's going to show you more details. If we go back to the original window, just exit this, you can also see the command that was used when starting svchost.exe, and you can see this huge string of random characters here which is probably some kind of key, and you can also see the opencl cpu max threads which are probably instructions for the miner. Now, of course, we can go ahead and kill the process tree, but to make sure the miner goes away, what we would need to do is look for any persistence mechanisms that it may have on the system, which is something we discussed in the last video, so if you haven't seen it, make sure to watch it to get a better view of this. Also, to get a summary of all the connections that your computer is currently making, you can go to TCPView, which is also part of Sysinternals, and this will show us all of our different processes and the remote addresses they are connecting to.
Now you can see that some of these are legitimate Windows services. Again, make sure you have Resolve Addresses checked here, but this one is definitely suspect, just like this one, because they are not standard IP addresses that you would normally see on a system. But of course if you are a new user you might not know that, so how can you determine which of these are legitimate connections being made and which are suspicious? To start, you can check if there is supposed to be any network activity happening on your computer. For example, if you have Steam, Discord and all of that running, you can try to close those applications, which will reduce some of the noise here, and that way you will be able to isolate if something happens beyond what you expect. Once you've done it, what you can do is, obviously, copy the particular IP address and then search for it and see if it is associated with a legitimate service, or you can just right click here and click on Whois and this will get the details of the domain name and who it is registered to for you.
You can also get a complaint form here and report the threat actors. Of course, once you have isolated the original sample you can analyze it on a web platform like Intezer or VirusTotal. Many thanks to our sponsor Intezer for setting up an enterprise account so we can do our threat investigations. As you can see this particular threat is an XMRig miner; it has a correlation of 44 with that. We verified the VirusTotal report; we have 53 detections. But again, a reminder that this is not the first thing you may see when you look at a compromised system, so you may have a system with only legitimate-looking processes that is totally malicious. And, by the way, these crypto miners are very smart, so what they could do is that when you open something like Task Manager, it just drops all of its resource usage so you don't see anything strange, but when it disappears into the background, the miner will start to ramp up and consume all those CPU resources. Now let's look at the dynamic execution in the sandbox here.
You can see that in memory it has the same behavior that we noticed in the virtual machine, so it launches svchost.exe, which looks legitimate but is the one that carries out its mining operations. If we take a look at TTPs, here we have process injection, process dumping; this is a technique where attackers basically replace a legitimate system process and use it for their malicious activities. We also have a crypto mining command, which is what we also saw in the system when we looked at Process Explorer; it's basically the same chain and set of instructions. And we also have this IP which, by the way, leads to the Netherlands.
If you want to do similar threat research you can set up a community account at analyze.intezer.com and start using it for free using the link in the description. Now in our system we can go ahead and kill the process tree associated with the crypto miner; I don't want to keep making them more money, but I hope this demonstrates how malicious network activity can be detected on your system. So once again, follow the steps: you want to open something like TCPView, look at the remote addresses that your system is connecting to, then try to resolve them and see if any of them don't add up or are not associated with any service you use, and once you do that you can isolate the process, take action against them and make sure you report the IPs as well.
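The same triage the video does by hand in TCPView and Process Explorer (list established remote connections, resolve them, tie each one back to its process and command line) can be scripted so it is repeatable on a machine you are checking. The PowerShell below is an added example, not code from the video or from The PC Security Channel. It assumes a Windows host with the NetTCPIP module (Get-NetTCPConnection) and CIM access to Win32_Process, and the svchost.exe "-k" check at the end is a heuristic assumed by this example, not something the video states.

```powershell
# Added example: list established TCP connections to non-private addresses, with the
# owning process and its command line, then reverse-resolve the remote IP.
# Run from an elevated PowerShell on the machine being triaged.

function Test-IsPrivateAddress {
    param([string]$Address)
    # RFC 1918 ranges, loopback, link-local and the unspecified address are local noise
    return $Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|0\.0\.0\.0$|::1$|fe80:)'
}

function Get-SuspectConnection {
    # Build a PID -> Win32_Process map once so every connection can show name + command line
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    Get-NetTCPConnection -State Established |
        Where-Object { -not (Test-IsPrivateAddress $_.RemoteAddress) } |
        ForEach-Object {
            $p = $procs[[int]$_.OwningProcess]
            # Reverse DNS is what "Resolve Addresses" does in TCPView; many C2 hosts have no PTR
            $hostName = try { [System.Net.Dns]::GetHostEntry($_.RemoteAddress).HostName } catch { '(no PTR record)' }
            [PSCustomObject]@{
                PID         = $_.OwningProcess
                Process     = if ($p) { $p.Name } else { '(unknown)' }
                Remote      = "$($_.RemoteAddress):$($_.RemotePort)"
                Resolved    = $hostName
                # The miner in the video passed its key and thread count on the svchost.exe
                # command line, so the command line is worth showing next to the connection
                CommandLine = if ($p -and $p.CommandLine) { $p.CommandLine } else { '' }
            }
        }
}

# Usage: show everything first, then single out svchost.exe instances whose command line
# lacks the "-k <group>" form that Service Host launched by services.exe normally carries.
# (Assumed heuristic for this example: a hit deserves a look, it is not proof of malware.)
$all = Get-SuspectConnection
$all | Format-Table PID, Process, Remote, Resolved -AutoSize

$all | Where-Object { $_.Process -ieq 'svchost.exe' -and $_.CommandLine -notmatch '\s-k\s' } |
    Select-Object PID, Remote, CommandLine | Format-List
```

Close Steam, Discord and similar applications before running it, as the video suggests, so the remaining rows are easier to account for; anything that resolves to nothing you recognise is the address to look up, Whois and report.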
In the future we will focus on a deeper analysis of different aspects of malware, so don't forget to subscribe to The PC Security Channel if you want to learn more about cyber security. We will now do a live analysis of whatever is happening on your system in our Discord workshop, so click the link in the description or go to discord.tpsc.tech to join our event, and I will be there to help you practice some of the concepts discussed in this video and guide you through the process of conducting a threat investigation. So if you have any questions, it will be a great place for you to ask because I will be there live with our amazing community, so don't miss the event.
It's a great opportunity to meet awesome people, so I'll see you there at discord.tpsc.tech. I hope you found this video useful; please like and share it if you want to see more such content in the future. This is Leo. Thank you very much for watching and, as always, stay informed, stay safe.
