
#482: Have you been hacked? Hacker explains how to find out!
David Bombal
Identifying and Mitigating Malware Threats
This chapter explores various methods for assessing whether a computer system has been compromised, focusing on tools for detecting malware and suspicious processes. It details practical steps for monitoring system behavior, utilizing command-line tools in different environments, and employing advanced software like Wireshark for network traffic analysis. The discussion emphasizes the importance of distinguishing legitimate processes from malicious ones and highlights the tactics used by hackers to infiltrate systems.
Transcript
Speaker 1
There's other, by the way, there's others besides Have I Been Pwned, you know, DeHashed, and there's a few others that you can, there's some tools that are available on GitHub and other places that you can use to go ahead and search the dark web for your email address and sometimes actually see the passwords that were used. A lot of the browsers nowadays and some of the other antivirus, anti-malware systems will look for your email for you on the dark web. So sometimes those are just automated. You don't have to do it yourself and they'll send you an alert to say, hey, we found your email, but you probably should check occasionally, you know, like I just did, to see whether or not your credentials have been dumped onto the dark web. All right. Unknown charges to your bank or credit card. Okay. That's probably a good indication too. Although, once again, this doesn't necessarily mean that your computer has been hacked. It can mean that simply somebody has your credentials again. But going from your credentials to actually taking over your computer is not that big of a step. So once somebody has your credentials, it becomes increasingly easy to start taking over all of your accounts. Number 10 on this list is your antivirus or anti-malware has been disabled. If that's disabled, then probably somebody's gotten into your system. This is one of those areas where you can be pretty sure that unless you disabled your antivirus, anti-malware, that you probably have somebody inside your computer. Let's be clear when I say somebody inside your computer. That simply means that they've got some malware in there that they can control your machine. Doesn't literally mean there's somebody inside your computer, right? It means that somebody has pwned, some people call it pwned or owned, your computer. That just means that they've got some malware inside there that allows them to control your computer, right?
And, you know, in some cases it's only to use your computer, like I said earlier, to mine crypto or use it in a botnet. But somebody's inside there, and so you still have to be concerned. They may not be stealing your accounts, but they're still using your resources. And then once your system is compromised, very often that system will find its way onto the dark web and other people will then do malicious things or worse things with it. So once it's compromised, it then gets communicated out on the dark web: hey, this is an IP address that is part of our botnet that we've compromised. It's vulnerable to this type of attack. You can take it over with this, this, and this. So that's a good indication that somebody's inside there, right, that your antivirus or anti-malware has been disabled. So one of the things, if we want to take the next step in being able to determine whether or not our system is actually compromised, is that we can actually use some tools that are excellent for being able to find services on your system. Services are basically just a process. It's like an application that's running in the background. And that's what the attacker is using to control your system. So you have to think about this from the attacker's side. They put malware onto the system. That is a process, right? And that process allows them to connect to your computer and control it. Well, there's two things that are indicators here for you as somebody who might be a target. There's probably a process that is running on your system that you can see. Now, there's a lot of processes running on your system. That's the hard part, yeah. That's the hard part, right, is distinguishing the good ones from the bad ones. So in Linux, you can use ps aux to see all the processes, right? You can use Task Manager in Windows. And also there's a tool, okay? This is Process Explorer in Windows. It's a Sysinternals tool.
So Sysinternals is now a division of Microsoft, but it originally was a separate entity that Microsoft purchased, and they have a lot of excellent tools in Sysinternals. So let's take a look at some of these here and see what we can do. Right, let's go and take a look. I've got a virtual machine. So in Kali, or any Linux for that matter, we can do ps aux. All right, it shows us all the processes that are running, right? So if we had some malware on our system, it's going to show up here somewhere, right? The problem is that the hard part is being able to determine the good ones from the bad ones, right? And so we've got all of these processes. Of course, you can also, you know, use grep to be able to search for any particular process name. The problem is determining which ones are malicious. So you can't really search unless you know the name of the process. Or you can search by name. You can see all of the processes that are running on this system. And there's not really a whole lot going on in the system, but lots of processes running. It'll show up in there somewhere, okay, if you know what you're looking for. There's also, you know, you can use netstat. And netstat, I've used netstat a number of times to find malware, all right? And it's really simple because remember that the attacker has to have a connection to your machine, right? They can't control your machine if they don't have a connection to it. So it's going to show up in these connections here. And so, you know, once again, it comes down to your knowing, okay, what's good and what's bad. But one of the things that you can do is, as you see each of these processes, if anything looks out of place, you simply do a little Google search on it, right, and see if it's a legitimate process. There's a lot of processes running, right?
And oftentimes you'll find, if you don't find that it's legitimate, or in many cases, you'll find a reference to it on some website that it's a malicious process. Then you can just kill the process, because we know that we can kill processes in Kali by just using the kill command, the kill -9 command, and then whatever the malicious process is. And that will at least kill it for the moment, right? That'll kill it for the moment. It'll knock it out, right, stop it. But in some cases good malware will restart when you reboot your system. But it'll stop it for right now, right? And so that's one of the things you can do. Even if the attacker has malware inside your system, if you stop the malware or you stop the connection, because notice these are all the ports right here, you can block those ports and then keep the attacker from controlling the system. They still might have malware in your system, but if they can't connect to it, it doesn't do them any good. All right. So that's kind of what we can do, and that's going to apply both for Mac, okay, from the terminal in Mac, as well as in Linux and Unix versions, because Mac is a version of Unix. Then let's go ahead and see if we can get a Windows machine up there, which is probably what most people are using who are watching this video, and let's see if we can get it started. Well, David, what I've done is I've gone ahead and put some malware on my Windows machine. This is a Windows 10 machine. It's a VM of a Windows machine. And for those of you who are interested, you can get an evaluation copy from Microsoft. So if you want to go ahead, I mean, some people write me all the time, like, where can I get a Windows 7 machine? Where can I get a Windows 10 machine? You can get these Windows Enterprise evaluations, and you can create a virtual machine. But then, of course, at 90 days, they die. But then you just go get another one and install it. So that's what I'm doing here.
This is an evaluation. This is a Windows 10 machine. And what I've done is I've put some malware. I've created some malware in Kali, and I put it on the desktop. I went and executed it as administrator. And now you can see that in Task Manager, it's right there. Now, one of the things that you're going to see in reality is it's not going to be called malware. Exactly. I did that simply to demonstrate, to show you how it works. But very often what will happen is that you look at these processes down below here, right? You see some of these Windows processes, lots of processes running on your system. So very often the malware developer will use a name like Service Host, right? Or a small variation on that Service Host, right? So that it looks like it belongs here, right? And you see some of these other processes that are running. So one of the things that you want to do, all right, is to go through this, and somewhere you're going to find a process that doesn't belong there. But of course, the important point is to know what your system looks like normally. Generally, okay, so what's happening here in the Task Manager is that you can arrange them. I just clicked on the memory to see which ones are using the most resources. This is showing me what's using the most memory and what's using the most in terms of CPU, which one's using the most, clicking on them and ordering them. And oftentimes, if your malware is particularly using up a lot of your resources, you'll see it pop up to the top. In this case, this malware is not being used. So it's somewhere down here. There it is right there. There's malware2. So it's running. It's using a couple of megs of memory.
It's not using any CPU because the hacker right now is not doing anything with it. It's sitting idle in the background on my system, right? So one of the things that you can do as an average user is go ahead and click on that and then hit End Task, right? And I've been able to do that on some very quick and dirty systems. A lot of the attacks that I see, most of them are not very sophisticated. If you're being attacked by a nation state, you're going to have some pretty sophisticated malware. But most people are not being attacked by nation states, right? And so it's going to be pretty easy: just click on this and then go ahead and End Task, and that'll kill it. All right, some of the other things that we might want to look for. Let's go open up a command shell in Windows, and we can do a netstat, and we can begin to see, okay, the connections that are on my system. This is connected here. You see, this is my Windows machine, and here is the malware connected. And so this is one of the other ways that I can tell. Like, okay, there's a connection here that I don't recognize. It shouldn't be there.
Speaker 2
Doom is a bit strange, right? It's a bit of a giveaway.
Speaker 1
Yeah, in this case it is, Doom. And then the other thing I wanted to show is Process Explorer. This is your Sysinternals right here. You can download this by just going and Googling Sysinternals at Microsoft, and there's all of these tools. Okay, look at all the tools that are in here, right? But the one I want to show you, and the one that's most useful for this exercise, is Process Explorer or Process Monitor, all right, because remember that these are processes running in the background. Extracted them, here's Process Monitor. Okay, so here's Process Monitor, and we'll look at Process Explorer as well. And what this is doing is it's showing me all the processes that are running on the system. All right, and once again we're looking for things that don't belong there. Okay. And let's see if we can find our malware on this system. These are all Explorer, the Microsoft Explorer. These are all things, you know, that the system opens and is running. Let's go ahead and see if we can do a find. All right. And let's go malware. And there it is. Okay. So it's opening it. It says it's from a Process Explorer, I mean, I'm sorry, the File Explorer. And it looks like right there. Okay. malware2.exe, to file. It shows you the file being created there. All right. That's when we put it on the system. And then let's go and see if we can find, let's go find all the, there's one of them. Here's creating, create the file map. Okay. And we should find the execution and opening of that file there somewhere. Let's go ahead and take a look at the Process Explorer, which I think demonstrates a little bit better. So let's see, let's go and open it up and go Process Explorer right here. So the Process Monitor shows us the process, each process in a timeline of when they've actually been executed. Over here, this shows us the processes and shows us the sub-processes, so the child processes that are running off it. Let's see if we can find our malware here. There it is.
There it is, right there. Okay, you can see the malware right here. All right. And so this is one that doesn't belong there. All right, and so this is one of the ways we can tell that, you know, we've got something that is probably malicious. You can see here that I just right-clicked on it and then I had Kill Process. I can go ahead and kill it now and it'll stop that process. So Process Explorer is probably my preferred method. You can use Task Manager, right, but Process Explorer is probably the best way to find the malicious processes. We're just looking today at Windows. And then lastly, let's go ahead and take a look at Wireshark. And for your viewers, most of your viewers, of course, have seen Wireshark, right? And they know how to use it. And Chris has been on many times showing how to use Wireshark. Is that his name, right, Chris?
Speaker 2
Yes.
Speaker 1
Chris, okay. So let's go ahead and let's see if we can get some traffic. Okay. So this is Wireshark, right? And what Wireshark will do for the user is simply show all of the traffic, all of the packets that are traversing your system. And the reason that this is important to you as somebody who's trying to diagnose the malware is that it's going to show the connection between your system and the hacker. So one of the things that you might want to do, you know, is go through here and just start looking, okay, for unusual connections. Now, it's not that easy to do, as I said, because sometimes, you know, unless you're familiar with this... Let's generate, let's see, we've got our malware still running. I think that I have it running on the port of the devil. Okay. 666. That's the port that the devil uses when it's hacking your system. Let's see if we can find it. Aha! You can see these here. This is the connection. Okay, this is the connection between the hacker and your system. Okay, it's going back and forth between... this is of course on a local area network. In reality, you would find a public IP address in here. You'd find your own private IP and then the public IP of whoever was controlling it. So it would give you an IP address and you could search to see who's controlling it. Now, very often, you see the traffic, we're getting more connections. It's the same connection, just packets going between. But oftentimes the hacker will use a proxy or a command and control server. So even though you might get the IP address of who's controlling your system by going to Wireshark, it's not always going to lead you to the right place.
A good attacker is going to use an intermediary system. You know, the amateur hacker, which, you know, there's a lot of amateur hackers out there, so we can't over- or underestimate them, because there's a lot of people... I've seen a lot of malware that, you know, is really amateur. You know, people will call up and say, oh, I'm Microsoft. This is a common one that maybe your viewers have seen. They'll call up and say, we're Microsoft, and we have seen some unusual activity on your system, and we need you to download this particular app, and it'll clean your system. Oh, okay, of course, I'm going to do that. And they download an app, and then that app then connects to the hacker in some foreign country, and then they take control, and then they go ahead and harvest whatever information they can get from your machine. And those types of attacks tend to be very simple, right? They tend to be very rudimentary attacks. Now, if you're talking about a nation state attacker, then you can be sure that they're not using their own IP address. They're using an intermediary IP address. And they're using malware that is going to be more difficult to detect. So, for instance, we're talking about using different names. Let's go back and look at, oftentimes they'll use Service Host like this right here.
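The manual triage the guest walks through above (list the processes, run netstat, look for a connection you don't recognize, watch for names that imitate Service Host, then kill -9 the process and block its port) can be scripted so the same checks run the same way every time. The block below is an added example for this page, not code from the episode, its guest or any tool they use. It runs offline on a constructed text sample shaped like `netstat -tunap` output on Linux; the PIDs, program names (malware2, svch0st) and addresses in that sample are made up, and the documentation-range addresses 203.0.113.25 and 198.51.100.7 stand in for public hosts. The list of "common" remote ports and the two-character lookalike threshold are assumptions to tune against what your own machine normally does. svchost.exe is the real Windows binary that Task Manager shows as "Service Host".

```python
"""Connection and process-name triage for the netstat walk-through above.
Added example, not code from the episode; runs offline on a constructed sample."""
import ipaddress
import re
from collections import namedtuple
from typing import List, Optional

# Constructed sample shaped like `netstat -tunap`; PIDs, names, addresses are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd
tcp        0      0 192.168.56.101:49822    192.168.56.1:666        ESTABLISHED 2417/malware2
tcp        0      0 192.168.56.101:44310    203.0.113.25:443        ESTABLISHED 1980/firefox
tcp        0      0 192.168.56.101:51002    198.51.100.7:4444       ESTABLISHED 3050/svch0st
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
"""

# Ports a desktop routinely talks to (assumption: tune to your own baseline).
COMMON_REMOTE_PORTS = {22, 25, 53, 80, 123, 443, 465, 587, 993, 995}
# Windows system binaries malware likes to imitate; svchost.exe shows as "Service Host".
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "explorer", "wininit"}
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"          # UDP rows have no State column
    r"(?P<pidprog>-|\d+/\S+)\s*$")

Conn = namedtuple("Conn", "proto laddr lport raddr rport state pid program")


def _port(s: str) -> Optional[int]:
    return None if s == "*" else int(s)


def parse_netstat(text: str) -> List[Conn]:
    """Parse netstat -tunap style rows; header lines and unknown rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, program = (None, "?") if m["pidprog"] == "-" else m["pidprog"].split("/", 1)
        conns.append(Conn(m["proto"], m["laddr"], _port(m["lport"]), m["raddr"],
                          _port(m["rport"]), m["state"] or "",
                          int(pid) if pid else None, program))
    return conns


def is_local(addr: str) -> bool:
    """True for RFC 1918, loopback, link-local and IPv6 ULA addresses."""
    ip = ipaddress.ip_address(addr.split("%")[0])   # drop any IPv6 scope id
    return any(ip in net for net in LOCAL_NETS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means one name is a near-copy of the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(program: str) -> Optional[str]:
    """System binary a name imitates (svch0st -> svchost); None if exact or unrelated."""
    base = program.lower().rsplit("/", 1)[-1].removesuffix(".exe")
    if base in SYSTEM_NAMES:
        return None                         # the real thing, not a lookalike
    return next((real for real in sorted(SYSTEM_NAMES) if edit_distance(base, real) <= 2), None)


def response_commands(c: Conn) -> List[str]:
    """The two moves from the transcript: stop the process, then block the path.
    kill -9 only helps for now; persistence can bring the process back after a reboot."""
    cmds = [f"kill -9 {c.pid}"] if c.pid is not None else []
    if c.state == "ESTABLISHED":
        cmds.append(f"iptables -I OUTPUT -p {c.proto} -d {c.raddr} --dport {c.rport} -j DROP")
    return cmds


def triage(conns: List[Conn]) -> List[dict]:
    """Flag lookalike names and established connections on uncommon ports."""
    findings = []
    for c in conns:
        reasons = []
        fake = lookalike_of(c.program)
        if fake:
            reasons.append(f"name imitates {fake}")
        if c.state == "ESTABLISHED" and c.rport not in COMMON_REMOTE_PORTS:
            where = "LAN" if is_local(c.raddr) else "public"
            reasons.append(f"established to {where} host on uncommon port {c.rport}")
        if reasons:
            findings.append({"pid": c.pid, "program": c.program, "remote": f"{c.raddr}:{c.rport}",
                             "reasons": reasons, "response": response_commands(c)})
    return findings


if __name__ == "__main__":
    for f in triage(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {f['pid']} {f['program']} -> {f['remote']}: {'; '.join(f['reasons'])}")
        print("    " + "\n    ".join(f["response"]))
```

On a live Linux box you would feed it `netstat -tunap` (or `ss -tunap`, whose columns differ and would need the regex adjusted) instead of the sample. Two of the guest's caveats carry over unchanged: a connection to a LAN or public address on port 443 will not be flagged by the port rule, which is exactly why attackers use a proxy or a C2 server on a normal-looking port, and the `kill -9` / `iptables` lines are printed rather than executed because cutting the connection only buys time until you find how the malware persists.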
Big thank you to Brilliant for sponsoring this video! To try Brilliant for free (for 30 days) and to get a 20% discount, visit: https://Brilliant.org/davidbombal
// OTW Discount //
Use the code BOMBAL to get a 20% discount off anything from OTW's website: https://hackers-arise.net/
// Occupy The Web Books //
Linux Basics for Hackers:
US: https://amzn.to/3wqukgC
UK: https://amzn.to/43PHFev
Getting Started Becoming a Master Hacker
US: https://amzn.to/4bmGqX2
UK: https://amzn.to/43JG2iA
Network Basics for hackers:
US: https://amzn.to/3yeYVyb
UK: https://amzn.to/4aInbGK
// Occupy The Web SOCIAL //
X: / three_cube
Website: https://hackers-arise.net/
// Playlists REFERENCE //
Linux Basics for Hackers: • Linux for Hackers Tutorial (And Free ...
Mr Robot: • Hack like Mr Robot // WiFi, Bluetooth...
Hackers Arise / Occupy the Web Hacks: • Hacking Tools (with demos) that you n...
// David's SOCIAL //
Discord: discord.com/invite/usKSyzb
Twitter: www.twitter.com/davidbombal
Instagram: www.instagram.com/davidbombal
LinkedIn: www.linkedin.com/in/davidbombal
Facebook: www.facebook.com/davidbombal.co
TikTok: tiktok.com/@davidbombal
// MY STUFF //
www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
Disclaimer: This video is for educational purposes only.
#hack #hacked #privacy