In this episode of "How to Tell If Your PC is Hacked," we're diving into one of the most advanced forensic tools available: Process Monitor (Procmon). Like Process Explorer and Autoruns, it is part of the Microsoft Sysinternals Suite, which you can download from learn.microsoft.com. It's completely portable and requires no installation. Once opened, you'll see the Process Monitor Filter window, pre-populated with a handful of default exclusions (Procmon's own activity, for example); just hit "OK" for now.
Immediately, you'll notice a flood of information on the screen. Process Monitor shows system activity in real time: every registry query, file operation, network send, process start and image load. To stop the view from racing past, turn off Autoscroll (Ctrl+A); that only stops the list from jumping to the newest event, while capture continues in the background. Capture itself is toggled separately with Ctrl+E (File > Capture Events). Keeping the capture running while you read is what turns Procmon into a detailed forensic log. One caveat: by default events are held in paged memory, so for a long capture use File > Backing Files to write them to a .PML file on disk instead.
Our current system is infected, compromised by multiple crypto miners. It's so hijacked that even downloading antivirus software results in a fake antivirus taking control. I'll demonstrate how to identify such behavior using Process Monitor.
Detecting Suspicious Activity
As soon as I opened Process Monitor, I noticed numerous queries for AMSI providers by svchost.exe, a system process. AMSI (Antimalware Scan Interface) providers are the antimalware engines registered with Windows; they are listed under HKLM\SOFTWARE\Microsoft\AMSI\Providers, and that key is what these queries read. A few reads are normal, because legitimate components enumerate the providers when they initialise AMSI. Thousands of repeated reads are not, and here they point to the process enumerating the installed antivirus so it can evade or terminate it. Before drawing that conclusion, confirm which svchost.exe it is: right-click the event and choose Properties (or open the Process Tree with Ctrl+T) to see its image path, command line and parent, because malware commonly borrows the svchost.exe name.
To understand what a process is doing, read the Operation column. "RegOpenKey", "RegQueryKey" and "RegQueryValue" are registry reads: they show what the malware is looking up. "RegSetValue" and "RegCreateKey" are writes, and those are the ones to watch for persistence, for instance under a Run key. The Windows registry functions like a system logbook and control center, which makes it a prime target for malware.
Filtering for Focused Analysis
One of the most powerful features of Process Monitor is its filters. For example, you can set a filter to focus on sihost.exe, a process that on this machine was making numerous network connections. Filtering on Process Name (Filter > Filter..., or right-click a value in the list and choose Include) isolates that process so you can analyze its activity on its own.
Filters also let you exclude regular system activity and keep only the suspicious behavior. For instance, exclude Windows Update processes so they don't distract you, and use the toolbar toggles to show only one event class (registry, file system, network, or process and thread) at a time. Once applied, these filters transform your view, making it easier to track specific activities like network operations or file system changes. Note that a filter only hides events from the display; everything is still captured unless you enable Filter > Drop Filtered Events, so you can change your mind and widen the view later.
Detailed Activity Monitoring
To monitor specific types of activity:
- File System Activity: Track file creation, deletion, and modification, useful for identifying ransomware.
- Network Activity: See which processes are making network connections, ideal for spotting data exfiltration.
- Registry Activity: Monitor changes to the Windows registry, crucial for detecting system manipulation.
- Process and Thread Activity: Observe process creation, thread creation, and DLL loading (shown as "Load Image" events). A DLL loaded from an unexpected directory, or threads appearing in a process that has no reason to spawn them, is how injection and sideloading show up here.
If you notice an unknown DLL being loaded, it might be a hijack attempt. Search the DLL name to verify its legitimacy, but check the path as well: a DLL with a legitimate Windows name loading from a user-writable directory instead of C:\Windows\System32 is the classic search-order hijack pattern. Right-click the event and open Properties to see the loading process's image path and command line, and use Sigcheck (also from Sysinternals) to verify the file's signature and hash.
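The checks described above (counting AMSI provider reads per process, filtering by process name, and pulling out network connections, image loads and registry writes) written out as an added example that is not part of the original article: a small Python triage script over a Process Monitor CSV export (File > Save... in CSV format, or `procmon.exe /OpenLog capture.pml /SaveAs capture.csv` from the command line). The export rows embedded below are constructed for the example; the AMSI threshold, the list of "noisy" processes and the trusted image directories are assumptions to tune for your own environment.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed Process Monitor CSV export (File > Save..., "Comma-Separated Values")
# with Procmon's default columns. These rows were written for this example and are
# not from the infected machine described on the page.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:00.0000001","svchost.exe","1234","RegQueryKey","HKLM\SOFTWARE\Microsoft\AMSI\Providers","SUCCESS","Query: HandleTags"
"10:01:00.0000002","svchost.exe","1234","RegEnumKey","HKLM\SOFTWARE\Microsoft\AMSI\Providers","SUCCESS","Index: 0"
"10:01:00.0000003","svchost.exe","1234","RegQueryKey","HKLM\SOFTWARE\Microsoft\AMSI\Providers","SUCCESS","Query: HandleTags"
"10:01:00.0000004","svchost.exe","1234","RegQueryKey","HKLM\SOFTWARE\Microsoft\AMSI\Providers","SUCCESS","Query: HandleTags"
"10:01:00.0000005","powershell.exe","2222","RegOpenKey","HKLM\SOFTWARE\Microsoft\AMSI\Providers","SUCCESS","Desired Access: Read"
"10:01:01.0000000","sihost.exe","3333","TCP Connect","DESKTOP-EXAMPLE:49832 -> 203.0.113.5:443","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:01:01.0000001","sihost.exe","3333","TCP Send","DESKTOP-EXAMPLE:49832 -> 203.0.113.5:443","SUCCESS","Length: 517, seqnum: 0, connid: 0"
"10:01:02.0000000","svchost.exe","1234","TCP Connect","DESKTOP-EXAMPLE:49840 -> 198.51.100.7:4444","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:01:03.0000000","explorer.exe","4444","Load Image","C:\Windows\System32\shell32.dll","SUCCESS","Image Base: 0x7ff8a0000000, Image Size: 0x7b1000"
"10:01:03.0000001","svchost.exe","1234","Load Image","C:\Users\Public\Libraries\version.dll","SUCCESS","Image Base: 0x7ff8b0000000, Image Size: 0x9000"
"10:01:04.0000000","svchost.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 76, Data: C:\Users\Public\Libraries\updater.exe"
"10:01:05.0000000","wuauclt.exe","5555","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AUOptions","NAME NOT FOUND","Length: 12"
'''

AMSI_PROVIDERS_KEY = r"HKLM\SOFTWARE\Microsoft\AMSI\Providers".lower()
# Assumed "normal" locations for loaded images; anything else gets flagged.
TRUSTED_IMAGE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def exclude_processes(rows, names):
    """Equivalent of a Procmon 'Process Name is X then Exclude' rule for each name."""
    names = {n.lower() for n in names}
    return [r for r in rows if r["Process Name"].lower() not in names]


def include_process(rows, name):
    """Equivalent of a Procmon 'Process Name is X then Include' rule."""
    return [r for r in rows if r["Process Name"].lower() == name.lower()]


def amsi_provider_hotspots(rows, threshold):
    """Count registry operations touching the AMSI provider list per (process, PID)
    and return the ones above `threshold`. A handful of reads is normal; a stream is not."""
    counts = Counter()
    for r in rows:
        if r["Operation"].startswith("Reg") and r["Path"].lower().startswith(AMSI_PROVIDERS_KEY):
            counts[(r["Process Name"], int(r["PID"]))] += 1
    return {k: v for k, v in counts.items() if v > threshold}


def network_connections(rows):
    """Map (process, PID) to the remote endpoints it connected or sent to.
    Procmon writes network paths as 'local -> remote'."""
    remote = defaultdict(set)
    for r in rows:
        if r["Operation"] in ("TCP Connect", "TCP Send", "UDP Send") and " -> " in r["Path"]:
            remote[(r["Process Name"], int(r["PID"]))].add(r["Path"].split(" -> ", 1)[1])
    return dict(remote)


def suspicious_image_loads(rows):
    """'Load Image' events whose DLL lives outside the trusted directories: the
    search-order hijack / sideloading pattern discussed in the text."""
    return [(r["Process Name"], int(r["PID"]), r["Path"]) for r in rows
            if r["Operation"] == "Load Image"
            and not r["Path"].lower().startswith(TRUSTED_IMAGE_DIRS)]


def run_key_writes(rows):
    """Registry writes under a Run key, i.e. autostart persistence being installed."""
    return [(r["Process Name"], r["Path"], r["Detail"]) for r in rows
            if r["Operation"] in ("RegSetValue", "RegCreateKey")
            and RUN_KEY_FRAGMENT in r["Path"].lower()]


def triage(csv_text, amsi_threshold=1000, noise=("wuauclt.exe",)):
    """Drop known-noisy processes (assumed list), then run every check over the export."""
    rows = exclude_processes(parse_procmon_csv(csv_text), noise)
    return {
        "amsi_hotspots": amsi_provider_hotspots(rows, amsi_threshold),
        "network": network_connections(rows),
        "image_loads": suspicious_image_loads(rows),
        "run_key_writes": run_key_writes(rows),
    }


if __name__ == "__main__":
    # The sample is tiny, so a low AMSI threshold is used here; a real capture needs a
    # much higher one, tuned against a clean baseline of the same machine.
    for name, finding in triage(SAMPLE_CSV, amsi_threshold=3).items():
        print(f"{name}: {finding}")
```

For a headless capture on the suspect machine, Procmon itself can be scripted: `procmon.exe /AcceptEula /Quiet /Minimized /BackingFile capture.pml` starts recording, `procmon.exe /Terminate` stops it, and the `/OpenLog ... /SaveAs capture.csv` form above produces the input this script expects. The `triage` function deliberately excludes noise before counting, mirroring the advice to filter out Windows Update first, so that the AMSI threshold is compared against what is left.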
Practical Example on a Host System
On my host system, the network activity shows multiple connections from applications like Discord, Armory Crate, Nvidia Container, and Steam. To investigate further, I can filter by the Asus Framework process to see its specific network connections.
Conclusion
Process Monitor is an incredibly powerful tool. Mastering its filters lets you perform detailed forensic analysis, reconstructing almost everything a process does to the file system, registry and network. The one caveat is that it records activity, not intent: a suspicious pattern in Procmon is the starting point for verification (process tree, command line, signatures, hashes), not the verdict.