Hey, everyone, welcome back to the course. So in this video, we're just gonna talk about some of the ways that you could help detect Mauer on systems
so we could do things like scanning for suspicious ports that are open, suspicious processes that might be running that aren't normal. Process is to be running.
We could look for registry entries that don't look normal. We could look for device drivers that we are like, Hey, we don't have this device in our machine.
Why do I have this printer? I don't even have a printer, right. So why do I have the device? The printer driver on my machine? We could look for suspicious started programs or suspicious files and folders,
abnormal network activities as well as different services that it might be running.
So let's talk about these a little bit more
So with suspicious ports were looking for uncommon port supports we normally wouldn't use. And these might be an indicator of compromise that there is some kind of infection or attack going on. For example, let's just say that normally I don't have anything running on Port 5000,
and so I see they have port 5000 is in use, I might say, Well, wait a minute. There's no services that run on that port for our organization. So why is there traffic on that port?
And why is most of that traffic outbound traffic
so we can use a tool, a command like Net Stat Dash ano, which will show us ports that are open on our device. And we could identify those suspicious ports from there
scanning for suspicious processes. So some Trojans use what's called PES or portable execute a bles
on that allows him to inject into various processes. So, for example, like Web browser processes or like Explorer Dottie XY,
and so the process is air actually visible right? They look like
legitimate processes, but they help the attacker do things like bypassing your host firewall, right? So your Windows firewall, for example,
and they can inject this through things like using a root kit to try to hide what they're actually doing. And they can use tools like process monitor or what's running toe. Identify suspicious processes,
suspicious registry entries. So Windows automatically executes instructions that you've got in run run services. Run services once run once,
and so an example of a suspicious century would be this one depicted here, where you see, after the typical entry of H key classes route we see executed a file open the shell Command. Basically, this is suspicious, right?
And we can use a tool like red scanner that allows us to scanner registry to find values that match the specific criteria that we specified
suspicious device drivers. So this is basically where user might install device drivers from an untrusted stores because they say, Well, this is the first one that came up in Google, and I need to update my printer software. And so basically, you can scan for suspicious device drivers that don't look
like they should be there. Right? So you have a certain printer, for example, and
this is a totally different type of printing device. Why would you need that driver on your system? So a tool like driver view can help you identify a listing of the device drivers that are currently loaded on your system suspicious Windows services. So, for example, the attacker
alter some registry keys to hide what they're doing, so they're gonna launch these different services, but there,
renaming the service or they're using registered Kiki's to try to hide what they're doing. And what these allow the attacker to do is to try to gain remote access to that device. Suspicious startup program. So basically, you want to check the startup program entries in the registry. You want to check the auto loading, uh,
drivers, So basically, the drivers that are automatically loaded upon boot
you want to check the boot dot I and I file you want to check the window services? So what services are automatically running once the the system is booting up, checking for suspicious files and folders. So has there been anything altered there? So, using something like sick verify that verifies the integrity of critical files
that have been digitally signed by Microsoft to say yes, this file has not been altered.
Using the F. C. I V or the file, check some integrity verifiers, basically a command line utility on that community. Compute MD five hash four files so you could verify that Yes, this is unaltered file or using a tool like trip wire, for example, that will verify the integrity of the files
and looking for suspicious network activities. So for example, is the attacker
communicating back to their command and control server from that victim machine and sending confidential information back? Are they stealing credentials? Are they stealing our intellectual property?
Is it normal for all of this type of
traffic or data to be leaving our network? Or is this an abnormal things? So looking for those suspicious activities
and we can use packet sniffers, try and network scanners to identify Mr Traffic going to malicious I P addresses we can use that also use tools like capsules Network analyzer. So just a quick, quick question here for you. This tool could help you check the integrity of critical files that have been signed by Microsoft that services
ap data sick very for trip wire
if you guess sick. Very if you are correct. So in this video, we just talked about some different ways that you can use to detect malware