5.6 Malware Whats Running EH

Video Transcription
Hi. Welcome back to the course. In the last lab, we went over a tool called TCPView, which allows us to get some visuals on monitoring ports that are currently open on a machine. Now, from the cyber security and penetration testing aspect, why that's important is because if we're trying to analyze malware, a lot of times malware will use unknown ports or uncommon ports on a machine, so it might help us narrow down, especially if we know that a particular malware strain commonly uses a certain port number. So if we see that port number, it might be a trigger saying, "Hey, you know what, there's probably malware somewhere on this machine. Let's figure out where it's at."

So in this video, we're going to use a tool called What's Running. Now, that's going to give us visibility on the different processes running on the particular machine.
So let's go ahead and get started. You should still be connected to the Windows 10 machine. If you're not, just click up on PLABWIN10 and get connected.

Our next step here: we're going to open up Internet Explorer to the Intranet page, and then we're going to select Tools and then Hacking Tools. So let's go ahead and do that. I've scrolled down to the bottom, and I'll just launch Internet Explorer from the taskbar. Now we're going to go to Tools, and then we're going to scroll down a little bit and look for Hacking Tools. So right here, go ahead and click on that.
Let's go back to our lab document. Now we want to look for a file called whatsrunning_3_0_setup.exe, so basically version 3.0 of What's Running. So we're going to click back on our Intranet page here and just scroll down till we see What's Running. All right, so we see it right here: whatsrunning_3_0_setup.exe. So go ahead and click on that. You're going to get a prompt at the bottom of your screen, and we're just going to say Run to that prompt.
All right, so while that's opening up, we've selected Run. And now we're going to get what you see in the background here: I've got the User Account Control pop-up box. We're just going to click Yes to that. That way we can get installing with the wizard. So just say Yes to that, and you'll see it launch the What's Running setup wizard for us.

So that's our next step in the lab here, and then basically we're going to click Next, and then we're going to select the license agreement and accept it. Now, we're also going to keep all the default settings and just click Next all the way through, and then finally we'll culminate with clicking the Install button. So we're going to combine a few steps here as we go through it.
So let's go back to our wizard. We're just going to say Next, and then we're going to accept the license agreement. Again, you could read through it if you want to; I'm not going to. Just say Next. Next, here it's going to put the path there. We're just going to say Next; we want to keep the default. We're going to use Normal installation, just the default. And I'm just going to leave this alone. You can create a Quick Launch icon if you want to, but I'm going to leave this alone and just say Next. It's going to summarize the install, and then we're just going to say Install. It just takes a second or so to install. Let's go back to our lab document. And now it's installed.
Our next step here is to deselect, or uncheck, the Launch What's Running checkbox, and then we're going to click the Finish button. So let's go ahead and do that. So we see that checkbox right there, so let's uncheck it and then just click on Finish.
Now we want to either minimize or close Internet Explorer. We're not going to need it again in this lab. I'm going to go ahead and close it to get it out of the way. Let's go back to our lab document now. So we've minimized or closed Internet Explorer. Again, you don't need it again in this particular lab.
Our next step here: we're going to right-click on the What's Running application on our desktop, and then we're going to run it as an administrator. After we do that, it's going to give us that User Account Control pop-up box again. We're just going to say Yes to that. So we're going to click on our icon here, right-click, and then Run as administrator. It's going to give us that User Account Control pop-up; we're just going to say Yes to that, and it's going to start launching the wizard, excuse me, the tool for us.

So once it launches (so you see step 15 here), it's launched for us in the background there. It's going to default us into the Processes tab. That basically just shows us an overview of any processes that are currently running on the system.
Now we're going to look for a particular process. So we're going to look, in step 16 here, for OneDrive.exe. So let's go ahead and look for that. So we look through here, all the way down here, and right there we see OneDrive.exe. So go ahead and just click on that, and I'm going to go down here. There we go.
So what you're going to notice is, on the right side here, once we click on that, it gives us a little bit of information about that particular process. So we can click here and see some information. We can open all these, expanding or closing them as we deem fit. You see the memory it's using; we can see the file version; input/output is showing the operations there; you see the time when it was created, etc. So a lot of different things there. Now, we're not going to touch on those at all. We actually just want to do something with OneDrive. So let's go back to our lab document here. So we found OneDrive. Now in step 17, we're actually going to right-click on it, and we're going to go ahead and stop the process.
All right, so let's go ahead and do that. So we're going to right-click on OneDrive.exe and then Stop Process; it's the top option here. Now it's going to open up this Terminating Process pop-up box for us. Let's go back to our lab document and we'll see what we need to do for that.

All right, so that box opened for us, and now we're going to say OK. Now what you're going to notice, as soon as we say OK, keep an eye on OneDrive.exe: you're going to see that it disappears off the list, and that's how you know you were successful in doing it. All right, so let's click OK here. So keep an eye down here on OneDrive.exe and see what happens to it. All right, poof, like magic, it disappeared on us, so we know we were successful in stopping that process. Okay, let's go back to our lab document.
So now in the process window, we notice that the processes are shown in a tree-structure view. So let's take a look at what that means. Basically, we see here that I can click the minus sign there, and it hides that particular process; when I click it again, it puts it back on there. So the difference between this and what we're about to change it to is that the one we're about to change it to just lists everything. So let's go back to our lab document. So on the left side, we want to click where it says Show Processes in Tree. And now what that's going to do is change it to a flat hierarchy; you'll notice a difference here. So again, just keep an eye on this here; we're going to click right here, the Show Processes in Tree. We're going to select that, and you'll see it just basically lists everything now, so we don't have any plus or minus signs, kind of like a Windows folder, but we don't have any plus or minus signs to explore the different processes. We just have it all listed out here. So I'm going to click back on it just because I like this view a lot better. So let's move on to the next step in our lab.
So on the left side, we're going to click on Expand the Services column. So we're going to click here. You'll see here it shows us a lot of different services now. I'll expand out that window a little bit here. So let's go back to our lab document.

Now, in the center, we're going to click on the Product Name. What that's going to do is sort all these services by the product names. Let's go and do that. So here at the top left, just click on Product Name. You'll see it's going to sort them all by different products: Windows Explorer, Microsoft Windows or .NET Framework, and down the way there we'll see a VNC viewer here, etc. So it's going to list them all by product name.
All right, so our next step here, we're going to click the Current State column header. So that's going to sort the services by the current state that they are in. Okay, so it's going to be this one right here. So it's going to sort them basically by: are they running, are they stopped? So once we click it once, it's going to show us all the stopped ones, and then if we scroll all the way down, we can see all the running ones. So if we scroll down here, you'll see eventually we see all the ones running. Now, if we just click that same box again, it's going to put all the running ones at the beginning, and then we can scroll down to see all the stopped ones. So there are a couple of ways you can sort it just to get a different view on it.
Let's go back to our lab document here. We're going to go down to step number 25. So on the left side here, we're going to select the IP Connections column. So go ahead and click on that there. And now we're just going to take a look and see what kind of IP options we could have for our different columns. We're going to click on Select IP Columns on the left side here. So right here, we're going to click on that option. It just pulls it up. So you see here we can pick and choose which ones we actually want to see over here. Now, I'm not going to adjust any of these at all, but if you want to play around and just see what your view looks like, that's perfectly fine. I'm just going to say OK to that. And if you make a change here, just say OK. All right, let's move on with our lab.
So now on the left side, in step 27, we're going to click on where it says Drivers. So let's go ahead and do that. So about halfway down here, we're just going to click on Drivers. You're going to notice it's going to show us the drivers right here in this column. All right, so we see a list of installed drivers. That is correct. Now, step 29: we want to look for the WinUSB driver. So let's go ahead and see if we notice that anywhere. So we're going to look in the driver column, and we're going to go down to see WinUSB, so we see it right there. All right, so go ahead and click on it. Now you see some information in the right pane here. Again, we can look at the file version and stuff like that. So let's go back to our lab document. So we see that it is displayed for us. And in the right box there, on the right side, we can see details of the driver.
So next we're going to click the Startup tab. So click back on here and then click the Startup tab here at the top right. So now let's go back to our lab document. So we're going to uncheck the box that's to the left of OneDrive. So we see OneDrive here; we're just going to uncheck this box to the left of that. All right, let's move on to the next step of our lab.
So now we're actually going to take a snapshot. So we're going to select the Take Snapshot option, and that's located at the top left here in this Snapshot section. So, Take Snapshot: going to click on that. So our next step here is we actually want to save the snapshot. So the window opened up for us; we had already seen that. Now we're going to save a snapshot, and we're going to name it PLAB-WIN10. Here, we're going to click on Save Snapshot. It's going to open up basically a file-saving dialog for us, and we're going to type in here PLAB-WIN10. Okay, you just click on the Save option there. All right, so it saved the snapshot for us. All right, so that was the final step in our lab. So we went ahead and saved the snapshot. So we're going to close the snapshot and all our other windows.
Now, thinking back to the very introduction video where we talked about these different tools, and we talked about how each component here that we're looking at, whether it's port or process monitoring, file integrity with the HashCalc tool, or even using a tool like Stinger for assessing if there's malware infecting our machine. Um, thinking back to that, why do you think that we need to monitor what ports and processes are running on a particular machine? And I kind of gave you the answer already.

You're correct if you guessed that it's related to malware. So it allows us, if we know what ports should be operating and what processes should be operating, to quickly see, "Hey, this looks out of place, and, you know, maybe there's malware on this machine." In most cases, we can see some type of activity. Now, different things like, you know, RATs, a RAT being a Remote Access Trojan, and stuff like that may or may not be something that we can visually see in, like, a process monitor. You know, it may be something that we're not able to see, so it is important to look at the ports as well, because that might help us narrow down if there's an infection at all on that particular machine.
So in this video, we covered the tool called What's Running, essentially, and we went ahead and looked at some different processes, and it listed them all for us. Now, in the next video, we're going to go over HashCalc. As I mentioned, that one can be used for checking file integrity. Now, we're just going to go over in the next lab using HashCalc and some of the different features it has, and we'll do a couple of hashes. But just know that you can always take any file and check the integrity of it by, you know, getting the original file and then also performing a hash on the file that you have to make sure they match up.
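An added example, not part of the lab or of the What's Running utility: the same "take a snapshot, compare later" idea from this lab, done with two commands every Windows machine already has, `tasklist /FO CSV` and `netstat -ano`, and a few lines of Python. The baseline dictionary and both command outputs below are constructed for illustration (the image names, PIDs and port numbers, including `updater.exe` listening on tcp/4444, are made up), not captured from PLABWIN10; on a real box you would paste in the two commands' output or capture it with `subprocess`.

```python
"""Snapshot-and-diff of running processes and listening TCP ports.

Added example (not code from What's Running or from the lab). Parses the
output of `tasklist /FO CSV` and `netstat -ano`, compares it with a saved
baseline of what should be running, and reports what an analyst would
look at first. All sample data below is constructed, not captured.
"""
import csv
import io
from collections import defaultdict

# Constructed baseline: image name -> TCP ports it is allowed to listen on.
# In practice this is saved from a known-clean machine (the snapshot step).
BASELINE = {
    "System": frozenset({445}),
    "svchost.exe": frozenset({135, 49664}),
    "lsass.exe": frozenset({49665}),
    "explorer.exe": frozenset(),
    "OneDrive.exe": frozenset(),
}

# Constructed sample of `tasklist /FO CSV` output: OneDrive.exe is gone
# (stopped, as in the lab) and an extra image, updater.exe, has appeared.
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","144 K"
"svchost.exe","948","Services","0","12,040 K"
"lsass.exe","720","Services","0","9,812 K"
"explorer.exe","3124","Console","1","71,300 K"
"svchost.exe","1208","Services","0","8,004 K"
"updater.exe","5560","Console","1","3,920 K"
'''

# Constructed sample of `netstat -ano` output (PID is the last column).
NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       720
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5560
  TCP    192.168.0.20:49800     10.0.0.5:443           ESTABLISHED     3124
  UDP    0.0.0.0:5355           *:*                                    1208
'''


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist /FO CSV` output."""
    rows = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Image Name"] for r in rows}


def parse_listeners(text):
    """Return {pid: set of TCP ports in LISTENING state} from `netstat -ano`."""
    ports = defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        # TCP rows: Proto, Local, Foreign, State, PID. UDP rows have no State.
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            port = int(f[1].rsplit(":", 1)[1])  # also handles [::]:135
            ports[int(f[4])].add(port)
    return ports


def diff_against_baseline(baseline, procs, listeners):
    """Return sorted (finding, image, detail) tuples for anything out of place."""
    findings = []
    running = set(procs.values())
    for pid, name in procs.items():
        if name not in baseline:
            findings.append(("new_process", name, f"pid {pid}"))
        for port in sorted(listeners.get(pid, ())):
            if port not in baseline.get(name, frozenset()):
                findings.append(("unexpected_listener", name, f"pid {pid} tcp/{port}"))
    for name in baseline:
        if name not in running:
            findings.append(("missing_from_baseline", name, "not running"))
    return sorted(findings)


def run(baseline=BASELINE, tasklist=TASKLIST_CSV, netstat=NETSTAT):
    """Full pipeline on the constructed samples (or on real command output)."""
    return diff_against_baseline(baseline, parse_tasklist(tasklist),
                                 parse_listeners(netstat))


if __name__ == "__main__":
    for kind, image, detail in run():
        print(f"{kind:22} {image:14} {detail}")
```

The image-name check on its own is weak: malware routinely names itself after a legitimate image such as svchost.exe, which is why the instructor pairs process monitoring with port monitoring and, in the next lab, with file hashes. Extending each baseline record with the image path and its hash closes that gap.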