Sunday, December 31, 2017
Detecting RATs Keyloggers Installed On Your PC Using CMD And TaskManager FOCSoft
Detecting RATs Keyloggers Installed On Your PC Using CMD And TaskManager FOCSoft
Hello Friends
In this tutorial, Ill be showing you the easiest way of finding out malicious applications installed on your PC that transfer data using the internet without you knowing it.
As stated in the title, well be using TaskManager and CMD for the purposes of this tutorial.
As stated in the title, well be using TaskManager and CMD for the purposes of this tutorial.
1. To get started, open up your TaskManager by right clicking your TaskBar and selecting TaskManager or just hit CTRL+ALT+DEL to get it open.
2. Once that is done, click the "Processes" tab of your TaskManager and click View -> Select Columns -> Make sure that "Process Identifier(PID)" is ticked.
3. Now click the PID column to make sure that all the processes are sorted in a specific order. This step is not necessary, but it will make it easier for you to detect processes using their IDs.
2. Once that is done, click the "Processes" tab of your TaskManager and click View -> Select Columns -> Make sure that "Process Identifier(PID)" is ticked.
3. Now click the PID column to make sure that all the processes are sorted in a specific order. This step is not necessary, but it will make it easier for you to detect processes using their IDs.
Once youve done that right, were going to move on to part 2 of our tutorial, which is using CMD to view established connections.
Assuming you know how to open up CMD, Im just going to rush through step 1.
1. Start -> Run -> CMD
OR
Just type in cmd in the searchbar if youre running a system powered by Windows7.
2. Once cmd is open, I want you to type in "netstat -ano".
Your result should be something like this:
Assuming you know how to open up CMD, Im just going to rush through step 1.
1. Start -> Run -> CMD
OR
Just type in cmd in the searchbar if youre running a system powered by Windows7.
2. Once cmd is open, I want you to type in "netstat -ano".
Your result should be something like this:
3. Now what were interested in are only the connections with the state "ESTABLISHED".
Isolate them out and look for the PID right next to them. There will be many connections with "ESTABLISHED" state, youll have to repeat the following steps for all of them.
This is the fun part. Now go back to the TaskManager and look for the name of the process(es) that has the same PID(s) as the one you found with the ESTABLISHED connection(s).
In the above case, its a safe and trusted application known as Dropbox, so Im good. But incase you find a process which you do not know, if its something like svchost.exe that youre sure is infected, right click the process and select "Open File Location".
Now all you have to do is right click the file and scan it using your AV or upload it to an online scanner such as VirusTotal.com and check if its infected.
Its as easy as that.
Hope you find this useful.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment