Below is a detailed set of activities with step-by-step instructions that you can perform using built-in Windows tools and interfaces. This will help you investigate, discover, and analyze potential security issues on a Windows system.
- Objective: Identify and investigate suspicious or unknown processes running on the system.
- Steps:
  - Open Task Manager:
    - Right-click on the taskbar and select Task Manager.
    - Alternatively, press Ctrl + Shift + Esc.
  - Check for Unfamiliar Processes:
    - In the Processes tab, scroll through the list of running processes.
    - Look for processes with unfamiliar names or unusually high resource usage.
  - Investigate Process Details:
    - Right-click on any suspicious process and select Open File Location to view where the process is running from.
    - Search online for the process name to determine if it’s legitimate.
    - In the Details tab, right-click on the process and select Properties to check the digital signature under the Digital Signatures tab (if present).
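The same process review done from PowerShell, as an added example that is not part of the original guide: it lists each running executable with its image path and Authenticode signature status, then flags binaries that are unsigned or that run from outside the directories listed in `$expected` (that list is an assumption; adjust it to the machine). Run it from an elevated prompt, since `Path` is empty for processes you cannot open.

```powershell
# Added example: enumerate running executables with path and signature status.
# Assumes an elevated prompt; $expected is an assumed baseline of trusted directories.

$report = Get-Process |
    Where-Object { $_.Path } |                 # processes whose image path we can read
    Sort-Object Path -Unique |                 # one row per executable on disk
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [PSCustomObject]@{
            Name      = $_.ProcessName
            Id        = $_.Id
            Path      = $_.Path
            Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# Directories where legitimate binaries normally live (assumed baseline).
$expected = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

# Anything unsigned, with a broken signature, or running from elsewhere
# (user profile, Temp, Downloads, ...) is worth the Open File Location check.
$suspect = $report | Where-Object {
    $p = $_.Path
    $_.Signature -ne 'Valid' -or
        -not ($expected | Where-Object { $p.StartsWith($_, 'OrdinalIgnoreCase') })
}

$suspect | Format-Table Name, Id, Signature, Signer, Path -AutoSize -Wrap
```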
- Objective: Check for unauthorized or suspicious programs that are set to run automatically at startup.
- Steps:
  - Open Task Manager:
    - Right-click on the taskbar and select Task Manager.
    - Go to the Startup tab.
  - Review Startup Programs:
    - Look through the list of programs that run at startup.
    - Check for unfamiliar or suspicious entries, especially those with a high startup impact.
  - Disable Suspicious Entries:
    - Right-click on any suspicious entries and select Disable to prevent them from running at startup.
    - Use Open File Location to investigate further, or Search online to find more information.
- Objective: Monitor network connections to identify any unusual or unauthorized communication.
- Steps:
  - Open Command Prompt:
    - Press Win + R, type cmd, and press Enter.
  - List Active Connections:
    - Type the following command and press Enter:
      netstat -anob
    - This will list all active network connections, along with the process IDs (PIDs) and executable names that are using them.
  - Identify Suspicious Connections:
    - Look for connections to unfamiliar IP addresses in the Foreign Address column.
    - Note the PID of any suspicious connection and cross-reference it with the processes in Task Manager.
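The `netstat -anob` step as PowerShell objects, added here as an example that is not from the original guide: `Get-NetTCPConnection` (Windows 8 / Server 2012 and later) gives the connection list, the owning PID is joined to `Get-Process` so the cross-reference to Task Manager is done for you, and connections to non-private remote addresses are printed first. As with `netstat -b`, resolving the owning executable for every connection needs an elevated prompt. The private-range regex is the example's own assumption about what counts as "expected".

```powershell
# Added example: established TCP connections joined to their owning process.
# Assumes an elevated prompt and the NetTCPIP module (Windows 8+).

$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

$conns = Get-NetTCPConnection -State Established | ForEach-Object {
    $p = $procs[[int]$_.OwningProcess]
    [PSCustomObject]@{
        LocalAddress  = $_.LocalAddress
        LocalPort     = $_.LocalPort
        RemoteAddress = $_.RemoteAddress        # netstat's "Foreign Address"
        RemotePort    = $_.RemotePort
        PID           = $_.OwningProcess
        Process       = if ($p) { $p.ProcessName } else { '?' }
        Path          = if ($p) { $p.Path } else { '' }
    }
}

# Loopback, link-local and RFC 1918 ranges are usually expected traffic
# (assumed baseline); everything else gets listed for review.
function Test-PrivateAddress([string]$ip) {
    $ip -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'
}

$external = $conns | Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) }
$external | Sort-Object Process, RemoteAddress |
    Format-Table Process, PID, RemoteAddress, RemotePort, Path -AutoSize
```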
- Objective: Identify and investigate scheduled tasks that could be used for persistence or unauthorized activity.
- Steps:
  - Open Task Scheduler:
    - Press Win + R, type taskschd.msc, and press Enter.
  - Browse Through Scheduled Tasks:
    - In the left pane, expand Task Scheduler Library.
    - Browse through the folders and tasks, paying attention to tasks that run programs or scripts.
  - Investigate Suspicious Tasks:
    - Right-click on any suspicious task and select Properties.
    - Check the Actions tab to see what program or script the task runs.
    - Note the Triggers tab to see when the task is scheduled to run.
  - Disable or Delete Suspicious Tasks:
    - If you find a task that seems suspicious, you can Disable or Delete it by right-clicking on the task.
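Reviewing the Actions tab of every task by hand does not scale, so here is an added example (not from the original guide) that walks the whole Task Scheduler Library with `Get-ScheduledTask`, expands each action's executable, and flags actions that launch a script host or a binary outside the Windows and Program Files directories. The `$scriptHosts` list and `$systemDirs` baseline are the example's own assumptions; many legitimate Microsoft tasks use rundll32 or PowerShell, so treat the output as a review list, not a verdict.

```powershell
# Added example: list scheduled-task actions and flag the ones worth a closer look.
# $scriptHosts and $systemDirs are assumed baselines, not a definitive rule.

$scriptHosts = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
               'mshta.exe', 'rundll32.exe', 'regsvr32.exe'
$systemDirs  = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

$rows = Get-ScheduledTask | ForEach-Object {
    $task = $_
    # Only exec actions have Execute; COM-handler actions are skipped here.
    $task.Actions | Where-Object { $_.Execute } | ForEach-Object {
        $exe  = [System.Environment]::ExpandEnvironmentVariables($_.Execute).Trim('"')
        $leaf = ($exe -split '[\\/]')[-1].ToLower()
        [PSCustomObject]@{
            TaskPath   = $task.TaskPath
            TaskName   = $task.TaskName
            State      = $task.State                  # Ready, Running, Disabled
            Execute    = $exe
            Arguments  = $_.Arguments
            Suspicious = ($scriptHosts -contains $leaf) -or
                         -not ($systemDirs | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })
        }
    }
}

$rows | Where-Object Suspicious | Sort-Object TaskPath, TaskName |
    Format-Table TaskPath, TaskName, State, Execute, Arguments -AutoSize -Wrap
```

Pipe a flagged task name into `Get-ScheduledTaskInfo` to see its last and next run time, which answers the Triggers-tab question from the same prompt.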
- Objective: Review Windows Event Logs for signs of compromise, such as failed logon attempts, service changes, or script execution.
- Steps:
  - Open Event Viewer:
    - Press Win + R, type eventvwr, and press Enter.
  - Check Security Logs:
    - In the left pane, navigate to Windows Logs > Security.
    - Look for Event ID 4625 (failed logon attempts) and Event ID 4624 (successful logons).
  - Check System Logs:
    - Navigate to Windows Logs > System.
    - Look for Event ID 7045 (a service was installed) and Event ID 7035 (a service was started).
  - Filter Logs for Specific Events:
    - Right-click on a log (e.g., Security), select Filter Current Log, and enter the Event IDs you’re interested in.
    - This helps narrow down relevant events for investigation.
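Filter Current Log shows you the events one at a time; the added example below (not from the original guide) does the same filtering with `Get-WinEvent` and then summarises the 4625 failures by target account and source address over the last 24 hours, which is how a brute-force or password-spray pattern becomes visible. It also pulls the 7045 service-install events from the System log for the same window. Reading the Security log requires an elevated prompt; the 24-hour window is an assumption.

```powershell
# Added example: failed logons (4625) grouped by account and source, plus recent
# service installs (7045). Assumes an elevated prompt; the time window is arbitrary.

function Get-EventDataValue {
    # Pull a named EventData field from the event's XML rather than relying on
    # positional Properties[] indexes, which differ between event IDs.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue   # no matches would otherwise throw

$rows = foreach ($e in $failed) {
    [PSCustomObject]@{
        Time      = $e.TimeCreated
        Account   = Get-EventDataValue $e 'TargetUserName'
        Source    = Get-EventDataValue $e 'IpAddress'
        LogonType = Get-EventDataValue $e 'LogonType'   # 3 = network, 10 = RDP
        Status    = Get-EventDataValue $e 'Status'      # e.g. 0xC000006D bad credentials
    }
}

# Many failures for one account/source pair, or one source hitting many accounts,
# is the pattern to look for.
$rows | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        [PSCustomObject]@{
            Time    = $_.TimeCreated
            Service = Get-EventDataValue $_ 'ServiceName'
            Image   = Get-EventDataValue $_ 'ImagePath'
        }
    } | Format-Table -AutoSize -Wrap
```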
- Objective: Verify that there are no unauthorized or suspicious user accounts, especially those with administrative privileges.
- Steps:
  - Open Local Users and Groups:
    - Press Win + R, type lusrmgr.msc, and press Enter.
    - Navigate to Users under Local Users and Groups.
  - Review User Accounts:
    - Check the list of user accounts for unfamiliar names.
    - Pay special attention to accounts that are members of the Administrators group.
  - Disable or Remove Unauthorized Accounts:
    - Right-click on any suspicious account and select Properties.
    - You can Disable the account by selecting Account is disabled or delete the account if it's confirmed as unauthorized.
- Objective: Check the Windows Hosts file for unauthorized entries that could redirect traffic or block access to legitimate sites.
- Steps:
  - Open the Hosts File:
    - Press Win + R, type notepad, and press Enter.
    - In Notepad, click File > Open and navigate to C:\Windows\System32\drivers\etc.
    - Change the file type dropdown to All Files and select the hosts file.
  - Review the Hosts File:
    - Look for any unfamiliar entries, especially those that redirect commonly used sites (like Google or antivirus update sites) to a different IP address.
  - Remove Suspicious Entries:
    - Delete any unauthorized entries and save the file.
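An added example (not from the original guide) that parses the hosts file into one object per hostname, then reports entries that point anywhere other than loopback or that mention update and security-vendor domains, which is the tampering the step above asks you to look for. The `$watch` pattern is an illustrative assumption; extend it with the vendors you rely on.

```powershell
# Added example: parse the hosts file and flag entries that look like tampering.
# $watch is an assumed list of domains attackers commonly redirect or block.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsEntry([string]$Path) {
    $lineNo = 0
    foreach ($line in Get-Content -Path $Path) {
        $lineNo++
        $text = ($line -split '#', 2)[0].Trim()        # strip trailing comments
        if (-not $text) { continue }                    # blank or comment-only line
        $fields = $text -split '\s+'                    # <address> <name> [<alias> ...]
        if ($fields.Count -lt 2) { continue }           # malformed line, nothing to map
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [PSCustomObject]@{ Line = $lineNo; Address = $fields[0]; HostName = $name }
        }
    }
}

$entries  = Get-HostsEntry $hostsPath
$loopback = '^(127\.|::1$|0\.0\.0\.0$)'
$watch    = 'microsoft\.com$|windowsupdate\.com$|google\.com$|update|antivirus|defender'

# A real address for any name is a redirect; loopback/0.0.0.0 for a vendor name is a block.
$entries |
    Where-Object { $_.Address -notmatch $loopback -or $_.HostName -match $watch } |
    Format-Table Line, Address, HostName -AutoSize
```

Saving an edited hosts file from Notepad only works when Notepad was started as administrator; `Set-Content` from an elevated PowerShell prompt works the same way.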
- Objective: Review browser history and installed extensions to detect signs of phishing, malware, or unauthorized access.
- Steps:
  - Open the Browser (e.g., Chrome, Edge):
    - Launch your web browser.
  - Check Browser History:
    - Press Ctrl + H to open the browser history.
    - Look for visits to suspicious sites, phishing pages, or sites you don’t recognize.
  - Review Installed Extensions:
    - Go to the browser menu and navigate to Extensions.
    - Review the list of installed extensions for any that you didn’t install or that seem suspicious.
    - Remove any unwanted or suspicious extensions.
- Objective: Check for any recently installed software that could be malicious or unwanted.
- Steps:
  - Open Control Panel:
    - Press Win + R, type control, and press Enter.
    - Navigate to Programs > Programs and Features.
  - Sort by Installation Date:
    - Click on the Installed On column to sort the list of installed programs by date.
    - Look for any unfamiliar or suspicious software installed recently.
  - Uninstall Suspicious Software:
    - Select the software and click Uninstall to remove it.
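Programs and Features is built from the registry Uninstall keys, so the same "Installed On" sort can be scripted; the added example below (not from the original guide) reads those keys for both hives, parses the `InstallDate` value, and lists what was added in the last 30 days. `InstallDate` is a `yyyyMMdd` string that some installers omit, so rows without a date are kept but sorted last. The 30-day window is an assumption.

```powershell
# Added example: installed programs from the Uninstall registry keys, newest first.
# Assumes a 30-day review window; entries without InstallDate sort to the end.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',   # 32-bit apps
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user installs
)

function Get-InstalledProgram {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |          # skip patch/component stubs
        ForEach-Object {
            $date = $null
            if ($_.InstallDate -match '^\d{8}$') {  # yyyyMMdd, e.g. 20240315
                $date = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [PSCustomObject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $date
                Location    = $_.InstallLocation
                Uninstall   = $_.UninstallString
                Hive        = $_.PSDrive.Name       # HKLM (all users) or HKCU (this user)
            }
        }
}

$all    = Get-InstalledProgram | Sort-Object InstallDate -Descending
$recent = $all | Where-Object { $_.InstallDate -and $_.InstallDate -gt (Get-Date).AddDays(-30) }

$recent | Format-Table InstallDate, Name, Publisher, Hive, Location -AutoSize -Wrap
```

Per-user (HKCU) installs and entries with an empty Publisher or a Location under the user profile are the ones that never show up in an admin-only review, so give those a second look.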
- Objective: Detect and investigate any unauthorized remote connections to the system.
- Steps:
  - Open Command Prompt:
    - Press Win + R, type cmd, and press Enter.
  - List Remote Sessions:
    - Type the following command and press Enter:
      query user
    - This will list all active user sessions, including those connected remotely.
  - Identify Unauthorized Connections:
    - Check the list for any sessions connected remotely (usually indicated under the SESSIONNAME column).
    - If you find an unfamiliar session, note the ID and username.
  - Log Off Unauthorized Sessions:
    - Use the following command to log off a suspicious session:
      logoff <ID>
    - Replace <ID> with the session ID of the suspicious connection.