Beyond running system scans and basic troubleshooting, I would not know how to find the answer. A neighbor believes that he has an intruder from his work snooping. They asked me because I’m geeky in different things, but this is one of those things that is kind of intriguing (also above my knowledge). They asked if I could try to detect if someone who has a backdoor (remote access) is abusing that power. How would one go about doing this? Wireshark?
I assume that you have run a full malwarebytes or similar scanning program first with all of the options checked.
Also narrow down what exactly the computer is doing that makes him suspect a backdoor. “Backdoor” is just a buzzword for many non-computer-savvy people and has a much wider definition than the actual definition. Then you can do some research and find out what kind of thing to look for.
Wireshark is a good option.
Autoruns is another great option.
It would take a bit to write up a tutorial on how to use said programs to find malware or hackers.
Blue teaming is great but is sometimes meticulous in practice. Not a bad thing, but you don’t just press “Scan” and find an answer, unfortunately. You’ll have to research your findings, be they IP addresses or processes.
+1 for wireshark but only if you have reason to believe his machine or network is compromised. I’d lean toward online accounts being broken into first.
My default is to use Autoruns to examine everything being started on boot/login. It also has features to scan using VirusTotal signatures, which then shows if a process has been flagged by AV providers as malware, with a link to see by whom.
I can also recommend Windows Firewall Control which allows simpler management of the Windows Firewall and can be used to allow outbound access to signed processes only and to prompt for anything unsigned. It takes a little while to get it trained but after that any new process that is not signed is flagged to the user.
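The two replies above describe the same manual workflow: find what is talking to the outside (Wireshark), find what starts at boot (Autoruns), then check each binary's signature and VirusTotal record. The following PowerShell is an added example of that triage, not code from any poster or from the tools they name. It assumes a Windows 10/11 host with the built-in NetTCPIP module, an elevated shell (otherwise paths of other users' processes come back empty), and leaves VirusTotal lookups as URLs to open by hand rather than calling the API. The RFC 1918/loopback filter is a simplification chosen for the example.

```powershell
# Added triage example (not from the thread). Assumes Windows 10/11, run as Administrator.
# Step 1: which processes hold connections to addresses outside the local network,
# and are those binaries signed? Step 2: which autostart entries are unsigned?

function Get-SuspectConnection {
    # Established TCP connections whose remote end is outside RFC 1918 / loopback space
    # (assumed "not local" for this example), joined to the owning process, its on-disk
    # path, Authenticode status and SHA-256 so the hash can be checked on VirusTotal.
    $private = '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|::1$|fe80:)'
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch $private } |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $path = $proc.Path
            # Status is Valid, NotSigned, HashMismatch, UnknownError, ... for the binary on disk
            $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
            $hash = if ($path) { (Get-FileHash -Path $path -Algorithm SHA256).Hash } else { $null }
            [pscustomobject]@{
                Remote     = "$($conn.RemoteAddress):$($conn.RemotePort)"
                PID        = $conn.OwningProcess
                Process    = $proc.ProcessName
                Path       = $path
                Signature  = $sig
                SHA256     = $hash
                VirusTotal = if ($hash) { "https://www.virustotal.com/gui/file/$hash" } else { $null }
            }
        }
}

function Get-UnsignedAutostart {
    # Run keys and Startup folders as reported by WMI, reduced to entries whose binary
    # is not validly signed. Autoruns checks far more persistence locations than this;
    # treat this as the cheap first pass, not a replacement.
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        $cmd = $_.Command
        # Crude executable extraction: first quoted token, else first whitespace-delimited token
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (Test-Path -LiteralPath $exe) {
            $status = (Get-AuthenticodeSignature -FilePath $exe).Status
            if ($status -ne 'Valid') {
                [pscustomobject]@{
                    Name      = $_.Name
                    Location  = $_.Location      # registry key or folder the entry lives in
                    User      = $_.User
                    Path      = $exe
                    Signature = $status
                    SHA256    = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
                }
            }
        }
    }
}

Get-SuspectConnection | Sort-Object Signature, Process | Format-Table -AutoSize
Get-UnsignedAutostart  | Format-List
```

Two caveats a practitioner would want here. A `Valid` signature only says the file is unmodified and came from whoever holds that certificate; legitimate remote-access tools are signed too, so for any established connection still look at the publisher (`Get-AuthenticodeSignature` also returns `SignerCertificate`) and ask whether the owner actually installed that program. And a process that is not currently connected will not appear in the first list at all, which is why the autostart pass, or a longer Wireshark capture, is needed alongside it.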
Erm, just a crazy question. You say this is someone from his work. Is this a work laptop?
If it is, then it is very possible the endpoint software is a bit overzealous in its policies.
Depending on the vendor, they can capture everything from keystrokes to video recordings when a violation occurs.
If this is not the case then ignore me.
SRC. … we make ^ software
Here are three tools that could help you:
http://spinlab.wpi.edu/courses/ece230x/EtherealQuickStartGuide.pdf
https://sectools.org/tool/etherape/
And for detecting keyloggers:
https://answers.microsoft.com/en-us/windows/forum/windows_7-security/how-do-i-check-if-i-have-got-keyloggers-on-my/28d52ade-c8f5-4427-8225-59f154fdb259
https://www.linkedin.com/pulse/how-detect-keylogger-remove-from-your-computer-tchize-matias
Every time somebody like this thinks they’re ‘getting hacked’, it seems like they’re paranoid about some illegal shit they’re doing, or just plain paranoid. I used to work in a small repair shop, and we’d get a ton of people like this. Most of the time they just had typical malware.
Sometimes it’s a legitimate complaint.
A friend of ours is a respectable and successful advertising agent.
Her neighbor was a competitor who broke into her office and installed a hardware keylogger that he could remotely access.
I was installing a new monitor for her and found it.
After a bit of forensic work, the logs and the device were turned over to the police.