Got Hacked? - Windows Task & Processes

Finding Indicators of Compromise (IoC)


Shawn Stewart

Mr. Stewart has 28 years of experience with hundreds of international, commercial, military, and government IT projects. He holds certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell, and others. He has a Masters in Cybersecurity, a Bachelors in IT, a Minor in Professional Writing, and is a published author.

This is the second in a series of blog posts where we dive into our systems to find Indicators of Compromise (IoC). No, not the Olympic committee. These are clues that tell us a malicious task is present. It could have been placed there by a hacker, but 99 times out of 100 it arrived as a drive-by download.

If your computer is running slow or your Internet download speeds aren’t what they used to be, you might have malware. Crypto miners, zombie bots, ransomware time bombs, and other malware could use your connections for profit, piracy, and pure pandemonium! Read this article about Malware Crypto Miners (Link). Using the built-in task managers in Windows and Mac, we can (sometimes) find and eliminate these threats from our computers.

Last week we dug into the Windows Registry to see what programs start with Windows. If you found something of interest there, I hope you sorted it out. If not, reach out. We’d be glad to help. Read about finding potentially unwanted programs in the Windows Registry here (Link). A seasoned hacker will do everything they can to stay hidden. To find them, we will use two staples of the Windows operating system, Task Scheduler and Task Manager.

Mac Tasks

Mac has almost all the same features we will discuss in Windows. However, the Mac version is called Activity Monitor. Typically, it is in Applications – Utilities – Activity Monitor (Link). You can find a task scheduler on Mac either with cron jobs or Automator (Link). Several third-party applications also exist. Whatever you use, you should be able to follow along.

Task Scheduler

We will start in the Windows Task Scheduler as it is both the most cryptic for non-technical users and the busiest application in Windows. You can access Task Scheduler by simply typing “Task Scheduler” in the search bar.

Task Scheduler search bar in Windows tasks

When Task Scheduler opens, don’t panic! The Windows Task Scheduler is the system’s clock and calendar, performing specific repetitive tasks for Windows and all the applications on set schedules. Yes, it does exactly what it sounds like. From the list, you may recognize several applications. Odds are, many you will not.

Tasks scheduler screen

If you select one, the panel below will provide detailed information with additional tabs. The General tab gives the name and description of the task.

Tasks scheduler general tab

Selecting the Triggers tab provides details for what causes the task to run and when. In the example below, Adobe Acrobat will search for updates when the user logs on and every day at 8PM.

Tasks scheduler triggers tab

The important information is in the Actions tab. This shows what runs and from where. Here, the Adobe upgrade program runs, searching for updates to the program.

Tasks scheduler actions tab

You can spend a significant amount of time looking through the scheduled tasks and still miss a malicious entry. Hackers use the Task Scheduler to maintain control, even after you have cleaned your system! In most ransomware incidents, attackers leave tasks behind to reinfect the computer days, months, and even years later.

As part of a standard Penetration Test, scheduled tasks receive a great deal of attention. Mundane tasks could be overwritten with malicious applications. Or, my personal favorite, a legitimate application is used to call a malicious dynamic link library (DLL) file. If you have doubts, reach out.
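The Actions tab answers “what runs and from where” one task at a time. The script below, an added example that is not from the original post, walks every task’s actions the same way and flags the two patterns described above: a binary living outside the Windows or Program Files trees (or unsigned, or missing from disk), and a legitimate host such as rundll32.exe or regsvr32.exe being handed a DLL. The trusted-root list and the flag wording are this example’s own assumptions; everything it touches is read-only.

```powershell
# Added example: triage scheduled-task actions (what runs, from where). Read-only.
$trustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")
$dllHosts     = @('rundll32.exe', 'regsvr32.exe')   # legitimate hosts that load a DLL by path

function Expand-TaskExecutable([string]$raw) {
    # Actions often quote the path, use %SystemRoot%-style variables, or give a bare
    # name such as cmd.exe that Windows resolves through PATH.
    $exe = [Environment]::ExpandEnvironmentVariables($raw.Trim('"', ' '))
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd) { $exe = $cmd.Source }
    }
    return $exe
}

function Get-SuspiciousTaskAction {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }        # COM-handler actions have no Execute
            $exe       = Expand-TaskExecutable $action.Execute
            $arguments = [string]$action.Arguments
            $flags     = @()

            if (-not ($trustedRoots | Where-Object { $_ -and $exe.StartsWith($_, 'OrdinalIgnoreCase') })) {
                $flags += 'outside Windows/Program Files'
            }
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
            } else {
                $flags += 'executable not found on disk'
            }
            if ($dllHosts -contains (Split-Path $exe -Leaf) -and $arguments -match '\.dll') {
                $flags += 'host process loading a DLL'
            }
            if ($flags) {
                [pscustomobject]@{
                    Task      = "$($task.TaskPath)$($task.TaskName)"
                    Execute   = $exe
                    Arguments = $arguments
                    Flags     = ($flags -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousTaskAction | Format-Table -AutoSize -Wrap
```

A flag is a reason to look, not proof of compromise: installers that run from a user profile and some drivers’ helper tasks will trip the path check, so compare each hit with the task’s Description and Triggers tabs before acting.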

How Hardware Affects Computer Speed

Before we discuss the Task Manager, let’s discuss how computer operating systems, like Windows and Mac, interact with the computer hardware. Reading the Windows 11 Hardware Requirements (Link) indicates that the operating system, without running any other programs, needs 4 GB of RAM.

Minimum requirements are just that. Bare minimum. If you want to run anything else, including web browsers, which are memory and processor hogs, you need much more. In fact, my rule of thumb for a typical computer user is to take the minimum RAM and processor requirements and multiply by four (4). We will see why when we look into the Task Manager. In other words, don’t be cheap with your computer hardware!

The computer’s processor runs applications by moving data from the hard drive into RAM and computing on it there. If you don’t have enough RAM for the applications you are trying to run, the system uses part of the hard drive to store the extra data. This is called the Swap or Page file. Learn how to make the Internet fast again here (Link).

If your system doesn’t have enough RAM, the processor becomes overloaded shuffling data between RAM and the hard drive, to the point where it cannot respond to the tasks it should be doing. You see your computer slow down or stop responding. It could be a malicious application taxing your system, or your hardware may be insufficient. The Task Manager will tell us which one is true.

Task Manager

Task Manager is available either by searching for “Task Manager” in the search bar or by right-clicking the Task Bar and selecting Task Manager. “Where is the Task Bar?” Right? The Task Bar is the bar at the bottom of the screen where the open applications show. I know you just asked that question.

Task Manager search bar in Windows tasks

Starting with the Processes tab, you’ll notice the list constantly reorders itself based on the selected column. From here, you can select which column you want to sort by. This is useful for spotting which process is using the most CPU, Memory, Disk, Network, or Graphics Processor.

Selecting a different column sorts all applications by which is using the most of the column you chose. In the picture below, my Endpoint Protection, BitDefender, is using the most memory followed closely by Firefox. Quick math shows those two programs alone are using over 2 GB of RAM!

Tasks Manager processes

The Processes tab groups applications by Active and Background. To see all processes on a single pane, click the Details tab. This shows more detailed information, including the user running the application and the Process ID (PID). Notice how many entries are for Firefox with only one tab open. Now notice the entries for the Edge browser (msedgewebview2.exe). I don’t have Edge open, but it is still running in the background.

Tasks Manager Details tab

The Performance tab will quickly tell you if your system resources are stretched. Not only does this tab provide graphical representations of the same data we see in the Processes and Details tabs, but it also provides details on the speed and number of your processor cores and the amount of memory installed.

Tasks manager performance monitor tab

Besides the Task Scheduler, another favorite place to secure persistent access to a computer is by adding or manipulating Services. In the Services tab, you will find all the registered services on the computer, whether they are running, and which user or system account is running them. You’ll also notice the PID, which you can use to cross-reference in the Details tab.

Tasks manager services tab

Remember how we searched the Registry for programs that start with the computer? The Startup tab is a graphical representation of the same information. So, why do we need to look in the Registry when we can look here? I can hide applications from showing here. I can’t hide them in the Registry. If a particular application is slowing your computer, you can choose to not start it here.

Tasks manager startup tab

One last tab of interest is the Users tab. If you are running a home or non-corporate computer, you should only see your own User. Corporate computers may have network service accounts logged in for monitoring and security. However, if you see any other user logged in, alert your IT department. It’s not typically a good sign.

Tasks manager users tab

Caveats – While you may feel more in tune with your computer now than you’ve ever been before, there is a bit of bad news. Services, processes, and even scheduled tasks can be hidden from view. They can be hidden from the GUI or from the primary user, especially if that user is not the administrator or not the only administrator. This is why we started last week in the Windows Registry. You can’t hide in there.

If you REALLY want to see the services configured, you can use the read-only query below. Beware! The data is copious! Unfortunately, without administrator access, there is no easy way to query the registry for scheduled tasks in newer versions of Windows.

Services
reg query hklm\system\currentcontrolset\services
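The reg query above dumps the raw keys. As an added example that is not from the original post, the script below reads the same registry hive, isolates each service’s binary from its ImagePath value, and cross-references the running PID and account the way the Services and Details tabs do, so a service whose registry entry exists but never shows in the GUI still appears here. The trusted-root list and the ImagePath normalization rules are this example’s assumptions; it is read-only and works without administrator rights for everything the current user can read.

```powershell
# Added example: enumerate services from the registry and join them to live PIDs. Read-only.
$trustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")
$startType    = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# State, PID and account per service, as Task Manager's Services tab shows them.
$live = @{}
Get-CimInstance Win32_Service | ForEach-Object { $live[$_.Name] = $_ }

function Resolve-ImagePath([string]$imagePath) {
    # ImagePath may be quoted, carry arguments, or start with %SystemRoot%, \SystemRoot,
    # \??\ or a path relative to the Windows directory (system32\drivers\x.sys).
    $raw = [Environment]::ExpandEnvironmentVariables($imagePath)
    $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split '\s+[-/]')[0].Trim() }
    $exe = $exe -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }
    return $exe
}

function Get-ServiceTriage {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        if (-not $props.ImagePath) { return }            # filter or alias keys with no binary
        $exe   = Resolve-ImagePath $props.ImagePath
        $flags = @()
        if (-not ($trustedRoots | Where-Object { $_ -and $exe.StartsWith($_, 'OrdinalIgnoreCase') })) {
            $flags += 'outside Windows/Program Files'
        }
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { $flags += 'binary not found on disk' }
        $svc = $live[$_.PSChildName]                      # $null when the service is not registered live
        [pscustomobject]@{
            Service = $_.PSChildName
            Start   = if ($null -ne $props.Start) { $startType[[int]$props.Start] }
            Binary  = $exe
            State   = $svc.State
            PID     = $svc.ProcessId
            Account = $svc.StartName
            Flags   = ($flags -join '; ')
        }
    }
}

# Only flagged entries; remove the Where-Object to see every registered service.
Get-ServiceTriage | Where-Object Flags | Sort-Object Service | Format-Table -AutoSize -Wrap
```

Kernel drivers appear here too, which is why the list is copious; a driver under system32\drivers with a State of $null is normal, while a user-mode service running from a temp or profile folder is worth the cross-check against the Details tab PID.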

Tasks At Hand

How do you prevent malware in the first place? Discipline and good Endpoint Protection software. Don’t click on links or attachments in email. Don’t browse to places on the Internet you shouldn’t. Don’t click on any pop-ups. We will talk about cleaning your web browser plug-ins in the future. The next article will tackle network connections and logs.

Need Help?

Reach out to us! We’re all in this together. Visit our contact page to submit an inquiry. Also, please follow us on social media for the latest updates.

Check Out Our Podcast!

The Hillbilly Hacker Podcast is the hottest new show on the Internet to learn about today’s latest technology in simple words. You can find the Hillbilly Hacker on Spotify, Apple, Amazon, or wherever you find your podcasts. (Link)
