top of page

How To Tell If Your PC Is Hacked (Windows 11)

How To Tell If Your PC Is Hacked (Windows 11) | Black Hat HQ

How To See If Your Windows 11 PC Is Compromised


Here's a structured approach to checking for compromise on a Windows 11 system, organized from the most reliable forensic artifacts down to subtle behavioral indicators. Run through these in order. This is a guide on how to tell if your PC is hacked (Windows 11).


Tier 1: High Confidence - These Prove Compromise


1. Check for Autoruns (Persistence Mechanisms)


This is where most attackers live. Use Autoruns from Sysinternals (run as Administrator) — it shows every persistence point on the system. The built-in msconfig or Task Manager only show a fraction.


powershell

# Download and run Autoruns
curl -L -o autoruns.zip https://live.sysinternals.com/autoruns.zip
expand-archive autoruns.zip .
.\Autorunsc64.exe -a -h -s -v -o autoruns.csv

# Or check persistence points manually via PowerShell:
Get-CimInstance Win32_StartupCommand | Select Name, Command, Location

# Check scheduled tasks — very common persistence
schtasks /query /fo LIST /v | findstr /i "payload beacon update maintenance"

# Check WMI event subscriptions (fileless persistence)
Get-WmiObject -Namespace root\subscription -Class __EventFilter
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding

What to look for: Entries in unusual locations — HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceStartup folders, scheduled tasks named to look like Windows services (WindowsUpdateTaskSecurityHealthAdobeUpdater), WMI event subscriptions (almost never legitimate on a workstation).


2. Network Connections to C2


powershell

# Active connections with process mapping (run as admin)
netstat -ano -p TCP | findstr ESTABLISHED

# Resolve remote IPs to check against known bad ranges
Get-NetTCPConnection | Where State -eq Established | Select-Object -Property `
    @{Name="LocalAddress";Expression={$_.LocalAddress}},
    @{Name="LocalPort";Expression={$_.LocalPort}},
    @{Name="RemoteAddress";Expression={$_.RemoteAddress}},
    @{Name="RemotePort";Expression={$_.RemotePort}},
    @{Name="OwningProcess";Expression={Get-Process -Id $_.OwningProcess | Select -ExpandProperty ProcessName}}

Cross-reference remote IPs against:

  • Known C2 infrastructure ranges: DigitalOcean, Hetzner, OVH, BuyVM, Contabo

  • Common malware ports: 4444, 5555, 8080, 8443, 9001, 31337

  • Connections to IPs on non-standard ports that persist after browser closes


Beaconing check — if you can observe over time (e.g., check netstat every 30 seconds for 10 minutes), look for connections that appear periodically every 30-60 seconds to the same IP.


powershell

# Quick beacon check — run this every 30s in a loop
while(1) {
    Get-NetTCPConnection -State Established | Where RemotePort -notin @(80,443,22) | Format-Table RemoteAddress,RemotePort
    Start-Sleep 30
}

3. Check for Unusual Drivers (Kernel-Level Compromise)


powershell

# List loaded kernel drivers
Get-WmiObject Win32_SystemDriver | Where State -eq Running | Select DisplayName,PathName,Started,StartMode

# Check for Microsoft names + third-party publishers
driverquery /si | findstr /v "Microsoft"

Watch for: Drivers loaded from %TEMP%, drivers signed by unknown publishers, unsigned drivers (Windows 11 blocks these by default, but an attacker with admin access can install them), drivers named to look like real drivers but are actually malicious (ntfs.sys is legitimate; ntfs64.sys is suspicious).


4. Check Security Event Logs for Tampering


powershell

# Check if security log was cleared — this is a massive red flag
Get-WinEvent -LogName "Security" -MaxEvents 1 | Select TimeCreated,Id

# If no events or only recent events, log was likely cleared
# Compare with:
(Get-WinEvent -ListLog "Security").RecordCount

# Check event 1102 (Security log cleared)
Get-WinEvent -FilterHashtable @{LogName="Security";Id=1102} -MaxEvents 5

An attacker who clears the security log is running with admin privileges and expects to be caught. If the security log has been wiped, you're dealing with someone who knows what they're doing.


5. Check Account Anomalies


powershell

# List all local users, including hidden ones
Get-LocalUser | Select Name,Enabled,PasswordLastSet,LastLogon,Description

# Check for accounts with last logon but user doesn't recognize
# Check the Administrators group
net localgroup Administrators

# Look for accounts added recently
Get-LocalUser | Where PasswordLastSet -gt (Get-Date).AddDays(-30)

# Check for RDP access being enabled unexpectedly
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name fDenyTSConnections

Watch for: Unknown user accounts (especially with generic names like SupportAdminBackupTemp), familiar user accounts with a recent password change the user didn't make, guest accounts enabled.


Tier 2: Moderate Confidence - Suspicious Behavior


6. Process Anomalies


powershell

# Processes with no parent (orphan processes)
Get-WmiObject Win32_Process | Where {$_.ParentProcessId -eq 0} | Select Name,ProcessId

# Processes running from temp directories
Get-Process | Where {$_.Path -match "\\Temp\\"} | Select ProcessName,Id,Path

# Processes with suspicious names (typosquatting)
Get-Process | Where { $_.ProcessName -match "^(svch0st|expl0rer|scvhost|lsasss|winlog0n)$" }

# Check for hidden processes (visible to kernel not userspace) — requires driver

The most common trick: malware named svchost.exe running from C:\Users\<user>\AppData\ or C:\Windows\Temp\. Real svchost.exe lives in C:\Windows\System32\ and is started by services.exe (parent PID is the services control manager).


7. File System Anomalies


powershell

# Check common malware drop locations for recently created executables
Get-ChildItem -Path "$env:TEMP" -Recurse -Include *.exe,*.dll,*.ps1,*.vbs,*.js | Where LastWriteTime -gt (Get-Date).AddDays(-14)

# Check AppData for unusual executables
Get-ChildItem -Path "$env:LOCALAPPDATA" -Recurse -Include *.exe,*.dll -Depth 2 | Where LastWriteTime -gt (Get-Date).AddDays(-14)

# Check for ADS (Alternate Data Streams) — NTFS hiding technique
Get-ChildItem C:\ -Recurse -ea 0 | ForEach { Get-Item $_.FullName -Stream * } | Where Stream -ne ':$DATA'

# Hidden files in unusual locations
Get-ChildItem -Path C:\ -Hidden -Filter *.exe -ErrorAction SilentlyContinue

Common hiding spots: C:\Users\<user>\AppData\Local\TempC:\Users\<user>\AppData\Roaming\Microsoft\Windows\TemplatesC:\Windows\TempC:\PerfLogs, recycle bin artifacts, C:\ProgramData\ subdirectories.


8. DNS Query Anomalies


powershell

# View DNS cache for suspicious domains
Get-DnsClientCache | Where Name -notmatch "(microsoft|google|apple|facebook|amazon|cloudflare|windows|office|akamai|azure)\.com$" | Sort-Object Name -Unique

What to look for: Domains using DGA patterns (random-looking strings), subdomains that look like encoded data (a1b2c3d4.malware-c2.com), connections to registered-soon domains (if you check WHOIS and the domain was created 2 months ago, that's suspicious).


Tier 3: Behavioral Indicators


9. Strange System Behavior


  • High CPU/Disk/Network when idle — open Task Manager, sort by CPU and Disk, see what's active when you're doing nothing. C2 beaconing, crypto mining, or data exfiltration.

  • Unexplained data usage — check Data Usage in Windows Settings or via PowerShell:


powershell

Get-NetAdapterStatistics | Select Name,ReceivedBytes,SentBytes

  • Webcam/mic LED turning on unexpectedly — check Device Manager → Cameras or run:


powershell

# Check camera and mic access logs
Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Camera/Camera";Id=1010} -MaxEvents 10

  • Mouse moving on its own / random clicks / windows closing without input

  • Firewall rules being disabled or new allow rules appearing:


powershell

netsh advfirewall firewall show rule name=all dir=in | findstr /i "allow"
netsh advfirewall firewall show rule name=all dir=out | findstr /i "allow"

  • Windows Defender being disabled — this is a massive red flag:


powershell

Get-MpComputerStatus | Select RealTimeProtectionEnabled,AntispywareEnabled,NISEnabled

Tier 4: Deep Forensic Collection (If You Suspect A Breach)


If any of the above flags came up, escalate to full forensic acquisition:


powershell

# 1. Memory dump (the most valuable artifact)
# Requires procdump from Sysinternals
.\procdump64.exe -accepteula -ma lsass.exe lsass.dmp   # Credential theft investigation
.\procdump64.exe -accepteula -r -ma -n 3 -s 5 -c 50 svchost.exe   # Dump process hitting 50% CPU

# Or full memory capture (use winpmem or Magnet RAM Capture)
.\winpmem_mini_x64_rc2.exe memory.raw

# 2. Collect prefetch files (execution history)
Copy-Item C:\Windows\Prefetch\* $env:TEMP\forensic\prefetch\

# 3. Collect recent file execution (MRU)
# RecentDocs
reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" $env:TEMP\forensic\recentdocs.reg
# RunMRU
reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" $env:TEMP\forensic\runmru.reg

# 4. Collect USN journal (file change journal)
fsutil usn readjournal C: > $env:TEMP\forensic\usn_journal.txt

# 5. Collect event logs
wevtutil epl Security $env:TEMP\forensic\security.evtx
wevtutil epl System $env:TEMP\forensic\system.evtx
wevtutil epl Application $env:TEMP\forensic\application.evtx
wevtutil epl "Windows PowerShell" $env:TEMP\forensic\powershell.evtx
wevtutil epl "Microsoft-Windows-TaskScheduler/Operational" $env:TEMP\forensic\taskscheduler.evtx

Automated Triage Script


powershell

# Save as triage.ps1, run as Administrator
$out = "$env:TEMP\forensic_$(Get-Date -Format yyyyMMdd_HHmmss)"
New-Item -ItemType Directory -Path $out -Force

# System info
systeminfo | Out-File "$out\systeminfo.txt"
Get-Service | Format-Table -AutoSize | Out-File "$out\services.txt"

# Network
Get-NetTCPConnection | Format-Table -AutoSize | Out-File "$out\netstat.txt"
Get-DnsClientCache | Format-Table -AutoSize | Out-File "$out\dns_cache.txt"
netsh advfirewall firewall show rule name=all dir=in | Out-File "$out\firewall_in.txt"

# Processes
Get-Process | Format-Table Id,ProcessName,Path,CPU,PM -AutoSize | Out-File "$out\processes.txt"
Get-WmiObject Win32_StartupCommand | Format-Table -AutoSize | Out-File "$out\startup.txt"

# Accounts
Get-LocalUser | Format-Table -AutoSize | Out-File "$out\local_users.txt"
net localgroup Administrators | Out-File "$out\admin_group.txt"

# Persistence
Get-ScheduledTask | Where State -eq Ready | Format-Table TaskName,TaskPath,State | Out-File "$out\tasks.txt"
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" | Out-File "$out\run_local_machine.txt"
Get-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" | Out-File "$out\run_current_user.txt"

# Security
Get-MpComputerStatus | Format-List | Out-File "$out\defender_status.txt"

# Browser extensions (Chrome-based)
if (Test-Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions") {
    Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions" -Directory | 
        ForEach { (Get-Item "$_\*manifest.json" | Get-Content | ConvertFrom-Json).name } |
        Out-File "$out\chrome_extensions.txt"
}

# Suspicious file locations
Get-ChildItem -Path "$env:TEMP" -Recurse -Include *.exe,*.dll,*.ps1,*.vbs,*.js -File -ErrorAction SilentlyContinue | 
    Select FullName,LastWriteTime,CreationTime,Length | Out-File "$out\temp_executables.txt"

Write-Host "[+] Forensic data saved to $out"

Quick Triage Decision Guide


You Found This

Likelihood

Established C2 connection to known malicious IP

Compromised, active

Unknown admin account

Compromised

Security log cleared

Compromised, skilled attacker

Device admin EDR/Defender disabled

Compromised

WMI event subscription

Compromised, fileless persistence

Scheduled task with base64-encoded payload

Compromised

Unusual driver from Temp directory

Rootkit / kernel compromise

Process from %TEMP% named svchost.exe

Compromised

High outbound traffic when idle

Exfiltration or C2 beaconing

Just a weird popup or browser redirect

Adware / potentially unwanted

Only one strange registry entry

Investigate further


Enroll In Online Cybersecurity & Hacking Classes/Courses | Black Hat HQ

Comments


bottom of page