How to Detect Rootkit Malware on a Windows PC Using PowerShell

Step-by-Step Guide

Introduction

Detecting rootkits on a Windows PC is hard by design: a rootkit hooks or patches the operating-system interfaces that security tools rely on, so that its processes, files, drivers and connections are filtered out of the answers those tools receive. PowerShell calls the same interfaces, so no single listing it produces can be trusted on its own. What PowerShell does offer is a quick way to gather several views of the same system state and to check the provenance of what each view reports: a discrepancy between two views, or a loaded component that cannot be accounted for, is the signal. The checks below are triage steps; a positive finding should be confirmed with an offline scan of the disk from trusted boot media, which the rootkit cannot influence.

1. Check for Hidden Processes

Rootkits can hide processes from Task Manager and other process viewers. PowerShell's Get-Process uses the same enumeration interface as Task Manager, so the two agreeing proves little; the useful comparison is against an independent view, such as a WMI query of the Win32_Process class, looking for any process that appears in one view but not in another.

Steps:

  1. Open PowerShell as an administrator.
  2. Type the following command and press Enter:
    Get-Process | Select-Object Name, Id, CPU, StartTime | Sort-Object CPU -Descending
  3. Compare the PowerShell list with Task Manager (press Ctrl + Shift + Esc) and with a second source such as WMI's Win32_Process class. A process present in one view and absent from another is the finding; a long list of unfamiliar names by itself is not.
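The cross-view idea above, as an added example that is not part of the original page: Get-Process and WMI both walk the normal process enumeration paths, so a rootkit that filters those lists hides from both. Opening every possible PID directly with the Win32 OpenProcess() function is a separate view. A PID that opens (or is refused with ACCESS_DENIED, which still means it exists) but is missing from the enumerated lists needs an explanation. Run it from an elevated session; the PID ceiling, the output fields and the wording of the findings are assumptions made for the example.

```powershell
# Added example: cross-view process check (enumeration APIs vs. direct OpenProcess by PID).
# Run elevated. Ceiling and output format are assumptions, not from the original page.

$k32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageName(IntPtr handle, uint flags,
    System.Text.StringBuilder exeName, ref uint size);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # enough access to ask for the image path
$ERROR_ACCESS_DENIED = 5                       # the PID exists, but we may not open it

function Get-EnumeratedPids {
    # Views 1 and 2: the normal enumeration paths (process snapshot API and WMI).
    $fromApi = (Get-Process).Id
    $fromWmi = (Get-CimInstance -ClassName Win32_Process).ProcessId
    [int[]](@($fromApi) + @($fromWmi) | Sort-Object -Unique)
}

function Get-DirectlyOpenedPids([int]$MaxPid) {
    # View 3: try every PID. Windows allocates PIDs as multiples of 4, so step by 4.
    $found = @{}
    for ($candidate = 4; $candidate -le $MaxPid; $candidate += 4) {
        $h = $k32::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$candidate)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($h -ne [IntPtr]::Zero) {
            $sb = New-Object System.Text.StringBuilder 1024
            [uint32]$len = $sb.Capacity
            $image = if ($k32::QueryFullProcessImageName($h, 0, $sb, [ref]$len)) {
                $sb.ToString()
            } else {
                '<no image path: process exited, or has no user-mode image>'
            }
            [void]$k32::CloseHandle($h)
            $found[$candidate] = $image
        } elseif ($err -eq $ERROR_ACCESS_DENIED) {
            $found[$candidate] = '<exists, open refused (protected process)>'
        }
    }
    return $found
}

$before  = Get-EnumeratedPids
$ceiling = [int][Math]::Max(65536, ($before | Measure-Object -Maximum).Maximum + 4096)
$direct  = Get-DirectlyOpenedPids -MaxPid $ceiling
# Enumerate again afterwards so processes started during the scan are not reported as hidden.
$known = [int[]]($before + (Get-EnumeratedPids) | Sort-Object -Unique)

$suspect = $direct.Keys | Where-Object { $known -notcontains $_ } | Sort-Object
foreach ($p in $suspect) {
    [PSCustomObject]@{ Pid = $p; Image = $direct[$p]; Finding = 'opens by PID, absent from enumeration' }
}
if (-not $suspect) { 'Every PID that opened directly was also present in the enumerated views.' }
```

Two sources of false positives are worth knowing before reading the output: a process that has exited but whose process object is kept alive by an open handle still opens by PID (it shows up with no image path), and a process that started or stopped between the snapshots can appear once. Run the check twice; a PID that persists across runs, has an image path, and is still absent from Get-Process and WMI is what a rootkit hiding a process looks like. Raise the ceiling if the machine has been up long enough for PIDs to climb well past 65536.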

2. Check for Hidden Network Connections

Rootkits may create hidden network connections. You can use the Get-NetTCPConnection cmdlet to list active TCP connections together with the PID that owns each one.

Steps:

  1. In PowerShell, type the following command and press Enter:
    Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
  2. Look for unusual or unexpected connections, especially established sessions to unknown remote IP addresses and listeners bound to all interfaces.
  3. For anything suspicious, note the remote address, the port and the OwningProcess value (a PID), then look that PID up with Get-Process. A socket whose owning PID does not correspond to any listed process is itself a finding.
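The steps above, carried out in one pass, as an added example that is not part of the original page. It attributes every TCP connection to its owning process and flags two things: established sessions to addresses outside the local network, and sockets whose owning PID does not appear in the process list at all. The TCP table and the process list come from different interfaces, so a PID present in one and absent from the other is a cross-view discrepancy worth chasing. The classification rule (RFC 1918 ranges, loopback, link-local and unspecified addresses count as "local") and the output layout are assumptions made for the example.

```powershell
# Added example: TCP connections joined to their owning processes, with two kinds of
# finding flagged. The "local address" rule below is an assumption for the example.

function Test-LocalAddress([string]$Address) {
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        return $ip.IsIPv6LinkLocal -or $ip.IsIPv6SiteLocal -or
               [System.Net.IPAddress]::IsLoopback($ip) -or $ip.Equals([System.Net.IPAddress]::IPv6Any)
    }
    $b = $ip.GetAddressBytes()
    return ($b[0] -in 0, 10, 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-TcpConnectionReport {
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_ }

    Get-NetTCPConnection | ForEach-Object {
        $owner = $procs[[int]$_.OwningProcess]
        [PSCustomObject]@{
            State         = $_.State
            Local         = "$($_.LocalAddress):$($_.LocalPort)"
            Remote        = "$($_.RemoteAddress):$($_.RemotePort)"
            Pid           = $_.OwningProcess
            Process       = if ($owner) { $owner.ProcessName } else { '<PID not in process list>' }
            Path          = if ($owner) { $owner.Path } else { $null }
            RemoteIsLocal = Test-LocalAddress $_.RemoteAddress
        }
    }
}

$report = Get-TcpConnectionReport

# Established sessions leaving the local network, plus anything owned by an unlisted PID.
$report | Where-Object {
    ($_.State -eq 'Established' -and -not $_.RemoteIsLocal) -or $_.Process -like '<PID*'
} | Sort-Object Pid | Format-Table State, Local, Remote, Pid, Process, Path -AutoSize

# Listeners bound to all interfaces: each one should map to a process you can explain.
$report | Where-Object { $_.State -eq 'Listen' -and $_.Local -match '^(0\.0\.0\.0|::):' } |
    Sort-Object Pid | Format-Table Local, Pid, Process, Path -AutoSize
```

An empty Path column for an owner that is not a protected system process is also worth a second look: it usually means the process image could not be queried, which is what a process being hidden or protected from inspection looks like from user mode.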

3. Check for Hidden Drivers

Rootkits and other forms of malware may install malicious drivers on your system. PowerShell can help identify these drivers.

Steps:

  1. In PowerShell, type the following command and press Enter:
    Get-CimInstance Win32_SystemDriver | Select-Object Name, DisplayName, State, PathName
  2. Check for drivers with suspicious or unknown names or with paths outside the Windows directory, verify each driver file's signature with Get-AuthenticodeSignature, and cross-reference anything unsigned or unfamiliar with trusted driver databases online. (Get-WmiObject also works in Windows PowerShell 5.1 but was removed from PowerShell 7; Get-CimInstance works in both.)

4. Scan for Suspicious Modules

Rootkits may inject malicious modules into legitimate processes. PowerShell can list loaded modules for each process.

Steps:

  1. In an elevated PowerShell session (the module lists of system processes and other users' processes are otherwise unreadable), type the following command and press Enter:
    Get-Process | ForEach-Object { $_.Modules } -ErrorAction SilentlyContinue | Select-Object ModuleName, FileName -Unique
  2. Look for module paths outside the Windows and Program Files directories (user profiles, ProgramData and temporary folders in particular) and for unfamiliar names.
  3. Research any suspicious module to determine whether it belongs to legitimate software or to malware; the file's Authenticode signature is the quickest first test.
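Steps 3 and 4 ask the same question of two different sets of binaries (loaded kernel drivers and modules loaded into user processes): does this file exist where it claims to, who signed it, and does it live where operating-system and installed software normally live? The following added example, which is not part of the original page, answers it for both sets with one provenance check. The path normalisation for driver entries, the list of "expected" directories and the output fields are assumptions made for the example; run it elevated.

```powershell
# Added example: provenance of every loaded driver and every loaded user-mode module.
# The expected-directory list and the path normalisation rules are assumptions.

$expectedDirs = @("$env:SystemRoot\", "${env:ProgramFiles}\", "${env:ProgramFiles(x86)}\")

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver reports paths in several forms; map them to a real file path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    return $p
}

function Get-BinaryProvenance([string]$Path) {
    # One record per file: existence, Authenticode status, signer, and whether the file
    # lives in a directory where OS and installed software are expected.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [PSCustomObject]@{ Path = $Path; Status = 'FileNotFound'; Signer = $null; ExpectedDir = $false }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $inExpected = [bool]($expectedDirs | Where-Object { $Path.StartsWith($_, 'OrdinalIgnoreCase') })
    [PSCustomObject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        ExpectedDir = $inExpected
    }
}

function Get-DriverReport {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $prov = Get-BinaryProvenance (Resolve-DriverPath $_.PathName)
        [PSCustomObject]@{
            Name = $_.Name; State = $_.State; Path = $prov.Path
            Status = $prov.Status; Signer = $prov.Signer; ExpectedDir = $prov.ExpectedDir
        }
    }
}

function Get-ModuleReport {
    # Modules are shared across processes; check each file once and list the processes hosting it.
    $hosts = @{}
    foreach ($proc in Get-Process) {
        $mods = try { $proc.Modules } catch { @() }   # access denied on protected processes
        foreach ($m in $mods) {
            if (-not $hosts.ContainsKey($m.FileName)) {
                $hosts[$m.FileName] = New-Object System.Collections.Generic.List[string]
            }
            $hosts[$m.FileName].Add("$($proc.ProcessName):$($proc.Id)")
        }
    }
    foreach ($file in $hosts.Keys) {
        $prov = Get-BinaryProvenance $file
        [PSCustomObject]@{
            Path = $file; Status = $prov.Status; Signer = $prov.Signer
            ExpectedDir = $prov.ExpectedDir; LoadedBy = ($hosts[$file] -join ', ')
        }
    }
}

# Unsigned, invalidly signed, missing on disk, or living outside the expected directories:
# each of these is a lead. A valid signature alone is not a clean bill of health.
Get-DriverReport | Where-Object { $_.Status -ne 'Valid' -or -not $_.ExpectedDir } |
    Format-Table Name, State, Status, Signer, Path -AutoSize
Get-ModuleReport | Where-Object { $_.Status -ne 'Valid' -or -not $_.ExpectedDir } |
    Format-Table Path, Status, Signer, LoadedBy -Wrap
```

Two reading notes. Many Windows-shipped drivers are signed through the system catalog rather than with an embedded signature; current versions of Get-AuthenticodeSignature resolve catalog signatures, but if a file under the Windows directory reports NotSigned, check it against the catalog before treating it as malicious. Conversely, a Valid status only says the file is the one its signer published: a legitimately signed but vulnerable driver is a well-known vehicle for loading rootkit code, so the name and signer still need to be checked against what you expect on the machine.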

5. Check for Suspicious Scheduled Tasks

Rootkits might create hidden scheduled tasks to maintain persistence. PowerShell can list these tasks.

Steps:

  1. In PowerShell, type the following command and press Enter:
    Get-ScheduledTask | Select-Object TaskName, TaskPath, State
  2. Look for tasks that you don't recognize or whose actions run programs from unusual locations.
  3. If a task seems suspicious, inspect its Actions (the program and arguments it runs) before acting, and disable it rather than deleting it until you are sure it is not essential to system operation.
  4. To disable a task, give both its folder and its name, since a task name alone is ambiguous across folders:
    Disable-ScheduledTask -TaskPath "\Folder\" -TaskName "TaskName"
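The procedure above relies on Get-ScheduledTask, which is the view a rootkit would filter. The following added example, not part of the original page, takes three views of the scheduled tasks: the Task Scheduler API, the task XML files on disk under System32\Tasks, and the TaskCache tree in the registry. A task that is on disk or in the registry but missing from the API view has been hidden from the normal tools, and a TaskCache entry with no SD (security descriptor) value is a known way of achieving exactly that. It also prints what each visible task actually executes. The paths, the skipping of Microsoft's own task folders and the hypothetical task names in the final comment are assumptions; run it elevated.

```powershell
# Added example: three views of scheduled tasks (API, on-disk XML, TaskCache registry).
# Paths and the Microsoft-folder filter are assumptions made for the example.

$tasksDir = "$env:SystemRoot\System32\Tasks"
$treeKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Get-TaskViews {
    $api  = Get-ScheduledTask | ForEach-Object { $_.TaskPath + $_.TaskName }   # TaskPath ends in '\'
    $disk = Get-ChildItem -LiteralPath $tasksDir -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $_.FullName.Substring($tasksDir.Length) }
    $treeRoot = (Get-Item -LiteralPath $treeKey).Name
    $reg = Get-ChildItem -LiteralPath $treeKey -Recurse | Where-Object { $_.GetValue('Id') } | ForEach-Object {
        [PSCustomObject]@{
            Path  = $_.Name.Substring($treeRoot.Length)
            HasSD = $null -ne $_.GetValue('SD')   # a missing SD value hides the task from the API
        }
    }
    [PSCustomObject]@{ Api = $api; Disk = $disk; Registry = $reg }
}

function Find-HiddenTasks {
    $v = Get-TaskViews
    foreach ($t in $v.Disk) {
        if ($v.Api -notcontains $t) {
            [PSCustomObject]@{ Task = $t; Finding = 'on disk, not returned by Get-ScheduledTask' }
        }
    }
    foreach ($r in $v.Registry) {
        if ($v.Api -notcontains $r.Path) {
            [PSCustomObject]@{ Task = $r.Path; Finding = 'in TaskCache registry, not returned by Get-ScheduledTask' }
        }
        if (-not $r.HasSD) {
            [PSCustomObject]@{ Task = $r.Path; Finding = 'TaskCache entry has no SD value' }
        }
    }
}

function Get-TaskActionReport {
    # What the visible tasks run. Microsoft's own folders are skipped to keep the list readable.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            [PSCustomObject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Author    = $task.Author
                Execute   = $a.Execute
                Arguments = $a.Arguments
            }
        }
    }
}

Find-HiddenTasks | Format-Table -AutoSize
Get-TaskActionReport | Format-Table -Wrap
# To neutralise a suspect task, give its folder as well as its name (hypothetical names):
#   Disable-ScheduledTask -TaskPath '\SomeFolder\' -TaskName 'SomeTask'
```

A task that appears only in the registry or only on disk can also be a leftover from an uninstalled product, so pair the finding with the task's actions (from its XML file) and its creation time before drawing conclusions.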

6. Check for File System Anomalies

Rootkits might conceal files or directories. The simplest check PowerShell offers is to list files carrying the Hidden attribute, which a listing without -Force would skip.

Steps:

  1. In PowerShell, type the following command and press Enter:
    Get-ChildItem -Path C:\ -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { $_.Attributes -match "Hidden" }
  2. Expect a long list: Windows marks many of its own files and folders hidden, and -ErrorAction SilentlyContinue only suppresses the access-denied errors the walk produces. Concentrate on hidden files and folders in user-writable locations (user profiles, ProgramData, temporary folders) and on hidden executables, scripts and drivers anywhere.
  3. If you find hidden files or folders that you don't recognize, research them online to determine their legitimacy. Bear in mind that a kernel rootkit filtering directory listings hides from this command too; a listing taken offline from trusted boot media is the definitive comparison.
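A more targeted sweep than walking all of C:\, as an added example that is not part of the original page. It looks in user-writable locations for files carrying the Hidden attribute (Hidden plus System is the more suspicious combination, since that pairing is normally reserved for operating-system files) and for alternate data streams other than the browser's Zone.Identifier, a long-standing place to stash a payload out of sight of an ordinary directory listing. The list of roots, the extensions treated as executable and the stream names treated as normal are assumptions made for the example.

```powershell
# Added example: hidden files and alternate data streams in user-writable locations.
# Root directories, executable extensions and "normal" stream names are assumptions.

$roots = @("$env:ProgramData", "$env:SystemRoot\Temp", "$env:PUBLIC") +
         (Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue).FullName
$roots = $roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique
$normalStreams = @(':$DATA', 'Zone.Identifier')
$executableExt = @('.exe', '.dll', '.sys', '.ps1', '.vbs', '.js', '.bat', '.cmd')

function Find-HiddenFiles([string[]]$Paths) {
    Get-ChildItem -LiteralPath $Paths -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0 } |
        ForEach-Object {
            [PSCustomObject]@{
                Path         = $_.FullName
                HiddenSystem = (($_.Attributes -band [System.IO.FileAttributes]::System) -ne 0)
                Length       = $_.Length
                LastWrite    = $_.LastWriteTime
                Extension    = $_.Extension
            }
        }
}

function Find-AlternateStreams([string[]]$Paths) {
    Get-ChildItem -LiteralPath $Paths -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $normalStreams -notcontains $_.Stream } |
                ForEach-Object {
                    [PSCustomObject]@{ Path = $file; Stream = $_.Stream; Length = $_.Length }
                }
        }
}

# Hidden+System files, and hidden executables or scripts, in user-writable directories come first.
Find-HiddenFiles $roots |
    Where-Object { $_.HiddenSystem -or $_.Extension -in $executableExt } |
    Sort-Object LastWrite -Descending |
    Format-Table Path, HiddenSystem, Length, LastWrite -AutoSize

Find-AlternateStreams $roots | Format-Table -AutoSize
```

The walk over every user profile can take a while on a busy machine; narrow $roots to the profiles in use if needed. A stream with a name you do not recognise, especially one on an otherwise innocuous file and several kilobytes or more in size, can be read with Get-Content -Stream <name> and checked the same way as any other suspicious file.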

7. Monitor System Events

Rootkits and other malicious software can generate unusual system events. Monitoring these events can help you detect signs of tampering or suspicious behavior.

Steps:

  1. To retrieve the 100 most recent events from the System log, type the following command in PowerShell:
    Get-WinEvent -LogName System -MaxEvents 100 | Select-Object TimeCreated, Id, Message
  2. Look for events that may indicate tampering or unusual behavior. (Get-WinEvent returns events newest first, so piping the whole log into Select-Object -Last 100 reads every event and then returns the 100 oldest ones, the opposite of what is wanted.) Event ID 7045 in the System log records a newly installed service, which includes kernel driver services, and event ID 104 records the System log being cleared; both deserve a specific look.
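Instead of reading the newest events and scanning by eye, the added example below (not part of the original page) pulls the specific events that persistence and tampering produce and decodes their named fields: System 7045 (a service, including a kernel driver service, was installed), System 104 (System log cleared), and from the Security log 4697 (service installed), 4698 (scheduled task created) and 1102 (Security log cleared). The look-back window and the field names chosen for display are assumptions; if a field prints blank on your system, inspect the event's ToXml() output for the names it actually uses. The Security log needs an elevated session, and 4697/4698 only exist if the corresponding audit policy is enabled.

```powershell
# Added example: persistence- and tampering-related events with their named fields decoded.
# Window and displayed field names are assumptions; missing fields print as empty strings.

$since = (Get-Date).AddDays(-14)

function ConvertFrom-EventData($Event) {
    # Map the <Data Name="..."> elements of the event XML into a hashtable keyed by name.
    # Events that use <UserData> instead (104, 1102) yield an empty table.
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    return $data
}

function Get-PersistenceEvents {
    $queries = @(
        @{ LogName = 'System';   Id = 7045, 104;        StartTime = $since },
        @{ LogName = 'Security'; Id = 4697, 4698, 1102; StartTime = $since }
    )
    foreach ($q in $queries) {
        # -ErrorAction SilentlyContinue: Get-WinEvent reports "no events found" as an error.
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
            $e = $_
            $d = ConvertFrom-EventData $e
            $subject = if ($d['ServiceName']) { $d['ServiceName'] } elseif ($d['TaskName']) { $d['TaskName'] } else { '' }
            $detail = switch ($e.Id) {
                7045    { "image=$($d['ImagePath']) type=$($d['ServiceType']) start=$($d['StartType']) account=$($d['AccountName'])" }
                4697    { "image=$($d['ServiceFileName']) by=$($d['SubjectUserName'])" }
                4698    { "by=$($d['SubjectUserName'])" }
                default { ([string]$e.Message -split "`r?`n")[0] }
            }
            [PSCustomObject]@{
                Time    = $e.TimeCreated
                Log     = $e.LogName
                Id      = $e.Id
                Subject = $subject
                Detail  = $detail
            }
        }
    }
}

Get-PersistenceEvents | Sort-Object Time -Descending | Format-Table -Wrap
```

Read the 7045 rows first: a kernel-mode driver service (type "kernel mode driver") installed from a path outside the Windows directory, or by an account that should not be installing drivers, is the event a driver-based rootkit leaves behind. A 104 or 1102 row means the log was cleared, which is itself evidence of tampering, and it dates the earliest point from which the remaining records can be trusted.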

8. Check for Suspicious Registry Entries

Rootkits often make changes to the Windows registry to maintain persistence. Use PowerShell to search for suspicious registry auto-run entries.

Steps:

  1. In PowerShell, type the following command and press Enter:
    Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
  2. Check for programs configured to start automatically that may indicate a rootkit's presence. Repeat the command for the RunOnce key beside it and for the same two keys under HKCU:, which apply to the current user only, and verify that each referenced executable actually exists and is signed.
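The check above, extended to the common auto-start locations and made mechanical, as an added example that is not part of the original page: it reads the Run and RunOnce keys for the machine and the current user, the 32-bit Run key on 64-bit Windows, and the Winlogon Userinit and Shell values; pulls the executable out of each command line; and reports whether the file exists and whether it carries a valid Authenticode signature. The list of locations and the command-line parsing rule (a quoted path, or else the first token ending in an executable extension) are assumptions made for the example.

```powershell
# Added example: auto-start entries resolved to their executables and checked for
# existence and signature. Location list and parsing rule are assumptions.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Winlogon values hold a comma-separated list of programs in a single string.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-ExecutableFromCommand([string]$Command) {
    $c = [System.Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|dll|cmd|bat|vbs|js|ps1))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Get-AutorunEntries {
    foreach ($key in $autorunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath and friends
            [PSCustomObject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    $wl = Get-ItemProperty -Path $winlogonKey -ErrorAction SilentlyContinue
    foreach ($name in 'Userinit', 'Shell') {
        foreach ($cmd in ([string]$wl.$name -split ',')) {
            if ($cmd.Trim()) { [PSCustomObject]@{ Location = $winlogonKey; Name = $name; Command = $cmd.Trim() } }
        }
    }
}

function Get-AutorunReport {
    Get-AutorunEntries | ForEach-Object {
        $exe = Get-ExecutableFromCommand $_.Command
        # Bare names such as explorer.exe resolve through the system directory.
        if ($exe -and -not [System.IO.Path]::IsPathRooted($exe)) {
            $inSys32 = Join-Path "$env:SystemRoot\System32" $exe
            if (Test-Path -LiteralPath $inSys32) { $exe = $inSys32 }
        }
        $exists = [bool]($exe -and (Test-Path -LiteralPath $exe))
        [PSCustomObject]@{
            Location   = $_.Location
            Name       = $_.Name
            Command    = $_.Command
            Executable = $exe
            Exists     = $exists
            Signature  = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'n/a' }
        }
    }
}

# Missing files, unsigned or invalidly signed files, and anything under a user profile or
# ProgramData deserve a closer look. The default Winlogon values are
# "C:\Windows\system32\userinit.exe," and "explorer.exe"; anything appended to them is a finding.
Get-AutorunReport | Where-Object {
    -not $_.Exists -or $_.Signature -ne 'Valid' -or $_.Executable -match '\\Users\\|\\ProgramData\\'
} | Format-Table Location, Name, Executable, Exists, Signature -Wrap
```

An entry whose file no longer exists is often just an uninstaller's leftover, but an entry pointing at a freshly written, unsigned binary in a user-writable directory is the classic shape of user-mode persistence, and an extra program appended to Userinit or Shell runs in every interactive logon before the desktop appears.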