Please save the 4625 hacking event, which is causing a headache, as a


  1. Posts : 42
    windows10
       #1

    I am experiencing continuous hacking attempts on my computer guest account by an unknown Windows hacker or virus. They are attempting to hack using Type 3 network, but I don't know what IP they have. Their traces are not being recorded in Event Viewer, so I tried creating and registering the following command to address the issue:

    When the 4625 event occurs as an audit failure, please save it as a txt file on the D: drive.

    I finally found out the command by asking ChatGPT and succeeded for the first time, so I'm sharing this tip with joy.

    Code:
    set CURRENT_USER=%USERNAME%
    schtasks /create /sc ONEVENT /tn "Event viewer action" /tr "%windir%\System32\cmd.exe /c netstat -anob >> d:\txt2.txt && exit" /rl HIGHEST /ru "%CURRENT_USER%" /f /ec Security /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]"

    However, unfortunately, I failed to display the event along with the time it occurred. I tried the following, but it didn't work:

    If you have any better tips, please let me know. Thank you.
    Code:
    schtasks /create /sc ONEVENT /tn "Event viewer action" /tr "%windir%\System32\cmd.exe /c netstat -anob >> d:\txt2.txt && echo %date% %time% >> d:\txt2.txt && exit" /rl HIGHEST /ru "%CURRENT_USER%" /f /ec Security /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]"
    Code:
    echo %date% %time% >> d:\txt2.txt
    To delete:
    Code:
    schtasks /delete /tn "Event viewer action" /f
    Olle~! I've found a way! I added the date and time.
    Code:
    set CURRENT_USER=%USERNAME%
    schtasks /create /sc ONEVENT /tn "Event viewer action" /tr "%windir%\System32\cmd.exe /c netstat -anob >> d:\txt2.txt && date /t >> d:\txt2.txt && time /t >> d:\txt2.txt && exit" /rl HIGHEST /ru "%CURRENT_USER%" /f /ec Security /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]"
    I've found the date and time with seconds to be perfect.
    You have to register the two separately. It's a messy way, but it works.
    Code:
    for /f "delims=" %a in ('dir /a-d /b /o /s "%SystemRoot%\System32\WindowsPowerShell\powershell.exe"') do (schtasks /Create /SC ONEVENT /TN "Event viewer action2" /TR ""%a" -Command Add-Content -Path 'D:\txt2.txt' -Value (Get-Date)" /EC Security /MO "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]" /f )
    Last edited by krdondon; 12 Jun 2023 at 18:21.
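    The task above runs netstat and struggles to stamp the time of the failure. The 4625 event that fired the trigger already carries the timestamp, the target account, the logon type and, for a type 3 (network) logon, the remote IpAddress and IpPort fields, so the task can simply read that event. The following is an added example, not krdondon's command: a script the ONEVENT task runs instead of netstat. The log path D:\txt2.txt is the one used in the thread; the 120-second look-back window and the script location are assumptions.

```powershell
# Log-Latest4625.ps1
# Added example, not the thread's own command. Run by the ONEVENT scheduled task
# in place of netstat: reads the 4625 event(s) that just fired the trigger and
# appends one timestamped line per event to the log file.
#
# Register from an elevated prompt (same trigger as the thread's task; the
# script path is an assumption). Add /ru SYSTEM if it must run while nobody is
# logged on:
#   schtasks /create /sc ONEVENT /tn "Event viewer action" /rl HIGHEST /f /ec Security
#     /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]"
#     /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File D:\Log-Latest4625.ps1"
param(
    [string]$LogFile = 'D:\txt2.txt',   # path taken from the thread
    [int]$WindowSeconds = 120           # assumed look-back window
)

# Same provider/EventID filter as the task trigger, limited to the last few
# seconds so only the event(s) that fired the task are picked up.
$xpath = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625 " +
         "and TimeCreated[timediff(@SystemTime) <= $($WindowSeconds * 1000)]]]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 10 -ErrorAction SilentlyContinue
if (-not $events) {
    Add-Content -Path $LogFile -Value ('{0}  no 4625 found in the last {1}s' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $WindowSeconds)
    return
}

foreach ($e in $events) {
    # EventData is a list of <Data Name="..."> nodes; index them by name.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # LogonType 3 = network. Status/SubStatus are the NTSTATUS failure reasons,
    # e.g. SubStatus 0xC000006A = wrong password, 0xC0000064 = no such user.
    # IpAddress/IpPort are the remote side ('-' when the failure was local).
    $line = '{0}  user={1}\{2}  logontype={3}  status={4}/{5}  src={6}:{7}  workstation={8}' -f @(
        $e.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss'),
        $d['TargetDomainName'], $d['TargetUserName'],
        $d['LogonType'], $d['Status'], $d['SubStatus'],
        $d['IpAddress'], $d['IpPort'], $d['WorkstationName']
    )
    Add-Content -Path $LogFile -Value $line
}
```

    Each line then answers the thread's question directly (when, which account, from which address), and the task no longer depends on %date% and %time% being expanded at the right moment. If IpAddress is '-' or a private address for every line, the failures are local or from the LAN rather than from the internet.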


  2. Posts : 17,058
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #2

    We were told a decade[?] ago not to use Guest accounts because they made the computer vulnerable to attacks. That's why the Guest account is disabled by default in Windows 10.
    Create a standard local account instead and use that for guests. Add Guest Account - TenForumsTutorials


    All the best,
    Denis


  3. Posts : 42
    windows10
    Thread Starter
       #3

    Yes, that's right, I'm not using it, but
    is it a virus or a hacker? Something is trying to hack my Windows Guest account. I have already closed it.

    I simply wanted to know which IP the virus or hacker is accessing from.
    I wanted to know the list of IPs accessing at that time.
    It didn't show up in event viewer.


  4. Posts : 17,058
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #4

    I cannot answer your questions.
    I can only say that disabling the built-in Guest account is what you ought to do.


    All the best,
    Denis


  5. Posts : 42
    windows10
    Thread Starter
       #5

    Already inactive.
    But events like this keep happening.
    Automatically blocked.
    But I couldn't figure out what his IP was.
    I wanted to share a tip.
    And in terms of time and date...


  6. Posts : 17,058
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #6

    Oh, by the way, you could have set up a Custom view for the event in Event Viewer, then clicked on "Attach a Task to this Custom view".

    krdondon said:
    I finally found out the command by asking ChatGPT and succeeded for the first time, so I'm sharing this tip with joy.
    If you have any better tips, please let me know.


    Denis


  7. Posts : 42
    windows10
    Thread Starter
       #7

    I'm feeling lazy. I'm writing in command line.
    I think it's much faster when I use drag and copy with commands.
    Thank you for the advice.

    Also, I've been waiting for this tip. I wanted to know, but couldn't figure it out. So, I've been trying for months, and finally succeeded today.
    :) I'm happy.


  8. Posts : 1,728
    Windows 10 Pro x64 22H2
       #8

    krdondon said:
    I simply wanted to know which ip the virus or hacker is accessing.
    I wanted to know the list of ips accessing that time.
    It didn't show up in event viewer.
    If you want to learn the hacker's IP (if there is one at all), then follow these steps:

    1. Click on start and type: secpol.msc, right click and "Run as Administrator"
    2. If prompted for password, enter administrator password and click "Yes" to continue
    3. Expand node: "Advanced Audit Policy Configuration"
    4. Expand node: "System Audit Policies - Local Group Policy Object"
    5. Click on "Object Access"
    6. Double click "Audit Filtering Platform Packet Drop"
    7. Check "Configure the following audit events"
    8. Check "Failure" and click OK to apply



    These steps above will enable network monitoring, but only for those connections which fail.
    This means you need to set your firewall to drop anything you don't want; this way you can use a whois website to determine if an IP is legitimate or not.

    To actually view dropped traffic once you have enabled auditing and set up the firewall to drop traffic, follow these steps:

    1. Click on start and type: compmgmt.msc, right click and "Run as Administrator"
    2. If prompted for password, enter administrator password and click "Yes" to continue
    3. Expand node: "Computer Management (Local)"
    4. Expand node: "System Tools"
    5. Expand node: "Event Viewer"
    6. Expand node: "Windows Logs"
    7. Click on "Security"
    8. In the column "Task Category" look for "Filtering Platform Packet Drop"
    9. Click on individual event to see details about the event



    You're mostly interested in inbound events, but if you suspect you're hacked you also want to monitor outbound events and take a look at which process is attempting outbound.

    Keep in mind though, if the hacker was able to install callback malware on your computer, he probably will delete events related to his malware.

    Another tool which you need is TCPView from Sysinternals; it will enable you to detect if there is malware listening for inbound connections and on which port, so you can then monitor only that port.
    https://learn.microsoft.com/en-us/sy...nloads/tcpview


  9. Posts : 42
    windows10
    Thread Starter
       #9

    Fail all event viewer audits
    I have registered and used them all.
    Code:
    auditpol /set /category:"{6997984F-797A-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /category:"{6997984A-797A-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /category:"{6997984E-797A-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /category:"{69979850-797A-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /category:"{6997984B-797A-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /category:"{69979849-797A-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /category:"{6997984C-797A-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /category:"{69979848-797A-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /category:"{6997984D-797A-11D9-BED3-505054503030}" /success:enable /failure:enable
    
    auditpol /set /subcategory:"{0CCE9215-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE9216-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE9217-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE921B-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE921C-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE9243-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE9220-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    GitHub - DigitalRuby/IPBan: Since 2011, IPBan is the worlds most trusted, free security software to block hackers and botnets. With both Windows and Linux support, IPBan has your dedicated or cloud server protected. Upgrade to IPBan Pro today and get a discount. Learn more at ↓
    And I am using IPBan.

    And I am using the simplewall free firewall program.


  10. Posts : 1,728
    Windows 10 Pro x64 22H2
       #10

    @krdondon
    You won't be able to detect anything with all auditing options enabled, because it will flood your Event Viewer faster than a normal human can process.

    To go that route you'll need a script which will harvest events, filter them and make an output of a summary report.

    Sadly I don't know how IPBan works so I can't help with that.
    But with simplewall you should be able to block outbound to prevent malware from calling home.

    Keep in mind that hackers don't simply just hack someone's PC; rather, it's users who install malware which then connects to the hacker's PC so he can then access your computer. That's how it works.
    And this is the only reason why blocking outbound is important, simplewall should help you with that, you only need your custom rules for legitimate programs so that you don't block yourself from internet.
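    Post #8 describes enabling Filtering Platform Packet Drop auditing in secpol.msc and then reading the drops one event at a time in Event Viewer; post #10 points out that with auditing on, the only workable route is a script that harvests the events, filters them and produces a summary. The script below is an added example that serves both posts and is not code from either poster. It collects 4625 (failed logon) and 5152 (WFP packet drop) events for the last N hours and writes a per-source-IP report. Assumptions: it runs from an elevated PowerShell, packet-drop failure auditing has already been enabled (the auditpol line in the header is the command-line equivalent of the secpol.msc steps), the report path is made up for the example, and the Direction field of 5152 is matched by its resource-string id (%%14592 = Inbound).

```powershell
# Summarize-SecurityFailures.ps1
# Added example, not code from either poster. Harvests Security events 4625
# (failed logon) and 5152 (Windows Filtering Platform packet drop) for the last
# N hours and writes a per-source-IP summary instead of leaving thousands of raw
# events to scroll through. Assumes an elevated PowerShell session.
#
# Command-line equivalent of the secpol.msc steps in post #8 (Object Access >
# Audit Filtering Platform Packet Drop > Failure). Run once, elevated:
#   auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
param(
    [int]$Hours = 24,
    [string]$Report = 'D:\security-failure-report.txt'   # example path (assumption)
)

function ConvertTo-EventData {
    # Flatten the <Data Name="..."> nodes of an event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

$since = (Get-Date).AddHours(-$Hours)

# 4625: LogonType 3 = network; IpAddress is the remote side, '-' for local failures.
$logons = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Source    = $d['IpAddress']
            User      = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            LogonType = $d['LogonType']
            SubStatus = $d['SubStatus']   # 0xC000006A = bad password, 0xC0000064 = no such user
        }
    })

# 5152: Direction is stored as a resource-string id; %%14592 = Inbound, %%14593 = Outbound.
$drops = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5152; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Source      = $d['SourceAddress']
            DestPort    = $d['DestPort']
            Protocol    = $d['Protocol']
            Inbound     = ($d['Direction'] -eq '%%14592')
            Application = $d['Application']
        }
    })

# Inbound drops are the unsolicited traffic post #8 is interested in; outbound
# drops (with their Application) are worth a separate look for call-home attempts.
$inbound = @($drops | Where-Object Inbound)

$lines = @()
$lines += "Security failure summary, last $Hours h, generated $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
$lines += "Failed logons (4625): $($logons.Count)"
$lines += $logons | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{n='Source'; e={$_.Name}}, Count,
        @{n='Accounts';   e={($_.Group.User      | Sort-Object -Unique) -join ','}},
        @{n='LogonTypes'; e={($_.Group.LogonType | Sort-Object -Unique) -join ','}},
        @{n='First';      e={($_.Group.Time | Sort-Object)[0]}},
        @{n='Last';       e={($_.Group.Time | Sort-Object)[-1]}} |
    Format-Table -AutoSize | Out-String -Width 200
$lines += "Inbound packet drops (5152): $($inbound.Count), top 25 sources"
$lines += $inbound | Group-Object Source | Sort-Object Count -Descending | Select-Object -First 25 |
    Select-Object @{n='Source'; e={$_.Name}}, Count,
        @{n='Ports'; e={($_.Group.DestPort | Sort-Object -Unique) -join ','}} |
    Format-Table -AutoSize | Out-String -Width 200

$lines | Set-Content -Path $Report
$lines
```

    Run it as `.\Summarize-SecurityFailures.ps1 -Hours 24` and the report lists each remote address once, with how many failures it produced, which accounts it tried, and when it was first and last seen; the whois check post #8 recommends is then done once per address rather than per event. A source with many 4625 entries against several account names is the pattern IPBan and similar tools block on, and a high 5152 count from one address on a spread of ports is a scan the firewall is already dropping.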


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
