Disappearing Files & Programs


  1. Posts : 21,423
    19044.1586 - 21H2 Pro x64
       #11

    AndreTen said:
    I agree with Try3, and your statement in the last post.

    This looks like direct remote access to me. No heavy traffic is necessary. Only a few scripts. Don't forget about the Exchange vulnerabilities that were patched last week - if they were.

    Do you have Exchange on your servers? Did you patch them all?

    In the case that servers were compromised, there could be malicious code on them, that won't be recognized as such.
    Fun stuff ........ At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software — Krebs on Security


  2. Posts : 56,120
    Multi-boot Windows 10/11 - RTM, RP, Beta, and Insider
       #12

    Denis, just a snip from one of your posts. A likely and often used tactic, not just with computers, is diversionary attack. Do a lot of unrelated mischief while accomplishing whatever the main goal was.


    But why would a state try to annoy & confuse you & your users, in particular, by deleting things rather than by disabling your computer / stealing information from it?

    Denis


  3. NMI
    Posts : 982
    Windows 10 Pro, Version 20H2
       #13

    p33pm3 said:
    2. I can't run a program that requires elevated (admin) rights.
    Why not?


  4. Posts : 16,278
    W10Prox64
       #14

    It's not uncommon to have malware planted on systems as "time bombs", set to go off at a later date. Add "file-less" to that and you'll be awfully lucky to ever figure out what really happened. I've not experienced your description exactly, but I have seen files go missing from worms that create hidden partitions, move all the user's data to there, and then feed through the network to the next victim. Sorry I can't be of more help.


  5. Posts : 1,104
    Windows 10 Pro (+ Windows 10 Home VMs for testing)
       #15

    @p33pm3

    Whilst malicious, I don't think it's malware (which you have already checked for).

    Just a few thoughts...

    The slowness of the devices suggests a background process, perhaps using Windows' interactive logon feature in the background. AFAIK, Task Manager only shows processes in the current user context, not secondary logons?

    Q. Does your file recovery show whether file deletions occurred within or outside of the affected users' normal working hours?

    Q. Are your devices normally shut down after working hours, or left to 'sleep'?

    Q. Do your devices have PowerShell Remoting enabled? (It's disabled by default but many organisations enable it for scripted remote management.)

    Q. Do you have a network person/team who can check whether your devices are segmented (VLANs) from 'business competitors... in the same department' and/or can monitor network traffic for use of PsExec?

    Q. Are you a domain admin who can turn on 'Audit' logging? (If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation.)

    If you're not in a domain but client devices are using Windows 10 Pro then you can use the Local Group Policy Editor to monitor for logon/logoff events (in case of interactive/secondary logons) and process creation (for example, to capture the use of PsExec.exe). Open the editor then drill down to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy then look at the settings for:

    • Account Logon > Audit Other Account Logon Events (which should pick up interactive logons)
    • Detailed Tracking > Audit Process Creation (which should capture PsExec.exe)
    • Object Access > Audit File System (which should capture file deletions)

    Hope this helps... but note that I retired whilst the organisation I worked for used Windows 7 Pro, not 10... so things may have changed.

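The audit settings listed in the post above can also be switched on without the Group Policy editor, which matters for the Home edition machines mentioned later in the thread. This is an added example, not code from the thread; it assumes an elevated PowerShell prompt, uses the "Logon" subcategory (source of event 4624) for interactive/secondary logons, and adds the SACL that "Audit File System" needs before any deletion is written to the Security log.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# auditpol.exe ships with every Windows edition, including Home.

# 1. Enable the audit subcategories (Success and Failure).
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. "Audit File System" only records objects that carry a SACL, which is why
#    command-line deletions appeared to go unlogged. Add a Delete audit rule to
#    the folder being watched (here the folder named in the thread; expect noise
#    on a busy directory).
$Folder = 'C:\Program Files'
$Rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'Delete,DeleteSubdirectoriesAndFiles',
    'ContainerInherit,ObjectInherit',
    'None',
    'Success')
$Acl = Get-Acl -Path $Folder -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Folder -AclObject $Acl

# 3. Review the resulting events from the last 24 hours.
$Since = (Get-Date).AddHours(-24)

# 4688 = process creation. PSEXESVC is the service PsExec installs on the target.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$Since} |
    Where-Object { $_.Properties[5].Value -match 'psexec|PSEXESVC' } |
    Select-Object TimeCreated, @{n='Process'; e={ $_.Properties[5].Value }}

# 4624 = logon. LogonType 2 = interactive, 3 = network, 10 = RemoteInteractive.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Since} |
    ForEach-Object { [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = $_.Properties[5].Value
        LogonType = [int]$_.Properties[8].Value } } |
    Where-Object { $_.LogonType -in 2, 3, 10 }

# 4663 = object access; keep only entries whose access mask includes DELETE.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=$Since} |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if (([int]$d['AccessMask'] -band 0x10000) -ne 0) {
            [pscustomobject]@{ Time=$_.TimeCreated; Object=$d['ObjectName']; By=$d['ProcessName'] }
        }
    }
```

Event 4660 ("An object was deleted") is logged alongside 4663 once the SACL is in place and carries the same handle ID, which lets the two be correlated.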

  6. Posts : 7
    Win10
    Thread Starter
       #16

    The slowness of the devices suggests a background process, perhaps using Windows' interactive logon feature in the background. AFAIK, Task Manager only shows processes in the current user context, not secondary logons?
    Actually, Task Manager does show processes from other users under "Users" & "Details". But I still use Process Explorer for easy navigation.

    Q. Does your file recovery show whether file deletions occurred within or outside of the affected users' normal working hours?
    It was during working hours when users were firing up their computers in the morning. It's practically deleting files while Windows is loading, causing Windows to slow down to a crawl.

    Q. Are your devices normally shut down after working hours, or left to 'sleep'?
    Shutdown.

    Q. Do your devices have PowerShell Remoting enabled? (It's disabled by default but many organisations enable it for scripted remote management.)
    Disabled.

    Q. Do you have a network person/team who can check whether your devices are segmented (VLANs) from 'business competitors... in the same department' and/or can monitor network traffic for use of PsExec?
    I don't think this scenario would apply because a couple of the affected computers were hit while the users were working at home, whilst others are at different branch offices. More probable use of a trojan or a delayed batch command for execution. Also, in my case, PsExec wouldn't be able to wipe out the majority of the "Program Files" folder, especially whilst Windows is running.

    Q. Are you a domain admin who can turn on 'Audit' logging? (If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation.)
    This is a good idea except that...
    1. Most of the computers we have (and also the affected ones) use the Home edition of Windows, so the GP editor isn't available.
    2. Also, I've tried the logging in the past on Windows 7 Pro but it doesn't seem to log deletions done using the command line.
    So, I might need to find some other applications that could do this.

    Good sharing. The incidents stopped about a month ago and hopefully that's the end of it. Logging file deletions is a good idea but I'd probably need to tackle it in a more economical way since most of the computers here are Home edition and hopefully doesn't affect the om

