Denis, just a snip from one of your posts. A likely and often used tactic, not just with computers, is diversionary attack. Do a lot of unrelated mischief while accomplishing whatever the main goal was.
But why would a state try to annoy & confuse you & your users, in particular, by deleting things rather than by disabling your computer / stealing information from it?
Denis
It's not uncommon to have malware planted on systems as "time bombs", set to go off at a later date. Add "file-less" to that and you'll be awfully lucky to ever figure out what really happened. I've not experienced your description exactly, but I have seen files go missing from worms that create hidden partitions, move all the user's data to there, and then feed through the network to the next victim. Sorry I can't be of more help.
@p33pm3
Whilst malicious, I don't think it's malware (which you have already checked for).
Just a few thoughts...
The slowness of the devices suggests a background process, perhaps using Windows' interactive logon feature in the background. AFAIK, Task Manager only shows processes in the current user context, not secondary logons?
Q. Does your file recovery show whether file deletions occurred within or outside of the affected users' normal working hours?
Q. Are your devices normally shut down after working hours, or left to 'sleep'?
Q. Do your devices have PowerShell Remoting enabled? (It's disabled by default but many organisations enable it for scripted remote management.)
Q. Do you have a network person/team who can check whether your devices are segmented (VLANs) from 'business competitors... in the same department' and/or can monitor network traffic for use of PsExec?
Q. Are you a domain admin who can turn on 'Audit' logging? (If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation.)
If you're not in a domain but client devices are using Windows 10 Pro then you can use the Local Group Policy Editor to monitor for logon/logoff events (in case of interactive/secondary logons) and process creation (for example, to capture the use of PsExec.exe). Open the editor then drill down to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy then look at the settings for:
- Account Logon > Audit Other Account Logon Events (which should pick up interactive logons)
- Detailed Tracking > Audit Process Creation (which should capture PsExec.exe)
- Object Access > Audit File System (which should capture file deletions)
Hope this helps... but note that I retired whilst the organisation I worked for used Windows 7 Pro, not 10... so things may have changed.
> The slowness of the devices suggests a background process, perhaps using Windows' interactive logon feature in the background. AFAIK, Task Manager only shows processes in the current user context, not secondary logons?
Actually, Task Manager does show processes from other users under the "Users" & "Details" tabs. But I still use Process Explorer for easy navigation.
> Q. Does your file recovery show whether file deletions occurred within or outside of the affected users' normal working hours?
It was during working hours, when users were firing up their computers in the morning. It's practically deleting files while Windows is loading, causing Windows to slow down to a crawl.
> Q. Are your devices normally shut down after working hours, or left to 'sleep'?
Shutdown.
> Q. Do your devices have PowerShell Remoting enabled? (It's disabled by default but many organisations enable it for scripted remote management.)
Disabled.
> Q. Do you have a network person/team who can check whether your devices are segmented (VLANs) from 'business competitors... in the same department' and/or can monitor network traffic for use of PsExec?
I don't think this scenario would apply because a couple of the affected computers were hit while the users were working at home, whilst others are at different branch offices. More probable is the use of a trojan or a delayed batch command for execution. Also, in my case, psexec wouldn't be able to wipe out the majority of the "Program Files" folder, especially whilst Windows is running.
> Q. Are you a domain admin who can turn on 'Audit' logging? (If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation.)
This is a good idea except that...
1. Most of the computers we have (including the affected ones) use the Home edition of Windows, so the GP editor isn't available.
2. Also, I tried the logging in the past on Windows 7 Pro, but it didn't seem to log deletions made using the command line.
So, I might need to find some other application that could do this.
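An added example (editor's code, not posted by anyone in this thread) that applies the three audit settings listed in the earlier reply from PowerShell instead of the Group Policy editor, which also speaks to the two objections just raised: auditpol.exe sets the same Advanced Audit Policy subcategories and is present on Home editions that have no gpedit.msc, and "Audit File System" only writes 4663 events for objects that carry a SACL, so with the policy enabled but no SACL on the folder, command-line deletions never show up in the Security log. The script then pulls the events a responder would look for here: a PSEXESVC service install (System 7045), process creation (4688) for PsExec or delete commands, 4663 events with the DELETE bit set, and 4624 logons outside working hours. Assumptions: the watched folder path, the 08:00-18:00 working-hours window and the 24-hour lookback are placeholders; the script must run elevated; the Logon subcategory (Logon/Logoff > Audit Logon, event 4624) is used for logon tracking because that is where interactive (type 2) and network (type 3) logons to the local machine are recorded.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Placeholders: $WatchFolder, $LookbackHours, working hours.
param(
    [string]$WatchFolder = 'C:\Users\Public\Documents',   # assumed folder to watch for deletions
    [int]$LookbackHours  = 24                              # assumed search window
)

# 1. Audit policy via auditpol.exe (works without gpedit.msc). Subcategory names are those
#    printed by: auditpol /list /subcategory:*
foreach ($sub in 'Logon', 'Process Creation', 'File System') {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 2. Make 4688 carry the command line (off by default) so "cmd /c del ..." is visible.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. "Audit File System" only fires for objects with a SACL. Without this step the policy is on
#    but no 4663 is ever written, which is what "doesn't log deletions" looks like in practice.
$acl  = Get-Acl -Path $WatchFolder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    ([System.Security.AccessControl.FileSystemRights]::Delete -bor
     [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles),
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $WatchFolder -AclObject $acl

# Helper: EventData as a name-keyed hashtable, so we do not rely on positional Properties[]
# indices, which differ between Windows versions.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $fields[$_.Name] = $_.'#text' }
    return $fields
}

$since = (Get-Date).AddHours(-$LookbackHours)
$findings = & {
    # 4a. PsExec installs a service named PSEXESVC by default: System log 7045.
    Get-WinEvent -FilterHashtable @{ LogName='System'; Id=7045; StartTime=$since } -ErrorAction SilentlyContinue |
        ForEach-Object { $f = Get-EventFields $_
            if ($f.ServiceName -match 'PSEXESVC' -or $f.ImagePath -match 'psexe') {
                [pscustomobject]@{ Time=$_.TimeCreated; Kind='ServiceInstall'; User=$f.AccountName; Detail=$f.ImagePath } } }

    # 4b. Process creation: PsExec binaries, or a coarse match on delete commands in the command line.
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688; StartTime=$since } -ErrorAction SilentlyContinue |
        ForEach-Object { $f = Get-EventFields $_
            if ($f.NewProcessName -match 'psexe(c|svc)\.exe$' -or $f.CommandLine -match '\b(del|rd|rmdir|Remove-Item)\b') {
                [pscustomobject]@{ Time=$_.TimeCreated; Kind='Process'; User=$f.SubjectUserName;
                                   Detail="$($f.ParentProcessName) -> $($f.CommandLine)" } } }

    # 4c. Deletions: 4663 whose AccessMask has the DELETE bit (0x10000); ProcessName says who did it.
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4663; StartTime=$since } -ErrorAction SilentlyContinue |
        ForEach-Object { $f = Get-EventFields $_
            if (([int]$f.AccessMask -band 0x10000) -ne 0) {
                [pscustomobject]@{ Time=$_.TimeCreated; Kind='Delete'; User=$f.SubjectUserName;
                                   Detail="$($f.ObjectName) by $($f.ProcessName)" } } }

    # 4d. Interactive (2), network (3) and RDP (10) logons outside assumed 08:00-18:00 working hours.
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$since } -ErrorAction SilentlyContinue |
        ForEach-Object { $f = Get-EventFields $_
            $t = $_.TimeCreated
            if (($f.LogonType -in @('2','3','10')) -and ($t.Hour -lt 8 -or $t.Hour -ge 18)) {
                [pscustomobject]@{ Time=$t; Kind="Logon type $($f.LogonType)"; User=$f.TargetUserName; Detail=$f.IpAddress } } }
}
$findings | Sort-Object Time | Format-Table -AutoSize
```

Run it once, elevated, on each affected machine; the auditpol and SACL steps persist, so a second run only does the search. A 4663 with the DELETE bit records that a handle was opened with delete access; pair it with the 4660 that follows for the same handle to confirm the object actually went away.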
Good sharing. The incidents stopped about a month ago and hopefully that's the end of it. Logging file deletions is a good idea but I'd probably need to tackle it in a more economical way since most of the computers here are Home edition and hopefully doesn't affect the om