Disappearing Files & Programs

steve108 · 16 Mar 2021

AndreTen said:

I agree with Try3, and your statement in the last post.

This looks like direct remote access to me. No heavy traffic is necessary. Only few scripts. Don't forget about exchange vulnerabilities that were patched last week - if they were.

Do you have exchange on your servers? Did you patched them all?

In the case that servers were compromised, there could be malicious code on them, that won't be recognized as such.

Fun stuff ........ At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software — Krebs on Security

f14tomcat · 16 Mar 2021

Denis, just a snip from one of your posts. A likely and often used tactic, not just with computers, is diversionary attack. Do a lot of unrelated mischief while accomplishing whatever the main goal was.

But why would a state try to annoy & confuse you & your users, in particular, by deleting things rather than by disabling your computer / stealing information from it?

Denis

NMI · 16 Mar 2021

p33pm3 said:

2. I cant run program that requires elevated (admin) rights.

Why not?

simrick · 19 Mar 2021

It's not uncommon to have malware planted on systems as "time bombs", set to go off at a later date. Add "file-less" to that and you'll be awfully lucky to ever figure out what really happened. I've not experienced your description exactly, but I have seen files go missing from worms that create hidden partitions, move all the user's data to there, and then feed through the network to the next victim. Sorry I can't be of more help.

RickC · 09 May 2021

@p33pm3

Whilst malicious, I don't think it's malware (which you have already checked for).

Just a few thoughts...

The slowness of the devices suggests a background process, perhaps using Windows' interactive logon feature in the background. AFAIK, Task Manager only shows processes in the current user context, not secondary logons?

Q. Does your file recovery show whether file deletions occurred within or outside of the affected users' normal working hours?

Q. Are your devices normally shut down after working hours, or left to 'sleep'?

Q. Do your devices have PowerShell Remoting enabled? (It's disabled by default but many organisations enable it for scripted remote management.)

Q. Do you have a network person/team who can check whether your devices are segmented (VLANs) from 'business competitors... in the same department' and/or can monitor network traffic for use of PsExec?

Q. Are you a domain admin who can turn on 'Audit' logging? (If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation.)

If you're not in a domain but client devices are using Windows 10 Pro then you can use the Local Group Policy Editor to monitor for logon/logoff events (in case of interactive/secondary logons) and process creation (for example, to capture the use of PsExec.exe). Open the editor then drill down to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy then look at the settings for:

Account Logon > Audit Other Account Logon Events (which should pick up interactive logons)
Detailed Tracking > Audit Process Creation (which should capture PsExec.exe)
Object Access > Audit File System (which should capture file deletions)

Hope this helps... but note that I retired whilst the organisation I worked for used Windows 7 Pro, not 10... so things may have changed.

p33pm3 · 09 May 2021

The slowness of the devices suggests a background process, perhaps using Windows' interactive logon feature in the background. AFAIK, Task Manager only shows processes in the current user context, not secondary logons?

Actually, Task Manager does show processes from other users under the "Users" & "Details". But I still do use process explorer for easy navigation.

Q. Does your file recovery show whether file deletions occurred within or outside of the affected users' normal working hours?

It was during working hours when users were firing up their computer in the morning. It's practically deleting files when windows is loading, causing the windows to slowdown to a crawl.

Q. Are your devices normally shut down after working hours, or left to 'sleep'?

Shutdown.

Q. Do your devices have PowerShell Remoting enabled? (It's disabled by default but many organisations enable it for scripted remote management.)

Disabled.

Q. Do you have a network person/team who can check whether your devices are segmented (VLANs) from 'business competitors... in the same department' and/or can monitor network traffic for use of PsExec?

I don't think this scenario would apply coz a couple of the affected computers happened when they are working at home whilst others are at different branch offices. More probable use of trojan or delayed batch command for execution. Also, in my case, psexec wouldn't be able to wipe out majority of "Program Files" folder especially whilst Windows is running.

Q. Are you a domain admin who can turn on 'Audit' logging? (If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation.)

This is a good idea except that...
1. Most of the computers we have (and also affected) uses Home edition of Windows, so GP editor isn't available.
2. Also, I've tried the logging in the past on Windows 7 Pro but doesn't seem to log deletions using command line.
So, I might need to find some other applications that could do this.

Good sharing. The incidents stopped since about a month ago and hopefully that's the end it. Logging file deletions is a good idea but I'd probably need to tackle it in a more economical way since most of the computer here are Home edition and hopefully doesn't affect the om