Is someone infiltrating into your computer?

Sometimes you may have to open certain ports on your computer to allow you to remote into your computer at home or in office. There is a very good chance that this port will be scanned by hackers and they will try to infiltrate into your computer... sometimes just for fun and sometimes for malicious purposes. 

Event viewer is the place where you can keep an eye on it and see if this happening or not. 

Step 1:
Right click the Start menu button and open Event Viewer on your computer. 

Step 2:
Browse to "Windows Logs" and then "Security" and look for Event ID 4624.

Step 3:
Look into the details of the event. You can see below that I tried to sign in from my computer called "Pluto" with an IP address 192.168.1.3 with the admin user. 

There are numerous logon types like 2,3,4,5,8,9,10, but in this article we are only talking about type 3, which is for remote connections. If you want to know more about the logon types please go this article from Microsoft's article on Administrative Tools and Logon Types

This is what happens when you provide incorrect username/password. It generate an Event ID 4625.  An attempt was made to sign into the computer, but because of wrong password or username it was rejected. 

What happens is that hackers will keep trying to login till they get in. Therefore, you need to keep an eye on this log event if you have you RDP port open to public. 

Create a filter to quickly access these events.

On the Event Viewer select the log name "Security" and then select "Filter Current Log". It will bring up the dialogue box for filter properties. 

1. This looks for the logs in the last 24 hours. You can set any range. 
2. Provide the event ID. In this case it's 4625.
3. Click Okay

This pulls up only two events on my computer.

Now you need to save the "Filter to Custom Views". 

1. Select the "Save Filter to Custom Views"
2. Name the filter.
3. Provide the location. You can save it "Custom Views" or create a sub folder. 
4. Click Ok to save the filter. 

Once saved you can always access is from under "Custom Views".

Examples of Logon Types and Failures:

• A failed attempt to sign in using RDP will generate an event ID 4625 and logon type 3.
• A failed attempt to sign in on the computer will generate an event ID 4625 and logon type 2.
• A failed attempt to sign in on console view will generate an event ID 4625 and logon type 10. 

The logon types will differ but the event ID for all failed attempts remains the same. Unless you know that you tried to sign in yourself and you entered the wrong password then these events are concerning and needs to be further investigated. 

For example for if you look into the "Network Information" section and you find that the attempt to sign in was a from an unknown computer and the IP address is a public IP address then it definitely means that someone is attempting to sign in. 

PrintNightmare - Solution Until Microsoft Releases a Patch

Microsoft recently released a patch, CVE-2021-1675, to address the exploit in the Windows Print Spooler service, but it turned out that the patch didn't work. Initially they thought the bug was just about local privileges' escalation but it turns out that it's full remote execution. That means that an attacker can get full domain privileges' by executing the code as standard user. There are tons of ways a malicious actor could execute this exploit. The vulnerability has been dubbed as PrintNightmare.

Microsoft, probably, will be releasing a new patch soon but until then the only thing you can do is to disable the print spooler on the domain controller or any server where you don't need print spooler running. So here is what you can do.

Step 1:
Open PowerShell ISE as Administrator and type the below script:

Stop-Service -Name Spooler
Set-Service -StartupType Disabled -Name Spooler
Save the script as .ps1 file. 

Step 2:

Deploy the deploy script using your remote monitoring and management system. You will basically need to create a filter that will pull all the domain controllers and file servers. Create a scheduled task to run the script on all those machines pulled by the filter. 

Step 3:
The RMM should tell you whether the task executed successfully or not. But you can sign in into randomly into some machines to verify if the spooler function has been stopped and disabled.