Monday, July 5, 2021

Is someone infiltrating into your computer?

Sometimes you may have to open certain ports on your computer so that you can remote into it from home or from the office. There is a very good chance that such a port will be scanned by hackers, who will then try to infiltrate your computer... sometimes just for fun and sometimes for malicious purposes.

Event Viewer is the place where you can keep an eye on this and see whether it is happening or not.

Step 1:
Right click the Start menu button and open Event Viewer on your computer. 

Step 2:
Browse to "Windows Logs" and then "Security" and look for Event ID 4624.

Step 3:
Look into the details of the event. You can see below that I tried to sign in from my computer called "Pluto", from an IP address, using the admin user.

There are numerous logon types such as 2, 3, 4, 5, 8, 9 and 10, but in this article we are only talking about type 3, which is for remote connections. If you want to know more about the logon types, please see Microsoft's article on Administrative Tools and Logon Types.

This is what happens when you provide an incorrect username or password. It generates an Event ID 4625: an attempt was made to sign in to the computer, but it was rejected because of a wrong password or username.

What happens is that hackers will keep trying to log in until they get in. Therefore, you need to keep an eye on this log event if you have your RDP port open to the public.

Create a filter to quickly access these events.

In Event Viewer, select the log name "Security" and then select "Filter Current Log". This brings up the filter properties dialog box.

1. This limits the search to events from the last 24 hours. You can set any range.
2. Provide the event ID. In this case it's 4625.
3. Click OK.

This pulls up only two events on my computer.

Now you need to save the filter to "Custom Views".

1. Select "Save Filter to Custom Views".
2. Name the filter.
3. Provide the location. You can save it under "Custom Views" or create a subfolder.
4. Click OK to save the filter.

Once saved, you can always access it from under "Custom Views".

Examples of Logon Types and Failures:
  • A failed attempt to sign in using RDP will generate an event ID 4625 and logon type 3.
  • A failed attempt to sign in on the computer will generate an event ID 4625 and logon type 2.
  • A failed attempt to sign in on console view will generate an event ID 4625 and logon type 10. 

The logon types will differ, but the event ID for all failed attempts remains the same. Unless you know that you tried to sign in yourself and entered the wrong password, these events are concerning and need to be investigated further.

For example, if you look into the "Network Information" section and find that the attempt to sign in came from an unknown computer and the IP address is a public IP address, then it definitely means that someone is attempting to sign in.
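As an added example (not from the original post), the same 24-hour filter for Event ID 4625 can be run from PowerShell, which also lets you group the failures by source address, pick out logon type 3 and flag addresses that are not private. The 24-hour window and the private-range test are assumptions; adjust them to your environment.

```powershell
# Added example: pull the last 24 hours of failed logons (Event ID 4625) from
# the Security log, the same events the Event Viewer filter above shows, and
# summarise them by source address. Run from an elevated PowerShell prompt.

function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges plus loopback; anything else is treated as public (assumption).
    return ($Address -match '^10\.' -or
            $Address -match '^192\.168\.' -or
            $Address -match '^172\.(1[6-9]|2[0-9]|3[01])\.' -or
            $Address -match '^127\.')
}

$since  = (Get-Date).AddHours(-24)   # same range as the filter dialog (assumption)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue   # no error when nothing matches

# Each 4625 event carries its fields in EventData; read them from the event XML.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = $d['TargetUserName']
        LogonType   = $d['LogonType']
        Workstation = $d['WorkstationName']   # the "Network Information" section
        IpAddress   = $d['IpAddress']
        SubStatus   = $d['SubStatus']         # 0xC000006A = bad password, 0xC0000064 = unknown user
    }
}

# Logon type 3 (network) is the type the post focuses on for remote attempts.
$remote = $rows | Where-Object { $_.LogonType -eq '3' }

$remote | Group-Object IpAddress | Sort-Object Count -Descending | ForEach-Object {
    $ip    = $_.Name
    $scope = if ($ip -in @('-', '::1') -or (Test-PrivateIPv4 $ip)) { 'local/private' } else { 'PUBLIC' }
    $users = ($_.Group.User | Sort-Object -Unique) -join ', '
    '{0,-16} {1,5} failures  {2,-13} users: {3}' -f $ip, $_.Count, $scope, $users
}
```

A source marked PUBLIC with many failures across several user names is the pattern the post describes and is worth investigating first.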

