Hackers vs PowerShell!

OK, I have a couple of servers in my home lab. I suppose it has a lot to do with the fact that I work with ConfigMgr and other server tools.

Additionally, I like using Remote Desktop to connect to and manage my machines; I suppose it has something to do with the fact that I once worked as a developer on the Terminal Services Client team.

And yes, I have a couple of ports open to the Internet. <I am now reconsidering this :^(  >

Hack

Anyways, I was looking today at the performance of one of my machines and noticed that one of the remote desktop server processes was being accessed by someone in Germany. Germany?!!? What???

[Screenshot: german.JPG]

Something running on FastWebServer.de and Your-Server.de.

The network traffic was slow, not as fast as my active Remote Desktop session. What could it be? After some thought, I figured it could be someone attempting to log in using different credentials, perhaps using a bot to try various credentials. Um… OK

PowerShell

PowerShell to the rescue.

I used the Get-EventLog cmdlet to search the right log (Security) for the right event ID (4625, "an account failed to log on") and count the matches.

Get-EventLog -LogName Security -InstanceId 4625 | Measure-Object

981 entries!! Youza!

Further analysis shows that the sixth element of the ReplacementStrings property (index 5, the TargetUserName field of event 4625) holds the account name each attempt tried to log on with. A frequency analysis is in order:

PS E:\> get-eventlog Security -InstanceId 4625 | 
   %{$_.ReplacementStrings[5]} | group | 
   sort Count -Descending | select -first 10 Count,Name

Count Name
----- ----
  152 ADMINISTRATOR
  150 SUPPORT
  150 TEST
  150 ADMIN
  150 DEMO
  150 ROOT
    7 EDDIE
    7 SQLADMIN
    7 CAFE
    7 BILL
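The same frequency analysis carried a step further, as an added example that is not part of the original post: it reads the 4625 fields by name from the event XML rather than by ReplacementStrings position, and also groups the attempts by source address and by failure sub-status, which is what tells a dictionary attack apart from a user mistyping a password. It assumes Get-WinEvent (present in both Windows PowerShell 5.1 and PowerShell 7), an elevated prompt, and made-up defaults for the $Days and $Threshold parameters.

```powershell
# Added example, not the original post's code: summarize Security event 4625
# (failed logon) by target account, source address and failure sub-status.
# Uses Get-WinEvent, which exists in Windows PowerShell 5.1 and PowerShell 7
# (Get-EventLog is 5.1-only). Reading the Security log needs admin rights.
param(
    [int]$Days = 7,        # how far back to look (assumed default)
    [int]$Threshold = 50   # attempts from one address before it is flagged (assumed default)
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

if (-not $events) {
    "No 4625 events in the last $Days day(s)."
    return
}

# Read EventData fields by name from the event XML instead of by position.
# For 4625 the positions are TargetUserName = ReplacementStrings[5] and
# IpAddress = ReplacementStrings[19]; names do not depend on that ordering.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) {
        $data[$field.Name] = $field.'#text'
    }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        LogonType = $data['LogonType']   # 10 = RemoteInteractive (RDP), 3 = Network
        Source    = $data['IpAddress']
        SubStatus = $data['SubStatus']   # 0xC0000064 = no such user, 0xC000006A = bad password
    }
}

"Failed logons in the last $Days day(s): $($rows.Count)"

'Top target accounts:'
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize | Out-String

'Top source addresses:'
$rows | Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize | Out-String

# Guesses against accounts that do not exist are the clearest sign of a
# wordlist being run rather than a real user getting a password wrong.
# String -eq is case-insensitive, so the hex casing in the XML does not matter.
$unknown = @($rows | Where-Object { $_.SubStatus -eq '0xC0000064' })
"Attempts against non-existent accounts: $($unknown.Count)"

# Addresses at or above the threshold, with the window they were active in.
$rows | Group-Object Source | Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        '{0,-18} {1,5} attempts, {2:u} to {3:u}' -f $_.Name, $_.Count, $sorted[0].Time, $sorted[-1].Time
    }
```

Save it as a .ps1 and run it from an elevated prompt, optionally with -Days and -Threshold. One caveat when hunting RDP guessing specifically: on some Windows versions an attempt rejected at the Network Level Authentication stage is logged as LogonType 3 with a blank IpAddress, so the Source column shows "-"; the Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational log (event 140) then records the client address instead.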

The names appear to be random, nothing specific to me. Needless to say, I have disabled the local administrator account and begun other security measures.

But I thought the PowerShell was fun! :)
