Anonymous hacking of the local NT authority account

Anonymous
2022-10-14T02:55:12.137+00:00

Hi, I am just wondering about a consecutive local account hijacking and a brute-force attack on my PC.

In the event viewer, I found that there was a null session attack from the unknown hacker about once per minute. Below is an example of the attack.

-------------------------------------

An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: SYSTEMS
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: -
Source Network Address: 212.103.60.106
Source Port: 0

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

----------------------------------------------------

So, I managed to find who is logging in to my PC with the PsTools utility psloggedon. I found that:

----------------------------------------------------

Users logged on locally:
10/14/2022 9:46:52 AM WIN-MY PC domain\Administrator

Users logged on via resource shares:
10/14/2022 10:52:45 AM (null)\Administrator

----------------------------------------------------

The user name was identical, but the null account had already logged on as an administrator.

I tried to modify the settings in the Windows registry and the local security policy so as not to enumerate anonymous SAM accounts or shares.

But it seems that the null account logs off at that time and then logs on again to bypass it. I checked that the null account log-in continues while the log-on time is renewed.

It might be that the hacker has installed a malware program somewhere in the C: drive folder, so I checked whether a malware service is running by using msert.exe.

It said that there were three suspicious files in the C: folder, but I couldn't finish the virus scan because it suddenly terminated, with the result being that nothing was wrong. I think the hacker uses the malware program that he/she installed to access my PC as the NT AUTHORITY account, managing services.msc and stopping the program that can scan and recover the system itself.

Is there any solution to take back the hijacked local account?

As it is not the administrator account, the hacker can have full control over the system even when reinstalling the OS.

2 answers

  1. Anonymous
    2022-10-14T19:44:59.16+00:00

    Yeah, I already reinstalled the OS, deleting all the files, while the hacking continues.

    I think the hacker accesses the 1-5-21-1024--blah blah SID account by hijacking my IP address, and he took the system account authority of my PC.

    It is nonsense that the hacker came from a random attack, because I neither accessed a suspicious site or download nor changed my IP after reinstalling the OS. It might be reasonable to think the hacker is the NT authority account itself.

    I found that these anonymous log-in attempts are related to <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> and <Correlation ActivityID="{6586b4ce-dfda-0000-4ab5-8665dadfd801}"

    <EventData>
    <EventID>4625</EventID>
    <Keywords>0x8010000000000000</Keywords>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">AZUREADMIN</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">-</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">40.117.130.218</Data>
    <Data Name="IpPort">0</Data>
    </EventData>

    Might these event viewer actions be helpful for recovering the system?

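The 4625 records quoted in the question and in the answer above share one signature (NULL subject SID, logon type 3, NtLmSsp, status 0xC000006D, repeated from a single source address), which is what a defender would count rather than read one record at a time. The following is an added example, not code from the thread; the event XML it parses is constructed to match the shape quoted above, with documentation-range addresses standing in for the real ones.

```python
# Added example (not from the thread): parse Windows Security event 4625 records
# and flag repeated anonymous NTLM logon failures from one source address.
from collections import defaultdict
from datetime import datetime
import xml.etree.ElementTree as ET

EVENT_TEMPLATE = """<Event>
<System><EventID>4625</EventID><TimeCreated SystemTime="2022-10-14T02:{minute:02d}:12Z"/></System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">{user}</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="SubStatus">0xc0000064</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp</Data>
<Data Name="IpAddress">{ip}</Data>
</EventData></Event>"""

# Constructed sample: three guesses a minute apart from one host, one stray failure from another.
SAMPLE_EVENTS = [EVENT_TEMPLATE.format(minute=m, user=u, ip=ip) for m, u, ip in
                 [(0, "SYSTEMS", "192.0.2.10"), (1, "ADMIN", "192.0.2.10"),
                  (2, "AZUREADMIN", "192.0.2.10"), (5, "bob", "192.0.2.44")]]

def parse_4625(xml_text):
    """Return the EventData fields as a dict plus a parsed 'Time' value."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    stamp = root.find("./System/TimeCreated").get("SystemTime")
    fields["Time"] = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return fields

def is_anonymous_ntlm_failure(ev):
    """NULL subject SID, network logon (type 3), NtLmSsp, STATUS_LOGON_FAILURE."""
    return (ev.get("SubjectUserSid") == "S-1-0-0" and ev.get("LogonType") == "3"
            and ev.get("LogonProcessName") == "NtLmSsp"
            and ev.get("Status", "").lower() == "0xc000006d")

def find_guessing_sources(events, window_minutes=10, min_failures=3):
    """Map each IP with >= min_failures such failures inside window_minutes to the names it tried."""
    by_ip = defaultdict(list)
    for ev in map(parse_4625, events):
        if is_anonymous_ntlm_failure(ev):
            by_ip[ev.get("IpAddress", "-")].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["Time"])
        for i in range(len(evs) - min_failures + 1):
            span = evs[i + min_failures - 1]["Time"] - evs[i]["Time"]
            if span.total_seconds() <= window_minutes * 60:
                hits[ip] = sorted({e["TargetUserName"] for e in evs})
                break
    return hits
```

A source that appears in the result with several different user names is guessing, not a misconfigured client, and is the address to block at the firewall while anonymous and NTLM access are being restricted.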

  2. Timothy OGrosky
    2023-07-10T10:09:10.8833333+00:00

    This is the new rootkit that Kaspersky found. It's funny, I showed them in 2019. It gets in TVs, phones, about anything with a memory, and you can't get rid of it.. all you can do is buy a better system; you must have a Gigabyte or an ASUS motherboard.. it can hack you with radio waves or ioloop.. it's in the BIOS and you can't get it out. It also has micro encoding on the Intel processor, so as with me you're blanked. It is they are hacking from Russia, China and Iran; the 3 have gotten together... this is about shutting our electric off and we can do nothing then.. so many people have this, you would believe if you checked, everyone you know has it but does not know...
