IT Tips - Defend yourself against a lying co-worker who even spies on your screen remotely

It's no surprise that if you're climbing the ladder to success you'll make some people jealous at best... and at worst, you'll make an enemy or two.
The more success you have, the more likely you are to conflict with someone's "natural order" of things.

Today I'm going to speak from personal experience regarding a liar and a fraud whom I caught red-handed, and how you can protect yourself.

First, there are a few things you need to learn:

  1.  Detect Manipulation - lying is just a small part of deception.  When someone tries to manipulate you or others on a regular basis, watch out: you are more than likely dealing with a fraud, a cheat, and a liar.  Humans aren't that good at picking up on this until after the fact, and after it's been done a few times... so don't feel bad if you fell victim after being targeted.

  2.  Defeat Manipulation - so you found out someone is dishonest, but each and every time they are so convincing (especially at spreading doubt) that it's only after the fact, and after the damage has been done, that something seems not quite right.  If you haven't realized it yet, most people are too trusting.  This isn't necessarily a bad thing; you really do want them to trust you when you need them to believe something, and the same goes for them with you.  But what stops a sociopath from abusing that same trust?

The answer is Hitchens's Razor:  
What can be asserted without evidence can be dismissed without evidence
quod grātīs asseritur, grātīs negātur / What is freely asserted is freely dismissed
Or rather: don't believe something without actual (empirical) evidence.

We won't delve into detecting logical fallacies, or into how an argument must be both true and valid, and therefore sound.  
For that I recommend RationalWiki.  
Just remember that Hitchens's Razor is an extremely important tool at your disposal, so you won't fall for even the most advanced scare tactics, among other extremely believable arguments.

Some of you may ask why I would include the above on TechNet.  I did because this is industry-related information of interest to IT pros and developers.  In fact, I think it's in everyone's best interest to remember this any time you have meetings or discussions on projects, or on changes in general.  Just think how much better things would be if you could tell when someone is trying to manipulate you.

Now let's deal with the technical side.

Scenario:
So you are suspicious.  You brought up a security prompt on your screen to run something as administrator and left it open for a few seconds... and then, to your surprise, a username and a valid password were typed into it all by themselves.  The logon authenticated successfully and in turn created a profile on your machine, and that profile was for an IT Administrator account which belongs to someone you've been having many, many problems with.  Yes really, this really happened.  You were the only one at the computer, no one else had a separate keyboard plugged into it, and you have very high confidence that this isn't the first time this has happened: you are being spied on, and anything on your screen is visible to them!  How many hours, days, weeks, and months were you being spied on?  Not to mention with what!  Or who else was watching, like other bosses, POI (People of Interest), or even the CEO... 

So what now?

Well, obviously you need to report this to your manager, but what if all that happens is they go talk with the manager of the person you've been having problems with?  And what if that manager doesn't fire the person for not following policy and showing they are untrustworthy, and you see that person the next day at a meeting and they just give you a mean glare?  In my opinion, you have to be pretty convincing to have people believe you haven't been spying on anyone else .... "Oh, I got caught spying... well, that's the only one I was spying on, honest!".  Though I suppose they gave the good old "I dunno" argument from ignorance to any and all questions... I wasn't there, so I don't know what went down, but obviously it worked well enough because....

This person is still employed, yep yep, and they continue to undermine any efforts you put forward like a true sociopath, always trying to destroy your reputation, or that of anyone else who sides with you!  It gets so bad that your manager just wants to be left alone and says you and the perpetrator are the same, "you're both just doing your jobs!", and that they're "tired of fighting".... that this person "has Reasons" but no actual explanation, just "has Reasons".

Besides writing and sending a formal complaint, what else can you do to protect yourself?

Well, you could set up an audit on certain registry keys, because you have a feeling you know what program that person was using: in this case, SCCM 2012 CmRcViewer.exe.  But doesn't that prompt the end user and show a big green bar at the top?  Ah, that's the beauty of it: after researching online, it turns out you can change a few registry values and spy on someone logged into a computer, complete with clicking on things or, dare I say, typing in your credentials for them ;)

Let's set up an email alert in case that happens again:

Step 1:  Turn off the Configuration Manager Remote Control Service on your computer (CmRcService), but leave the Startup type at Automatic
Step 2:  On your computer, navigate into your C drive and create a folder called "Registry"
Step 3:  Create the following files using Notepad++ or any other text editor capable of doing the job

Registry Alert - Data Accessed.ps1

param(
    $Computer,
    $EventID,
    $EventType,
    $EventDateTime,
    $eventSubjectUserName,
    $eventSubjectDomainName,
    $eventSubjectUserSid,
    $eventObjectType,
    $eventAccessCommand,
    $eventObjectName,
    $eventProcessName
    )
 
#$Computer >> C:\Registry\Comp.txt
 
#Set-StrictMode -version 2.0
#Set-ExecutionPolicy Unrestricted -Force
 
$emailFrom = "NoReply-AuditAlert@email.com";
$emailTo = @("YOU@email.com");
$emailCC = @("BOSS1@email.com","BOSS2@email.com");
$emailSmtpServer = "smtp.YOURDOMAIN";
 
# Access-mask codes as Windows writes them in the AccessList field of event 4663.
# The %%NNNN tokens are message-table references; this table turns them into the
# readable names used in the email.
$regAccessCommand = @{
    "%%1537" = "DELETE"
    "%%1538" = "READ_CONTROL"
    "%%1539" = "WRITE_DAC"
    "%%1540" = "WRITE_OWNER"
    "%%1541" = "SYNCHRONIZE"
    "%%1542" = "ACCESS_SYS_SEC"
    "%%4432" = "Query key value"
    "%%4433" = "Set key value"
    "%%4434" = "Create Sub Key"
    "%%4435" = "Enumerate sub-keys"
    "%%4436" = "Notify about changes to keys"
    "%%4437" = "Create Link"
}
 
# The AccessList field arrives with embedded newlines, tabs and spaces between the codes,
# which we strip before splitting out the individual %%NNNN codes.
$RegistryCommandCode = $eventAccessCommand.replace("`n","").replace("`r","").replace("`t","").replace(" ","");
$codes = $RegistryCommandCode.split("%%",[System.StringSplitOptions]::RemoveEmptyEntries);
 
$RegistryCommand = "";
 
ForEach($code in $codes)
{
    if($RegistryCommand -ne "")
    {
        $RegistryCommand += ", ";
    }
    $RegistryCommand += $regAccessCommand.Item("%%" + $code);
}
 
# This script is for emailing an Alert on Registry Access
$Title = "Registry Alert - Data Accessed on $Computer"
$Message = @"
Registry Alert - Data Accessed on $Computer 
             
Event == An attempt was made to access an object. [EventID=$EventID]`r`n
Event Type == $EventType`r`n
Event DateTime == $EventDateTime`r`n
 
Event Details:
 
Audited Account == $eventSubjectDomainName\$eventSubjectUserName
Audited Account SID == $eventSubjectUserSid
 
Audited Process == $eventProcessName  `r`n 
Registry Command == $RegistryCommand  ( $RegistryCommandCode )
 
Data Type == $eventObjectType
Data Path == $eventObjectName
"@
 
$ignoreSIDs = "S-1-5-18", "S-1-5-19";
 
if($ignoreSIDs -inotcontains $eventSubjectUserSid)
{
    Send-MailMessage -To $emailTo -Cc $emailCC -From $emailFrom -Subject $Title -Body $Message -SmtpServer $emailSmtpServer
}

Registry Alert - Value Modified.ps1

param(
    $Computer,
    $EventID,
    $EventType,
    $EventDateTime,
    $eventSubjectUserName,
    $eventSubjectDomainName,
    $eventSubjectUserSid,
    $eventObjectName,
    $eventObjectValueName,
    $eventOperationType,
    $eventOldValueType,
    $eventOldValue,
    $eventNewValueType,
    $eventNewValue,
    $eventProcessName
    )
 
#$Computer >> C:\Registry\Comp.txt
 
#Set-StrictMode -version 2.0
#Set-ExecutionPolicy Unrestricted -Force
 
$emailFrom = "NoReply-AuditAlert@email.com";
$emailTo = @("YOU@email.com");
$emailCC = @("BOSS1@email.com","BOSS2@email.com");
$emailSmtpServer = "smtp.YOURDOMAIN";
 
# OperationType codes from event 4657
$regOperationHash = @{
    "%%1904" = "New registry value created"
    "%%1905" = "Existing registry value modified"
    "%%1906" = "Registry value deleted"
}
 
# OldValueType / NewValueType codes from event 4657
$regValueHash = @{
    "%%1873" = "REG_SZ"
    "%%1875" = "REG_BINARY"
    "%%1876" = "REG_DWORD"
    "%%1883" = "REG_QWORD"
    "%%1879" = "REG_MULTI_SZ"
    "%%1874" = "REG_EXPAND_SZ"
}
 
 
$RegistryOperation = $regOperationHash.Item($eventOperationType);
#$RegistryOperation = $eventOperationType.GetType().FullName
 
$OldValueType = $regValueHash.Item($eventOldValueType);
$NewValueType = $regValueHash.Item($eventNewValueType);
 
# This script is for emailing an Alert on Registry Value Modified
$Title = "Registry Alert - Value Modified on $Computer"
$Message = @"
Registry Alert - Value Modified on $Computer 
             
Event == An attempt was made to access an object. [EventID=$EventID]`r`n
Event Type == $EventType`r`n
Event DateTime == $EventDateTime`r`n
 
Event Details:
 
Audited Account == $eventSubjectDomainName\$eventSubjectUserName
Audited Account SID == $eventSubjectUserSid
 
Audited Process == $eventProcessName`r`n
Audited Operation == $RegistryOperation  ( $eventOperationType )`r`n
Registry Key == $eventObjectName`r`n
Value Name == $eventObjectValueName
 
Change Information:
    Old Value Type: $OldValueType  ( $eventOldValueType )
    Old Value: $eventOldValue
    New Value Type: $NewValueType  ( $eventNewValueType )
    New Value: $eventNewValue
 
"@
 
$ignoreSIDs = "S-1-5-18", "S-1-5-19";
 
if($ignoreSIDs -inotcontains $eventSubjectUserSid)
{
    Send-MailMessage -To $emailTo -Cc $emailCC -From $emailFrom -Subject $Title -Body $Message -SmtpServer $emailSmtpServer
}

Registry Alert - Data Accessed.xml

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2018-08-09T00:00:00.0</Date>
    <Author>Administrator</Author>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription><QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID=4663)]]</Select></Query></QueryList></Subscription>
      <ValueQueries>
        <Value name="Computer">Event/System/Computer</Value>
        <Value name="EventDateTime">Event/System/TimeCreated/@SystemTime</Value>
        <Value name="EventID">Event/System/EventID</Value>
        <Value name="EventType">Event/System/Provider/@Name</Value>
        <Value name="eventAccessCommand">Event/EventData/Data[@Name="AccessList"]</Value>
        <Value name="eventObjectName">Event/EventData/Data[@Name="ObjectName"]</Value>
        <Value name="eventObjectType">Event/EventData/Data[@Name="ObjectType"]</Value>
        <Value name="eventProcessName">Event/EventData/Data[@Name="ProcessName"]</Value>
        <Value name="eventSubjectDomainName">Event/EventData/Data[@Name="SubjectDomainName"]</Value>
        <Value name="eventSubjectUserName">Event/EventData/Data[@Name="SubjectUserName"]</Value>
        <Value name="eventSubjectUserSid">Event/EventData/Data[@Name="SubjectUserSid"]</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT10M</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-Command "&amp; '.\Registry Alert - Data Accessed.ps1' -Computer '$(Computer)' -EventID '$(EventID)' -EventType '$(EventType)' -EventDateTime '$(EventDateTime)' -eventSubjectUserName '$(eventSubjectUserName)' -eventSubjectDomainName '$(eventSubjectDomainName)' -eventSubjectUserSid '$(eventSubjectUserSid)' -eventObjectType '$(eventObjectType)' -eventAccessCommand '$(eventAccessCommand)' -eventObjectName '$(eventObjectName)' -eventProcessName '$(eventProcessName)'"</Arguments>
      <WorkingDirectory>C:\Registry</WorkingDirectory>
    </Exec>
  </Actions>
</Task>

Registry Alert - Value Modified.xml

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2018-08-09T00:00:00.0</Date>
    <Author>Administrator</Author>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription><QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID=4657)]]</Select></Query></QueryList></Subscription>
      <ValueQueries>
        <Value name="Computer">Event/System/Computer</Value>
        <Value name="EventDateTime">Event/System/TimeCreated/@SystemTime</Value>
        <Value name="EventID">Event/System/EventID</Value>
        <Value name="EventType">Event/System/Provider/@Name</Value>
        <Value name="eventNewValue">Event/EventData/Data[@Name="NewValue"]</Value>
        <Value name="eventNewValueType">Event/EventData/Data[@Name="NewValueType"]</Value>
        <Value name="eventObjectName">Event/EventData/Data[@Name="ObjectName"]</Value>
        <Value name="eventObjectValueName">Event/EventData/Data[@Name="ObjectValueName"]</Value>
        <Value name="eventOldValue">Event/EventData/Data[@Name="OldValue"]</Value>
        <Value name="eventOldValueType">Event/EventData/Data[@Name="OldValueType"]</Value>
        <Value name="eventOperationType">Event/EventData/Data[@Name="OperationType"]</Value>
        <Value name="eventProcessName">Event/EventData/Data[@Name="ProcessName"]</Value>
        <Value name="eventSubjectDomainName">Event/EventData/Data[@Name="SubjectDomainName"]</Value>
        <Value name="eventSubjectUserName">Event/EventData/Data[@Name="SubjectUserName"]</Value>
        <Value name="eventSubjectUserSid">Event/EventData/Data[@Name="SubjectUserSid"]</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT10M</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-Command "&amp; '.\Registry Alert - Value Modified.ps1' -Computer '$(Computer)' -EventID '$(EventID)' -EventType '$(EventType)' -EventDateTime '$(EventDateTime)' -eventSubjectUserName '$(eventSubjectUserName)' -eventSubjectDomainName '$(eventSubjectDomainName)' -eventSubjectUserSid '$(eventSubjectUserSid)' -eventObjectName '$(eventObjectName)' -eventObjectValueName '$(eventObjectValueName)' -eventOperationType '$(eventOperationType)' -eventOldValueType '$(eventOldValueType)' -eventOldValue '$(eventOldValue)' -eventNewValueType '$(eventNewValueType)' -eventNewValue '$(eventNewValue)' -eventProcessName '$(eventProcessName)'"</Arguments>
      <WorkingDirectory>C:\Registry</WorkingDirectory>
    </Exec>
  </Actions>
</Task>

Remember, the scripts must be placed inside "C:\Registry" because that is where the tasks will look for them (it is the WorkingDirectory in both task definitions).

Step 4:  Import "Registry Alert - Value Modified.xml" and "Registry Alert - Data Accessed.xml" into Task Scheduler (taskschd.msc)

Step 5:  Edit the "Registry Alert - Data Accessed.ps1" and "Registry Alert - Value Modified.ps1" scripts to send to the correct email(s)
     Also, ensure you are targeting a valid SMTP address; this is usually smtp.{yourdomain}, e.g. smtp.contoso.com

Step 6:  

In gpedit.msc
-> Computer Configuration 
 -> Windows Settings 
  -> Security Settings 
   -> Advanced Audit Policy Configuration
    -> System Audit Policies - Local Group Policy Object 
     -> Object Access
      -> Audit Registry == Check Configure + both Success and Failure checkboxes

Step 7:

In regedit.exe
-> Locate the Top Key you want to audit ( HKLM\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control )
-> Right click the Key, choose Permissions...
-> Click Advanced
-> Click the Auditing Tab
-> Click Add...
-> Type "Everyone" without quotes and click OK
-> Check Full Control under both Successful and Failed to audit all access.
-> Verify this will apply to "This key and subkeys", then click OK
-> Click OK
-> Close Permissions Window

Step 8:
Give your computer a restart.  When it comes back up, ensure the Configuration Manager Remote Control Service on your computer (CmRcService) has started.
I know this isn't quite honey-potting, more like baiting.... but still, this is a great way to demonstrate what will happen to an unsuspecting attacker.
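Steps 4, 6 and 7 above go through three different dialogs.  The following is the same configuration done from one elevated PowerShell prompt; it is an added example, not a script from the article, and it assumes the two task XML files and both .ps1 scripts already sit in C:\Registry.

```powershell
# Added example (not the article's own code). Run from an elevated PowerShell
# prompt: reading and writing a registry key's SACL needs SeSecurityPrivilege.
$auditedKey = 'HKLM:\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control'
$taskFolder = 'C:\Registry'
$taskNames  = 'Registry Alert - Data Accessed', 'Registry Alert - Value Modified'

# Step 4: import both task definitions. /F overwrites a task of the same name,
# so this can be re-run. The XML declares encoding="UTF-16", so the files must
# be saved as UTF-16 LE (with BOM); a UTF-8 copy is rejected on import.
foreach ($name in $taskNames) {
    schtasks.exe /Create /TN $name /XML (Join-Path $taskFolder "$name.xml") /F
}

# Step 6: Success + Failure auditing for Object Access -> Registry. auditpol
# changes the effective policy directly; a local or domain GPO that configures
# this subcategory (what gpedit.msc edits) wins again on the next policy refresh.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable

# Step 7: SACL entry for Everyone (S-1-1-0), Full Control, successful and failed
# access, inherited by subkeys ("This key and subkeys" in the regedit dialog).
$everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights    = [System.Security.AccessControl.RegistryRights]::FullControl
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success,Failure'
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule `
                   -ArgumentList $everyone, $rights, $inherit, $propagate, $flags

# -Audit makes Get-Acl fetch the SACL as well; without it the object carries no
# audit section and Set-Acl would leave the auditing entries untouched.
$acl = Get-Acl -Path $auditedKey -Audit
$acl.SetAuditRule($rule)          # SetAuditRule replaces any existing Everyone entry
$acl | Set-Acl -Path $auditedKey

# Verify both halves before trusting the email alerts.
auditpol.exe /get /subcategory:"Registry"
(Get-Acl -Path $auditedKey -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags -AutoSize
```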

Developer's Note:  
By no means is this a foolproof method; those intimately familiar with how to bypass existing auditing, or disable the auditing portions of Security, are to be considered advanced attackers.  Sadly, if you are dealing with an advanced attacker who is aware of these methods, you may not receive an email when they decide to intrude upon you.  But if you believe someone may be doing something to you, you can double-check the Event Logs, specifically Event Viewer -> Windows Logs -> Security, and see what other accounts are logging in or accessing registry keys.  You may also think of changing the script names, their location, and where the scheduled tasks are stored, to make it harder for an attacker to locate and compromise your audit alerts.
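The Event Viewer check from the note above, done from PowerShell.  This is an added example rather than code from the article: it reads the same two audit events the scheduled tasks fire on (4663 and 4657) from the local Security log, keeps only those on the SCCM Remote Control key, and decodes the %%-coded fields with the tables from the two scripts.  The function names are mine, and it assumes an elevated prompt, since reading the Security log requires one.

```powershell
# Added example (not the article's own code): decode 4663/4657 audit events on
# the Remote Control key straight from the Security log. Run elevated.
$keyPattern = '*\Microsoft\SMS\Client\Client Components\Remote Control*'
$ignoreSIDs = @('S-1-5-18', 'S-1-5-19')   # LocalSystem and LocalService, as in the scripts

$accessNames = @{                          # 4663 AccessList codes (from the scripts)
    '%%1537' = 'DELETE';          '%%1538' = 'READ_CONTROL'
    '%%1539' = 'WRITE_DAC';       '%%1540' = 'WRITE_OWNER'
    '%%1541' = 'SYNCHRONIZE';     '%%1542' = 'ACCESS_SYS_SEC'
    '%%4432' = 'Query key value'; '%%4433' = 'Set key value'
    '%%4434' = 'Create Sub Key';  '%%4435' = 'Enumerate sub-keys'
    '%%4436' = 'Notify about changes to keys'; '%%4437' = 'Create Link'
}
$operationNames = @{                       # 4657 OperationType codes (from the scripts)
    '%%1904' = 'New registry value created'
    '%%1905' = 'Existing registry value modified'
    '%%1906' = 'Registry value deleted'
}

function Get-EventField {
    # EventData/Data elements differ only by their Name attribute.
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-RemoteControlAuditEvent {
    param([int]$MaxEvents = 1000)
    $filter = @{ LogName = 'Security'; Id = 4663, 4657 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $xml = [xml]$evt.ToXml()
            # Audit events record the kernel path (\REGISTRY\MACHINE\...), not HKLM:\.
            if ((Get-EventField $xml 'ObjectName') -notlike $keyPattern) { return }
            if ($ignoreSIDs -contains (Get-EventField $xml 'SubjectUserSid')) { return }
            $detail = if ($evt.Id -eq 4663) {
                # AccessList carries whitespace between the codes; a regex pulls them out.
                $codes = [regex]::Matches("$(Get-EventField $xml 'AccessList')", '%%\d+') |
                    ForEach-Object { $_.Value }
                ($codes | ForEach-Object { $accessNames[$_] }) -join ', '
            } else {
                $op = $operationNames["$(Get-EventField $xml 'OperationType')"]
                "$op '$(Get-EventField $xml 'ObjectValueName')': " +
                "$(Get-EventField $xml 'OldValue') -> $(Get-EventField $xml 'NewValue')"
            }
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                EventId = $evt.Id
                Account = "$(Get-EventField $xml 'SubjectDomainName')\$(Get-EventField $xml 'SubjectUserName')"
                Process = Get-EventField $xml 'ProcessName'
                Detail  = $detail
            }
        }
}

# Get-WinEvent returns newest first; sort oldest-first to read the timeline.
Get-RemoteControlAuditEvent | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Any account or process in that output other than your own, and other than the built-in SIDs the scripts ignore, is exactly what the email alerts are meant to catch.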

All in all, remember: you aren't paranoid if you're right! .... like when they really are spying on you and out to get you. :)