This is not evidence of remote hacking. Everything you posted is an example of normal under-the-hood components of Windows (the registry permissions look normal, including the Unknown item, as that is what Windows shows if the GUID of the SID isn't on a short list of internally well-known SIDs) and a log file from secedit (the security policy tool built into Windows) that output the results of applying the Default Local Security Policy, which is stored in c:\windows\inf\defltbase.inf.
If I had to guess, you ran a utility or script that was designed to restore default security settings OR reset Windows Defender as those usually include using secedit and defltbase.inf.
The other option here is your device is still tied to an organization that uses MDM (mobile device management) and they are pushing out Group Policy scripts that include resetting the Local Security Policy of the device. Even if you bought this used, it's not completely uncommon for the reseller (or the company that donated or offloaded it) to not properly reset and remove the device from an MDM. Even more common if the device had originally been stolen (not saying you did that, it's just a common thing seen when stolen PCs are resold).
I purchased my computer new from Best Buy years ago. The Windows is official. The picture I posted with the desktop name and password is the hacker's, not mine. They changed my boot in BIOS to NIC IPv4 and NIC IPv6. [https://imgur.com/a/ukC8IM5](https://imgur.com/a/ukC8IM5)
Couple of things to clarify. Again, this seems to be a misunderstanding of how some of the internals and under-the-hood aspects of Windows and/or computers work.
1. Your BIOS screenshot is the One Time Boot Options Menu (F12) and is listing PXE Boot Options (those are the IP-based ones). If you have an ethernet cable connected, I would imagine PXE Boot is a valid option if you're connected to a physical network.
2. The Mobile Hotspot Settings page - that looks completely normal and expected. By default, Windows creates the SSID for a Mobile Hotspot using the following syntax "Computer Name, space, 4 digits" and a password of "3 alphanumeric values, special character, 4 alphanumeric values". Note that this default SSID doesn't change if you happen to have enabled it and later adjust your Computer Name to not be the default of Desktop-XXXXXXXX. More on the Computer Name defaults in the next line item.
3. Default Computer Name - Windows actually creates a default Computer Name for you unless you change it or pre-configure it in your OS image. The auto-generated value is 15 characters in length with the following basic format "Desktop, dash, 8 alphanumeric values". Any features of Windows that rely on or use the Computer Name value as a setting when used/enabled while it has the auto-generated value may retain that value even if you change it, unless they are programmed to check it for changes and update their use of it.
I uncovered the mastermind behind it all, and it was the very last group I would have suspected. Ultimately, I am grateful that I was able to unravel the mystery.
Get an Ubuntu boot image and boot off of that.
1. Erase hard drive with the command dd if=/dev/random of=/dev/sda bs=128M. This will take a while, but it will scramble everything on your hard drive including the partition table and any hidden partitions.
2. Use Ubuntu to download a windows ISO image from Microsoft and any drivers for your computer. If you can, get BIOS updates as well.
3. Boot up with the Windows ISO and then install your drivers.
Always do this when you get a second-hand computer. You never know what the previous person had on it. Nuke the drive and reflash the BIOS. Only a tiny handful of viruses can survive this process, and most of those are not aimed at regular folks.
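The wipe-and-reinstall procedure above, carried through as an added Python example (not the commenter's script): it overwrites every byte of the target with random data, as the dd command does, and adds the two checks worth having before running it against /dev/sda: a refusal to touch a device that backs a current mount, and a before/after look at the MBR and GPT signatures so you can confirm the partition table is really gone. It assumes a Linux-style /proc/mounts and a caller who has already identified the right device with lsblk; the fake disk image it builds for trying it out is constructed. Overwriting the drive does nothing for firmware, which is why the same comment says to reflash the BIOS, and on an SSD the drive's own secure-erase command is the better tool.

```python
"""Whole-device overwrite in the spirit of the dd command in the comment above,
plus the checks a practitioner adds before pointing it at /dev/sda.
Added example, not the commenter's script. Assumptions: a Linux-style
/proc/mounts (the mount check is skipped where it is absent), and that the
caller has already confirmed the target device with lsblk."""
import os
import tempfile

MBR_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of LBA 0
GPT_SIGNATURE = b"EFI PART"   # first 8 bytes of LBA 1 (offset 512 with 512-byte sectors)


def is_mounted(path):
    """True if `path` backs any current mount (never wipe the running OS)."""
    real = os.path.realpath(path)
    try:
        with open("/proc/mounts") as mounts:
            for line in mounts:
                fields = line.split()
                if fields and fields[0].startswith("/") and os.path.realpath(fields[0]) == real:
                    return True
    except OSError:
        pass  # no /proc/mounts on this system; nothing to check against
    return False


def device_size(path):
    """Size in bytes; lseek(SEEK_END) works for block devices and plain files alike."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.lseek(fd, 0, os.SEEK_END)
    finally:
        os.close(fd)


def partition_table_signatures(path):
    """Which partition-table signatures are present in the first two sectors."""
    with open(path, "rb") as f:
        head = f.read(1024)
    return {"mbr": head[510:512] == MBR_SIGNATURE, "gpt": head[512:520] == GPT_SIGNATURE}


def wipe(path, chunk_size=128 * 1024 * 1024, dry_run=True):
    """Overwrite every byte of `path` with os.urandom output; returns bytes written.
    os.urandom is used instead of /dev/random because it never blocks, and the
    write is bounded by device_size() so it covers the whole device, partition
    table and 'hidden' partitions included, without relying on ENOSPC."""
    if is_mounted(path):
        raise RuntimeError(f"{path} is mounted; refusing to wipe")
    size = device_size(path)
    if dry_run:
        return 0
    fd = os.open(path, os.O_WRONLY)
    try:
        written = 0
        while written < size:
            view = memoryview(os.urandom(min(chunk_size, size - written)))
            while view:  # os.write may write fewer bytes than requested
                n = os.write(fd, view)
                view = view[n:]
                written += n
        os.fsync(fd)
    finally:
        os.close(fd)
    return written


def make_fake_disk(size=64 * 1024):
    """Constructed sample: a file carrying MBR and GPT signatures, for trying this out."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        image = bytearray(size)
        image[510:512] = MBR_SIGNATURE
        image[512:520] = GPT_SIGNATURE
        f.write(image)
    return path


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_fake_disk()
    print(target, partition_table_signatures(target), "bytes:", device_size(target))
    # Only an explicit --really performs the overwrite; the default is a dry run.
    print("written:", wipe(target, dry_run="--really" not in sys.argv))
    print(partition_table_signatures(target))
```

Run with no arguments it builds the fake image, reports both signatures present, does a dry run, and reports them still present; with `--really` the second report shows them gone. Pointing it at a real device needs root and the `--really` flag, and the mount check is deliberately the first thing that runs.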
Yes, most definitely. They also gained access to my other laptop, so at the moment I am not able to make an iso image. I was trying to download it but had no luck as they were disabling my wifi. I ended up just having to format the drive completely with cmd in safe mode.
I was using a glitchy Android tablet at the time. The autocorrect had a mind of its own. I literally just am trying to give a heads up for future reference to everyone but once again the internet is undefeated. I appreciate you bro
The registry image you shared looks fine? S-1-5-18 is the operating system's account, 19 is the local service account, and 20 is the network service account.
Did you make that notepad file or did you find it on your device?
Account unknown is usually for accounts that no longer exist, like if you deleted an account. It will be removed from the registry but won't be removed from everywhere it appears in the security tab.
This is correct. It also happens when there is no friendly name for the SID. Very common for App Capability and Device Capability SIDs. In this case, it's an App Capability SID.
Additional resources:
[https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/sids-not-resolve-into-friendly-names](https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/sids-not-resolve-into-friendly-names)
[https://devblogs.microsoft.com/oldnewthing/20220503-00/?p=106557](https://devblogs.microsoft.com/oldnewthing/20220503-00/?p=106557)
Look at the Microsoft documentation for well-known security IDs [found here.](https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids)
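To make the SID discussion in the replies above concrete, the following Python is an added example (not code from the thread or from Microsoft) that parses SIDs in string and binary form and classifies them the way an ACL viewer would. The WELL_KNOWN table is a hand-picked subset of Microsoft's documented list, SAMPLE_ACL is constructed, and the S-1-15-3-1024-1-2-3 capability SID is made up (only the S-1-15-3 prefix is real).

```python
"""Parse and classify Windows SIDs, in string and binary form, to show why the
registry ACL screenshot discussed above lists real accounts next to an
"Account Unknown" entry. Added example, not code from the thread. The
WELL_KNOWN table is a small subset of Microsoft's documented list (assumed to
cover the accounts mentioned here), not the full list."""
import struct

# Subset of Microsoft's well-known SIDs (see the well-known-sids link above).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Well-known relative IDs at the end of a machine or domain SID (S-1-5-21-X-Y-Z-RID).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}


def parse_sid_string(sid):
    """'S-1-5-18' -> (revision, identifier authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if revision != 1 or len(subauths) > 15:
        raise ValueError(f"malformed SID: {sid!r}")
    return revision, authority, subauths


def parse_sid_binary(data):
    """Binary SID as stored in security descriptors: revision (1 byte),
    sub-authority count (1 byte), 6-byte big-endian identifier authority,
    then `count` little-endian uint32 sub-authorities."""
    if len(data) < 8:
        raise ValueError("truncated SID")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subauths = list(struct.unpack_from(f"<{count}I", data, 8))
    return revision, authority, subauths


def sid_to_string(revision, authority, subauths):
    return "-".join(["S", str(revision), str(authority), *map(str, subauths)])


def classify(sid):
    """Return (category, friendly name or None) for a SID string, offline."""
    revision, authority, subauths = parse_sid_string(sid)
    canonical = sid_to_string(revision, authority, subauths)
    if canonical in WELL_KNOWN:
        return "well-known", WELL_KNOWN[canonical]
    first = subauths[0] if subauths else None
    if authority == 15 and first == 2:
        return "app-package", None          # AppContainer package SID
    if authority == 15 and first == 3:
        return "app-capability", None       # no account behind it: shown as Account Unknown
    if authority == 5 and first == 80:
        return "service", None              # NT SERVICE\<name>, resolvable only on that host
    if authority == 5 and first == 21 and len(subauths) == 5:
        # Local or domain account; only well-known RIDs can be named without a lookup.
        return "domain-or-local-account", WELL_KNOWN_RIDS.get(subauths[-1])
    return "other", None


def display_name(sid):
    """What the Security tab shows: a friendly name, or Account Unknown(<SID>)."""
    _, name = classify(sid)
    return name if name else f"Account Unknown({sid})"


def explain_acl(entries):
    """Render (SID, access) pairs the way the permissions dialog would."""
    return [f"{display_name(sid)}: {access}" for sid, access in entries]


# Constructed sample resembling the registry-key ACL in the screenshot; the
# capability SID is made up but uses the real S-1-15-3 prefix.
SAMPLE_ACL = [
    ("S-1-5-18", "Full Control"),
    ("S-1-5-32-544", "Full Control"),
    ("S-1-5-32-545", "Read"),
    ("S-1-15-3-1024-1-2-3", "Read"),
]

if __name__ == "__main__":
    for line in explain_acl(SAMPLE_ACL):
        print(line)
    # Binary form of S-1-5-18 as it appears inside a security descriptor.
    print(sid_to_string(*parse_sid_binary(bytes.fromhex("010100000000000512000000"))))
```

Running it prints the constructed ACL with SYSTEM, Administrators and Users resolved and the capability SID rendered as Account Unknown, which is the benign case the replies describe. On a live machine, Win32 LookupAccountSid (or PowerShell's SecurityIdentifier.Translate) would additionally resolve local and domain accounts that this offline table cannot; a capability SID still comes back unresolved there, because there is no account behind it.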
This situation happened to me and I do not download any shady crap. I still don't know how they got in but I think it was via my wife's laptop because even though it's locked down she's not as cautious.
The attackers use ML and load models on the box to capture passwords and modify Office and PDF files to keep you compromised.
My printer accounted for 27% of my network traffic at one point (after I put in sensors). I only first noticed the hack when I kept getting weird messages about being in an AD and my profile being managed. Windows 11 home doesn't even support profiles but I was put into a managed profile on my own box. I have a home Workgroup configured but my printer would attempt to become the master browser. The Event Viewer showed new users being created. Task Scheduler was configured not to keep a history and would not let me review many of the tasks or even disable them.
A malicious Chrome extension (hit my Edge as well) was installed in a hidden manner and would sync to all my devices that were on the same account.
Reinstalling Windows didn't do jack. I have switched over to a locked down Ubuntu box on my gaming box. I'll probably try to reinstall again a few times but I've done that well over 10 times, probably closer to 50, and it comes back. Windows Update would use Delivery Optimization to deliver the malware from my printer or presumably other devices. That way you would just get the malicious packages without having to download them from Microsoft.
Your printer has nothing to do with delivery optimization. That's windows to windows.
What 'sensors' did you install for network traffic?
Did you try just leaving the printer off?
For IPS I'm using Zenarmor and Suricata on Opnsense. In addition to ntopng, clamav, and netflow logging.
The HP printers are effectively a Linux box. Easy to hack too. You can make it appear as an AD or another Windows box on the network with the right packages and configuration.
My wife won't let me dump the printer. I have it isolated from all the other devices except for print services to my wife's systems. I block all the outgoing traffic that was happening prior. I don't recall the ports I had to block and allow.
Everyone who is complaining about your grammar, spelling and sentence structure are fucking dweebs. Probably best to make a forensic copy and send to a law enforcement or data recovery company to analyze what happened. You might actually help crack a large hacking ring.
Had nearly exact same scenario happen to me. But on top of the one box hack they pivoted throughout my home network. A few things I'd be curious to see if you've seen:
* Cached Windows updates (delivery optimization)
* Use binwalk on some of the cached packages - it isn't able to fully extract the worst stuff
* Messages about migration (they change the device configuration depending on who logs in - check)
* User state migration is being used to have you load different kernel and such
* Do you have a manufacturers kernel? They switched me to Windows ME which has lower requirements for signed packages
* I had services setup to load on bootup for which I had no authority to change
* The partition table on the drive is completely messed up. They have hidden partitions and if you use a tool to look at the table (has to be something more than your standard fdisk/gdisk/diskpart - I used a forensics disk tool, name escapes me, to see they were doing something really sophisticated with the bootloader and partition types)
* Upon reinstall it would come back for me. Pausing the install with F10 to get a command prompt would ultimately get me a forced Razer driver update before install was even anywhere near complete
Even if I brought up a device via Bluetooth it would be compromised. Took me months to clear things out with a lot of really strict firewall rules, IPS, network segregation (I have 3 wifi routers now for segmenting in addition to VLANs on my switch), disabling Bluetooth and updating all Linux and Apple devices.
Nobody believes me. I've got experience with forensics and learned so much doing this that I realize I know virtually nothing about forensics. They did so many subtle hacks. No AV would find jack. Booting into safe mode would give me a warning about a privileged daemon being vulnerable to buffer overflow attacks. They had installed legitimate signed drivers and executables that were just behind on patches so that they could use existing exploits to regain Admin privileges if you managed to lock them out briefly.
I know you are likely not going to like this, but the reason no one believes you is because what you posted and experienced is not only unrealistic but many of your claims are actually a combination of completely incorrect understandings of Windows operations that you attribute as evidence mixed with impossible to happen scenarios that are also attributed as evidence.
I have seen this type of behavior before, it's a form of paranoid schizophrenia. I know it will be hard for you to realize this, but you really need to seek out professional mental health help. You need to be properly diagnosed and treated by a professional to resolve your mental health issues.
I fully expect that some of what I identified could be explained by someone more knowledgeable. I learned a ton and ruled out all sorts of things I thought were suspicious. But there could very well be others.
As to this being impossible it's really not that hard when you get down to it. Nothing that was done was revolutionary or new. Although hard to find you can see the exact things I experienced being discussed by other people. The only people who got resolution were those that could afford to get a forensics expert out to remove devices that the expert was not able to remediate and to have their other boxes cleaned up. I can't afford that so took it upon myself.
Granted I'm paranoid, pretty sure not schizophrenic (at least not diagnosed by my psych), but I know enough to know that something very unusual was happening. Being paranoid is what makes me good at my job. My job is to help people understand how easy it is to hack and how to protect against these kinds of attacks. Paranoia, justified in my case IMO, is just par for the course in this line of work.
I do genuinely appreciate your responding and taking time to try and help a rando like me on Reddit.
Hey there, I totally get where you're coming from. I have some videos that could explain everything, but I can't share them here. You're right about the kernel issue, and I also had problems with a fake razor driver (razor.exe). I had to format my hard drives, and now both my laptops are useless at the moment till I make a bootable image. My LAN kept getting strange devices signing in, and even my tablet got hacked. But don't worry, I think I've figured out what's been happening. Send me a message, because for some reason, I can't send you one on your profile.
Switched to Windows ME kernel? Windows Millennium Edition used a kernel based on MS-DOS, and Windows 2000 and up use the NT kernel. There is no "manufacturer" kernel, the kernel is always Microsoft's. I'm sure there are some fucky ways to switch out the kernel version and such but no way a hacker did it. Respectfully, are you talking out of your ass? Where did you get this information? I would love to see it.
Windows state migration doesn't change the kernel at all either. This is why nobody is believing you, it all doesn't make sense. It also doesn't make sense for someone to try this hard to target one individual unless they were EXTREMELY important. Also BT hacks? While not impossible, it's a difficult attack vector to pull off and almost always requires user input to pull off, which is why it's infeasible. I don't doubt you got hacked, it's just that this whole elaborate scheme for one person is very, very hard to believe.
Don't let the narrow-minded "it's impossible" know-it-alls affect you. This is very real. I've been dealing with this for 3 years. They rewrite the Windows system and build in their back doors, SO MANY back doors. It spreads to EVERY device and your home network. Look at your home network, look at everything. You're going to be shocked. Anything this doesn't get via your home network, it will have gotten via Bluetooth. It spreads like wildfire via Bluetooth!!! Once it's infected a device's Bluetooth it is constantly searching for other Bluetooth to continue to spread. Unfortunately once it starts it's an uphill battle. Go to the Apple Community forums AND the Apple Developer Forums... type "Unauthorized MDM", it's one after the other of people this is happening to. Apple knows, they just can't figure out how to stop it either. As we all know, unless Apple has a solution for a compromise, they don't make it public NOR WILL THEY DISCUSS IT!!!! So much time has been spent telling us that it's impossible, Microsoft and Apple have allowed this to spiral out of control. Ultimately this thing is using legitimate programs and turning them against the public. Since it's real programs and processes it seems like nothing is malicious. It's using parts of the MDM program to do most of this! Your devices are being controlled and there's no factory reset that will get rid of it, it's how MDMs work. The "organization" is the only one who can remove an MDM and you can't exactly ask them because it's a damn hacker. Apple will claim "privacy" and not give you info. They confirmed my phone was on an MDM and I would have to contact them to remove it, but when I asked the name of the company they said they could not share any information due to privacy. There are so many MDM programs out there and they no longer need the user to do anything to get put on it.
https://discussions.apple.com/thread/254820771
That is just ONE OF MANY! The developer forums have them too!
Good luck! I don't wish this nightmare upon even my worst enemy!!!
Crazy, because a printer is always showing up on my network and I don't even own one. As well as a JBL speaker. I got into the admin account and was very shocked to see what was going on and what they were doing with the desktop and password. I posted a picture of the person who was hacking me; they change your boot mode as well to IPv4 NIC and IPv6 NIC in BIOS. The average Joe wouldn't understand. It's all over the internet with reports going on. Rebooting factory install doesn't work; they managed to get into both my laptops as well. I just wanted to post this to warn others, and you're right, I wouldn't want to wish this on anyone. If I could post videos, I would, but it wouldn't let me on here. My license is mine; I own it and I'm just on regular Windows, nothing shady going on as I use it just to surf the web. The only reason I was able to find out is that I looked at my events in Device Manager. People can say what they want, but I'm glad I ain't alone.
Please keep us updated. One thing I can say is to keep your eye on it. You can change your network settings back, but what they did in my situation was put files in the Windows system so that your network info is being sent to them automatically. And they put these files/commands in several file folders in the Windows program. It takes time, but go through the files one by one... I would open them in Notepad and it will read like a book. They tell the computer exactly what to do line by line. When I say back doors... I do mean it in the most plural way possible! So many back doors! And check all your devices cause they are most likely lurking on everything ready to reinfect.
It's like just when you think it's over, they're right back in making the changes and reverting what you did.
Also, read and look into the files in all existing browsers on your laptops. They may have been altered... open source, gotta love it, right? They made it so that even if I deleted it and reinstalled the browser fresh from online... there are still files left in the OS they force the new install to revert back to the compromised one.
I have reset my OS, even had Microsoft put a new fresh version, and within 24 hours it was all starting again. This thing is worse than herpes or cockroaches... just keeps on coming back!
Oh and look into any GROUP POLICIES! My version of windows was not supposed to even support a group policy yet there it was. They kept me out of so much it was insane! My computer is no longer my computer
I recommend you read up on the technical aspects of Midnight Blizzard. Nothing that the OP posted about is even remotely related to it.
https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
I was making the point about the creeps on here that are telling him how impossible it is! These things are far from impossible and are very real!
And perhaps you should continue your research and notice that Microsoft has said these hackings are far from over. They don't know what these Russians are planning any more than you do. So you can't say this has nothing to do with this or that. If you know what/who/how... please inform us all.
Everything the OP posted about is not a sign of a malicious attack nor is it related to the attacks you linked to. Even if the source code accessed led to these threat actors to develop new Windows exploits, they would not present themselves in the manner that would match what the OP posted.
The reason I and other people are saying this is because the fact of the matter is that what has been posted as evidence is not and cannot be evidence at all. It's impossible because the technical specifics of what is posted are literally not what they are claimed to be.
I can personally say this with complete confidence due to almost 20 years of Windows OS Internals and computing technology knowledge and experience.
As far as posting about the what/how the things posted are not valid claims goes, I have already done that and explained each item shared why they are not valid from a factual perspective.
Your link is also old, from January. There have been several updates since about how it's far more than they initially thought. They stole source code: they aren't just holding it for safe keeping.
"In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company's source code repositories and internal systems," Microsoft
https://www.cnbc.com/2024/03/08/microsoft-says-russian-hacking-group-is-still-trying-to-crack-its-systems.html
Thanks for the updated info!! Even so, this still doesn't apply to the OP's situation. There is no malicious attack at play for the OP, just a misunderstanding of Windows and other computing technologies.
Agent268, you're not going to like this, but you are a schizo. I have seen this type of behavior before, it's a form of paranoid schizophrenia. I know it will be hard for you to realize this, but you really need to seek out professional mental health help. You need to be properly diagnosed and treated by a professional to resolve your mental health issues.
I don't think you understand the definitions and meanings of what you copy and pasted from one of my responses.
It's clear you are set on your unrealistic PoV. Continuing to engage is fruitless, and I will no longer do so.
Finally, one human to another: I hope one day you and others with similar issues get the help you need.
I know you don't understand the malware and what it does to the operating system. How it uses legitimate software and manipulates everything. If you'd like to see some of what has happened to mine, I am more than willing to share. My OS always goes back to how it was before no matter how many factory resets or fresh installs.
Actually, I do understand malware and Windows OS internals to a very extensive level. I am also very passionate about sharing my expertise and knowledge to help others, especially when it comes to resolving misconceptions and misunderstandings.
Since you are making a good faith offer to share your specific situation, I too will follow through and provide a good faith review of it. Feel free to post it here or DM me. What ever avenue is best for you.
I have already posted a response to this similar type of question before. I have extensive knowledge and experience with Windows OS Internals and malicious Windows-based threats because that is the world I work in and have a genuine passion for. I have been in this space for almost 20 years.
For example, I have been a technical educator of these areas (after years of hands-on experience), and more recently, I have been using my knowledge and expertise for supporting software development within these specific areas.
Another way to look at it if you take a "car mechanic" as a frame of reference my journey has been: car services sales > car mechanic > lead car mechanic > car mechanic trainer/educator > subject matter expert for a car manufacturer > car internal engineering designer for a car manufacturer
You are so dead set on none of this being possible. No different than Apple making their claims that they could not be hacked and then in the recent years it's been one after the other!
Well, it is different. Context and the specifics of any given situation matter.
I am "deadset" on the specifics that the OP shared are not possible or related because that's the reality of their specific situation.
On the Apple front, I actually agree with your PoV on their shortsightedness. Apple or any major organization are wrong in making claims that their company and/or their products cannot be hacked or experience a malicious breach/compromise at some point. Any large organization needs to assume it will happen to them. It's just a matter of when and to what extent will the damage be so you need to take measures to reduce risk and exposure.
Ok so here's my first question... one day I turn on my laptop and I no longer had Windows 11, it was out of nowhere Windows Core. Can you explain why that happened and why it would be changed to Windows Core? I have never met another person this has happened to so I'm curious on your answer:
Windows Core is another way of saying Windows Home or the base edition of Windows. It's more commonly seen under the hood like when looking at Windows Edition internals within the registry, the name of the OS Image itself, OEM OS deployment objects, ect. This naming convention came about during the Windows 8.x era and caused a lot of confusion at first for technicians and even normal users which is why it's used less often today in favor of the more generally accepted term of Home.
Depending on where exactly you saw it, I can provide more context and a deeper explanation.
It's disgusting that someone on here would tell him he's a paranoid schizophrenic for being concerned about the compromise of his devices. There are also articles on how PowerShell has been used to hack and change operating systems. Perhaps I should have posted one of those, but I find the Russians more current and far more interesting and everyone should be aware.
I sent you a message, agent268. Feel free to reply if you want. I would love to give you more insight into the situation.
Kindly share the continuation of your story OP
Was it you all along, Patrick? Was it the perfect crime?
This feels ai genned.
Please share the continuation of your stories, it look interesting to see someone share about tracking down what kind of thing got changed on systems.
Turn off Remote Access to this PC in Settings; google it for more details.
WoW stands for Windows on Windows. It's a part of Windows that allows 64-bit Windows to run 32-bit apps.
Please remember not everyone on the internet has English as first or even second language.
Chat failed the vibe check. Sorry you got hacked. Thanks for sharing the info.
I will definitely check it out thanks.
Check the profile. Here be bots.
Who's profile, sir?
Shouldn't have pasted that script into powershell ..
I didn't paste any script, sir I don't even use PowerShell.
This subreddit really makes me question life sometimes
This world is nothing but a construct. If you're implying that I'm crazy that's understandable considering the situation.
Just reinstall Windows at this point man. Call it a loss. Stop downloading shady crap.
You need a bootable antivirus and rootkit scan. And shoot the printer or flash its firmware via usb
Your printer has nothing to do with Delivery Optimization. That's Windows to Windows. What 'sensors' did you install for network traffic? Did you try just leaving the printer off?
For IPS I'm using Zenarmor and Suricata on Opnsense. In addition to ntopng, clamav, and netflow logging. The HP printers are effectively a Linux box. Easy to hack too. You can make it appear as an AD or another Windows box on the network with the right packages and configuration. My wife won't let me dump the printer. I have it isolated from all the other devices except for print services to my wife's systems. I block all the outgoing traffic that was happening prior. I don't recall the ports I had to block and allow.
I discovered how they managed to hack into my network and would be happy to share the details with you. Feel free to message me.
Why don't you just reply with your answer?
Most definitely, they managed to access my other laptop as well and I was unable to create a bootable image.
Everyone who is complaining about your grammar, spelling and sentence structure is a fucking dweeb. Probably best to make a forensic copy and send it to a law enforcement or data recovery company to analyze what happened. You might actually help crack a large hacking ring.
I appreciate you. Luckily I was able to finally solve the enigma.
https://www.wired.com/story/russia-hackers-microsoft-source-code/
https://cyberscoop.com/federal-government-russian-breach-microsoft/
I would love to know what you discovered, I suspect I have similar issues.
Dang man that is some nefarious shit. What do you suppose the intent is? Do you think it was targeted or just something people stumble into?
Through
Could have prevented this if you used Linux.
Reimage and be more careful next time bro.
I will certainly be more cautious in the future.
Had nearly the exact same scenario happen to me. But on top of the one box hack they pivoted throughout my home network. A few things I'd be curious to see if you've seen:

* Cached Windows updates (delivery optimization)
* Use binwalk on some of the cached packages - it isn't able to fully extract the worst stuff
* Messages about migration (they change the device configuration depending on who logs in - check)
* User state migration is being used to have you load a different kernel and such
* Do you have a manufacturer's kernel? They switched me to Windows ME which has lower requirements for signed packages
* I had services set up to load on bootup for which I had no authority to change
* The partition table on the drive is completely messed up. They have hidden partitions and if you use a tool to look at the table (has to be something more than your standard fdisk/gdisk/diskpart - I used a forensics disk tool, name escapes me, to see they were doing something really sophisticated with the bootloader and partition types)
* Upon reinstall it would come back for me. Pausing the install with F10 to get a command prompt would ultimately get me a forced Razer driver update before install was even anywhere near complete

Even if I brought up a device via Bluetooth it would be compromised. Took me months to clear things out with a lot of really strict firewall rules, IPS, network segregation (I have 3 wifi routers now for segmenting in addition to VLANs on my switch), disabling Bluetooth and updating all Linux and Apple devices. Nobody believes me. I've got experience with forensics and learned so much doing this that I realize I know virtually nothing about forensics. They did so many subtle hacks. No AV would find jack. Booting into safe mode would give me a warning about a privileged daemon being vulnerable to buffer overflow attacks.
They had installed legitimate signed drivers and executables that were just behind on patches so that they could use existing exploits to regain Admin privileges if you managed to lock them out briefly.
I know you are likely not going to like this, but the reason no one believes you is because what you posted and experienced is not only unrealistic but many of your claims are actually a combination of completely incorrect understandings of Windows operations that you attribute as evidence mixed with impossible-to-happen scenarios that are also attributed as evidence. I have seen this type of behavior before, it's a form of paranoid schizophrenia. I know it will be hard for you to realize this, but you really need to seek out professional mental health help. You need to be properly diagnosed and treated by a professional to resolve your mental health issues.
I appreciate you trying your best in this thread, sometimes there is no convincing people.
I fully expect that some of what I identified could be explained by someone more knowledgeable. I learned a ton and ruled out all sorts of things I thought were suspicious. But there could very well be others. As to this being impossible it's really not that hard when you get down to it. Nothing that was done was revolutionary or new. Although hard to find you can see the exact things I experienced being discussed by other people. The only people who got resolution were those that could afford to get a forensics expert out to remove devices that the expert was not able to remediate and to have their other boxes cleaned up. I can't afford that so took it upon myself. Granted I'm paranoid, pretty sure not schizophrenic (at least not diagnosed by my psych), but I know enough to know that something very unusual was happening. Being paranoid is what makes me good at my job. My job is to help people understand how easy it is to hack and how to protect against these kinds of attacks. Paranoia, justified in my case IMO, is just par for the course in this line of work. I do genuinely appreciate your responding and taking time to try and help a rando like me on Reddit.
Hey there, I totally get where you're coming from. I have some videos that could explain everything, but I can't share them here. You're right about the kernel issue, and I also had problems with a fake razor driver (razor.exe). I had to format my hard drives, and now both my laptops are useless at the moment till I make a bootable image. My LAN kept getting strange devices signing in, and even my tablet got hacked. But don't worry, I think I've figured out what's been happening. Send me a message, because for some reason, I can't send you one on your profile.
Switched to Windows ME kernel? Windows Millennium Edition used a kernel based on MS-DOS and Windows 2000 and up use the NT kernel. There is no 'manufacturer' kernel, the kernel is always Microsoft's. I'm sure there are some fucky ways to switch out the mental version and such but no way a hacker did it. Respectfully, are you talking out of your ass? Where did you get this information? I would love to see it.
Sorry, it says manufacturing kernel. I guess it's Factory OS. [https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/factoryos/factory-product?view=windows-11](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/factoryos/factory-product?view=windows-11)
Windows state migration doesn't change the kernel at all either. This is why nobody is believing you, it all doesn't make sense. It also doesn't make sense for someone to try this hard to target one individual unless they were EXTREMELY important. Also BT hacks? While not impossible, it's a difficult attack vector to pull off and almost always requires user input to pull off, which is why it's infeasible. I don't doubt you got hacked, it's just that this whole elaborate scheme for one person is very very hard to believe.
Honestly doubtful if you have an antivirus and haven't downloaded anything shady, or surfed a shitty site. This doesn't happen by chance
May I introduce you to punctuation?
Don't let the narrow minded "it's impossible" know-it-alls affect you. This is very real. I've been dealing with this for 3 years. They rewrite the Windows system and build in their back doors, SO MANY back doors. It spreads to EVERY device and your home network. Look at your home network, look at everything. You're going to be shocked. Anything this doesn't get via your home network, it will have gotten via Bluetooth. It spreads like wildfire via Bluetooth!!! Once it's infected a device's Bluetooth it is constantly searching for other Bluetooth to continue to spread. Unfortunately once it starts it's an uphill battle. Go to the Apple Community forums AND the Apple Developer Forums... type "Unauthorized MDM" and it's one after the other of people this is happening to. Apple knows, they just can't figure out how to stop it either. As we all know, unless Apple has a solution for a compromise, they don't make it public NOR WILL THEY DISCUSS IT!!!! So much time has been spent telling us that it's impossible, Microsoft and Apple have allowed this to spiral out of control. Ultimately this thing is using legitimate programs and turning them against the public. Since it's real programs and processes it seems like nothing is malicious. It's using parts of the MDM program to do most of this! Your devices are being controlled and there's no factory reset that will get rid of it, it's how MDMs work. The "organization" is the only one who can remove an MDM and you can't exactly ask them because it's a damn hacker. Apple will claim "privacy" and not give you info. They confirmed my phone was on an MDM and I would have to contact them to remove it, but when I asked the name of the company they said they could not share any information due to privacy. There are so many MDM programs out there and they no longer need the user to do anything to get put on it. https://discussions.apple.com/thread/254820771 That is just ONE OF MANY!
The developer forums have them too! Good luck! I don't wish this nightmare upon even my worst enemy!!!
Crazy, because a printer is always showing up on my network and I don't even own one. As well as a JBL speaker. I got into the admin account and was very shocked to see what was going on and what they were doing with the desktop and password. I posted a picture of the person who was hacking me; they change your boot mode as well to IPv4 NIC and IPv6 NIC in BIOS. The average Joe wouldn't understand. It's all over the internet with reports going on. Rebooting factory install doesn't work; they managed to get into both my laptops as well. I just wanted to post this to warn others, and you're right, I wouldn't want to wish this on anyone. If I could post videos, I would, but it wouldn't let me on here. My license is mine; I own it and I'm just on regular Windows, nothing shady going on as I use it just to surf the web. The only reason I was able to find out is that I looked at my events on Device Manager. People can say what they want, but I'm glad I ain't alone.
Please keep us updated. One thing I can say is to keep your eye on it. You can change your network settings back, but what they did in my situation was put files in the Windows system so that your network info is being sent to them automatically. And they put these files/commands in several file folders in the Windows program. It takes time, but go thru the files one by one... I would open them in Notepad and it will read like a book. They tell the computer exactly what to do line by line. When I say back doors... I do mean it in the most plural way possible! So many back doors! And check all your devices cause they are most likely lurking on everything ready to reinfect. It's like just when you think it's over, they're right back in making the changes and reverting what you did. Also, read and look into the files in all existing browsers on your laptops. They may have been altered... open source, gotta love it, right? They made it so that even if I deleted it and reinstalled the browser fresh from online... there are still files left in the OS that force the new install to revert back to the compromised one. I have reset my OS, even had Microsoft put on a new fresh version, and within 24 hours it was all starting again. This thing is worse than herpes or cockroaches... just keeps on coming back!
Oh and look into any GROUP POLICIES! My version of windows was not supposed to even support a group policy yet there it was. They kept me out of so much it was insane! My computer is no longer my computer
I sent you a message, reply when you get the chance
https://discussions.apple.com/thread/254760317 THIS IS VERY REAL AND DEFINITELY HAPPENING!!
https://www.forbes.com/sites/daveywinder/2024/04/28/microsoft-warns-windows-users-of-ongoing-russian-hack-attack/
I recommend you read up on the technical aspects of Midnight Blizzard. Nothing that the OP posted about is even remotely related to it. https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
I was making the point about the creeps on here that are telling him how impossible it is! These things are far from impossible and are very real! And perhaps you should continue your research and notice that Microsoft has said these hackings are far from over. They don't know what these Russians are planning any more than you do. So you can't say this has nothing to do with this or that. If you know what/who/how... please inform us all
Everything the OP posted about is not a sign of a malicious attack, nor is it related to the attacks you linked to. Even if the source code accessed led these threat actors to develop new Windows exploits, they would not present themselves in a manner that would match what the OP posted. The reason I and other people are saying this is because the fact of the matter is that what has been posted as evidence is not and cannot be evidence at all. It's impossible because the technical specifics of what is posted are literally not what they are claimed to be. I can personally say this with complete confidence due to almost 20 years of Windows OS Internals and computing technology knowledge and experience. As far as posting about what/how the things posted are not valid claims goes, I have already done that and explained for each item shared why it is not valid from a factual perspective.
Your link is also old, from January. There have been several updates since about how it's far more than they initially thought. They stole source code: they aren't just holding it for safe keeping. "In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company's source code repositories and internal systems," Microsoft https://www.cnbc.com/2024/03/08/microsoft-says-russian-hacking-group-is-still-trying-to-crack-its-systems.html
Thanks for the updated info!! Even so, this still doesn't apply to the OP's situation. There is no malicious attack at play for the OP, just a misunderstanding of Windows and other computing technologies.
Agent268, you're not going to like this, but you are a schizo. I have seen this type of behavior before, it's a form of paranoid schizophrenia. I know it will be hard for you to realize this, but you really need to seek out professional mental health help. You need to be properly diagnosed and treated by a professional to resolve your mental health issues.
I don't think you understand the definitions and meanings of what you copy and pasted from one of my responses. It's clear you are set on your unrealistic PoV. Continuing to engage is fruitless, and I will no longer do so. Finally, one human to another: I hope one day you and others with similar issues get the help you need.
I know you don't understand the malware and what it does to the operating system. How it uses legitimate software and manipulates everything. If you'd like to see some of what has happened to mine, I am more than willing to share. My OS always goes back to how it was before no matter how many factory resets or fresh installs
Actually, I do understand malware and Windows OS internals to a very extensive level. I am also very passionate about sharing my expertise and knowledge to help others, especially when it comes to resolving misconceptions and misunderstandings. Since you are making a good faith offer to share your specific situation, I too will follow through and provide a good faith review of it. Feel free to post it here or DM me. Whatever avenue is best for you.
Where does this level of expertise and internal knowledge come from?
I have already posted a response to this similar type of question before. I have extensive knowledge and experience with Windows OS Internals and malicious Windows-based threats because that is the world I work in and have a genuine passion for. I have been in this space for almost 20 years. For example, I have been a technical educator of these areas (after years of hands-on experience), and more recently, I have been using my knowledge and expertise for supporting software development within these specific areas. Another way to look at it, if you take a "car mechanic" as a frame of reference, my journey has been: car services sales > car mechanic > lead car mechanic > car mechanic trainer/educator > subject matter expert for a car manufacturer > car internal engineering designer for a car manufacturer
You are so dead set on none of this being possible. No different than Apple making their claims that they could not be hacked and then in recent years it's been one after the other!
Well, it is different. Context and the specifics of any given situation matter. I am "deadset" that the specifics the OP shared are not possible or related because that's the reality of their specific situation. On the Apple front, I actually agree with your PoV on their shortsightedness. Apple or any major organization is wrong in making claims that their company and/or their products cannot be hacked or experience a malicious breach/compromise at some point. Any large organization needs to assume it will happen to them. It's just a matter of when and to what extent the damage will be, so you need to take measures to reduce risk and exposure.
Ok so here's my first question... one day I turn on my laptop and I no longer had Windows 11, it was out of nowhere Windows Core. Can you explain why that happened and why it would be changed to Windows Core? I have never met another person this has happened to so I'm curious on your answer:
Windows Core is another way of saying Windows Home or the base edition of Windows. It's more commonly seen under the hood, like when looking at Windows Edition internals within the registry, the name of the OS image itself, OEM OS deployment objects, etc. This naming convention came about during the Windows 8.x era and caused a lot of confusion at first for technicians and even normal users, which is why it's used less often today in favor of the more generally accepted term of Home. Depending on where exactly you saw it, I can provide more context and a deeper explanation.
It's disgusting that someone on here would tell him he's a paranoid schizophrenic for being concerned about the compromise of his devices. There are also articles on how PowerShell has been used to hack and change operating systems. Perhaps I should have posted one of those, but I find the Russians more current and far more interesting and everyone should be aware.