How to Catch A Hacker In Your Computer

  • Published 31 Jul 2024
  • Sponsored: Get 25% off Blinkist premium and enjoy 2 memberships for the price of 1! Start your 7-day free trial by clicking here: www.blinkist.com/thiojoe
    In this video we discuss how to detect if someone is snooping around your computer, whether a hacker or anyone else. The first method is a cool service called "Canary Tokens" which lets you set traps or "canaries" that will send you an email if they are accessed. These can be files of various types, Windows folders, links, and many more. Then I show you a method I came up with, where if someone accesses a specific file or folder in any way (even copying it without opening it), it will trigger an immediate shutdown of the computer and/or disable all network adapters to cut off remote access. This method is done using the Auditing security features in Windows.
    ADDITIONAL NOTES / UPDATES:
    • Many commenters have suggested adding the "-f" (force) parameter to the shutdown command, which prevents any programs from blocking the shutdown. So I'll add that to the command below.
    • Many commenters have also mentioned that the Windows folder canary token wasn't working for them, so it might not be very reliable.
    Commands for copying:
    • Disable All Network Adapters ⇨ Get-NetAdapter | Disable-NetAdapter -Confirm:$false
    • Timed Shutdown With Message ⇨ shutdown -s -f -t 30 -c "Your message here"
    • Cancel Shutdown ⇨ shutdown -a
    • Apply Group Policy Changes ⇨ GPUpdate /Force
    ▼ Time Stamps: ▼
    0:00 - Intro
    0:51 - An Excellent Thing
    2:19 - Canary Tokens
    6:26 - My Method
    7:31 - The Steps
    7:56 - Enable Auditing
    9:58 - Task Scheduler Tasks
    11:35 - Setting Actions When Triggered
    14:29 - Event Viewer Log
  • Science & Technology
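
The setup the description outlines (File System auditing on one decoy file, then a Task Scheduler task triggered by the resulting Security-log event), sketched in PowerShell as an added example; it is not the video author's script. The decoy path and task name are placeholders, event ID 4663 is the standard Windows "attempt to access an object" audit event, and the dry-run step is included because several commenters report benign readers (indexer, antivirus, backup tools) tripping the trap.

```powershell
#Requires -RunAsAdministrator
# Added example: the values below are illustrative placeholders, not from the video.
$CanaryPath = 'C:\Users\Public\Documents\passwords-backup.txt'  # hypothetical decoy file
$TaskName   = 'CanaryFileTripwire'                              # hypothetical task name
$Arm        = $false   # keep $false until the dry-run shows no benign readers

# 1. Create the decoy file if it is not there yet.
if (-not (Test-Path -LiteralPath $CanaryPath)) {
    Set-Content -LiteralPath $CanaryPath -Value 'decoy'
}

# 2. Enable File System object-access auditing (the auditpol command quoted in
#    the comments; no Group Policy editor needed).
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 3. Add an audit entry (SACL) to the decoy only, so audit volume stays low.
#    S-1-1-0 is the well-known SID for Everyone (independent of OS language).
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -LiteralPath $CanaryPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $CanaryPath -AclObject $acl

# 4. Event filter: only event 4663 whose ObjectName is exactly the decoy path.
$xpath = "*[System[(EventID=4663)] and EventData[Data[@Name='ObjectName']='$CanaryPath']]"

# 5. Dry-run: list who has already touched the decoy, grouped by process.
function Get-CanaryHits {
    param([int]$MaxEvents = 200)
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$node.Name] = $node.'#text'
            }
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                User    = $data['SubjectUserName']
                Process = $data['ProcessName']
            }
        }
}
Get-CanaryHits | Group-Object Process | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 6. Arm the response only after reviewing step 5. The action is the
#    "disable all network adapters" command from the description.
if ($Arm) {
    $action = 'powershell.exe -NoProfile -Command Get-NetAdapter | Disable-NetAdapter -Confirm:$false'
    schtasks /Create /TN $TaskName /SC ONEVENT /EC Security /MO $xpath /TR $action /RU SYSTEM /F
}

# Undo: schtasks /Delete /TN CanaryFileTripwire /F
#       Get-NetAdapter | Enable-NetAdapter
```

Run it once with `$Arm = $false`, use the machine normally for a day, and check the grouped output before switching the task on.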

COMMENTS • 563

  • @ThioJoe
    @ThioJoe 1 year ago +66

    Sponsored: Get 25% off Blinkist premium and enjoy 2 memberships for the price of 1! Start your 7-day free trial by clicking here: www.blinkist.com/thiojoe

  • @virtual2288
    @virtual2288 1 year ago +618

    The hacker watching me watch this video :

    • @MalieDon
      @MalieDon 1 year ago +42

      That's me rn💀

    • @tcmine
      @tcmine 1 year ago +9

      @MalieDon 🤨

    • @virtual2288
      @virtual2288 1 year ago

      @testvideos4837 I mean the computer itself. I don't even have a webcam on my monitor... Who even has a webcam with their PC. And even so just put it in the wall and bring it out when you need.

    • @Redo-it
      @Redo-it 1 year ago +11

      @TESTVIDEOS I have a web cam that pops up when I click it

    • @0AThijs
      @0AThijs 1 year ago

      @testvideos4837 🤯

  • @szr8
    @szr8 1 year ago +257

    6:39 A way to effect group policy editing changes on a Home edition is to do it on a Pro/Enterprise/Server version then go to the registry and export the policy that was set, copy the exported .reg file to a Home version and then merge into its registry.

    • @QuorraPlays
      @QuorraPlays 1 year ago +7

      Thank you for this. Will definitely try it out next time I need it.🤯

    • @Valorshine
      @Valorshine 1 year ago +20

      You can "hack" home edition and add group policy to this version of windows

    • @vnc.t
      @vnc.t 1 year ago +1

      @Valorshine yes

    • @I.____.....__...__
      @I.____.....__...__ 1 year ago +14

      @Valorshine Indeed. It only takes two lines of code and doesn't require downloading anything, the files are already present, they just need to be installed. Almost like using the "Windows Features" dialog.

    • @nuchemweinstock9978
      @nuchemweinstock9978 1 year ago +15

      You can also enable auditing by running the following commands as administrator
      Auditpol /set /subcategory:"Detailed File Share" /success:enable
      Auditpol /set /subcategory:"File System" /success:enable
      Auditpol /set /subcategory:"Detailed File Share" /failure:enable
      Auditpol /set /subcategory:"File System" /failure:enable

  • @timehunter9467
    @timehunter9467 1 year ago +285

    The folder trick made me laugh, one guy who annoys scammers had a folder called “nudes” the scammer took a look and it was naked mole rats 🤣

    • @trog871
      @trog871 1 year ago +45

      This implies that mole rats wear clothes...

    • @nubidubi23
      @nubidubi23 1 year ago +24

      Kitboga :))

    • @I.____.....__...__
      @I.____.....__...__ 1 year ago +6

      I've seen a different scam-baiter have a similar folder full of photos of Indians. I think it was Lewis or one of the other ones that stopped baiting a long time ago. 🤔

    • @itsmanasK
      @itsmanasK 1 year ago +3

      Oh yeah clicking photos of naked rats is absolutely immoral.

    • @Windows7-fz3ws
      @Windows7-fz3ws 1 year ago

      bro u actually got scammed 💀

  • @Amonimus
    @Amonimus 1 year ago +148

    Another trap potential: an autohotkey macro. You let the script run while you AFK, and if any button is pressed except the one specified, another script runs.

    • @-El.Inexperto
      @-El.Inexperto 1 year ago +4

      uh i like it!

    • @walksanator
      @walksanator 1 year ago +21

      So basically a "temp lockout" where if any key except the disable key is pressed an action occurs

    • @Lofote
      @Lofote 1 year ago +3

      I don't get this trick however... why not just using Windows password and lock the computer when leaving the computer via Win+L or something like that?

    • @Amonimus
      @Amonimus 1 year ago +20

      @Lofote This video is about when that level has breached (or not set up). Maybe you just forgot to log out, someone has guessed the password, or hacked into remote desktop.
      Naturally, people normally wouldn't let others get to their computers, but there are additional ways to make it completely unusable to anyone beside you.

    • @lastchance1036
      @lastchance1036 2 months ago

      Make it F13 😉

  • @anthonynorton666
    @anthonynorton666 1 year ago +1

    Thank you. This is definitely bookmarked in case I need to use it and follow the instructions closer. Really appreciate your time in making this.

  • @ronelm2000
    @ronelm2000 1 year ago +20

    It would also be useful to set up a trigger for if anyone tries to change Group Policy, as smarter malware might mess with that before copying anything.

  • @VideosNotFound
    @VideosNotFound 1 year ago +256

    Hackers watching this: 💀
    Edit: Guys stop liking this my notifications explode..........
    (Btw yes, my comment has 10x more likes than the creators lol)

  • @nostressyjessie
    @nostressyjessie 1 year ago +19

    I do have to say I'm so glad you got away from troll content, as much as I loved it back then too, to something so much more useful overall to everyone. Definitely seems like a good pay it forward!

  • @Jdbye
    @Jdbye 1 year ago +8

    I think every Group Policy setting can be changed directly in the registry if you know where, regardless of whether you have Home or Pro versions of Windows. So that might be worth looking into for anybody stuck with Home.

  • @chromerims
    @chromerims 11 months ago

    Thank you. Very clever traps and alerts using Windows files and folders.

  • @gavincstewart
    @gavincstewart 1 year ago +1

    excellent video! this is all great information to have and I would love to learn more about what I can do with task scheduler!

  • @izeo997
    @izeo997 1 year ago +4

    Canary token can also be used for defenders and security professionals because they can use to lure attackers into revealing their presence or actions.
    great content!

  • @GaryBeltz
    @GaryBeltz 1 year ago +6

    My message for the shutdown would be something like "Warning! the self destruct sequence has been activated. The computer will explode in (seconds)

  • @poppies1215
    @poppies1215 1 year ago +12

    Hello Joe. Thank you for all the great tips!

  • @TheMAZZTer
    @TheMAZZTer 1 year ago +11

    Windows will cache icons so the folder token probably stopped working for that reason. I imagine the idea is once it's triggered once you don't necessarily care if you miss subsequent triggers, so it's fine if the icon cache causes it not to retrigger.
    Keep in mind auditing is off by default as it tends to slow down file access. So this may not be the best solution depending on your hardware. That said if you set it up for only specific files you're probably ok. Also keep in mind as you said lots of applications have legitimate reasons to sneak a peek at arbitrary files, but this extends beyond the search indexer. For example AV scanners, Windows Explorer trying to generate a thumbnail, etc so audits may not be as useful as you might think.

  • @rsearchtim
    @rsearchtim 1 year ago

    Thanks for the video on auditing file access.

  • @XDSDDLord
    @XDSDDLord 1 year ago +2

    Good ideas, thanks for this info.

  • @prowler1567
    @prowler1567 1 year ago

    Thanks for the in depth info. Will refer back for reference. 👍

  • @JuhaBaxton
    @JuhaBaxton 1 year ago

    Nice - big shout out! THX!

  • @Villager701
    @Villager701 1 year ago +1

    wow great video keep up the awesome work👍

  • @SKCro.
    @SKCro. 1 year ago +33

    Here's an easy-to-make "silent alarm" type of trap: Make a shortcut to a batch script that looks like a folder, and make that batch script write a file somewhere or otherwise alert you, then open the folder as normal. I dunno how to make CMD run silently though.
    You could also pull a prank and make it do the shutdown command instead, preferably with a custom message :P

    • @wojtekpolska1013
      @wojtekpolska1013 1 year ago +5

      "I dunno how to make CMD run silently though."
      just add " @echo off " at the start of a .bat file

    • @IsaacGeorgeYT
      @IsaacGeorgeYT 1 year ago

      That stops the command being entered being shown, I'm pretty sure @SKCro wants to hide the CMD window entirely.

    • @wojtekpolska1013
      @wojtekpolska1013 1 year ago +2

      @IsaacGeorgeYT nope, it hides the cmd prompt as well (if echo off is at the very top)

    • @IsaacGeorgeYT
      @IsaacGeorgeYT 1 year ago +1

      @wojtekpolska1013 not if there’s echo output though, right??? When I start my mc server I have echo off but I still get console output

    • @SKCro.
      @SKCro. 1 year ago +1

      @wojtekpolska1013 That just hides the output, it doesn't hide the command prompt window itself. I guess I could configure it to run minimized but 1) they might notice the taskbar icon flash, and 2) it might start the explorer window minimized as well.

  • @thatlooksdou
    @thatlooksdou 6 months ago

    Thanks for this information!

  • @wildmanjeff42
    @wildmanjeff42 1 year ago

    Pretty cool ! Thanks for the video !

  • @stultuses
    @stultuses 1 year ago +16

    Your channel got a shout out by Linus Tech Tips
    Well done and well deserved because of your excellent content

  • @internetdoggo4839
    @internetdoggo4839 1 year ago

    Great video! I'll actually setup this honeypot, it seems very handy

  • @Xilent1
    @Xilent1 1 year ago +3

    @ThioJoe
    I'm still going to like the video cause I do. I'm just upset that you just NOW made this video. This should've been your 1st video. Great information

  • @wngimageanddesign9546
    @wngimageanddesign9546 1 year ago +37

    Simply don't leave your computer unlocked. Create a desktop shortcut to immediately lock the OS and use it. You can even create a script to not only lock the screen but to display a fake background of some kind of work/development taking place to throw off the nosy busy bodies.

    • @FusionDeveloper
      @FusionDeveloper 1 year ago +11

      Hahaha, that reminds me of a prank I did on my friends computer (while he watched me do it, so it was just for laughs) where I took a screenshot of the desktop with all the icons and then used photo editing to mildly warp the screen/icons, then set that as the wallpaper.
      Unfortunately, I didn't know the computer was used by other people and another person called their tech support friend to troubleshoot the problem with the distorted icons.
      Of course the normal looking icons were on top of the distorted ones, but it still looked messed up.

    • @SKCro.
      @SKCro. 1 year ago +1

      Even better, use WinKey+L to instantly lock your computer. If you get into a habit of using it every time you walk away (and have bitlocker enabled), you'd have yourself a pretty secure PC :P

    • @AltonV
      @AltonV 1 year ago +7

      With dynamic lock in windows you can pair your phone with bluetooth and have the computer automatically lock when the phone gets disconnected

    • @Lofote
      @Lofote 1 year ago +5

      Exactly. Btw there is no need for a lock desktop icon, just use Win+L on the keyboard :)...

    • @CesarPeron
      @CesarPeron 1 year ago +2

      @Lofote Better to set it to activate the screensaver automatically after some downtime, it is much more user-proof. At least in 2 minutes, the session will be blocked.

  • @Dezo365
    @Dezo365 1 year ago +3

    Saw this tech on another tech YouTuber channel. Still gonna watch it anyways !

  • @rytek4274
    @rytek4274 1 year ago +3

    Theo dropping the heat 🔥

  • @AvaWavaGD
    @AvaWavaGD 1 year ago +6

    That is really useful. I was wondering if something could be similarly made for USB Drives, where it can log whoever accesses the drive, whether on the network or outside. Maybe even stopping access entirely?

  • @null7581
    @null7581 1 year ago +7

    So this could help solve a very niche problem where I want to log every time a computer opens edits or changes ANY file and save the result to a .CSV file
    (yes I'm aware this would create billions of entries) I've been trying to narrow down what a malware is doing - and logging everything it touches is very valuable.

  • @junaidahmadj
    @junaidahmadj 1 year ago

    That's a good idea 💡 thanks 😀

  • @avvn9331
    @avvn9331 1 year ago

    nice and helpful, this is something new, this has given me a nice use case

  • @paulfrayne6519
    @paulfrayne6519 1 year ago +2

    This will be interesting to experiment with

  • @seba.d
    @seba.d 1 year ago

    this is good.. thank you! 👍👍

  • @NickCassimon
    @NickCassimon 1 year ago

    Awesome video

  • @desleycasey7412
    @desleycasey7412 1 year ago

    Many thanks for this video. Highly informative. Actually there is a way to add group policy editor to Windows 10 & 11 Home Editions which I came across and it works like a treat. As I have Windows 11 Home, by installing group policy editor as a batch file, I was able to undertake all the steps you outlined in this video. Thanks again. I feel more secure knowing that if a hack took place, I have a good chance to stop the hacker in their tracks.

  • @varunsharma1889
    @varunsharma1889 1 year ago

    Interesting video. Quite a bit new stuff here 👍🏽

  • @roobscoob47
    @roobscoob47 1 year ago

    Thanks TJ~

  • @GHXST6-9
    @GHXST6-9 1 year ago +3

    Damn helpful.

  • @pouet4608
    @pouet4608 1 year ago +7

    So you just monitor an action on a file. Anyway, the idea is interesting . Thank you for this video

  • @zayndelobel5296
    @zayndelobel5296 1 year ago

    This was VERY helpful. Thanks ThioJoe :)

  • @alexj.f.kennedy6084
    @alexj.f.kennedy6084 1 year ago +11

    Now that's an actual reason to consider getting the Pro Versions of Windows

    • @DFPercush
      @DFPercush 1 year ago +2

      pro gives you the nice management console gui, but you can still do all these things from cmd/powershell and registry if you have a good reference handy. Some people in the comments are saying it's possible to install those features even in home, might want to come back and browse the comments section again. I will say though, when I did buy Windows I always bought Pro, but after all the BS with 11 I'm just done.

    • @internetdoggo4839
      @internetdoggo4839 1 year ago

      Microsoft-Activation-Scripts. look it up

  • @Draggie306
    @Draggie306 1 year ago +4

    Cool! Does this work if someone runs a command like tree, or indexes a list of file names on the computer using a Python script, for example? Or does it just trigger when the file is directly read?

  • @realjameskii
    @realjameskii 1 year ago +1

    The enable auditing one allowed me to make failed logins make a loud noise play, thanks

  • @computernerdtechman
    @computernerdtechman 1 year ago

    Very interesting.

  • @ArchonLicht
    @ArchonLicht 1 year ago +5

    If a hacker gets access to your machine and lists files not via RDP session with GUI but via some API calls or command line - the "token" won't be triggered, because there will be no showing of the icon. So it's rather unlikely this "token" will help you to know when you've been hacked - let alone CATCH the hacker.

  • @Cart1416
    @Cart1416 1 year ago +1

    That is really cool wow =)

  • @johnjacobjingleheimerschmi2108

    good job

  • @anjachan
    @anjachan 1 year ago

    this is very interesting.

  • @JustPyroYT
    @JustPyroYT 1 year ago

    This is very cool

  • @joeshmoe000
    @joeshmoe000 1 year ago +11

    I think there's got to be a way to just make an EXE, VBS or whatever just be associated with a different file extension and icon. So it could appear as a folder, but it's actually code that runs and you could make it do whatever you want. This is actually a sketch thing though cause malware could potentially use the same idea.

    • @gabrielloredodematosfelix7807
      @gabrielloredodematosfelix7807 1 year ago +3

      That only works with people that have the setting disabled, and if the person is accessing your computer, probably they know if they have extensions enabled, and they will probably check if it's actually a folder (and if they see it in explorer, it will appear as X.exe)

    • @joeshmoe000
      @joeshmoe000 1 year ago +4

      @gabrielloredodematosfelix7807 Maybe, but I'm wondering what would happen if you went in the registry and made a new file type, copy the folder file type data into it, and copy only the action part from the EXE file type. Now because folders never have a file extension, it would get hidden regardless of that setting, but it would run with the action of an EXE. It might not work, but I might try it sometime. I just don't want to completely mess up my system.

    • @Biggerman159
      @Biggerman159 1 year ago +1

      @joeshmoe000 siiiiiiiiiick

  • @Bosbesplayssss
    @Bosbesplayssss 1 month ago +1

    Thio single-handedly keeping the old ones out there safe from hackers 🤔

  • @test-rj2vl
    @test-rj2vl 1 year ago

    You don't need group policy. If you know programming you can simply subscribe to file events and then you can get your custom code called every time something happens. Kinda like Process Monitor by Sysinternals but write it yourself.

  • @lIIlllIIllIII
    @lIIlllIIllIII 1 year ago +2

    I do have a question. I noticed that my file will get triggered whenever a a gpu driver installs, a windows install or anything like that happens. Its a little sketchy to think that they are interacting with a txt file I have on my documents folder. Anyone have any clarifications or similar experiences???

  • @FBAMAP
    @FBAMAP 1 year ago

    What if they are using a RAT software and they are not clicking on the folder to get access to what's inside the folder?

  • @androidlogin3065
    @androidlogin3065 1 year ago

    Policy editor way and task schedule working is based on that Windows be running, booting with external OS will bypass that.

  • @Amanda38219
    @Amanda38219 1 year ago +1

    YAY NEW vid

  • @MrMarbles
    @MrMarbles 1 year ago +1

    thiojoe against the malware

  • @blanktheunknown2735
    @blanktheunknown2735 8 months ago +1

    I have set this up to trigger a batch file that creates a log file with a snapshot of the active network connections with PID and a snapshot of active process.

  • @eliotcougar
    @eliotcougar 1 year ago +9

    Here's an idea for unattended machines... Upon trigger, using powershell, add firewall rule that blocks all incoming/outgoing traffic, wait X minutes, then disable the rule...

    • @Lofote
      @Lofote 1 year ago

      Or just disable the network card via PowerShell :)... No need for firewall rules.

    • @eliotcougar
      @eliotcougar 1 year ago

      @Lofote If you do that, you may lose all the custom non-persistent routes you may have added using route add commands on that network interface...

  • @kshitijlahoti8725
    @kshitijlahoti8725 1 year ago +2

    Can you make a method which doesn't require group policy editor though for people without pro editions. This is some very cool stuff which I would love to have on my laptop

  • @Chas_Reno
    @Chas_Reno 1 year ago +1

    Very good .. how about you doing a blank desktop file without a name .... to hide these great tools, trick and more.

  • @badpiggs
    @badpiggs 1 year ago

    3:16 if you pause and use the < > keys right to the right of the space bar and next to the ? key you can see the token lol

  • @Voideddd
    @Voideddd 1 year ago +2

    lol i love that thumbnail

  • @WhoKilledRadioStar
    @WhoKilledRadioStar 1 year ago +12

    I love ❤ this saga! Thanks joe,You are our antivirus 😂

  • @SilvaLord321
    @SilvaLord321 1 year ago +2

    Your method is so smart! Out of curiosity, is there any real reason to shutdown the computer as opposed to just disabling the network adapters? Especially if you're likely to restore a backup anyway? Seems like false positives would be less annoying if all you have to do is reenable your network when you ascertain why it happened through event viewer.

    • @trueriver1950
      @trueriver1950 1 year ago +2

      Shutdown stops the malware doing any more local bad things it has on its to do list.
      However, with fast start, you might restart the malware on start. Ideally you want a full shutdown without any of the fast start stuff...

  • @Jacob9335wastaken
    @Jacob9335wastaken 1 year ago

    Hi joe!!

  • @komieeecat
    @komieeecat 1 year ago +3

    I don't know if you have a trojan virus and you want to remove it then the trigger activates, right? I think this will be a problem, because it will trigger it always when you turn up the pc (especially for shutdown task)

    • @DFPercush
      @DFPercush 1 year ago +1

      That's when you boot into safe mode, or in extreme cases mount the partition offline and use dism or a live linux cd.
      But it only triggers if the trojan tries to access that same file again. It might, or it could take a while. Removing the trojan file wouldn't by itself trigger it, and anyway it's best to remove things when they aren't running.

  • @lahanlon
    @lahanlon 1 year ago +1

    I would add a -f to the shutdown command in case something has been launched that interrupts normal shutdown.

  • @Karim-uknwmg702
    @Karim-uknwmg702 1 year ago

    best channel

  • @rachinter
    @rachinter 5 months ago

    Thank god i finally watched this video.

  • @aramondehasashi3324
    @aramondehasashi3324 1 year ago +1

    Oh man that thumbnail made me laugh so hard.

  • @zigafide
    @zigafide 1 year ago

    thiojoe goated

  • @SirPigari
    @SirPigari 3 months ago +1

    I'm glad you have a VPN in Czech Republic

  • @meboncent9868
    @meboncent9868 1 year ago +1

    Which Screen Recorder do you use my fellow Content Creator Your Video are Damn! Crisp when you Pan Or Zoom them

  • @Alberos
    @Alberos 1 year ago

    I will use it to fix..... this --> "What do you mean a file is in use? I closed everything. I said safely remove hardware! Again WHICH FILE IS IN USE!??".
    (I know, Windows said you "don't need" to do it but it still give me peace of mind when I saw my spinning disk external HDD's light goes off before I unplug it.)

  • @BooleanDev
    @BooleanDev 1 year ago

    windows update seems to crawl the desktop files, do you have a solution for excluding the folder/file?

  • @Anonymouzee
    @Anonymouzee 1 year ago

    great info dude... keep it coming.... ;-) 👍👍👍

  • @kim-hendrikmerk4163
    @kim-hendrikmerk4163 1 year ago +2

    On Linux you can take it as far as creating a custom service that encrypts your entire hdd with a public key if a file is accessed or some other conditions are met

  • @theaceofcreativity0460
    @theaceofcreativity0460 1 year ago +1

    Hey Joe! I have gotten a ton of ads for apps that pay you for playing games, can you go over those?

  • @shadowamdryzen
    @shadowamdryzen 1 year ago

    Joe i'm very interested in your big things on secret computer , thank you

  • @Lofote
    @Lofote 1 year ago +3

    Hey there... I don't understand, why you use the Group Policy Editor. Just edit the security of the file or folder itself, under Advanced there is "Auditing". No need for any group policy. Group policies are there to deploy things over a complete domain, i.e. all computers in a company.
    Also this all should work with Windows Vista and after, because while Windows NT had auditing since 3.1 in 1993, the scheduled task being triggered by an event was added in Windows Vista.

  • @zanperat8663
    @zanperat8663 1 year ago

    Don't try it with folders!! I don't know why but for some reason it executed the code every time my computer restarted. It was a problem since I had it to shutdown, so I couldn't access computer and needed to use my bootable linux to fix it. It wasn't hard to fix, I just needed to delete the files. Then I made it with a txt and it worked like a charm. I also did that it text you an SMS message every time you open the file (I did it with nexmo, but there are other possible candidates). Great video just don't do it with folders or at least don't do it with shutdown task.

  • @NoNamicekk
    @NoNamicekk 1 year ago +5

    3:40 so are you American or Czech? 🤔

  • @dontkillmejay8570
    @dontkillmejay8570 1 year ago +5

    I wound up in a shutdown loop, I had excluded the directory from indexing and from antivirus, but my PC was still shutting down within 5 seconds of booting, luckily gave me enough time to shift restart into safe mode to strip the task from scheduler and regedit. Wonder what was trying to access it...

    • @Lofote
      @Lofote 1 year ago +2

      Maybe backup program? Or Dropbox, OneDrive or anything mirroring it to the cloud?

    • @ąććąććąććąććąćć
      @ąććąććąććąććąćć 1 year ago

      i cant access task scheduler

    • @dontkillmejay8570
      @dontkillmejay8570 1 year ago

      @ąććąććąććąććąćć you have to delete the task item from the sys32 directory it is in and also remove the regkey in safe mode

  • @Wol747
    @Wol747 1 year ago

    You download the program to set this up? How safe is that?

  • @debbiehuffman6781
    @debbiehuffman6781 1 month ago

    Hi Joe - When I go to download the zip file for the Canary Token it says it won't work with Windows 11 - is this still true?

  • @lyger_playz
    @lyger_playz 1 year ago +1

    My Task isn't triggering! It shows up on Event Viewer, and it's logging everything well, but cmd doesn't open up when I access the file. I've followed the tutorial 4 times now, restart from scratch every time, and the event viewer logging works, but the Task Scheduler isn't really working well. The History tab is empty in the task scheduler too.

    • @ThioJoe
      @ThioJoe 1 year ago +1

      A couple things I can think of. Have you selected the option to "run whether user is logged in or not?" Because if that is selected, for some reason the Command Prompt window will not show even if the "echo" command is run. It will only run in the background. If you're just testing things out and want it to display the window to know when it's triggered, change it to "Run only when user is logged on".
      As for the history tab, you have to actually enable the tracking of history, so perhaps that isn't enabled. To enable event history tracking, at the top bar of the Task Scheduler window, click "Actions" and look for "Enable All History Tasks" and click that. Now it should show event history. Be aware though, this seems to cause lag on the computer when it is triggered, so probably only enable it for testing. Hope that helps, let me know if that solves it.

  • @sonicdemon8692
    @sonicdemon8692 1 year ago +2

    If you just do the shutdown -s -t 4 -c "blah blah blah" it might take awhile for the computer to shutdown as it doesn't force close all the programs. My way to turn off the computer is to include the -f argument as it forces everything to close with no notice, so the command would look like : shutdown -s -f -t 4 -c "blah blah blah". Which will force all open programs to shutdown and speeds up the process allowing even less time for a hacker to do anything.

    • @KeinNiemand
      @KeinNiemand 10 months ago

      Also just use -t 0 to just instantly shut down

  • @hansisbrucker813
    @hansisbrucker813 1 year ago

    Does it also trigger when you access another hardlink to the file? 🤔

  • @walkingradiance9556
    @walkingradiance9556 1 year ago

    The video on group policy editor is helpful if the method requires the group policy editor.

  • @P1neappleGaming
    @P1neappleGaming 1 year ago

    can someone help? every time I turn my computer on it shuts down. did I do it wrong?

  • @gunslingerspartan
    @gunslingerspartan 1 year ago

    the /force flag for gpupdate doesn't really do anything here, since all it will do is force all existing policies to also be re-applied, but gpupdate on its own would apply the new policy you just made, all you are doing is increasing the processing load on your pc if you have other configurations enabled

  • @bucketcom
    @bucketcom 1 year ago

    My PC automatically turns off wifi when it goes to sleep, so hackers can only access my pc when it's awake and I'm on lmao

  • @John-qc6of
    @John-qc6of 5 months ago

    What if the file is accessed programmatically?? Does it still go off?

  • @Jingizz
    @Jingizz 1 year ago

    When I create the folder with Canarytokens and open it on Windows 10 it doesnt do anything, no alert nothing

  • @omegahaxors3306
    @omegahaxors3306 1 year ago

    A similar technique used to be used in emails by both malicious actors and advertisers to effectively get read receipts on their emails.
    Ever wonder why image loading is disabled by default? Because by loading that image you're sending a signal to their servers.

  • @hacktheegg
    @hacktheegg 1 year ago +1

    now, is your version portable?