How to Catch A Hacker In Your Computer

  • Published 21 Nov 2024

COMMENTS • 576

  • @ThioJoe
    @ThioJoe 1 year ago +68

    Sponsored: Get 25% off Blinkist premium and enjoy 2 memberships for the price of 1! Start your 7-day free trial by clicking here: www.blinkist.com/thiojoe

  • @virtual2288
    @virtual2288 1 year ago +664

    The hacker watching me watch this video :

    • @MalieDon
      @MalieDon 1 year ago +45

      That's me rn💀

    • @tcmine
      @tcmine 1 year ago +10

      @@MalieDon 🤨

    • @virtual2288
      @virtual2288 1 year ago

      @testvideos4837 I mean the computer itself. I don't even have a webcam on my monitor... Who even has a webcam with their PC. And even so just put it in the wall and bring it out when you need.

    • @Redo-it
      @Redo-it 1 year ago +13

      @TESTVIDEOS I have a web cam that pops up when I click it

    • @0AThijs
      @0AThijs 1 year ago

      @testvideos4837 🤯

  • @szr8
    @szr8 1 year ago +267

    6:39 A way to effect group policy editing changes on a Home edition is to do it on a Pro/Enterprise/Server version then go to the registry and export the policy that was set, copy the exported .reg file to a Home version and then merge into its registry.

    • @QuorraPlays
      @QuorraPlays 1 year ago +7

      Thank you for this. Will definitely try it out next time I need it.🤯

    • @Valorshine
      @Valorshine 1 year ago +20

      You can "hack" home edition and add group policy to this version of windows

    • @vnc.t
      @vnc.t 1 year ago +1

      @@Valorshine yes

    • @I.____.....__...__
      @I.____.....__...__ 1 year ago +14

      @@Valorshine Indeed. It only takes two lines of code and doesn't require downloading anything, the files are already present, they just need to be installed. Almost like using the "Windows Features" dialog.

    • @nuchemweinstock9978
      @nuchemweinstock9978 1 year ago +15

      You can also enable auditing by running the following commands as administrator
      Auditpol /set /subcategory:"Detailed File Share" /success:enable
      Auditpol /set /subcategory:"File System" /success:enable
      Auditpol /set /subcategory:"Detailed File Share" /failure:enable
      Auditpol /set /subcategory:"File System" /failure:enable
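The thread above has the two halves of a Group-Policy-free setup (auditpol for the subcategory, and an audit entry on the file itself) but not the part that turns the resulting Security event into an action. The following is an added PowerShell example, not code from the video or from any commenter, that wires the whole chain together: enable object-access auditing, put a SACL on a canary file, and register a scheduled task that fires on event 4663 for that exact path. The canary path, the task name and the shutdown action are assumptions; change all three to taste.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the video or the comments. Arms a canary file:
#   1. enables File System object-access auditing (auditpol),
#   2. puts an audit entry (SACL) directly on the file, so no Group Policy Editor is needed,
#   3. registers a scheduled task that fires on Security event 4663 for that exact path.
# Assumed values: the canary path, the task name and the shutdown action.

$Canary   = 'C:\Users\Public\Documents\passwords.txt'   # assumed bait path
$TaskName = 'CanaryFileTripwire'                        # assumed task name

# 1. Bait file. The contents are irrelevant; the audit entry is what matters.
if (-not (Test-Path -LiteralPath $Canary)) {
    Set-Content -LiteralPath $Canary -Value 'nothing of value here'
}

# 2. Object-access auditing for the file-system subcategory. Without this the
#    SACL below is evaluated but never produces an event.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 3. SACL: audit reads, writes and deletes by anyone, success or failure.
#    Get-Acl needs -Audit (and admin rights) to include the SACL at all.
$acl  = Get-Acl -LiteralPath $Canary -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Canary -AclObject $acl

# 4. Event trigger. Filtering on ObjectName in the XPath means other audited
#    files on the box cannot trip this task.
$subscription = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[EventID=4663]] and *[EventData[Data[@Name='ObjectName']='$Canary']]
    </Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger cannot build event triggers; go through the CIM class.
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger      = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = $subscription

# /f skips the "save your work?" dialogs, /t 0 leaves no grace period.
$action    = New-ScheduledTaskAction -Execute 'shutdown.exe' -Argument '/s /f /t 0 /c "Canary file accessed"'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action `
    -Principal $principal -Settings $settings -Force | Out-Null
```

Test it with a harmless action first (for example `msg.exe * "tripped"` instead of `shutdown.exe`) and watch the Security log for a day: the search indexer, backup and cloud-sync clients and antivirus all read files, and a shutdown that fires during boot is the shutdown loop several commenters describe. If that happens, the recovery is the one the comments give: boot to Safe Mode and remove the task (its definition lives under %SystemRoot%\System32\Tasks). Excluding the canary's folder from indexing and AV scanning before arming it avoids most of the noise.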

  • @Amonimus
    @Amonimus 1 year ago +155

    Another trap potential: an autohotkey macro. You let the script run while you AFK, and if any button is pressed except the one specified, another script runs.

    • @-El.Inexperto
      @-El.Inexperto 1 year ago +4

      Uh, I like it!

    • @walksanator
      @walksanator 1 year ago +22

      So basically a "temp lockout" where if any key except the disable key is pressed an action occurs

    • @Lofote
      @Lofote 1 year ago +3

      I don't get this trick however... why not just use a Windows password and lock the computer when leaving via Win+L or something like that?

    • @Amonimus
      @Amonimus 1 year ago +21

      @@Lofote This video is about when that level has been breached (or not set up). Maybe you just forgot to log out, someone has guessed the password, or hacked into remote desktop.
      Naturally, people normally wouldn't let others get to their computers, but there are additional ways to make it completely unusable to anyone beside you.

    • @lastchance1036
      @lastchance1036 6 months ago

      Make it F13 😉

  • @timehunter9467
    @timehunter9467 1 year ago +299

    The folder trick made me laugh, one guy who annoys scammers had a folder called “nudes” the scammer took a look and it was naked mole rats 🤣

    • @trog871
      @trog871 1 year ago +48

      This implies that mole rats wear clothes...

    • @nubidubi23
      @nubidubi23 1 year ago +24

      Kitboga :))

    • @I.____.....__...__
      @I.____.....__...__ 1 year ago +6

      I've seen a different scam-baiter have a similar folder full of photos of Indians. I think it was Lewis or one of the other ones that stopped baiting a long time ago. 🤔

    • @itsmanasK
      @itsmanasK 1 year ago +4

      Oh yeah clicking photos of naked rats is absolutely immoral.

    • @Windows7-fz3ws
      @Windows7-fz3ws 1 year ago

      bro u actually got scammed 💀

  • @ronelm2000
    @ronelm2000 1 year ago +24

    It would also be useful to set up a trigger for if anyone tries to change Group Policy, as smarter malware might mess with that before copying anything.

  • @wngimageanddesign9546
    @wngimageanddesign9546 1 year ago +37

    Simply don't leave your computer unlocked. Create a desktop shortcut to immediately lock the OS and use it. You can even create a script to not only lock the screen but to display a fake background of some kind of work/development taking place to throw off the nosy busy bodies.

    • @FusionDeveloper
      @FusionDeveloper 1 year ago +12

      Hahaha, that reminds me of a prank I did on my friend's computer (while he watched me do it, so it was just for laughs) where I took a screenshot of the desktop with all the icons and then used photo editing to mildly warp the screen/icons, then set that as the wallpaper.
      Unfortunately, I didn't know the computer was used by other people and another person called their tech support friend to troubleshoot the problem with the distorted icons.
      Of course the normal looking icons were on top of the distorted ones, but it still looked messed up.

    • @SKCro.
      @SKCro. 1 year ago +1

      Even better, use WinKey+L to instantly lock your computer. If you get into a habit of using it every time you walk away (and have BitLocker enabled), you'd have yourself a pretty secure PC :P

    • @AltonV
      @AltonV 1 year ago +7

      With dynamic lock in windows you can pair your phone with bluetooth and have the computer automatically lock when the phone gets disconnected

    • @Lofote
      @Lofote 1 year ago +5

      Exactly. Btw there is no need for a lock desktop icon, just use Win+L on the keyboard :)...

    • @CesarPeron
      @CesarPeron 1 year ago +2

      @@Lofote Better to set it to activate the screensaver automatically after some downtime, it is much more user-proof. At least in 2 minutes, the session will be blocked.

  • @Jdbye
    @Jdbye 1 year ago +10

    I think every Group Policy setting can be changed directly in the registry if you know where, regardless of whether you have Home or Pro versions of Windows. So that might be worth looking into for anybody stuck with Home.

  • @nostressyjessie
    @nostressyjessie 1 year ago +19

    I do have to say I'm so glad you got away from troll content, as much as I loved it back then too, to something so much more useful overall to everyone. Definitely seems like a good pay it forward!

  • @SKCro.
    @SKCro. 1 year ago +36

    Here's an easy-to-make "silent alarm" type of trap: Make a shortcut to a batch script that looks like a folder, and make that batch script write a file somewhere or otherwise alert you, then open the folder as normal. I dunno how to make CMD run silently though.
    You could also pull a prank and make it do the shutdown command instead, preferably with a custom message :P

    • @wojtekpolska1013
      @wojtekpolska1013 1 year ago +6

      "I dunno how to make CMD run silently though."
      just add " @echo off " at the start of a .bat file

    • @IsaacGeorgeYT
      @IsaacGeorgeYT 1 year ago

      That stops the command being entered being shown, I'm pretty sure @SKCro wants to hide the CMD window entirely.

    • @wojtekpolska1013
      @wojtekpolska1013 1 year ago +2

      @@IsaacGeorgeYT nope, it hides the cmd prompt as well (if echo off is at the very top)

    • @IsaacGeorgeYT
      @IsaacGeorgeYT 1 year ago +1

      @@wojtekpolska1013 not if there’s echo output though, right??? When I start my mc server I have echo off but I still get console output

    • @SKCro.
      @SKCro. 1 year ago +1

      @@wojtekpolska1013 That just hides the output, it doesn't hide the command prompt window itself. I guess I could configure it to run minimized but 1) they might notice the taskbar icon flash, and 2) it might start the explorer window minimized as well.
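The "folder that is really a script" trap from this thread, done as a shortcut rather than a batch file, as an added PowerShell example that is not code from the video or from any commenter. `@echo off` only suppresses command echo; to keep the console out of the way the shortcut launches `powershell.exe -WindowStyle Hidden` and starts minimized, then the payload logs who clicked and opens the real folder so nothing looks off. The folder and log paths and the icon index are assumptions.

```powershell
# Added example, not code from the video or this thread. Builds a shortcut that
# looks and behaves like a folder: clicking it runs a hidden PowerShell command that
# appends a line to a log and then opens the real folder in Explorer.
# Assumed names: the real folder, the shortcut location, the log file, the icon index.
$RealFolder = 'C:\Users\Public\Documents\Finances'      # assumed: what the "folder" opens
$Decoy      = "$env:USERPROFILE\Desktop\Finances.lnk"   # assumed: the shortcut posing as it
$LogFile    = 'C:\ProgramData\canary-hits.log'          # assumed: where hits are appended

New-Item -ItemType Directory -Path $RealFolder -Force | Out-Null

# What runs on each click. SESSIONNAME distinguishes a local console click from an
# RDP session, which is the useful bit when you read the log afterwards.
$payload = @'
Add-Content -Path '__LOG__' -Value ('{0} user={1} session={2}' -f (Get-Date -Format o), $env:USERNAME, $env:SESSIONNAME)
Start-Process -FilePath explorer.exe -ArgumentList '__FOLDER__'
'@
$payload = $payload.Replace('__LOG__', $LogFile).Replace('__FOLDER__', $RealFolder)

# -EncodedCommand (base64 of UTF-16LE) avoids every quoting problem in the .lnk argument field.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))

$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut($Decoy)
$lnk.TargetPath   = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$lnk.Arguments    = "-NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand $encoded"
$lnk.WindowStyle  = 7                                           # 7 = start minimized
$lnk.IconLocation = "$env:SystemRoot\System32\shell32.dll,3"    # assumed: index 3 is the closed-folder icon
$lnk.Save()
```

Two caveats a careful intruder will notice: Explorer still draws the shortcut-arrow overlay and reports the Type as "Shortcut", and because powershell.exe is a console application the window exists for an instant before `-WindowStyle Hidden` takes effect, which is the flash this thread worries about. It is a trap for a human at the GUI only; a `dir` from a shell never touches the .lnk target, which is what the file-auditing approach is for.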

  • @TheMAZZTer
    @TheMAZZTer 1 year ago +13

    Windows will cache icons so the folder token probably stopped working for that reason. I imagine the idea is once it's triggered once you don't necessarily care if you miss subsequent triggers, so it's fine if the icon cache causes it not to retrigger.
    Keep in mind auditing is off by default as it tends to slow down file access. So this may not be the best solution depending on your hardware. That said, if you set it up for only specific files you're probably OK. Also keep in mind, as you said, lots of applications have legitimate reasons to sneak a peek at arbitrary files, but this extends beyond the search indexer. For example AV scanners, Windows Explorer trying to generate a thumbnail, etc., so audits may not be as useful as you might think.
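The noise problem in the comment above is real, and the answer is to triage the events rather than react blindly. The following is an added PowerShell example, not from the video or the comment, that pulls the 4663 events for one audited canary file, resolves the event fields by name (they are positional in the raw event), and drops the readers the comment lists as legitimate so that what remains is worth looking at. The canary path and the benign-process list are assumptions; tune the list after watching what actually shows up on your machine.

```powershell
# Added example, not from the video or the comment above. Reads the 4663 events for
# one audited canary file and drops the readers the comment lists as legitimate noise.
# Assumed: the canary path and the benign-process list.
function Get-CanaryHits {
    param(
        [string]   $Canary = 'C:\Users\Public\Documents\passwords.txt',              # assumed
        [string[]] $Benign = @('SearchIndexer.exe', 'MsMpEng.exe', 'explorer.exe')  # assumed: indexer, Defender, thumbnails
    )

    # Same filter a tripwire task can use: event ID plus exact object path.
    $xpath  = "*[System[EventID=4663]] and *[EventData[Data[@Name='ObjectName']='$Canary']]"
    $events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # EventData is positional in $e.Properties; pull the fields by name from the XML instead.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $proc = [System.IO.Path]::GetFileName($data['ProcessName'])
        if ($Benign -contains $proc) { continue }            # -contains is case-insensitive

        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process = $data['ProcessName']
            Access  = $data['AccessMask']     # 0x1 ReadData, 0x2 WriteData, 0x10000 DELETE
            LogonId = $data['SubjectLogonId'] # match against a 4624 event; LogonType 10 there means RDP
        }
    }
}

Get-CanaryHits | Format-Table -AutoSize
```

Run it once a day for a while before attaching a destructive action to the event: whatever still appears after the benign list is tuned is what the tripwire should react to, and the LogonId column is how you tell a local double-click from a remote session without a webcam.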

  • @GaryBeltz
    @GaryBeltz 1 year ago +8

    My message for the shutdown would be something like "Warning! The self-destruct sequence has been activated. The computer will explode in (seconds)"

  • @izeo997
    @izeo997 1 year ago +4

    Canary tokens can also be used by defenders and security professionals because they can use them to lure attackers into revealing their presence or actions.
    great content!

  • @Pilkey-SEK
    @Pilkey-SEK 1 year ago +263

    Hackers watching this: 💀
    Edit: Guys stop liking this my notifications explode..........
    (Btw yes, my comment has 10x more likes than the creators lol)

  • @alexj.f.kennedy6084
    @alexj.f.kennedy6084 1 year ago +12

    Now that's an actual reason to consider getting the Pro versions of Windows

    • @DFPercush
      @DFPercush 1 year ago +3

      pro gives you the nice management console gui, but you can still do all these things from cmd/powershell and registry if you have a good reference handy. Some people in the comments are saying it's possible to install those features even in home, might want to come back and browse the comments section again. I will say though, when I did buy Windows I always bought Pro, but after all the BS with 11 I'm just done.

    • @internetdoggo4839
      @internetdoggo4839 1 year ago

      Microsoft-Activation-Scripts. look it up

  • @anthonynorton666
    @anthonynorton666 1 year ago +1

    Thank you. This is definitely bookmarked in case I need to use it and follow the instructions closer. Really appreciate your time in making this.

  • @null7581
    @null7581 1 year ago +9

    So this could help solve a very niche problem where I want to log every time a computer opens, edits or changes ANY file and save the result to a .CSV file
    (yes I'm aware this would create billions of entries) I've been trying to narrow down what a malware is doing - and logging everything it touches is very valuable.

  • @Dezo365
    @Dezo365 1 year ago +3

    Saw this tech on another tech YouTuber's channel. Still gonna watch it anyway!

  • @ArchonLicht
    @ArchonLicht 1 year ago +5

    If a hacker gets access to your machine and lists files not via RDP session with GUI but via some API calls or command line - the "token" won't be triggered, because there will be no showing of the icon. So it's rather unlikely this "token" will help you to know when you've been hacked - let alone CATCH the hacker.

  • @stultuses
    @stultuses 1 year ago +17

    Your channel got a shout out by Linus Tech Tips
    Well done and well deserved because of your excellent content

  • @AvaWavaGD
    @AvaWavaGD 1 year ago +6

    That is really useful. I was wondering if something could be similarly made for USB Drives, where it can log whoever accesses the drive, whether on the network or outside. Maybe even stopping access entirely?

  • @eliotcougar
    @eliotcougar 1 year ago +9

    Here's an idea for unattended machines... Upon trigger, using powershell, add firewall rule that blocks all incoming/outgoing traffic, wait X minutes, then disable the rule...

    • @Lofote
      @Lofote 1 year ago

      Or just disable the network card via PowerShell :)... No need for firewall rules.

    • @eliotcougar
      @eliotcougar 1 year ago

      @@Lofote If you do that, you may lose all the custom non-persistent routes you may have added using route add commands on that network interface...
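The isolate-for-X-minutes response from this thread, as an added PowerShell example that is not code from the video or from either commenter. It keeps the adapter (and therefore the routes mentioned above) untouched, snapshots the established connections and running processes first so the intruder's foothold is recorded, then blocks all traffic with explicit firewall rules and removes them when the window expires. Explicit Block rules are used rather than the profile's default action because a Block default still lets existing Allow rules through, while a Block rule wins over any Allow rule. The window length, rule names and snapshot path are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the video or this thread: "isolate instead of shut down".
# 1. snapshot live connections and processes (evidence, while it still exists),
# 2. block all traffic in both directions with explicit Block rules,
# 3. wait, then remove the rules again so the box comes back on its own.
# Assumed: the 15-minute window, the rule names and the snapshot path.
param([int]$Minutes = 15)

$Snapshot = "C:\ProgramData\canary-snapshot-$(Get-Date -Format yyyyMMdd-HHmmss).txt"   # assumed path

# 1. Evidence first. OwningProcess is resolved to a name so the snapshot is readable later.
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize | Out-String -Width 200 | Set-Content -Path $Snapshot
Get-Process | Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize | Out-String -Width 200 | Add-Content -Path $Snapshot

# 2. Isolate. One rule per direction with no port or program filter, so each matches everything.
$rules = foreach ($dir in 'Inbound', 'Outbound') {
    New-NetFirewallRule -DisplayName "Canary isolation ($dir)" -Direction $dir -Action Block -Profile Any
}

# 3. Hold, then restore. try/finally so Ctrl+C during the wait still removes the rules.
try {
    Start-Sleep -Seconds ($Minutes * 60)
} finally {
    $rules | Remove-NetFirewallRule
}
```

Use it as the scheduled task's action instead of `shutdown.exe` and the false-positive cost drops to a few minutes offline plus a snapshot file to read, which is the trade-off a later comment asks about. Note that the block cuts every session, including your own RDP session if that is how you are administering the machine, so the timed removal is not optional.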

  • @joeshmoe000
    @joeshmoe000 1 year ago +13

    I think there's got to be a way to just make an EXE, VBS or whatever just be associated with a different file extension and icon. So it could appear as a folder, but it's actually code that runs and you could make it do whatever you want. This is actually a sketch thing though cause malware could potentially use the same idea.

    • @gabrielloredodematosfelix7807
      @gabrielloredodematosfelix7807 1 year ago +3

      That only works with people that have the setting disabled, and if the person is accessing your computer, probably they know if they have extensions enabled, and they will probably check if it's actually a folder (and if they see it in Explorer, it will appear as X.exe)

    • @joeshmoe000
      @joeshmoe000 1 year ago +5

      @@gabrielloredodematosfelix7807 Maybe, but I'm wondering what would happen if you went in the registry and made a new file type, copy the folder file type data into it, and copy only the action part from the EXE file type. Now because folders never have a file extension, it would get hidden regardless of that setting, but it would run with the action of an EXE. It might not work, but I might try it sometime. I just don't want to completely mess up my system.

    • @Biggerman159
      @Biggerman159 1 year ago +1

      @@joeshmoe000 siiiiiiiiiick

  • @chromerims
    @chromerims 1 year ago

    Thank you. Very clever traps and alerts using Windows files and folders.

  • @Xilent1
    @Xilent1 1 year ago +3

    @ThioJoe
    I'm still going to like the video cause I do. I'm just upset that you just NOW made this video. This should've been your 1st video. Great information

  • @realjameskii
    @realjameskii 1 year ago +1

    The enable auditing one allowed me to make failed logins make a loud noise play, thanks

  • @poppies1215
    @poppies1215 1 year ago +12

    Hello Joe. Thank you for all the great tips!

  • @Alberos
    @Alberos 1 year ago

    I will use it to fix..... this --> "What do you mean a file is in use? I closed everything. I said safely remove hardware! Again, WHICH FILE IS IN USE!??".
    (I know, Windows says you "don't need" to do it, but it still gives me peace of mind when I see my spinning-disk external HDD's light go off before I unplug it.)

  • @komieeecat
    @komieeecat 1 year ago +3

    I don't know, if you have a trojan virus and you want to remove it, then the trigger activates, right? I think this will be a problem, because it will always trigger when you turn on the PC (especially for the shutdown task)

    • @DFPercush
      @DFPercush 1 year ago +1

      That's when you boot into safe mode, or in extreme cases mount the partition offline and use dism or a live linux cd.
      But it only triggers if the trojan tries to access that same file again. It might, or it could take a while. Removing the trojan file wouldn't by itself trigger it, and anyway it's best to remove things when they aren't running.

  • @paulfrayne6519
    @paulfrayne6519 1 year ago +2

    This will be interesting to experiment with

  • @test-rj2vl
    @test-rj2vl 1 year ago

    You don't need group policy. If you know programming you can simply subscribe to file events and then you can get your custom code called every time something happens. Kinda like Process Monitor by Sysinternals but write it yourself.

  • @pouet4608
    @pouet4608 1 year ago +7

    So you just monitor an action on a file. Anyway, the idea is interesting . Thank you for this video

  • @Lofote
    @Lofote 1 year ago +3

    Hey there... I don't understand why you use the Group Policy Editor. Just edit the security of the file or folder itself; under Advanced there is "Auditing". No need for any group policy. Group policies are there to deploy things over a complete domain, i.e. all computers in a company.
    Also this all should work with Windows Vista and after, because while Windows NT had auditing since 3.1 in 1993, the scheduled task being triggered by an event was added in Windows Vista.

  • @XDSDDLord
    @XDSDDLord 1 year ago +2

    Good ideas, thanks for this info.

  • @rytek4274
    @rytek4274 1 year ago +3

    Theo dropping the heat 🔥

  • @erikhicks07
    @erikhicks07 1 year ago +18

    Most competent intruders are going to be using Powershell/SSH and not moving your mouse or using the Explorer GUI

    • @gblargg
      @gblargg 1 year ago +7

      The second approach should detect this.

    • @CigsInABlanket
      @CigsInABlanket 1 year ago +3

      Still works.

    • @internetdoggo4839
      @internetdoggo4839 1 year ago +6

      This is defense-in-depth. Of course there's a way around it, but that doesn't mean it isn't worth implementing

    • @CigsInABlanket
      @CigsInABlanket 1 year ago

      @@internetdoggo4839 Use the URL token, and have powershell request the url in the task scheduler.
      If you give a folder the same auditing perms as you would the txt file in the video, it will trigger as soon as someone tries to list the directory for the folder within powershell. Once you lock the task scheduler, the only way around it, far as I'm aware, is if they don't go into that folder.

    • @lower_level_gee-mah-tree-ah_TV
      @lower_level_gee-mah-tree-ah_TV 1 year ago +3

      So is it normal to have an SSH shell open port on a TP-Link router from Walmart? Ports 22 and 80 are open, and a random device keeps popping up on the Fing app that says iPhone 5 and iPhone 7, same device. How can there even be an iPhone 5 and 7 at the same damn time, when nobody on the network has an iPhone? For the life of me, can someone please go in depth with the IOCs of this parent-monitoring spyware BS? My location seems like there is some kind of beacon somewhere that keeps sniffing every new device I get and sideloads 300-something APKs of BS that just spank all my permissions to hell and back. Samsung had 500 apps, and Android forums flat out lie. Why can't normies actually get any help with this BS?

  • @SilvaLord321
    @SilvaLord321 1 year ago +2

    Your method is so smart! Out of curiosity, is there any real reason to shut down the computer as opposed to just disabling the network adapters? Especially if you're likely to restore a backup anyway? Seems like false positives would be less annoying if all you have to do is re-enable your network when you ascertain why it happened through Event Viewer.

    • @trueriver1950
      @trueriver1950 1 year ago +2

      Shutdown stops the malware doing any more local bad things it has on its to do list.
      However, with fast start, you might restart the malware on start. Ideally you want a full shutdown without any of the fast start stuff...

  • @kshitijlahoti8725
    @kshitijlahoti8725 1 year ago +2

    Can you make a method which doesn't require group policy editor though for people without pro editions. This is some very cool stuff which I would love to have on my laptop

  • @sonicdemon8692
    @sonicdemon8692 1 year ago +2

    If you just do the shutdown -s -t 4 -c "blah blah blah" it might take a while for the computer to shut down, as it doesn't force close all the programs. My way to turn off the computer is to include the -f argument, as it forces everything to close with no notice, so the command would look like: shutdown -s -f -t 4 -c "blah blah blah". Which will force all open programs to shut down and speeds up the process, allowing even less time for a hacker to do anything.

    • @KeinNiemand
      @KeinNiemand 1 year ago

      Also just use -t 0 to just instantly shut down

  • @Bosbesplayssss
    @Bosbesplayssss 4 months ago +1

    Thio single-handedly keeping the old ones out there safe from hackers 🤔

  • @rsearchtim
    @rsearchtim 1 year ago

    Thanks for the video on auditing file access.

  • @blanktheunknown2735
    @blanktheunknown2735 1 year ago +1

    I have set this up to trigger a batch file that creates a log file with a snapshot of the active network connections with PID and a snapshot of active processes.

  • @SirPigari
    @SirPigari 6 months ago +1

    I'm glad you have a VPN in the Czech Republic

  • @gavincstewart
    @gavincstewart 1 year ago +1

    excellent video! this is all great information to have and I would love to learn more about what I can do with task scheduler!

  • @MrMarbles
    @MrMarbles 1 year ago +1

    thiojoe against the malware

  • @kim-hendrikmerk4163
    @kim-hendrikmerk4163 1 year ago +2

    On Linux you can take it as far as creating a custom service that encrypts your entire HDD with a public key if a file is accessed or some other conditions are met

  • @chiroyce
    @chiroyce 1 year ago +15

    Would the first one work if it was a remote shell that copied the files over? I don't think that would be the same as double clicking the folder to open it but I could be wrong.
    edit: Saw the rest of the video, and yeah I guess most hackers would be using linux/a shell to gain access

    • @SuperMegaToto
      @SuperMegaToto 1 year ago +2

      Yes! I was gonna say this!
      If you have a reverse shell that just runs CMD or PowerShell commands this won't work.
      So dumb. This technique will only catch people sneaking onto your PC

    • @FusionDeveloper
      @FusionDeveloper 1 year ago

      An India-based tech support scam "hacker" is likely using Windows.
      Although I just call them a "scammer", which is a completely shameful title with no redeeming qualities.

    • @CigsInABlanket
      @CigsInABlanket 1 year ago

      @@SuperMegaToto This triggers whenever the file is accessed/modified, regardless of how it was. Go ahead, test it for yourself. Open/copy the file using PowerShell, and it will still trigger.

    • @chiroyce
      @chiroyce 1 year ago

      @@FusionDeveloper But they're using remote desktop software, and that may not trigger the .ini file.

    • @chiroyce
      @chiroyce 1 year ago

      @@CigsInABlanket They're talking about the first one which uses the desktop.ini file as a trigger, not the other methods ThioJoe mentioned.

  • @Draggie306
    @Draggie306 1 year ago +4

    Cool! Does this work if someone runs a command like tree, or indexes a list of file names on the computer using a Python script, for example? Or does it just trigger when the file is directly read?

  • @lahanlon
    @lahanlon 1 year ago +1

    I would add a -f to the shutdown command in case something has been launched that interrupts normal shutdown.

  • @badpiggs
    @badpiggs 1 year ago

    3:16 if you pause and use the < > keys right to the right of the space bar and next to the ? key you can see the token lol

  • @Chas_Reno
    @Chas_Reno 1 year ago +1

    Very good. How about doing a blank desktop file without a name... to hide these great tools, tricks and more.

  • @LazyGigolo
    @LazyGigolo 1 year ago +14

    How do I know 100% for sure that my PC is malware and virus free? Thanks

    • @ThioJoe
      @ThioJoe 1 year ago +12

      I suppose there is no way to be 100% certain unless you do a format and clean install

    • @RADIS370
      @RADIS370 1 year ago

      @@ThioJoe Not true.

    • @jmtradbr
      @jmtradbr 1 year ago +3

      I'm on your system32 👁️👁️

    • @LazyGigolo
      @LazyGigolo 1 year ago +2

      @@ThioJoe OK, then 95 %....

    • @DFPercush
      @DFPercush 1 year ago

      Get any decent virus scanner, reboot into safe mode and run it. Even better, if you can boot from another partition or live CD/USB, run it from there. Just be sure to update the definitions. Offline scans like that prevent the malware from intercepting the file read operations and are the best way to detect rootkits. Many years ago, McAfee had a boot CD called Stinger that you could boot from and scan your PC offline; I don't know if they still do that. Problem is it also detected pirated copies of Windows, so we students had to figure out a way to spoof the results. XD

  • @prowler1567
    @prowler1567 1 year ago

    Thanks for the in depth info. Will refer back for reference. 👍

  • @desleycasey7412
    @desleycasey7412 1 year ago

    Many thanks for this video. Highly informative. Actually there is a way to add group policy editor to Windows 10 & 11 Home Editions which I came across and it works like a treat. As I have Windows 11 Home, by installing group policy editor as a batch file, I was able to undertake all the steps you outlined in this video. Thanks again. I feel more secure knowing that if a hack took place, I have a good chance to stop the hacker in their tracks.

  • @internetdoggo4839
    @internetdoggo4839 1 year ago

    Great video! I'll actually set up this honeypot, it seems very handy

  • @iivari6205
    @iivari6205 1 year ago +26

    Interesting features I wasn't aware of. However I don't think this is too useful in catching hackers. I find it way too unlikely a hacker would open your trap file, and even if they did, they'd already caused you a lot of other damage by then. When you start your computer again, the hacker would continue where they left off, this time being cautious about your trap file. However it's likely you or the system will fall to your trap yourself, causing you even more damage, trouble, and loss of work. So I just don't find it worth it. Nice idea though.

    • @EQ_EnchantX
      @EQ_EnchantX 1 year ago +20

      Naming the folder something important like Crypto Wallet might cause a crypto-wallet-stealing virus to trigger the trap, which could disable the internet and shut down the computer and then warn you of such, allowing you to fix it.
      Also if a hacker had remote access to your computer, they would most likely scan the hard drive to see what was on it, thus triggering the trap and disabling the network adapter causing them to be disconnected hopefully before they cause irreversible damage.

    • @thepolishtech1552
      @thepolishtech1552 1 year ago

      @@EQ_EnchantX especially if you put it in the root directory of C: for it to act the fastest

  • @dontkilImejay
    @dontkilImejay 1 year ago +5

    I wound up in a shutdown loop, I had excluded the directory from indexing and from antivirus, but my PC was still shutting down within 5 seconds of booting, luckily gave me enough time to shift restart into safe mode to strip the task from scheduler and regedit. Wonder what was trying to access it...

    • @Lofote
      @Lofote 1 year ago +2

      Maybe backup program? Or Dropbox, OneDrive or anything mirroring it to the cloud?

    • @thatpolishletter
      @thatpolishletter 1 year ago

      I can't access Task Scheduler

    • @dontkilImejay
      @dontkilImejay 1 year ago

      @@thatpolishletter you have to delete the task item from the sys32 directory it is in and also remove the regkey in safe mode

  • @Villager701
    @Villager701 1 year ago +1

    wow great video keep up the awesome work👍

  • @thatlooksdou
    @thatlooksdou 9 months ago

    Thanks for this information!

  • @R3_dacted0
    @R3_dacted0 1 year ago +11

    The scenario that immediately popped into my mind is accidentally triggering a shutdown loop.
    Say for instance that you didn't realize that a particular file is accessed on startup and that file triggers shutdown. Now just by booting up, you trigger the shutdown sequence.
    Could you fix that if it happened? Would booting into safe mode work?

    • @thatpolishletter
      @thatpolishletter 1 year ago +3

      I got that problem

    • @itsmanasK
      @itsmanasK 1 year ago

      @@thatpolishletter So how did you fix it?

    • @itsmanasK
      @itsmanasK 1 year ago

      Thanks bruh..I was about to set this up but after reading your comment I've changed my mind

    • @thatpolishletter
      @thatpolishletter 1 year ago

      @@itsmanasK safe mode

    • @itsmanasK
      @itsmanasK 1 year ago

      @@thatpolishletter Genius 🧠

  • @omegahaxors9-11
    @omegahaxors9-11 1 year ago

    A similar technique used to be used in emails by both malicious actors and advertisers to effectively get read receipts on their emails.
    Ever wonder why image loading is disabled by default? Because by loading that image you're sending a signal to their servers.

  • @JuhaBaxton
    @JuhaBaxton 1 year ago

    Nice - big shout out! THX!

  • @wildmanjeff42
    @wildmanjeff42 1 year ago

    Pretty cool ! Thanks for the video !

  • @walkingradiance9556
    @walkingradiance9556 1 year ago

    The video on group policy editor is helpful if the method requires the group policy editor.

  • @FBAMAP
    @FBAMAP 1 year ago

    What if they are using a RAT software and they are not clicking on the folder to get access to what's inside the folder?

  • @_lun4r_
    @_lun4r_ 1 year ago +14

    6:42 You do know that there actually is a way to get the group policy editor on Windows 10/11 Home, you just have to run specific commands to enable it as the file necessary is still on the system

    • @_lun4r_
      @_lun4r_ 1 year ago

      Did I see a scammer replying here?
      YouTube 1984 too

    • @I.____.....__...__
      @I.____.....__...__ 1 year ago

      It's not technically "enabling" it, it's "installing" it from files already on the system, pretty much just like using the "Windows features" dialog.

    • @Lofote
      @Lofote 1 year ago

      But Group Policy Editor isn't even needed here, you can directly set the Auditing from Windows Explorer under Security, Advanced :)...

  • @zanperat8663
    @zanperat8663 1 year ago

    Don't try it with folders!! I don't know why, but for some reason it executed the code every time my computer restarted. It was a problem since I had it set to shut down, so I couldn't access the computer and needed to use my bootable Linux to fix it. It wasn't hard to fix; I just needed to delete the files. Then I made it with a txt and it worked like a charm. I also made it text you an SMS message every time you open the file (I did it with Nexmo, but there are other possible candidates). Great video, just don't do it with folders, or at least don't do it with the shutdown task.

  • @colbyhartman9467
    @colbyhartman9467 1 year ago +1

    That's good you could be in a middle of something and next thing you know your PC shuts down... That would be lovely

    • @colbyhartman9467
      @colbyhartman9467 1 year ago +1

      But I do like the idea, but idk on the other side of it too

  • @GHXST6-9
    @GHXST6-9 1 year ago +3

    Damn helpful.

  • @bucketcom
    @bucketcom 1 year ago

    My PC automatically turns off Wi-Fi when it goes to sleep, so hackers can only access my PC when it's awake and I'm on lmao

  • @theaceofcreativity0460
    @theaceofcreativity0460 1 year ago +1

    Hey Joe! I have gotten a ton of ads for apps that pay you for playing games, can you go over those?

  • @useless8695
    @useless8695 1 year ago

    3:36
    thio: clicks twice to open once
    Canary: *Triggered 3 times*

    • @ThioJoe
      @ThioJoe 1 year ago

      Top 10 Questions Science Still Can’t Answer

  • @androidlogin3065
    @androidlogin3065 1 year ago

    The policy editor and task scheduler approach relies on Windows running; booting an external OS will bypass it.

  • @meboncent9868
    @meboncent9868 1 year ago +1

    Which screen recorder do you use, my fellow content creator? Your videos are damn crisp when you pan or zoom them

  • @ChickenGamingFlamingoLegs
    @ChickenGamingFlamingoLegs 1 year ago +1

    Now Imma put a text file in the folder saying the hacker’s IP 💀💀💀💀💀

  • @sycco42
    @sycco42 1 year ago +2

    The censoring of the URL isn't well made, if you really wanna hide it (around 3 min)

  • @Rachinter
    @Rachinter 9 months ago

    Thank God I finally watched this video.

  • @lyger_playz
    @lyger_playz 1 year ago +1

    My Task isn't triggering! It shows up on Event Viewer, and it's logging everything well, but cmd doesn't open up when I access the file. I've followed the tutorial 4 times now, restart from scratch every time, and the event viewer logging works, but the Task Scheduler isn't really working well. The History tab is empty in the task scheduler too.

    • @ThioJoe
      @ThioJoe  1 year ago +1

      A couple of things I can think of. Have you selected the option to "run whether user is logged in or not"? Because if that is selected, for some reason the Command Prompt window will not show even if the "echo" command is run. It will only run in the background. If you're just testing things out and want it to display the window to know when it's triggered, change it to "Run only when user is logged on".
      As for the History tab, you have to actually enable the tracking of history, so perhaps that isn't enabled. To enable event history tracking, at the top bar of the Task Scheduler window, click "Actions" and look for "Enable All Tasks History" and click that. Now it should show event history. Be aware though, this seems to cause lag on the computer when it is triggered, so probably only enable it for testing. Hope that helps, let me know if that solves it.
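
The whole setup that the reply above describes (audit a canary file, trigger a scheduled task from the resulting Security event, and run the task interactively so its window is visible) can be scripted instead of clicked through. The script below is an added example, not ThioJoe's own code and not from the video; it assumes an elevated PowerShell on Windows 10/11 Pro, and the canary path and task name are constructed placeholders. It uses the MSFT_TaskEventTrigger CIM class because New-ScheduledTaskTrigger has no event mode, and it sets LogonType Interactive, which is the "Run only when user is logged on" option the reply recommends for seeing the window.

```powershell
#Requires -RunAsAdministrator
# Added example (not the video's or ThioJoe's script). Builds the canary-file trap:
#   1. enable File System success auditing,
#   2. put an audit ACE (SACL) on the canary so every read logs Security event 4663,
#   3. register a task that fires on that event and opens a visible console window.
$Canary   = 'C:\Users\Public\Documents\passwords.txt'   # constructed placeholder path
$TaskName = 'CanaryFileTripped'                          # constructed placeholder name

# 1. Canary file plus the audit subcategory that produces 4663 events.
New-Item -ItemType File -Path $Canary -Force | Out-Null
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. SACL: log successful ReadData by anyone. Get-Acl -Audit / Set-Acl need admin rights.
$acl  = Get-Acl -Path $Canary -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'ReadData', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $Canary -AclObject $acl

# 3. Event trigger. This is the same XPath an Event Viewer custom filter would hold.
#    The event log's XPath subset has no contains(), so ObjectName is matched exactly.
$subscription = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4663)]] and
      *[EventData[Data[@Name='ObjectName']='$Canary']]
    </Select>
  </Query>
</QueryList>
"@
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = $subscription

# 4. Action. A console window that stays open (/k) so a test read is obviously visible.
#    Replace with 'shutdown.exe' and '/s /f /t 0' once the trigger is proven to fire.
$action = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument '/k echo Canary file was opened'

# 5. LogonType Interactive == "Run only when user is logged on". With S4U or a stored
#    password the task still runs, but in session 0, so no window ever appears: that is
#    the symptom described in the thread above.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -LogonType Interactive -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Principal $principal -Settings $settings -Force | Out-Null

# 6. Self-test: read the canary, then confirm the 4663 event exists and the task ran.
Get-Content -Path $Canary | Out-Null
Start-Sleep -Seconds 2
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 20 |
    Where-Object { $_.Message -like "*$Canary*" } |
    Select-Object TimeCreated, Id
(Get-ScheduledTaskInfo -TaskName $TaskName).LastRunTime
```

If the self-test shows a fresh 4663 event but LastRunTime stays empty, the trigger XPath is the usual culprit: the ObjectName in the event must equal the path string exactly, including drive letter case, so compare it against what Event Viewer shows in the event's Details tab. Remove the trap afterwards with Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false.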

  • @random_person618
    @random_person618 1 year ago +2

    I'm pretty sure your method works on previous versions of Windows as well, for example, Windows 8 Pro, and not just Windows 10 or higher.

    • @Lofote
      @Lofote 1 year ago +1

      Windows Vista or higher has those scheduled tasks depending on events.

  • @Voideddd
    @Voideddd 1 year ago +2

    lol I love that thumbnail

  • @lIIlllIIllIII
    @lIIlllIIllIII 1 year ago +2

    I do have a question. I noticed that my file will get triggered whenever a GPU driver installs, a Windows install or anything like that happens. It's a little sketchy to think that they are interacting with a txt file I have in my Documents folder. Anyone have any clarifications or similar experiences???

  • @rob-toolsandtech2521
    @rob-toolsandtech2521 1 year ago +6

    Great video. You got my wheels turning. I could see a ton of additions and variations. Maybe have the file they directly access be a batch file with the icon changed. You could have that batch file trigger all kinds of things. You could trigger external things through services like IFTTT. Turn on security cameras, lock a closet door that might have valuables that might be stolen. Seems like the sky is the limit here. The file could be "sensitive financial information.docs.bat" and hide the file extension so all they see is "sensitive financial information.docs" and change the icon to match. The bat file could open other files for all kinds of purposes.

    • @nodrance
      @nodrance 1 year ago +1

      You can run a batch file using the Windows Event Viewer method, or if you have an external server you can use a webhook and do whatever you like that way

  • @MikeTrieu
    @MikeTrieu 1 year ago +13

    Eh, I dunno if I trust a third-party website to automatically run an untrusted DLL for that canary thing. That seems like a recipe for disaster. Even if you currently trust that company, what if they sold off to a shadier one that doesn't respect its users? They could run cryptomining software on your box or worse.

    • @erikhicks07
      @erikhicks07 1 year ago +3

      Good point. Not only that, but they're effectively tracking your usage/location. Which is probably why they're offering it as a 'free' service.

    • @DFPercush
      @DFPercush 1 year ago +1

      I don't think it actually executes any code from the DLL; the DLL is just a resource container for the icon. Although it does seem a little suspicious that they wouldn't just use an .ico file.

    • @Anonymouzee
      @Anonymouzee 1 year ago

      Intrusive strategy... they can refactor the .dll anytime... :-)
      If it was "baloon.dll" I'd be suspicious... ;-))

    • @erikhicks07
      @erikhicks07 1 year ago +1

      @@DFPercush A malformed DLL might buffer overflow or exploit some other vulnerability.

  • @Damqq
    @Damqq 1 year ago +3

    Interesting that you're not using the -f flag for the shutdown command...

  • @JohnS-er7jh
    @JohnS-er7jh 11 months ago

    What about intrusion detection software, like Tripwire? Also antivirus that detects keyloggers or screen/video capture viruses?

  • @hacktheegg
    @hacktheegg 1 year ago +1

    Now, is your version portable?

  • @wolphin732
    @wolphin732 1 year ago

    12:00... the shutdown, you probably want to also use -f to force it to shut down, and ignore anything which is trying to have the shutdown wait for them...

  • @androidlogin3065
    @androidlogin3065 1 year ago

    I am so sorry to say this, but the first thing any good sniffer/attacker does when locally attacking a computer is to cut all its remote access, then check if there is any live encryption, so in case there is not, reboot with an external OS to limit any traces, etc. and gain low-level access to the storage.
    Most of the time it takes less time to 1-to-1 copy the storage (with not so much special external cloning hardware) than to investigate and look for things in place.
    If the attacker gains physical access to your running OS you are dead (in terms of security), no matter what you have; they can simply plug an injector/reader into the motherboard wires and make a full unencrypted read be copied to external media.
    That is why software full-disk encryption puts up a barrier, but the attacker can also put in a RAM dumper and you are still dead.
    That is why I have always said, if you go away, just turn off the computer and have all your disks 100% software encrypted (encryption that runs inside the processor, not on the drive itself), and better if it is multi-layer with different encryption algorithms.
    And never have external access on the computer you use your data on; for internet use a second PC and a USB thumb drive, etc.
    The paranoid way of viewing it is the safe way, and even that is not 100% safe.

  • @christinaedwards5084
    @christinaedwards5084 1 year ago

    If a hacker got into my PC, he'd be greeted by 20-year-old games. 😂

  • @aramondehasashi3324
    @aramondehasashi3324 1 year ago +1

    Oh man, that thumbnail made me laugh so hard.

  • @theuriah01
    @theuriah01 1 year ago

    Can you please please PLEASE.... do an updated video on the best type of television money can buy you? I know you did one six years ago on OLED and QLED. PLEASE help us... 🙏🏾

  • @JacobP81
    @JacobP81 1 year ago

    6:44 There is a method to install Group Policy Editor on Windows Home

  • @Andrea_Bassi
    @Andrea_Bassi 1 year ago

    Doesn't enabling auditing on the file system use resources and slow down the PC?

  • @Kelly--
    @Kelly-- 1 year ago

    7:08 I've seen hackers like that before. They usually show up in groups, on chilly nights.

  • @gunslingerspartan
    @gunslingerspartan 1 year ago

    The /force flag for gpupdate doesn't really do anything here, since all it will do is force all existing policies to also be re-applied, but gpupdate on its own would apply the new policy you just made; all you are doing is increasing the processing load on your PC if you have other configurations enabled

  • @junaidahmadj
    @junaidahmadj 1 year ago

    That's a good idea 💡 thanks 😀

  • @Wol747
    @Wol747 1 year ago

    You download the program to set this up? How safe is that?

  • @Lampe2020
    @Lampe2020 1 year ago +1

    Can you please do a similar video for Linux?

  • @radim776
    @radim776 1 year ago +1

    3:48 Are you from Czechia?

  • @NoNamicekk
    @NoNamicekk 1 year ago +5

    3:40 So are you American or Czech? 🤔