Intro
Although the primary emphasis here is a lost or stolen corporate computer to which you still have some remote management channel (an EDR agent, an RMM tool or similar), some of the following suggestions may be relevant without one.
Certain ideas posted here may be deemed unethical or potentially illegal, depending on the jurisdiction, application, and/or involvement. Consequently, it is advisable to consult with experienced legal professionals before implementing any of these ideas, as they may have far-reaching consequences beyond what is initially anticipated.
This compilation of ideas is intended solely for informational purposes.
Ideas
Quarantine the Host
A lost or stolen device may give an attacker physical access to sensitive data and, through cached credentials, saved VPN or Wi-Fi profiles and live sessions, to network resources. Quarantining the host (network containment in most EDR products, or a restrictive host firewall policy) isolates it from everything except the management channel, so the device can no longer reach file shares, internal services or the internet and cannot be used as a foothold. Do this first, and only after confirming that the management channel itself stays open: the remaining steps depend on it.
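Where no EDR containment feature is available, the same effect can be had with the built-in Windows Defender Firewall. The script below is an added example, not code from the original post or from any EDR vendor: it allows only the management agent, DNS and DHCP outbound, blocks everything else in both directions, and disables every other allow rule so that nothing an attacker or an old policy created reopens the host. The agent path is a placeholder assumption; test on a lab VM first, because a wrong path locks you out of the device.

```powershell
# Added example (not from the original post): host-level quarantine with Windows Defender Firewall.
# $agentExe is an assumed path for illustration; replace it with your EDR/RMM agent binary.
$agentExe = 'C:\Program Files\ExampleEDR\agent.exe'   # assumption, not a real product path
$svchost  = '%SystemRoot%\System32\svchost.exe'       # DNS client and DHCP client run here
$stateDir = 'C:\ProgramData\ir'                       # assumed directory for the rollback list

if (-not (Test-Path -Path $agentExe)) { throw "Agent not found at $agentExe; refusing to isolate the host" }
New-Item -ItemType Directory -Path $stateDir -Force | Out-Null

# Allow rules take precedence over the profile default action, so create them before blocking.
New-NetFirewallRule -DisplayName 'IR quarantine: EDR agent' -Direction Outbound -Program $agentExe `
    -Action Allow -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'IR quarantine: DNS' -Direction Outbound -Program $svchost `
    -Protocol UDP -RemotePort 53 -Action Allow -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'IR quarantine: DHCP' -Direction Outbound -Program $svchost `
    -Protocol UDP -LocalPort 68 -RemotePort 67 -Action Allow -Profile Any | Out-Null

# Record and disable every other enabled allow rule so only the three above can open traffic.
$others = Get-NetFirewallRule -Enabled True -Action Allow |
    Where-Object { $_.DisplayName -notlike 'IR quarantine:*' }
$others.Name | Set-Content -Path (Join-Path $stateDir 'disabled-rules.txt')
$others | Disable-NetFirewallRule

# Drop everything else, inbound and outbound, on every profile.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# Rollback, once the device is recovered:
#   Get-Content C:\ProgramData\ir\disabled-rules.txt | Enable-NetFirewallRule
#   Get-NetFirewallRule -DisplayName 'IR quarantine:*' | Remove-NetFirewallRule
#   Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Allow
```

If the firewall is managed by Group Policy, the policy wins at the next refresh and undoes this, so either apply the quarantine through the policy itself or rely on the EDR's containment feature.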
Collect Public IP Information
The public IP address the device currently uses identifies the network it is connected to and, through the ISP's allocation records and geolocation databases, its rough region. It is coarse (city-level at best, and a VPN or mobile-carrier NAT hides it entirely), but combined with timestamps, the default gateway's MAC vendor and the Wi-Fi BSSIDs visible to the device it narrows the location considerably and gives law enforcement something to subpoena. Record every observation with a UTC timestamp so later sightings can be correlated.
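The following script is an added example, not part of the original post: it collects the public IP, the default gateway and its MAC address, and the SSIDs and BSSIDs the wireless adapter can see, and writes them to one timestamped JSON record. The public-IP echo service (https://api.ipify.org) and the output directory are assumptions; substitute whatever your organisation trusts.

```powershell
# Added example (not from the original post): snapshot the network context that helps locate the device.
# Assumes the host has network access and that api.ipify.org is an acceptable lookup service.
$record = [ordered]@{
    CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
    Hostname     = $env:COMPUTERNAME
    PublicIp     = $null
    Gateways     = @()
    WifiNetworks = @()
}

try {
    $record.PublicIp = (Invoke-RestMethod -Uri 'https://api.ipify.org?format=json' -TimeoutSec 10).ip
} catch {
    $record.PublicIp = "lookup failed: $($_.Exception.Message)"
}

# Default gateway(s) and their MAC: the vendor OUI tells home router from corporate gear or carrier CPE.
foreach ($gw in (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)) {
    $mac = (Get-NetNeighbor -IPAddress $gw.NextHop -ErrorAction SilentlyContinue).LinkLayerAddress
    $record.Gateways += [ordered]@{ Interface = $gw.InterfaceAlias; NextHop = $gw.NextHop; Mac = $mac }
}

# Visible BSSIDs geolocate far more precisely than an IP address (via public BSSID databases).
# netsh output is localized; this parse assumes an English-language system.
$ssid = $null
foreach ($line in (netsh wlan show networks mode=bssid 2>$null)) {
    if ($line -match '^\s*SSID\s+\d+\s*:\s*(.*)$') {
        $ssid = $Matches[1].Trim()
    } elseif ($line -match '^\s*BSSID\s+\d+\s*:\s*([0-9a-fA-F:]{17})') {
        $record.WifiNetworks += [ordered]@{ Ssid = $ssid; Bssid = $Matches[1] }
    }
}

$outDir = 'C:\ProgramData\ir'   # assumed evidence directory
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$record | ConvertTo-Json -Depth 4 | Set-Content -Path (Join-Path $outDir 'locator.json')
```

Run it on a schedule (or each time the EDR reports the host online) and keep every record rather than overwriting: a sequence of observations is far more useful to investigators than a single one.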
Disable Cached Logins
Windows caches a verifier of each domain user's password (an MS-Cache v2, or DCC2, hash under HKLM\SECURITY\Cache) so the user can still sign in when no domain controller is reachable; by default the last 10 logons are kept. An attacker with the disk can extract these hashes and crack them offline. Setting CachedLogonsCount to 0 stops new logons from being cached. It does not delete entries that are already present (see Remove Cached Credentials below), and it means domain users cannot sign in to the device while it is off the corporate network.
# CachedLogonsCount is a REG_SZ, so the value is passed as a string. The Winlogon key always exists on a standard install; the Test-Path guard only covers the unusual case where it does not.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
if (-not (Test-Path -Path $winlogon)) { New-Item -Path $winlogon -Force | Out-Null }
Set-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' -Value '0'
Remove Stored Credentials
Windows Credential Manager stores saved passwords for RDP hosts, file shares, websites and the like. They are protected with DPAPI under the user's own logon secret, so anyone who can run code in that user's session, or who recovers the user's password, can decrypt them with tools such as mimikatz and reuse them against the network. Deleting the entries removes that material from the device. The vault is per user: run the command as each user whose credentials you want cleared, not as SYSTEM.
# Runs against the vault of the user executing it (Credential Manager is per-user, so SYSTEM cannot clear another user's entries).
foreach ($line in (cmdkey /list)) {
    if ($line -like '*Target:*') { cmdkey /delete:($line -replace '^\s*Target:\s*', '') }
}
Remove Cached Credentials
The cached domain logon verifiers described above are stored as the NL$1..NL$n values under HKLM\SECURITY\Cache. Deleting those values removes the hashes from the device, so an attacker with the disk has nothing to crack and cannot use a cached logon to sign in offline. HKLM\SECURITY is not readable even by administrators by default, so this must run as SYSTEM (through the EDR agent, or psexec -s). Combine it with CachedLogonsCount = 0, otherwise the next domain logon re-populates the cache.
# Remove-ItemProperty requires -Name; the cached entries are the NL$1..NL$n values of the Cache key. NL$Control is left alone. Run as SYSTEM.
$cache = 'HKLM:\SECURITY\Cache'
(Get-Item -Path $cache).GetValueNames() | Where-Object { $_ -match '^NL\$\d+$' } | ForEach-Object { Remove-ItemProperty -Path $cache -Name $_ }
Invalidate Kerberos Tickets
Kerberos tickets authenticate users to services in a domain. A ticket-granting ticket (TGT) is typically valid for 10 hours and renewable for 7 days, and service tickets stay usable until they expire regardless of what happens on the host. Purging the ticket caches of every logon session on the lost device removes the copies stored there, so an attacker who takes over a live session cannot simply reuse them. It does not revoke them: tickets already extracted from memory remain valid until expiry, and the KDC only starts refusing new service tickets once the user or computer account is disabled. Treat this step as cache hygiene, and pair it with disabling the computer account and resetting the affected users' passwords.
# Run elevated: purging another logon session's cache needs administrative rights. klist expects the LUID in hex with a 0x prefix. Sessions authenticated with NTLM (e.g. local accounts) hold no Kerberos tickets and are skipped.
Get-CimInstance -ClassName Win32_LogonSession | Where-Object { $_.AuthenticationPackage -ne 'NTLM' } | ForEach-Object { klist purge -li ('0x{0:x}' -f [int64]$_.LogonId) }
Remove Explorer.exe as the Default Logon Shell
Switching the default Windows shell from explorer.exe to calc.exe (or any other executable) is not a meaningful control for lost or stolen devices. Whoever signs in gets a calculator instead of a desktop, but the system otherwise works: Ctrl+Shift+Esc still opens Task Manager, from which explorer.exe can be started, and anyone who removes the disk bypasses the logon shell entirely. At most it slows down a casual user. Revert it by setting the value back to explorer.exe.
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\' -Name 'Shell' -Value 'calc.exe'
Remove Non-Default User Profiles
Deleting the non-special user profiles removes each user's profile directory (documents, desktop, browser data, DPAPI master keys) and its registry hive from the device, so whoever holds it cannot simply sign in and browse through them, and material that could be used against company resources goes with it. Treat this as damage limitation, not a wipe: deleted files can be carved from the disk unless the volume is BitLocker-protected or securely erased, and a profile that is currently loaded (a signed-in user) cannot be deleted.
# Get the list of user profiles
$userProfiles = Get-WmiObject -Class Win32_UserProfile

# Iterate through each user profile
foreach ($userProfile in $userProfiles) {
    # Skip special profiles (Default, SYSTEM, LocalService, NetworkService) and any profile that is
    # currently loaded; deleting a loaded profile fails.
    if ($userProfile.Special -eq $false -and $userProfile.Loaded -eq $false) {
        # Resolve the SID to a username for logging; orphaned SIDs (deleted accounts) keep the raw SID
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($userProfile.SID)
            $username = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
        }
        catch {
            $username = $userProfile.SID
        }

        # Optionally exclude specific users from the removal process
        # if ($username -ne "ExcludeUser1" -and $username -ne "ExcludeUser2") {
        try {
            # Remove the user profile (registry entry and profile directory) and suppress the method output
            $userProfile.Delete() | Out-Null
            Write-Host "Removed user profile for: $username"
        }
        catch {
            Write-Host "Failed to remove user profile for: $username ($($_.Exception.Message))"
        }
        # }
    }
}
Disable Computer Account in Active Directory
Disabling the computer account in Active Directory stops the device from authenticating as itself: it can no longer renew its machine TGT, apply Group Policy or be used for Kerberos delegation, and the KDC refuses new service tickets on its behalf. It does not affect user accounts, whose cached credentials and existing tickets are handled by the other steps, and it does not tear down connections that are already open. Run this from an administrative workstation with the ActiveDirectory (RSAT) module, not on the lost host.
# A computer's sAMAccountName ends in '$', so resolve the object first rather than passing the bare name to Disable-ADAccount.
Get-ADComputer -Identity '<ComputerName>' | Disable-ADAccount
Remove Computer from Domain
Removing the computer from the domain turns it into a standalone workgroup machine: domain accounts can no longer sign in to it, even with cached credentials, and its machine credentials become useless, which prevents further attacks on the domain and access to sensitive data through it. Do this last, because unjoining can also break the management channel you are relying on and needs a reboot to take full effect. Remove-Computer without -UnjoinDomainCredential leaves the computer object in AD, so disable that object separately as described above.
# Leaves the AD computer object in place; add -UnjoinDomainCredential (Get-Credential) to disable it during the unjoin, or disable it separately. Add -Restart to reboot immediately.
Remove-Computer -Force
Force Shutdowns on Boot
Forcing shutdown on boot is more of an annoyance than a security measure. This is because it does not prevent a knowledgeable person from circumventing the shutdown or accessing the computer’s data by using an alternative boot method or connecting the hard drive to another device.
# This causes the computer to shut down as soon as it starts up. Do NOT run this on anything you care about.
schtasks /create /tn "ShutdownAtStartup" /tr "shutdown.exe /s /f /t 0" /sc onstart /ru SYSTEM
Force Immediate Password Resets for Any Authenticated User On Host
Any user who has signed in to the host may have left credential material on it: cached DCC2 hashes, Credential Manager entries, browser-saved passwords, Kerberos tickets and NTLM hashes in LSASS memory. Resetting those users' passwords immediately, and forcing a change at next logon, means that whatever the attacker recovers is already stale, which removes the risk of network access, user impersonation and data exfiltration with those credentials. The list of affected users comes from the profile directories on the host or from its Security event log (event ID 4624 logons); in a hybrid directory, revoke the users' cloud sessions at the same time.
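As an added example (not from the original post), the script below takes a list of profile SIDs exported from the host, maps each to its AD user, sets a random password the helpdesk never sees, and forces a change at next logon. It assumes the SIDs were collected on the host with (Get-CimInstance Win32_UserProfile).SID and that it runs on an administrative workstation with the ActiveDirectory module; the SIDs shown are constructed sample values.

```powershell
# Added example (not from the original post): bulk password reset for users with a profile on the stolen host.
# Assumes RSAT / ActiveDirectory module and an account allowed to reset passwords.
Import-Module ActiveDirectory

# Constructed sample input: SIDs exported from the host via (Get-CimInstance Win32_UserProfile).SID
$profileSids = @(
    'S-1-5-21-1111111111-2222222222-3333333333-1105',
    'S-1-5-21-1111111111-2222222222-3333333333-1182',
    'S-1-5-21-4444444444-5555555555-6666666666-1001'   # local account SID: will not resolve in AD
)

function New-RandomPassword {
    # 18 random bytes -> 24 base64 characters: upper, lower, digits and symbols, so it meets complexity.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

foreach ($sid in $profileSids) {
    try {
        # Get-ADUser -Identity accepts an objectSid; local or orphaned SIDs throw and are reported.
        $user = Get-ADUser -Identity $sid -ErrorAction Stop
    }
    catch {
        Write-Warning "No AD user for $sid (local or orphaned profile); skipping"
        continue
    }

    Set-ADAccountPassword -Identity $user -Reset -NewPassword (New-RandomPassword)
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    Write-Host "Reset password for $($user.SamAccountName); change required at next logon"
}
```

A password reset invalidates cached hashes and stored passwords but not Kerberos tickets already issued, which run until expiry; disabling the computer account and, for hybrid tenants, revoking the users' refresh tokens in the identity provider close that gap.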
Record Audio
Audio recordings could provide evidence of a thief's activities, conversations or plans, offering clues about their identity, location or intentions. They can also narrow down the timeline of events, corroborate other evidence and give insight into the suspects' motivations. Check the legal notes above before doing this: covert audio recording is restricted far more tightly than screenshots in many jurisdictions.
# Sound Recorder limits a single recording to 3 hours. SoundRecorder.exe with these switches exists on Windows 7 and early Windows 10 builds; later Windows 10 releases replaced it with the Voice Recorder app, which has no command-line interface.
soundrecorder /file c:\temp\audio_recording.wav /duration 2:59:00
Capture Screenshots
Screenshots can provide insight into the activities and intentions of the person using the computer, potentially revealing crucial information such as opened applications, accessed files, or online communication. This allows for a more comprehensive view of the suspect’s actions and can strengthen a case against them.
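The original post gives no code for this; the script below is an added example that captures the whole virtual desktop with System.Drawing at a fixed interval and names each file by timestamp. It must run inside the interactive user's session: from session 0 (a SYSTEM service, which is where most EDR "run script" features execute) CopyFromScreen fails with "The handle is invalid", so launch it as the logged-on user, for instance through a scheduled task whose /ru is that account. The output directory and interval are assumptions.

```powershell
# Added example (not from the original post): periodic full-desktop screenshots.
# Requires the interactive session; the evidence directory below is an assumption.
Add-Type -AssemblyName System.Drawing
Add-Type -AssemblyName System.Windows.Forms

function Save-Screenshot {
    param([Parameter(Mandatory)][string]$Path)
    # VirtualScreen spans all monitors, not only the primary one.
    $bounds = [System.Windows.Forms.SystemInformation]::VirtualScreen
    $bmp = New-Object System.Drawing.Bitmap -ArgumentList $bounds.Width, $bounds.Height
    $gfx = [System.Drawing.Graphics]::FromImage($bmp)
    try {
        $gfx.CopyFromScreen($bounds.Location, [System.Drawing.Point]::Empty, $bounds.Size)
        $bmp.Save($Path, [System.Drawing.Imaging.ImageFormat]::Png)
    }
    finally {
        $gfx.Dispose()
        $bmp.Dispose()
    }
}

$dir = 'C:\ProgramData\ir\screens'   # assumed evidence directory
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# One capture every five minutes for an hour; the timestamp in the filename gives the timeline.
for ($i = 0; $i -lt 12; $i++) {
    $file = Join-Path $dir ('screen_{0:yyyyMMdd_HHmmss}.png' -f (Get-Date))
    try {
        Save-Screenshot -Path $file
        Write-Host "Saved $file"
    }
    catch {
        Write-Warning "Capture failed (not in the interactive session?): $($_.Exception.Message)"
    }
    Start-Sleep -Seconds 300
}
```

Pull the files back through the management channel as they are written rather than at the end; if the device goes offline, whatever has already been retrieved is what you keep.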
Capture Webcam Images or Video Recordings
Webcam recordings and images can be valuable tools for prosecuting and identifying individuals. Timestamps on the images or recordings can help establish a timeline of events, which can be crucial in building a strong case. The recorded visuals may capture additional evidence, such as the suspect’s surroundings or accomplices, providing more context and potentially leading to the recovery of stolen property.
Conclusion
Restricting authentication and collecting evidence are both useful when a computer is lost or stolen: the first limits what the device can still do with the company's credentials and data, the second supports recovery. Opportunistic, non-technical thieves are deterred from using the device at all, and technically capable ones are denied live credentials even if they image the disk. Evidence such as audio recordings, webcam images, screenshots and network locator data can point to the perpetrator's identity, location and activities, and can assist law enforcement in tracking down the individual responsible and strengthening the case against them.
Keep in mind that even if you or your company owns the device, using monitoring or recording methods might still violate privacy rights. Consult with a legal expert to ensure you’re adhering to the appropriate regulations and not infringing on anyone’s privacy before implementing any of these methods. This way, you can be confident that you’re acting within the boundaries of the law while protecting your property.