Monday 15 October 2018

Remotely lock a computer and prevent the user from logging back in

For investigative purposes, you sometimes have to freeze a terminal by throwing someone off it while preserving the evidence on it. Let's assume someone is using a terminal to send frustrating messages to their colleagues, to hold obscene chats, or even, as an anonymous user, to try to hack, and you need to secure the running terminal to capture the commands that have been run.
The following process shows that this investigative task is quite simple to accomplish, provided you have admin privileges over the network:
  1. Change the target account's AD password. This step is mandatory: it ensures the culprit cannot log back in.
  2. If you don't have psexec, download PSTools and extract its contents. Then target the terminal with psexec and use rundll32 to call the LockWorkStation function in user32.dll. This locks the workstation. The following command can be tweaked for your purposes:
     H:\PSTools>PsExec.exe \\192.168.100.10 -d -u ventej\Administrator -i cmd /c "rundll32 user32.dll,LockWorkStation"
  3. Now it's time to seize the terminal. Make sure you are standing by and ready for this, as the user could become distressed and shut down the workstation, essentially removing evidence.
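Steps 1 and 2 as a single PowerShell script, added here as an example and not part of the original post: it resets the password, confirms the reset before locking the screen, and timestamps each action for the case file. It assumes the RSAT ActiveDirectory module and a session already running as a domain admin (so no -u is passed to PsExec); the parameter names and the log path are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string] $SamAccountName,  # account to lock out
    [Parameter(Mandatory)] [string] $Computer,        # terminal to lock, e.g. 192.168.100.10
    [string] $PsExec  = 'H:\PSTools\PsExec.exe',      # path used in the post
    [string] $LogPath = '.\lock-actions.log'          # hypothetical action log
)

function Write-ActionLog([string] $Message) {
    # UTC timestamps so the log lines up with other evidence sources
    $line = '{0} {1} {2}' -f (Get-Date).ToUniversalTime().ToString('o'), $env:USERNAME, $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# Pin every AD call to one domain controller so the verification below
# is not fooled by replication lag between controllers.
$dc = (Get-ADDomain).PDCEmulator

# Step 1: reset to a random password that is never displayed or stored.
$bytes = New-Object byte[] 24
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
$secure = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

$before = (Get-ADUser -Identity $SamAccountName -Server $dc -Properties PasswordLastSet).PasswordLastSet
Set-ADAccountPassword -Identity $SamAccountName -Server $dc -Reset -NewPassword $secure -ErrorAction Stop
$after  = (Get-ADUser -Identity $SamAccountName -Server $dc -Properties PasswordLastSet).PasswordLastSet

# Locking the screen is pointless if the user can simply unlock it again,
# so stop here unless the directory shows a newer password timestamp.
if (-not $after -or ($before -and $after -le $before)) {
    Write-ActionLog "ABORT: password reset for $SamAccountName not confirmed on $dc"
    throw "Password reset not confirmed; workstation was not locked."
}
Write-ActionLog "password reset for $SamAccountName confirmed on $dc (PasswordLastSet=$($after.ToString('o')))"

# Step 2: lock the interactive session, same command as in the post.
# With -d PsExec does not wait, and its exit code is the PID of the new process.
& $PsExec "\\$Computer" -accepteula -d -i cmd /c 'rundll32 user32.dll,LockWorkStation'
Write-ActionLog "lock command sent to $Computer (PsExec returned $LASTEXITCODE)"
```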
Good Luck!
