Hey everyone! I have a bit of a puzzler on my hands. One of our users reported that while his workstation was in sleep mode, it woke up and seemed to have someone navigating through some Excel files for about 15-30 seconds. He primarily uses a Windows virtual desktop monitored by Defender for Endpoint. My team checked with him but couldn't get in touch. They looked into the security event logs and didn't find any logins aside from service accounts. I even ran a full scan from the Defender portal and nothing suspicious came up. We checked various logs, existing remote access tools, and firewall logs without finding anything out of the ordinary. I'm worried it might be technical issues or a user misinterpretation, but I'm not sure what other steps I should take. Any advice on what else to investigate or check would be hugely appreciated! I've been working on this for over a week without much luck.
6 Answers
I don't think this is a breach. If ScreenConnect is your remote access method, check its web UI for a timeline. If someone accidentally connected to the wrong device and logged off quickly, that should show up there.
Sounds like a weird situation! I had a similar issue where a user thought their laptop was being hacked, but it turned out someone had borrowed their wireless mouse and was accidentally controlling the laptop from across the room. It might be worth checking if any wireless devices in the area could have interfered.
This sounds more like a misunderstanding than an actual hack. I once dealt with a user who couldn't explain their issue well, and it turned out it's just a confusing setup causing them to believe they were hacked. It might help to walk your user through what they experienced to clear things up.
Sometimes, it’s just dirty hardware playing tricks. Dirty keyboards can send all sorts of weird signals, leading users to think something sinister is at play. It might be worth checking that as a first step too!
I've seen this often due to CPU throttle on wake-up. Sometimes it seems like random programs are being opened during wake-up events, but it’s usually nothing malicious. Just check the logs around the time and see if there's anything unusual.
Just to clarify, did the user see the mouse actually moving around or just opening files? If they had recent files accessed, it might be worthwhile for them to check that list to see if anything was looked at during that time.
Haha, I can relate! I once had a mouse connect to my computer and started moving the cursor around without me touching anything, and it freaked me out. Could definitely be something funny like that!