Hey everyone, I could really use your insights on an unusual situation. A user reported that while their workstation was in sleep mode, it turned on by itself and it looked like someone was navigating through their Excel files for about 15-30 seconds. The user primarily uses a Windows virtual desktop and it's being monitored by Defender for Endpoint.
My team looked into this right away. They tried reaching the user but couldn't get through. We checked the security event logs and only saw logins from service accounts. We also reviewed the Office 365 activity from the Defender activity portal and Entra ID without finding anything suspicious. I ran a complete scan of the virtual machine but no issues came up. We looked at the TerminalServices logs, and only the user's account was recorded as logging in.
The remote connection tools on the system include Remote Desktop and ScreenConnect, but nothing seemed out of the ordinary during our investigation. My colleagues checked scheduled tasks and firewall logs without finding anything concerning. We even considered if someone from IT inadvertently logged in, but couldn't find any connection records in that timeframe.
I suggested that Malwarebytes or HitmanPro scans should be done on both local and virtual machines to check for malware, but my boss prefers to leave this to more experienced team members. So, I'm kind of stuck without being able to remote into the user's workstation directly. I'd love to know if there's anything else I should check, as I've been digging into this for over a week and am getting nowhere. Any ideas?
7 Answers
This isn’t uncommon. Sometimes, a CPU throttle on wake up can cause strange inputs, which might appear as if random files are being accessed. You should definitely check the logs around that time; you might find an event related to waking up but nothing else suspicious to report.
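One way to do that check, as an added example rather than code from anyone in this thread: pull the wake/resume events, RDP session events and interactive Security logons from a window around the reported time and sort them into one timeline, so a wake with no logon, unlock or reconnect next to it stands out. `$ReportedTime` and `$WindowMinutes` are placeholder values you would set from the user's report.

```powershell
# Added example: build a timeline of wake events and interactive sessions
# around the reported time. Run elevated on the affected host (reading the
# Security log needs admin). Placeholder values below, not from the thread.
$ReportedTime  = Get-Date '2024-01-01 14:30'   # placeholder: user's reported time
$WindowMinutes = 30
$start = $ReportedTime.AddMinutes(-$WindowMinutes)
$end   = $ReportedTime.AddMinutes($WindowMinutes)

# 1. Did the machine actually wake? Power-Troubleshooter ID 1 names the wake
#    source (timer, device, etc.); Kernel-Power 107 is the plain "resumed" event.
$wake = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Power-Troubleshooter', 'Microsoft-Windows-Kernel-Power'
    Id           = 1, 107
    StartTime    = $start; EndTime = $end
} -ErrorAction SilentlyContinue

# 2. RDP stack session events: 21 logon, 22 shell start, 24 disconnect,
#    25 reconnect. Tools with their own session model (e.g. ScreenConnect)
#    will not show up here; check that tool's own timeline separately.
$rdp = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id        = 21, 22, 24, 25
    StartTime = $start; EndTime = $end
} -ErrorAction SilentlyContinue

# 3. Security 4624 logons, keeping only interactive types:
#    2 local, 7 unlock, 10 RemoteInteractive (RDP), 11 cached interactive.
$logons = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $start; EndTime = $end
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.LogonType -in '2', '7', '10', '11') {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Source = 'Security 4624'
            Detail = "$($d.TargetDomainName)\$($d.TargetUserName) type=$($d.LogonType) from=$($d.IpAddress) via=$($d.ProcessName)"
        }
    }
}

# Merge everything into one chronological view; message text is flattened
# to a single line so the wake source stays visible.
$timeline = @(
    $wake | ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Source = "$($_.ProviderName) $($_.Id)"; Detail = ($_.Message -replace '\s+', ' ') } }
    $rdp  | ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Source = "TS-LSM $($_.Id)";            Detail = ($_.Message -replace '\s+', ' ') } }
    $logons
) | Sort-Object Time

$timeline | Format-Table Time, Source, Detail -AutoSize -Wrap
```

A wake event followed within seconds by an unlock or RDP reconnect from the expected account is ordinary user activity; a wake with a device or timer as its source and no session event nearby points at hardware or scheduled activity rather than a person.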
Just to clarify, when the user reported that it looked like someone was navigating through files, did they actually see movement on the screen or just files being opened? If it’s the latter, checking the recent files list might reveal what was accessed. Also, regarding the workstation turning on, was there a lock screen set up, or could it be that the monitor settings made it seem like someone made it wake up?
One possibility you might want to explore is where the user downloaded the ISO for the OS to set up the virtual machine. It's known that some hackers create malicious ISOs that can have backdoors. Just a thought to keep in mind while you investigate further!
Yeah, from what you described, it doesn't seem like a real breach. With ScreenConnect, you can check the activity timeline through the web interface. If someone did mistakenly connect to the wrong device, it should show up there.
This sounds more like a case of mistaken identity rather than a true breach. I once had a user report a similar issue with their laptop. After digging through the logs with no success, we found out the reason: they had misplaced their wireless mouse in the boardroom. Another person thought it was for the AV equipment, and they ended up controlling the laptop from across the room—it was hilarious once we figured it out!
Just a heads up: sometimes dirty keyboards can create weird input signals that can freak users out. Maybe the user accidentally pressed keys that made it look like something was happening. It’s worth considering that their perspective might be skewed due to unfamiliarity with their setup!
I had a similar case where communication was key. The user thought something nefarious was going on because of a bad search engine and OneDrive issues causing weird redirects. People often misunderstand tech glitches and think they’re hacks. Try to clarify with the user exactly what happened before jumping to conclusions!
Haha, I can relate! I had a similar experience with a recycled mouse that connected to my Mac and started moving the cursor around randomly. I was totally confused!