Determine details surrounding rogue account creation

I see that someone created a new Active Directory account at 2am last night, suspiciously named "Admin." How can I learn details relating to this event? I'd like to know:

a) What user account was used to create the account
b) What machine it was created from
c) Whether or not this new account has actually been used

My server is Windows 2000 Server with service pack 4.
Asked by: stevengraff
sk_raja_raja commented:
Your best option is to go to the Security event log on the DC and check for events at that time; you should be able to find the user who created the new account in the Security event log.

Also, right-click the newly created user account and open Object info; this will show you the created time.

stevengraff (Author) commented:
At 2:08:46 I get all three of the following, under category Account Management:

User Account password set:
     Target Account Name:    admin
     Target Domain:    PEDOMAIN
     Target Account ID:    PEDOMAIN\admin
     Caller User Name:    PLAINENGLISHDC$
     Caller Domain:    PEDOMAIN
     Caller Logon ID:    (0x0,0x3E7)
 

User Account Changed:
     Account Enabled.  
    'Password Not Required' - Disabled
     Target Account Name:    admin
     Target Domain:    PEDOMAIN
     Target Account ID:    PEDOMAIN\admin
     Caller User Name:    PLAINENGLISHDC$
     Caller Domain:    PEDOMAIN
     Caller Logon ID:    (0x0,0x3E7)
     Privileges:    -


User Account Created:
     New Account Name:    admin
     New Domain:    PEDOMAIN
     New Account ID:    PEDOMAIN\admin
     Caller User Name:    PLAINENGLISHDC$
     Caller Domain:    PEDOMAIN
     Caller Logon ID:    (0x0,0x3E7)
     Privileges        -


Is it significant that the Caller User Name is actually the machine name of my DC?
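An added example, not from the thread, that parses event text in the layout pasted above and flags account creations whose caller is a computer account (name ending in $) or the local SYSTEM logon session (Logon ID 0x3E7), i.e. created by a process running on the DC itself rather than by a logged-on user; the sample events, the second account and the helpdesk1 caller are constructed.

```python
import re

# Constructed sample modelled on the events quoted above (not a real log).
SAMPLE_EVENTS = """\
User Account Created:
     New Account Name:    admin
     New Account ID:    PEDOMAIN\\admin
     Caller User Name:    PLAINENGLISHDC$
     Caller Logon ID:    (0x0,0x3E7)
User Account Created:
     New Account Name:    jsmith
     New Account ID:    PEDOMAIN\\jsmith
     Caller User Name:    helpdesk1
     Caller Logon ID:    (0x0,0x1A2B3)
"""

SYSTEM_LOGON_ID = "(0x0,0x3E7)"  # logon session 999 = the local SYSTEM account
# "Field name:    value"; the colon is optional because the Privileges line has none
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):?\s{2,}(.+?)\s*$")


def parse_events(text):
    """Split the pasted event text into one dict (field -> value) per event."""
    events, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" ") and line.rstrip().endswith(":"):
            current = {"event": line.strip().rstrip(":")}  # e.g. "User Account Created"
            events.append(current)
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                current[m.group(1).strip()] = m.group(2)
    return events


def triage(text):
    """Return (new account, caller, reasons) for creations that deserve a closer look."""
    findings = []
    for ev in parse_events(text):
        if ev.get("event") != "User Account Created":
            continue
        caller, reasons = ev.get("Caller User Name", ""), []
        if caller.endswith("$"):  # computer account: a process on the DC, not a person
            reasons.append("caller is a computer account (process on the DC itself)")
        if ev.get("Caller Logon ID") == SYSTEM_LOGON_ID:
            reasons.append("caller logon session is local SYSTEM, not a user logon")
        if reasons:
            findings.append((ev.get("New Account Name"), caller, reasons))
    return findings
```

The Logon ID is the key: an account created by a person shows that person's name and a per-session logon ID, so a SYSTEM session on the DC points at a service, scheduled task or other process running there as the next thing to examine.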
There is enhanced AD account information that you can provide yourself:
http://www.petri.co.il/add_user_account_information_to_dsa.htm

ChiefIT commented:
What I would do is look at the SID of this using the enhanced AD account info and determine if your DC was trying to be backwards compatible with a program that uses NTLM hash authentication.

To determine this, you would get a short SID.

Also, for security reasons, download HijackThis and post the results on this web site for analyzing processes that may be running under an NTLM hash or LM hash authentication protocol. Viruses often don't try to use Kerberos SIDs to run because of how hard Kerberos is to hack:

http://www.hijackthis.de/index.php?langselect=english#anl

stevengraff (Author) commented:
ChiefIT,

I cannot get this to work, though I have tried on both a Windows Server 2003 machine (which is not the DC, but does have AD on it) and the DC, which is actually a Win2K Server box (so I shouldn't expect it to work?):

 regsvr32 %systemroot%\system32\acctinfo.dll

I keep getting "LoadLibrary("c:\windows\system32\acctinfo.dll") failed - The specified module could not be found."

stevengraff (Author) commented:
Actually, I see now that this may not be supported in a 64-bit environment. Is there an equivalent for use on 64-bit, or for use on the Win2K server?

ChiefIT commented:
Terribly sorry about the slow response. Had a lot of fires to take care of.

For a 64-bit 2000 server, I don't think there is advanced AD information available.

Since usernames are not really related to IP addresses, this is probably as good as you get for trying to locate the user's machine:
http://www.experts-exchange.com/Networking/Misc/Q_21416099.html?sfQueryTermInfo=1+2003+ip+list+user

Pete makes mention of a favorite tool of mine. It is called ANGRYIPSCAN, not angey Ip Scan. This might tell you who is logged onto the machine.

stevengraff (Author) commented:
I'll try that, thanks.

BTW, this "rogue acct creation" seems to happen occasionally, i.e. a couple of times per month or so. Different user name each time, usually a name that's not otherwise suspicious, like MSSQL, etc. No one uses the machine interactively. Someone suggested it could be a virus.

ChiefIT commented:
That is definitely something to look into.

ChiefIT commented:
Be careful when deleting these users. Some of them sound like they could be built-in accounts.

There is one called TS_interentuser, which is a built-in account for Terminal Services. There is also a built-in Administrator account. And without looking, I believe there is an MSSQL account for WSUS and other SQL-based programs.

stevengraff (Author) commented:
Thanks -- I think that that's part of the bogey's plan -- creating user accounts that sound like they could be real!!!

ChiefIT commented:
Well, if I were a hacker, that is the way I would do it.

stevengraff (Author) commented:
Thanks, though the solution doesn't apply to a Win2K environment.