Solved

Determine details surrounding rogue account creation

Posted on 2008-10-19
Last Modified: 2013-12-05
I see that someone created a new Active Directory account at 2am last night, suspiciously named "Admin." How can I learn details relating to this event? I'd like to know:

a) What user account was used to create the account
b) What machine it was created from
c) Whether or not this new account has actually been used

My server is Windows 2000 Server with service pack 4.
Question by:stevengraff
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22752726
Your best option is to go to the Security event log on the DC and check for events at that time. You should be able to find the user who created the new account in the Security event log.

Also, right-click the newly created user account and open Object info; this will show you the created time.
 
LVL 11

Author Comment

by:stevengraff
ID: 22753716
At 2:08:46 I get all three of the following, under category Account Management:

User Account password set:
     Target Account Name:    admin
     Target Domain:    PEDOMAIN
     Target Account ID:    PEDOMAIN\admin
     Caller User Name:    PLAINENGLISHDC$
     Caller Domain:    PEDOMAIN
     Caller Logon ID:    (0x0,0x3E7)
 

User Account Changed:
     Account Enabled.  
    'Password Not Required' - Disabled
     Target Account Name:    admin
     Target Domain:    PEDOMAIN
     Target Account ID:    PEDOMAIN\admin
     Caller User Name:    PLAINENGLISHDC$
     Caller Domain:    PEDOMAIN
     Caller Logon ID:    (0x0,0x3E7)
     Privileges:    -


User Account Created:
     New Account Name:    admin
     New Domain:    PEDOMAIN
     New Account ID:    PEDOMAIN\admin
     Caller User Name:    PLAINENGLISHDC$
     Caller Domain:    PEDOMAIN
     Caller Logon ID:    (0x0,0x3E7)
     Privileges:    -


Is it significant that the Caller User Name is actually the machine name of my DC?
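An added example (not from this thread or from Experts Exchange) that carries out the log review sk_raja_raja describes, over a constructed Security-log export rather than a real one. It assumes the Windows 2000/2003 event IDs (624 "User Account Created", 528/540 successful logon, 529 logon failure) and records laid out as one tab-separated header line followed by the description fields in the form pasted above; the jsmith session, the workstation names and the two later logons as "admin" are invented sample data. For each 624 event it reports the caller, resolves the caller's logon session either to the workstation named in the matching 528/540 logon event or, when the caller is the DC's own machine account in logon session (0x0,0x3E7), which is the well-known LocalSystem session, to a process running as SYSTEM on that DC itself, and then lists later logon attempts under the new account name to answer whether the account has actually been used.

```python
import re

# Windows 2000/2003 Security-log event IDs (pre-Vista numbering).
USER_ACCOUNT_CREATED = 624      # "User Account Created"
LOGON_SUCCESS = {528, 540}      # interactive / network logon
LOGON_FAILURE = 529             # unknown user name or bad password

# Logon session (0x0,0x3E7) is the machine's own LocalSystem session. An Account
# Management event whose caller is the DC's machine account in that session was
# raised by a process running as SYSTEM on the DC, not by a user who logged on.
SYSTEM_LOGON_ID = 0x3E7

# Constructed sample, not real data: one tab-separated header line per event
# (date, time, source, type, category, event ID, user, computer) followed by the
# description lines in the form the thread pasted. The jsmith session, the
# workstation names and the two later 'admin' logons are invented.
SAMPLE_LOG = (
    "2008-10-19\t01:55:02\tSecurity\tSuccess Audit\tLogon/Logoff\t540\tPEDOMAIN\\jsmith\tPLAINENGLISHDC\n"
    "Successful Network Logon:\n"
    "     User Name:    jsmith\n"
    "     Logon ID:    (0x0,0x5A3C1)\n"
    "     Workstation Name:    WS017\n"
    "\n"
    "2008-10-19\t01:57:40\tSecurity\tSuccess Audit\tAccount Management\t624\tPEDOMAIN\\jsmith\tPLAINENGLISHDC\n"
    "User Account Created:\n"
    "     New Account Name:    mssql\n"
    "     Caller User Name:    jsmith\n"
    "     Caller Logon ID:    (0x0,0x5A3C1)\n"
    "\n"
    "2008-10-19\t02:08:46\tSecurity\tSuccess Audit\tAccount Management\t624\tNT AUTHORITY\\SYSTEM\tPLAINENGLISHDC\n"
    "User Account Created:\n"
    "     New Account Name:    admin\n"
    "     Caller User Name:    PLAINENGLISHDC$\n"
    "     Caller Logon ID:    (0x0,0x3E7)\n"
    "\n"
    "2008-10-19\t02:41:13\tSecurity\tSuccess Audit\tLogon/Logoff\t540\tPEDOMAIN\\admin\tPLAINENGLISHDC\n"
    "Successful Network Logon:\n"
    "     User Name:    admin\n"
    "     Logon ID:    (0x0,0x61F0A)\n"
    "     Workstation Name:    WS042\n"
    "\n"
    "2008-10-19\t02:45:00\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tPLAINENGLISHDC\n"
    "Logon Failure:\n"
    "     Reason:    Unknown user name or bad password\n"
    "     User Name:    admin\n"
    "     Workstation Name:    WS042\n"
)

HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\t(\d{2}:\d{2}:\d{2})\t\w+\t[^\t]+\t([^\t]+)\t(\d+)\t[^\t]*\t(\S+)$")
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*)$")
LOGON_ID_RE = re.compile(r"0x([0-9A-Fa-f]+)\)\s*$")


def parse_events(text):
    """Split the export into events: header fields plus a dict of 'Key: value' lines."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            date, time, category, eid, computer = m.groups()
            events.append({"time": f"{date} {time}", "id": int(eid),
                           "category": category, "computer": computer, "fields": {}})
            continue
        f = FIELD_RE.match(line)
        if events and f and f.group(2).strip():   # lines without a value are titles
            events[-1]["fields"][f.group(1).strip()] = f.group(2).strip()
    return events


def logon_id(value):
    """'(0x0,0x3E7)' -> 0x3E7; None when the field is missing or malformed."""
    m = LOGON_ID_RE.search(value or "")
    return int(m.group(1), 16) if m else None


def session_workstation(events, lid):
    """Map a caller's logon session to the workstation named in its 528/540 logon event."""
    for e in events:
        if e["id"] in LOGON_SUCCESS and logon_id(e["fields"].get("Logon ID")) == lid:
            return e["fields"].get("Workstation Name")
    return None


def investigate_account_creations(events):
    """For every 624 event answer: who created the account, from where, and was it used."""
    findings = []
    for ev in events:
        if ev["id"] != USER_ACCOUNT_CREATED:
            continue
        f = ev["fields"]
        account, caller = f.get("New Account Name", ""), f.get("Caller User Name", "")
        lid = logon_id(f.get("Caller Logon ID"))
        by_system = caller.endswith("$") and lid == SYSTEM_LOGON_ID
        later = [e for e in events if e["time"] >= ev["time"] and e["id"] in LOGON_SUCCESS | {LOGON_FAILURE}
                 and e["fields"].get("User Name", "").lower() == account.lower()]
        findings.append({
            "account": account,
            "created_at": ev["time"],
            "caller": caller,
            # SYSTEM session on the DC itself: look for a service, scheduled task or
            # malware on that DC rather than for a user's workstation.
            "origin": (ev["computer"] + " (local SYSTEM process)") if by_system
                      else (session_workstation(events, lid) or "unknown"),
            "successful_logons": [(e["time"], e["fields"].get("Workstation Name", "?"))
                                  for e in later if e["id"] in LOGON_SUCCESS],
            "failed_logons": sum(1 for e in later if e["id"] == LOGON_FAILURE),
        })
    return findings


if __name__ == "__main__":
    for finding in investigate_account_creations(parse_events(SAMPLE_LOG)):
        print(finding)
```

Run against a saved export, the "mssql" finding shows the normal case: the caller's logon ID matches an earlier 540 event, whose Workstation Name gives the machine. The "admin" finding shows the case in the thread: the caller is the DC's machine account in session 0x3E7, so there is no remote workstation to find and the next step is whatever runs as SYSTEM on that DC at that hour.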
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 22753954
There is enhanced AD account information that you can provide yourself:
http://www.petri.co.il/add_user_account_information_to_dsa.htm

What I would do is look at the SID of this using the enhanced AD account info and determine if your DC was trying to be backwards compatible with a program that uses NTLM hash authentication.

To determine this, you would get a short SID.

Also, for security reasons, download HijackThis and post the results on this web site for analyzing processes that may be running under an NTLM hash or LM hash authentication protocol. Viruses often don't try to use Kerberos SIDs to run because of how hard Kerberos is to hack:

http://www.hijackthis.de/index.php?langselect=english#anl
 
LVL 11

Author Comment

by:stevengraff
ID: 22832269
ChiefIT,

I cannot get this to work, though I have tried on both a Windows Server 2003 machine (which is not the dc, but does have AD on it) and the DC, which is actually a Win2K Server box (so I shouldn't expect it to work?)

 regsvr32 %systemroot%\system32\acctinfo.dll

I keep getting "LoadLibrary("c:\windows\system32\acctinfo.dll") failed - The specified module could not be found."
 
LVL 11

Author Comment

by:stevengraff
ID: 22832937
Actually, I see now that this may not be supported in a 64-bit environment. Is there an equivalent for use on 64-bit? or for use on the Win2K server?
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22902248
Terribly sorry about the slow response. Had a lot of fires to take care of.

For 64-bit 2000 Server, I don't think there is advanced AD information available.

Since usernames are not really related to IP addresses, this is probably as good as you get for trying to locate the user's machine:
http://www.experts-exchange.com/Networking/Misc/Q_21416099.html?sfQueryTermInfo=1+2003+ip+list+user

Pete mentions a favorite tool of mine. It is called ANGRYIPSCAN, not "angey Ip Scan". This might tell you who is logged onto the machine.

 
LVL 11

Author Comment

by:stevengraff
ID: 22903675
I'll try that, thanks.

btw, this "rogue acct creation" seems to happen occasionally, i.e. a couple times per month or so. Different user name each time, usually a name that's not otherwise suspicious, like MSSQL, etc.  No one uses the machine interactively. Someone suggested it could be a virus.


 
LVL 38

Expert Comment

by:ChiefIT
ID: 22924011
That is definitely something to look into.
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22924025
Be careful when deleting these users. Some of them sound like they could be built-in accounts.

There is one called TsInternetUser, which is a built-in account for Terminal Services. There is also a built-in Administrator account. And without looking, I believe there is an MSSQL account for WSUS and other SQL-based programs.
 
LVL 11

Author Comment

by:stevengraff
ID: 22924102
Thanks -- I think that that's part of the bogey's plan -- creating user accounts that sound like they could be real!!!
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22924388
Well, if I were a hacker, that is the way I would do it.
 
LVL 11

Author Closing Comment

by:stevengraff
ID: 31507589
Thanks, though solution doesn't apply to Win2K environment.
