Determine details surrounding rogue account creation

Posted on 2008-10-19
Last Modified: 2013-12-05
I see that someone created a new Active Directory account at 2am last night, suspiciously named "Admin." How can I learn details relating to this event? I'd like to know:

a) What user account was used to create the account
b) What machine it was created from
c) Whether or not this new account has actually been used

My server is Windows 2000 Server with service pack 4.
Question by:stevengraff
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22752726
Your best option is to go to the Security event log on the DC and check for events at that time. You should be able to find the user who created the new account in the Security event log.

Also, right-click the newly created user account and open its object info; this will show you the created time.
LVL 11

Author Comment

by:stevengraff
ID: 22753716
At 2:08:46 I get all three of the following, under category Account Management:

User Account password set:
     Target Account Name:    admin
     Target Domain:    PEDOMAIN
     Target Account ID:    PEDOMAIN\admin
     Caller User Name:    PLAINENGLISHDC$
     Caller Domain:    PEDOMAIN
     Caller Logon ID:    (0x0,0x3E7)
 

User Account Changed:
     Account Enabled.  
    'Password Not Required' - Disabled
     Target Account Name:    admin
     Target Domain:    PEDOMAIN
     Target Account ID:    PEDOMAIN\admin
     Caller User Name:    PLAINENGLISHDC$
     Caller Domain:    PEDOMAIN
     Caller Logon ID:    (0x0,0x3E7)
     Privileges:    -


User Account Created:
     New Account Name:    admin
     New Domain:    PEDOMAIN
     New Account ID:    PEDOMAIN\admin
     Caller User Name:    PLAINENGLISHDC$
     Caller Domain:    PEDOMAIN
     Caller Logon ID:    (0x0,0x3E7)
     Privileges:    -


Is it significant that the Caller User Name is actually the machine name of my DC?
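As an added example (not code from the thread, and not a tool the answers above mention), the script below does the correlation described in this thread over a text export of the Security log. The 624 and 642 records in the sample are the ones quoted above; the "Event ID:/Time:" header format, the 540 network-logon record, the workstation name WKS-07 and its Logon ID are constructed for the example. It answers the three questions in the post: (a) the Caller of the 624 event, flagging that a Caller User Name ending in "$" is a computer account and that Caller Logon ID (0x0,0x3E7) is the well-known LocalSystem session, meaning the account was created by a process running as SYSTEM on the DC itself rather than by someone logged on from elsewhere; (b) for a non-SYSTEM caller, the 528/540 record whose Logon ID matches, which carries the Workstation Name; (c) any later successful logons by the new account.

```python
import re

# Windows 2000 Security log event IDs referenced here.
EVENT_CREATED = 624          # User Account Created
LOGON_EVENTS = {528, 540}    # Successful Logon / Successful Network Logon
SYSTEM_LUID = 0x3E7          # well-known LUID of the LocalSystem logon session

# Constructed sample: the 624/642 records pasted in the thread (628 omitted;
# it carries the same caller fields) plus a hypothetical 540 network logon
# by the new account from a hypothetical workstation WKS-07.
SAMPLE_LOG = r"""
Event ID: 624
Time: 2008-10-19 02:08:46
User Account Created:
     New Account Name:    admin
     New Domain:    PEDOMAIN
     New Account ID:    PEDOMAIN\admin
     Caller User Name:    PLAINENGLISHDC$
     Caller Domain:    PEDOMAIN
     Caller Logon ID:    (0x0,0x3E7)
     Privileges:    -

Event ID: 642
Time: 2008-10-19 02:08:46
User Account Changed:
     Account Enabled.
     'Password Not Required' - Disabled
     Target Account Name:    admin
     Target Domain:    PEDOMAIN
     Caller User Name:    PLAINENGLISHDC$
     Caller Logon ID:    (0x0,0x3E7)

Event ID: 540
Time: 2008-10-19 02:15:02
Successful Network Logon:
     User Name:    admin
     Domain:    PEDOMAIN
     Logon ID:    (0x0,0x2F4A1)
     Logon Type:    3
     Authentication Package:    NTLM
     Workstation Name:    WKS-07
"""

FIELD_RE = re.compile(r"^\s*([^:]+?):\s+(\S.*)$")


def parse_records(text):
    """Split pasted Event Viewer text into dicts: id, time, desc, fields, flags."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {"fields": {}, "flags": []}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                key, val = m.group(1).strip(), m.group(2).strip()
                if key == "Event ID":
                    rec["id"] = int(val)
                elif key == "Time":
                    rec["time"] = val
                else:
                    rec["fields"][key] = val
            elif line.rstrip().endswith(":"):
                rec["desc"] = line.strip().rstrip(":")
            else:
                rec["flags"].append(line.strip())   # e.g. "Account Enabled."
        records.append(rec)
    return records


def logon_luid(logon_id):
    """'(0x0,0x3E7)' -> 0x3E7; None if the field is missing or malformed."""
    m = re.fullmatch(r"\(0x([0-9A-Fa-f]+),0x([0-9A-Fa-f]+)\)", logon_id or "")
    return ((int(m.group(1), 16) << 32) | int(m.group(2), 16)) if m else None


def who_created(records, account):
    """(a) Caller of the 624 event for `account`, with two red-flag tests."""
    for r in records:
        if r.get("id") == EVENT_CREATED and \
                r["fields"].get("New Account Name", "").lower() == account.lower():
            caller = r["fields"].get("Caller User Name", "")
            lid = r["fields"].get("Caller Logon ID", "")
            return {
                "time": r.get("time"),
                "caller": r["fields"].get("Caller Domain", "") + "\\" + caller,
                "logon_id": lid,
                "is_machine_account": caller.endswith("$"),
                # LUID 0x3E7 means the call came from a process running as
                # LocalSystem on the host that logged it, not from a user logon.
                "is_local_system": logon_luid(lid) == SYSTEM_LUID,
            }
    return None


def source_machine(records, logon_id):
    """(b) Map the caller's Logon ID back to the 528/540 record that opened it."""
    if logon_luid(logon_id) == SYSTEM_LUID:
        return "SYSTEM session on the logging host itself (no network source)"
    for r in records:
        if r.get("id") in LOGON_EVENTS and r["fields"].get("Logon ID") == logon_id:
            return r["fields"].get("Workstation Name")
    return None


def account_used(records, account):
    """(c) Successful logons by the account: (time, logon type, workstation)."""
    return [(r.get("time"), r["fields"].get("Logon Type"),
             r["fields"].get("Workstation Name"))
            for r in records
            if r.get("id") in LOGON_EVENTS
            and r["fields"].get("User Name", "").lower() == account.lower()]


def investigate(text, account):
    records = parse_records(text)
    created = who_created(records, account)
    return {
        "created_by": created,
        "source_machine": source_machine(records, created["logon_id"]) if created else None,
        "logons": account_used(records, account),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(investigate(SAMPLE_LOG, "admin"), indent=2))
```

For the thread's records the script reports the creator as PEDOMAIN\PLAINENGLISHDC$ in the LocalSystem session, so question (b) has no answer in the Security log itself: the next place to look is what runs as SYSTEM on the DC (services, scheduled tasks, anything auto-starting), not other workstations.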
LVL 39

Accepted Solution

by:
ChiefIT earned 2000 total points
ID: 22753954
There is enhanced AD account information that you can provide yourself:
http://www.petri.co.il/add_user_account_information_to_dsa.htm

What I would do is look at the SID of this using the enhanced AD account info and determine if your DC was trying to be backwards compatible with a program that uses NTLM hash authentication.

To determine this, you would get a short SID.

Also, for security reasons, download HijackThis and post the results on this web site for analyzing processes that may be running under an NTLM hash or LM hash authentication protocol. Viruses often don't try to use Kerberos SIDs to run because of how hard Kerberos is to hack:

http://www.hijackthis.de/index.php?langselect=english#anl
LVL 11

Author Comment

by:stevengraff
ID: 22832269
ChiefIT,

I cannot get this to work, though I have tried on both a Windows Server 2003 machine (which is not the dc, but does have AD on it) and the DC, which is actually a Win2K Server box (so I shouldn't expect it to work?)

 regsvr32 %systemroot%\system32\acctinfo.dll

I keep getting "LoadLibrary("c:\windows\system32\acctinfo.dll") failed - The specified module could not be found."
LVL 11

Author Comment

by:stevengraff
ID: 22832937
Actually, I see now that this may not be supported in a 64-bit environment. Is there an equivalent for use on 64-bit? or for use on the Win2K server?
LVL 39

Expert Comment

by:ChiefIT
ID: 22902248
Terribly sorry about the slow response. Had a lot of fires to take care of.

64-bit 2000 Server: I don't think there is advanced AD information available.

Since usernames are not really related to IP addresses, this is probably as good as you get for trying to locate the user's machine:
http://www.experts-exchange.com/Networking/Misc/Q_21416099.html?sfQueryTermInfo=1+2003+ip+list+user

Pete makes mention of a favorite tool of mine. It is called ANGRYIPSCAN, not angey Ip Scan. This might tell you who is logged onto the machine.

LVL 11

Author Comment

by:stevengraff
ID: 22903675
I'll try that, thanks.

btw, this "rogue acct creation" seems to happen occasionally, i.e. a couple times per month or so. Different user name each time, usually a name that's not otherwise suspicious, like MSSQL, etc.  No one uses the machine interactively. Someone suggested it could be a virus.


LVL 39

Expert Comment

by:ChiefIT
ID: 22924011
That is definitely something to look into.
LVL 39

Expert Comment

by:ChiefIT
ID: 22924025
Be careful when deleting these users. Some of them sound like they could be built-in accounts.

There is one called TsInternetUser, which is a built-in account for Terminal Services. There is also a built-in administrator account. And without looking, I believe there is an MSSQL account for WSUS and other SQL-based programs.
LVL 11

Author Comment

by:stevengraff
ID: 22924102
Thanks -- I think that that's part of the bogey's plan -- creating user accounts that sound like they could be real!!!
LVL 39

Expert Comment

by:ChiefIT
ID: 22924388
Well, if I were a hacker, that is the way I would do it.
LVL 11

Author Closing Comment

by:stevengraff
ID: 31507589
Thanks, though solution doesn't apply to Win2K environment.