Mchallinor (United Kingdom) asked:

Admin AD User Account appeared and no-one knows who created it!

You can imagine the shock to find a rogue "admin" user in our Active Directory Users and Computers.
None of my engineers have owned up to creating it by mistake. I have started researching whether it was created by someone who had remote access (hacked) or by some virus that my systems have not discovered.

From the User Account OBJECT tab I can see the exact time the user account was created. Now I need to look at the event viewer records to see if there is anything that can link someone to modifying Active Directory at this time.

Questions:
1) Is it possible to view audit information of anyone who was creating accounts in Active Directory, and can this be linked to an IP address or session id?
2) Is it possible for a Trojan virus to live on the local network and create user accounts? However, it makes no sense to create an admin account if the virus already has admin permissions enough to create a user account in AD (domain admin rights).


I am aware of the possibility that RDP can be attacked, but still, if RDP provided the backdoor for a hacker and they were able to create an admin account, what is the point of doing this if they clearly had domain admin rights? It only raises suspicion.
John (Canada) replied:

I think to look at the audit logs, you need to have auditing enabled first which is not ON by default.

Trojans wreck things but normally do not create accounts.

I think someone made the account, perhaps inadvertently, and has not owned up to it at this point.
McKnife replied:
Some auditing is on by default. I think account creation in AD is audited in any supported server version. Look at the security event logs at the DC.
ASKER CERTIFIED SOLUTION
Aard Vark (Australia) replied:

As suggested above, if auditing is enabled then you can find the answer by checking the event logs.
Here is a how-to with step-by-step instructions for auditing such changes in Active Directory: https://community.spiceworks.com/how_to/128476-how-to-keep-track-of-user-additions-in-active-directory

For the virus: not sure about this, but you can just delete the user account and then restart. If it's back, then it may be due to a virus/malware.

Hope this helps!
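As an added example (not from any answer above): a PowerShell query that pulls the 4720 account-creation events from a domain controller's Security log around the time shown on the account's Object tab, and joins the creator's logon session to its 4624 logon event to get the source address and logon type. The account name, creation time and window are placeholders.

```powershell
# Added example: find who created an AD user account and where they logged on from.
# Assumptions: account-management auditing is enabled on the DC, the creation time
# is known from the account's Object tab, and 'rogue-admin' is a placeholder name.
param(
    [string]$TargetUser = 'rogue-admin',                       # placeholder
    [datetime]$CreatedAt = (Get-Date '2024-01-01 10:00:00'),   # placeholder
    [int]$WindowMinutes = 10,
    [string]$DomainController = $env:COMPUTERNAME
)

# Flatten the <EventData> of a Security event into a hashtable keyed by field name.
function Get-EventFields($Event) {
    $fields = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data |
        ForEach-Object { $fields[$_.Name] = $_.'#text' }
    return $fields
}

# Event 4720 = "A user account was created"; it is written on the DC that handled the change.
$filter = @{
    LogName   = 'Security'; Id = 4720
    StartTime = $CreatedAt.AddMinutes(-$WindowMinutes)
    EndTime   = $CreatedAt.AddMinutes($WindowMinutes)
}

Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop |
  ForEach-Object {
    $f = Get-EventFields $_
    if ($f.TargetUserName -ne $TargetUser) { return }   # skip other accounts

    # SubjectLogonId is the creator's logon session; the 4624 logon event with the
    # same TargetLogonId records the source IP, workstation and logon type.
    $created = $_.TimeCreated
    $logon = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
                 LogName = 'Security'; Id = 4624; EndTime = $created
             } -ErrorAction SilentlyContinue |
             Where-Object { (Get-EventFields $_).TargetLogonId -eq $f.SubjectLogonId } |
             Select-Object -First 1
    $l = if ($logon) { Get-EventFields $logon } else { @{} }

    [pscustomobject]@{
        CreatedAt   = $created
        NewAccount  = "$($f.TargetDomainName)\$($f.TargetUserName)"
        CreatedBy   = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
        SourceIp    = $l.IpAddress
        Workstation = $l.WorkstationName
        LogonType   = $l.LogonType   # 10 = RDP (RemoteInteractive), 3 = network
    }
  }
```

Because the event is logged only on the DC that processed the creation, run the query against each domain controller; an empty result on all of them usually means account-management auditing was not enabled when the account was created.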