troubleshooting Question
Security and Directory services expertise required for the Analysis of service account weird behavior
Hello Experts,
I am running into a weird situation where a service account it was compromised according to analysis. The service account is set to never expires, and starts a service in a Windows server.
The service which runs under this service account was stopped for only a few minutes, then start again. When I checked ADUC, and ADSI edit, the accounts appears to be updated a week ago, and from that moment last logon and last logon timestamp differs.
I wonder what else can be done to identify the root cause of this issue. why all the sudden the service stopped and started again?
Why this accounts shows that was updated a week ago without human intervention?
Can you please provide a full analysis of the root cause of this issue? See screenshots below
by the way, the password of the service account was never changed or locked before and after the incident.
Any ideas?
Windows 2012 forest, multiple DCs and sites, Azure hybrid organization , Exchange hybrid org
EE1.jpg
EE2.jpg
EE3.jpg
EE4.jpg
I am running into a weird situation where a service account it was compromised according to analysis. The service account is set to never expires, and starts a service in a Windows server.
The service which runs under this service account was stopped for only a few minutes, then start again. When I checked ADUC, and ADSI edit, the accounts appears to be updated a week ago, and from that moment last logon and last logon timestamp differs.
I wonder what else can be done to identify the root cause of this issue. why all the sudden the service stopped and started again?
Why this accounts shows that was updated a week ago without human intervention?
Can you please provide a full analysis of the root cause of this issue? See screenshots below
by the way, the password of the service account was never changed or locked before and after the incident.
Any ideas?
Windows 2012 forest, multiple DCs and sites, Azure hybrid organization , Exchange hybrid org
EE1.jpg
EE2.jpg
EE3.jpg
EE4.jpg
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 2 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.
The Distinguished Expert awards are presented to the top veteran and rookie experts to earn the most points in the top 50 topics.