I am running into a weird situation where a service account it was compromised according to analysis. The service account is set to never expires, and starts a service in a Windows server.
The service which runs under this service account was stopped for only a few minutes, then start again. When I checked ADUC, and ADSI edit, the accounts appears to be updated a week ago, and from that moment last logon and last logon timestamp differs.
I wonder what else can be done to identify the root cause of this issue. why all the sudden the service stopped and started again?
Why this accounts shows that was updated a week ago without human intervention?
Can you please provide a full analysis of the root cause of this issue? See screenshots below
by the way, the password of the service account was never changed or locked before and after the incident.
Windows 2012 forest, multiple DCs and sites, Azure hybrid organization , Exchange hybrid org