Forum Discussion
ActiveDirectory – Service Accounts with mysterious behavior
Simplest / safest solution may be to delete the accounts if no longer needed.
Hi Dave
Thank you for that - however we have a lot of accounts that have the same behavior - our concern is, what if someone has got access to our network (attack or like)? How can we investigate it?
We have tried the following:
- disabled them - still same behavior
- changed the password with a password generator 128 bit. This was done like 10 days ago - still we see new lastLogonTimestamp = 10.16.2022 13:36:21
- Dave Patrick, Oct 17, 2022, MVP
- disabled them - still same behavior
Doesn't seem possible. So the account gets reenabled? This does sound like some sort of malware at work. May need to consult one of the AV vendors for assistance.
- Orang, Oct 17, 2022, Copper Contributor
Any tips on how to dig further are really appreciated 🙂
- Dave Patrick, Oct 17, 2022, MVP
I'd reach out to the AV vendors for assistance. First step may be to identify it, then if it can be cleaned up or if restore from backup is necessary.
- Orang, Oct 17, 2022, Copper Contributor
Right now we are running 2 different AV. Cisco's endpoint protection and Microsoft's. We also have our networking teams looking for some sort of strange behavior on the network part.
Nothing whatsoever.