Forum Discussion
ActiveDirectory – Service Accounts with mysterious behavior
Hi Dave
Thank you for that - however, we have a lot of accounts that have the same behavior - our concern is, what if someone has got access to our network (attack or like)? How can we investigate it?
We have tried the following:
- disabled them - still same behavior
- changed password with a password generator 128 bit. This was done like 10 days ago - still we see new lastLogonTimestamp = 10.16.2022 13:36:21
- disabled them - still same behavior
Doesn't seem possible. So the account gets reenabled? This does sound like some sort of malware at work. May need to consult one of the AV vendors for assistance.
- Orang, Oct 17, 2022, Copper Contributor
Any tips on how to dig further are really appreciated 🙂
- Dave Patrick, Oct 17, 2022, MVP
I'd reach out to the AV vendors for assistance. First step may be to identify it, then if it can be cleaned up or if restore from backup is necessary.
- Orang, Oct 17, 2022, Copper Contributor
As mentioned, we are running 2 different AVs, Cisco and Microsoft. Both have almost given up.
Nothing to see - yes the behavior is strange.
A lot of steps have been taken for the investigation with no result, which is why I reached out to this community - just to see if others have discovered or seen such behavior.
- Orang, Oct 17, 2022, Copper Contributor
Right now we are running 2 different AVs: Cisco's endpoint protection and Microsoft's. We also have our networking teams looking for some sort of strange behavior on the network part.
Nothing whatsoever.