Oct 17 2022 06:05 AM
A strange behavior is occurring on our network.
There are around 30 service accounts that were disabled ages ago. Some were disabled 10-15 years ago.
Somehow, about a week or so ago, we began seeing that these accounts suddenly had a new "lastLogonTimestamp" attribute in AD.
There is no log in the security logs at all. Yes, deep login audit is enabled. Login auditing is enabled for deep login. Yet no logs whatsoever.
Has anyone experienced such behavior?
Does anyone know how to troubleshoot?
Thank you!
Oct 17 2022 06:45 AM
Simplest / safest solution may be to delete the accounts if no longer needed.
Oct 17 2022 06:56 AM
Hi Dave
Thank you for that - however, we have a lot of accounts that have the same behavior. Our concern is: what if someone has gotten access to our network (an attack or the like)? How can we investigate it?
We have tried the following:
- disabled them - still the same behavior
- changed the password with a password generator (128 bit). This was done about 10 days ago - still we see a new lastLogonTimestamp = 10.16.2022 13:36:21
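One way to narrow down where the timestamp is coming from, as an added example (not code from this thread): lastLogonTimestamp is replicated, but lastLogon is not, so the DC holding the newest lastLogon for an account is the one that processed the authentication, and that DC's Security log is the one to search. It assumes the RSAT ActiveDirectory module and rights to read the Security log on the DCs remotely.

```powershell
# Added example: for each disabled account with a recent lastLogonTimestamp, find
# the DC whose non-replicated lastLogon is newest, then pull that DC's
# authentication events for the account around that time.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-14)   # inspection window; adjust as needed
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Disabled accounts whose replicated lastLogonTimestamp falls inside the window.
$suspects = Get-ADUser -Filter 'Enabled -eq $false' -Properties lastLogonTimestamp |
    Where-Object { $_.lastLogonTimestamp -and
                   [DateTime]::FromFileTime($_.lastLogonTimestamp) -gt $since }

foreach ($u in $suspects) {
    # lastLogon is per-DC; the DC with the newest value handled the logon.
    $perDc = foreach ($dc in $dcs) {
        $x = Get-ADUser $u.SamAccountName -Server $dc -Properties lastLogon -ErrorAction SilentlyContinue
        if ($x -and $x.lastLogon) {
            [pscustomobject]@{ DC = $dc; LastLogon = [DateTime]::FromFileTime($x.lastLogon) }
        }
    }
    $newest = $perDc | Sort-Object LastLogon -Descending | Select-Object -First 1
    if (-not $newest) { continue }

    "{0}: lastLogonTimestamp={1:u} newest lastLogon={2:u} on {3}" -f $u.SamAccountName,
        [DateTime]::FromFileTime($u.lastLogonTimestamp), $newest.LastLogon, $newest.DC

    # Kerberos TGT/service tickets (4768/4769), NTLM validation (4776) and
    # logon success/failure (4624/4625) on that DC, +/- 5 minutes, for this account.
    $events = Get-WinEvent -ComputerName $newest.DC -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4625, 4768, 4769, 4776
        StartTime = $newest.LastLogon.AddMinutes(-5)
        EndTime   = $newest.LastLogon.AddMinutes(5)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($u.SamAccountName) }

    $events | Select-Object TimeCreated, Id, MachineName | Format-Table -AutoSize
}
```

If the per-DC lastLogon values are all older than lastLogonTimestamp, the attribute was written by something other than a logon processed by the DCs listed, which is itself a useful finding.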
Oct 17 2022 07:16 AM
- disabled them - still the same behavior
Doesn't seem possible. So the account gets re-enabled? This does sound like some sort of malware at work. May need to consult one of the AV vendors for assistance.
Oct 17 2022 07:24 AM - edited Oct 17 2022 07:27 AM
I'd reach out to the AV vendors for assistance. First step may be to identify it, then if it can be cleaned up or if restore from backup is necessary.
Oct 17 2022 08:54 AM
As mentioned, we are running 2 different AVs, Cisco and Microsoft. Both have almost given up.
Nothing to see - yes, the behavior is strange.
A lot of steps have been taken for the investigation with no result, which is why I reached out to this community - just to see if others have discovered or seen such behavior.
Oct 17 2022 08:58 AM
Nope, have not seen this issue here or on Q&A forums or in the past on MSDN/TechNet forums. I'm not sure what's meant by "given up" but if you can't sort it you may need to look at restoring a known good backup.
Oct 17 2022 10:32 AM
Ok, sounds good. I guess if no one can figure it out a restore from backup may be in order.
Oct 17 2022 11:02 AM
Hi Dave
I totally appreciate your comments and inputs.
Just to clear it up for me - when you say backup/restore - would you please explain why and how it would help to restore from backup?
Let's assume the worst case scenario - someone is attacking our network - what is your thought behind restoring from backup? I hope you will explain it further.
Thank you :)
Oct 17 2022 11:13 AM
Generally speaking when you restore an active directory domain from a backup one would restore the PDC emulator and rebuild the other ones from scratch.