Possible security problem

T

TwistedPair

All,
I have a curious problem where stuff is changing in our AD domain, but
there's no record of those changes in the event log. For instance, just
recently, a couple of users needed to be added back into a group that they
were previously members of.

1. None of the administrators are admitting to the change.

2. Nothing shows up in the security event logs with regard to the removal of
those accounts although I see the events for the user being added back in.

3. The reason for it not appearing in the event log could not possibly be
due to recency problems, meaning, the event had to have occurred before the
log events for it were overwritten (it happened just a couple of days ago).

4. DCdiag, netdiag, and the AD-related event logs are showing no problems.

5. Additionally other suspicious event have happened, like password
expiration settings changing and no record of that occurring in the event
log . . . Things like that.

I'm not liking the conclusions this is leaving me with as you can imagine.
If we've been compromised, I need concrete evidence. If any of you happen
to have any ideas on possible other things to check, I'd be greatly
interested.

Thanks!
 
S

S. Pidgorny

What I'd do:

1. Make sure your auditing works: add/delete users from the group and
identify the audit trail
2. Set up alerting on the audit events (using eventtriggers.exe, for
example)
3. Action on the alerts - identify who's making changes, and why
4. Use smart cards only for administrative logon so that there will be no
issue with passwords


--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *



"TwistedPair" <twistedpair@mail.com> wrote in message
news:O6cAN1VHIHA.1212@TK2MSFTNGP05.phx.gbl...
> All,
> I have a curious problem where stuff is changing in our AD domain, but
> there's no record of those changes in the event log. For instance, just
> recently, a couple of users needed to be added back into a group that they
> were previously members of.
>
> 1. None of the administrators are admitting to the change.
>
> 2. Nothing shows up in the security event logs with regard to the removal
> of
> those accounts although I see the events for the user being added back in.
>
> 3. The reason for it not appearing in the event log could not possibly be
> due to recency problems, meaning, the event had to have occurred before
> the
> log events for it were overwritten (it happened just a couple of days
> ago).
>
> 4. DCdiag, netdiag, and the AD-related event logs are showing no problems.
>
> 5. Additionally other suspicious event have happened, like password
> expiration settings changing and no record of that occurring in the event
> log . . . Things like that.
>
> I'm not liking the conclusions this is leaving me with as you can imagine.
> If we've been compromised, I need concrete evidence. If any of you happen
> to have any ideas on possible other things to check, I'd be greatly
> interested.
>
> Thanks!
>
>
 
T

TwistedPair

Good info, thank you!

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:O8hO1dmHIHA.824@TK2MSFTNGP02.phx.gbl...
> What I'd do:
>
> 1. Make sure your auditing works: add/delete users from the group and
> identify the audit trail
> 2. Set up alerting on the audit events (using eventtriggers.exe, for
> example)
> 3. Action on the alerts - identify who's making changes, and why
> 4. Use smart cards only for administrative logon so that there will be no
> issue with passwords
>
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
>
>
> "TwistedPair" <twistedpair@mail.com> wrote in message
> news:O6cAN1VHIHA.1212@TK2MSFTNGP05.phx.gbl...
>> All,
>> I have a curious problem where stuff is changing in our AD domain, but
>> there's no record of those changes in the event log. For instance, just
>> recently, a couple of users needed to be added back into a group that
>> they
>> were previously members of.
>>
>> 1. None of the administrators are admitting to the change.
>>
>> 2. Nothing shows up in the security event logs with regard to the removal
>> of
>> those accounts although I see the events for the user being added back
>> in.
>>
>> 3. The reason for it not appearing in the event log could not possibly be
>> due to recency problems, meaning, the event had to have occurred before
>> the
>> log events for it were overwritten (it happened just a couple of days
>> ago).
>>
>> 4. DCdiag, netdiag, and the AD-related event logs are showing no
>> problems.
>>
>> 5. Additionally other suspicious event have happened, like password
>> expiration settings changing and no record of that occurring in the event
>> log . . . Things like that.
>>
>> I'm not liking the conclusions this is leaving me with as you can
>> imagine.
>> If we've been compromised, I need concrete evidence. If any of you
>> happen
>> to have any ideas on possible other things to check, I'd be greatly
>> interested.
>>
>> Thanks!
>>
>>
>
>
 
You must log in or register to reply here.

Similar threads

A
Weird Activities On Windows Security Logs In Event Viewer
Replies
0
Views
30
Ai Vo
A
A
Weird Activities On Windows Security Logs In Event Viewer
Replies
0
Views
25
Ai Vo
A
A
Suspicious Windows Security Logs In Event Viewer
Replies
0
Views
24
Ai Vo
A
S
Event Log Online Help - When will it finally be fixed?
Replies
0
Views
17
S_Scott
S
K
How to troubleshoot 521 Events in Windows Security Log
Replies
0
Views
14
Kel Koop
K
Back
Top Bottom