Possible security problem


TwistedPair

All,
I have a curious problem where stuff is changing in our AD domain, but
there's no record of those changes in the event log. For instance, just
recently, a couple of users needed to be added back into a group that they
were previously members of.

1. None of the administrators are admitting to the change.

2. Nothing shows up in the security event logs with regard to the removal of
those accounts although I see the events for the user being added back in.

3. The reason for it not appearing in the event log could not possibly be
due to recency problems, meaning, the event had to have occurred before the
log events for it were overwritten (it happened just a couple of days ago).

4. DCdiag, netdiag, and the AD-related event logs are showing no problems.

5. Additionally, other suspicious events have happened, like password
expiration settings changing and no record of that occurring in the event
log . . . Things like that.

I'm not liking the conclusions this is leaving me with as you can imagine.
If we've been compromised, I need concrete evidence. If any of you happen
to have any ideas on possible other things to check, I'd be greatly
interested.

Thanks!
 

S. Pidgorny

What I'd do:

1. Make sure your auditing works: add/delete users from the group and
identify the audit trail
2. Set up alerting on the audit events (using eventtriggers.exe, for
example)
3. Act on the alerts - identify who's making changes, and why
4. Use smart cards only for administrative logon so that there will be no
issue with passwords


--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *



"TwistedPair" <twistedpair@mail.com> wrote in message
news:O6cAN1VHIHA.1212@TK2MSFTNGP05.phx.gbl...
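A worked version of steps 1 and 2 of the reply above, as an added example that is not part of the thread. It assumes a current Windows Server domain with the RSAT ActiveDirectory module, a group named Finance-Share and a throwaway account audit.canary (both hypothetical), and an alert script at C:\Scripts\Alert-GroupChange.ps1 that you would write yourself. schtasks /SC ONEVENT stands in for the eventtriggers.exe the reply names, since that tool shipped only with Windows XP and Server 2003. Two checks the thread does not mention are included because they are the ones that would settle the question: querying every DC's Security log, since a change is audited only on the DC that processed it, and repadmin /showobjmeta, whose replication metadata records the originating DC and time for each member link even when auditing was off.

```powershell
# Added example, not code from the thread. Assumed names: group 'Finance-Share',
# throwaway account 'audit.canary', alert script C:\Scripts\Alert-GroupChange.ps1.
# Needs the RSAT ActiveDirectory module and rights to read every DC's Security log.
Import-Module ActiveDirectory

$Group  = 'Finance-Share'   # assumption
$Canary = 'audit.canary'    # assumption: a test account, not a real user
$Since  = (Get-Date).AddDays(-7)

# Member added / removed, for security-enabled global, local and universal groups.
# (Windows Server 2003 used the old 3-digit IDs instead, e.g. 632/633 for global groups.)
$AddIds    = 4728, 4732, 4756
$RemoveIds = 4729, 4733, 4757

# Step 1a: is the relevant audit subcategory even enabled? Silence means nothing otherwise.
auditpol /get /subcategory:"Security Group Management"

# Step 1b: make a known change, then go looking for its audit record.
Add-ADGroupMember    -Identity $Group -Members $Canary
Remove-ADGroupMember -Identity $Group -Members $Canary -Confirm:$false
Start-Sleep -Seconds 5

# A membership change is audited only on the DC that processed the write,
# so every DC must be queried, not just the one you happen to be logged on to.
$DCs = (Get-ADDomainController -Filter *).HostName

$Events = foreach ($dc in $DCs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = ($AddIds + $RemoveIds); StartTime = $Since
    } | ForEach-Object {
        # Read the named EventData fields from the XML rather than relying on positional indexes.
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        $action = if ($RemoveIds -contains $_.Id) { 'REMOVED' } else { 'ADDED' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            DC     = $dc
            Action = $action
            Group  = $data['TargetUserName']
            Member = $data['MemberName']
            Actor  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}
$Events | Sort-Object Time | Format-Table -AutoSize

# If the canary's REMOVED event is missing here, auditing is broken (or the log was
# cleared: event 1102 records that), and nothing can be concluded from earlier silence.
foreach ($dc in $DCs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } |
        Select-Object @{ n = 'DC'; e = { $dc } }, TimeCreated, Message
}

# Independent of the event log: replication metadata records, for every value of
# the member attribute, which DC originated the last change and when. An ABSENT
# link is a removed member. This exists even for periods when auditing was off.
$GroupDN = (Get-ADGroup -Identity $Group).DistinguishedName
repadmin /showobjmeta $DCs[0] $GroupDN

# Step 2: alert on future removals. schtasks /SC ONEVENT replaces eventtriggers.exe
# on Vista/2008 and later; register it on each DC because each DC keeps its own log.
$XPath = "*[System[(EventID=4729 or EventID=4733 or EventID=4757)]]"
foreach ($dc in $DCs) {
    schtasks /Create /F /S $dc /RU SYSTEM /TN 'Alert-GroupRemoval' /SC ONEVENT /EC Security `
        /MO $XPath /TR 'powershell.exe -NonInteractive -File C:\Scripts\Alert-GroupChange.ps1'
}
```

Run the script from a workstation with RSAT as a domain admin. The showobjmeta output is the part to read first for the original incident: the originating DSA and timestamp on the ABSENT member link tell you which DC to pull logs from and when the removal happened, which narrows the search from "no record anywhere" to one DC and one minute.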
 

TwistedPair

Good info, thank you!

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:O8hO1dmHIHA.824@TK2MSFTNGP02.phx.gbl...
 