Active Directory Rogue Account Detection

Using Active Directory Users and Computers to find malicious accounts disguised as legitimate accounts.

Relevance

Last Review: February 3, 2021

Product(s): Windows Server

Author(s): Matt Born

Delta

A cyberist created this article using the patented Delta Method by modernizing a typical approach.

Summary

An attacker who gains control of an administrative account will typically create new accounts, or grant additional permissions to existing accounts they control, so that they keep access (a backdoor) even after the original foothold is closed.

These backdoor accounts are often disguised as legitimate ones, copying the organization's naming standards: for example a near-duplicate of a real user's name, or an account named after a service that does not exist.

Requirements

  • Domain Administrator credentials.
  • A current list of the authorized users (and of the authorized administrators) in your organization, so every account found can be checked against it.
  • Microsoft recommends limiting Domain Administrator accounts to a minimum of 2 and no more than 5; treat any membership beyond that as something that has to be justified.
  • Service accounts should log on with Domain User accounts granted only the permissions they need, NOT with Domain Admin membership.
  • Estimated time for completion is 30 minutes.

Steps

  1. Open Active Directory Users and Computers (dsa.msc) on a Domain Controller, or on a management workstation with the RSAT Active Directory tools installed, connecting over Remote Desktop Services if needed.
  2. Right-click the domain and click ‘Find...’.
  3. Leave the ‘Name’ and ‘Description’ fields blank and click ‘Find Now’. With the default search type (‘Users, Contacts, and Groups’) this lists every user, contact, and group object in the domain.
  4. Sort the results by Name, because the first thing to look for is imposter accounts: names that are near-duplicates of real users (an extra digit, a swapped letter, an added dot) or that mimic a service account.
  5. Open the Administrators group, click the Members tab, and review each member; do the same for Domain Admins and Enterprise Admins (and Schema Admins, in the forest root domain). Remove any member that is not an approved administrator. Keep in mind that the Members tab shows direct members only, so membership inherited through a nested group has to be checked by opening that group as well, and record what you remove before removing it so the change can be reverted if the account turns out to be legitimate.
  6. Verify that every account on the list belongs to a known, authorized user. Accounts that do not correspond to a real person (and are not documented service accounts), and duplicates of existing users, indicate a potential imposter account.
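The same review can be scripted so it is repeatable and can be run on a schedule rather than by eye. The following PowerShell is an added example, not part of the original article; it runs from a host with the RSAT ActiveDirectory module against the current domain. The authorized-user CSV (`.\authorized-users.csv` with a `SamAccountName` column), the 90-day "new account" window, the approved-admin names and the group list are assumptions for illustration. It goes slightly beyond the manual steps by resolving nested group membership (`-Recursive`), which the ADUC Members tab does not do.

```powershell
# Added example (not from the original article). Requires the RSAT
# ActiveDirectory module; file names, windows and group lists are assumptions.
Import-Module ActiveDirectory

# Step 3 equivalent: every enabled user object, with the attributes worth reviewing.
function Get-UserInventory {
    Get-ADUser -Filter 'Enabled -eq $true' -Properties whenCreated, Description, LastLogonDate, adminCount |
        Select-Object SamAccountName, Name, Description, whenCreated, LastLogonDate, adminCount, DistinguishedName
}

# Step 6 equivalent: accounts not on the organization's authorized-user list,
# plus two indicators worth a second look (recently created, protected-group history).
# The list is assumed to be a CSV with a SamAccountName column.
function Find-UnauthorizedUsers {
    param(
        [Parameter(Mandatory)] [string] $AuthorizedListPath,
        [int] $NewAccountDays = 90
    )
    $authorized = @{}
    Import-Csv $AuthorizedListPath | ForEach-Object { $authorized[$_.SamAccountName.ToLower()] = $true }
    $cutoff = (Get-Date).AddDays(-$NewAccountDays)
    foreach ($u in Get-UserInventory) {
        $reasons = @()
        if (-not $authorized.ContainsKey($u.SamAccountName.ToLower())) { $reasons += 'not on authorized list' }
        if ($u.whenCreated -gt $cutoff) { $reasons += "created within $NewAccountDays days" }
        if ($u.adminCount -eq 1) { $reasons += 'adminCount=1 (is or was a protected-group member)' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; Created = $u.whenCreated; Reasons = ($reasons -join '; ') }
        }
    }
}

# Step 4 equivalent: near-duplicate names such as "jsmith" / "jsmith1" / "j.smith".
# Normalize by lower-casing, dropping non-alphanumerics and trailing digits, then group.
function Find-LookalikeAccounts {
    Get-UserInventory |
        Select-Object *, @{ n = 'Key'; e = { ($_.SamAccountName.ToLower() -replace '[^a-z0-9]', '') -replace '\d+$', '' } } |
        Group-Object Key |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{ Key = $_.Name; Accounts = ($_.Group.SamAccountName -join ', ') }
        }
}

# Step 5 equivalent: privileged-group members, resolved through nesting, that are
# not on the approved administrator list. Enterprise/Schema Admins exist only in the
# forest root domain, so run this there (or drop them from the list).
function Find-UnexpectedPrivilegedMembers {
    param(
        [string[]] $Groups = @('Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'),
        [string[]] $ApprovedAdmins = @()
    )
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' -and ($ApprovedAdmins -notcontains $_.SamAccountName) } |
            ForEach-Object {
                [pscustomobject]@{ Group = $g; SamAccountName = $_.SamAccountName; DistinguishedName = $_.distinguishedName }
            }
    }
}

# Usage (assumed file name and admin names). Review the output, then disable,
# never delete, anything suspicious before investigating.
Find-UnauthorizedUsers -AuthorizedListPath .\authorized-users.csv | Format-Table -AutoSize
Find-LookalikeAccounts | Format-Table -AutoSize
Find-UnexpectedPrivilegedMembers -ApprovedAdmins 'admin-alice', 'admin-bob' | Format-Table -AutoSize
# Disable-ADAccount -Identity <SamAccountName>    # only after review
```

The lookalike check is deliberately simple (it catches appended digits and punctuation, not homoglyphs), so it complements rather than replaces the sorted manual pass in step 4. Treat `adminCount=1` as a hint only: it is set when an account is in a protected group and is not cleared on removal, so it also surfaces former administrators.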

Follow-up

Disable (do not delete) any suspicious account and investigate its legitimacy. Disabling preserves the object, its SID, and its attributes for the investigation and can be reverted if the account turns out to be authorized.

Refer to Microsoft’s official guidance on monitoring Active Directory for signs of compromise (part of “Best Practices for Securing Active Directory”) to institute ongoing monitoring that further reduces exposure to this attack path: for example, alerting on changes to privileged group membership through Windows security events 4728, 4732, and 4756, which record a member being added to a security-enabled global, local, or universal group.