Account created by machine account on compromised domain controller?
I'm trying to find out what account created another domain account on the system. I looked for the 4720 account creation. The interesting thing is that it is showing up as the domain controller's machine account name.
For context, yes, the domain controller was confirmed to be compromised and had an unauthorized version of TeamViewer installed that was being used as a backdoor. Here is an example of what the log kind of looked like. Has anyone seen this before? …