Web: https://www.reddit.com/r/computerforensics/comments/s1njgb/account_created_by_machine_account_on_compromised/

Jan. 11, 2022, 9:03 p.m. | /u/Mufassa810

Computer Forensics reddit.com

I'm trying to find out what account created another domain account on the system. I looked for the 4720 account creation. The interesting thing is that it is showing up as the domain controller's machine account name.

For context, yes, the domain controller was confirmed to be compromised and had an unauthorized version of TeamViewer installed that was being used as a backdoor. Here is an example of what the log kind of looked like. Has anyone seen this before? …
