Recently a client’s desktop was compromised with what we believe was an attempted Emotet malware attack. We found a trojan password stealer during remediation. The computer was taken offline, completely reimaged, well tested, data scrubbed, then introduced back into the network. Everything appears to be well, but we’re obviously watching over the network closely.
So, on to my question. The compromised computer displayed something I’d never witnessed before. When I added users to the Domain Admin group on the local computer, the names resolved in Active Directory, the line appeared underneath them, and everything appeared normal up to this point. When I hit “Ok”, closed out of Local Users and Groups, and went back in, the names had the SID displaying behind them like in the below image. I’ve never seen this behavior before. I’ve seen SIDs alone after an account was disabled or removed, but can’t say I’ve seen an account resolve and come back with both the name and SID.
Trying to gather as much information as possible regarding this attack. Remediation went well, but my experience tells me the attackers are still going to make every attempt to get back in, especially if they feel they got a foot in the door. So, I’m gathering as much information as possible for educational purposes and preparation for future attacks.
Has anyone seen this type of behavior before? Is it weird timing, meaning there was an attack at the same time this computer began showing this behavior?
Or, and our thinking is more like this, was this an attempt to take control of my client’s computer, brute-forcing their way into their computer? Is this what a brute-force attack looks like in Local Users and Groups?
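One defensive check for the symptom described in the post is to audit the local Administrators group from PowerShell and see whether each member's SID still resolves to an account, rather than trusting what the Local Users and Groups snap-in renders. The script below is an added example, not code from the original post; it assumes a Windows 10 / Server 2016 or newer host where the `Microsoft.PowerShell.LocalAccounts` module (`Get-LocalGroupMember`) is available, and the group name `Administrators` is a placeholder for whichever local group you are reviewing.

```powershell
# Audit a local group: for every member, try to translate its SID back to
# an account name and report whether it resolves, so orphaned or foreign SIDs
# stand out. Added example; the group name is an assumption to adjust.
param([string]$GroupName = 'Administrators')

function Resolve-MemberSid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try {
        # Translate() asks the local LSA / domain to map SID -> DOMAIN\name.
        return $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Unmapped SID: deleted account, unreachable domain, or never valid here.
        return $null
    }
}

$report = foreach ($member in Get-LocalGroupMember -Group $GroupName) {
    $resolved = Resolve-MemberSid -Sid $member.SID
    [pscustomobject]@{
        DisplayedName   = $member.Name          # what the snap-in shows
        SID             = $member.SID.Value
        PrincipalSource = $member.PrincipalSource  # Local / ActiveDirectory / MicrosoftAccount
        ResolvesTo      = if ($resolved) { $resolved } else { '<UNRESOLVED>' }
        # A name that is shown but whose SID no longer maps is worth a closer look.
        Suspicious      = (-not $resolved) -or ($member.SID.Value -match '^S-1-5-21-.*-5\d\d$')
    }
}

$report | Format-Table -AutoSize

# Summarise so the output can be compared against a known-good baseline export.
$flagged = @($report | Where-Object Suspicious)
"Members: $($report.Count)  Flagged: $($flagged.Count)"
```

Run it once on a known-clean machine and keep the output as a baseline; the `Suspicious` column also flags well-known-RID accounts (for example RID 500, the built-in Administrator) so a renamed or re-added built-in account is not overlooked during comparison.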