Remediation Questions After a Failed Attack

Recently a client’s desktop was compromised with what we believe was an attempted Emotet Malware attack. We found a trojan password stealer during remediation. The computer was taken offline, completely reimaged, well tested, data scrubbed then introduced back into the network. Everything appears to be well but we’re obviously watching over the network closely.

 So, on to my question. The compromised computer displayed something I’d never witnessed before. When I added users to the Domain Admin group on the local computer, the names resolved in Active Directory, the line appeared underneath them, everything appeared normal up to this point. When I hit “Ok” closed out of Local Users and Groups and went back in the names had the SID displaying behind them like in the below image. I’ve never seen this behavior before. I’ve seen SIDs alone after an account was disabled or removed but can’t say I’ve seen an account resolve and come back with both the name and SID. 


Trying to gather as much information as possible regarding this attack. Remediation went well but my experience tells me the attackers are still going to make every attempt to get back in. Especially if they feel they got a foot in the door. So, I’m gathering as much information as possible for educational purposes and preparation for future attacks.

 Has anyone seen this type of behavior before? Is it weird timing, meaning there was an attack at the same time this computer began showing this behavior?

 Or, and our thinking is more like this, was this an attempt to take control of my client’s computer, brute-forcing their way into their computer? Is this what a bruce-force attack looks like in Local Users and Groups?

Comments

  • Alex_Dr
    Alex_Dr BD Staff

    Hello @works2020,


    In this case i would strongly suggest getting in contact with the Enterprise Support Team as additional troubleshooting needs to take place. It is a weird behavior indeed, especially since the endpoint in question has been reformated before being introduced back in the network.


    Do let me know how the contact with the Support team goes.


    All the best,

    Alex D.

  • Hi Alex, further review determined there was an issue with DNS and Active Directory. Can't say for sure what it was because others that witnessed this behavior weren't exactly sure how/why it started. Similarly though they did have security issues prior and determined that DNS/AD cache may need to be flushed out and reset.

    Research also showed that Bitdefender was paramount in analyzing, blocking, and preventing the attack from going any further, which is great news. We cleaned up our DNS cache, reset old files, etc, and did the same with SID's in Active Directory and this no longer happens.

    Appreciate the follow-up, hope this finds you well.