Finding where the domain admin account is in use

It’s bound to happen. Too many people become aware of the domain administrator password, and then it becomes used all over the place for bad – *bad* things. So, how do you find out where it’s being used? Here is a good start.

On each domain controller in the site (or domain if you want to go that wide) save the security log to an EVTX file. Be sure to take a look at how much information is contained in there. Your logs may roll over so quickly that it may contain less than a day, so this may need to be ran several times over a weeks period of time to catch it all.

Once you have that done, download and install Log Parser Studio from Microsoft. Run this, and create a new query. In the query field, replace whatever is there (if anything) with this:


SELECT
timegenerated,
EXTRACT_TOKEN(Strings,6,'|') AS Domain,
RESOLVE_SID(EXTRACT_TOKEN(Strings,0,'|')) AS User,
EXTRACT_TOKEN(Strings,3,'|') AS SessionName,
RESOLVE_SID(EXTRACT_TOKEN(Strings,4,'|')) AS UserName,
EXTRACT_TOKEN(Strings,18,'|') AS ClientAddress,
EventID
FROM 'c:\temp\logname.evtx'
WHERE EventID=4624 AND UserName='domain\Administrator' /* xp/2003 = 682 */
ORDER BY timegenerated

The result is Log Parser Studio going through each of these logs that you specify in your own path above, and combing out only the results for the Administrator account. Much easier than doing it yourself! Do this for each log from the domain controllers that you have collected.

Now, seek and destroy where the account is being used!

Leave a Reply

Your email address will not be published. Required fields are marked *