Hi

Two of my Windows 2008 R2 servers are compromised as follows

Server 1- Domain administrator is removed from Remote Desktop Users group hence no access is allowed through RDP. When domain administrator logs in locally  cannot add  himself to local administrators group hence we shut the system down

Server 2- Domain administrator can log in and manage system but 3 local administrator accounts are added to the group. One account is same as on Server 1. Since this is a production server and manageable I have disabled all foreign accounts leave it in production.

If possible:

I would be very grateful if you can tell me how to trace when those accounts are created I dont think it is virus can do this if it can why not jump to other servers I say.

Many thanks in advance,

Hi,

As local account, you can open C:\Users folder and right click the local user account folder to check the created time. 

As domain account, we can use PowerShell commend, or related scripts.

I am not an expert on PowerShell/script, so, below links just for your reference:
How Can I Tell On What Date an Active Directory User Account Was Created?
http://blogs.technet.com/b/heyscriptingguy/archive/2005/01/06/how-can-i-tell-on-what-date-an-active-directory-user-account-was-created.aspx

Reports of Active Directory" User Account Those are Newly Created within a Week
https://gallery.technet.microsoft.com/scriptcenter/Find-Active-Directory-26b71b73

Use PowerShell to Audit Active Directory User Account Creation
http://blogs.technet.com/b/heyscriptingguy/archive/2011/12/23/use-powershell-to-audit-active-directory-user-account-creation.aspx

Best Regards,
Eve Wang

Dear Eve Wang

I will follow above give you an update soon.

Many thanks,

Hal

Hi,

It my pleasure. 

Please let me know if you have any questions or concerns. I look forward to hearing from you.

Best Regards,
Eve Wang