
Was I hacked? (Lost domain trust and local admin access has been disabled)


OK, so I work in a domain environment and one of my machines has somehow lost its domain trust relationship.

I attempted to reset the account in AD and had no luck, so then I think, no big deal, I'll log in as a local admin and then rejoin it, right? Wrong.

I log in as the local admin account that is standard on our network when we image a machine, and somehow it is no longer part of the "Administrators" group.

So I have a few backup accounts to try... one being an admin account for our help desk and one a service account for auditing and other use.

Both of these accounts are also either not part of the local administrators group anymore or they have been disabled. 

I tried unplugging the network cable and logging in, as well as PowerShell scripts and other things from safe mode, but so far I cannot get admin-level access.

I can log in to the desktop but I'm stuck. How do you think these accounts got removed from the Administrators group, and how did the machine randomly lose domain trust?

Were we hacked? 


Have you checked the logs for anything suspicious?

Is the system reachable from somewhere outside its LAN?

By the way, which OS exactly?


The most common cause of DC trust relationships being lost is time syncing. Could be the PC's time had been changed, or the server it was grabbing time from went down for a while (or was just wrong). Daylight savings could have done that, for example, and that was only a few days ago, which makes sense because you would have encountered it at a similar time, posting here maybe a day after thinking it was a hack and going to some hacking forums to seek advice.

Although, just to be safe, I would re-image it and change DC passwords.

Can't be too careful.


I second Dave-ee on time. It has bitten me many times in an AD environment. Normally, hackers do not knock machines off the domain. They would want them to stay on the domain so they can interact with it. Of course, a script kitty knows no better. Anyway, I would re-image to be safe. Since you logged in with all your Domain Admin accounts, I would change those too, hehe.

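A defender-side triage that covers what the two replies above point at (clock skew against a domain controller, the state of the machine's secure channel, and who changed the local Administrators group), written as an added PowerShell example that is not from the thread. The DC name is a placeholder, and the event-log queries assume the default audit policy for account management was enabled before the incident.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the
# affected machine (a local account that is still in Administrators is needed for the
# event-log and group queries). $Dc is a placeholder for one of your domain controllers.
$Dc = 'DC01.example.local'   # placeholder

# 1. Time: Kerberos tolerates 5 minutes of skew by default. A larger offset makes every
#    domain logon fail with a "trust relationship" error without anything being hacked.
w32tm /query /source                                   # where this host takes time from
w32tm /stripchart /computer:$Dc /samples:3 /dataonly   # measured offset against the DC

# 2. Secure channel: checks the machine account's trust with the domain without
#    rejoining. Add "-Repair -Credential (Get-Credential)" only once the clock is right.
Test-ComputerSecureChannel -Verbose

# 3. Who is in the local Administrators group right now, and where each member comes from.
Get-LocalGroupMember -Group 'Administrators' | Format-Table Name, ObjectClass, PrincipalSource

# 4. Security log, last 14 days: members added to / removed from a local group
#    (4732 / 4733) and accounts enabled / disabled (4722 / 4725). The Message text
#    names the subject account that made the change, which separates a policy
#    engine (SYSTEM) from a human or a stolen account.
$since = (Get-Date).AddDays(-14)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733, 4722, 4725; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 5. Group Policy errors in the same window. A Restricted Groups or Group Policy
#    Preferences "Local Users and Groups" setting can legitimately overwrite the
#    Administrators membership on refresh, which is the benign path to the symptom above.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Level = 2; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If step 1 shows a large offset, correcting the clock and re-running step 2 usually restores the trust; if the 4733/4725 events carry an unexpected subject account, treat the host as compromised and re-image as the replies suggest.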

  • 2 weeks later...

Just to update the thread: you guys were right.

I spoke to the GPO team and they said that on rare occasions they have seen something in the GPO knock the machine off the domain during updates on reboot, and then the local admin accounts get wiped also. They were surprised that the Enterprise Admin account could not be activated when they tried, but I ended up having to re-image this machine to remedy the issue. Thanks to everyone who responded quickly.


Yea, it's pretty decent sized. We are under the umbrella of a company called BCG that buys up a bunch of smaller companies to leverage their ability to control the market share in that industry. The one I work for is pretty big also by itself, http://www.ngkf.com/; we have about 400 offices around the world, so yea, there is a team that manages GPO along with other things for us and our subsidiaries / partners. It becomes a huge mess though, because as you can imagine the communication and the ability to keep everyone on the same page get more and more difficult the larger you become. I myself just do general IT but would like to move into info security in the future. Just trying to wrap my head around all I've missed over the years. Love this site and their YouTube channel though. Great source of info.


  • 6 months later...
  • 9 months later...



Had something similar happen on a NAS server I needed to update once. It would update most packages from the designated repos, but once it got to the ones that were secure connections (SSL), it would fail to download them.

After some time passed and other methods were tried, all had failed. It wasn't until I read the installation notes, just trying to find anything that could have been missed and checking each one, that I noticed daylight savings time was set incorrectly, as well as the date and time. After correction, the SSL-based repos updated all packages as they were supposed to, since they could now properly verify certificates with the proper date and time.

Needless to say, we ALMOST re-imaged this box! Which may have fixed it at the time, since we probably would have set the date and time etc. upon the new install instead of excitedly clicking through things. But we would have lost a lot of time as well, since a lot of data would have been missing from the previous image saved.
