Hak5 Forums
OutkastN8

Was I hacked? (Lost domain trust and local admin access has been disabled)

Recommended Posts

OK, so I work in a domain environment and one of my machines has somehow lost its domain trust relationship.

I attempted to reset the account in AD and no luck, so then I think, no big deal, I'll log in as a local admin and then rejoin it, right? Wrong.

I log in as the local admin account that is standard on our network when we image a machine and somehow it is no longer part of the group "administrators."

So I have a few backup accounts to try, one being an admin account for our help desk and one service account for auditing and other uses.

Both of these accounts are also either not part of the local administrators group anymore or they have been disabled. 

I tried unplugging the network cable and logging in, as well as PowerShell scripts and other things from safe mode, but so far cannot get admin-level access.

I can log in to the desktop but I'm stuck. How do you think these accounts got removed from the administrators group, and how did the machine randomly lose domain trust?

Were we hacked? 


Have you checked the logs for anything suspicious?

Is the system reachable from somewhere outside its LAN?

By the way, which OS exactly?


If it's just one machine, I'd just reimage it and change the domain admin passwords. Could be a virus, could just be Windows being Windows.


The most common cause of DC trust relationships being lost is time syncing. Could be the PC's time had been changed, or the server it was grabbing time from went down for a while (or was just wrong). Daylight savings could have done that, for example, and that was only a few days ago, which makes sense because you would have encountered it at a similar time, posting here maybe a day after thinking it was a hack and going to some hacking forums to seek advice.

Although, just to be safe I would re-image it and change DC passwords.

Can't be too careful.


I second Dave-ee on time. It has bitten me many times in an AD environment. Normally, hackers do not knock machines off the domain. They would want them to stay on the domain so they can interact with it. Of course a script kitty knows no better. Anyway, I would reimage to be safe. Since you logged in with all your Domain Admin accounts, I would change those too, hehe.

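A defender's triage for the symptoms discussed in the posts above (broken trust, accounts dropped from local Administrators, and the time-sync explanation), written here as an added example and not code from the thread or its posters. It checks the secure channel, clock skew against a DC, who is still in local Administrators (with a fallback for the unresolvable-SID failure that breaks Get-LocalGroupMember on a machine whose trust is gone), and the Security/System events that show whether a change was made by a logged-on account, a policy run, or a time-service failure. It assumes an elevated PowerShell session on the affected Windows 10 / Server 2016 or later member machine and that a DC name is discoverable through Win32_NTDomain.

```powershell
# Added triage script (not from the thread). Assumes an elevated session on the affected
# domain member; account-management auditing is on by default, so 47xx events exist.
$report = [ordered]@{}

# 1. Secure channel: $false means the machine-account password no longer matches AD
#    (the "lost trust relationship" symptom). Requires elevation.
try   { $report.SecureChannel = Test-ComputerSecureChannel }
catch { $report.SecureChannel = "unavailable: $($_.Exception.Message)" }

# 2. Clock skew against a DC. Kerberos rejects requests beyond 5 minutes of skew by
#    default, which is the time-sync failure mode the replies describe.
$dc = (Get-CimInstance Win32_NTDomain -ErrorAction SilentlyContinue |
       Where-Object DomainControllerName | Select-Object -First 1).DomainControllerName -replace '^\\\\', ''
if ($dc) {
    $sample = (w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>$null) | Select-Object -Last 1
    if ($sample -match '([+-]\d+\.\d+)s') {
        $report.ClockOffsetSeconds = [double]$Matches[1]
        $report.ClockSkewTooLarge  = [math]::Abs($report.ClockOffsetSeconds) -gt 300
    }
}

# 3. Who is left in local Administrators. Get-LocalGroupMember throws when a domain SID
#    cannot be resolved (exactly the broken-trust case), so fall back to the ADSI WinNT provider.
try   { $report.LocalAdmins = @((Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name) }
catch {
    $grp = [ADSI]'WinNT://./Administrators,group'
    $report.LocalAdmins = @($grp.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
}

# 4. Security events that record who changed what: 4732/4733 = member added to/removed from
#    a local group, 4725/4726 = account disabled/deleted, 4740 = lockout. "Subject" is the actor;
#    SYSTEM during a reboot points at policy, a named user or unknown account at a person.
$sec = @{ LogName = 'Security'; Id = 4732, 4733, 4725, 4726, 4740; StartTime = (Get-Date).AddDays(-14) }
$report.AccountChanges = Get-WinEvent -FilterHashtable $sec -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Summary = ($_.Message -split "`r?`n")[0]
        Actor   = if ($_.Message -match '(?s)Subject:.*?Account Name:\s*(\S+)') { $Matches[1] } else { '?' }
    }
}

# 5. System-log evidence of a benign cause: NETLOGON 3210/5719 (could not authenticate to /
#    set up a secure session with a DC) and W32Time 36/47/129 (time source failures).
$sys = @{ LogName = 'System'; ProviderName = 'NETLOGON', 'Microsoft-Windows-Time-Service'; StartTime = (Get-Date).AddDays(-14) }
$report.TrustAndTimeErrors = Get-WinEvent -FilterHashtable $sys -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 3210, 5719, 36, 47, 129 } | Select-Object TimeCreated, ProviderName, Id

$report
```

If the script itself cannot be run because no remaining account is elevated, the same event IDs can be pulled from a forwarded-log collector or, after reimaging, from a copy of the original Security.evtx taken before the wipe.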
8 hours ago, PoSHMagiC0de said:

Normally, hackers do not knock machines off the domain.

Really? I thought that hackers were supposed to be as noisy as possible when infiltrating a network! :tongue:


Just to update the thread: you guys were right.

I spoke to the GPO team and they said on rare occasions they have seen something in the GPO knock the machine off the domain during updates on reboot, and then the local admin accounts get wiped also. They were surprised that the Enterprise admin account could not be activated when they tried, but I ended up having to re-image this machine to remedy the issue. Thanks to everyone who responded quickly.


Yeah, it's pretty decent sized. We are under the umbrella of a company called BCG that buys up a bunch of smaller companies to leverage their ability to control the market share in that industry. The one I work for is pretty big also by itself, http://www.ngkf.com/ ; we have about 400 offices around the world, so yeah, there is a team that manages GPO along with other things for us and our subsidiaries / partners. It becomes a huge mess though, because as you can imagine the communication and ability to keep everyone on the same page gets more and more difficult the larger you become. I myself just do general IT but would like to move into info security in the future. Just trying to wrap my head around all I've missed over the years. Love this site and their YouTube channel though. Great source of info.
