The Network: A financial firm headquartered in the U.S. East Coast with several hundred servers and workstations.
The Expectation: Temporary staff are needed to handle a surge of work in the IT Department. Such “experts” can be brought on an as-needed basis for short periods and for specific tasks.
The Catch: EventTracker detected the creation of a new account called hqbkp2. The naming convention follows the pattern for accounts used for backup. However, this account permits interactive login.
The Find: A contract employee, hired by the IT Department and given Administrator privileges, had created this account to serve as a backdoor in case the account he had been provided was disabled or its password reset when his contract expired. This person wanted to maintain access to the network.
The Fix: Remove the account hqbkp2. Look for other administrative actions performed by the contract employee for evidence of improper behavior.
The Lesson: Active Directory is a favorite target for insider attacks. Organizations use Active Directory to provide authentication and authorization for employees, contractors, partners and customers. Careful scrutiny of changes made to Active Directory is essential.
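The detection described in The Catch, and the follow-up review from The Fix, as an added example (not EventTracker's own logic or code from the original write-up): a small rule that reads account-creation events, flags any new account whose name follows the backup-account naming convention but which is allowed to log on interactively, and then lists everything else the same creator did. The naming pattern, the field names, the `interactive_logon` attribute (assumed to be resolved from the account's logon rights) and the sample events are all constructed for this example; the Windows Security event IDs 4720 and 4732 are standard values.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumption: backup service accounts at this site are named as a short site
# prefix followed by "bkp" and an optional number (so hqbkp2 matches).
BACKUP_NAME_PATTERN = re.compile(r"^[a-z]{2,5}bkp\d*$")

# Windows Security log event IDs (standard values, not from the write-up).
EVENT_ACCOUNT_CREATED = 4720            # A user account was created
EVENT_LOCAL_GROUP_MEMBER_ADDED = 4732   # A member was added to a security-enabled local group


@dataclass
class DirectoryEvent:
    event_id: int
    subject: str                      # account that performed the action
    target: str                       # account the action was performed on
    interactive_logon: bool = False   # assumption: resolved from the target's logon rights
    detail: str = ""


def is_backup_style_name(name: str) -> bool:
    """True when the account name follows the backup-account naming convention."""
    return BACKUP_NAME_PATTERN.match(name.lower()) is not None


def find_backdoor_candidates(events: List[DirectoryEvent]) -> List[str]:
    """Names of newly created accounts that look like backup accounts but are
    allowed to log on interactively. A backup account normally needs only
    service or batch logon rights, so interactive logon is the tell."""
    return [
        ev.target
        for ev in events
        if ev.event_id == EVENT_ACCOUNT_CREATED
        and is_backup_style_name(ev.target)
        and ev.interactive_logon
    ]


def actions_by(events: List[DirectoryEvent], subject: str) -> List[DirectoryEvent]:
    """Every directory change performed by one account, for reviewing what
    else the same person did (the follow-up step in The Fix)."""
    return [ev for ev in events if ev.subject.lower() == subject.lower()]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    DirectoryEvent(4720, "svc_backupadmin", "hqbkp1", interactive_logon=False,
                   detail="legitimate backup account, service logon only"),
    DirectoryEvent(4720, "contractor01", "hqbkp2", interactive_logon=True,
                   detail="backup-style name but interactive logon allowed"),
    DirectoryEvent(4732, "contractor01", "hqbkp2",
                   detail="added to the local Administrators group"),
    DirectoryEvent(4720, "hr_admin", "jsmith", interactive_logon=True,
                   detail="ordinary user account"),
]

if __name__ == "__main__":
    for name in find_backdoor_candidates(SAMPLE_EVENTS):
        print(f"ALERT: {name} matches the backup naming convention but permits interactive logon")
        creator = next(ev.subject for ev in SAMPLE_EVENTS
                       if ev.event_id == EVENT_ACCOUNT_CREATED and ev.target == name)
        for ev in actions_by(SAMPLE_EVENTS, creator):
            print(f"  review {creator}: event {ev.event_id} on {ev.target}: {ev.detail}")
```

On the sample data only hqbkp2 is flagged: hqbkp1 matches the naming convention but has no interactive logon right, and jsmith allows interactive logon but is not a backup-style name. The review step then surfaces the creator's other change, adding hqbkp2 to a privileged group, which is the kind of additional administrative action The Fix says to look for.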