Malware at the Domain Controller

The Network: A major nonprofit organization that supplements its team with EventTracker SIEMphonic, our co-managed security solution.

The Expectation: Robust, up-to-date prevention mechanisms (anti-virus, next-gen firewall, proxy) thwart most common attacks, but since perfect protection is not practical, monitoring is also necessary. Domain controllers are critical systems in any environment and should be protected at all times, with an availability SLA of 100% uptime.

The Catch: EventTracker analysts observed multiple processes executing on a critical domain controller from executables located in multiple users’ profile paths. All of the process activity was observed within 12 minutes on a single day, and the processes were loaded by AgentMon.exe, a legitimate Kaseya process.

The Find: Through analysis, the EventTracker team determined that the processes were malicious (Tor Browser, adware, Trojan and riskware processes), i.e. activity related to TOR, potentially unwanted programs (PUP) and Trojans.
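The detection described above comes down to one question that can be asked of process-creation telemetry: on a domain controller, which processes are running from executables under a user profile path, and which parent process launched them in a short burst? The following is an added example illustrating that check; it is not EventTracker's own rule or code. The records are constructed here in the shape of Windows Security event 4688 fields (new process name, parent process name, creation time); the host name, user names, file paths, timestamps and the 15-minute burst window are all assumptions made for the example.

```python
"""Flag process-creation events on a domain controller whose executable lives
under a user profile path, then group the hits by parent process.

Added example, not EventTracker's own logic. All sample data below is
constructed (not real log data).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on event 4688 fields. The first three
# mimic the case above: one legitimate management agent (assumed path)
# spawning several executables out of user profile directories in a short
# burst; the last two are benign-looking controls.
SAMPLE_EVENTS = [
    {"host": "DC01", "time": "2019-03-05T09:01:10",
     "parent": r"C:\Program Files\Kaseya\AgentMon.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\tor-browser\firefox.exe"},
    {"host": "DC01", "time": "2019-03-05T09:04:32",
     "parent": r"C:\Program Files\Kaseya\AgentMon.exe",
     "image": r"C:\Users\asmith\AppData\Roaming\updater.exe"},
    {"host": "DC01", "time": "2019-03-05T09:12:05",
     "parent": r"C:\Program Files\Kaseya\AgentMon.exe",
     "image": r"C:\Users\jdoe\Downloads\setup_helper.exe"},
    {"host": "DC01", "time": "2019-03-05T09:13:00",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "DC01", "time": "2019-03-05T14:00:00",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\admin\Desktop\notes.exe"},
]

# Executables under <drive>:\Users\<name>\... should essentially never run on
# a domain controller; that location is the anomaly this check keys on.
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)


def is_user_profile_path(image_path: str) -> bool:
    """True if the executable path sits inside a user profile directory."""
    return bool(USER_PROFILE_RE.match(image_path))


def flag_profile_path_processes(events, hosts=None):
    """Return the events whose image path is under a user profile, optionally
    restricted to the given host names (e.g. the set of domain controllers)."""
    hits = []
    for ev in events:
        if hosts is not None and ev["host"] not in hosts:
            continue
        if is_user_profile_path(ev["image"]):
            hits.append(ev)
    return hits


def cluster_by_parent(hits, window=timedelta(minutes=15)):
    """Group flagged events by parent process and, per parent, report the burst
    of events that starts at the earliest one and fits inside `window`.
    One parent spawning several profile-path executables within minutes is the
    pattern an analyst would escalate first."""
    by_parent = defaultdict(list)
    for ev in hits:
        by_parent[ev["parent"]].append(ev)
    report = {}
    for parent, evs in by_parent.items():
        evs.sort(key=lambda e: e["time"])
        first = datetime.fromisoformat(evs[0]["time"])
        burst = [e for e in evs
                 if datetime.fromisoformat(e["time"]) - first <= window]
        last = datetime.fromisoformat(burst[-1]["time"])
        report[parent] = {
            "count": len(burst),
            "span_minutes": (last - first).total_seconds() / 60,
            "images": [e["image"] for e in burst],
        }
    return report


if __name__ == "__main__":
    hits = flag_profile_path_processes(SAMPLE_EVENTS, hosts={"DC01"})
    for parent, info in cluster_by_parent(hits).items():
        print(f"{parent}: {info['count']} profile-path process(es) "
              f"within {info['span_minutes']:.0f} min")
        for img in info["images"]:
            print("    ", img)
```

Restricting the host filter to the domain controllers is what keeps the signal clean: a user-profile executable on a workstation is routine, but the same path on a DC, launched by a management agent that normally runs only its own binaries, is worth a ticket on its own. Grouping by parent also shows why an otherwise legitimate tool appearing as the parent is a reason to look harder rather than to dismiss the alert.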

The Fix: The analyst immediately notified the customer, who quickly removed these malicious programs from the critical domain controller. The EventTracker team further recommended that the customer scan the domain controller post-removal with anti-virus/anti-malware software before placing it back on the network. The customer confirmed that they followed the recommendations and got the domain controller back on the network. Had it not been cleaned up, the customer could have faced a business outage.

The Lesson: Anti-virus will not stop all attacks, but it should still be updated in a timely manner and run with scheduled scans. Because the customer sent their anti-virus logs to EventTracker, our analysts were able to analyze the logs and discover the attack. Also make sure users are restricted to the correct privileges.