← Back

Bogus Account Creation as a Backdoor

The Network: A financial firm headquartered in the U.S. East Coast with several hundred servers and workstations.

The Expectation: Temporary staff are needed to handle a surge of work in the IT Department. Such “experts” can be brought on as needed basis for short periods of time and for specific tasks.

The Catch: EventTracker detected the creation of a new account called hqbkp2. The naming convention follows the pattern for accounts used for backup. However this account permits interactive login.

The Find: A contract employee hired by the IT Department and provided Administrator privileges had created this account to serve as a backdoor in case the account he had been provided was disabled or the password reset when his contract expired. This person wanted to maintain access to the network.

The Fix: Remove the account hqbkp2. Look for other administrative action performed by the contract employee for evidence of improper behavior.

The Lesson: Active Directory is a favorite target for insider attacks. Organizations use Active Directory to provide authentication and authorization for employees, contractors, partners and customers. Careful scrutiny of changes made to Active Directory is essential.

Back to All Catches