I like Change Auditor from Netpro.

Regards,

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
My blog: http://TheEssentialExchange.com/blogs/michael
Link with me at: http://www.linkedin.com/in/theessentialexchange

From: Clubber Lang [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 30, 2008 5:54 PM
To: NT System Admin Issues
Subject: Re: Unknown account created and added to local admins group

I'd like to be able to proactively watch for these events in the security logs of about 50 computers in one domain. This product looks good: http://www.eventlogxp.com/ Can anyone recommend it or a competitor?

On Thu, Oct 30, 2008 at 4:59 AM, Ziots, Edward <[EMAIL PROTECTED]> wrote:

I agree, but rootkits can hide the true intention of what is going on in the system and subvert anything you are seeing in the GUI or logs, and it's going to be pretty hard to tell what is legit and what isn't when you have a kernel rootkit on your system. Albeit there might be a few tell-tale signs. If it's been compromised, incident response measures should be put in place: the system quarantined, wiped and rebuilt from trusted media.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505

-----Original Message-----
From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2008 7:46 PM
To: NT System Admin Issues
Subject: RE: Unknown account created and added to local admins group

Let's not get carried away with talk of a "rootkit" here. It could be a compromise. But rootkits are there to change the behaviour of the Windows kernel (hence "root" kit). For all we know, this is just a process running as LocalSystem (e.g. any number of services) that performed the changes. Still looks like a compromise.

Cheers
Ken

> -----Original Message-----
> From: Phil Brutsche [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 30 October 2008 6:17 AM
> To: NT System Admin Issues
> Subject: Re: Unknown account created and added to local admins group
>
> I bet that's what the event log would look like if a rootkit running as
> SYSTEM added local administrator accounts...
>
> Clubber Lang wrote:
> > Thanks, James. Yeah, the user was the same for all events: NT AUTHORITY\SYSTEM
> >
> > 624 - User Account Created - 9:19:13 AM
> > 626 - User Account Enabled - 9:19:13 AM
> > 642 - User Account Changed - 9:19:13 AM
> > 628 - User Account Password Set - 9:19:13 AM
> > 636 - Security Enabled Local Group Member Added - 9:19:14 AM
> > 637 - Security Enabled Local Group Member Removed - 9:21:28 AM
> > 633 - Security Enabled Global Group Member Removed - 9:21:28 AM
> > 630 - User Account Deleted - 9:21:28 AM
>
> --
> Phil Brutsche
> [EMAIL PROTECTED]

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
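The thread asks how to watch the Security logs of about 50 machines for the sequence Clubber posted (account created, then added to a local group, all as NT AUTHORITY\SYSTEM). Below is an added example, not code from anyone in the thread and not a substitute for the products discussed (Event Log Explorer, Change Auditor): a PowerShell poll that pulls the relevant events from each listed computer and flags a creation followed within two minutes by a local-group member add. The host names SERVER01/SERVER02, the 120-second window and the CSV path are assumptions; the script assumes the running account can read remote Security logs. The 624/636/630 IDs are the Windows 2000/XP/2003 ones from Clubber's list; Vista/2008 and later log the same events as 4720/4732/4726 (legacy ID + 4096), so both sets are watched.

```powershell
# Added example, not from the thread. Polls the Security log on a list of
# computers for account-creation / local-group-change events and flags a
# "create, then add to local group" pair on the same host inside a short window.
# Assumptions: hypothetical host names; the caller can read remote Security
# logs (Event Log service reachable, firewall exceptions open).
param(
    [string[]]$Computers = @('SERVER01', 'SERVER02'),          # hypothetical
    [int]$LookbackMinutes = 60,
    [int]$PairWindowSeconds = 120,                              # assumption
    [string]$Report = "$env:TEMP\admin-group-watch.csv"         # assumption
)

# Legacy (2000/XP/2003) IDs as in the thread, plus their Vista/2008+ equivalents.
$WatchIds = @{
    624  = 'User Account Created'
    636  = 'Security Enabled Local Group Member Added'
    630  = 'User Account Deleted'
    4720 = 'User Account Created'
    4732 = 'Member Added To Security-Enabled Local Group'
    4726 = 'User Account Deleted'
}
$CreatedIds = @(624, 4720)
$AddedIds   = @(636, 4732)

$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# Collect matching events from every host; -InstanceId filters on the remote side.
$hits = foreach ($c in $Computers) {
    try {
        Get-EventLog -ComputerName $c -LogName Security -After $since `
                     -InstanceId ([int[]]$WatchIds.Keys) -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $c
                Time     = $_.TimeGenerated
                EventId  = [int]$_.InstanceId
                What     = $WatchIds[[int]$_.InstanceId]
                Actor    = $_.UserName                        # e.g. NT AUTHORITY\SYSTEM
                Detail   = ($_.Message -split "`r?`n")[0]     # first line of the message
            }
        }
    } catch {
        Write-Warning "$c : $($_.Exception.Message)"
    }
}

# Correlate per host: a creation event followed by a local-group add within the window.
$alerts = foreach ($group in ($hits | Group-Object Computer)) {
    $events = $group.Group | Sort-Object Time
    foreach ($e in ($events | Where-Object { $CreatedIds -contains $_.EventId })) {
        $followUp = $events | Where-Object {
            $AddedIds -contains $_.EventId -and
            $_.Time -ge $e.Time -and
            ($_.Time - $e.Time).TotalSeconds -le $PairWindowSeconds
        }
        if ($followUp) {
            '{0}: account created at {1:HH:mm:ss} by {2}, local-group member added within {3}s' -f `
                $group.Name, $e.Time, $e.Actor, $PairWindowSeconds
        }
    }
}

$hits   | Export-Csv -NoTypeInformation -Path $Report
$alerts | ForEach-Object { Write-Warning $_ }
```

Run it from a scheduled task on a management host, not on the monitored machines, and keep the CSV there: as Ed and Ken point out, once a box is compromised (kernel rootkit or not) the logs you read from it may no longer be trustworthy, so the copy you act on should already be off the host. A SYSTEM actor on its own is not proof of compromise (Ken's point about services running as LocalSystem), which is why the script flags the create-then-add pattern rather than the account name.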
