Dear Friends, hope you can help me.
I got a local user, it has the same machine ID like other local user plus 1003, but it is not in the SAM registry.
I can see it in the ProfileList key in the Software registry and it had begun a session, as I saw in the NTUSER.DAT and Usr.
Do you have any idea how this user could be created?
PS I have some artifacts that Mimikatz was used.
Many thanks for your help
I got a local user, it has the same machine ID like other local user plus 1003, but it is not in the SAM registry.
You need to clarify that. A local user is defined by having a corresponding record in SAM. If there is no such entry, it's not a local user.
(I assume you're saying that the user RID is 1003?)
I can see it in the ProfileList key in the Software registry and it had begun a session, as I saw in the NTUSER.DAT and Usr.
So, is it a possibility that the user was created some time ago, and then deleted? Or are you able to exclude that?
Do you have any other local users with RID > 1003? If you do, you may be able to say within what timespan that SID was created.
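The two checks suggested in the reply above, as an added example that is not part of the thread: find ProfileList SIDs that carry the machine SID but have no SAM account, then bracket when the missing RID was issued using its neighbours. The machine SID, RIDs and timestamps are constructed sample data, and the bracketing assumes local RIDs are handed out in increasing order and not reused.

```python
from datetime import datetime

# Constructed sample data; the machine SID is a placeholder, not from the thread.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# RID -> analyst's estimate of account creation time, for accounts still in SAM.
SAM_ACCOUNTS = {
    1001: datetime(2016, 3, 1, 9, 0),
    1002: datetime(2016, 5, 14, 16, 30),
    1004: datetime(2016, 10, 2, 11, 15),
}

# Subkey names found under the ProfileList key of the SOFTWARE hive.
PROFILELIST_SIDS = [
    "S-1-5-18",                      # well-known SID, not a local account
    MACHINE_SID + "-1001",
    MACHINE_SID + "-1003",           # profile exists, no SAM record
    "S-1-5-21-9-9-9-1105",           # different prefix: not this machine's SAM
]


def split_sid(sid):
    """Split a SID string into (prefix, RID)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def orphaned_local_profiles(profile_sids, sam_accounts, machine_sid):
    """RIDs with a profile under the machine SID but no SAM account."""
    orphans = []
    for sid in profile_sids:
        prefix, rid = split_sid(sid)
        if prefix == machine_sid and rid >= 1000 and rid not in sam_accounts:
            orphans.append(rid)
    return sorted(orphans)


def creation_window(rid, sam_accounts):
    """(not_before, not_after) from the nearest lower and higher surviving RIDs.

    Either bound is None when no neighbour exists on that side.
    """
    lower = [r for r in sam_accounts if r < rid]
    higher = [r for r in sam_accounts if r > rid]
    not_before = sam_accounts[max(lower)] if lower else None
    not_after = sam_accounts[min(higher)] if higher else None
    return not_before, not_after


if __name__ == "__main__":
    for rid in orphaned_local_profiles(PROFILELIST_SIDS, SAM_ACCOUNTS, MACHINE_SID):
        print(rid, creation_window(rid, SAM_ACCOUNTS))
```
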
This post may give you some ideas as to what happened
http//
This post may give you some ideas as to what happened
http://windowsir.blogspot.com.au/2016/11/the-joy-of-open-source.html
How timely! 😉