Forums
Main Category
General (Technical,...
Local user not in S...
 
Notifications
Clear all

Local user not in SAM

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by keydet89 9 years ago
4 Posts
4 Users
0 Reactions
627 Views
RSS
 forensicandy
(@forensicandy)
New Member
Joined: 10 years ago
Posts: 3
Topic starter 21/11/2016 1:25 am  

Dear,

Friends, hope you can help me

I got an local user, it has the same machine id like other local user plus 1003, but it is not in the SAM registry.

I can see it in the Profilelist key in the Software registry an had begun session as I saw in the NTUSER.DAT and Usr.

Do you have any idea how this user could be created?

PS I has some artifacts that Mimikatz was user.

Many thanks for your help


   
Quote
 Anonymous 6593
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
21/11/2016 2:30 am  

I got an local user, it has the same machine id like other local user plus 1003, but it is not in the SAM registry.

You need to clarify that. A local user is defined by having corresponding record in SAM. If there is no such entry, it's not a local user.

(I assume you're saying that the user RID is 1003?)

I can see it in the Profilelist key in the Software registry an had begun session as I saw in the NTUSER.DAT and Usr.

So, is it a possibility that the user was created some time ago, and then deleted? Or are you able to exclude that?

Do you have any other local users with RID > 1003? If you do, you may be able to say within what timespan that SID was created.


   
ReplyQuote
 randomaccess
(@randomaccess)
Reputable Member
Joined: 14 years ago
Posts: 385
21/11/2016 10:50 am  

This post may give you some ideas as to what happened
http//windowsir.blogspot.com.au/2016/11/the-joy-of-open-source.html


   
ReplyQuote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
27/11/2016 7:20 pm  

This post may give you some ideas as to what happened
http//windowsir.blogspot.com.au/2016/11/the-joy-of-open-source.html

How timely! 😉


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: