
Local user not in SAM

(@forensicandy)
Posts: 3
New Member
Topic starter
 

Dear friends, hope you can help me.

I got a local user, it has the same machine ID as another local user plus 1003, but it is not in the SAM registry.

I can see it in the ProfileList key in the Software registry, and it had begun a session, as I saw in the NTUSER.DAT and Usr.

Do you have any idea how this user could be created?

PS: I have some artifacts that Mimikatz was used.

Many thanks for your help

 
Posted : 21/11/2016 12:25 am
(@athulin)
Posts: 1156
Noble Member
 

I got a local user, it has the same machine ID as another local user plus 1003, but it is not in the SAM registry.

You need to clarify that. A local user is defined by having a corresponding record in SAM. If there is no such entry, it's not a local user.

(I assume you're saying that the user RID is 1003?)

I can see it in the ProfileList key in the Software registry, and it had begun a session, as I saw in the NTUSER.DAT and Usr.

So, is it a possibility that the user was created some time ago, and then deleted? Or are you able to exclude that?

Do you have any other local users with RID > 1003? If you do, you may be able to say within what timespan that SID was created.

 
Posted : 21/11/2016 1:30 am
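
The check suggested in the reply above, as an added example that is not part of the original thread: it lists SIDs that have a ProfileList entry under the machine SID but no SAM record, then uses the nearest RIDs still present in SAM to bound when the missing account was created. All SIDs and timestamps are constructed sample values, the function names are hypothetical, and it assumes local RIDs are issued in increasing order and that a creation time has been established for each remaining account.

```python
from datetime import datetime

# Constructed sample data, not taken from the thread. In a real case the SAM
# entries come from the parsed SAM hive and the SIDs from ProfileList in SOFTWARE.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAM_ACCOUNTS = {  # RID -> creation time the examiner established (assumed known)
    500: datetime(2015, 3, 1, 9, 0),
    1001: datetime(2015, 3, 1, 9, 30),
    1002: datetime(2016, 2, 10, 14, 0),
    1004: datetime(2016, 11, 5, 8, 15),
}
PROFILELIST_SIDS = [
    "S-1-5-18",
    MACHINE_SID + "-1001",
    MACHINE_SID + "-1002",
    MACHINE_SID + "-1003",  # profile exists, no SAM record
    MACHINE_SID + "-1004",
    "S-1-5-21-9999999999-8888888888-7777777777-1105",  # different issuer, ignored
]

def split_sid(sid):
    """Split a SID string into (issuing authority part, RID)."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)

def orphaned_local_rids(profile_sids, machine_sid, sam_accounts):
    """RIDs with a profile under this machine's SID but no record in SAM."""
    orphans = set()
    for sid in profile_sids:
        head, rid = split_sid(sid)
        if head == machine_sid and rid not in sam_accounts:
            orphans.add(rid)
    return sorted(orphans)

def creation_window(rid, sam_accounts):
    """Bound creation time by the nearest lower and higher RIDs still in SAM.

    Only RIDs >= 1000 are used; built-in accounts such as 500 are not part of
    the sequential allocation. None means no bound on that side.
    """
    lower = [r for r in sam_accounts if 1000 <= r < rid]
    higher = [r for r in sam_accounts if r > rid]
    earliest = sam_accounts[max(lower)] if lower else None
    latest = sam_accounts[min(higher)] if higher else None
    return earliest, latest

if __name__ == "__main__":
    for rid in orphaned_local_rids(PROFILELIST_SIDS, MACHINE_SID, SAM_ACCOUNTS):
        print(rid, creation_window(rid, SAM_ACCOUNTS))
```
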
(@randomaccess)
Posts: 385
Reputable Member
 

This post may give you some ideas as to what happened
http://windowsir.blogspot.com.au/2016/11/the-joy-of-open-source.html

 
Posted : 21/11/2016 9:50 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

This post may give you some ideas as to what happened
http://windowsir.blogspot.com.au/2016/11/the-joy-of-open-source.html

How timely! 😉

 
Posted : 27/11/2016 6:20 pm