
User login evidence without user profile folder

(@pewpew)
New Member
Joined: 6 years ago
Posts: 2
Topic starter  

Hello!
I've read a lot of articles on finding different user tracks in Windows, but they are all based on the user profile folder. How can I get evidence that a user logged in if there is no user profile left?
My AV software notified me about a suspicious file on a domain controller in a user profile, but I didn't see the user profile of that user. Also, based on events 4624, this user never logged in to this DC.
Also, I thought that I could get a list of cached credentials from the registry, but on the DC credential caching is turned off.

What else can you advise?
Thanks.


   
tracedf
(@tracedf)
Estimable Member
Joined: 10 years ago
Posts: 169
 

Since you say the event logs don't show the user logging on to that DC, does it make sense that the user would log on locally to that DC? If not, is it possible that you misinterpreted the alert? Could some data have been mis-correlated?

Do you have redirected profiles enabled for users (so that their profiles are stored on a file server)?


   
(@pewpew)
New Member
Joined: 6 years ago
Posts: 2
Topic starter  

Thanks for your answer, tracedf!

No, this user could not log in with a local account. And judging by the event log, I do not see any login from users who do not have the right to do this.
I don't have redirected profiles enabled.

I'm starting to think that this is incorrect data from the antivirus. Although the computer name, IP and MAC addresses are specified exactly from that DC.

Just wanted to make sure that there are no other methods which I can use to find any traces.


   