any utilities to locate compromised AD accounts? (security experts only please)

oROEchimaru

Hello, after a phishing attempt by a malicious outside user, what are some methods commonly used to locate compromised accounts other than finding users sending massive spam messages? Social engineering/phishing is problematic in several industries.

a. Any AD utilities to find access from outside countries/IPs?

b. Use of StealthWatch, DC logs, etc. hasn't seemed to bring any data to light.

Often the sample size is 10-200 users that clicked the link. Any tips? Thanks!
 
Depends on the structure of your network more than anything... AD is typically inside the firewall and requires some sort of VPN access to get in to authenticate. If that's the case, the VPN logs will tell you more (or even consider blocking outside country IP ranges from even entering your network). If you're looking for folks that clicked the link, you might be better off with a web monitoring tool that tracks where the employees go, see who called that URL from the email, and work that list.

Tell us a bit more about the network topology and we may be able to give you something more concrete...
 
In most cases I have no problems tracking the link usage internally with Websense. However, if someone clicks the link from webmail or their mobile device, then their account could be compromised.

Looking for typical usage:
a. User sets up email on their smartphone (ActiveSync) or connects via webmail on OWA
b. User reads their email > clicks the link
c. Externally it's not checked by Websense if we were aware and blocked it after users reported it.
 
If you have Exchange, and are using OWA, one thing I found to look for in the IIS logs is "+CrazyBrowser". If you see that, it is a plugin to allow scripting through a browser.

We started blocking +CrazyBrowser on our Exchange servers and alerting on that; it helped us track down compromised accounts.

Don't know if that will help or not.
 
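As an added example that is not from the thread (and not Exchange or IIS tooling), here is a small Python script that reads an IIS W3C log from an OWA/ActiveSync front end and flags the indicators discussed above: the "+CrazyBrowser" User-Agent marker, accounts seen from more than one client IP, and one client IP authenticating as several accounts. The log lines are constructed for the example, and the column order is assumed to follow the file's own #Fields header.

```python
from collections import defaultdict

# Constructed sample of an IIS W3C log from an OWA/ActiveSync front end (not real data).
# IIS writes spaces inside field values as "+", which is why the thread's marker reads "+CrazyBrowser".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2014-03-01 08:00:01 10.0.0.5 POST /owa/ev.owa oeh=1 443 CORP\\alice 203.0.113.10 Mozilla/5.0+(Windows+NT+6.1)+Firefox/27.0 200
2014-03-01 08:00:07 10.0.0.5 GET /owa/ - 443 CORP\\bob 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0;+CrazyBrowser+3.0) 200
2014-03-01 08:01:15 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync 443 CORP\\alice 192.0.2.44 Apple-iPhone5C2/1102.55400 200
2014-03-01 08:02:30 10.0.0.5 POST /owa/ev.owa oeh=1 443 CORP\\carol 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0;+CrazyBrowser+3.0) 200
2014-03-01 08:03:02 10.0.0.5 GET /owa/ - 443 - 203.0.113.99 Mozilla/5.0+(Windows+NT+6.1) 401
"""

def parse_iis_log(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_suspicious(text, ua_markers=("CrazyBrowser",), max_ips=1):
    """Return three dicts for review:
    ua_hits:   user -> client IPs whose User-Agent contained a marker
    multi_ip:  user -> client IPs, for accounts seen from more than max_ips addresses
    shared_ip: client IP -> users, for addresses that authenticated as several accounts
    """
    ua_hits, user_ips, ip_users = defaultdict(set), defaultdict(set), defaultdict(set)
    for rec in parse_iis_log(text):
        user, ip = rec.get("cs-username", "-"), rec.get("c-ip", "-")
        if user == "-":
            continue  # anonymous or failed request: nothing to attribute to an account
        user_ips[user].add(ip)
        ip_users[ip].add(user)
        ua = rec.get("cs(User-Agent)", "")
        if any(m.lower() in ua.lower() for m in ua_markers):
            ua_hits[user].add(ip)
    return (
        {u: sorted(v) for u, v in ua_hits.items()},
        {u: sorted(v) for u, v in user_ips.items() if len(v) > max_ips},
        {i: sorted(v) for i, v in ip_users.items() if len(v) > 1},
    )

if __name__ == "__main__":
    for label, result in zip(("UA marker", "multi-IP users", "shared IPs"), find_suspicious(SAMPLE_LOG)):
        print(label, result)
```

On a real server, feed it the contents of the OWA and Microsoft-Server-ActiveSync site logs and review the three lists together; a marker hit plus a client IP that shows up under several accounts is the combination the post describes.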