I was helping someone who experienced a ransomware attack, and now they're unable to log in with their default domain administrator account, although they can still access other domain admin accounts without issues. It seems like the malware messed with the default admin account in Active Directory; for instance, the username and domain fields are empty in the user properties, and it has been removed from the domain admin group. Even after restoring its settings, the account still won't let anyone log in. We're able to reset the password, but it still says the password is incorrect – which it shouldn't be. I'm curious about what the attackers could have done to cause this situation, even though there are alternative domain admins and the overall domain health seems fine. I've done a quick comparison with other accounts, and it looks similar. Any insights?
4 Answers
This is a classic tactic used in ransomware attacks. They often target the built-in Administrator account since it's key for recovery. Check these details:
1. Run `Get-ADUser -Identity Administrator -Properties *` and compare it with a healthy DA account, specifically looking at user account control flags which may be set to disabled or locked out, causing that "incorrect password" issue.
2. Verify if the adminSDHolder object was altered. Ransomware often messes with this to propagate permission changes.
3. Inspect the account's SID history for any foreign SIDs that could affect authentication.
4. Don't forget to check the KRBTGT account - if they altered the DA, they likely targeted this as well.
Assuming the entire Active Directory is compromised might be best — you could end up needing a clean recovery.
If you have Defender running, it might have disrupted the account due to suspicious activity. It will appear enabled but still won't work. Check the Defender console under "Actions" to see if you can rectify that issue.
First thing to check is the SID on that account. It might not be the actual Administrator account; it could be a new account that was renamed to look like it. If that's the case, get rid of it immediately. You can find the real Administrator account with the well-known SID ending in 500 by running this command: `Get-ADUser -Identity "$((Get-ADDomain).DomainSID)-500" -Properties SID`.
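A read-only triage script that combines the checks from the first answer (property comparison, userAccountControl flags, SIDHistory, KRBTGT, AdminSDHolder) with the RID-500 look-alike check from the answer above. This is an added example, not code from either answer; it assumes the RSAT ActiveDirectory module and a session as one of the still-working domain admins.

```powershell
# Added triage script, not code from the thread. Assumes the RSAT ActiveDirectory
# module and a session as a still-working domain admin. Read-only: it changes nothing.
Import-Module ActiveDirectory
$domain     = Get-ADDomain
$builtinSid = "$($domain.DomainSID.Value)-500"   # the real built-in Administrator, whatever its name now

# 1. Pull the account by well-known RID 500, never by name.
$props = 'SamAccountName','UserPrincipalName','Enabled','LockedOut','PasswordExpired',
         'userAccountControl','AdminCount','SIDHistory','MemberOf','PasswordLastSet',
         'AccountExpirationDate','LogonWorkstations','whenChanged'
$builtin = Get-ADUser -Identity $builtinSid -Properties $props

# 2. Any other object named "Administrator" is a look-alike, not the built-in account.
$lookAlikes = Get-ADUser -Filter 'SamAccountName -eq "Administrator" -or Name -eq "Administrator"' |
    Where-Object { $_.SID.Value -ne $builtinSid }

# 3. Decode the userAccountControl bits that commonly surface as "wrong password".
$uacFlags = @{
    0x000002 = 'ACCOUNTDISABLE';   0x000010 = 'LOCKOUT'
    0x000020 = 'PASSWD_NOTREQD';   0x000080 = 'ENCRYPTED_TEXT_PWD_ALLOWED'
    0x100000 = 'NOT_DELEGATED';    0x200000 = 'USE_DES_KEY_ONLY'
    0x400000 = 'DONT_REQ_PREAUTH'; 0x800000 = 'PASSWORD_EXPIRED'
}
$setFlags = $uacFlags.Keys | Where-Object { $builtin.userAccountControl -band $_ } |
    ForEach-Object { $uacFlags[$_] }

# 4. KRBTGT: a PasswordLastSet nobody on the team performed means someone else touched it.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet, whenChanged

# 5. AdminSDHolder: ACEs planted here get re-applied to every protected account by SDProp.
#    Baseline should only show the built-in admin groups and SYSTEM; anything else is suspect.
$sdHolderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$writeAces = (Get-Acl -Path "AD:\$sdHolderDn").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

[pscustomobject]@{
    BuiltinAdminName      = $builtin.SamAccountName
    UPN                   = $builtin.UserPrincipalName
    UacFlagsSet           = ($setFlags -join ', ')
    LockedOut             = $builtin.LockedOut
    AccountExpires        = $builtin.AccountExpirationDate
    LogonWorkstations     = $builtin.LogonWorkstations   # non-empty = logon restricted to listed hosts
    SIDHistory            = ($builtin.SIDHistory -join ', ')
    AdminCount            = $builtin.AdminCount
    InDomainAdmins        = [bool]($builtin.MemberOf | Where-Object { $_ -like 'CN=Domain Admins,*' })
    LookAlikeAccounts     = ($lookAlikes.DistinguishedName -join '; ')
    KrbtgtPasswordLastSet = $krbtgt.PasswordLastSet
    AdminSDHolderWriters  = ($writeAces.IdentityReference -join ', ')
} | Format-List
```

Run the same block with `$builtinSid` swapped for a known-good DA account's SID to get a side-by-side baseline.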
Isolate everything! Ensure that none of your systems are connected to the internet to stop further infections. Identify the ransomware, check for indicators, and then only work on remediation. Remember to restore from backups as rebuilding could be necessary. Don't reuse passwords either and check external systems for unusual activity.

Good tip! I'll definitely check that out.