Malware at the Domain Controller

The Network: A major nonprofit organization that supplements its team with Netsurion’s co-managed security solution.

The Expectation: Robust, up-to-date prevention controls (Anti-Virus, Next-Gen Firewall, Proxy) thwart most common attacks, but since perfect protection is not practical, monitoring is also necessary. Domain controllers are among the most critical systems in any environment and should be protected at all times, with an availability target of 100% uptime.

The Catch: Netsurion’s Security Operations Center (SOC) analysts observed multiple processes executing on a critical domain controller from paths inside several users’ profile directories. All of the process activity occurred within a 12-minute window on a single day, and each process was launched by AgentMon.exe, a legitimate Kaseya remote-management agent process. A trusted parent process does not make its children trustworthy: executables running out of user profile paths on a domain controller are unexpected regardless of what launched them.
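The pattern the SOC spotted, processes starting from user profile paths on a domain controller and clustered in time under one parent, can be written down as detection logic. The Python below is an added example for this page, not Netsurion’s tooling or Kaseya code; it runs over constructed Security event 4688-style records, and the host names, account names, file names and the Kaseya agent path are all hypothetical placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Executables running out of a user profile (Downloads, Desktop, AppData\...)
# have no business on a domain controller; the profile owner is captured so
# the analyst can see which accounts were involved.
PROFILE_PATH = re.compile(r"^[a-z]:\\users\\(?P<user>[^\\]+)\\", re.IGNORECASE)

# Hypothetical host list: the SOC's tag for which computers are domain controllers.
DOMAIN_CONTROLLERS = {"DC01.corp.example"}


def is_profile_path(image_path):
    """True when the image path sits inside C:\\Users\\<someone>\\..."""
    return PROFILE_PATH.match(image_path) is not None


def profile_owner(image_path):
    """Account name that owns the profile the image was launched from, or None."""
    m = PROFILE_PATH.match(image_path)
    return m.group("user") if m else None


def find_profile_launches(events, dc_hosts=DOMAIN_CONTROLLERS):
    """Keep the process-creation events (Security 4688-style dicts) that started
    an executable from a user profile path on a domain controller."""
    return [
        ev for ev in events
        if ev["Computer"] in dc_hosts and is_profile_path(ev["NewProcessName"])
    ]


def cluster_by_parent(hits, window=timedelta(minutes=12)):
    """Group the hits by parent image name and flag a group whose launches all
    fall inside one short window, the burst pattern seen in this case."""
    groups = defaultdict(list)
    for ev in hits:
        parent = ev["ParentProcessName"].rsplit("\\", 1)[-1].lower()
        groups[parent].append(ev)

    summary = {}
    for parent, evs in groups.items():
        times = sorted(datetime.fromisoformat(e["TimeCreated"]) for e in evs)
        span = times[-1] - times[0]
        summary[parent] = {
            "count": len(evs),
            "users": sorted({profile_owner(e["NewProcessName"]) for e in evs}),
            "span_minutes": span.total_seconds() / 60,
            "burst": span <= window,
        }
    return summary


# Constructed sample events, not real logs. Field names follow Security event
# 4688; the Kaseya agent path below is a hypothetical placeholder.
AGENT = r"C:\Program Files\Kaseya\AgentMon.exe"
SAMPLE_EVENTS = [
    {"TimeCreated": "2023-05-01T09:02:10", "Computer": "DC01.corp.example",
     "NewProcessName": r"C:\Users\jsmith\Downloads\torbrowser-install.exe",
     "ParentProcessName": AGENT},
    {"TimeCreated": "2023-05-01T09:05:40", "Computer": "DC01.corp.example",
     "NewProcessName": r"C:\Users\mjones\AppData\Local\Temp\setup_bundle.exe",
     "ParentProcessName": AGENT},
    {"TimeCreated": "2023-05-01T09:13:55", "Computer": "DC01.corp.example",
     "NewProcessName": r"C:\Users\jsmith\AppData\Roaming\updater.exe",
     "ParentProcessName": AGENT},
    # Normal system activity on the DC: system path, so not a hit.
    {"TimeCreated": "2023-05-01T09:30:00", "Computer": "DC01.corp.example",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe"},
    # Same pattern on a file server: ignored here because it is not a DC.
    {"TimeCreated": "2023-05-01T09:04:00", "Computer": "FS01.corp.example",
     "NewProcessName": r"C:\Users\bob\Downloads\putty.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    # A lone interactive launch on the DC hours later: a hit, but its own group.
    {"TimeCreated": "2023-05-01T14:00:00", "Computer": "DC01.corp.example",
     "NewProcessName": r"C:\Users\admin\Desktop\tool.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    hits = find_profile_launches(SAMPLE_EVENTS)
    for parent, info in cluster_by_parent(hits).items():
        print(f"{parent}: {info['count']} launch(es) from profiles of "
              f"{', '.join(info['users'])} over {info['span_minutes']:.1f} min, "
              f"burst={info['burst']}")
```

On the constructed input the three AgentMon.exe launches group together as a burst spanning under 12 minutes across two user profiles, while the explorer.exe launch is reported separately; the file-server event is dropped because the filter keys on the domain-controller role, which is the point of the rule.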

The Find: On analysis, Netsurion’s SOC team determined that the processes were malicious: a Tor Browser installation, adware, a Trojan and riskware, falling into the categories of TOR, Potentially Unwanted Programs (PUP) and Trojans.

The Fix: The SOC analyst immediately notified the customer, who promptly removed the malicious programs from the critical domain controller. Netsurion’s SOC team further recommended that the customer scan the domain controller with Anti-Virus/Anti-Malware software after the removal and before placing it back on the network. The customer confirmed that they followed the recommendations and returned the domain controller to the network. Had the infection not been cleaned up, the customer could have faced a business outage.

The Lesson: Anti-Virus will not stop every attack, but it should still be updated in a timely manner and run on scheduled scans. Because the customer sent their Anti-Virus logs to Netsurion, our SOC analysts were able to analyze the correlated logs and discover the attack. Also make sure to restrict users with the correct Role-Based Access Control (RBAC) privileges: ordinary user accounts should have no reason to log on to a domain controller, let alone run software out of their profile directories on it.