Could be a backup system or something like that kicking off a ‘run as’… looks like it. I don’t know the product though.

 

Rob

Robert Rutherford
QuoStar Solutions Limited

T:    +44 (0) 8456 440 331  
F:    +44 (0) 8456 440 332  
M:    +44 (0) 7974 249 494  
E:    [EMAIL PROTECTED]
W:    www.quostar.com  

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ramon Linan
Sent: 13 November 2006 14:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]AD SECURITY."Run As" command used - to impersonate Administrators

 

Hi,

So I decided to try out GFI event monitor, I am loving it so far, but I am not a security expert so I am easy to impress.

Anyway, I got a bunch of emails like the one below. Have you guys seen something similar in your logs? Is this someone trying to hack or a service trying to run something?

 

Thanks

 

 

Subject: 11/12/2006 12:28:38 PM "Run As" command used - to impersonate Administrators - outside work hours - Critical - <servername> - 552

Logon attempt using explicit credentials:

Logged on user:

User Name: administrator

Domain: domain

Logon ID: (0x2,0x9D018B17)

Logon GUID: {ec9c7758-8375-8064-3e03-8e860a568322}

User whose credentials were used:

Target User Name: administrator

Target Domain: domain.com

Target Logon GUID: {13d439ef-0597-c23e-aa24-8ca92f9e7730}

Target Server Name: server.domain.com

Target Server Info: cifs/server.domain.com

Caller Process ID: 1620

Source Network Address: -

Source Port: -
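
For triaging alerts like the one quoted in this thread, here is a small parser for the event 552 description text. It is an added example, not part of the original messages or of the GFI product. The function names and the choice of triage fields are assumptions, and the sample is the alert body above with blank lines removed.

```python
import re

# Constructed sample: the event 552 description from the alert above, blank lines removed.
SAMPLE_552 = """\
Logon attempt using explicit credentials:
Logged on user:
User Name: administrator
Domain: domain
Logon ID: (0x2,0x9D018B17)
Logon GUID: {ec9c7758-8375-8064-3e03-8e860a568322}
User whose credentials were used:
Target User Name: administrator
Target Domain: domain.com
Target Logon GUID: {13d439ef-0597-c23e-aa24-8ca92f9e7730}
Target Server Name: server.domain.com
Target Server Info: cifs/server.domain.com
Caller Process ID: 1620
Source Network Address: -
Source Port: -
"""

def parse_552(text):
    """Return the 'Name: value' fields of an event 552 description as a dict."""
    fields = {}
    for line in text.splitlines():
        # Section headers such as 'Logged on user:' have no value and are skipped.
        m = re.match(r"\s*([^:]+):\s*(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def triage(f):
    """Collect the facts an analyst checks before judging the alert (hypothetical helper)."""
    service, _, host = f.get("Target Server Info", "").partition("/")
    return {
        # True when the explicit credentials carry the same account name as the caller.
        "same_account_name": f["User Name"].lower() == f["Target User Name"].lower(),
        # True when the event recorded no remote address ('-').
        "no_network_source": f.get("Source Network Address", "-") == "-",
        "service_class": service,   # 'cifs' is the SMB file-sharing service class
        "target_host": host,
        # PID to look up on the server that logged the event, to name the calling program.
        "caller_pid": int(f["Caller Process ID"]),
    }

if __name__ == "__main__":
    print(triage(parse_552(SAMPLE_552)))
```

The caller PID is only meaningful on the server that logged the event and only while that process is still running, so resolve it to a program name promptly.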
