
How to track a user?



Hi!

I have a network with a domain controller and Active Directory users in one location.
In another location I have a different domain controller and Active Directory users; these are separate domains.

My problem is that I have a person who manages to connect from one location to another.

Each location that has a domain controller and Active Directory has a firewall; it is a FortiGate machine.

This person has only a user account in Active Directory. The local accounts on his computer are disabled.
On his computer the IP address is static. Both the servers and the workstations are up to date.

He succeeds in using the Internet to connect to the other network, using administrator privileges.
This person makes changes on computers in both locations: normal changes that are made only by the network administrator.

I think it's an undetectable virus/malware/trojan. I would like to know how I can scan servers and services for undetectable viruses/trojans, and how to trace how this person connects. From what I know so far, the user succeeds in taking over a user's session from a different computer, without the user's knowledge or noticing, and makes any changes he wishes.

I checked the logon failures and I have many attempts to access the administrator account. The place where I find them is every computer that I log on to with the administrator account, and the primary/secondary domain controllers.

I have software that I manage my events with: ADAudit Plus. In my reports it says that the event type is failure and the failure reason is bad password. The problem is that at logon time, for example at 12:33:25, the administrator account is accessed 44 times.

I think that some sort of trojan horse is trying to access my administrator account to steal my password.

My problem is how I detect this trojan horse/malware stuff, and how I delete it permanently. Where might I look for more information? What shall I do next?

Any suggestion/feedback/opinion is appreciated. Thank you.


  • Root Admin

Hello and welcome.

I would suggest you enable full auditing on all workstations and sufficient auditing on the servers.

You obviously allow connections between the domains, as you say you can connect. That means that others probably can too, if they know the proper credentials and technique.
All that is needed is for the user to have or know administrative credentials on another computer in his/her domain. Then he connects to that system (possibly even by RDP) or with other tools, and then connects to the other domain via that other breached computer, which does not have the same lockdown on it. They could possibly be using a bootable USB drive on another computer. If you have open ports via some Internet-facing connection, that could be another possible means of breach.

A bit too complex to get into, but suffice it to say that if you're concerned and sure that someone is attempting to breach your network, and you're not sure how to track it down, then I would highly suggest hiring either a company or an individual with this expertise. Running some malware threat scans when a network structure is involved is not sufficient to detect or prevent a breach. There are many ways to try to breach a network, and it is way beyond the scope and means of the forum, as this medium is a long, drawn-out back-and-forth response mechanism; in the case of a possible breach you need quick, experienced help in order to detect it and take the appropriate responses. Each business can have different responses on how they wish to address possible breaches. Some want to try as best as possible to locate the party involved; others simply want it found, closed down, and prevented from happening again. Some will even rebuild a server if they feel it's been breached. Decisions like that are up to each company, but slowly working on the issue over a forum is not an acceptable practice for most, again due to the length of time it can take.

Sorry I can't offer you a faster, better solution, but hopefully I've given you some advice to help move forward with this issue.

 

Edited by AdvancedSetup
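Both posts above point at the same two pieces of evidence: the burst of failed Administrator logons in a single second that ADAudit Plus reports, and the chain of remote logons from one machine through an intermediate host into the second domain that the reply describes. The Python below is added here as an example; it is not code from either poster or from ADAudit Plus. It correlates exported Security log records in both ways: a sliding window over event 4625 to separate a burst from scattered typos, and a hop-by-hop walk over event 4624 network/RDP logons to show which hosts a session pivoted through. The record shape (fields `time`, `id`, `computer`, `target`, `src_ip`, `src_host`, `logon_type`), the `HOST_IP` inventory and every sample event are constructed assumptions; on a real domain you would export 4624/4625 from each machine (for instance with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}`) and map the fields into this shape.

```python
"""Correlate Windows Security log records: (a) bursts of failed logons
(event 4625) against one account from one source, and (b) chains of
remote logons (event 4624, logon type 3 or 10) that pivot through an
intermediate host. All records below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed field names, not a real export):
#   computer   = host that wrote the event (Computer field)
#   target     = TargetUserName
#   src_ip     = IpAddress
#   src_host   = WorkstationName (4625 only)
#   logon_type = LogonType (2 console, 3 network, 10 RDP)
SAMPLE_EVENTS = [
    # 12 bad-password failures (status 0xC000006A) in the same second,
    # all against Administrator from workstation WS-0042
    *[{"time": "2020-03-10 12:33:25", "id": 4625, "computer": "DC01-SITEA",
       "target": "Administrator", "src_ip": "10.1.5.77", "src_host": "WS-0042",
       "logon_type": 3, "status": "0xC000006A"} for _ in range(12)],
    # two scattered failures from another workstation: ordinary typos
    {"time": "2020-03-10 08:02:11", "id": 4625, "computer": "DC01-SITEA",
     "target": "jsmith", "src_ip": "10.1.5.30", "src_host": "WS-0011",
     "logon_type": 2, "status": "0xC000006A"},
    {"time": "2020-03-10 08:02:40", "id": 4625, "computer": "DC01-SITEA",
     "target": "jsmith", "src_ip": "10.1.5.30", "src_host": "WS-0011",
     "logon_type": 2, "status": "0xC000006A"},
    # the user's own console logon on his workstation (not a pivot)
    {"time": "2020-03-10 08:00:05", "id": 4624, "computer": "WS-0042",
     "target": "jsmith", "src_ip": "127.0.0.1", "logon_type": 2},
    # RDP from WS-0042 to a file server, then RDP from that server
    # into the domain controller of the other site
    {"time": "2020-03-10 12:34:02", "id": 4624, "computer": "FILESRV01",
     "target": "Administrator", "src_ip": "10.1.5.77", "logon_type": 10},
    {"time": "2020-03-10 12:36:48", "id": 4624, "computer": "DC02-SITEB",
     "target": "Administrator", "src_ip": "10.1.5.20", "logon_type": 10},
    # an unrelated network logon (file share access) from WS-0011
    {"time": "2020-03-10 09:15:00", "id": 4624, "computer": "FILESRV01",
     "target": "jsmith", "src_ip": "10.1.5.30", "logon_type": 3},
]

# Assumed inventory mapping each host to its static address; in practice
# built from DHCP/DNS records or from the hosts' own 4624 IpAddress fields.
HOST_IP = {"WS-0042": "10.1.5.77", "WS-0011": "10.1.5.30",
           "FILESRV01": "10.1.5.20", "DC02-SITEB": "10.2.0.1"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def failed_logon_bursts(events, threshold=10, window_seconds=5):
    """Return one entry per (target, source) whose 4625 failures reach
    `threshold` within any `window_seconds` window: the '44 attempts at
    12:33:25' pattern, as opposed to a few scattered typos."""
    window = timedelta(seconds=window_seconds)
    by_source = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            key = (e["target"], e["src_ip"], e.get("src_host", "?"))
            by_source[key].append(parse_time(e["time"]))
    bursts = []
    for (target, ip, host), times in by_source.items():
        times.sort()
        best, j = None, 0
        for i, t in enumerate(times):          # sliding window over sorted times
            while t - times[j] > window:
                j += 1
            n = i - j + 1
            if n >= threshold and (best is None or n > best["count"]):
                best = {"target": target, "src_ip": ip, "src_host": host,
                        "count": n, "first": times[j], "last": t}
        if best:
            bursts.append(best)
    return bursts


def logon_chains(events, origin_ip, host_ip, logon_types=(3, 10)):
    """Follow remote 4624 logons hop by hop from `origin_ip`: each hop is a
    host that accepted a network/RDP logon from the previous hop's address.
    Returns chains as [origin_ip, 'user@host', 'user@host', ...]."""
    edges = defaultdict(set)                   # src_ip -> {(computer, user)}
    for e in events:
        if e["id"] == 4624 and e["logon_type"] in logon_types:
            if e["src_ip"] != host_ip.get(e["computer"]):   # skip self-logons
                edges[e["src_ip"]].add((e["computer"], e["target"]))
    chains = []

    def walk(ip, path, seen):
        hops = [h for h in sorted(edges.get(ip, ())) if h[0] not in seen]
        if not hops:
            if len(path) > 1:
                chains.append(path)
            return
        for computer, user in hops:
            walk(host_ip.get(computer), path + [f"{user}@{computer}"],
                 seen | {computer})

    walk(origin_ip, [origin_ip], set())
    return chains


if __name__ == "__main__":
    for b in failed_logon_bursts(SAMPLE_EVENTS):
        print(f"{b['count']} failures for {b['target']} from {b['src_host']} "
              f"({b['src_ip']}) between {b['first']} and {b['last']}")
    for chain in logon_chains(SAMPLE_EVENTS, HOST_IP["WS-0042"], HOST_IP):
        print(" -> ".join(chain))
```

The burst check keys on target account plus source address and workstation name, so a report of many failures in one second also tells you which machine sent them, which is the piece the ADAudit Plus report alone does not give. The chain walk only follows logon types 3 and 10 and ignores logons whose source address is the logging host itself, so a user's own console session does not appear as a pivot; a chain that ends on the other site's domain controller is the path to close, and the first host on it is where the credentials were obtained.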
