Remote Login and New admin account created on my machine - hacked?
OK, so a user named Lorenco was logged into my machine today when I went to log in.
This user account should not exist and was connected remotely, I believe.
I captured all the event logs. What do I need to verify this was a hack or a legit login?
Received user logon notification on session 4.
shell\roaming\settingsync\settingprofilehandler.cpp(24)\SettingSync errors
event log cleared the user
The audit log was cleared.
Subject:
    Security ID: GROD\Lorenco
    Account Name: Lorenco
    Domain Name: GROD
    Logon ID: 0x46D9E82

A user's local group membership was enumerated.
Subject:
    Security ID: GROD\Lorenco
    Account Name: Lorenco
    Account Domain: GROD
    Logon ID: 0x46D9EA0
User:
    Security ID: GROD\Lorenco
    Account Name: Lorenco
    Account Domain: GROD
Process Information:
    Process ID: 0x2618
    Process Name: C:\Users\Lorenco\Desktop\GoogleChromePortable\App\Chrome-bin\chrome.exe
Much more in the logs...