User account used to set up servers is being flagged for suspicion of identity theft based on abnormal behavior

  • Question

  • Hi all,

    I had a user account flagged for suspicion of identity theft based on abnormal behavior. This user account is a domain admin and is no longer accessed by anyone. It was used to set up the Hyper-V hypervisors in my environment.

    Unfortunately, there seems to be a lot of Kerberos traffic under this account round the clock (1000 records every hour based on the timeline). However, I did a check and there are no services running using this account. In the Excel report, many legitimate servers are listed as abnormal resources. Some of the hypervisors are listed as normal resources, though. May I know how I can identify the cause of this activity?

    Saturday, April 22, 2017 5:34 PM

All replies