
I have a Windows Server 2019 machine. It is a database server (MSSQL Server) in an intranet environment. I monitor its processes, and I found that sometimes the process below runs automatically without any cause.

"C:\Windows\system32\cmd.exe" /c "net localgroup administrators" "net localgroup administrators"

I checked my user list and group list and I don't see any new users. I don't know why net.exe runs with this command to create new local admin accounts. How could I find its root cause, and is there any solution to find the net.exe activity log?

Milad Habibian

1 Answer


Check out event ID 4688, which is logged by Windows whenever a process is started. The link also explains how to configure auditing on your system to make sure this event is actually logged.

This is definitely a little suspicious, but start by looking at the event, which shows you things like the parent PID so you can see which process actually started this process.

Lucky Luke
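The following is an added example of how to do what the answer describes; it is not code from the original question or answer. It assumes Windows Server 2016 or later (Server 2019 qualifies, so that event 4688 carries the Creator Process Name field), an elevated PowerShell session, and that the Security log still holds the events of interest. It enables process-creation auditing with command lines, pulls the 4688 events, finds the ones that ran `net localgroup`, and walks the creator-PID chain back to whatever started `cmd.exe`.

```powershell
# Added example, not part of the original post. Assumes Windows Server 2016+ and an elevated shell.

# 1. Turn on Success auditing for Process Creation and include the command line in 4688 events.
#    Both settings only affect events logged from now on; past launches are not backfilled.
auditpol /set /subcategory:"Process Creation" /success:enable
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 2. Read 4688 events and flatten the EventData fields we need.
#    NewProcessId / ProcessId are hex strings such as 0x1a2c; [int] understands the 0x prefix.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 20000 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            NewPid      = [int]$d.NewProcessId
            NewProcess  = $d.NewProcessName
            CommandLine = $d.CommandLine
            ParentPid   = [int]$d.ProcessId          # "Creator Process ID"
            Parent      = $d.ParentProcessName       # "Creator Process Name" (Server 2016+)
        }
    }

# 3. Keep the launches that ran net localgroup (matches both the cmd.exe /c line and the
#    net.exe / net1.exe child it spawns).
$hits = $events | Where-Object { $_.CommandLine -match 'net1?(\.exe)?"?\s+localgroup' }

# 4. For each hit, follow creator PID -> NewPid of an earlier 4688 to find who started it.
#    PIDs are reused, so always take the most recent 4688 for that PID logged before the child.
foreach ($h in $hits) {
    Write-Host "`n$($h.Time)  $($h.User)  $($h.NewProcess) [PID $($h.NewPid)]"
    Write-Host "  cmd: $($h.CommandLine)"
    $cur = $h
    for ($depth = 0; $depth -lt 5 -and $cur; $depth++) {
        $parent = $events |
            Where-Object { $_.NewPid -eq $cur.ParentPid -and $_.Time -le $cur.Time } |
            Sort-Object Time -Descending | Select-Object -First 1
        if (-not $parent) {
            # The creator was started before auditing was enabled, or its 4688 has rotated out of
            # the log. The Creator Process Name from the child's own event is still usable.
            Write-Host "  <- PID $($cur.ParentPid) $($cur.Parent)  (no 4688 record for the parent)"
            break
        }
        Write-Host "  <- $($parent.NewProcess) [PID $($parent.NewPid)] $($parent.CommandLine)"
        $cur = $parent
    }
}
```

The first hop usually answers the question: `net.exe` is created by `cmd.exe`, and the creator of that `cmd.exe` is the thing to explain. A scheduled task shows up as `svchost.exe` (Schedule service) or `taskeng.exe`, a service as `services.exe`, a remote WMI call as `WmiPrvSE.exe`, and on a database host `sqlservr.exe` as the creator means the command came through SQL Server itself (for example `xp_cmdshell` or a SQL Agent job step), which is where to look next. If the Security log is small or rotates quickly, raise its maximum size before waiting for the next occurrence, otherwise the parent's 4688 may already be gone by the time you check.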