Event ID 4741 — A computer account was created.
Description
A computer account was created.
Fields
| Name | Description |
|---|---|
| Account_Name | [New Computer Account] Account Name. |
| Account_Domain | [New Computer Account] Account Domain. |
| Security_ID | [New Computer Account] Security ID. |
| Security_ID | [Subject] Security ID. |
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
| SAM_Account_Name | [Attributes] SAM Account Name. |
| Display_Name | [Attributes] Display Name. |
| User_Principal_Name | [Attributes] User Principal Name. |
| Home_Directory | [Attributes] Home Directory. |
| Home_Drive | [Attributes] Home Drive. |
| Script_Path | [Attributes] Script Path. |
| Profile_Path | [Attributes] Profile Path. |
| User_Workstations | [Attributes] User Workstations. |
| Password_Last_Set | [Attributes] Password Last Set. |
| Account_Expires | [Attributes] Account Expires. |
| Primary_Group_ID | [Attributes] Primary Group ID. |
| AllowedToDelegateTo | [Attributes] AllowedToDelegateTo. |
| Old_UAC_Value | [Attributes] Old UAC Value. See UAC flags reference. |
| New_UAC_Value | [Attributes] New UAC Value. See UAC flags reference. |
| User_Account_Control | [Attributes] User Account Control. |
| User_Parameters | [Attributes] User Parameters. |
| SID_History | [Attributes] SID History. |
| Logon_Hours | [Attributes] Logon Hours. |
| DNS_Host_Name | [Attributes] DNS Host Name. |
| Service_Principal_Names | [Attributes] Service Principal Names. |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4741,
    "version": 0,
    "level": 0,
    "task": 13825,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2021-12-12T17:57:52.313673Z",
    "event_record_id": 2982085,
    "correlation": {},
    "execution": {
      "process_id": 624,
      "thread_id": 3652
    },
    "channel": "Security",
    "computer": "01566s-win16-ir.threebeesco.com",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "DC012$",
    "TargetDomainName": "3B",
    "TargetSid": "S-1-5-21-308926384-506822093-3341789130-220105",
    "SubjectUserSid": "S-1-5-21-308926384-506822093-3341789130-101606",
    "SubjectUserName": "labuser",
    "SubjectDomainName": "3B",
    "SubjectLogonId": "0x738ae4",
    "PrivilegeList": "-",
    "SamAccountName": "DC012$",
    "DisplayName": "-",
    "UserPrincipalName": "-",
    "HomeDirectory": "-",
    "HomePath": "-",
    "ScriptPath": "-",
    "ProfilePath": "-",
    "UserWorkstations": "-",
    "PasswordLastSet": "12/12/2021 9:57:52 AM",
    "AccountExpires": "%%1794",
    "PrimaryGroupId": "515",
    "AllowedToDelegateTo": "-",
    "OldUacValue": "0x0",
    "NewUacValue": "0x80",
    "UserAccountControl": "\r\n\t\t%%2087",
    "UserParameters": "-",
    "SidHistory": "-",
    "LogonHours": "%%1793",
    "DnsHostName": "DC012.threebeesco.com",
    "ServicePrincipalNames": "\r\n\t\tHOST/DC012.threebeesco.com\r\n\t\tRestrictedKrbHost/DC012.threebeesco.com\r\n\t\tHOST/DC012\r\n\t\tRestrictedKrbHost/DC012"
  }
}
```
Detection Patterns
Defense Evasion: Rogue Domain Controller
Security-Auditing Event ID 4741: A computer account was created. OR Event ID 4743: A computer account was deleted.
Community Notes
May alert on golden ticket style attacks.
Detection Rules
Splunk
- Windows Computer Account Created by Computer Account: The following analytic identifies a computer account creating a new computer account with a specific Service Principal Name (SPN) "RestrictedKrbHost". This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify such activities. This behavior is significant as it may indicate an attempt to establish unauthorized Kerberos authentication channels, potentially leading to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to impersonate services, access sensitive information, or maintain persistence within the network.
- Windows Computer Account With SPN: The following analytic detects the addition of Service Principal Names (SPNs) HOST and RestrictedKrbHost to a computer account, indicative of KrbRelayUp behavior. This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify changes in SPNs. This activity is significant as it is commonly associated with Kerberos-based attacks, which can be used to escalate privileges or perform lateral movement within a network. If confirmed malicious, this behavior could allow an attacker to impersonate services, potentially leading to unauthorized access to sensitive resources.
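Both Splunk analytics above reduce to a few checks on the 4741 event_data fields shown in the example event: is the subject itself a machine account, which service classes appear in the multi-line ServicePrincipalNames value, and what the new UAC value decodes to. The Python below is an added example written for this page, not the page's or Splunk's own code; the trimmed event dictionaries are constructed from the example event, the "WS01$" subject is hypothetical, and the flag names come from Microsoft's userAccountControl table.

```python
# userAccountControl bits relevant to machine accounts (values from Microsoft's UAC flag table)
UAC_FLAGS = {
    0x80: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
KNOWN_UAC_MASK = sum(UAC_FLAGS)  # bits are disjoint, so the sum equals their OR

# Constructed sample: the page's example event_data, trimmed to the fields used here.
PAGE_EVENT = {
    "SubjectUserName": "labuser",
    "TargetUserName": "DC012$",
    "OldUacValue": "0x0",
    "NewUacValue": "0x80",
    "ServicePrincipalNames": "\r\n\t\tHOST/DC012.threebeesco.com\r\n\t\tRestrictedKrbHost/DC012.threebeesco.com"
                             "\r\n\t\tHOST/DC012\r\n\t\tRestrictedKrbHost/DC012",
}
# Constructed variant: same target, but the subject is a machine account (hypothetical name).
MACHINE_SUBJECT_EVENT = dict(PAGE_EVENT, SubjectUserName="WS01$")


def split_multivalue(raw: str) -> list[str]:
    """Split a multi-valued 4741 field (e.g. ServicePrincipalNames) that the log
    renders as "\\r\\n\\t\\t"-separated entries; "-" means the attribute is empty."""
    if raw.strip() in ("", "-"):
        return []
    return raw.split()  # SPNs contain no spaces, so any whitespace run is a separator


def uac_flag_names(value: str) -> set[str]:
    """Decode a hex UAC value such as "0x80"; bits not in UAC_FLAGS are reported as hex."""
    bits = int(value, 16)
    names = {name for bit, name in UAC_FLAGS.items() if bits & bit}
    if bits & ~KNOWN_UAC_MASK:
        names.add(hex(bits & ~KNOWN_UAC_MASK))
    return names


def assess_4741(event_data: dict) -> dict:
    """Evaluate the conditions the Splunk analytics use against one event_data block."""
    spns = split_multivalue(event_data.get("ServicePrincipalNames", "-"))
    services = {spn.split("/", 1)[0].lower() for spn in spns}  # service class of each SPN
    subject_is_computer = event_data.get("SubjectUserName", "").endswith("$")
    return {
        "subject_is_computer": subject_is_computer,
        "host_and_rkh_spns": {"host", "restrictedkrbhost"} <= services,  # KrbRelayUp-style SPN set
        "created_by_computer_with_rkh": subject_is_computer and "restrictedkrbhost" in services,
        "new_uac_flags": uac_flag_names(event_data.get("NewUacValue", "0x0")),
    }
```

On the page's own example only the SPN condition is met (the subject is a user, and 0x80 is the ordinary workstation trust flag), which is why the first analytic additionally requires a machine-account subject.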
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-computer-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4741
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx