Event ID 4742 — A computer account was changed.
Description
A computer account was changed.
Fields
Each field below is described with the section of the event it belongs to. The third column gives the name under which the same value appears in the EventData of the example event further down; a value of "-" in a Changed Attributes field means that attribute was not changed.

| Name | Description | EventData field |
|---|---|---|
| Account_Name | [Computer Account That Was Changed] Account Name. | TargetUserName |
| Account_Domain | [Computer Account That Was Changed] Account Domain. | TargetDomainName |
| Security_ID | [Computer Account That Was Changed] Security ID. | TargetSid |
| Security_ID | [Subject] Security ID. | SubjectUserSid |
| Account_Name | [Subject] Account Name. | SubjectUserName |
| Account_Domain | [Subject] Account Domain. | SubjectDomainName |
| Logon_ID | [Subject] Logon ID. | SubjectLogonId |
| Privileges | [Additional Information] Privileges (see privilege constants reference). | PrivilegeList |
| SAM_Account_Name | [Changed Attributes] SAM Account Name. | SamAccountName |
| Display_Name | [Changed Attributes] Display Name. | DisplayName |
| User_Principal_Name | [Changed Attributes] User Principal Name. | UserPrincipalName |
| Home_Directory | [Changed Attributes] Home Directory. | HomeDirectory |
| Home_Drive | [Changed Attributes] Home Drive. | HomePath |
| Script_Path | [Changed Attributes] Script Path. | ScriptPath |
| Profile_Path | [Changed Attributes] Profile Path. | ProfilePath |
| User_Workstations | [Changed Attributes] User Workstations. | UserWorkstations |
| Password_Last_Set | [Changed Attributes] Password Last Set. | PasswordLastSet |
| Account_Expires | [Changed Attributes] Account Expires. | AccountExpires |
| Primary_Group_ID | [Changed Attributes] Primary Group ID. | PrimaryGroupId |
| AllowedToDelegateTo | [Changed Attributes] AllowedToDelegateTo. | AllowedToDelegateTo |
| Old_UAC_Value | [Changed Attributes] Old UAC Value (see UAC flags reference). | OldUacValue |
| New_UAC_Value | [Changed Attributes] New UAC Value (see UAC flags reference). | NewUacValue |
| User_Account_Control | [Changed Attributes] User Account Control. | UserAccountControl |
| User_Parameters | [Changed Attributes] User Parameters. | UserParameters |
| SID_History | [Changed Attributes] SID History. | SidHistory |
| Logon_Hours | [Changed Attributes] Logon Hours. | LogonHours |
| DNS_Host_Name | [Changed Attributes] DNS Host Name. | DnsHostName |
| Service_Principal_Names | [Changed Attributes] Service Principal Names. | ServicePrincipalNames |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4742,
"version": 0,
"level": 0,
"task": 13825,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2019-03-25T13:01:41.935605Z",
"event_record_id": 198239294,
"correlation": {},
"execution": {
"process_id": 444,
"thread_id": 3948
},
"channel": "Security",
"computer": "DC1.insecurebank.local",
"security": {
"user_id": ""
}
},
"event_data": {
"ComputerAccountChange": "-",
"TargetUserName": "CLIENT01$",
"TargetDomainName": "insecurebank",
"TargetSid": "S-1-5-21-738609754-2819869699-4189121830-1120",
"SubjectUserSid": "S-1-5-21-738609754-2819869699-4189121830-1108",
"SubjectUserName": "bob",
"SubjectDomainName": "insecurebank",
"SubjectLogonId": "0x3d8e8db",
"PrivilegeList": "-",
"SamAccountName": "-",
"DisplayName": "-",
"UserPrincipalName": "-",
"HomeDirectory": "-",
"HomePath": "-",
"ScriptPath": "-",
"ProfilePath": "-",
"UserWorkstations": "-",
"PasswordLastSet": "-",
"AccountExpires": "-",
"PrimaryGroupId": "-",
"AllowedToDelegateTo": "-",
"OldUacValue": "-",
"NewUacValue": "-",
"UserAccountControl": "-",
"UserParameters": "-",
"SidHistory": "-",
"LogonHours": "-",
"DnsHostName": "-",
"ServicePrincipalNames": "-"
}
}
Detection Patterns
- Domain Sid History Addition
- Defense Evasion: Rogue Domain Controller
  Security-Auditing Event ID 4742: A computer account was changed. OR Event ID 5136: A directory service object was modified. (1 rule)
Detection Rules
Elastic
- Remote Computer Account DnsHostName Update (severity: high): Identifies a remote update to a computer account's DnsHostName attribute. If the new value is a valid domain controller DNS hostname and the computer being changed is not a domain controller, this is very likely a preparation step for exploiting CVE-2022-26923 to elevate from a standard domain user to domain admin privileges.
Splunk
- Detect Computer Changed with Anonymous Account: Detects changes to computer accounts made under an anonymous logon. It looks for Event Code 4742 (computer account changed) with a SubjectUserName of "ANONYMOUS LOGON". Anonymous logons should not normally modify computer accounts, so a hit indicates unauthorized access or a misconfiguration. If confirmed malicious, the attacker can alter computer accounts, which can lead to privilege escalation or persistent access within the network.
- Windows AD Domain Controller Promotion: Identifies a domain controller promotion by detecting when a computer assigns itself the Service Principal Names (SPNs) needed to act as a domain controller, using Event Code 4742 on the existing domain controllers. This helps surface rogue DCs added to the network, which can indicate a DCShadow attack. If confirmed malicious, the attacker can manipulate Active Directory directly, leading to privilege escalation and persistent access within the environment.
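The three rule descriptions above translate into simple predicates over the 4742 EventData fields. The following is an added example, not code from this page, Elastic or Splunk: it runs each detection over constructed sample events shaped like the example event above. The DOMAIN_CONTROLLERS inventory is an assumption, as are the hostnames and DSA GUID in the sample data; the SPN service classes "GC/" (global catalog) and "E3514235-4B06-11D1-AB04-00C04FC2DCD2/" (directory replication) are the standard ones a domain controller registers. The promotion check goes slightly beyond the Splunk description by also flagging DC SPNs that land on a computer outside the known inventory, which is the first thing an analyst would verify.

```python
"""Detection logic for Windows Security Event ID 4742 over constructed sample events."""
import re

# Assumed inventory of legitimate domain controllers (SAM name without the trailing $).
DOMAIN_CONTROLLERS = {"dc1"}

# Service classes only a domain controller should hold: global catalog and
# the directory replication service class GUID used in DCShadow.
DC_SPN_PATTERNS = (
    re.compile(r"^GC/", re.IGNORECASE),
    re.compile(r"^E3514235-4B06-11D1-AB04-00C04FC2DCD2/", re.IGNORECASE),
)

ANONYMOUS_LOGON_SID = "S-1-5-7"


def _is_set(value):
    """In 4742, a Changed Attributes field reads '-' when it did not change."""
    return value is not None and value != "-"


def _account(sam_name):
    """Normalise 'CLIENT01$' to 'client01' for inventory comparisons."""
    return sam_name.rstrip("$").lower()


def detect_anonymous_change(ev):
    """Computer account changed by ANONYMOUS LOGON (Splunk rule)."""
    return (ev["SubjectUserName"].upper() == "ANONYMOUS LOGON"
            or ev.get("SubjectUserSid") == ANONYMOUS_LOGON_SID)


def detect_dnshostname_spoof(ev):
    """DnsHostName set to a DC's name on a non-DC computer (Elastic rule)."""
    if not _is_set(ev.get("DnsHostName")):
        return False
    new_host = ev["DnsHostName"].split(".")[0].lower()
    return new_host in DOMAIN_CONTROLLERS and _account(ev["TargetUserName"]) not in DOMAIN_CONTROLLERS


def detect_dc_promotion(ev):
    """DC service principal names assigned to a computer account (Splunk rule, extended)."""
    if not _is_set(ev.get("ServicePrincipalNames")):
        return False
    spns = [s.strip() for s in ev["ServicePrincipalNames"].splitlines() if s.strip()]
    has_dc_spn = any(p.match(spn) for spn in spns for p in DC_SPN_PATTERNS)
    self_assigned = _account(ev["SubjectUserName"]) == _account(ev["TargetUserName"])
    unknown_dc = _account(ev["TargetUserName"]) not in DOMAIN_CONTROLLERS
    return has_dc_spn and (self_assigned or unknown_dc)


RULES = {
    "anonymous_subject": detect_anonymous_change,
    "dnshostname_spoof": detect_dnshostname_spoof,
    "dc_promotion": detect_dc_promotion,
}


def triage(events):
    """Return (rule, changed account, subject) for every 4742 event a rule fires on."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4742:
            continue
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["TargetUserName"], ev["SubjectUserName"]))
    return hits


def _event(**fields):
    """Constructed 4742 event using the EventData names from the example above."""
    base = {"EventID": 4742, "SubjectUserSid": "S-1-5-21-738609754-2819869699-4189121830-1108",
            "SubjectUserName": "bob", "TargetUserName": "CLIENT01$",
            "DnsHostName": "-", "ServicePrincipalNames": "-"}
    base.update(fields)
    return base


# Constructed sample data, not real telemetry.
SAMPLE_EVENTS = [
    _event(),  # the page's example: bob changes CLIENT01$, no listed attribute changed
    _event(SubjectUserSid=ANONYMOUS_LOGON_SID, SubjectUserName="ANONYMOUS LOGON",
           TargetUserName="CLIENT02$"),
    _event(DnsHostName="DC1.insecurebank.local"),  # CVE-2022-26923 preparation on CLIENT01$
    _event(SubjectUserName="DC2$", TargetUserName="DC2$",
           ServicePrincipalNames="GC/DC2.insecurebank.local/insecurebank.local\n"
                                 "E3514235-4B06-11D1-AB04-00C04FC2DCD2/assumed-dsa-guid/insecurebank.local"),
    _event(TargetUserName="CLIENT03$", DnsHostName="CLIENT03.insecurebank.local"),  # benign rename
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT %-18s target=%-10s subject=%s" % hit)
```

In production the events come from the Security channel of every domain controller, since a 4742 is written on the DC that processed the change; the inventory set and the SPN patterns are the only parts that need tuning per environment.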
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4742
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-computer-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4742
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx