Event ID 4781 — The name of an account was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

The name of an account was changed.

Message

The name of an account was changed:

Subject:
	Security ID: %5
	Account Name: %6
	Account Domain: %7
	Logon ID: %8

Target Account:
	Security ID: %4
	Account Domain: %3
	Old Account Name: %1
	New Account Name: %2

Additional Information:
	Privileges: %9

Fields

Name               Type           Description
OldTargetUserName  UnicodeString  [Target Account] Old Account Name.
NewTargetUserName  UnicodeString  [Target Account] New Account Name.
TargetDomainName   UnicodeString  [Target Account] Account Domain.
TargetSid          SID            [Target Account] Security ID.
SubjectUserSid     SID            [Subject] Security ID.
SubjectUserName    UnicodeString  [Subject] Account Name.
SubjectDomainName  UnicodeString  [Subject] Account Domain.
SubjectLogonId     HexInt64       [Subject] Logon ID.
PrivilegeList      UnicodeString  [Additional Information] Privileges (see the privilege constants reference).

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4781,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T06:25:37.340432+00:00",
    "event_record_id": 2857,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 856
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "OldTargetUserName": "None",
    "NewTargetUserName": "None",
    "TargetDomainName": "WINDEV2310EVAL",
    "TargetSid": "S-1-5-21-1992711665-1655669231-58201500-513",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "PrivilegeList": "-"
  },
  "message": ""
}

Detection Patterns

Community Notes

Attackers may rename an existing, highly privileged account to blend in.

Detection Rules

Elastic

  • Potential Privileged Escalation via SamAccountName Spoofing (severity: high): Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.

Splunk

  • Suspicious Computer Account Name Change: The following analytic detects a suspicious computer account name change in Active Directory. It leverages Event ID 4781, which logs account name changes, to identify instances where a computer account name is changed to one that does not end with a `$`. This behavior is significant as it may indicate an attempt to exploit CVE-2021-42278 and CVE-2021-42287, which can lead to domain controller impersonation and privilege escalation. If confirmed malicious, this activity could allow an attacker to gain elevated privileges and potentially control the domain.
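The two detection ideas on this page (a computer account losing its trailing `$`, and a privileged account being renamed to blend in) as a small detector over 4781 records in the JSON shape of the Example Event above. This is an added example, not code from the page or from Elastic or Splunk; the sample records are constructed, and the RID-500 (built-in Administrator) check is an assumed heuristic.

```python
import json

# Constructed sample records in the JSON shape of the "Example Event" above, trimmed
# to the fields the checks use. They are not real telemetry.
SAMPLE_EVENTS = [
    json.dumps({"system": {"event_id": 4781, "computer": "DC01"},
                "event_data": {"OldTargetUserName": "WS01$", "NewTargetUserName": "WS02$",
                               "TargetSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "helpdesk1"}}),
    json.dumps({"system": {"event_id": 4781, "computer": "DC01"},
                "event_data": {"OldTargetUserName": "FAKE01$", "NewTargetUserName": "DC01",
                               "TargetSid": "S-1-5-21-1-2-3-1200", "SubjectUserName": "lowpriv"}}),
    json.dumps({"system": {"event_id": 4781, "computer": "DC01"},
                "event_data": {"OldTargetUserName": "Administrator", "NewTargetUserName": "svc_backup",
                               "TargetSid": "S-1-5-21-1-2-3-500", "SubjectUserName": "lowpriv"}}),
]


def classify_rename(event):
    """Label one parsed 4781 record, or return None if it is uninteresting.
    Check 1: a computer account (old name ends in "$") renamed to a name without
    the "$", the pattern the Splunk rule above keys on. Check 2 (an assumed
    heuristic added here, not from either vendor rule): the built-in Administrator
    account (RID 500) was renamed, one concrete case of the "blend in" note above.
    """
    if event.get("system", {}).get("event_id") != 4781:
        return None
    data = event.get("event_data", {})
    old, new = data.get("OldTargetUserName", ""), data.get("NewTargetUserName", "")
    if old.endswith("$") and not new.endswith("$"):
        return "computer_account_lost_dollar"
    if data.get("TargetSid", "").endswith("-500"):
        return "builtin_administrator_renamed"
    return None


def find_suspicious_renames(raw_events):
    """Parse JSON records and return (label, old_name, new_name, subject) for each hit."""
    hits = []
    for raw in raw_events:
        event = json.loads(raw)
        label = classify_rename(event)
        if label is not None:
            d = event["event_data"]
            hits.append((label, d["OldTargetUserName"], d["NewTargetUserName"], d["SubjectUserName"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_renames(SAMPLE_EVENTS):
        print(hit)
```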

References