Detect Computer Changed with Anonymous Account

Author: Rod Soto, Jose Hernandez, Splunk
Source: upstream

The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) with a SubjectUserName of a value "ANONYMOUS LOGON". This activity can be significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network.

MITRE ATT&CK coverage

Tactic	Techniques
Lateral Movement	`T1210` Exploitation of Remote Services

Event coverage

Provider	Event ID	Title
Security-Auditing	4742	A computer account was changed.

Stages and Predicates

Stage 1: `search`

search EventCode=4742 PasswordLastSet="*" SubjectUserName="ANONYMOUS LOGON"

Stage 2: `stats`

stats BY action, app, dest, ProcessID, PasswordLastSet, signature, signature_id, src_user, status, SubjectDomainName, user, user_group, vendor_product

Stage 3: `search`

search

Stage 4: `search`

search

Stage 5: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`4742` corpus 4 (splunk 4)
`PasswordLastSet`	eq	`"*"`
`SubjectUserName`	eq	`"ANONYMOUS LOGON"` corpus 2 (splunk 2)

Detect Computer Changed with Anonymous Account

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: search

Stage 2: stats

Stage 3: search