Windows Computer Account Created by Computer Account
The following analytic identifies a computer account creating a new computer account whose Service Principal Name (SPN) list contains "RestrictedKrbHost". The detection leverages Windows Security Event Logs, specifically EventCode 4741 (A computer account was created), to identify such activity. This behavior is significant because it may indicate an attempt to establish unauthorized Kerberos authentication channels, potentially leading to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to impersonate services, access sensitive information, or maintain persistence within the network.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1558 Steal or Forge Kerberos Tickets |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4741 | A computer account was created. |
Stages and Predicates
Stage 1: search
search EventCode=4741 ServicePrincipalNames="*RestrictedKrbHost*" SubjectDomainName!="NT AUTHORITY" user_type="computer"
Stage 2: stats
stats BY dest, subject, action, src_user, user, user_type, SubjectUserName, SubjectDomainName
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
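To make the Stage 1 predicates and the Stage 2 grouping concrete, here is an added Python replay of the rule over constructed EventCode 4741 records; it is not part of the original rule. The `$`-suffix derivation of `user_type` and the count/firstTime/lastTime aggregations are assumptions, since the page lists only the search predicates and the BY fields.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry); SPN lists are newline-separated.
SAMPLE_EVENTS = [
    # Computer account WS042$ creates two new computer accounts with RestrictedKrbHost SPNs.
    {"_time": 1700000000, "EventCode": 4741, "dest": "DC01.corp.example",
     "SubjectUserName": "WS042$", "SubjectDomainName": "CORP", "user": "FAKE07$",
     "ServicePrincipalNames": "HOST/FAKE07\nRestrictedKrbHost/FAKE07"},
    {"_time": 1700000060, "EventCode": 4741, "dest": "DC01.corp.example",
     "SubjectUserName": "WS042$", "SubjectDomainName": "CORP", "user": "FAKE08$",
     "ServicePrincipalNames": "HOST/FAKE08\nRestrictedKrbHost/FAKE08"},
    # Domain join by a human admin: subject is a user account, so user_type != computer.
    {"_time": 1700000120, "EventCode": 4741, "dest": "DC01.corp.example",
     "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "user": "LAPTOP15$",
     "ServicePrincipalNames": "HOST/LAPTOP15\nRestrictedKrbHost/LAPTOP15"},
    # Created under the local SYSTEM identity: excluded by SubjectDomainName != "NT AUTHORITY".
    {"_time": 1700000180, "EventCode": 4741, "dest": "DC01.corp.example",
     "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY", "user": "RODC02$",
     "ServicePrincipalNames": "HOST/RODC02\nRestrictedKrbHost/RODC02"},
]

def user_type(account):
    # Assumption: Splunk's user_type is approximated by the '$' suffix that
    # Active Directory gives computer account sAMAccountNames.
    return "computer" if account.endswith("$") else "user"

def stage1_search(events):
    """Stage 1: EventCode=4741 ServicePrincipalNames="*RestrictedKrbHost*"
    SubjectDomainName!="NT AUTHORITY" user_type="computer"."""
    for ev in events:
        if (ev["EventCode"] == 4741
                and "RestrictedKrbHost" in ev.get("ServicePrincipalNames", "")
                and ev["SubjectDomainName"] != "NT AUTHORITY"
                and user_type(ev["SubjectUserName"]) == "computer"):
            yield ev

def stage2_stats(events):
    """Stage 2 as stats count, min/max _time by subject, target and domain
    (the page lists the BY fields; the aggregations are assumed)."""
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        r = rows[(ev["dest"], ev["SubjectUserName"], ev["user"], ev["SubjectDomainName"])]
        r["count"] += 1
        r["firstTime"] = min(filter(None, (r["firstTime"], ev["_time"])))
        r["lastTime"] = max(r["lastTime"] or 0, ev["_time"])
    return dict(rows)

def run_rule(events=SAMPLE_EVENTS):
    return stage2_stats(stage1_search(events))
```

Each returned row is one creation by a computer account; a single subject appearing in several rows within a short window is the pattern the analytic is meant to surface.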
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 4741 |
| ServicePrincipalNames | eq | *RestrictedKrbHost* |
| SubjectDomainName | ne | NT AUTHORITY |
| user_type | eq | computer |