LoFP / none thus far found

Techniques

Sample rules

Detect Computer Changed with Anonymous Account

Description

The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) and 4624 (Successful Logon) with the TargetUserName set to “ANONYMOUS LOGON” and LogonType 3. This activity is significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network.

Detection logic

`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName="ANONYMOUS LOGON" LogonType=3 
| stats count min(_time) as firstTime max(_time) as lastTime by action app authentication_method dest dvc process process_id process_name process_path signature signature_id src src_port status subject user user_group vendor_product 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `detect_computer_changed_with_anonymous_account_filter`
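As an added illustration (not part of the LoFP page or of Splunk's content), the filter and stats stages of the search above re-expressed in Python and run over constructed sample events. It assumes `signature_id`, `dest` and `src` are the normalised equivalents of EventCode, the host and the source address, groups by a subset of the rule's by-fields, and leaves out the trailing allow-list filter macro.

```python
"""Python mirror of the detection's filter and `stats` stages.
All events below are constructed samples, not real log data."""
from collections import defaultdict

# Constructed sample events with the fields the search reads. _time is an
# ISO-8601 string so min()/max() order correctly without parsing.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00", "EventCode": 4624, "signature_id": 4624,
     "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3, "dest": "DC01", "src": "10.0.0.5"},
    {"_time": "2024-05-01T10:00:02", "EventCode": 4742, "signature_id": 4742,
     "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3, "dest": "DC01", "src": "10.0.0.5"},
    {"_time": "2024-05-01T10:00:30", "EventCode": 4624, "signature_id": 4624,
     "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3, "dest": "DC01", "src": "10.0.0.5"},
    # Named account: not matched.
    {"_time": "2024-05-01T10:05:00", "EventCode": 4624, "signature_id": 4624,
     "TargetUserName": "svc_backup", "LogonType": 3, "dest": "DC01", "src": "10.0.0.7"},
    # Interactive logon (type 2): not matched.
    {"_time": "2024-05-01T10:06:00", "EventCode": 4624, "signature_id": 4624,
     "TargetUserName": "ANONYMOUS LOGON", "LogonType": 2, "dest": "WS01", "src": "10.0.0.9"},
    # Event code outside the rule: not matched.
    {"_time": "2024-05-01T10:07:00", "EventCode": 4688, "signature_id": 4688,
     "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3, "dest": "DC01", "src": "10.0.0.5"},
]

# Subset of the rule's `by` fields; signature_id keeps 4624 and 4742 in separate rows.
GROUP_BY = ("dest", "src", "signature_id")


def matches(event):
    """Filter stage. In SPL, OR binds tighter than the implicit AND, so the
    search reads as (4624 OR 4742) AND anonymous AND network logon."""
    return (event.get("EventCode") in (4624, 4742)
            and event.get("TargetUserName") == "ANONYMOUS LOGON"
            and event.get("LogonType") == 3)


def run_detection(events, group_by=GROUP_BY):
    """Stats stage: count, min(_time) as firstTime, max(_time) as lastTime by group."""
    groups = defaultdict(list)
    for event in events:
        if matches(event):
            groups[tuple(event.get(f) for f in group_by)].append(event["_time"])
    rows = []
    for key, times in groups.items():
        row = dict(zip(group_by, key))
        row.update(count=len(times), firstTime=min(times), lastTime=max(times))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```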