Detect Computer Changed with Anonymous Account
- source: splunk
- techniques:
- T1210
Description
The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) and 4624 (Successful Logon) with the TargetUserName set to “ANONYMOUS LOGON” and LogonType 3. This activity is significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network.
Detection logic
`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName="ANONYMOUS LOGON" LogonType=3
| stats count values(host) as host, values(TargetDomainName) as Domain, values(user) as user
| `detect_computer_changed_with_anonymous_account_filter`
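The search above, re-implemented in Python as an added example (not Splunk ESCU code) so the match condition and the `stats` aggregation can be checked against a handful of constructed Security events; the field names follow the SPL, and the `allowlist` argument stands in for the `_filter` macro, which ESCU leaves for the deploying team to populate.

```python
# Added example: mirrors the SPL filter and "stats count values(...)" step
# over constructed wineventlog_security-style records (hosts, domains and
# account names are hypothetical).
SAMPLE_EVENTS = [
    {"EventCode": 4624, "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3,
     "host": "dc01", "TargetDomainName": "NT AUTHORITY", "user": "ANONYMOUS LOGON"},
    {"EventCode": 4742, "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3,
     "host": "dc01", "TargetDomainName": "CORP", "user": "WS01$"},
    # LogonType 2 (interactive): excluded by the search
    {"EventCode": 4624, "TargetUserName": "ANONYMOUS LOGON", "LogonType": 2,
     "host": "ws01", "TargetDomainName": "NT AUTHORITY", "user": "ANONYMOUS LOGON"},
    # Ordinary admin changing a computer account: not anonymous, excluded
    {"EventCode": 4742, "TargetUserName": "alice", "LogonType": 3,
     "host": "dc02", "TargetDomainName": "CORP", "user": "alice"},
    # Unrelated event code, excluded
    {"EventCode": 4672, "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3,
     "host": "dc01", "TargetDomainName": "NT AUTHORITY", "user": "ANONYMOUS LOGON"},
]


def matches(event):
    """Search-time filter of the rule.

    Splunk evaluates OR before AND, so the SPL reads as
    (EventCode=4624 OR EventCode=4742) AND TargetUserName="ANONYMOUS LOGON"
    AND LogonType=3.  Field-value matching in search is case-insensitive,
    hence the upper() on the account name.
    """
    return (
        event.get("EventCode") in (4624, 4742)
        and str(event.get("TargetUserName", "")).upper() == "ANONYMOUS LOGON"
        and event.get("LogonType") == 3
    )


def detect(events, allowlist=()):
    """Equivalent of "| stats count values(host) values(TargetDomainName)
    values(user)" followed by the _filter macro.  values() in Splunk returns
    the distinct values in lexicographic order, so sorted sets are used.
    `allowlist` is a hypothetical tuple of hosts to suppress, standing in
    for the tuning the _filter macro normally carries."""
    hits = [e for e in events if matches(e) and e.get("host") not in allowlist]
    return {
        "count": len(hits),
        "host": sorted({e["host"] for e in hits}),
        "Domain": sorted({e["TargetDomainName"] for e in hits}),
        "user": sorted({e["user"] for e in hits}),
    }
```

Running `detect(SAMPLE_EVENTS)` on the constructed input yields two hits, both from `dc01`, which is the single row the Splunk search would produce.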