Techniques
Sample rules
Detect Computer Changed with Anonymous Account
- source: splunk
- techniques:
  - T1210
Description
This analytic detects changes to computer accounts made under an anonymous logon. It uses Windows Security Event Code 4742 (Computer Change) where SubjectUserName is “ANONYMOUS LOGON”. The activity is significant because anonymous logons should not normally modify computer accounts, so a match indicates potential unauthorized access or misconfiguration. If confirmed malicious, it could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network.
Detection logic
`wineventlog_security`
EventCode=4742
SubjectUserName="ANONYMOUS LOGON"
PasswordLastSet="*"
| stats count min(_time) as firstTime max(_time) as lastTime
BY action app dest ProcessID PasswordLastSet
signature signature_id src_user status
SubjectDomainName user user_group vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_computer_changed_with_anonymous_account_filter`
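To test the same three search terms offline against exported Windows Event XML, the following added example (not part of the original rule or of Splunk's content) applies them and keeps a count with first and last time per match. The host name, account names and events are constructed, and grouping by computer and target account is a simplification of the rule's longer BY list.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _evt(event_id, when, subject, target, pwd_last_set):
    """Build a constructed Security-log event in Windows Event XML form."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{when}"/><Computer>dc01.example.test</Computer>'
        f'</System><EventData><Data Name="TargetUserName">{target}</Data>'
        f'<Data Name="SubjectUserName">{subject}</Data>'
        f'<Data Name="PasswordLastSet">{pwd_last_set}</Data></EventData></Event>'
    )

# Constructed sample data, not real telemetry.
SAMPLE_EVENTS = [
    _evt(4742, "2024-05-01T10:00:00Z", "ANONYMOUS LOGON", "DC01$", "5/1/2024 10:00:00 AM"),
    _evt(4742, "2024-05-01T10:05:00Z", "ANONYMOUS LOGON", "DC01$", "5/1/2024 10:05:00 AM"),
    _evt(4742, "2024-05-01T11:00:00Z", "admin.jane", "WS07$", "5/1/2024 11:00:00 AM"),
    _evt(4741, "2024-05-01T11:30:00Z", "ANONYMOUS LOGON", "WS08$", "5/1/2024 11:30:00 AM"),
    _evt(4742, "2024-05-01T12:00:00Z", "ANONYMOUS LOGON", "WS09$", ""),
]

def find_anonymous_computer_changes(xml_events):
    """Apply the rule's three search terms, then count/first/last per target."""
    hits = {}
    for raw in xml_events:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4742":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in root.iterfind("e:EventData/e:Data", NS)}
        # Splunk search terms match field values case-insensitively.
        if data.get("SubjectUserName", "").upper() != "ANONYMOUS LOGON":
            continue
        # PasswordLastSet="*" only requires the field to carry a value.
        if not data.get("PasswordLastSet"):
            continue
        when = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
        key = (root.findtext("e:System/e:Computer", namespaces=NS),
               data.get("TargetUserName", ""))
        h = hits.setdefault(key, {"count": 0, "firstTime": when, "lastTime": when})
        h["count"] += 1
        # Same-format UTC ISO 8601 strings sort chronologically.
        h["firstTime"] = min(h["firstTime"], when)
        h["lastTime"] = max(h["lastTime"], when)
    return hits

if __name__ == "__main__":
    for (host, target), h in find_anonymous_computer_changes(SAMPLE_EVENTS).items():
        print(host, target, h)
```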