Fake computer account created
| Id | c1faf5e8-6958-11ec-90d6-0242ac120003 |
| Rulename | Fake computer account created |
| Description | This query detects domain user account creation (event ID 4720) where the username ends with $. Accounts that end with $ are normally domain computer accounts, and when they are created event ID 4741 is generated instead. Ref: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html |
| Severity | Medium |
| Tactics | DefenseEvasion |
| Techniques | T1564 |
| Required data connectors | SecurityEvents |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/FakeComputerAccountCreated.yaml |
| Version | 1.0.3 |
| Arm template | c1faf5e8-6958-11ec-90d6-0242ac120003.json |

```kql
SecurityEvent
| where EventID == 4720 and TargetUserName endswith "$"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectDomainName, SubjectAccount, SubjectUserSid, SubjectLogonId,
    TargetUserName, TargetDomainName, TargetAccount, TargetSid, UserPrincipalName
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
```

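
The rule's logic can be exercised against constructed events before it is deployed. This is an added example, not part of the Azure-Sentinel rule: `SampleSecurityEvent` is a hypothetical stand-in for the `SecurityEvent` table, every host, account and SID in it is constructed, and the final `project` is added for readability.

```kql
// Added example: constructed events only, not real telemetry.
// SampleSecurityEvent is a hypothetical stand-in for the SecurityEvent table.
let SampleSecurityEvent = datatable(
    TimeGenerated:datetime, EventID:int, Computer:string,
    SubjectUserName:string, SubjectDomainName:string, SubjectAccount:string,
    SubjectUserSid:string, SubjectLogonId:string,
    TargetUserName:string, TargetDomainName:string, TargetAccount:string,
    TargetSid:string, UserPrincipalName:string)
[
    // Row 1: 4720 (user account created) whose name ends with $.
    datetime(2024-01-01T10:00:00Z), 4720, "dc01.example.test",
    "jdoe", "EXAMPLE", "EXAMPLE\\jdoe", "S-1-5-21-1-2-3-1104", "0x3e7a1",
    "WKS-0042$", "EXAMPLE", "EXAMPLE\\WKS-0042$", "S-1-5-21-1-2-3-2201", "-",
    // Row 2: 4741 (computer account created), the normal event for a $ name.
    datetime(2024-01-01T10:05:00Z), 4741, "dc01.example.test",
    "jdoe", "EXAMPLE", "EXAMPLE\\jdoe", "S-1-5-21-1-2-3-1104", "0x3e7a1",
    "WKS-0043$", "EXAMPLE", "EXAMPLE\\WKS-0043$", "S-1-5-21-1-2-3-2202", "-",
    // Row 3: 4720 for an ordinary user name (no trailing $).
    datetime(2024-01-01T10:10:00Z), 4720, "dc01.example.test",
    "helpdesk", "EXAMPLE", "EXAMPLE\\helpdesk", "S-1-5-21-1-2-3-1105", "0x4b210",
    "asmith", "EXAMPLE", "EXAMPLE\\asmith", "S-1-5-21-1-2-3-2203", "asmith@example.test",
    // Row 4: 4720 with a trailing $, logged by a host reported without a DNS suffix.
    datetime(2024-01-01T10:20:00Z), 4720, "DC02",
    "jdoe", "EXAMPLE", "EXAMPLE\\jdoe", "S-1-5-21-1-2-3-1104", "0x3e7a1",
    "SRV-TMP$", "EXAMPLE", "EXAMPLE\\SRV-TMP$", "S-1-5-21-1-2-3-2204", "-"
];
// The rule's query, pointed at the sample table instead of SecurityEvent.
SampleSecurityEvent
| where EventID == 4720 and TargetUserName endswith "$"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectDomainName, SubjectAccount, SubjectUserSid, SubjectLogonId,
    TargetUserName, TargetDomainName, TargetAccount, TargetSid, UserPrincipalName
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
// Added for readability: the columns an analyst triages first.
| project StartTime, Computer, HostName, HostNameDomain, SubjectAccount, TargetAccount
```

Rows 1 and 4 satisfy the `where` clause, while the 4741 event and the ordinary user creation do not. For row 4 the `Computer` value contains no dot, so the `iff()` falls back and `HostNameDomain` carries the bare host name rather than a DNS domain.
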
```yaml
tactics:
- DefenseEvasion
description: |
  'This query detects domain user accounts creation (event ID 4720) where the username ends with $.
  Accounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.
  Ref: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html'
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: SubjectAccount
  - identifier: Name
    columnName: SubjectUserName
  - identifier: NTDomain
    columnName: SubjectDomainName
- entityType: Account
  fieldMappings:
  - identifier: Sid
    columnName: SubjectUserSid
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: TargetAccount
  - identifier: Name
    columnName: TargetUserName
  - identifier: NTDomain
    columnName: TargetDomainName
- entityType: Account
  fieldMappings:
  - identifier: Sid
    columnName: TargetSid
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: HostNameDomain
triggerThreshold: 0
query: |
  SecurityEvent
  | where EventID == 4720 and TargetUserName endswith "$"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectDomainName, SubjectAccount, SubjectUserSid, SubjectLogonId,
      TargetUserName, TargetDomainName, TargetAccount, TargetSid, UserPrincipalName
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | project-away DomainIndex
version: 1.0.3
metadata:
  source:
    kind: Community
  support:
    tier: Community
  author:
    name: Vasileios Paschalidis
  categories:
    domains:
    - Security - Others
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/FakeComputerAccountCreated.yaml
queryFrequency: 1h
queryPeriod: 1h
severity: Medium
name: Fake computer account created
triggerOperator: gt
id: c1faf5e8-6958-11ec-90d6-0242ac120003
kind: Scheduled
relevantTechniques:
- T1564
```