Fake computer account created
| Id | c1faf5e8-6958-11ec-90d6-0242ac120003 |
| Rulename | Fake computer account created |
| Description | This query detects domain user accounts creation (event ID 4720) where the username ends with $. Accounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead. |
| Severity | Medium |
| Tactics | DefenseEvasion |
| Techniques | T1564 |
| Required data connectors | SecurityEvents |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/FakeComputerAccountCreated.yaml |
| Version | 1.0.4 |
| Arm template | c1faf5e8-6958-11ec-90d6-0242ac120003.json |
SecurityEvent
| where EventID == 4720 and TargetUserName endswith "$"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectDomainName, SubjectAccount, SubjectUserSid, SubjectLogonId,
TargetUserName, TargetDomainName, TargetAccount, TargetSid, UserPrincipalName
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
kind: Scheduled
tactics:
- DefenseEvasion
triggerThreshold: 0
metadata:
source:
kind: Community
author:
name: Vasileios Paschalidis
support:
tier: Community
categories:
domains:
- Security - Others
triggerOperator: gt
version: 1.0.4
name: Fake computer account created
queryFrequency: 1h
id: c1faf5e8-6958-11ec-90d6-0242ac120003
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
relevantTechniques:
- T1564
description: |
'This query detects domain user accounts creation (event ID 4720) where the username ends with $.
Accounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.'
entityMappings:
- entityType: Account
fieldMappings:
- columnName: SubjectAccount
identifier: FullName
- columnName: SubjectUserName
identifier: Name
- columnName: SubjectDomainName
identifier: NTDomain
- entityType: Account
fieldMappings:
- columnName: SubjectUserSid
identifier: Sid
- entityType: Account
fieldMappings:
- columnName: TargetAccount
identifier: FullName
- columnName: TargetUserName
identifier: Name
- columnName: TargetDomainName
identifier: NTDomain
- entityType: Account
fieldMappings:
- columnName: TargetSid
identifier: Sid
- entityType: Host
fieldMappings:
- columnName: Computer
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: HostNameDomain
identifier: DnsDomain
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/FakeComputerAccountCreated.yaml
queryPeriod: 1h
severity: Medium
query: |
SecurityEvent
| where EventID == 4720 and TargetUserName endswith "$"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectDomainName, SubjectAccount, SubjectUserSid, SubjectLogonId,
TargetUserName, TargetDomainName, TargetAccount, TargetSid, UserPrincipalName
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex