Fake computer account created
| Id | c1faf5e8-6958-11ec-90d6-0242ac120003 |
| Rulename | Fake computer account created |
| Description | This query detects the creation of domain user accounts (event ID 4720) whose username ends with $. Accounts ending in $ are normally domain computer accounts, and their creation generates event ID 4741 instead. Ref: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html |
| Severity | Medium |
| Tactics | DefenseEvasion |
| Techniques | T1564 |
| Required data connectors | SecurityEvents |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/FakeComputerAccountCreated.yaml |
| Version | 1.0.3 |
| Arm template | c1faf5e8-6958-11ec-90d6-0242ac120003.json |
// Detection: a user-account creation event (4720) whose new account name ends in "$".
// Genuine computer accounts carry the trailing "$" but are logged as 4741, so a 4720
// with a "$"-suffixed name is a user object styled to look like a machine account.
// NOTE(review): a legitimately created user whose name ends in "$" (some service-account
// naming schemes) would also match — confirm against local conventions before tuning severity.
SecurityEvent
// endswith is case-insensitive in KQL; "$" has no case, so the match is effectively exact.
| where EventID == 4720 and TargetUserName endswith "$"
// One row per creator/target/host combination; StartTime and EndTime bound repeated creations
// of the same account within the query period.
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectDomainName, SubjectAccount, SubjectUserSid, SubjectLogonId,
TargetUserName, TargetDomainName, TargetAccount, TargetSid, UserPrincipalName
// Split the FQDN for the Host entity: HostName = part before the first dot,
// DomainIndex = position of that dot (-1 when Computer has no dot).
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
// Everything after the first dot is the DNS domain; with no dot, fall back to the raw Computer value.
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
// Drop the helper column so only the mapped/output columns remain.
| project-away DomainIndex
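# Microsoft Sentinel scheduled analytics rule (indentation restored; the flattened form parsed
# `- SecurityEvent` as a sibling of the connector entry and left the `|` blocks without a body).
# Kind: Scheduled -> the query runs every queryFrequency over the trailing queryPeriod and raises
# an alert when the result row count is greater than triggerThreshold (triggerOperator: gt).
requiredDataConnectors:
  - dataTypes:
      - SecurityEvent
    connectorId: SecurityEvents
# Literal block scalar: the surrounding single quotes are part of the stored description text.
description: |
  'This query detects domain user accounts creation (event ID 4720) where the username ends with $.
  Accounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.
  Ref: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html'
relevantTechniques:
  - T1564
tactics:
  - DefenseEvasion
# Threshold 0 with "gt": any matching row fires the rule.
triggerThreshold: 0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/FakeComputerAccountCreated.yaml
# Quoted so tooling never reinterprets the version as a number.
version: '1.0.3'
queryPeriod: 1h
id: c1faf5e8-6958-11ec-90d6-0242ac120003
metadata:
  support:
    tier: Community
  author:
    name: Vasileios Paschalidis
  source:
    kind: Community
  categories:
    domains:
      - 'Security - Others'
severity: Medium
kind: Scheduled
# Every columnName must be emitted by the query; HostName and HostNameDomain are derived
# by its extend stages, the rest are summarize group-by columns.
entityMappings:
  - entityType: Account
    fieldMappings:
      - columnName: SubjectAccount
        identifier: FullName
      - columnName: SubjectUserName
        identifier: Name
      - columnName: SubjectDomainName
        identifier: NTDomain
  - entityType: Account
    fieldMappings:
      - columnName: SubjectUserSid
        identifier: Sid
  - entityType: Account
    fieldMappings:
      - columnName: TargetAccount
        identifier: FullName
      - columnName: TargetUserName
        identifier: Name
      - columnName: TargetDomainName
        identifier: NTDomain
  - entityType: Account
    fieldMappings:
      - columnName: TargetSid
        identifier: Sid
  - entityType: Host
    fieldMappings:
      - columnName: Computer
        identifier: FullName
      - columnName: HostName
        identifier: HostName
      - columnName: HostNameDomain
        identifier: DnsDomain
name: Fake computer account created
queryFrequency: 1h
# 4720 (user created) with a "$"-suffixed name: real computer accounts are logged as 4741.
query: |
  SecurityEvent
  | where EventID == 4720 and TargetUserName endswith "$"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectDomainName, SubjectAccount, SubjectUserSid, SubjectLogonId,
  TargetUserName, TargetDomainName, TargetAccount, TargetSid, UserPrincipalName
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | project-away DomainIndex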