splApache-2.0from splunk/security_content
Detect Computer Changed with Anonymous Account
The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) with a SubjectUserName of a value "ANONYMOUS LOGON". This activity can be significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/detect_computer_changed_with_anonymous_account.yml
`wineventlog_security`
EventCode=4742
SubjectUserName="ANONYMOUS LOGON"
PasswordLastSet="*"
| stats count min(_time) as firstTime max(_time) as lastTime
BY action app dest ProcessID PasswordLastSet
signature signature_id src_user status
SubjectDomainName user user_group vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_computer_changed_with_anonymous_account_filter`