Detect Computer Changed With Anonymous Account

Description

This search looks for Event Code 4742 (Computer Change) or EventCode 4624 (An account was successfully logged on) with an anonymous account.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Adversary Tactics

Alert Volume

This search looks for Event Code 4742 (Computer Change) or EventCode 4624 (An account was successfully logged on) with an anonymous account.

SPL Difficulty

None

Journey

Stage 1

MITRE ATT&CK Tactics

Lateral Movement

MITRE ATT&CK Techniques

Exploitation of Remote Services

Exploitation of Remote Services

MITRE Threat Groups

APT28
Threat Group-3390
Wizard Spider

Data Sources

Windows Security

   Help

Detect Computer Changed With Anonymous Account Help

This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.

   Search

Open in Search