Friday, October 4, 2019

Event ID 4741 - A Computer Account was Created

Log Sample

{
 "EventTime": "2017/11/17 04:04:12",
 "Hostname": "MPWXDC.changme.local",
 "Keywords": -9214364837600034816,
 "EventType": "AUDIT_SUCCESS",
 "SeverityValue": 2,
 "Severity": "INFO",
 "EventID": 4741,
 "SourceName": "Microsoft-Windows-Security-Auditing",
 "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "Version": 0,
 "Task": 13825,
 "OpcodeValue": 0,
 "RecordNumber": 490138986,
 "ProcessID": 824,
 "ThreadID": 20704,
 "Channel": "Security",
 "Message": "A computer account was created.",
 "Category": "Computer Account Management",
 "Opcode": "Info",
 "TargetUserName": "ZIGGY$",
 "TargetDomainName": "MP",
 "TargetSid": "S-1-5-21-343361891-1219768270-4058147650-9302",
 "SubjectUserSid": "S-1-5-21-343361891-1219768270-4058147650-1179",
 "SubjectUserName": "admin",
 "SubjectDomainName": "MP",
 "SubjectLogonId": "0x227bf6ce6",
 "PrivilegeList": "-",
 "SamAccountName": "ZIGGY$",
 "DisplayName": "-",
 "UserPrincipalName": "-",
 "HomeDirectory": "-",
 "HomePath": "-",
 "ScriptPath": "-",
 "ProfilePath": "-",
 "UserWorkstations": "-",
 "PasswordLastSet": "2017/11/17 04:04:12",
 "AccountExpires": "%%1794",
 "PrimaryGroupId": "515",
 "AllowedToDelegateTo": "-",
 "OldUacValue": "0x0",
 "NewUacValue": "0x80",
 "UserAccountControl": "\r\n\t\t%%2087",
 "UserParameters": "-",
 "SidHistory": "-",
 "LogonHours": "%%1793",
 "DnsHostName": "ZIGGY.changme.local",
 "ServicePrincipalNames": "\r\n\t\tHOST/ZIGGY.changme.local\r\n\t\tRestrictedKrbHost/ZIGGY.changme.local\r\n\t\tHOST/ZIGGY\r\n\t\tRestrictedKrbHost/ZIGGY",
 "EventReceivedTime": "2017/11/17 04:04:12",
 "SourceModuleName": "wineventlog_in",
 "SourceModuleType": "im_msvistalog"
}

General Description
  • This event generates every time a new computer object is created.
  • This event generates only on domain controllers.
  • If your information security monitoring policy requires you to monitor computer account creation, monitor this event.
Detail Description

Subject:

  • Security ID: SID of the account that requested the “create Computer object” operation.
  • Account Name: the name of the account that requested the “create Computer object” operation.
  • Account Domain: the subject’s domain name. Formats vary, and include the following:
    Domain NETBIOS name example: CONTOSO
    Lowercase full domain name: contoso.local
    Uppercase full domain name: CONTOSO.LOCAL

For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
  • Logon ID: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

New Computer Account (Target):

  • Security ID: SID of the created computer account.
  • Account Name: the name of the computer account that was created. For example: WIN81$
  • Account Domain: domain name of the created computer account. Formats vary, and include the following:
    Domain NETBIOS name example: CONTOSO
    Lowercase full domain name: contoso.local
    Uppercase full domain name: CONTOSO.LOCAL

Computer Account Attributes:

  • SAM Account Name: logon name for the account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name); the value of the sAMAccountName attribute of the new computer object. For example: WIN81$.
  • Display Name: the value of the displayName attribute of the new computer object. It is the name displayed in the address book for a particular account (typically a user account) and is usually the combination of the user's first name, middle initial, and last name.
  • User Principal Name: internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name.
  • Home Directory: the user's home directory. This parameter might not be captured in the event, and in that case appears as “-”.
  • Home Drive: specifies the drive letter to which to map the UNC path specified by the account’s homeDirectory attribute. The drive letter must be specified in the form “DRIVE_LETTER:”, for example “H:”.
  • Script Path: specifies the path of the account's logon script.
  • Profile Path: specifies the path to the account's profile.
  • User Workstations: contains the list of NetBIOS or DNS names of the computers from which the user can log on. Computer names are separated by commas.
  • Password Last Set: the last time the account’s password was modified.
  • Account Expires: the date when the account expires.
  • Primary Group ID: Relative Identifier (RID) of the computer object’s primary group.
Note: a Relative Identifier (RID) is a variable-length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID), which uniquely identifies an account or group within a domain.

Typically, the Primary Group field for new computer accounts has one of the following values:

  • 516 (Domain Controllers) – for domain controllers.
  • 521 (Read-only Domain Controllers) – for read-only domain controllers (RODC).
  • 515 (Domain Computers) – for member servers and workstations.
  • AllowedToDelegateTo: the list of SPNs to which this account can present delegated credentials. Can be changed using the Active Directory Users and Computers management console, in the Delegation tab of the computer account.
Note: a Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
  • Old UAC Value: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the userAccountControl attribute of the computer object; for new computer accounts the Old UAC Value is always “0x0”.
  • New UAC Value: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the userAccountControl attribute of the new computer object.
  • User Parameters: if you change any setting using the Active Directory Users and Computers management console in the Dial-in tab of the computer account’s properties, you will see <value changed, but not displayed> in this field in “4742(S): A computer account was changed.” This parameter might not be captured in the event, and in that case appears as “-”.
  • SID History: contains previous SIDs used for the object if the object was moved from another domain.
  • Logon Hours: hours during which the account is allowed to log on to the domain.
  • DNS Host Name: name of the computer account as registered in DNS.
  • Service Principal Names: the list of SPNs registered for the computer account.

Additional Information:

  • Privileges: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
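As an added example (not code from the original post), a small Python normaliser for 4741 records in the JSON shape shown above: it splits the CRLF/tab-joined Service Principal Names field, maps the Primary Group ID to the names listed above, decodes the New UAC Value, and records the fields a reviewer would want to compare (creator, SPN hosts and DNS host name against the account name, SID history). The sample record is constructed from the log sample above, and the UAC bit table is an assumption based on the SAM USER_* flag layout, not something the post states.

```python
import json

# Constructed sample: the fields of the 4741 record shown above that the checks use.
SAMPLE_4741 = json.dumps({
    "EventID": 4741, "SubjectUserName": "admin", "SubjectDomainName": "MP",
    "TargetUserName": "ZIGGY$", "PrimaryGroupId": "515", "NewUacValue": "0x80",
    "SidHistory": "-", "DnsHostName": "ZIGGY.changme.local",
    "ServicePrincipalNames": "\r\n\t\tHOST/ZIGGY.changme.local"
                             "\r\n\t\tRestrictedKrbHost/ZIGGY.changme.local"
                             "\r\n\t\tHOST/ZIGGY\r\n\t\tRestrictedKrbHost/ZIGGY",
})

# Primary-group RIDs the page lists for new computer objects.
PRIMARY_GROUPS = {"515": "Domain Computers", "516": "Domain Controllers",
                  "521": "Read-only Domain Controllers"}
# Bits of the event's UAC value. Assumption: 47xx audit events use the SAM
# USER_* bit layout, in which 0x80 is "Workstation Trust Account" (%%2087).
UAC_BITS = {0x1: "Account Disabled", 0x4: "Password Not Required",
            0x80: "Workstation Trust Account", 0x100: "Server Trust Account",
            0x200: "Don't Expire Password"}

def split_multivalue(field):
    # SPNs (and the UAC text) arrive as one CRLF/tab-joined string; "-" means empty.
    parts = field.replace("\r\n", "\n").replace("\t", "").split("\n")
    return [p for p in parts if p and p != "-"]

def decode_uac(hexval):
    return [name for bit, name in UAC_BITS.items() if int(hexval, 16) & bit]

def spn_host(spn):
    # HOST/ZIGGY.changme.local -> ZIGGY; MSSQLSvc/box.corp:1433 -> BOX
    return spn.split("/", 1)[1].split(":")[0].split(".")[0].upper()

def normalize_4741(raw):
    ev = json.loads(raw)
    host = ev["TargetUserName"].rstrip("$").upper()
    spns = split_multivalue(ev["ServicePrincipalNames"])
    findings = []
    if ev["PrimaryGroupId"] != "515":  # member servers and workstations get 515
        findings.append(f"primary group is {PRIMARY_GROUPS.get(ev['PrimaryGroupId'], 'unknown')}")
    if any(spn_host(s) != host for s in spns):
        findings.append("SPN host differs from account name")
    if ev["DnsHostName"] != "-" and ev["DnsHostName"].split(".")[0].upper() != host:
        findings.append("DnsHostName differs from account name")
    if ev["SidHistory"] != "-":
        findings.append("SID history set on a new computer object")
    return {"creator": f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}",
            "computer": ev["TargetUserName"], "spns": spns, "findings": findings,
            "primary_group": PRIMARY_GROUPS.get(ev["PrimaryGroupId"], "unknown"),
            "uac": decode_uac(ev["NewUacValue"])}
```

The creator and the Logon ID from the Subject block are what you join against 4624 to see how the creating session was established.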
