event id 4742

Summary

Event ID 4742 is triggered when a computer object is changed, usually when a reboot is made to the domain. It is important to avoid changing any user-related settings manually for computer objects, as this will result in the computer account becoming a user account. [1] To detect the abuse of the Zerologon vulnerability, look for the event ID 4742 and hunt for ANONYMOUS LOGON users, and SID in the event ID 4742 with the Password Last Set field changed. [2] Additionally, account change-related activity of all domain controllers in the Active Directory can be monitored to prevent the ZeroLogon attack. [3]



Summaries from the best pages on the web

Summary This event is generated every time a computer object is changed, usually when a reboot is made to the domain. It is important to avoid changing any user-related settings manually for computer objects, as this will result in the computer account becoming a user account. The event is triggered by the Security ID, account name, account domain, and logon ID, and can be used to correlate recent events with the same account.
4742(S) A computer account was changed. (Windows 10) - Windows security | Microsoft Docs
microsoft.com

Summary To detect the abuse of the Zerologon vulnerability, look for the event ID 4742. To be specific, hunt for ANONYMOUS LOGON users, and SID in the event ID 4742 with the Password Last Set field changed. You can also look for account change-related activity of all domain controllers in the Active Directory.
Zerologon - Detecting the vulnerability in SIEM - Logpoint
logpoint.com

Summary This post provides defensive strategies to mitigate the ZeroLogon (CVE-2020-1472) vulnerability, which allows attackers to set a password for the computer account of an Active Directory Domain Controller and pull credentials from the Domain Controller. It outlines the attack's telemetry, detection techniques, and recommendations for preventing the ZeroLogon attack. Additionally, it provides a link to a white paper on ZeroLogon and a vulnerability disclosure tool to help protect against this vulnerability.
From Lares Labs: Defensive Guidance for ZeroLogon (CVE-2020-1472) - Lares
lares.com

... simple and straightforward as following: QRadar Rule to detect the Zerologon Exploitation (CVE-2020-1472). The detection is based on the Windows event ID: 4742 ...
Detecting the Zerologon Exploitation (CVE-2020-1472)
ibm.com

Event ID - 4742; A computer account was changed, specifically the action may have been performed by an anonymous logon event.
ZeroLogon(CVE-2020-1472) - Attacking & Defending
zsec.uk

The exploits leave behind various artifacts which can be used for detection. The most documented artifact is Windows Event ID 4742 “A computer account was ...
Zerologon Vulnerability: Analysis and Detection Tools - Cynet
cynet.com

Find the best Login Page Machine Account Password Reset Event Id. You will find and ... Event ID 4742 A computer account was changed …
Machine Account Password Reset Event Id | Login Pages Finder
login-faq.com

Find the best Login Page Event Id Password Reset. You will find and access login portals ... Event ID 4742 A computer account was changed …
Event Id Password Reset | Login Pages Finder
login-faq.com

Windows Security Log Event ID 4742 2019 and 2022 Category • Subcategory Account Management • Computer Account Management Type Success Corresponding events ...
Windows Security Log Event ID 4742 - A computer account was changed
ultimatewindowssecurity.com

Find the best Login Page User Account Modified Event Id. You will find and access login ... Event ID 4742 A computer account was changed Password
User Account Modified Event Id | Login Pages Finder
login-faq.com

Under the category Account Management events, What does Event ID 4742 (A computer account was changed) mean?
Event ID 4742 - A computer account was changed
manageengine.com