4741 A computer account was created
Logged when a new computer object (machine account) is created. Besides the legitimate act of a domain join, creating a machine account is the first step of several privilege-escalation attacks, so the identity of the creator is what matters when reviewing this event.
Overview
The subcategory is Audit Computer Account Management. The event is generated when a new computer object is created and is recorded only on the domain controller that processed the creation, so it has to be collected from every DC. It includes the creating subject, the new computer name, and the object's main attributes (SAM account name, UPN, delegation settings, SPNs).
How it is triggered
- Computer account creation via a machine's domain join, `New-ADComputer`, `djoin`, and so on.
- By default, ordinary users can also create machine accounts, up to the `MachineAccountQuota` (the `ms-DS-MachineAccountQuota` attribute on the domain object, default 10). The quota applies only to users without explicit Create Child rights; administrators and provisioning accounts that hold those rights are not limited by it.
Security review points
- Several attacks abuse machine-account creation by ordinary users. A prime example is noPac / sAMAccountName spoofing (CVE-2021-42278 and CVE-2021-42287), where an attacker creates a machine account and then changes its `sAMAccountName` to look like a DC name (the DC's name without the trailing `$`) to obtain a TGT that the KDC resolves to the real DC. A 4741 by an unexpected creator (a non-administrator user) is notable on its own; the rename that follows shows up as a 4742 (SAM Account Name field) and a 4781 (account name changed) for the same account.
- Attacks abusing resource-based constrained delegation (RBCD) also begin with an attacker-controlled machine account, which is then written into `msDS-AllowedToActOnBehalfOfOtherIdentity` on the target computer. Track the 4741 together with the following changes: 4742 on the computer objects involved, and 5136 (directory object modified) if Directory Service Changes auditing is enabled for that attribute.
Notes for log review
- It occurs daily during legitimate domain joins. Weight it by whether the creator is an administrator/provisioning system or an ordinary user. Focus monitoring on creation by ordinary users.
- If you set `MachineAccountQuota` to 0, 4741 by ordinary users essentially disappears, making detection clear-cut. Existing accounts are unaffected by the change, and users who hold explicit Create Child (computer) rights on an OU can still create accounts, so those rights need to be reviewed as well.
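To turn the two points above into a check, the following PowerShell is an added example, not code from the original page. It reads the current `ms-DS-MachineAccountQuota`, lists the machine accounts that were created under the quota by ordinary users (AD stamps `mS-DS-CreatorSID` on those; accounts created by principals with explicit create rights leave it empty), and then sets the quota to 0. It assumes the ActiveDirectory module on a DC or RSAT host and rights to modify the domain object.

```powershell
# Added example: audit and harden ms-DS-MachineAccountQuota.
# Assumptions: ActiveDirectory module; account with rights to read computers and modify the domain object.

Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$DomainDn = $Domain.DistinguishedName

# 1. Current quota. The attribute lives on the domain head object; an unset value means the default of 10.
$quota = (Get-ADObject -Identity $DomainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
$shown = if ($null -eq $quota) { '10 (default, attribute unset)' } else { $quota }
'ms-DS-MachineAccountQuota on {0}: {1}' -f $Domain.DNSRoot, $shown

# 2. Machine accounts created by ordinary users under the quota.
#    mS-DS-CreatorSID is only populated for creations that consumed the quota, so its presence
#    is the durable counterpart of "4741 by a non-administrator" for accounts that already exist.
Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        # The attribute is stored in binary SID form.
        $sid     = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        $creator = $sid.Value
        try { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }   # deleted creator: keep SID
        [pscustomobject]@{
            Computer   = $_.Name
            Created    = $_.whenCreated
            CreatorSid = $sid.Value
            Creator    = $creator
        }
    } | Sort-Object Created | Format-Table -AutoSize

# 3. Hardening: set the quota to 0 so only principals with explicit Create Child rights can add
#    machine accounts. This does not remove accounts that already exist (see step 2 for those).
Set-ADDomain -Identity $DomainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
(Get-ADObject -Identity $DomainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'   # expect 0
```

Step 2 is worth running before step 3: every account it lists was created under the quota by a non-privileged user and should be either explained or removed, because setting the quota to 0 does nothing about accounts an attacker may already hold.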
Key fields
| Field | Meaning |
|---|---|
| Subject\Security ID, Subject\Account Name | The creating subject (notable if not an administrator or provisioning account); match on the SID, which survives renames |
| New Computer Account\Security ID, New Computer Account\Account Name | The created computer account (name ends in `$`) |
| Attributes\SAM Account Name | The account's `sAMAccountName` at creation; compare with later 4742/4781 to catch renames such as noPac |
Glossary
- MachineAccountQuota — the `ms-DS-MachineAccountQuota` attribute on the domain object, which caps the number of machine accounts an ordinary user can create (default 10). It is a precondition for attacks like noPac and RBCD abuse that start from an attacker-created machine account.