
4742 A computer account was changed

Written when a computer object’s (machine account’s) attributes are changed. It is an important event for catching attribute alterations abused for privilege escalation, such as delegation setting changes.

Overview

The subcategory is Audit Computer Account Management. The event is generated whenever a computer object is changed and is recorded only on domain controllers. After a domain join (on the reboot, for example), the Subject SID and the SID of the changed computer account may match, which indicates a self-update.

How it is triggered

  • Changes to machine-account attributes (delegation settings, servicePrincipalName, userAccountControl flags, DNS name, and so on).
  • It also occurs on automatic updates right after a domain join.

Security review points

  • Delegation-related attribute changes are the most important. If msDS-AllowedToActOnBehalfOfOtherIdentity (the resource-based constrained delegation, RBCD, setting) is rewritten, an attacker can impersonate other accounts. A machine-account creation (4741) followed by a delegation setting change (4742) is a hallmark of RBCD abuse.
  • Also note enabling TRUSTED_FOR_DELEGATION (unconstrained delegation) and unexpected additions of servicePrincipalName (preparation for targeted Kerberoasting).
  • Treat the change as strongly suspicious if the subject that made it does not normally have rights to manage that machine.

Notes for log review

  • It appears frequently with domain joins and legitimate configuration changes. Focus on which attribute was changed, and narrow alerting to delegation, SPN, and UAC flag changes.
  • Self-updates (Subject = target) tend to be noise. Exclude these to surface delegation-setting changes by others.
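
The review notes above as a small triage routine; this is an added example, not part of the original page. It assumes events already parsed into dicts keyed by the event's data field names (SubjectUserSid, TargetSid, AllowedToDelegateTo, ServicePrincipalNames, OldUacValue, NewUacValue), with "-" marking an unchanged attribute; the 24-hour correlation window and all sample names and SIDs are constructed.

```python
from datetime import datetime, timedelta

UNCHANGED = "-"  # assumed placeholder for attributes the change did not touch
WATCHED = {"AllowedToDelegateTo": "delegation", "ServicePrincipalNames": "spn"}
CREATE_WINDOW = timedelta(hours=24)  # assumed 4741 -> 4742 correlation window

def changed_attributes(ev):
    """Return labels for the delegation, SPN and UAC changes carried by a 4742."""
    reasons = [label for field, label in WATCHED.items()
               if ev.get(field, UNCHANGED) not in (UNCHANGED, "")]
    if ev.get("OldUacValue", UNCHANGED) != ev.get("NewUacValue", UNCHANGED):
        reasons.append("uac")
    return reasons

def triage(events):
    """Drop self-updates, keep watched changes, tag targets created recently (4741)."""
    created, alerts = {}, []  # created: TargetSid -> time of its 4741
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] == 4741:
            created[ev["TargetSid"]] = ev["TimeCreated"]
        if ev["EventID"] != 4742 or ev["SubjectUserSid"] == ev["TargetSid"]:
            continue  # not a change event, or a self-update (Subject = target)
        reasons = changed_attributes(ev)
        if reasons:
            born = created.get(ev["TargetSid"])
            recent = born is not None and ev["TimeCreated"] - born <= CREATE_WINDOW
            alerts.append({"target": ev["TargetUserName"], "subject": ev["SubjectUserName"],
                           "reasons": reasons, "created_recently": recent})
    return alerts

def _ev(event_id, minute, subj, subj_sid, target, target_sid, **attrs):
    return {"EventID": event_id, "TimeCreated": datetime(2024, 1, 1, 10, minute),
            "SubjectUserName": subj, "SubjectUserSid": subj_sid,
            "TargetUserName": target, "TargetSid": target_sid, **attrs}

# Constructed sample events; every account name, SID and value here is made up.
USER, ADMIN, WS, SRV = (f"S-1-5-21-1-2-3-{rid}" for rid in (1105, 1001, 2201, 2002))
SAMPLE = [
    _ev(4741, 0, "jdoe", USER, "WS-TEMP$", WS),
    _ev(4742, 1, "WS-TEMP$", WS, "WS-TEMP$", WS, ServicePrincipalNames="HOST/ws-temp"),
    _ev(4742, 5, "jdoe", USER, "WS-TEMP$", WS, AllowedToDelegateTo="cifs/fs01"),
    _ev(4742, 30, "admin1", ADMIN, "SRV01$", SRV, DnsHostName="srv01.example.test"),
    _ev(4742, 45, "admin1", ADMIN, "SRV01$", SRV, OldUacValue="0x80", NewUacValue="0x2080"),
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Of the five sample events, only the delegation change made by jdoe on the freshly created WS-TEMP$ and the UAC change on SRV01$ surface; the self-update and the DNS-name change are dropped.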

Key fields

| Field | Meaning |
|---|---|
| Computer Account That Was Changed | The changed machine account |
| AllowedToDelegateTo / delegation attributes | The delegation setting change |
| Subject\Account Name | The subject that made the change |

Glossary

  • RBCD (resource-based constrained delegation) — a delegation setting that lets one account impersonate another to access a service. Abused, it is used for privilege escalation.
