4781 The name of an account was changed
Logged when an account’s name is changed. Besides legitimate renames, the event matters when a rename is used to masquerade as a legitimate account or to evade tracking.
Overview
The subcategory is Audit User Account Management. It is generated when a user or computer account’s name is changed, and includes the names before and after.
How it is triggered
- An account rename in AD/locally (a rename due to a surname change, Rename-ADObject, and so on).
Security review points
- An attacker may rename an account they created to look like a legitimate one to blend in, or rename an existing account to confuse monitoring and tracking. Check the names before and after.
- Renaming a privileged account or a known important account may aim at confusion or masquerading, so investigate it.
Notes for log review
- Renames are infrequent. Check the before/after names, target, and subject, and note deviations from naming convention or confusing names.
- Track the account’s history together with account creation (4720) and account change (4738).
Key fields
| Field | Meaning |
|---|---|
| Old Account Name / New Account Name | The names before and after |
| Subject\Account Name | The subject that made the change |
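
One way to apply the review points above to exported 4781 events, as an added example (not code from the original page). The watchlist, naming-convention regex and look-alike folding are site-specific assumptions and the sample events are constructed; the XML `Data` names `OldTargetUserName`, `NewTargetUserName` and `SubjectUserName` correspond to the Old/New Account Name and Subject\Account Name fields.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WATCHLIST = {"administrator", "krbtgt", "svc_backup"}  # assumed, site-specific
# Assumed naming convention: svc_*, first.last, or a computer account ending in $
NAMING_RE = re.compile(r"^(svc_[a-z0-9]+|[a-z]+\.[a-z]+|[A-Z0-9-]+\$)$")
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s"})

def fold(name):
    """Collapse case and common look-alike characters for comparison."""
    return name.lower().translate(FOLD)

WATCH_FOLDED = {fold(n) for n in WATCHLIST}

def review_renames(xml_text):
    """Return one finding per 4781 event, listing the reasons it needs review."""
    findings = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4781":
            continue
        d = {x.get("Name"): (x.text or "") for x in ev.iterfind("e:EventData/e:Data", NS)}
        old, new = d.get("OldTargetUserName", ""), d.get("NewTargetUserName", "")
        reasons = []
        if old.lower() in WATCHLIST:
            reasons.append("watched account renamed")
        if fold(new) in WATCH_FOLDED and old.lower() != new.lower():
            reasons.append("new name resembles watched account")
        if not NAMING_RE.match(new):
            reasons.append("new name breaks naming convention")
        findings.append({"old": old, "new": new,
                         "subject": d.get("SubjectUserName", ""), "reasons": reasons})
    return findings

def make_event(old, new, subject):
    """Build a constructed 4781 record (illustration only, not real log data)."""
    fields = [("OldTargetUserName", old), ("NewTargetUserName", new), ("SubjectUserName", subject)]
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields)
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4781</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample: a surname change, a look-alike rename, a service account rename
SAMPLE = "<Events>" + "".join(make_event(*e) for e in [
    ("jane.smith", "jane.jones", "hr.admin"),
    ("tmpuser1", "Adm1nistrator", "tmpuser1"),
    ("svc_backup", "svc_bkp2", "helpdesk.two"),
]) + "</Events>"

if __name__ == "__main__":
    for finding in review_renames(SAMPLE):
        print(finding)
```

The input is assumed to be event XML wrapped in a single root element; an empty `reasons` list means the rename matched none of the three checks.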