Adversaries may attempt to authenticate using fake computer accounts to blend in with legitimate system accounts and evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or persistence tactics leveraging compromised credentials.
KQL Query
SecurityEvent
| where TargetUserName endswith "$" and EventID in (4624,4625) and LogonType in (2,7,10)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonTypeName, IpAddress
id: f68084a2-87eb-11ec-a8a3-0242ac120002
name: Fake computer account authentication attempt
description: |
  'This query detects authentication attempts from a fake computer account (username ends with $).
  Computer accounts normally do not authenticate via interactive logon or remote desktop, nor do they unlock systems.'
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1564
query: |
  SecurityEvent
  | where TargetUserName endswith "$" and EventID in (4624,4625) and LogonType in (2,7,10)
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonTypeName, IpAddress
| Sentinel Table | Notes |
|---|---|
| SecurityEvent | Ensure this data connector is enabled |
Scenario: Scheduled Job Using Computer Account Credentials
Description: A legitimate scheduled job (e.g., using schtasks.exe or Task Scheduler) might authenticate using a computer account username (e.g., DC01$) to access a shared resource or perform maintenance.
Filter/Exclusion: Exclude events where the source is a known scheduled task or where the authentication is part of a documented maintenance process. Example filter: ProcessName == "schtasks.exe" or EventID == 10000 (depending on the SIEM).

Scenario: Active Directory Replication Using Computer Account
Description: Domain controllers use computer accounts (e.g., DC01$) to replicate directory data between domain controllers via the Replication service.
Filter/Exclusion: Exclude events where the source is a domain controller or where the event is related to replication (e.g., EventID == 10000 or SourceComputerName matches a DC).

Scenario: Backup Software Using Computer Account Authentication
Description: Backup tools like Veeam, Commvault, or Veritas might use a computer account (e.g., BACKUP$) to authenticate and access backup shares or databases.
Filter/Exclusion: Exclude events where the process is related to backup software (e.g., ProcessName == "veeam.exe" or ProcessName == "commvault.exe").

Scenario: DNS Server Authentication Using Computer Account
Description: A DNS server (e.g., dnscmd.exe) might authenticate using a computer account (e.g., DNS01$) to manage DNS records or zone transfers.
Filter/Exclusion: Exclude events where the source is a DNS server or where the operation is related to DNS management (e.g
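
As an added example (not part of the original hunting query or the Sentinel repository), the Python below replays the query's logic over constructed SecurityEvent-style rows: the same where clause (account name ending in $, EventID 4624/4625, logon types 2/7/10), the same summarize key with min/max TimeGenerated, plus an allowlist step that applies the process-name and source-address exclusions from the false-positive scenarios above. The column names mirror SecurityEvent; the sample rows, hosts and addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed SecurityEvent-style rows (not real telemetry); keys mirror the
# Sentinel SecurityEvent columns the hunting query uses.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-01-10T08:00:00", "EventID": 4624, "Computer": "WS01",
     "TargetUserName": "DC01$", "TargetLogonId": "0x3e7a1", "LogonType": 10,
     "IpAddress": "10.0.0.5", "ProcessName": "C:\\Windows\\System32\\winlogon.exe"},
    {"TimeGenerated": "2024-01-10T08:05:00", "EventID": 4624, "Computer": "WS01",
     "TargetUserName": "DC01$", "TargetLogonId": "0x3e7a1", "LogonType": 10,
     "IpAddress": "10.0.0.5", "ProcessName": "C:\\Windows\\System32\\winlogon.exe"},
    # Normal network logon (type 3) by a computer account: expected, not flagged.
    {"TimeGenerated": "2024-01-10T08:10:00", "EventID": 4624, "Computer": "FS01",
     "TargetUserName": "WS02$", "TargetLogonId": "0x51c2", "LogonType": 3,
     "IpAddress": "10.0.0.7", "ProcessName": "-"},
    # Human interactive logon: not a computer account, not flagged.
    {"TimeGenerated": "2024-01-10T08:12:00", "EventID": 4624, "Computer": "WS03",
     "TargetUserName": "jdoe", "TargetLogonId": "0x61a0", "LogonType": 2,
     "IpAddress": "127.0.0.1", "ProcessName": "C:\\Windows\\System32\\winlogon.exe"},
    # Failed interactive logon as BACKUP$ requested by a backup agent (candidate FP).
    {"TimeGenerated": "2024-01-10T09:00:00", "EventID": 4625, "Computer": "FS01",
     "TargetUserName": "BACKUP$", "TargetLogonId": "0x0", "LogonType": 2,
     "IpAddress": "10.0.0.9", "ProcessName": "C:\\Program Files\\Veeam\\veeam.exe"},
]

INTERACTIVE_LOGON_TYPES = {2, 7, 10}  # Interactive, Unlock, RemoteInteractive


def is_suspicious_computer_logon(ev):
    """Same predicate as the KQL where clause."""
    return (ev["TargetUserName"].endswith("$")
            and ev["EventID"] in (4624, 4625)
            and ev["LogonType"] in INTERACTIVE_LOGON_TYPES)


def hunt(events, excluded_processes=frozenset(), excluded_sources=frozenset()):
    """Filter like the query, drop allowlisted process images / source IPs,
    then summarize min/max TimeGenerated by the query's grouping key."""
    groups = defaultdict(list)
    for ev in events:
        if not is_suspicious_computer_logon(ev):
            continue
        image = ev["ProcessName"].rsplit("\\", 1)[-1].lower()  # basename only
        if image in excluded_processes or ev["IpAddress"] in excluded_sources:
            continue
        key = (ev["EventID"], ev["Computer"], ev["TargetUserName"],
               ev["TargetLogonId"], ev["LogonType"], ev["IpAddress"])
        groups[key].append(datetime.fromisoformat(ev["TimeGenerated"]))
    return {k: (min(t), max(t)) for k, t in groups.items()}
```

Calling `hunt(SAMPLE_EVENTS, excluded_processes={"veeam.exe"})` leaves only the DC01$ RemoteInteractive group, with StartTime 08:00 and EndTime 08:05.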