Adversaries may create fake computer accounts by generating usernames ending with $ to establish persistent access or exfiltrate data within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or long-term persistence tactics.
KQL Query

```kql
SecurityEvent
| where EventID == 4720 and TargetUserName endswith "$"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectDomainName, SubjectAccount, SubjectUserSid, SubjectLogonId,
    TargetUserName, TargetDomainName, TargetAccount, TargetSid, UserPrincipalName
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
```
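To make the query's logic concrete offline, here is an added Python illustration that is not part of the original rule or its author's code. It replays the same steps over a handful of constructed SecurityEvent-shaped rows: keep only EventID 4720 where TargetUserName ends with `$`, collapse repeats into one row per group with StartTime/EndTime, and derive HostName and HostNameDomain the way the two `extend` lines do (including the `iff()` branch for a Computer value with no dot). A genuine domain join, which logs 4741, is included to show it is ignored. The optional `excluded_subjects` parameter is the kind of SubjectAccount allowlist the tuning scenarios at the end of this page call for. All host names, user names and SIDs are made up.

```python
from collections import defaultdict
from datetime import datetime

# Columns the KQL groups on in its summarize clause.
GROUP_KEYS = (
    "Computer", "SubjectUserName", "SubjectDomainName", "SubjectAccount",
    "SubjectUserSid", "SubjectLogonId", "TargetUserName", "TargetDomainName",
    "TargetAccount", "TargetSid", "UserPrincipalName",
)


def make_event(ts, event_id, computer, subject_user, subject_domain, subject_sid,
               target_user, target_domain, target_rid):
    """Build one constructed SecurityEvent-shaped row carrying the columns the query uses."""
    return {
        "TimeGenerated": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "EventID": event_id,
        "Computer": computer,
        "SubjectUserName": subject_user,
        "SubjectDomainName": subject_domain,
        "SubjectAccount": f"{subject_domain}\\{subject_user}",
        "SubjectUserSid": subject_sid,
        "SubjectLogonId": "0x3e7a1",
        "TargetUserName": target_user,
        "TargetDomainName": target_domain,
        "TargetAccount": f"{target_domain}\\{target_user}",
        "TargetSid": f"S-1-5-21-1111-2222-3333-{target_rid}",
        "UserPrincipalName": "-",
    }


# Constructed sample rows (not real telemetry); hosts, users and SIDs are made up.
JDOE_SID = "S-1-5-21-1111-2222-3333-1105"
SAMPLE_EVENTS = [
    # 4720 creating a *user* whose name ends in $: this is what the rule is after
    make_event("2024-01-10T09:00:00Z", 4720, "dc01.corp.example.com", "jdoe", "CORP", JDOE_SID, "WKSTN99$", "CORP", 5001),
    # the same actor repeats it five minutes later: folds into one row, widening StartTime..EndTime
    make_event("2024-01-10T09:05:00Z", 4720, "dc01.corp.example.com", "jdoe", "CORP", JDOE_SID, "WKSTN99$", "CORP", 5001),
    # an ordinary user account creation: no trailing $, so not matched
    make_event("2024-01-10T09:07:00Z", 4720, "dc01.corp.example.com", "jdoe", "CORP", JDOE_SID, "asmith", "CORP", 5002),
    # a genuine domain join logs 4741, not 4720, so the rule ignores it
    make_event("2024-01-10T09:10:00Z", 4741, "dc01.corp.example.com", "jdoe", "CORP", JDOE_SID, "LAPTOP07$", "CORP", 5003),
    # flat (non-FQDN) Computer value from a service context, exercising the iff() branch
    make_event("2024-01-10T09:12:00Z", 4720, "DC02", "SYSTEM", "NT AUTHORITY", "S-1-5-18", "SVC-BACKUP$", "CORP", 5004),
]


def split_host(computer):
    """Mirror the two extend lines: HostName is the part before the first '.',
    HostNameDomain is everything after it, or the whole value when there is no dot."""
    dot = computer.find(".")
    host_name = computer.split(".")[0]
    host_domain = computer[dot + 1:] if dot != -1 else computer
    return host_name, host_domain


def detect_fake_computer_accounts(events, excluded_subjects=frozenset()):
    """Return one summarized row per group, like the KQL, for 4720 events whose
    TargetUserName ends with '$'. excluded_subjects holds SubjectAccount values to
    drop, the kind of tuning the exclusion scenarios describe."""
    times_by_group = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4720 or not ev["TargetUserName"].endswith("$"):
            continue
        if ev["SubjectAccount"] in excluded_subjects:
            continue
        times_by_group[tuple(ev[k] for k in GROUP_KEYS)].append(ev["TimeGenerated"])

    rows = []
    for key, times in times_by_group.items():
        row = dict(zip(GROUP_KEYS, key))
        row["StartTime"], row["EndTime"] = min(times), max(times)
        row["HostName"], row["HostNameDomain"] = split_host(row["Computer"])
        rows.append(row)  # DomainIndex never appears, matching project-away
    return rows


if __name__ == "__main__":
    for row in detect_fake_computer_accounts(SAMPLE_EVENTS):
        print(f"{row['StartTime']:%H:%M}-{row['EndTime']:%H:%M} {row['SubjectAccount']} "
              f"created {row['TargetAccount']} on {row['HostName']} ({row['HostNameDomain']})")
```

Running it stand-alone prints two rows: the repeated `WKSTN99$` creation collapsed to a 09:00-09:05 window on `dc01`, and the `SVC-BACKUP$` creation on the flat host `DC02`. Passing `{"NT AUTHORITY\\SYSTEM"}` as `excluded_subjects` drops the second row, which is how an allowlist from the tuning scenarios would narrow the alert volume.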
Analytics Rule YAML

```yaml
id: c1faf5e8-6958-11ec-90d6-0242ac120003
name: Fake computer account created
description: |
  'This query detects domain user accounts creation (event ID 4720) where the username ends with $.
  Accounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.'
severity: Medium
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1564
query: |
  SecurityEvent
  | where EventID == 4720 and TargetUserName endswith "$"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectDomainName, SubjectAccount, SubjectUserSid, SubjectLogonId,
      TargetUserName, TargetDomainName, TargetAccount, TargetSid, UserPrincipalName
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | project-away DomainIndex
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SubjectAccount
      - identifier: Name
        columnName: SubjectUserName
      - identifier: NTDomain
        columnName: SubjectDomainName
  - entityType: Account
    fieldMappings:
      - identifier: Sid
        columnName: SubjectUserSid
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: TargetAccount
      - identifier: Name
        columnName: TargetUserName
      - identifier: NTDomain
        columnName: TargetDomainName
  - entityType: Account
    fieldMappings:
      - identifier: Sid
        columnName: TargetSid
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
version: 1.0.4
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Vasileios Paschalidis
  support:
    tier: Community
  categories:
    domains: [ "Security - Others" ]
```
| Sentinel Table | Notes |
|---|---|
| SecurityEvent | Ensure this data connector is enabled |
Scenario: Scheduled Job Creation via Task Scheduler
- Description: A legitimate scheduled task is created using the Task Scheduler tool, which may generate a computer account ending with $.
- Filter/Exclusion: Exclude events where the source is Task Scheduler or where the account was created by a known service account (e.g., NT AUTHORITY\SYSTEM).

Scenario: Domain Controller Replication Account Creation
- Description: A domain controller replication account is created during Active Directory replication setup, which may result in a computer account ending with $.
- Filter/Exclusion: Exclude events where the account is created by the NTDS service or during replication-related operations.

Scenario: Virtual Machine Guest Account Creation
- Description: A virtual machine (VM) guest account is created when a VM is added to the domain, which may result in a computer account ending with $.
- Filter/Exclusion: Exclude events where the account is created by a VM management tool (e.g., VMware vCenter, Hyper-V) or where the computer name matches a known VM naming convention.

Scenario: Printer Spooler Service Account Creation
- Description: A printer spooler service account is created when a printer is added to the domain, which may result in a computer account ending with $.
- Filter/Exclusion: Exclude events where the account is created by the Print Spooler service or where the account name matches a known printer service account pattern.

Scenario: Group Policy Object (GPO) Computer Account Creation
- Description: A GPO may create a computer account when deploying settings to a computer, which may result in a computer account ending with $.
- Filter/Exclusion: Exclude events where the account is created by a GPO deployment tool (e.g., Group Policy Management Console) or where