EventPeeker
Event ID 4742 · Audit Success · Security · T1098

Windows Event ID 4742: Computer Account Changed

Logged when an existing computer account in Active Directory is modified. Attackers modify computer accounts to enable post-creation attack capabilities: adding SPNs for Kerberoasting, setting delegation flags for unconstrained or constrained delegation abuse, writing msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD attacks, or changing the account password to take control of it. The specific attribute modified determines the attack technique in use.

MITRE ATT&CK

Technique

T1098 · Account Manipulation

Tactic

Persistence


Why It Matters

Computer account modifications are frequently the second step in a multi-stage attack sequence. A computer account created via MachineAccountQuota (4741) is often immediately modified (4742) to add the SPNs or delegation attributes that enable the actual attack payload. Changes to TrustedForDelegation or msDS-AllowedToActOnBehalfOfOtherIdentity are high-fidelity signals for delegation abuse — these attributes are almost never modified outside of intentional IT configuration changes, and modification by a non-system account is a confirmed attack indicator.

Key Fields

Computer Account Name: The computer account that was modified. If this account was recently created (correlate with 4741), a rapid create-then-modify sequence indicates the attacker is completing their attack setup against the new account.
Changed Attributes: The specific attributes that were modified — this is the most actionable field. SPN additions indicate Kerberoasting setup; changes to TrustedForDelegation or msDS-AllowedToDelegateTo indicate delegation abuse; changes to msDS-AllowedToActOnBehalfOfOtherIdentity indicate RBCD attack configuration.
Subject Account Name: The account that performed the modification. Modifications by SYSTEM or DC machine accounts are typically legitimate replication or OS operations. Modifications by a user account or non-system service account outside a provisioning window are suspicious.
Old Values / New Values: The before and after state of the modified attribute. For delegation flags, New Values showing TrustedForDelegation = TRUE on any non-DC machine account is an immediate escalation indicator — this grants unconstrained Kerberos delegation.

Investigation Tips

  1. SPN added by non-admin = Kerberoasting: if Changed Attributes shows a ServicePrincipalName addition, immediately check Event 4769 for service ticket requests targeting that SPN within the next 24 hours. If you see a 4769 with the new SPN and TicketEncryptionType 0x17 (RC4), Kerberoasting is confirmed.
  2. TrustedForDelegation = TRUE on a non-DC: unconstrained delegation allows the computer account to receive and forward Kerberos tickets for any user who authenticates to it. Any non-DC machine with TrustedForDelegation enabled is a credential theft vector — any user authenticating to that machine hands over their TGT. This is a critical finding requiring immediate reversal.
  3. msDS-AllowedToActOnBehalfOfOtherIdentity modified: this is the RBCD attack attribute. If you see this field modified on a high-value server (a DC, file server, or admin workstation) and the new value points to a recently created computer account, you are likely watching an RBCD attack being configured. Correlate with the 4741 event for the computer account named in the new value.
  4. Computer account password changed by non-SYSTEM: legitimate computer account password changes are performed by NETLOGON as SYSTEM. A password change where Subject Account Name is a user account means an attacker is taking control of the computer account — likely to use it as a fake DC for DCSync attacks.
  5. Correlate with the preceding 4741: if the modified computer account was created within the past 24 hours by a non-admin (visible in 4741), the create-then-modify sequence is the full attack setup lifecycle. Prioritize any 4742 where the computer account is less than 24 hours old.
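
The correlation steps in tips 1, 3 and 5, written as triage logic over already-parsed events. This is an added example, not EventPeeker's code: the record layout (`event_id`, `time`, `subject`, `target`, `changed`, `service`, `enc_type`), the `TRUSTED` list and the sample hosts are assumptions, and the RBCD value is assumed to be already resolved from a SID to an account name.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
DELEGATION = {"TrustedForDelegation", "msDS-AllowedToDelegateTo",
              "msDS-AllowedToActOnBehalfOfOtherIdentity"}
TRUSTED = {"SYSTEM"}  # assumption: add your DC and provisioning accounts

def within(later, earlier):
    """True when `later` falls 0 to 24 hours after `earlier`."""
    return timedelta(0) <= later - earlier <= WINDOW

def triage(events):
    """Return (target, sorted tags) for each suspicious 4742 record."""
    events = sorted(events, key=lambda e: e["time"])
    # Computer accounts created (4741) by a subject outside the trusted list.
    created = {e["target"]: e["time"] for e in events
               if e["event_id"] == 4741 and e["subject"] not in TRUSTED}
    findings = []
    for e in events:
        if e["event_id"] != 4742 or e["subject"] in TRUSTED:
            continue
        changed, tags = e["changed"], set()
        if DELEGATION & changed.keys():
            tags.add("delegation-attribute")
        # Tip 5: the modified account itself is under 24 hours old.
        if e["target"] in created and within(e["time"], created[e["target"]]):
            tags.add("target-created-within-24h")
        # Tip 3: the RBCD value names a recently created computer account.
        rbcd = changed.get("msDS-AllowedToActOnBehalfOfOtherIdentity")
        if rbcd in created and within(e["time"], created[rbcd]):
            tags.add("rbcd-names-new-account")
        # Tip 1: RC4 service ticket for the added SPN in the next 24 hours.
        spn = changed.get("ServicePrincipalName")
        if spn:
            tags.add("spn-added")
            if any(t["event_id"] == 4769 and t["service"] == spn
                   and t["enc_type"] == "0x17" and within(t["time"], e["time"])
                   for t in events):
                tags.add("rc4-ticket-for-new-spn")
        if tags:
            findings.append((e["target"], sorted(tags)))
    return findings

T0 = datetime(2024, 1, 10, 9, 0)  # constructed sample records, not real logs
SAMPLE = [
    {"event_id": 4741, "time": T0, "subject": "jdoe", "target": "WKS-TEST01$"},
    {"event_id": 4742, "time": T0 + timedelta(minutes=5), "subject": "jdoe", "target": "WKS-TEST01$", "changed": {"ServicePrincipalName": "http/wks-test01.example.test"}},
    {"event_id": 4769, "time": T0 + timedelta(hours=1), "service": "http/wks-test01.example.test", "enc_type": "0x17"},
    {"event_id": 4742, "time": T0 + timedelta(hours=2), "subject": "SYSTEM", "target": "FILESRV01$", "changed": {"PasswordLastSet": "rotated"}},
    {"event_id": 4742, "time": T0 + timedelta(hours=3), "subject": "jdoe", "target": "FILESRV01$", "changed": {"msDS-AllowedToActOnBehalfOfOtherIdentity": "WKS-TEST01$"}},
]
```

Calling `triage(SAMPLE)` returns two findings: the create-then-SPN chain on WKS-TEST01$ and the RBCD write on FILESRV01$; the SYSTEM password rotation is skipped.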


Related Event IDs

4741: Computer account created — check if the modified account was recently created by a non-admin; rapid 4741+4742 is the attack setup chain
4743: Computer account deleted — post-attack cleanup; 4741+4742+4743 is the complete backdoor lifecycle
4769: Kerberos service ticket — correlate for requests targeting SPNs added in 4742; RC4 encryption type confirms Kerberoasting
4662: Directory service access — delegation attribute reads (msDS-AllowedToActOnBehalfOfOtherIdentity) during RBCD attack reconnaissance

Frequently Asked Questions

What does it mean when a computer account's SPN is changed?
A Service Principal Name (SPN) is a unique identifier for a service instance, used by Kerberos to issue service tickets. When an attacker adds an SPN to a computer account, they are registering that account as a Kerberoastable target — any domain user can then request a Kerberos service ticket for that SPN, receive it encrypted with the computer account's password hash, and attempt to crack it offline. Unlike user account Kerberoasting, computer accounts have automatically rotated 120-character passwords that are effectively uncrackable. However, if the attacker controls the computer account (created via MachineAccountQuota with a known password), they can set a weak password before adding the SPN — making the hash crackable. This is why the combination of 4741 (account created by non-admin) + 4742 (SPN added) is the complete Kerberoasting setup chain.
How do RBCD attacks use Event 4742?
Resource-based constrained delegation (RBCD) attacks require writing to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on a target computer account — this attribute specifies which accounts are trusted to act on behalf of users to that computer. Event 4742 captures this write. The attack sequence is: (1) attacker creates a computer account via MachineAccountQuota (4741), (2) attacker writes the new computer account's SID to msDS-AllowedToActOnBehalfOfOtherIdentity on a target server (4742 on the target server), (3) attacker uses Kerberos S4U2Proxy to obtain a service ticket impersonating a Domain Admin to the target server. The key detection is a 4742 event where Changed Attributes shows msDS-AllowedToActOnBehalfOfOtherIdentity being set and the new value references a recently created computer account.
Is Event 4742 always suspicious?
No — computer account changes are routine in well-managed environments. Legitimate triggers include computer account password rotation by NETLOGON every 30 days (Subject Account Name = SYSTEM), changes by domain provisioning tools like SCCM or Intune when enrolling devices, and OS updates that modify attributes like Operating System Version. The suspicious signals are: (1) changes by a user account rather than SYSTEM or a provisioning service account, (2) SPN additions outside of software deployment windows, (3) any change to delegation-related attributes (TrustedForDelegation, msDS-AllowedToDelegateTo, msDS-AllowedToActOnBehalfOfOtherIdentity) by a non-admin, (4) changes to a computer account that was created less than 24 hours ago by a non-admin user.
