Windows Event ID 4743 – Microsoft-Windows-Security-Auditing: Computer Account Changed

Start by examining the specific details of Event ID 4743 to understand what was changed and by whom.

1. Open Event Viewer on the domain controller where the event occurred
2. Navigate to Windows Logs → Security
3. Filter for Event ID 4743 using the filter option in the Actions pane
4. Double-click on the event to view detailed information
5. Review the following key fields in the event details:
   • Subject: Shows who made the change (Security ID, Account Name, Domain)
   • Target Account: Identifies the computer account that was modified
   • Changed Attributes: Lists specific attributes that were modified
   • Additional Information: Provides context about the change
6. Note the timestamp and correlate with any known administrative activities

Use PowerShell to query and analyze Event ID 4743 occurrences across multiple domain controllers for patterns and trends.

1. Open PowerShell as Administrator on a domain controller or management workstation
2. Query recent Event ID 4743 occurrences:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4743} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message

3. Filter events for specific computer accounts:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4743} | Where-Object {$_.Message -like "*COMPUTERNAME*"} | Select-Object TimeCreated, Message

4. Query events from multiple domain controllers:

   $DCs = Get-ADDomainController -Filter *
   foreach ($DC in $DCs) {
       Write-Host "Checking $($DC.Name)..."
       Get-WinEvent -ComputerName $DC.Name -FilterHashtable @{LogName='Security'; Id=4743} -MaxEvents 10 -ErrorAction SilentlyContinue
   }

5. Export events to CSV for analysis:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4743} -MaxEvents 100 | Select-Object TimeCreated, Id, LevelDisplayName, @{Name='ComputerAccount';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Account Name:*'})[0]}}, @{Name='ModifiedBy';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Subject:*'})[1]}} | Export-Csv -Path "C:\Temp\Event4743_Analysis.csv" -NoTypeInformation

Ensure proper audit policy configuration to capture comprehensive computer account change information.

1. Open Group Policy Management Console on a domain controller
2. Navigate to the Default Domain Controllers Policy or create a new GPO
3. Edit the policy and go to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration
4. Expand Account Management and configure:
   • Audit Computer Account Management: Enable Success and Failure
   • Audit Other Account Management Events: Enable Success
5. Apply the policy and force update on domain controllers:

   gpupdate /force

6. Verify audit policy settings using auditpol:

   auditpol /get /subcategory:"Computer Account Management"

7. Configure Security log size to accommodate increased logging:

   wevtutil sl Security /ms:1073741824

Perform detailed investigation of computer account modifications using Active Directory tools and PowerShell.

1. Identify the target computer account from the Event ID 4743 details
2. Check current computer account properties:

   Get-ADComputer -Identity "COMPUTERNAME" -Properties * | Select-Object Name, Description, OperatingSystem, LastLogonDate, PasswordLastSet, MemberOf

3. Review computer account attribute history using repadmin:

   repadmin /showattr DC=domain,DC=com "CN=COMPUTERNAME,CN=Computers,DC=domain,DC=com" /allvalues

4. Check for recent password changes:

   Get-ADComputer -Identity "COMPUTERNAME" -Properties PasswordLastSet | Select-Object Name, PasswordLastSet

5. Examine group membership changes:

   Get-ADPrincipalGroupMembership -Identity "COMPUTERNAME$" | Select-Object Name, GroupCategory, GroupScope

6. Review Service Principal Names (SPNs) if applicable:

   Get-ADComputer -Identity "COMPUTERNAME" -Properties ServicePrincipalNames | Select-Object Name, ServicePrincipalNames

7. Cross-reference with other security events around the same timeframe:

   Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=(Get-Date).AddHours(-2); EndTime=(Get-Date)} | Where-Object {$_.Message -like "*COMPUTERNAME*"} | Select-Object Id, TimeCreated, Message

Set up automated monitoring for Event ID 4743 to detect unauthorized or suspicious computer account changes.

1. Create a scheduled task to monitor for Event ID 4743:

   $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor-Event4743.ps1"
   $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15) -RepetitionDuration (New-TimeSpan -Days 365)
   $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
   Register-ScheduledTask -TaskName "Monitor-Event4743" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM"

2. Create the monitoring script at C:\Scripts\Monitor-Event4743.ps1:

   # Monitor-Event4743.ps1
   $LastCheck = (Get-Date).AddMinutes(-15)
   $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4743; StartTime=$LastCheck} -ErrorAction SilentlyContinue
   
   if ($Events) {
       foreach ($Event in $Events) {
           $Message = "Computer account change detected: $($Event.Message)"
           Write-EventLog -LogName Application -Source "Custom-Monitor" -EventId 1001 -EntryType Warning -Message $Message
           # Add email notification or SIEM integration here
       }
   }

3. Configure Windows Event Forwarding (WEF) to centralize Event ID 4743 collection:

   wecutil cs C:\Config\Event4743-Subscription.xml

4. Create event subscription XML configuration for centralized collection
5. Set up custom event log source for monitoring alerts:

   New-EventLog -LogName Application -Source "Custom-Monitor"

6. Test the monitoring system by making a test computer account change and verifying alert generation