ExtraHop named a Leader in the 2025 Forrester Wave™: Network Analysis And Visibility Solutions

ExtraHop Logo
Search
Try ExtraHop
Menu iconX icon
  • Platformchevron right
  • Solutionschevron right
  • Modern NDRchevron right
  • Resourceschevron right
  • Companychevron right
User iconSign In
Contact Us

DETECTION OVERVIEW

Attack Tool Computer Account Creation Activity

Risk Factors

An attacker must obtain either domain controller (DC) credentials or hashes to send the necessary LDAP request to add a new computer account. If the attacker is successful, they can establish a rogue, authorized account to impersonate high-value users, which can lead to further attacks on your network.

Category

Lateral Movement
Detection diagram
Next in Lateral Movement: Cobalt Strike Beacon Transfer

Attack Background

An attacker runs tools such as the Impacket addcomputer.py Python script or the Powermad.ps1 PowerShell module to programmatically send an LDAP request with the addRequest method to a victim server. This method contains a specific set of attributes required by the DC to create a new, attacker-controlled computer account. This type of LDAP request typically exploits the default Machine Account Quota (MAQ) setting, which controls how many accounts non-administrative users can create. After the malicious account is created, the attacker sends subsequent LDAP requests with the modifyRequest method to add the rogue account to the trust list of the victim server. The attacker now controls a valid, fake computer account that expands their foothold within the network.

Mitigation Options

Monitor the security log for event ID 4741: A computer account was created

Implement network segmentation and network access control

Require LDAP signing, which prevents non-domain users from querying the LDAP server.

MITRE ATT&CK ID

Associated content

ExtraHop Named a Leader in Forrester Wave™ NAV Q4 2025

ExtraHop achieved the highest possible scores in 10 criteria, including Encrypted Traffic Analysis and Threat Hunting. Read why we were named a Leader in Network Analysis and Visibility.

Blog
Learn moreArrow pointing right

ExtraHop Named a Leader in First-Ever Gartner Magic Quadrant for NDR

See why Gartner recognized ExtraHop as a Leader in the inaugural Magic Quadrant for Network Detection and Response. Discover how RevealX provides complete network visibility.

News
Learn moreArrow pointing right

ExtraHop RevealX Detections Glossary & Overview

Explore the comprehensive catalog of ExtraHop detections. Learn how our NDR solution uses behavioral analysis and machine learning to identify threats, malware, and anomalies.

Docs
Learn moreArrow pointing right

2025 Global Threat Landscape Report: Dwell Time & Lateral Movement

Download the 2025 report to uncover the reality of threat actor dwell time. Insights from 1,800+ security leaders on ransomware, cloud risks, and deeper network access.

Blog
Learn moreArrow pointing right

ExtraHop RevealX Coverage for MITRE ATT&CK 2024

Learn how ExtraHop RevealX maps to the 2024 MITRE ATT&CK framework. See how our network detection coverage identifies the latest adversary tactics and techniques.

Blog
Learn moreArrow pointing right

Mapping RevealX to the MITRE ATT&CK Framework

Download the technical guide to mapping Network Detection and Response (NDR) to the MITRE framework. See how RevealX detects threats across the entire attack lifecycle.

Report
Learn moreArrow pointing right
Periodic Table of Use Cases

What else can RevealX do for you?

View our Periodic Table of use casesArrow pointing right