I am currently working on searching for failed "computer accounts" in Windows event ID 4776.
2018 Jun 14 16:21:31 WinEvtLog: Security: AUDIT_FAILURE(4776): Microsoft-Windows-Security-Auditing: (no user): no domain: somedoman.com: The domain controller attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: CCOMPUTERNAME$ Source Workstation: CCOMPUTERNAME Error Code: 0xc0000064
Basically I am just trying to do
data.id:4776 AND full_log: "Account: CC*$"
or computers that start with CC.
I just can't seem to get it working.
Thanks for the help in advance.
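
Added example, not part of the original post: a Python filter that pulls the Logon Account, Source Workstation and Error Code out of 4776 failure lines laid out like the one quoted above, and keeps only computer accounts (trailing `$`) with a given prefix. The function name, the NTSTATUS table and every sample line except the first are assumptions made for illustration.

```python
import re

# Field layout follows the 4776 line quoted in the post.
EVENT_4776_FAILURE = re.compile(
    r"AUDIT_FAILURE\(4776\):.*?"
    r"Logon Account:\s*(?P<account>\S+)\s+"
    r"Source Workstation:\s*(?P<workstation>.*?)\s*"
    r"Error Code:\s*(?P<error>0x[0-9a-fA-F]+)"
)

# Well-known NTSTATUS values for 4776 failures (added here, not from the post).
NTSTATUS = {
    "0xc0000064": "account name does not exist",
    "0xc000006a": "wrong password",
    "0xc0000234": "account locked out",
}

def failed_computer_accounts(lines, prefix="CC"):
    """Return 4776 failures for computer accounts (trailing $) with the prefix."""
    hits = []
    for line in lines:
        m = EVENT_4776_FAILURE.search(line)
        if not m:
            continue  # not a 4776 failure, or fields missing
        account = m.group("account")
        # Windows account names are case-insensitive, so compare upper-cased.
        if not (account.endswith("$") and account.upper().startswith(prefix.upper())):
            continue
        code = m.group("error").lower()
        hits.append({"account": account, "workstation": m.group("workstation"),
                     "error": code, "meaning": NTSTATUS.get(code, "unknown")})
    return hits

# Constructed sample lines in the same layout; only the first is from the post.
_T = ("2018 Jun 14 16:21:31 WinEvtLog: Security: {r}(4776): "
      "Microsoft-Windows-Security-Auditing: (no user): no domain: somedoman.com: "
      "The domain controller attempted to validate the credentials for an account. "
      "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
      "Logon Account: {a} Source Workstation: {w} Error Code: {c}")
SAMPLES = [
    _T.format(r="AUDIT_FAILURE", a="CCOMPUTERNAME$", w="CCOMPUTERNAME", c="0xc0000064"),
    _T.format(r="AUDIT_FAILURE", a="ccuser", w="CCWS01", c="0xc000006a"),   # user, no $
    _T.format(r="AUDIT_FAILURE", a="DC01$", w="DC01", c="0xc0000064"),      # other prefix
    _T.format(r="AUDIT_FAILURE", a="cclab07$", w="", c="0xC0000064"),       # blank workstation
    _T.format(r="AUDIT_SUCCESS", a="CCOK01$", w="CCOK01", c="0x0"),         # not a failure
]

if __name__ == "__main__":
    for hit in failed_computer_accounts(SAMPLES):
        print(hit)
```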