Event ID 4675 — SIDs were filtered.
Description
SIDs were filtered.
Message #
Fields #
| Name | Description |
|---|---|
Security_ID SID | [Target Account] Security ID. |
Account_Name UnicodeString | [Target Account] Account Name. |
Account_Domain UnicodeString | [Target Account] Account Domain. |
Trust_Direction UInt32 | [Trust Information] Trust Direction. |
Trust_Attributes UInt32 | [Trust Information] Trust Attributes. |
Trust_Type UInt32 | [Trust Information] Trust Type. |
TDO_Domain_SID SID | [Trust Information] TDO Domain SID. |
Filtered_SIDs UnicodeString | [Trust Information] Filtered SIDs. |
TargetUserSid SID | [Target Account] Security ID |
TargetUserName UnicodeString | [Target Account] Account Name |
TargetDomainName UnicodeString | [Target Account] Account Domain |
TdoDirection UInt32 | [Trust Information] Trust Direction |
TdoAttributes UInt32 | [Trust Information] Trust Attributes |
TdoType UInt32 | [Trust Information] Trust Type |
TdoSid SID | [Trust Information] TDO Domain SID |
SidList UnicodeString | Filtered SIDs |
Detection Patterns #
Uses Authentication Normalization
Security-Auditing Event ID 4624: An account was successfully logged on.ANDEvent ID 4625: An account failed to log on.ANDEvent ID 4634: An account was logged off.ANDEvent ID 4647: User initiated logoff.ANDEvent ID 4648: A logon was attempted using explicit credentials.ANDEvent ID 4675: SIDs were filtered.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4675
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4675