Event ID 4693 — Recovery of data protection master key was attempted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Detailed Tracking → DPAPI Activity
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

Recovery of data protection master key was attempted.

Message

Recovery of data protection master key was attempted.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Key Information:
	Key Identifier: %5
	Recovery Server: %6
	Recovery Key ID: %8
	Recovery Reason: %7

Status Information:
	Status Code: %9

Fields

Name               Type           Description
Security_ID        SID            [Subject] Security ID.
Account_Name       UnicodeString  [Subject] Account Name.
Account_Domain     UnicodeString  [Subject] Account Domain.
Logon_ID           HexInt64       [Subject] Logon ID.
Key_Identifier     UnicodeString  [Key Information] Key Identifier.
Recovery_Server    HexInt32       [Key Information] Recovery Server.
Recovery_Reason    UnicodeString  [Key Information] Recovery Reason.
Recovery_Key_ID    UnicodeString  [Key Information] Recovery Key ID.
Status_Code        HexInt32       [Status Information] Status Code.
SubjectUserSid     SID            [Subject] Security ID
SubjectUserName    UnicodeString  [Subject] Account Name
SubjectDomainName  UnicodeString  [Subject] Account Domain
SubjectLogonId     HexInt64       [Subject] Logon ID
MasterKeyId        UnicodeString  [Key Information] Key Identifier
RecoveryReason     HexInt32       [Key Information] Recovery Server
RecoveryServer     UnicodeString  [Key Information] Recovery Reason
RecoveryKeyId      UnicodeString  [Key Information] Recovery Key ID
FailureId          HexInt32       [Status Information] Status Code

Community Notes

May appear when an attacker re-uses offline profiles or moves tokens between hosts. Correlate with LogonType 7/9 in 4624.

Source: Detecting Credential Stealing Attacks Through Active In-Network Defense
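One way to run the correlation described in the note, as an added example that is not part of the original page: it joins each 4693 to the 4624 that created its logon session and keeps only sessions with LogonType 7 or 9. It assumes events are already parsed into dicts; the `Computer` key and the 4624 fields `TargetLogonId` and `LogonType` are not listed on this page, and all sample events are constructed.

```python
# Added example; every event below is a constructed sample, not real log data.
SUSPECT_LOGON_TYPES = {7, 9}  # logon types named in the community note

def logon_id(value):
    """Normalise a HexInt64 logon ID such as '0x5F3E21' or '0x00000000005f3e21'."""
    return int(str(value), 16)

def correlate_4693(events):
    """Return 4693 events whose logon session was created by a type 7/9 4624."""
    sessions = {}
    for ev in events:
        if ev["EventID"] == 4624:
            # Logon IDs are only unique per host, so the host is part of the key.
            sessions[(ev["Computer"], logon_id(ev["TargetLogonId"]))] = ev
    findings = []
    for ev in events:
        if ev["EventID"] != 4693:
            continue
        logon = sessions.get((ev["Computer"], logon_id(ev["SubjectLogonId"])))
        if logon and int(logon["LogonType"]) in SUSPECT_LOGON_TYPES:
            findings.append({
                "host": ev["Computer"],
                "account": f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
                "master_key": ev["MasterKeyId"],
                "status": ev["FailureId"],
                "logon_type": int(logon["LogonType"]),
            })
    return findings

def _recovery(host, user, lid, key):
    """Build a constructed 4693 record using the field names from this page."""
    return {"EventID": 4693, "Computer": host, "SubjectDomainName": "EXAMPLE",
            "SubjectUserName": user, "SubjectLogonId": lid, "MasterKeyId": key,
            "RecoveryServer": "dc01.example.test", "FailureId": "0x0"}

SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "TargetLogonId": "0x00000000000a1b2c", "LogonType": "2"},
    _recovery("WS01", "alice", "0xA1B2C", "00000000-0000-0000-0000-000000000001"),
    {"EventID": 4624, "Computer": "WS02", "TargetLogonId": "0x00000000005f3e21", "LogonType": "9"},
    _recovery("WS02", "bob", "0x5F3E21", "00000000-0000-0000-0000-000000000002"),
    # No 4624 was collected for this session, so it cannot be classified here.
    _recovery("WS03", "carol", "0x77", "00000000-0000-0000-0000-000000000003"),
]

if __name__ == "__main__":
    for finding in correlate_4693(SAMPLE_EVENTS):
        print(finding)
```

A 4693 with no matching 4624 is skipped here; in practice that usually means the logon event aged out of the collection window and is worth reviewing separately.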
