Event ID 4724 — An attempt was made to reset an account's password.
Description
An attempt was made to reset an account's password.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | [Target Account] Account Name. |
TargetDomainName UnicodeString | [Target Account] Account Domain. |
TargetSid SID | [Target Account] Security ID. |
SubjectUserSid SID | [Subject] Security ID. |
SubjectUserName UnicodeString | [Subject] Account Name. |
SubjectDomainName UnicodeString | [Subject] Account Domain. |
SubjectLogonId HexInt64 | [Subject] Logon ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4724,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:35.054380+00:00",
"event_record_id": 2787,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 896
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "User",
"TargetDomainName": "WINDEV2310EVAL",
"TargetSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7"
},
"message": ""
}
Detection Patterns #
User Account
Security-Auditing Event ID 4720: A user account was created.ANDEvent ID 4722: A user account was enabled.ANDEvent ID 4723: An attempt was made to change an account's password.ANDEvent ID 4724: An attempt was made to reset an account's password.ANDEvent ID 4725: A user account was disabled.ANDEvent ID 4726: A user account was deleted.ANDEvent ID 4728: A member was added to a security-enabled global group.ANDEvent ID 4732: A member was added to a security-enabled local group.ANDEvent ID 4733: A member was removed from a security-enabled local group.ANDEvent ID 4738: A user account was changed.ANDEvent ID 4743: A computer account was deleted.ANDEvent ID 4780: The ACL was set on accounts which are members of administrators groups.
6 rules
Detection Rules #
View all rules referencing this event →
Splunk # view in reference
- Windows Multiple Account Passwords Changed source: The following analytic detects instances where more than five unique Windows account passwords are changed within a 10-minute interval. It leverages Event Code 4724 from the Windows Security Event Log, using the wineventlog_security dataset to monitor and count distinct TargetUserName values. This behavior is significant as rapid password changes across multiple accounts are unusual and may indicate unauthorized access or internal compromise. If confirmed malicious, this activity could lead to widespread account compromise, unauthorized access to sensitive information, and potential disruption of services.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4724
- Example event sourced from https://github.com/NextronSystems/evtx-baseline