Event ID 4725 — A user account was disabled.
Description
A user account was disabled.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | [Target Account] Account Name. |
| TargetDomainName | UnicodeString | [Target Account] Account Domain. |
| TargetSid | SID | [Target Account] Security ID. |
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4725,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-10-25T22:53:19.612560+00:00",
    "event_record_id": 2634,
    "correlation": {
      "ActivityID": "D5BBEBF4-0795-0001-A8EC-BBD59507DA01"
    },
    "execution": {
      "process_id": 824,
      "thread_id": 880
    },
    "channel": "Security",
    "computer": "WinDevEval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "Administrator",
    "TargetDomainName": "WINDEVEVAL",
    "TargetSid": "S-1-5-21-2533829718-189860685-2477588761-500",
    "SubjectUserSid": "S-1-5-21-2533829718-189860685-2477588761-500",
    "SubjectUserName": "Administrator",
    "SubjectDomainName": "WINDEVEVAL",
    "SubjectLogonId": "0x42eea"
  },
  "message": ""
}
```
Detection Patterns #
User Account (Security-Auditing): the following events, combined with AND
- Event ID 4720: A user account was created.
- Event ID 4722: A user account was enabled.
- Event ID 4723: An attempt was made to change an account's password.
- Event ID 4724: An attempt was made to reset an account's password.
- Event ID 4725: A user account was disabled.
- Event ID 4726: A user account was deleted.
- Event ID 4728: A member was added to a security-enabled global group.
- Event ID 4732: A member was added to a security-enabled local group.
- Event ID 4733: A member was removed from a security-enabled local group.
- Event ID 4738: A user account was changed.
- Event ID 4743: A computer account was deleted.
- Event ID 4780: The ACL was set on accounts which are members of administrators groups.
Detection Rules #
Splunk #
- Windows Multiple Accounts Disabled (source): The following analytic identifies instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. It leverages the wineventlog_security dataset, grouping data into 10-minute segments and tracking the count and distinct count of TargetUserName. This behavior is significant as it may indicate internal policy breaches or an external attacker's attempt to disrupt operations. If confirmed malicious, this activity could lead to widespread account lockouts, hindering user access and potentially disrupting business operations.
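The same logic as the Splunk analytic above, re-implemented in Python over 4725 records in the JSON layout of the Example Event, as an added example that is not the page's or Splunk's own code. The 10-minute window and five-account threshold follow the rule text; the sample events and the `make_event` helper are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 600   # 10-minute bins, as in the Splunk analytic
THRESHOLD = 5          # alert when more than five distinct accounts

def make_event(ts, target, subject="Administrator"):
    """Build a constructed 4725 record in the page's JSON layout (hypothetical helper)."""
    return {"system": {"event_id": 4725, "channel": "Security",
                       "time_created": ts},
            "event_data": {"TargetUserName": target,
                           "TargetDomainName": "WINDEVEVAL",
                           "SubjectUserName": subject,
                           "SubjectLogonId": "0x42eea"}}

def find_mass_disable(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return (window_start, count, distinct_targets, subjects) for every
    window holding more than `threshold` distinct disabled accounts."""
    bins = defaultdict(list)
    for ev in events:
        if ev["system"].get("event_id") != 4725:
            continue  # ignore other Security events in the stream
        t = datetime.fromisoformat(ev["system"]["time_created"])
        bucket = int(t.timestamp()) // window * window   # epoch-aligned bin
        bins[bucket].append(ev["event_data"])
    hits = []
    for start in sorted(bins):
        data = bins[start]
        targets = {d["TargetUserName"] for d in data}   # distinct count
        if len(targets) > threshold:
            # the Subject fields tell the analyst who performed the disables
            subjects = sorted({d["SubjectUserName"] for d in data})
            start_iso = datetime.fromtimestamp(start, timezone.utc).isoformat()
            hits.append((start_iso, len(data), sorted(targets), subjects))
    return hits

# Constructed sample: six accounts disabled inside one 10-minute window
# by the same subject, plus one lone disable an hour later (expected benign).
SAMPLE = [make_event(f"2023-10-25T22:5{i}:19+00:00", f"user{i}")
          for i in range(6)] + [
    make_event("2023-10-25T23:55:00+00:00", "user9", "helpdesk")]

if __name__ == "__main__":
    for start, n, targets, who in find_mass_disable(SAMPLE):
        print(f"{start}: {n} disables, {len(targets)} accounts, by {who}")
```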
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4725
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4725
- Example event sourced from https://github.com/NextronSystems/evtx-baseline