Event ID 4738 — A user account was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

A user account was changed.

Message #

A user account was changed.

Subject:
	Security ID: %5
	Account Name: %6
	Account Domain: %7
	Logon ID: %8

Target Account:
	Security ID: %4
	Account Name: %2
	Account Domain: %3

Changed Attributes:
	SAM Account Name: %10
	Display Name: %11
	User Principal Name: %12
	Home Directory: %13
	Home Drive: %14
	Script Path: %15
	Profile Path: %16
	User Workstations: %17
	Password Last Set: %18
	Account Expires: %19
	Primary Group ID: %20
	AllowedToDelegateTo: %21
	Old UAC Value: %22
	New UAC Value: %23
	User Account Control: %24
	User Parameters: %25
	SID History: %26
	Logon Hours: %27

Additional Information:
	Privileges: %9

Fields #

Name	Description
`Dummy` UnicodeString	—
`TargetUserName` UnicodeString	[Target Account] Account Name.
`TargetDomainName` UnicodeString	[Target Account] Account Domain.
`TargetSid` SID	[Target Account] Security ID.
`SubjectUserSid` SID	[Subject] Security ID.
`SubjectUserName` UnicodeString	[Subject] Account Name.
`SubjectDomainName` UnicodeString	[Subject] Account Domain.
`SubjectLogonId` HexInt64	[Subject] Logon ID.
`PrivilegeList` UnicodeString	[Additional Information] Privileges. Privilege constants reference
`SamAccountName` UnicodeString	[Changed Attributes] SAM Account Name.
`DisplayName` UnicodeString	[Changed Attributes] Display Name.
`UserPrincipalName` UnicodeString	[Changed Attributes] User Principal Name.
`HomeDirectory` UnicodeString	[Changed Attributes] Home Directory.
`HomePath` UnicodeString	[Changed Attributes] Home Drive.
`ScriptPath` UnicodeString	[Changed Attributes] Script Path.
`ProfilePath` UnicodeString	[Changed Attributes] Profile Path.
`UserWorkstations` UnicodeString	[Changed Attributes] User Workstations.
`PasswordLastSet` UnicodeString	[Changed Attributes] Password Last Set.
`AccountExpires` UnicodeString	[Changed Attributes] Account Expires.
`PrimaryGroupId` UnicodeString	[Changed Attributes] Primary Group ID.
`AllowedToDelegateTo` UnicodeString	[Changed Attributes] AllowedToDelegateTo.
`OldUacValue` UnicodeString	[Changed Attributes] Old UAC Value. UAC flags reference
`NewUacValue` UnicodeString	[Changed Attributes] New UAC Value. UAC flags reference
`UserAccountControl` UnicodeString	[Changed Attributes] User Account Control.
`UserParameters` UnicodeString	[Changed Attributes] User Parameters.
`SidHistory` UnicodeString	[Changed Attributes] SID History.
`LogonHours` UnicodeString	[Changed Attributes] Logon Hours.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4738,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T06:25:37.339747+00:00",
    "event_record_id": 2855,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 856
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Dummy": "-",
    "TargetUserName": "WDAGUtilityAccount",
    "TargetDomainName": "WINDEV2310EVAL",
    "TargetSid": "S-1-5-21-1992711665-1655669231-58201500-504",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "PrivilegeList": "-",
    "SamAccountName": "WDAGUtilityAccount",
    "DisplayName": "%%1793",
    "UserPrincipalName": "-",
    "HomeDirectory": "%%1793",
    "HomePath": "%%1793",
    "ScriptPath": "%%1793",
    "ProfilePath": "%%1793",
    "UserWorkstations": "%%1793",
    "PasswordLastSet": "10/25/2023 8:16:53 PM",
    "AccountExpires": "%%1794",
    "PrimaryGroupId": "513",
    "AllowedToDelegateTo": "-",
    "OldUacValue": "0x11",
    "NewUacValue": "0x11",
    "UserAccountControl": "-",
    "UserParameters": "%%1793",
    "SidHistory": "-",
    "LogonHours": "%%1797"
  },
  "message": ""
}

Detection Patterns #

User Account

Security-Auditing Event ID 4720: A user account was created.ANDEvent ID 4722: A user account was enabled.ANDEvent ID 4723: An attempt was made to change an account's password.ANDEvent ID 4724: An attempt was made to reset an account's password.ANDEvent ID 4725: A user account was disabled.ANDEvent ID 4726: A user account was deleted.ANDEvent ID 4728: A member was added to a security-enabled global group.ANDEvent ID 4732: A member was added to a security-enabled local group.ANDEvent ID 4733: A member was removed from a security-enabled local group.ANDEvent ID 4738: A user account was changed.ANDEvent ID 4743: A computer account was deleted.ANDEvent ID 4780: The ACL was set on accounts which are members of administrators groups.

6 rules

Elastic

User Added to Privileged Group in Active Directory (source)

Elastic, Skoetting

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Kusto Query Language

User account created and deleted within 10 mins (source)

Microsoft Security Research

New user created and added to the built-in administrators group (source)

Microsoft Security Research

User account enabled and disabled within 10 mins (source)

Microsoft Security Research

Show 1 more (4 total)

User account added to built in domain local or global group (source)

Microsoft Security Research

Domain Sid History Addition

Security-Auditing Event ID 4738: A user account was changed.OREvent ID 4742: A computer account was changed.

3 rules

Splunk

Windows AD Cross Domain SID History Addition (source)

Dean Luxton

Windows AD Privileged Account SID History Addition (source)

Dean Luxton

Windows AD Same Domain SID History Addition (source)

Dean Luxton

Persistence: Account Manipulation

Security-Auditing Event ID 4738: A user account was changed.OREvent ID 5136: A directory service object was modified.

2 rules

Sigma

Active Directory User Backdoors (source)

@neu5ron

Elastic

Account Configured with Never-Expiring Password (source)

Elastic

Defense Evasion: SID-History Injection

Security-Auditing Event ID 4738: A user account was changed.OREvent ID 4765: SID History was added to an account.OREvent ID 4766: An attempt to add SID History to an account failed.

1 rule

Sigma

Addition of SID History to Active Directory Object (source)

Thomas Patzke, @atc_project (improvements)

Community Notes #

User account changed, may capture priv-esc, password changes, or UAC flag changes.

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Weak Encryption Enabled and Kerberoast source high: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.

Elastic # view in reference

Kerberos Pre-authentication Disabled for User source medium: Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.
KRBTGT Delegation Backdoor source high: Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.

Splunk # view in reference

Kerberos Pre-Authentication Flag Disabled in UserAccountControl source: The following analytic detects when the Kerberos Pre-Authentication flag is disabled in a user account, using Windows Security Event 4738. This event indicates a change in the UserAccountControl property of a domain user object. Disabling this flag allows adversaries to perform offline brute force attacks on the user's password using the AS-REP Roasting technique. This activity is significant as it can be used by attackers with existing privileges to escalate their access or maintain persistence. If confirmed malicious, this could lead to unauthorized access and potential compromise of sensitive information.

Kusto Query Language # view in reference

AD account with Don't Expire Password source low: 'Identifies whenever a user account has the setting "Password Never Expires" in the user account properties selected. This is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089. %%2089 resolves to "Don't Expire Password - Enabled".'

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4738
Example event sourced from https://github.com/NextronSystems/evtx-baseline