detection.wiki

Microsoft-Windows-Security-Auditing › Event 4739

Event ID 4739 — Domain Policy was changed.

Provider
Microsoft-Windows-Security-Auditing
Channel
Security
Audit Policy
Policy Change → Authentication Policy Change
Collection Priority
Recommended (Yamato Security, others)
Opcode
Info

Description

Domain Policy was changed.

Message #

Domain Policy was changed.

Change Type: %1 modified

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Domain:
	Domain Name: %2
	Domain ID: %3

Changed Attributes:
	Min. Password Age: %9
	Max. Password Age: %10
	Force Logoff: %11
	Lockout Threshold: %12
	Lockout Observation Window: %13
	Lockout Duration: %14
	Password Properties: %15
	Min. Password Length: %16
	Password History Length: %17
	Machine Account Quota: %18
	Mixed Domain Mode: %19
	Domain Behavior Version: %20
	OEM Information: %21

Additional Information:
	Privileges: %8

Fields #

NameDescription
DomainPolicyChanged UnicodeStringChange Type.
DomainName UnicodeString[Domain] Domain Name.
DomainSid SID[Domain] Domain ID.
SubjectUserSid SID[Subject] Security ID.
SubjectUserName UnicodeString[Subject] Account Name.
SubjectDomainName UnicodeString[Subject] Account Domain.
SubjectLogonId HexInt64[Subject] Logon ID.
PrivilegeList UnicodeString[Additional Information] Privileges. Privilege constants reference
MinPasswordAge UnicodeString[Changed Attributes] Min. Password Age.
MaxPasswordAge UnicodeString[Changed Attributes] Max. Password Age.
ForceLogoff UnicodeString[Changed Attributes] Force Logoff.
LockoutThreshold UnicodeString[Changed Attributes] Lockout Threshold.
LockoutObservationWindow UnicodeString[Changed Attributes] Lockout Observation Window.
LockoutDuration UnicodeString[Changed Attributes] Lockout Duration.
PasswordProperties UnicodeString[Changed Attributes] Password Properties.
MinPasswordLength UnicodeString[Changed Attributes] Min. Password Length.
PasswordHistoryLength UnicodeString[Changed Attributes] Password History Length.
MachineAccountQuota UnicodeString[Changed Attributes] Machine Account Quota.
MixedDomainMode UnicodeString[Changed Attributes] Mixed Domain Mode.
DomainBehaviorVersion UnicodeString[Changed Attributes] Domain Behavior Version.
OemInformation UnicodeString[Changed Attributes] OEM Information.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4739,
    "version": 0,
    "level": 0,
    "task": 13569,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T06:25:34.991613+00:00",
    "event_record_id": 2783,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 896
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DomainPolicyChanged": "Password Policy",
    "DomainName": "WINDEV2310EVAL",
    "DomainSid": "S-1-5-21-1992711665-1655669231-58201500",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "PrivilegeList": "-",
    "MinPasswordAge": "ퟏ~",
    "MaxPasswordAge": "ퟏ~",
    "ForceLogoff": "-",
    "LockoutThreshold": "-",
    "LockoutObservationWindow": "-",
    "LockoutDuration": "-",
    "PasswordProperties": "8",
    "MinPasswordLength": "0",
    "PasswordHistoryLength": "0",
    "MachineAccountQuota": "-",
    "MixedDomainMode": "-",
    "DomainBehaviorVersion": "-",
    "OemInformation": "-"
  },
  "message": ""
}

Community Notes #

Attackers with Domain Admin may weaken password/lockout requirements to speed credential attacks. May precede password spraying or Kerberos ticket forgery. Pair with 4768 and 4771. Also a prelude to DCShadow or other directory-level attacks.

References #