
Event ID 4780 — The ACL was set on accounts which are members of administrators groups.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

The ACL was set on accounts which are members of administrators groups.

Message

The ACL was set on accounts which are members of administrators groups.


Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Target Account:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Additional Information:
	Privileges: %8

Every hour, the Windows domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on every security principal account in its domain (users, groups, and machine accounts) that belongs to an administrative group against the ACL on the AdminSDHolder object. If an account's ACL differs from the ACL on the AdminSDHolder object, the account's ACL is reset to match the ACL on the AdminSDHolder object and this event is generated.

Fields

Name               Type           Description
TargetUserName     UnicodeString  [Target Account] Account Name
TargetDomainName   UnicodeString  [Target Account] Account Domain
TargetSid          SID            [Target Account] Security ID
SubjectUserSid     SID            [Subject] Security ID
SubjectUserName    UnicodeString  [Subject] Account Name
SubjectDomainName  UnicodeString  [Subject] Account Domain
SubjectLogonId     HexInt64       [Subject] Logon ID
PrivilegeList      UnicodeString  [Additional Information] Privileges (see: Privilege constants reference)
Account_Name       UnicodeString  [Target Account] Account Name.
Account_Domain     UnicodeString  [Target Account] Account Domain.
Security_ID        SID            [Target Account] Security ID.
Logon_ID           HexInt64       [Subject] Logon ID.
Privileges         UnicodeString  [Additional Information] Privileges. (see: Privilege constants reference)

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4780,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-14T00:17:46.607238+00:00",
    "event_record_id": 16777470,
    "correlation": {},
    "execution": {
      "process_id": 940,
      "thread_id": 1056
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "Domain Admins",
    "TargetDomainName": "DC=ludus,DC=domain",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-512",
    "SubjectUserSid": "S-1-5-7",
    "SubjectUserName": "ANONYMOUS LOGON",
    "SubjectDomainName": "NT AUTHORITY",
    "SubjectLogonId": "0x3e6",
    "PrivilegeList": "-"
  },
  "message": ""
}
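
A triage sketch for records in the JSON shape shown above, added here as an example and not taken from the original page or from any vendor tooling. It relies on the hourly comparison described earlier: one 4780 per target means that account's ACL differed from AdminSDHolder on that run. The reviewed baseline set, the repeat threshold, the function names, and the sample account "svc-backup" (RID 1105) are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

DOMAIN = "S-1-5-21-1006758700-2167138679-1475694448"  # domain SID from the example event

def _ev(ts, name, rid, event_id=4780):
    """Constructed record carrying only the fields this example reads."""
    return {"system": {"event_id": event_id, "channel": "Security", "time_created": ts},
            "event_data": {"TargetUserName": name, "TargetSid": f"{DOMAIN}-{rid}"}}

# Constructed sample input: RID 1105 and the name "svc-backup" are hypothetical.
SAMPLE = [
    _ev("2026-03-14T00:17:46+00:00", "Domain Admins", 512),
    _ev("2026-03-14T01:17:47+00:00", "svc-backup", 1105),
    _ev("2026-03-14T02:17:49+00:00", "svc-backup", 1105),
    _ev("2026-03-14T03:17:50+00:00", "svc-backup", 1105),
    _ev("2026-03-14T03:20:00+00:00", "svc-backup", 1105, event_id=4738),  # ignored
]

def triage_4780(events, baseline_sids, repeat_threshold=2):
    """Group 4780 resets per target SID and return the targets worth reviewing.

    not_in_baseline: the account is being treated as a member of an
        administrative group but is not on the operator's reviewed list.
    repeated_reset: the ACL differed from AdminSDHolder on several runs,
        so something keeps changing it between hourly comparisons.
    """
    seen = defaultdict(list)
    for ev in events:
        system, data = ev.get("system", {}), ev.get("event_data", {})
        if system.get("event_id") != 4780 or system.get("channel") != "Security":
            continue
        sid = data.get("TargetSid")
        if sid:
            when = datetime.fromisoformat(system["time_created"])
            seen[sid].append((when, data.get("TargetUserName", "?")))
    findings = []
    for sid, hits in sorted(seen.items()):
        hits.sort()
        reasons = []
        if sid not in baseline_sids:
            reasons.append("not_in_baseline")
        if len(hits) >= repeat_threshold:
            reasons.append("repeated_reset")
        if reasons:
            findings.append({"sid": sid, "name": hits[-1][1], "count": len(hits),
                             "first": hits[0][0].isoformat(),
                             "last": hits[-1][0].isoformat(), "reasons": reasons})
    return findings
```
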

Detection Patterns

References