Event ID 4782 — The password hash an account was accessed.
Description
The password hash an account was accessed.
Message #
Fields #
| Name | Description |
|---|---|
Account_Name UnicodeString | [Target Account] Account Name. |
Account_Domain UnicodeString | [Target Account] Account Domain. |
Security_ID SID | [Subject] Security ID. |
Account_Name UnicodeString | [Subject] Account Name. |
Account_Domain UnicodeString | [Subject] Account Domain. |
Logon_ID HexInt64 | [Subject] Logon ID. |
TargetUserName UnicodeString | [Target Account] Account Name |
TargetDomainName UnicodeString | [Target Account] Account Domain |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
Community Notes #
May indicate Pass-the-Hash. Legitimate use occurs during AD password migration operations under SYSTEM or a dedicated migration account.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4782
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-account-management-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4782