Event ID 4912 — Per User Audit Policy was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Audit Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Per User Audit Policy was changed.

Message

Per User Audit Policy was changed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Policy For Account:
	Security ID: %5

Policy Change Details:
	Category: %6
	Subcategory: %7
	Subcategory GUID: %8
	Changes: %9

Fields

The rendered message labels (left) and the EventData element names in the event XML (right) carry the same values. In the XML, Category, Subcategory and Changes are stored as %%nnnn resource-string IDs, which Event Viewer resolves to the names listed under Known values below.

Message field      EventData name      Type           Section                 Description
Security_ID        SubjectUserSid      SID            Subject                 SID of the account that changed the per-user policy
Account_Name       SubjectUserName     UnicodeString  Subject                 Account name of the subject
Account_Domain     SubjectDomainName   UnicodeString  Subject                 Domain of the subject
Logon_ID           SubjectLogonId      HexInt64       Subject                 Logon session of the subject; matches the Logon ID in its 4624
Security_ID        TargetUserSid       SID            Policy For Account      SID of the account whose per-user audit policy was changed
Category           CategoryId          UnicodeString  Policy Change Details   Audit category (%%8272 to %%8280)
Subcategory        SubcategoryId       UnicodeString  Policy Change Details   Audit subcategory (%%12288 to %%14339)
Subcategory_GUID   SubcategoryGuid     GUID           Policy Change Details   GUID of that subcategory
Changes            AuditPolicyChanges  UnicodeString  Policy Change Details   Per-user setting(s) added or removed (%%8448 to %%8459)

Known values for CategoryId (Category):
%%8272  System
%%8273  Logon/Logoff
%%8274  Object Access
%%8275  Privilege Use
%%8276  Detailed Tracking
%%8277  Policy Change
%%8278  Account Management
%%8279  DS Access
%%8280  Account Logon
Known values for SubcategoryId (Subcategory). The IDs come in blocks of 256 (12288 = 0x3000, 12544 = 0x3100, and so on), one block per category in the order listed above:
%%12288  Security State Change
%%12289  Security System Extension
%%12290  System Integrity
%%12291  IPsec Driver
%%12292  Other System Events
%%12544  Logon
%%12545  Logoff
%%12546  Account Lockout
%%12547  IPsec Main Mode
%%12548  Special Logon
%%12549  IPsec Quick Mode
%%12550  IPsec Extended Mode
%%12551  Other Logon/Logoff Events
%%12552  Network Policy Server
%%12553  User / Device Claims
%%12554  Group Membership
%%12800  File System
%%12801  Registry
%%12802  Kernel Object
%%12803  SAM
%%12804  Other Object Access Events
%%12805  Certification Services
%%12806  Application Generated
%%12807  Handle Manipulation
%%12808  File Share
%%12809  Filtering Platform Packet Drop
%%12810  Filtering Platform Connection
%%12811  Detailed File Share
%%12812  Removable Storage
%%12813  Central Policy Staging
%%13056  Sensitive Privilege Use
%%13057  Non Sensitive Privilege Use
%%13058  Other Privilege Use Events
%%13312  Process Creation
%%13313  Process Termination
%%13314  DPAPI Activity
%%13315  RPC Events
%%13316  Plug and Play Events
%%13317  Token Right Adjusted Events
%%13568  Audit Policy Change
%%13569  Authentication Policy Change
%%13570  Authorization Policy Change
%%13571  MPSSVC Rule-Level Policy Change
%%13572  Filtering Platform Policy Change
%%13573  Other Policy Change Events
%%13824  User Account Management
%%13825  Computer Account Management
%%13826  Security Group Management
%%13827  Distribution Group Management
%%13828  Application Group Management
%%13829  Other Account Management Events
%%14080  Directory Service Access
%%14081  Directory Service Changes
%%14082  Directory Service Replication
%%14083  Detailed Directory Service Replication
%%14336  Credential Validation
%%14337  Kerberos Service Ticket Operations
%%14338  Other Account Logon Events
%%14339  Kerberos Authentication Service
Known values for SubcategoryGuid (Subcategory GUID): this field holds the GUID of the subcategory named in SubcategoryId, not a %%nnnn resource ID (for example, Process Creation is {0CCE922B-69AE-11D9-BED3-505054503030} and Audit Policy Change is {0CCE922F-69AE-11D9-BED3-505054503030}). The full name-to-GUID mapping on a host is printed by `auditpol /list /subcategory:* /v`.
Known values for AuditPolicyChanges (Changes). The plain Success/Failure values mirror the system-wide settings; the include/exclude pairs are the per-user overrides set with `auditpol /set /user:<SID> ... /include` or `/exclude`, where an include audits the subcategory for that account even when the system policy does not, and an exclude suppresses it for that account even when the system policy does:
%%8448  Success removed
%%8449  Success Added
%%8450  Failure removed
%%8451  Failure added
%%8452  Success include removed
%%8453  Success include added
%%8454  Success exclude removed
%%8455  Success exclude added
%%8456  Failure include removed
%%8457  Failure include added
%%8458  Failure exclude removed
%%8459  Failure exclude added

Community Notes

Per-user audit policy overrides the system-wide policy for a single account, so a 4912 whose Changes reduces auditing for the target SID (Success removed, Failure removed, a Success or Failure include removed, or a Success or Failure exclude added) is a candidate for an attempt to hide that account's activity. Weight it higher when the target is a privileged or service account and the subcategory is one an attacker would want quiet, such as Process Creation, Logon or Sensitive Privilege Use. Pair it with 4719 (system audit policy changed), 4902 (per-user audit policy table created) and the 4624 that carries the same Logon ID as the Subject to reconstruct who made the change and from which session, and confirm the resulting state on the host with `auditpol /get /user:<SID> /category:*`. Note that 4912 is itself recorded under the Audit Policy Change subcategory: if Success auditing for that subcategory is switched off, later per-user changes are not logged, so collect 4719 alongside 4912 and alert on changes to that subcategory.
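The field mapping and the triage rule above, as an added example (not code from the original page, nor from Microsoft or Yamato Security): parse a 4912 event from its XML form, resolve the %%nnnn IDs with the Known values tables, and flag changes that can reduce auditing for the target SID. The two sample events are constructed; the SIDs, host name and logon ID are invented, the subcategory tables are a subset, and the REDUCES_AUDITING classification is this editor's reading of the include/exclude semantics.

```python
"""Decode Security event 4912 (Per User Audit Policy was changed) from its
XML form and flag changes that reduce auditing for the target account.
Added example; the sample events below are constructed, not real log data."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# %%nnnn resource-string IDs as carried in EventData (subset of the Known
# values tables; extend as needed)
CATEGORY_ID = {
    "%%8272": "System", "%%8273": "Logon/Logoff", "%%8274": "Object Access",
    "%%8275": "Privilege Use", "%%8276": "Detailed Tracking",
    "%%8277": "Policy Change", "%%8278": "Account Management",
    "%%8279": "DS Access", "%%8280": "Account Logon",
}
SUBCATEGORY_ID = {
    "%%12544": "Logon", "%%13056": "Sensitive Privilege Use",
    "%%13312": "Process Creation", "%%13568": "Audit Policy Change",
    "%%14336": "Credential Validation",
}
AUDIT_POLICY_CHANGES = {
    "%%8448": "Success removed", "%%8449": "Success Added",
    "%%8450": "Failure removed", "%%8451": "Failure added",
    "%%8452": "Success include removed", "%%8453": "Success include added",
    "%%8454": "Success exclude removed", "%%8455": "Success exclude added",
    "%%8456": "Failure include removed", "%%8457": "Failure include added",
    "%%8458": "Failure exclude removed", "%%8459": "Failure exclude added",
}
# Editor's classification: a Success/Failure setting removed, an include
# removed (account falls back to system policy) or an exclude added
# (subcategory suppressed for this account) can all cut events for the SID.
REDUCES_AUDITING = {"%%8448", "%%8450", "%%8452", "%%8455", "%%8456", "%%8459"}


def parse_4912(xml_text: str) -> dict:
    """Return EventData keyed by Data Name, with Changes split into a list."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4912":
        raise ValueError("not a 4912 event")
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    # AuditPolicyChanges can list several %%ids separated by commas
    data["Changes"] = [c.strip() for c in data.get("AuditPolicyChanges", "").split(",")
                       if c.strip()]
    return data


def triage_4912(xml_text: str) -> dict:
    """Resolve IDs to names and say whether auditing for the target shrank."""
    d = parse_4912(xml_text)
    return {
        "subject": f"{d['SubjectDomainName']}\\{d['SubjectUserName']}",
        "subject_logon_id": d["SubjectLogonId"],  # join key to the subject's 4624
        "target_sid": d["TargetUserSid"],
        "category": CATEGORY_ID.get(d["CategoryId"], d["CategoryId"]),
        "subcategory": SUBCATEGORY_ID.get(d["SubcategoryId"], d["SubcategoryId"]),
        "subcategory_guid": d["SubcategoryGuid"],
        "changes": [AUDIT_POLICY_CHANGES.get(c, c) for c in d["Changes"]],
        "reduces_auditing": any(c in REDUCES_AUDITING for c in d["Changes"]),
    }


def _sample(changes: str) -> str:
    """Constructed 4912 event XML; SIDs, host and logon ID are invented."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4912</EventID><Channel>Security</Channel>
    <Computer>WS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7c2</Data>
    <Data Name="TargetUserSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="CategoryId">%%8276</Data>
    <Data Name="SubcategoryId">%%13312</Data>
    <Data Name="SubcategoryGuid">{{0CCE922B-69AE-11D9-BED3-505054503030}}</Data>
    <Data Name="AuditPolicyChanges">{changes}</Data>
  </EventData>
</Event>"""


# Process Creation excluded for one SID: fewer events for that account
SUPPRESSING_EVENT = _sample("%%8455")
# Process Creation include added for success and failure: more events
ENABLING_EVENT = _sample("%%8453, %%8457")

if __name__ == "__main__":
    for ev in (SUPPRESSING_EVENT, ENABLING_EVENT):
        r = triage_4912(ev)
        flag = "REVIEW" if r["reduces_auditing"] else "info"
        print(f"[{flag}] {r['subject']} (logon {r['subject_logon_id']}) set "
              f"{r['subcategory']}: {', '.join(r['changes'])} for {r['target_sid']}")
```

On a live host the same XML is obtained with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4912}` and each event's `.ToXml()`; the `subject_logon_id` in the result is the value to join against 4624 when building the timeline described above.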
