4738 A user account was changed
Written when a user object’s attributes are changed. It captures setting changes that can lead to abuse, such as changes to the account control flags (UAC).
Overview
The subcategory is Audit User Account Management. The event is generated whenever a user object is changed and is recorded on domain controllers, member servers, and workstations alike. It lists the main attributes as they stand after the change together with the state of the User Account Control flags.
How it is triggered
- Changes to user attributes (display name, account control flags, expiration, UPN, and so on).
- Password changes and resets are separate events (4723/4724), but a 4738 may also be logged alongside them.
Security review points
- Watch for dangerous changes to the User Account Control flags. For example, "password not required (PASSWD_NOTREQD)," "password never expires (DONT_EXPIRE_PASSWORD)," and "trusted for delegation (TRUSTED_FOR_DELEGATION)" can lead to authentication bypass or delegation abuse.
- A change to "do not require pre-authentication (DONT_REQUIRE_PREAUTH)" is a foothold for AS-REP roasting (an attack that obtains the AS-REP response for a pre-auth-disabled account and cracks the password offline).
Notes for log review
- Attribute changes are frequent in legitimate operation. Focus on which attribute changed (especially the UAC flags) and narrow alerting to the enabling of dangerous flags.
- Knowing the before/after values is helpful, but 4738 mainly records the post-change state. Reconcile the prior state with other records or with directory object auditing.
Key fields
| Field | Meaning |
|---|---|
| Target Account\Account Name | The changed account |
| User Account Control | The change to the account control flags |
| Subject\Account Name | The subject that made the change |
Glossary
- UAC flags (userAccountControl) — a set of bits representing an account’s nature (disabled, password never expires, trusted for delegation, and so on). Dangerous combinations are abused in attacks.