4782 The password hash of an account was accessed

Event 4782 is written when an account’s password hash is accessed. This occurs legitimately during account migration, but an extracted hash leads directly to credential theft, so the event warrants attention.

Overview

The subcategory is Audit Other Account Management Events. On a domain controller, it is generated when a password hash is accessed during password migration of an account by tools such as the Active Directory Migration Toolkit (ADMT).

How it is triggered

  • Cross-domain password-hash migration by a migration tool such as ADMT.
  • A call to the legitimate API that reads password hashes.

Security review points

  • An accessed password hash can be used for pass-the-hash or offline cracking. If 4782 appears when no migration project is planned, or with an unexpected subject or target, suspect a credential-theft attempt.
  • Hash retrieval by other paths, such as DCSync (detected via 4662), is recorded differently. Because 4782 indicates “hash access via the migration API,” monitor multiple theft paths together.

Notes for log review

  • It is rare in normal operation. Investigate occurrences with no legitimate migration context at high priority.
  • Check the target account, subject, and timing, and reconcile against migration project records.
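
The reconciliation described in these notes, as an added example that is not part of the original page: it parses 4782 events exported as XML and lists how each one deviates from a migration project record. The migration record, account names and sample events are constructed for illustration; `TargetUserName` and `SubjectUserName` are the data names the fields carry in the event XML.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Hypothetical migration project record: approved window (UTC), the
# migration service accounts (subjects) and the accounts in scope (targets).
MIGRATION = {
    "start": datetime(2024, 5, 4, 18, 0, tzinfo=timezone.utc),
    "end": datetime(2024, 5, 5, 6, 0, tzinfo=timezone.utc),
    "subjects": {"svc-admt"},
    "targets": {"alice", "bob"},
}

def sample(subject, target, stamp, event_id="4782"):
    """Build a constructed event in the Windows event XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{stamp}"/></System><EventData>'
            f'<Data Name="TargetUserName">{target}</Data>'
            f'<Data Name="SubjectUserName">{subject}</Data></EventData></Event>')

def parse_4782(xml_text):
    """Return subject, target and UTC time of a 4782 event, else None."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system.findtext("e:EventID", namespaces=NS) != "4782":
        return None
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    # SystemTime has more fractional digits than strptime accepts; keep seconds.
    when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return {"subject": data.get("SubjectUserName", "").lower(),
            "target": data.get("TargetUserName", "").lower(), "time": when}

def review(event, plan=MIGRATION):
    """List the ways an event fails to match the migration record."""
    reasons = []
    if not plan["start"] <= event["time"] <= plan["end"]:
        reasons.append("outside migration window")
    if event["subject"] not in plan["subjects"]:
        reasons.append("unexpected subject")
    if event["target"] not in plan["targets"]:
        reasons.append("target not in migration scope")
    return reasons

if __name__ == "__main__":
    for args in [("svc-admt", "Alice", "2024-05-04T21:10:03.123456700Z"),
                 ("jdoe", "finance-admin", "2024-06-11T02:14:55.000000000Z")]:
        event = parse_4782(sample(*args))
        print(event["subject"], event["target"], review(event) or "matches migration record")
```

An empty list from `review` means the event fits the recorded migration; any other result is a 4782 to investigate at high priority.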

Key fields

| Field | Meaning |
|---|---|
| Target Account\Account Name | The account whose hash was accessed |
| Subject\Account Name | The subject that performed the access |