{
  "id": "4724",
  "source": "windows_security",
  "category": "AccountMgmt",
  "name": "An attempt was made to reset an account's password",
  "priority": "P1",
  "applicable_version": "Windows Server 2008 R2 and later; Windows 7 and later",
  "last_reviewed": "2026-07-10",
  "definition": "Windows Security Event ID 4724 records an attempt to reset another account's password and is important for account-takeover investigations.",
  "trigger_scenarios": "The event is logged when an administrator, helpdesk workflow, or other principal resets a user password rather than changing its own password.",
  "key_fields": [
    {
      "field": "Subject",
      "explanation": "The identity that attempted the reset. Confirm it is an approved administrator or identity-management process."
    },
    {
      "field": "Target Account",
      "explanation": "The account whose password was reset. Privileged, service, and recently created accounts deserve special attention."
    },
    {
      "field": "Status",
      "explanation": "The operation result. Failed resets can reveal attempted but blocked account abuse."
    }
  ],
  "false_positives": [
    "Helpdesk and self-service identity workflows legitimately reset passwords.",
    "Emergency access procedures may reset privileged accounts during incidents."
  ],
  "related_event_ids": [
    "4723",
    "4738",
    "4624"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1098",
      "technique_name": "Account Manipulation"
    },
    {
      "technique_id": "T1078",
      "technique_name": "Valid Accounts"
    }
  ],
  "detection_notes": "T1098 Account Manipulation is signaled when Subject resets a privileged or service Target Account and Status is 0x0, followed by 4624 from a new Client Address. A successful reset outside approved helpdesk workflows gives an attacker a new valid credential, unlike a failed policy attempt.",
  "kql_snippet": "SecurityEvent\n| where EventID == 4724\n| project TimeGenerated, Computer, Account, TargetAccount, Activity, Status\n| order by TimeGenerated desc",
  "spl_snippet": "index=wineventlog EventCode=4724\n| table _time, host, SubjectUserName, TargetUserName, Status",
  "sample_log": "Subject: CORP\\helpdesk01\nTarget Account: CORP\\admin.ops\nStatus: 0x0",
  "source_url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724",
  "route": "/windows-events/4724/",
  "canonical_url": "https://soceventlookup.com/windows-events/4724/",
  "json_url": "/api/events/windows-security/4724.json"
}
