{
  "id": "4964",
  "source": "windows_security",
  "category": "Logon",
  "name": "Special groups have been assigned to a new logon",
  "priority": "P2",
  "applicable_version": "Windows Server 2008 R2 and later",
  "last_reviewed": "2026-07-13",
  "definition": "Windows Security Event ID 4964 records a logon by an account that is a member of a configured Special Group.",
  "trigger_scenarios": "This event occurs when a member of a group SID listed in HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Audit\\SpecialGroups logs on.",
  "key_fields": [
    {
      "field": "SidList",
      "explanation": "The list of special group SIDs assigned to the new logon. Microsoft gives S-1-5-32-544 as an example and documents semicolon-delimited SID lists in the SpecialGroups registry value."
    },
    {
      "field": "TargetUserName / TargetLogonId / TargetLogonGuid",
      "explanation": "Identifies the account that performed the logon and supplies correlation keys to 4624, 4648, and 4769."
    },
    {
      "field": "SubjectLogonId",
      "explanation": "Hexadecimal logon ID for the account that requested the logon and a join key to nearby authentication events."
    }
  ],
  "false_positives": [
    "Normal administrative logons by monitored groups will generate this event by design.",
    "A broad SpecialGroups registry list can create high volume until the SID list is tuned."
  ],
  "related_event_ids": [
    "4624",
    "4648",
    "4769"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1078.002",
      "technique_name": "Valid Accounts: Domain Accounts"
    }
  ],
  "detection_notes": "Use threshold=1 for Special Group logons to non-administrative workstations or unusual servers. Microsoft documents the SpecialGroups registry path HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Audit and SID list examples such as S-1-5-32-544; when SidList contains an administrative SID and TargetLogonId correlates to 4624 Logon Type 10 or Type 3 from an unusual source, treat it as T1078.002 Valid Accounts: Domain Accounts. Correlate TargetLogonGuid with 4648 or 4769 when present.",
  "kql_snippet": "SecurityEvent\n| where EventID == 4964\n| project TimeGenerated, Computer, Account",
  "spl_snippet": "index=wineventlog EventCode=4964 | table _time, host",
  "sample_log": "EventID: 4964\nTargetUserName: dadmin\nTargetLogonId: 0x139faf\nTargetLogonGuid: {B03B6192-09AE-E77F-DD10-2DC430766040}\nSidList: %{S-1-5-32-544}",
  "source_url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4964",
  "route": "/windows-events/4964/",
  "canonical_url": "https://soceventlookup.com/windows-events/4964/",
  "json_url": "/api/events/windows-security/4964.json"
}
