Data Source: Windows Event Log Security 4794

Date: 2025-01-23

ID: ec7da74f-274a-4bde-aa0e-15c68aca0426

Author: Patrick Bareiss, Splunk

Description

Logs attempts to set the Directory Services Restore Mode (DSRM) administrator password, including details about the account name and the user performing the action.

Details

Property	Value
Source	`XmlWinEventLog:Security`
Sourcetype	`xmlwineventlog`
Separator	EventCode

Supported Apps

Splunk Add-on for Microsoft Windows (version 9.0.1)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">ActivityID</span>
  
  <span class="pill kill-chain">Caller_Domain</span>
  
  <span class="pill kill-chain">Caller_User_Name</span>
  
  <span class="pill kill-chain">CategoryString</span>
  
  <span class="pill kill-chain">Channel</span>
  
  <span class="pill kill-chain">Computer</span>
  
  <span class="pill kill-chain">Error_Code</span>
  
  <span class="pill kill-chain">EventCode</span>
  
  <span class="pill kill-chain">EventData_Xml</span>
  
  <span class="pill kill-chain">EventID</span>
  
  <span class="pill kill-chain">EventRecordID</span>
  
  <span class="pill kill-chain">Guid</span>
  
  <span class="pill kill-chain">Keywords</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">Logon_ID</span>
  
  <span class="pill kill-chain">Name</span>
  
  <span class="pill kill-chain">Opcode</span>
  
  <span class="pill kill-chain">ProcessID</span>
  
  <span class="pill kill-chain">RecordNumber</span>
  
  <span class="pill kill-chain">Source_Workstation</span>
  
  <span class="pill kill-chain">Status</span>
  
  <span class="pill kill-chain">SubjectDomainName</span>
  
  <span class="pill kill-chain">SubjectLogonId</span>
  
  <span class="pill kill-chain">SubjectUserName</span>
  
  <span class="pill kill-chain">SubjectUserSid</span>
  
  <span class="pill kill-chain">SystemTime</span>
  
  <span class="pill kill-chain">System_Props_Xml</span>
  
  <span class="pill kill-chain">Task</span>
  
  <span class="pill kill-chain">ThreadID</span>
  
  <span class="pill kill-chain">Version</span>
  
  <span class="pill kill-chain">Workstation</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">dvc_nt_host</span>
  
  <span class="pill kill-chain">event_id</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">id</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">name</span>
  
  <span class="pill kill-chain">product</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">session_id</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">signature_id</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">src</span>
  
  <span class="pill kill-chain">src_nt_domain</span>
  
  <span class="pill kill-chain">src_nt_host</span>
  
  <span class="pill kill-chain">src_user</span>
  
  <span class="pill kill-chain">status</span>
  
  <span class="pill kill-chain">subject</span>
  
  <span class="pill kill-chain">ta_windows_action</span>
  
  <span class="pill kill-chain">ta_windows_security_CategoryString</span>
  
  <span class="pill kill-chain">ta_windows_status</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::action</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">vendor</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
</div>

Example Log

1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4794</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-08-23T04:24:05.064689300Z'/><EventRecordID>821077</EventRecordID><Correlation ActivityID='{4EC0CCF2-B67B-0004-F8CC-C04E7BB6D801}'/><Execution ProcessID='612' ThreadID='4120'/><Channel>Security</Channel><Computer>win-dc-root-17044-552.attackrange.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>ATTACKRANGE\Administrator</Data><Data Name='SubjectUserName'>Administrator</Data><Data Name='SubjectDomainName'>ATTACKRANGE</Data><Data Name='SubjectLogonId'>0x959c5</Data><Data Name='Workstation'>[fe80::b907:7694:d740:91bb]</Data><Data Name='Status'>0x0</Data></EventData></Event>

Source: GitHub | Version: 2