{
  "id": "4723",
  "source": "windows_security",
  "category": "AccountMgmt",
  "name": "An attempt was made to change an account's password",
  "priority": "P2",
  "applicable_version": "Windows Server 2008 R2 and later; Windows 7 and later",
  "last_reviewed": "2026-07-11",
  "definition": "Event ID 4723 records an attempt by an account to change its own password.",
  "trigger_scenarios": "It is generated for self-service password changes, including unsuccessful attempts.",
  "key_fields": [
    {
      "field": "Subject",
      "explanation": "The account attempting the change."
    },
    {
      "field": "Target Account",
      "explanation": "Usually the same account; a mismatch needs investigation."
    },
    {
      "field": "Status",
      "explanation": "0x0 indicates success; failures help diagnose stale or policy-rejected attempts."
    }
  ],
  "false_positives": [
    "Normal password rotation and self-service changes are expected.",
    "Password-expiry reminders can cause repeated attempts."
  ],
  "related_event_ids": [
    "4724",
    "4738",
    "4624"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1098",
      "technique_name": "Account Manipulation"
    }
  ],
  "detection_notes": "A successful Status 0x0 4723 with a Subject/Target Account mismatch, followed by Type 10 4624 within 60 minutes, supports T1098 account manipulation. The normal self-service case has identical Subject and Target Account.",
  "kql_snippet": "SecurityEvent\n| where EventID == 4723\n| project TimeGenerated, Computer, Account, TargetAccount, Status",
  "spl_snippet": "index=wineventlog EventCode=4723 | table _time, host, SubjectUserName, TargetUserName, Status",
  "sample_log": "Subject: CORP\\jsmith\nTarget Account: CORP\\jsmith\nStatus: 0x0",
  "source_url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4723",
  "route": "/windows-events/4723/",
  "canonical_url": "https://soceventlookup.com/windows-events/4723/",
  "json_url": "/api/events/windows-security/4723.json"
}
