{
  "id": "4780",
  "source": "windows_security",
  "category": "ObjectAccess",
  "name": "ACL was set on accounts in administrators groups",
  "priority": "P2",
  "applicable_version": "Windows Server 2008 R2 and later",
  "last_reviewed": "2026-07-13",
  "definition": "Windows Security Event ID 4780 records AdminSDHolder ACL reset activity for protected administrative accounts.",
  "trigger_scenarios": "On the PDC emulator, Windows compares protected security principals with AdminCount=1 against the AdminSDHolder ACL about every hour and resets differing ACLs, generating this event.",
  "key_fields": [
    {
      "field": "Target Account: Security ID / Account Name / Account Domain",
      "explanation": "Identifies the protected user, group, or machine account whose ACL was reset to match AdminSDHolder."
    },
    {
      "field": "Subject: Security ID / Account Name / Logon ID",
      "explanation": "Identifies the security context associated with the reset operation and supports correlation to administrative activity."
    },
    {
      "field": "Privileges",
      "explanation": "Additional Information field in the Microsoft schema. Use it to understand whether special privileges were present during the ACL reset."
    }
  ],
  "false_positives": [
    "Expected hourly AdminSDHolder protection can generate this event after legitimate ACL drift on protected accounts.",
    "Directory cleanup or privileged group membership changes can cause new accounts with AdminCount=1 to be protected."
  ],
  "related_event_ids": [
    "4728",
    "4732",
    "4756",
    "4624"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1098",
      "technique_name": "Account Manipulation"
    }
  ],
  "detection_notes": "Use threshold=1 unexpected Target Account newly showing AdminCount=1 or appearing after privileged group changes. Microsoft documents that the PDC compares protected accounts every hour and resets ACLs to AdminSDHolder; therefore 4780 after a new 4728/4732/4756 membership event can reveal T1098 Account Manipulation that placed an account into a protected administrative group. Do not look for Access Mask 0x40000 or 0x80000 here; those fields are not in the Microsoft 4780 schema.",
  "kql_snippet": "SecurityEvent\n| where EventID == 4780\n| project TimeGenerated, Computer, Account",
  "spl_snippet": "index=wineventlog EventCode=4780 | table _time, host",
  "sample_log": "EventID: 4780\nTarget Account Name: svc-build\nTarget Account Domain: CORP\nSubject Account Name: DC01$\nLogon ID: 0x3e7\nPrivileges: -",
  "source_url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4780",
  "route": "/windows-events/4780/",
  "canonical_url": "https://soceventlookup.com/windows-events/4780/",
  "json_url": "/api/events/windows-security/4780.json"
}
