SOC Event Lookup
Event ID 4724AccountMgmtP1

Windows Event ID 4724: An attempt was made to reset an account's password

Windows Security Event ID 4724 records an attempt to reset another account's password and is important for account-takeover investigations.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-10

Trigger Scenarios

The event is logged when an administrator, helpdesk workflow, or other principal resets a user password rather than changing its own password.

Key Fields

Subject

The identity that attempted the reset. Confirm it is an approved administrator or identity-management process.

Target Account

The account whose password was reset. Privileged, service, and recently created accounts deserve special attention.

Status

The operation result. Failed resets can reveal attempted but blocked account abuse.

Common False Positives

  • Helpdesk and self-service identity workflows legitimately reset passwords.
  • Emergency access procedures may reset privileged accounts during incidents.

Related Events

MITRE ATT&CK Mapping

  • T1098Account Manipulation
  • T1078Valid Accounts

Detection Notes

T1098 Account Manipulation is signaled when Subject resets a privileged or service Target Account and Status is 0x0, followed by 4624 from a new Client Address. A successful reset outside approved helpdesk workflows gives an attacker a new valid credential, unlike a failed policy attempt.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4724
| project TimeGenerated, Computer, Account, TargetAccount, Activity, Status
| order by TimeGenerated desc
Splunk SPL
index=wineventlog EventCode=4724
| table _time, host, SubjectUserName, TargetUserName, Status
Sample Log
Subject: CORP\helpdesk01
Target Account: CORP\admin.ops
Status: 0x0

Source