Windows Event ID 4964: Special groups have been assigned to a new logon
Windows Security Event ID 4964 records a logon by an account that is a member of a configured Special Group.
- Applicable version
- Windows Server 2008 R2 and later
- Last reviewed
- 2026-07-13
Trigger Scenarios
This event occurs when a member of a group SID listed in HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups logs on.
Key Fields
SidList
The list of special group SIDs assigned to the new logon. Microsoft gives S-1-5-32-544 as an example and documents semicolon-delimited SID lists in the SpecialGroups registry value.
TargetUserName / TargetLogonId / TargetLogonGuid
Identifies the account that performed the logon and supplies correlation keys to 4624, 4648, and 4769.
SubjectLogonId
Hexadecimal logon ID for the account that requested the logon and a join key to nearby authentication events.
Common False Positives
- Normal administrative logons by monitored groups will generate this event by design.
- A broad SpecialGroups registry list can create high volume until the SID list is tuned.
Related Events
MITRE ATT&CK Mapping
- T1078.002Valid Accounts: Domain Accounts
Detection Notes
Use threshold=1 for Special Group logons to non-administrative workstations or unusual servers. Microsoft documents the SpecialGroups registry path HKLM\System\CurrentControlSet\Control\Lsa\Audit and SID list examples such as S-1-5-32-544; when SidList contains an administrative SID and TargetLogonId correlates to 4624 Logon Type 10 or Type 3 from an unusual source, treat it as T1078.002 Valid Accounts: Domain Accounts. Correlate TargetLogonGuid with 4648 or 4769 when present.
SecurityEvent
| where EventID == 4964
| project TimeGenerated, Computer, Accountindex=wineventlog EventCode=4964 | table _time, hostEventID: 4964
TargetUserName: dadmin
TargetLogonId: 0x139faf
TargetLogonGuid: {B03B6192-09AE-E77F-DD10-2DC430766040}
SidList: %{S-1-5-32-544}