Windows Event ID 4780 – Microsoft-Windows-Security-Auditing: Computer Account Password Changed

Start by examining the specific details of the 4780 event to understand the context and scope of the password change.

1. Open Event Viewer on the domain controller
2. Navigate to Windows Logs → Security
3. Filter for Event ID 4780 using the filter option
4. Double-click the event to view detailed information
5. Review the Subject section to identify who initiated the change
6. Check the Target Account section for the affected computer
7. Note the timestamp and correlation with other security events

Key fields to examine:

• Subject Account Name: Shows who made the change
• Target Account Name: The computer account that was modified
• Target Domain: Domain where the account resides
• Privileges: Security privileges used for the operation

Use PowerShell to efficiently query and analyze 4780 events across multiple domain controllers or time periods.

1. Open PowerShell as Administrator
2. Query recent 4780 events:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4780} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message

3. Filter events for specific computer accounts:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4780} | Where-Object {$_.Message -like "*COMPUTERNAME*"}

4. Export events to CSV for analysis:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4780; StartTime=(Get-Date).AddDays(-7)} | Select-Object TimeCreated, Id, @{Name='ComputerAccount';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Account Name:*'})[1] -replace '.*Account Name:\s*',''}}, @{Name='Subject';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Subject:*' -and $_ -like '*Account Name:*'})[0] -replace '.*Account Name:\s*',''}} | Export-Csv -Path "C:\Temp\Event4780_Analysis.csv" -NoTypeInformation

5. Check for unusual patterns or frequency of password changes

Investigate the domain password policy settings that control automatic computer account password changes.

1. Check the current domain password policy:

Get-ADDefaultDomainPasswordPolicy

2. Examine computer account password age registry settings on client computers:

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "MaximumPasswordAge"

3. Check if password changes are disabled:

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "DisablePasswordChange"

4. Review Group Policy settings affecting computer account passwords:
5. Open Group Policy Management Console
6. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options
7. Check Domain member: Maximum machine account password age
8. Verify Domain member: Disable machine account password changes is not enabled

Default values:

• MaximumPasswordAge: 30 days (2592000 seconds)
• DisablePasswordChange: Should be 0 (disabled) or not present

When 4780 events appear frequently or unexpectedly, investigate potential secure channel or trust relationship problems.

1. Test the secure channel from the affected computer:

Test-ComputerSecureChannel -Verbose

2. If the test fails, repair the secure channel:

Test-ComputerSecureChannel -Repair -Credential (Get-Credential)

3. Check domain controller replication status:

repadmin /replsummary

4. Verify computer account status in Active Directory:

Get-ADComputer -Identity "COMPUTERNAME" -Properties PasswordLastSet, LastLogonDate, Enabled

5. Review DNS resolution for domain controllers:

nslookup -type=SRV _ldap._tcp.dc._msdcs.yourdomain.com

6. Check time synchronization between client and domain controllers:

w32tm /query /status

Implement comprehensive monitoring and analysis of 4780 events for security and compliance purposes.

1. Create a custom PowerShell script for continuous monitoring:

# Monitor 4780 events and alert on anomalies
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4780; StartTime=(Get-Date).AddHours(-1)}
foreach ($Event in $Events) {
    $XML = [xml]$Event.ToXml()
    $SubjectAccount = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
    $TargetAccount = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
    
    # Alert if password change initiated by non-system account
    if ($SubjectAccount -ne $TargetAccount -and $SubjectAccount -ne 'SYSTEM') {
        Write-Warning "Manual password change detected: $TargetAccount by $SubjectAccount at $($Event.TimeCreated)"
    }
}

2. Configure Windows Event Forwarding to centralize 4780 events:
3. On the collector server, enable the Windows Event Collector service:

wecutil qc

4. Create a subscription for 4780 events:

<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>ComputerPasswordChanges</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Query>
        <![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[EventID=4780]]</Select>
            </Query>
        </QueryList>
        ]]>
    </Query>
</Subscription>

5. Set up SIEM integration for automated analysis:
6. Configure log forwarding to your SIEM solution
7. Create correlation rules to detect:

• Excessive password changes from single computers
• Password changes outside maintenance windows
• Changes initiated by unexpected user accounts
• Patterns indicating potential compromise