Windows Event ID 4738 — User Account Changed
Logged when an existing user account's attributes are modified. Creation (4720), deletion (4726) and group membership changes (4728/4732/4756) have their own events and do not produce a 4738 by themselves. Covers changes to the account-control flags (logged as Old UAC Value, New UAC Value and a decoded User Account Control list), SAM account name, display name, account expiry, logon hours, delegation targets (AllowedToDelegateTo) and the other account properties. For domain accounts it is logged on the domain controller that processed the change; for local accounts it is logged on the local machine.
MITRE ATT&CK
T1098 · Account Manipulation
Persistence
Why It Matters
Account attribute changes are one of the most overlooked persistence vectors. An attacker with write access to an account can modify it to extend its usefulness: setting 'password never expires' keeps a compromised credential valid indefinitely, removing the account expiry date stops the account from being automatically disabled when the expiry passes, and clearing protective account-control flags on a service account (NOT_DELEGATED, SMARTCARD_REQUIRED) lowers the barrier for abuse. Account renames (SAM account name changes) can camouflage a known-bad account: an account named 'hacker01' renamed to 'svc_monitor' becomes far less visible in membership reports. Unlike 4720 (creation) and 4726 (deletion), 4738 events on existing high-privilege accounts are rarely alerted on, making them a low-noise persistence channel.
Key Fields
- Subject: Security ID, Account Name, Account Domain and Logon ID of the principal that made the change. Logon ID identifies the logon session and is the key for correlating with other account events made in that session.
- Target Account: Security ID, Account Name and Account Domain of the account that was changed.
- Changed Attributes: SAM Account Name, Display Name, User Principal Name, Account Expires, Logon Hours, AllowedToDelegateTo, Password Last Set and the remaining account properties. An attribute that did not change in this event is logged as "-", so the event shows only new values, never the previous ones.
- Old UAC Value, New UAC Value and User Account Control: the account-control flags before and after the change, in hex, plus a decoded list of the flags that flipped (for example 'Don't Expire Password' - Enabled). The hex field uses the SAM account-control bit layout rather than the LDAP userAccountControl bit values, so either match detections on the decoded text lines or decode the hex with the SAM bit table.
Investigation Tips
- 1.DONT_EXPIRE_PASSWORD set on a domain admin or service account outside a documented policy change is a persistence signal: the attacker is ensuring their compromised credential does not expire. The commonly quoted value 0x10000 is this flag's bit in the LDAP userAccountControl attribute; in the event's Old/New UAC Value hex it is carried as 0x200 (SAM encoding), so alert on the User Account Control text line 'Don't Expire Password' - Enabled, or decode the hex with the SAM bit table, for accounts in privileged groups.
- 2.Account rename (SAM Account Name change) on an existing account is an unusual operation outside of HR name changes. A rename that makes an account name match your naming convention for service or system accounts (e.g., 'svc_backup', 'IT_monitor') may be camouflage. Cross-reference against HR records and your service account inventory.
- 3.Delegation flag changes are critical on any account. TRUSTED_FOR_DELEGATION enables unconstrained delegation: the account receives, and can reuse, the TGT of any user who authenticates to a service it hosts. TRUSTED_TO_AUTH_FOR_DELEGATION enables protocol transition (S4U2Self), letting the account obtain service tickets as any user for the targets listed in msDS-AllowedToDelegateTo, which 4738 logs in the AllowedToDelegateTo field, so watch that field too. Setting either flag requires the SeEnableDelegationPrivilege user right ('Enable computer and user accounts to be trusted for delegation'), which by default only Administrators hold on domain controllers; these flags should only change through deliberate AD configuration work with a corresponding ticket.
- 4.Correlate 4738 with surrounding events by Subject Logon ID: 4720, 4728/4732/4756 and 4738 all carry the Logon ID of the session that made the change, so a 4738 that changes UAC flags preceded in the same session by a 4728 (member added to a security-enabled global group) is part of a privilege-building sequence. 4769 (Kerberos service ticket requested) has no Subject Logon ID, so tie it in by the target account name and a tight time window rather than by session.
- 5.Expiry removal: check the Account Expires field. A change to '<never>' on an account that was expiry-limited (contractors, temp accounts) extends unauthorized access. The event carries only the new value, so recover the previous expiry from a directory snapshot or the account's earlier 4720/4738 records, then cross-reference with contract end dates and HR records.
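The rules in tips 1, 2, 3 and 5 above, and the flag list in the UAC FAQ answer below, as one triage function. This is an added example for this page, not EventPeeker's code. The records are constructed dicts keyed by the 4738 EventData field names (a real pipeline would fill them from the EVTX), the privileged-account watchlist is an assumption, and the hex bit layout is the SAM account-control encoding (MS-SAMR USER_ACCOUNT codes) that the event's Old/New UAC Value fields carry.

```python
"""Triage Windows Security event 4738 (user account changed) records.

Added example for this page; not EventPeeker's code. Records are constructed
dicts keyed by the 4738 EventData field names. The hex bits follow the SAM
account-control encoding (MS-SAMR USER_ACCOUNT codes) used by the event's
Old/New UAC Value fields; the LDAP userAccountControl bit values differ.
"""

# Bit -> name for the subset of SAM account-control flags relevant to 4738 triage.
SAM_UAC = {
    0x00001: "ACCOUNT_DISABLED",
    0x00004: "PASSWORD_NOT_REQUIRED",
    0x00010: "NORMAL_ACCOUNT",
    0x00200: "DONT_EXPIRE_PASSWORD",
    0x01000: "SMARTCARD_REQUIRED",
    0x02000: "TRUSTED_FOR_DELEGATION",
    0x04000: "NOT_DELEGATED",
    0x10000: "DONT_REQUIRE_PREAUTH",
    0x40000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Assumed watchlist: privileged-group members plus inventoried service accounts.
PRIVILEGED = {"Administrator", "da_jsmith", "svc_backup"}


def uac_diff(old_hex: str, new_hex: str):
    """Return (added, removed) flag-name sets between Old and New UAC Value."""
    old, new = int(old_hex, 16), int(new_hex, 16)
    added = {name for bit, name in SAM_UAC.items() if new & bit and not old & bit}
    removed = {name for bit, name in SAM_UAC.items() if old & bit and not new & bit}
    return added, removed


def expires_never(value: str) -> bool:
    """'%%1794' is the raw resource placeholder that renders as '<never>'."""
    return value.strip() in {"<never>", "%%1794"}


def triage_4738(ev: dict, privileged=PRIVILEGED) -> list:
    """Apply the page's alert rules to one 4738 record; return finding strings."""
    target = ev["TargetUserName"]
    added, removed = uac_diff(ev["OldUacValue"], ev["NewUacValue"])
    findings = []
    if "DONT_EXPIRE_PASSWORD" in added and target in privileged:
        findings.append(f"{target}: DONT_EXPIRE_PASSWORD set on privileged account")
    for flag in ("TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION"):
        if flag in added:
            findings.append(f"{target}: {flag} set (Kerberos delegation abuse path)")
    if "NOT_DELEGATED" in removed:
        findings.append(f"{target}: NOT_DELEGATED cleared (delegation protection removed)")
    # Unchanged attributes are logged as "-"; any other SAM Account Name value is a rename.
    new_sam = ev.get("SamAccountName", "-")
    if new_sam != "-":
        findings.append(f"{target}: renamed, SAM Account Name now {new_sam}")
    if expires_never(ev.get("AccountExpires", "-")):
        findings.append(f"{target}: Account Expires set to never (check prior expiry / HR)")
    return findings


# Constructed sample records (not real logs): one benign HR edit, three suspicious changes.
SAMPLE_EVENTS = [
    {"TargetUserName": "jdoe", "SubjectLogonId": "0x3E7", "OldUacValue": "0x10",
     "NewUacValue": "0x10", "DisplayName": "Jane Doe", "SamAccountName": "-",
     "AccountExpires": "-"},
    {"TargetUserName": "svc_backup", "SubjectLogonId": "0x5A2F1", "OldUacValue": "0x10",
     "NewUacValue": "0x210", "SamAccountName": "-", "AccountExpires": "-"},
    {"TargetUserName": "svc_web", "SubjectLogonId": "0x5A2F1", "OldUacValue": "0x4210",
     "NewUacValue": "0x40210", "SamAccountName": "-", "AccountExpires": "-"},
    {"TargetUserName": "hacker01", "SubjectLogonId": "0x5A2F1", "OldUacValue": "0x10",
     "NewUacValue": "0x10", "SamAccountName": "svc_monitor", "AccountExpires": "%%1794"},
]


def triage_all(events=SAMPLE_EVENTS) -> dict:
    """Map target account -> findings for every record that produced any."""
    out = {}
    for ev in events:
        found = triage_4738(ev)
        if found:
            out[ev["TargetUserName"]] = found
    return out


if __name__ == "__main__":
    for findings in triage_all().values():
        for line in findings:
            print(line)
```

The DONT_EXPIRE_PASSWORD rule is scoped to the watchlist because that flag is common on legitimately managed service accounts; the delegation rules fire on any account, matching tip 3. The rename and expiry rules only report what the event shows (the new value), so the analyst still has to fetch the prior state as tip 5 describes.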
Frequently Asked Questions
- What triggers Event ID 4738?
- Event 4738 fires on a modification to an existing user account's attributes; membership changes are 4728/4732/4756 and creation and deletion are 4720/4726. Common legitimate triggers: an IT admin updating a user's display name or description, account expiry or logon-hours changes, password resets (which update Password Last Set), HR-driven account renames after a legal name change, and provisioning tools that set account-control flags right after creating an account. The security-relevant triggers are account-control flag changes (especially DONT_EXPIRE_PASSWORD and the delegation flags), account renames that change the SAM Account Name, and expiry date removal or extension on privileged accounts.
- Which User Account Control (UAC) flag changes in Event ID 4738 should I alert on?
- Four flag changes warrant immediate investigation when they land on privileged accounts: (1) DONT_EXPIRE_PASSWORD added, so the credential never rotates out; (2) TRUSTED_FOR_DELEGATION added, which enables unconstrained Kerberos delegation and lets the account reuse the TGT of any user who authenticates to it; (3) TRUSTED_TO_AUTH_FOR_DELEGATION added, which enables S4U2Self protocol transition, a Kerberos abuse vector; (4) NOT_DELEGATED cleared, which removes a protection that was explicitly set to stop the account's credentials being delegated. The hex values usually quoted for these flags (0x10000, 0x80000, 0x1000000 and 0x100000) are the LDAP userAccountControl bits; the event's Old/New UAC Value field uses the SAM encoding, so match on the decoded User Account Control text lines. These changes on domain admin accounts or service accounts should be treated as critical incidents unless they correlate with documented AD architecture changes. Computer accounts, including domain controllers, log the equivalent changes as 4742 rather than 4738.
- How do attackers use Event ID 4738 to maintain persistence?
- Three common techniques: (1) Setting DONT_EXPIRE_PASSWORD on a compromised account keeps the credential valid indefinitely regardless of your password rotation policy, and nothing alerts when the policy would normally have expired it; (2) Renaming a backdoor account to match your legitimate naming conventions makes it blend into membership reports and AD group reviews; (3) Setting TRUSTED_FOR_DELEGATION on a service account enables unconstrained Kerberos delegation: any user who authenticates to a service that account hosts forwards their TGT to it, and the attacker can reuse those TGTs against any service in the domain. The first two need only write access to the target account object; the delegation flags additionally require the SeEnableDelegationPrivilege user right on the domain controller, which Domain Admins hold by default.
- What is the difference between Event ID 4738 and Event ID 4720?
- Event 4720 fires exactly once when an account is created and captures its initial attributes. Event 4738 fires on every subsequent attribute modification. In attack terms: 4720 is the creation of a backdoor account, 4738 is the configuration of that account to make it persistent and stealthy (setting password-never-expires, removing expiry, renaming to blend in). Expect a 4738 from the same Subject Logon ID within seconds of almost every 4720, because provisioning sets attributes immediately after creation; the interesting 4738 is the one that arrives later, from a different session, and hardens an account that already exists. Monitor both: 4720 catches account creation, 4738 catches post-creation hardening that maximizes the account's operational lifespan.
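The session correlation from investigation tip 4 and the 4720-then-4738 provisioning pattern from the answer above, as one added example (not EventPeeker's code). The events are constructed dicts holding only the fields the correlation needs; the privileged-group list and the ten-minute window are assumptions. 4720, 4728/4732/4756 and 4738 all carry Subject Logon ID and a SID for the account acted on (TargetSid on 4720/4738, MemberSid on the group-add events), which is what the grouping keys on.

```python
"""Correlate hardening 4738 events with neighbouring account events by Subject Logon ID.

Added example for this page, not EventPeeker's code. Events are constructed dicts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

GROUP_ADD = {4728, 4732, 4756}      # member added to a global / local / universal group
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed
DONT_EXPIRE_PASSWORD = 0x200         # SAM bit as carried in the event's Old/New UAC Value
WINDOW = timedelta(minutes=10)       # assumed correlation window


def acted_on_sid(ev):
    """SID of the account the event changed: MemberSid on group adds, TargetSid otherwise."""
    return ev.get("MemberSid") or ev.get("TargetSid")


def hardens_account(ev):
    """A 4738 that extends an account's life: password never expires, expiry removed, or rename."""
    if ev["EventID"] != 4738:
        return False
    old, new = int(ev["OldUacValue"], 16), int(ev["NewUacValue"], 16)
    dont_expire_added = bool(new & DONT_EXPIRE_PASSWORD) and not old & DONT_EXPIRE_PASSWORD
    expiry_removed = ev.get("AccountExpires") in {"<never>", "%%1794"}
    renamed = ev.get("SamAccountName", "-") != "-"
    return dont_expire_added or expiry_removed or renamed


def correlate(events):
    """Return [(logon_id, target, severity, reason)] for every hardening 4738."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["SubjectLogonId"]].append(ev)
    alerts = []
    for logon_id, evs in by_session.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for ev in evs:
            if not hardens_account(ev):
                continue
            sid = acted_on_sid(ev)
            # Other events in the same logon session, on the same account, inside the window.
            nearby = [o for o in evs if o is not ev and acted_on_sid(o) == sid
                      and abs(o["TimeCreated"] - ev["TimeCreated"]) <= WINDOW]
            priv_add = [o for o in nearby if o["EventID"] in GROUP_ADD
                        and o["TargetUserName"] in PRIVILEGED_GROUPS]
            created = [o for o in nearby if o["EventID"] == 4720]
            if priv_add:
                sev, why = "high", f"privileged group add ({priv_add[0]['TargetUserName']}) in same session"
            elif created:
                sev, why = "low", "follows 4720 in same session: expected provisioning pair"
            else:
                sev, why = "medium", "account hardened with no creation or group change in session"
            alerts.append((logon_id, ev["TargetUserName"], sev, why))
    return alerts


def T(s):
    return datetime.fromisoformat(s)


SID = "S-1-5-21-1111-2222-3333-"   # constructed domain SID prefix

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # Session 0x5A2F1: svc_backup added to Domain Admins, then password-never-expires set.
    {"EventID": 4728, "SubjectLogonId": "0x5A2F1", "TimeCreated": T("2024-05-01T10:00:00"),
     "TargetUserName": "Domain Admins", "MemberSid": SID + "1105"},
    {"EventID": 4738, "SubjectLogonId": "0x5A2F1", "TimeCreated": T("2024-05-01T10:00:40"),
     "TargetUserName": "svc_backup", "TargetSid": SID + "1105",
     "OldUacValue": "0x10", "NewUacValue": "0x210"},
    # Session 0x7C001: provisioning tool creates tjones and sets attributes one second later.
    {"EventID": 4720, "SubjectLogonId": "0x7C001", "TimeCreated": T("2024-05-01T11:00:00"),
     "TargetUserName": "tjones", "TargetSid": SID + "2001"},
    {"EventID": 4738, "SubjectLogonId": "0x7C001", "TimeCreated": T("2024-05-01T11:00:01"),
     "TargetUserName": "tjones", "TargetSid": SID + "2001",
     "OldUacValue": "0x15", "NewUacValue": "0x10", "AccountExpires": "<never>"},
    # Session 0x8B12: contractor expiry removed with nothing else in the session.
    {"EventID": 4738, "SubjectLogonId": "0x8B12", "TimeCreated": T("2024-05-01T12:30:00"),
     "TargetUserName": "contractor7", "TargetSid": SID + "1420",
     "OldUacValue": "0x10", "NewUacValue": "0x10", "AccountExpires": "<never>"},
    # Session 0x3E7: HR display-name edit, not a hardening change.
    {"EventID": 4738, "SubjectLogonId": "0x3E7", "TimeCreated": T("2024-05-01T13:00:00"),
     "TargetUserName": "jdoe", "TargetSid": SID + "1300",
     "OldUacValue": "0x10", "NewUacValue": "0x10", "DisplayName": "Jane Doe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Grouping on Subject Logon ID rather than on the Subject account name is deliberate: a shared admin account used from two workstations produces two sessions, and the sequence only means something when the group add and the hardening change come from the same one. Matching the changed account by SID rather than by name also survives the rename case, where the name in the 4738 may no longer be the name that was added to the group.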
Go deeper: the full Account Persistence — Backdoor Accounts and Unauthorized Group Changes guide
Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.