EventPeeker
Event ID 4723 | Audit Success | Security

Windows Event ID 4723: Password Change Attempted

Logged when a user attempts to change their own password. No administrative rights are required; any user can attempt this.

Why It Matters

Unexpected password changes — especially for service accounts or admin accounts — can indicate an attacker locking out the legitimate owner or preparing an account for takeover.

Key Fields

Target Account Name: The account whose password is being changed
Subject Account Name: The account making the change — for a self-service change, these should match

Investigation Tips

  1. If Subject and Target accounts differ, this is an admin reset (4724), not a self-service change.
  2. Service account password changes must be coordinated with whatever service uses that account — abrupt changes cause service outages.
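
The two tips above can be applied to an exported log in one pass. This is an added example, not EventPeeker's code: it reads Event Viewer style XML, compares Subject and Target on each 4723 record, and checks the target against a watchlist. The watchlist names, the helper `_event` and the sample records are constructed for illustration; the `Data` names are the ones Windows uses in the 4723 event XML.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Hypothetical watchlist of service/admin account names (assumption, lowercase).
WATCHLIST = {"svc_backup", "administrator"}

def _event(event_id, when, subject, target, domain="CORP"):
    """Build one constructed event record in the Windows event XML layout."""
    fields = {"SubjectUserName": subject, "SubjectDomainName": domain,
              "TargetUserName": target, "TargetDomainName": domain}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample export, not real log data.
SAMPLE = "<Events>" + "".join([
    _event(4723, "2024-05-01T09:00:00Z", "Alice", "alice"),            # normal self-service
    _event(4723, "2024-05-01T09:05:00Z", "bob", "svc_backup"),         # subject != target
    _event(4723, "2024-05-01T09:07:00Z", "svc_backup", "svc_backup"),  # watched account
    _event(4624, "2024-05-01T09:10:00Z", "carol", "carol"),            # unrelated event ID
]) + "</Events>"

def triage_4723(xml_text, watchlist=WATCHLIST):
    """Return one finding per 4723 event that needs an analyst's attention."""
    findings = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4723":
            continue
        d = {x.get("Name"): (x.text or "") for x in ev.iterfind("e:EventData/e:Data", NS)}
        # Account names are case-insensitive, so compare DOMAIN\name casefolded.
        subject = (d.get("SubjectDomainName", "") + "\\" + d.get("SubjectUserName", "")).casefold()
        target = (d.get("TargetDomainName", "") + "\\" + d.get("TargetUserName", "")).casefold()
        reasons = []
        if subject != target:
            reasons.append("subject_target_mismatch")
        if d.get("TargetUserName", "").casefold() in watchlist:
            reasons.append("watched_account")
        if reasons:
            when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
            findings.append({"time": when, "subject": subject,
                             "target": target, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in triage_4723(SAMPLE):
        print(finding)
```
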

Related Event IDs

4724: Password reset by an administrator
4794: DSRM admin password set — domain controller specific
