{
	"id": "ffd371a5-a6eb-48f4-b436-d4c156fc353b",
	"created_at": "2026-04-06T02:11:31.520214Z",
	"updated_at": "2026-04-10T03:21:03.434891Z",
	"deleted_at": null,
	"sha1_hash": "942c4fbb3855694cbfc02d0cd3cdd2f36506b7fd",
	"title": "lsadump::changentlm and lsadump::setntlm work, but generate Windows events",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64913,
	"plain_text": "lsadump::changentlm and lsadump::setntlm work, but generate\r\nWindows events\r\nBy JeffAWarren\r\nPublished: 2017-06-22 · Archived: 2026-04-06 01:55:33 UTC\r\nI noticed when using the lsadump::changentlm and lsadump::setntlm, that the SETPASSWORD privilege is still\r\nbeing requested. I see the following information in my Active Directory event logs after performing a password\r\nchange:\r\n*Event 4661 with privilege request for SetPassword (without knowledge of old password) (screenshot attached)\r\n*Event 4723 for an attempt made to change an account's password\r\n*Event 4738 for a user account being changed for the Password Last Set value\r\nDomain Controller is Windows Server 2016:\r\nMajor: 10\r\nMinor: 0\r\nBuild: 14393\r\nhttps://github.com/gentilkiwi/mimikatz/issues/92\r\nPage 1 of 2\n\nRevision: 0\r\nSource: https://github.com/gentilkiwi/mimikatz/issues/92\r\nhttps://github.com/gentilkiwi/mimikatz/issues/92\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/gentilkiwi/mimikatz/issues/92"
	],
	"report_names": [
		"92"
	],
	"threat_actors": [],
	"ts_created_at": 1775441491,
	"ts_updated_at": 1775791263,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/942c4fbb3855694cbfc02d0cd3cdd2f36506b7fd.pdf",
		"text": "https://archive.orkl.eu/942c4fbb3855694cbfc02d0cd3cdd2f36506b7fd.txt",
		"img": "https://archive.orkl.eu/942c4fbb3855694cbfc02d0cd3cdd2f36506b7fd.jpg"
	}
}