Authentication Events
| Log | Event ID | Meaning | Detection Use | Typical Attacks |
|---|---|---|---|---|
| Security | 4624 | Successful logon | Identify lateral movement | Pass the Hash / Relay |
| Security | 4625 | Failed logon | Detect brute force / spraying | Password Spraying |
| Security | 4634 | Logoff | Session tracking | Lateral movement |
| Security | 4647 | User initiated logoff | Session termination | Investigation pivot |
| Security | 4648 | Explicit credentials used | RunAs / alternate creds | Lateral movement |
| Security | 4672 | Special privileges assigned | Admin logon | Privilege escalation |
| Security | 4776 | NTLM credential validation (on the DC for domain accounts, on the host for local SAM accounts) | NTLM usage tracking | NTLM Relay / Pass the Hash |
Kerberos Authentication
| Log | Event ID | Meaning | Detection Use | Typical Attacks |
|---|---|---|---|---|
| Security | 4768 | Kerberos TGT request (AS-REQ); shows etype, pre-auth type and certificate fields for PKINIT | Authentication baseline; RC4 etype or PreAuthType 0 stand out | Overpass the Hash / AS-REP Roasting |
| Security | 4769 | Kerberos service ticket | Service access monitoring | Kerberoasting |
| Security | 4770 | Kerberos ticket renewal | Long sessions | Persistence tracking |
| Security | 4771 | Kerberos pre-auth failure | Password attacks | Password spraying |
| Security | 4772 | Kerberos TGT failure | Authentication failure | Kerberos attacks |
Directory Object Access
| Log | Event ID | Meaning | Detection Use | Typical Attacks |
|---|---|---|---|---|
| Security | 4662 | Operation performed on a directory object (only logged where a SACL audits it) | Replication control-access rights in the Properties field | DCSync / ACL abuse |
| Security | 4661 | Handle to object requested | Object access monitoring | Recon / enumeration |
| Security | 4663 | Object access | File / registry access | Credential dumping |
Active Directory Changes
| Log | Event ID | Meaning | Detection Use | Typical Attacks |
|---|---|---|---|---|
| Security | 5136 | Directory object modified | ACL changes | Shadow Credentials |
| Security | 5137 | Object created | Rogue objects | DCShadow / GPO abuse |
| Security | 5138 | Object undeleted | Persistence artifact | AD abuse |
| Security | 5139 | Object moved | Privilege abuse | AD manipulation |
| Security | 5141 | Object deleted | Evidence removal | Covering tracks |
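The two rows most worth operationalising from the tables above are 4662 for DCSync and 5136 for Shadow Credentials. As an added example (not from the original page), the code below checks 4662 events for the three replication control-access-right GUIDs and 5136 events for a value added to `msDS-KeyCredentialLink` by a principal other than the object itself. The GUIDs and the `%%14674` "Value Added" resource string are the real ones; the sample events, principals and the allowlist are constructed for the example. Both events require an auditing SACL on the domain head or the target objects, otherwise nothing is logged at all.

```python
"""DCSync and Shadow Credentials detections over 4662 / 5136.

Constructed sample with real field names and invented principals."""
import re

# Control-access rights that let a principal pull replication data (DCSync).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
VALUE_ADDED = "%%14674"  # 5136 OperationType resource string for "Value Added"

SAMPLE_EVENTS = [
    # A domain controller replicating: expected, excluded by the machine-account check.
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # A user exercising Get-Changes + Get-Changes-All on the domain head: DCSync.
    {"EventID": 4662, "SubjectUserName": "alice",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # Ordinary property read, no replication right involved.
    {"EventID": 4662, "SubjectUserName": "bob",
     "Properties": "Read Property\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    # Shadow Credentials: a user writes msDS-KeyCredentialLink on a computer object.
    # (AttributeValue is a DN-with-binary; the hex here is a constructed stand-in.)
    {"EventID": 5136, "SubjectUserName": "alice", "ObjectDN": "CN=WS01,OU=Workstations,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674",
     "AttributeValue": "B:8:00020000:CN=WS01,OU=Workstations,DC=corp,DC=local"},
    # Unrelated attribute change on the user's own object.
    {"EventID": 5136, "SubjectUserName": "bob", "ObjectDN": "CN=bob,CN=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674", "AttributeValue": "on leave"},
]


def detect_dcsync(events, allowed_subjects=frozenset()):
    """4662 where a non-machine principal exercised a replication right.

    DCs replicate with their machine accounts; put Azure AD Connect / backup
    service accounts in `allowed_subjects` instead of loosening the rule.
    Returns (subject, rights, has_get_changes_all); Get-Changes-All is the
    right that actually hands over password hashes."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4662:
            continue
        subject = ev["SubjectUserName"]
        if subject.endswith("$") or subject in allowed_subjects:
            continue
        rights = sorted({REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(ev["Properties"])
                         if g.lower() in REPLICATION_RIGHTS})
        if rights:
            hits.append((subject, tuple(rights), "DS-Replication-Get-Changes-All" in rights))
    return hits


def detect_shadow_credentials(events):
    """5136 adding a value to msDS-KeyCredentialLink by someone other than the
    object itself (Windows Hello / device enrolment writes its own link)."""
    hits = []
    for ev in events:
        if ev["EventID"] != 5136 or ev["AttributeLDAPDisplayName"].lower() != "msds-keycredentiallink":
            continue
        if ev["OperationType"] != VALUE_ADDED:
            continue
        rdn = ev["ObjectDN"].split(",", 1)[0]
        target_cn = rdn[3:] if rdn.upper().startswith("CN=") else rdn
        if ev["SubjectUserName"].rstrip("$").lower() == target_cn.lower():
            continue  # self-write
        hits.append((ev["SubjectUserName"], ev["ObjectDN"]))
    return hits


if __name__ == "__main__":
    print(detect_dcsync(SAMPLE_EVENTS))
    print(detect_shadow_credentials(SAMPLE_EVENTS))
```

Matching on the GUIDs rather than on the textual "Control Access" label keeps the rule stable across Windows versions and languages. Excluding every machine account is a coarse first cut; a tighter version compares the subject against the list of DC computer accounts, since a compromised server's machine account is still a possible DCSync principal.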
Group Membership Changes
| Log | Event ID | Meaning | Detection Use | Typical Attacks |
|---|---|---|---|---|
| Security | 4728 | Member added to security-enabled global group | Privilege escalation | AddMember abuse |
| Security | 4729 | Member removed from security-enabled global group | Group change | Cleanup |
| Security | 4732 | Member added to security-enabled local group (e.g. Administrators) | Admin escalation | Lateral movement |
| Security | 4733 | Member removed from security-enabled local group | Privilege removal | Cleanup |
| Security | 4756 | Member added to security-enabled universal group (e.g. Enterprise Admins) | Domain privilege escalation | Persistence |
Account Changes
| Log | Event ID | Meaning | Detection Use | Typical Attacks |
|---|---|---|---|---|
| Security | 4720 | User account created | Persistence | Rogue account |
| Security | 4722 | Account enabled | Account activation | Persistence |
| Security | 4723 | Password change attempt | Credential modification | Privilege abuse |
| Security | 4724 | Password reset | Forced password change | ForceChangePassword |
| Security | 4725 | Account disabled | Incident response action | Containment |
| Security | 4726 | Account deleted | Cleanup | Cover tracks |
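The group-membership and account-change tables above become most useful when correlated: a freshly created account (4720) that lands in a privileged group (4728/4732/4756) minutes later is the persistence pattern the tables hint at. The following is an added example, not from the original page, that flags privileged-group additions by SID (well-known RIDs 512/518/519 and S-1-5-32-544, which survive renamed or localised group names) and then joins them to 4720 events on the member SID inside a time window. The events, SIDs, names and the 30-minute window are constructed assumptions.

```python
"""Privileged-group additions and new-account-to-admin correlation over
4720 / 4728 / 4732 / 4756. Constructed sample with real field names."""
from datetime import datetime, timedelta

GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
# Match privileged groups by SID, not display name: names are localised and renamable.
PRIVILEGED_RIDS = {"512": "Domain Admins", "518": "Schema Admins", "519": "Enterprise Admins"}
PRIVILEGED_SIDS = {"S-1-5-32-544": "Administrators"}

SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2024-04-01T10:00:00", "SubjectUserName": "bob",
     "TargetUserName": "svc-old", "TargetSid": "S-1-5-21-1111-2222-3333-1106"},
    {"EventID": 4720, "TimeCreated": "2024-05-01T10:00:00", "SubjectUserName": "alice",
     "TargetUserName": "svc-backup", "TargetSid": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 4728, "TimeCreated": "2024-05-01T10:03:00", "SubjectUserName": "alice",
     "MemberSid": "S-1-5-21-1111-2222-3333-1105", "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=local",
     "TargetUserName": "Domain Admins", "TargetSid": "S-1-5-21-1111-2222-3333-512"},
    {"EventID": 4756, "TimeCreated": "2024-05-01T10:10:00", "SubjectUserName": "alice",
     "MemberSid": "S-1-5-21-1111-2222-3333-1105", "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=local",
     "TargetUserName": "Enterprise Admins", "TargetSid": "S-1-5-21-1111-2222-3333-519"},
    # A month-old account added to local Administrators: privileged, but not "new".
    {"EventID": 4732, "TimeCreated": "2024-05-01T11:00:00", "SubjectUserName": "bob",
     "MemberSid": "S-1-5-21-1111-2222-3333-1106", "MemberName": "-",
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"},
    # Remote Desktop Users is not in the privileged set.
    {"EventID": 4732, "TimeCreated": "2024-05-01T11:05:00", "SubjectUserName": "bob",
     "MemberSid": "S-1-5-21-1111-2222-3333-1001", "MemberName": "-",
     "TargetUserName": "Remote Desktop Users", "TargetSid": "S-1-5-32-555"},
]


def privileged_group_name(sid):
    """Well-known name if `sid` is a privileged group, else None."""
    if sid in PRIVILEGED_SIDS:
        return PRIVILEGED_SIDS[sid]
    if not sid.startswith("S-1-5-21-"):
        return None  # RID lookup only makes sense for domain SIDs
    return PRIVILEGED_RIDS.get(sid.rsplit("-", 1)[-1])


def privileged_group_additions(events):
    """(actor, member SID, group) for every 4728/4732/4756 into a privileged group."""
    hits = []
    for ev in events:
        if ev["EventID"] in GROUP_ADD_EVENTS:
            group = privileged_group_name(ev["TargetSid"])
            if group:
                hits.append((ev["SubjectUserName"], ev["MemberSid"], group))
    return hits


def _time(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def new_account_to_privileged_group(events, window=timedelta(minutes=30)):
    """4720 followed within `window` by a privileged-group add of the same SID.
    Returns (new account, group, creator, adder, minutes between)."""
    created = {ev["TargetSid"]: ev for ev in events if ev["EventID"] == 4720}
    hits = []
    for ev in sorted(events, key=_time):
        if ev["EventID"] not in GROUP_ADD_EVENTS:
            continue
        group = privileged_group_name(ev["TargetSid"])
        origin = created.get(ev["MemberSid"])
        if group is None or origin is None:
            continue
        age = _time(ev) - _time(origin)
        if timedelta(0) <= age <= window:
            hits.append((origin["TargetUserName"], group, origin["SubjectUserName"],
                         ev["SubjectUserName"], int(age.total_seconds() // 60)))
    return hits


if __name__ == "__main__":
    print(privileged_group_additions(SAMPLE_EVENTS))
    print(new_account_to_privileged_group(SAMPLE_EVENTS))
```

Joining on `MemberSid` rather than `MemberName` matters: 4732 often carries `-` for the member name when the DN cannot be resolved, and a SID is the only field present in both 4720 and the group events.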
Service Creation / Execution
| Log | Event ID | Meaning | Detection Use | Typical Attacks |
|---|---|---|---|---|
| System | 7045 | Service installed (Security 4697 is the equivalent when "Audit Security System Extension" is enabled) | Remote command execution | PsExec / SMBExec |
| System | 7036 | Service started | Execution tracking | Lateral movement |
Process Execution
| Log | Event ID | Meaning | Detection Use | Typical Attacks |
|---|---|---|---|---|
| Security | 4688 | Process creation (enable command-line auditing or the CommandLine field stays empty) | Command execution, parent process | WMIExec / WinRM |
| Sysmon | 1 | Process creation | Parent-child analysis | Malware / shells |
| Sysmon | 5 | Process termination | Process lifecycle | IR timeline |
Network Activity
| Log | Event ID | Meaning | Detection Use | Typical Attacks |
|---|---|---|---|---|
| Security | 5140 | Network share accessed (ADMIN$, C$, IPC$) | SMB lateral movement | PsExec / SMBExec / SMB relay |
| Security | 5145 | Detailed share access (share path checked against desired access) | File access tracking (PSEXESVC.exe dropped to ADMIN$, NTDS/SAM copies) | Credential theft |
| Sysmon | 3 | Network connection | Command and control | Lateral movement |
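The three tables above (service creation, process execution, network activity) describe the footprint of the impacket-style lateral-movement tools named in the "Typical Attacks" column. As an added example (not from the original page), the code below hunts two of those shapes in a constructed sample: 7045 service installs whose binary is `PSEXESVC.exe` or a command interpreter (psexec, smbexec), and 4688 / Sysmon 1 process creations whose parent is the WMI provider host or the WinRM provider host (wmiexec, Evil-WinRM, Enter-PSSession), with wmiexec's output redirection to `\\127.0.0.1\ADMIN$` as an extra signal. Field names are the real ones; hosts, service names and command lines are invented but follow the tools' well-known patterns.

```python
"""Service-based and WMI/WinRM-based remote execution over 7045, 4688 and Sysmon 1.

Constructed sample with real field names; hosts and commands are invented."""
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
REMOTE_EXEC_PARENTS = {"wmiprvse.exe": "WMI", "wsmprovhost.exe": "WinRM"}
SYSMON = "Microsoft-Windows-Sysmon/Operational"

SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 7045, "Computer": "FS01.corp.local", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"},
    # smbexec: a throwaway service whose ImagePath is a cmd.exe one-liner writing to C$.
    {"Channel": "System", "EventID": 7045, "Computer": "FS01.corp.local", "ServiceName": "BTOBTO",
     "ImagePath": "%COMSPEC% /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat"
                  " & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat",
     "AccountName": "LocalSystem"},
    {"Channel": "System", "EventID": 7045, "Computer": "FS01.corp.local", "ServiceName": "Sense",
     "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\"",
     "AccountName": "LocalSystem"},
    # wmiexec: WmiPrvSE.exe spawns cmd.exe and redirects output into ADMIN$ over loopback.
    {"Channel": "Security", "EventID": 4688, "Computer": "FS01.corp.local",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1714557600.12 2>&1"},
    # WinRM session: wsmprovhost.exe hosts the remote PowerShell runspace.
    {"Channel": SYSMON, "EventID": 1, "Computer": "WEB01.corp.local",
     "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"Channel": SYSMON, "EventID": 1, "Computer": "WEB01.corp.local",
     "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe"},
]


def _basename(path):
    return ntpath.basename(path).lower()


def _service_binary(image_path):
    """First token of a 7045 ImagePath (quoted paths kept whole), %COMSPEC% resolved."""
    p = image_path.strip()
    if p.startswith('"') and p.count('"') >= 2:
        first = p[1:p.index('"', 1)]
    else:
        first = p.split(" ", 1)[0]
    return "cmd.exe" if first.upper() == "%COMSPEC%" else _basename(first)


def detect_service_execution(events):
    """7045 (System log): PSEXESVC, or any service whose binary is a shell."""
    hits = []
    for ev in events:
        if ev["EventID"] != 7045 or ev.get("Channel") != "System":
            continue
        exe = _service_binary(ev["ImagePath"])
        if ev["ServiceName"].upper() == "PSEXESVC" or exe == "psexesvc.exe":
            hits.append((ev["Computer"], ev["ServiceName"], "psexec"))
        elif exe in SHELLS:
            hits.append((ev["Computer"], ev["ServiceName"], "shell-as-service"))
    return hits


def _process_fields(ev):
    """Normalise 4688 (Security) and Sysmon 1 to (host, parent, child, command line).
    The channel check matters: EventID 1 exists in many other logs."""
    if ev["EventID"] == 4688 and ev.get("Channel") == "Security":
        return ev["Computer"], ev["ParentProcessName"], ev["NewProcessName"], ev.get("CommandLine", "")
    if ev["EventID"] == 1 and ev.get("Channel") == SYSMON:
        return ev["Computer"], ev["ParentImage"], ev["Image"], ev.get("CommandLine", "")
    return None


def detect_remote_exec_parents(events):
    """Shell spawned by WmiPrvSE.exe (WMI) or wsmprovhost.exe (WinRM)."""
    hits = []
    for ev in events:
        fields = _process_fields(ev)
        if fields is None:
            continue
        host, parent, child, cmdline = fields
        channel = REMOTE_EXEC_PARENTS.get(_basename(parent))
        if channel and _basename(child) in SHELLS:
            note = "output-to-ADMIN$" if "\\\\127.0.0.1\\ADMIN$\\" in cmdline else ""
            hits.append((host, channel, _basename(child), note))
    return hits


if __name__ == "__main__":
    print(detect_service_execution(SAMPLE_EVENTS))
    print(detect_remote_exec_parents(SAMPLE_EVENTS))
```

Management tooling (SCCM, monitoring agents) also spawns shells under `WmiPrvSE.exe`, so the parent-process rule is a hunting lead to baseline per host rather than a standalone alert; the loopback `ADMIN$` redirection and a matching 5145 for `PSEXESVC.exe` on `ADMIN$` are what turn it into a confident one.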
Credential Access
| Log | Event ID | Meaning | Detection Use | Typical Attacks |
|---|---|---|---|---|
| Sysmon | 10 | Process accessed another process | LSASS handle access | Mimikatz |
| Security | 4663 | Object access (registry key / file; needs a SACL on the object) | SAM / SECURITY hive access by anything other than lsass.exe | SAM dumping (reg save, remote registry) |
PowerShell
| Log | Event ID | Meaning | Detection Use | Typical Attacks |
|---|---|---|---|---|
| PowerShell | 4103 | Module logging | Script activity | Recon |
| PowerShell | 4104 | Script block logging | Malicious scripts | Attack tooling |
Windows Remote Management
| Log | Event ID | Meaning | Detection Use | Typical Attacks |
|---|---|---|---|---|
| WinRM | 91 | Remote shell created | WinRM lateral movement | Evil-WinRM |
Certificate Services (ADCS)
| Log | Event ID | Meaning | Detection Use | Typical Attacks |
|---|---|---|---|---|
| Security | 4886 | Certificate request received | Enrollment baseline; requester vs. subject / SAN mismatch | ADCS ESC1 / ESC6 |
| Security | 4887 | Certificate request approved and certificate issued | Template abuse; forged (Golden) certificates never touch the CA, so check the certificate fields of 4768 for those | ADCS ESC attacks |
| Security | 4888 | Certificate request denied | Bursts of denials from one requester (failed template abuse) | ADCS abuse |
DNS Activity
| Log | Event ID | Meaning | Detection Use | Typical Attacks |
|---|---|---|---|---|
| DNS Server Analytical | 263 | Dynamic update received (analytical log is off by default) | ADIDNS record injection (wildcard, WPAD) | ADIDNS abuse / DNS poisoning |
| DNS Server Analytical | 270 | Full zone transfer (AXFR) request received | Unauthorized zone copy | DNS recon |