Security logs

EventID  Info

4625     Failed logon. The reason is an NTSTATUS value in Status / SubStatus; when Status is the generic 0xC000006D (bad user name or password) the specific reason is in SubStatus:
           0xC0000064  user name does not exist
           0xC000006A  password invalid
           0xC0000070  logon from unauthorised workstation (logon workstation restriction)
           0xC0000071  password expired
           0xC0000072  account disabled
           0xC0000193  account expired
           0xC0000234  account locked out

4648     Logon using explicit credentials (runas, alternate credentials); logged on the source host, not the target

4647     User-initiated logoff for an interactive / remote-interactive session

4624     Successful logon. Logon Type:
           2   Interactive (console, KVM, VNC-style console sessions)
           3   Network (SMB, and the first stage of RDP with NLA)
           4   Batch (scheduled task)
           5   Service (service startup, non-interactive)
           7   Unlock; also RDP session reconnect
           8   NetworkCleartext (e.g. IIS basic authentication)
           9   NewCredentials (runas /netonly: different credentials than the logged-on user, used only for outbound network access; note that net use /user: produces a 4648 on the source and a type 3 logon on the target, not a type 9)
           10  RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance; RDP without NLA goes straight to type 10)
           11  CachedInteractive (cached domain credentials, no DC reachable)
           12  CachedRemoteInteractive (cached version of type 10)
           13  CachedUnlock (cached version of type 7)
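As an added example (not part of the original cheat sheet), the PowerShell below decodes 4624/4625 events into the logon types and failure codes listed above. It parses the event XML so that field names, not Properties indices, select the data. The two sample events are constructed; the commented Get-WinEvent pipeline is the live equivalent and needs an elevated session.

```powershell
# Added example, not the page's own code. Decodes 4624/4625 Security events.
$LogonTypeName = @{
    '2'='Interactive'; '3'='Network'; '4'='Batch'; '5'='Service'; '7'='Unlock'
    '8'='NetworkCleartext'; '9'='NewCredentials'; '10'='RemoteInteractive'
    '11'='CachedInteractive'; '12'='CachedRemoteInteractive'; '13'='CachedUnlock'
}

# NTSTATUS values seen in 4625 Status/SubStatus (the same codes appear in 4776)
$FailureReason = @{
    '0xc0000064'='user name does not exist';  '0xc000006a'='password invalid'
    '0xc0000070'='logon from unauthorised workstation'; '0xc0000071'='password expired'
    '0xc0000072'='account disabled';          '0xc0000193'='account expired'
    '0xc0000234'='account locked out';        '0xc000006d'='bad user name or password'
}

function ConvertFrom-LogonEvent {
    # Takes the XML of one 4624 or 4625 event (as returned by EventLogRecord.ToXml()) and returns one row
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x  = [xml]$EventXml
        $id = [int]$x.SelectSingleNode("//*[local-name()='EventID']").InnerText
        $d  = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $type = [string]$d['LogonType']
        # 4625: Status 0xC000006D is generic, the real reason then sits in SubStatus
        $code   = if ($d['SubStatus'] -and $d['SubStatus'] -ne '0x0') { $d['SubStatus'] } else { $d['Status'] }
        $reason = $null
        if ($id -eq 4625 -and $code) {
            $reason = $FailureReason[$code.ToLower()]
            if (-not $reason) { $reason = "unknown status $code" }
        }
        $outcome = if ($id -eq 4624) { 'success' } else { 'failure' }

        [pscustomobject]@{
            EventID   = $id
            Outcome   = $outcome
            User      = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            LogonType = '{0} ({1})' -f $type, $LogonTypeName[$type]
            SourceIP  = $d['IpAddress']
            Process   = $d['ProcessName']
            Reason    = $reason
        }
    }
}

# Constructed sample events (not real log data): an RDP logon and a wrong-password failure over SMB
$sampleSuccess = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System>
<EventData><Data Name="TargetUserName">jsmith</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.0.5</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data></EventData></Event>
'@
$sampleFailure = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4625</EventID></System>
<EventData><Data Name="TargetUserName">jsmith</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="LogonType">3</Data><Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data>
<Data Name="IpAddress">10.0.0.77</Data><Data Name="ProcessName">-</Data></EventData></Event>
'@
$sampleSuccess, $sampleFailure | ConvertFrom-LogonEvent | Format-Table -AutoSize

# Live equivalent (elevated): last 500 logon events on this host, service (type 5) logons dropped
# Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4625 } -MaxEvents 500 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEvent |
#     Where-Object { $_.LogonType -notlike '5 *' } | Format-Table -AutoSize
```

Type 5 logons are filtered in the live pipeline because service starts dominate the volume on most hosts; keep them when hunting for services running under user accounts.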

4672     Special privileges assigned to new logon (admin-equivalent rights such as SeDebugPrivilege); correlate with the 4624 that shares the same Logon ID

4634     Logoff. Not reliably recorded, so also look for 4647

4698     Scheduled task created (also event 106 in Microsoft-Windows-TaskScheduler/Operational, which is disabled by default)

4699     Scheduled task deleted (also event 141 in the Task Scheduler operational log)

4700     Scheduled task enabled

4701     Scheduled task disabled

4702     Scheduled task updated

4720     New user account created

4724     Attempt to reset an account's password (an administrative reset; a user changing their own password is 4723)

4726     User account deleted

4728     Member added to a security-enabled global group

4732     Member added to a security-enabled local group

4735     Security-enabled local group changed

4738     User account changed

4756     Member added to a security-enabled universal group

4768     Kerberos TGT requested (AS-REQ); logged on the DC

4769     Kerberos service ticket requested (TGS-REQ); logged on the DC. Ticket Encryption Type 0x17 = RC4-HMAC: a burst of RC4 tickets for many SPNs from one account is the Kerberoasting pattern (tools ask for RC4 because the ticket is then protected only by the service account's password). 0x12 = AES256, 0x11 = AES128.

4771     Kerberos pre-authentication failed; logged on the DC. Failure code:
           0x6   client (user) not found in the Kerberos database
           0x7   server (service) not found
           0xC   KDC policy rejects the request (e.g. workstation or logon-hours restriction)
           0x12  client credentials revoked (account locked, disabled or expired)
           0x17  key expired (password expired)
           0x18  pre-authentication failed (password invalid)
           0x25  clock skew too great

4776     The computer attempted to validate the credentials for an account (NTLM); logged on the DC for domain accounts and on the local machine for local accounts. Error code:
           0xC0000064  user name does not exist
           0xC000006A  password invalid
           0xC0000070  logon from unauthorised workstation
           0xC0000071  password expired
           0xC0000072  account disabled
           0xC0000193  account expired
           0xC0000234  account locked out
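An added hunting example (not the page's own code) that applies the 0x17 note above to 4769 data: it keeps RC4 service-ticket requests for user-account SPNs and reports requesters that pull tickets for many distinct services inside a short window. The function works on plain objects with TimeCreated, TargetUserName, ServiceName, TicketEncryptionType and IpAddress; the sample below is constructed, and the commented Get-WinEvent pipeline is the live source on a DC. The thresholds are assumptions to tune per environment.

```powershell
# Added example, not the page's own code. Kerberoasting hunt over 4769 records.
function Find-Kerberoasting {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MinDistinctServices = 5,     # assumed threshold: how many SPNs in one burst is suspicious
        [int]$WindowMinutes = 10           # assumed threshold: how tight the burst has to be
    )
    $Events |
        Where-Object {
            $_.TicketEncryptionType -eq '0x17' -and   # RC4-HMAC: what roasting tools request
            $_.ServiceName -notlike '*$' -and        # machine accounts: long random passwords, not crackable
            $_.ServiceName -ne 'krbtgt'
        } |
        Group-Object TargetUserName, IpAddress |
        ForEach-Object {
            $g        = @($_.Group | Sort-Object TimeCreated)
            $services = @($g.ServiceName | Sort-Object -Unique)
            $spanMin  = ($g[-1].TimeCreated - $g[0].TimeCreated).TotalMinutes
            if ($services.Count -ge $MinDistinctServices -and $spanMin -le $WindowMinutes) {
                [pscustomobject]@{
                    Requester = $g[0].TargetUserName
                    SourceIP  = $g[0].IpAddress
                    Services  = $services.Count
                    SpanMin   = [math]::Round($spanMin, 1)
                    SPNs      = $services -join ', '
                }
            }
        }
}

# Constructed sample (not real log data)
$t0 = Get-Date '2024-05-01T09:00:00'
$sample = @(
    # one account requesting RC4 tickets for seven SPNs inside two minutes: the roasting pattern
    foreach ($i in 0..6) {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(15 * $i); TargetUserName = 'jdoe@CORP.LOCAL'
                           ServiceName = "svc_app$i"; TicketEncryptionType = '0x17'; IpAddress = '10.0.0.20' }
    }
    # normal traffic: an AES ticket for a machine account and a single RC4 ticket, must not fire
    [pscustomobject]@{ TimeCreated = $t0; TargetUserName = 'asmith@CORP.LOCAL'; ServiceName = 'WS01$'
                       TicketEncryptionType = '0x12'; IpAddress = '10.0.0.21' }
    [pscustomobject]@{ TimeCreated = $t0; TargetUserName = 'asmith@CORP.LOCAL'; ServiceName = 'sql_svc'
                       TicketEncryptionType = '0x17'; IpAddress = '10.0.0.21' }
)
Find-Kerberoasting -Events $sample | Format-Table -AutoSize

# Live source (elevated, on a DC): map the 4769 EventData names onto the same fields
# $events = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4769; StartTime=(Get-Date).AddHours(-24) } |
#     ForEach-Object {
#         $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#         [pscustomobject]@{ TimeCreated = $_.TimeCreated; TargetUserName = $d.TargetUserName; ServiceName = $d.ServiceName
#                            TicketEncryptionType = $d.TicketEncryptionType; IpAddress = $d.IpAddress }
#     }
# Find-Kerberoasting -Events $events | Format-Table -AutoSize
```

Legitimate RC4 traffic still exists where service accounts have no AES keys configured, so expect to allow-list specific SPNs; the grouping by requester and source IP keeps a single noisy application server from hiding a genuine roast from a workstation.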

1149     RDP: user authentication succeeded (Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational, not the Security log). Despite the name it fires when a client connects and is not proof of a successful logon; confirm with a 4624 type 10

4778     RDP session reconnected (ClientName / ClientAddress identify the connecting client)

4779     RDP session disconnected

4801     Workstation unlocked (4800 = workstation locked)

4798     A user's local group membership was enumerated (can indicate BloodHound/SharpHound-style collection; the event gives the calling process, so look for PowerShell, WMI, etc.)

4799     A security-enabled local group membership was enumerated (same indicator; the event gives the calling process, so look for PowerShell, WMI, etc. and ignore routine callers such as taskhostw, mmc, services and explorer)

5140     Network share accessed (requires the File Share audit subcategory)

5142     Share created

5143     Share modified

5144     Share deleted

1102     Security log cleared (clearing any other log is EID 104 from Microsoft-Windows-Eventlog in the System log)

7034     Service crashed unexpectedly (System log)

7035     Service sent a start/stop control (System log)

7036     Service entered the running or stopped state (System log)

7040     Service start type changed, e.g. auto start to demand start (System log)

7045     New service installed on the system (System log)

4697     A new service was installed on the system (Security log equivalent of 7045; requires the Security System Extension audit subcategory)
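An added triage example (not from the original page) for the new-service events above: it scores 7045 (System) or 4697 (Security) records with heuristics for the service-based persistence and lateral-movement tooling those events usually expose. Input objects carry ServiceName, ImagePath and AccountName; the sample records are constructed, and the commented pipeline pulls live 7045 events. The patterns are assumptions to tune, not a definitive signature set.

```powershell
# Added example, not the page's own code. Heuristic triage of new-service records.
function Test-SuspiciousService {
    param([Parameter(Mandatory, ValueFromPipeline)]$Service)
    process {
        $p = [string]$Service.ImagePath
        $flags = @()
        if ($p -match '(?i)\\(Temp|AppData|Users\\Public|ProgramData|Downloads|\$Recycle\.Bin)\\') {
            $flags += 'user-writable path'
        }
        if ($p -match '(?i)\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b') {
            $flags += 'interpreter / LOLBin as service binary'
        }
        if ($p -match '(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}') {
            $flags += 'encoded PowerShell'
        }
        if ($p -match '(?i)PSEXESVC|\\ADMIN\$\\') {
            $flags += 'PsExec-style service'
        }
        # mixed-case 8-letter names are the shape of Metasploit psexec service names (assumed heuristic)
        if ($Service.ServiceName -match '^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}$') {
            $flags += 'random 8-letter name'
        }
        # unquoted drive-letter path with a space inside a directory component: service path hijack surface
        if ($p -notmatch '^"' -and $p -match '^[A-Za-z]:\\[^"]*\s[^"\\:]*\\') {
            $flags += 'unquoted path with spaces'
        }
        [pscustomobject]@{
            Service   = $Service.ServiceName
            Account   = $Service.AccountName
            ImagePath = $p
            Flags     = $flags -join '; '
            Suspect   = $flags.Count -gt 0
        }
    }
}

# Constructed sample records (not real log data)
$sample = @(
    [pscustomobject]@{ ServiceName='wuauserv';    AccountName='LocalSystem'; ImagePath='C:\Windows\System32\svchost.exe -k netsvcs' }
    [pscustomobject]@{ ServiceName='PSEXESVC';    AccountName='LocalSystem'; ImagePath='%SystemRoot%\PSEXESVC.exe' }
    [pscustomobject]@{ ServiceName='hJkLmNoP';    AccountName='LocalSystem'
                       ImagePath='%COMSPEC% /b /c start /b /min powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' }
    [pscustomobject]@{ ServiceName='Updater';     AccountName='LocalSystem'; ImagePath='C:\Users\Public\update.exe' }
    [pscustomobject]@{ ServiceName='VendorAgent'; AccountName='LocalSystem'; ImagePath='C:\Program Files\Vendor Agent\agent.exe' }
)
$sample | Test-SuspiciousService | Where-Object Suspect | Format-Table -AutoSize

# Live source (elevated): System log 7045. For 4697 in the Security log use the
# ServiceFileName and ServiceAccount fields in place of ImagePath and AccountName.
# Get-WinEvent -FilterHashtable @{ LogName='System'; Id=7045 } -MaxEvents 200 | ForEach-Object {
#     $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     [pscustomobject]@{ ServiceName = $d.ServiceName; ImagePath = $d.ImagePath; AccountName = $d.AccountName }
# } | Test-SuspiciousService | Where-Object Suspect | Format-Table -AutoSize
```

Only the first sample record comes back clean; the other four each trip at least one heuristic. The unquoted-path check is the one most worth keeping even for "trusted" vendor software, since it is a local privilege-escalation path regardless of who installed the service.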

Built-in accounts:

Account Name      Info

SYSTEM            Local System account; the most powerful local identity, presents the computer account on the network

LOCAL SERVICE     Limited local privileges; accesses network resources as a null session (anonymous)

NETWORK SERVICE   Limited local privileges like Local Service, but accesses network resources with the computer account's credentials

<hostname>$       Computer account

DWM-n             Desktop Window Manager

UMFD-n            User-Mode Font Driver host

ANONYMOUS LOGON   Null session / no credentials

Credential availability (does the admin's credential end up on the target host?):

Admin action                 Logon Type   Credential on Target   Notes

Console logon                2            Yes                    Except when Credential Guard is enabled
RunAs                        2            Yes                    Except when Credential Guard is enabled
Remote Desktop               10           Yes                    Except when Credential Guard is enabled
Net Use                      3            No                     Including with the /user: parameter
PowerShell Remoting          3            No                     Invoke-Command; Enter-PSSession
PsExec alternate creds       3 + 2        Yes                    -u -p (the explicit credentials produce an interactive logon on the target)
PsExec w/o explicit creds    3            No
Remote Scheduled task        4            Yes                    Password saved as an LSA secret
Run as Service               5            Yes                    (with a user account) password saved as an LSA secret
Remote Registry              3            No
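An added example (not the page's own code) that turns the table above into a check: logon types 2, 10 and 11 leave the credential cached in LSASS and types 4 and 5 store the password as an LSA secret, while type 3 leaves nothing behind. The function joins 4672 (privileged logon) to the 4624 with the same Logon ID and reports admin logons that expose a credential on hosts where that is not expected. The records below are constructed, the -AdminHosts allow-list (DCs, PAWs) is an assumption, and the commented pipeline shows how to normalise live 4624/4672 events onto the same fields.

```powershell
# Added example, not the page's own code. Flags privileged logons that leave credentials on the target.
$CredentialLeftOnTarget = @{
    '2'  = 'interactive: credential cached in LSASS (unless Credential Guard)'
    '10' = 'remote interactive: credential cached in LSASS (unless Credential Guard)'
    '11' = 'cached interactive: credential cached in LSASS'
    '4'  = 'batch: password stored as LSA secret'
    '5'  = 'service: password stored as LSA secret'
}

function Find-ExposedAdminLogon {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # Id, Computer, LogonId, User, LogonType
        [string[]]$AdminHosts = @()                # assumed allow-list of hosts where admin logons are expected
    )
    # 4672 fires for every logon that receives admin-equivalent privileges; key it on host + Logon ID
    $privileged = @{}
    foreach ($e in $Events) {
        if ($e.Id -eq 4672) { $privileged["$($e.Computer)|$($e.LogonId)"] = $true }
    }
    foreach ($e in $Events) {
        if ($e.Id -ne 4624) { continue }
        $key      = "$($e.Computer)|$($e.LogonId)"
        $exposure = $CredentialLeftOnTarget[[string]$e.LogonType]
        if ($privileged[$key] -and $exposure -and ($AdminHosts -notcontains $e.Computer)) {
            [pscustomobject]@{
                Computer  = $e.Computer
                User      = $e.User
                LogonType = $e.LogonType
                Exposure  = $exposure
            }
        }
    }
}

# Constructed sample (not real log data). 4624 carries TargetLogonId, 4672 carries SubjectLogonId;
# both are normalised to LogonId here.
$sample = @(
    # domain admin RDPs to a workstation: privileged + type 10 on a non-admin host -> exposed
    [pscustomobject]@{ Id=4624; Computer='WS01'; LogonId='0x3e7a1'; User='da_ops'; LogonType=10 }
    [pscustomobject]@{ Id=4672; Computer='WS01'; LogonId='0x3e7a1'; User='da_ops'; LogonType=$null }
    # same admin via PowerShell Remoting: type 3, nothing left behind -> not reported
    [pscustomobject]@{ Id=4624; Computer='WS02'; LogonId='0x41b22'; User='da_ops'; LogonType=3 }
    [pscustomobject]@{ Id=4672; Computer='WS02'; LogonId='0x41b22'; User='da_ops'; LogonType=$null }
    # console logon on a DC: expected there, allow-listed -> not reported
    [pscustomobject]@{ Id=4624; Computer='DC01'; LogonId='0x5c001'; User='da_ops'; LogonType=2 }
    [pscustomobject]@{ Id=4672; Computer='DC01'; LogonId='0x5c001'; User='da_ops'; LogonType=$null }
    # ordinary user at the console: no 4672, so not privileged -> not reported
    [pscustomobject]@{ Id=4624; Computer='WS01'; LogonId='0x66aa0'; User='jsmith'; LogonType=2 }
)
Find-ExposedAdminLogon -Events $sample -AdminHosts 'DC01' | Format-Table -AutoSize

# Live source (elevated): normalise 4624 (TargetLogonId / TargetUserName) and
# 4672 (SubjectLogonId / SubjectUserName) onto the same field names
# $events = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4672 } -MaxEvents 2000 | ForEach-Object {
#     $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     if ($_.Id -eq 4672) { $lid = $d.SubjectLogonId; $u = $d.SubjectUserName }
#     else                { $lid = $d.TargetLogonId;  $u = $d.TargetUserName }
#     [pscustomobject]@{ Id = $_.Id; Computer = $_.MachineName; LogonId = $lid; User = $u; LogonType = $d.LogonType }
# }
# Find-ExposedAdminLogon -Events $events -AdminHosts 'DC01','PAW01' | Format-Table -AutoSize
```

Only the WS01 RDP logon is reported for the sample. Run against real data this is a quick way to find admins who habitually RDP or runas into workstations instead of using PowerShell Remoting, which is the behaviour the table above argues against.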
