Security logs
4625
Failed logon - status / sub-status codes:
  0xC0000064 - invalid user
  0xC0000070 - logon from unauthorised workstation
  0xC0000234 - account locked, disabled or expired
  0xC0000071 - password expired
  0xC000006A - password invalid
4648
Logon using explicit credentials (RunAs)
4647
User-initiated logoff for an interactive / remote session
4624
Logon Type Description
2 Console/Interactive (VNC, Desktop, KVM)
3 Network (SMB / NLA)
4 Batch (i.e. scheduled task)
5 Service logon (Service startup) (non-interactive)
7 lock / Unlock; RDP session reconnect
8 Network Cleartext logon (IIS)
9 different credentials used than logged in user (RunAs/mapping drive)
10 Remote Interactive (Terminal Services, Remote Desktop or Remote Assistance) (RDP w/o NLA)
11 Cached credentials
12 Cached Remote Interactive (similar to 10)
13 Cached Unlock (similar to 7)
4672
Successful Logon as Admin
4634
Log off - Windows does not reliably record this, so also look for 4647
4698
Scheduled task creation | also event 106 in task scheduler
4699
Scheduled Task deleted | also event 141 in task scheduler
4700
Scheduled task enabled
4701
Scheduled Task disabled
4702
Scheduled Task updated
4720
New User created
4724
An attempt was made to reset an account's password
4726
An account was deleted
4728
member added to security enabled global group
4732
member added to security enabled local group
4735
security enabled local group changed
4738
A user account was changed
4756
member added to security enabled universal group
4768
Kerberos TGT generated
4769
Kerberos service ticket requested for an SPN - check Ticket Encryption Type: 0x17 is RC4-HMAC
4771
Kerberos pre-authentication failed - failure codes:
  0x6 - invalid user
  0x7 - request server not found
  0xC - logon from unauthorised workstation
  0x12 - account locked, disabled or expired
  0x17 - password expired
  0x18 - password invalid
  0x25 - clock skew too great
4776
Computer attempted to validate the credentials for an account (NTLM) - error codes:
  0xC0000064 - invalid user
  0xC0000070 - logon from unauthorised workstation
  0xC0000234 - account locked, disabled or expired
  0xC0000071 - password expired
  0xC000006A - password invalid
1149
RDP user authenticated
4778
RDP Session Reconnected
4779
RDP Session Disconnected
4801
System unlock
4798
A user's local group membership was enumerated (can indicate BloodHound-style enumeration - the event also records the calling process; look for PowerShell/WMI etc.)
4799
A security-enabled local group membership was enumerated (can indicate BloodHound-style enumeration - the event also records the calling process; look for PowerShell/WMI etc.; ignore taskhostw, mmc, services, explorer)
5140
Share mount
5142
Share created
5143
Share Modified
5144
Share deleted
1102
Security event log cleared (clearing any other log produces EID 104, which appears in the System log)
7034
Service crashed unexpectedly
7035
Service sent start/stop control
7036
service started or stopped
7040
Start type changed (boot | on request)
7045
New service installed on system
4697
A new service was installed on the system
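The following Python script is an added example, not part of these notes: it decodes the status codes and logon types listed above over a constructed set of Security events and applies the triage hints from the notes (4769 with encryption type 0x17, 4798/4799 enumeration by a process other than the ones to ignore, 1102 log clearing, type 8 cleartext logons). The event dicts are constructed to resemble fields exported from EVTX (for instance via Get-WinEvent or an evtx parser); the field names follow the Security log schema, and every value is made up.

```python
"""Decode and triage Windows Security events (added example, not from the notes).

The records below are constructed dicts that mimic fields exported from EVTX
(for instance via Get-WinEvent or an evtx parser). Field names such as
EventID, LogonType, Status, TicketEncryptionType and CallerProcessName follow
the Security log schema; every value is made up for illustration.
"""
import ntpath
from collections import Counter

# NT status codes listed under 4625 / 4776 in the notes
NT_STATUS = {
    0xC0000064: "invalid user",
    0xC0000070: "logon from unauthorised workstation",
    0xC0000234: "account locked, disabled or expired",
    0xC0000071: "password expired",
    0xC000006A: "password invalid",
}

# Kerberos pre-authentication failure codes listed under 4771 in the notes
KRB_STATUS = {
    0x6: "invalid user",
    0x7: "request server not found",
    0xC: "logon from unauthorised workstation",
    0x12: "account locked, disabled or expired",
    0x17: "password expired",
    0x18: "password invalid",
    0x25: "clock skew too great",
}

# 4624 logon types from the notes
LOGON_TYPES = {
    2: "interactive", 3: "network", 4: "batch", 5: "service", 7: "unlock",
    8: "network cleartext", 9: "new credentials", 10: "remote interactive",
    11: "cached interactive", 12: "cached remote interactive", 13: "cached unlock",
}

# Processes the notes say to ignore on 4798 / 4799 enumeration events
BENIGN_ENUM_PROCS = {"taskhostw.exe", "mmc.exe", "services.exe", "explorer.exe"}

SAMPLE_EVENTS = [  # constructed sample records, not real log data
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 10},
    {"EventID": 4625, "TargetUserName": "bob", "Status": "0xC000006A"},
    {"EventID": 4625, "TargetUserName": "bob", "Status": "0xC000006A"},
    {"EventID": 4625, "TargetUserName": "bob", "Status": "0xC0000234"},
    {"EventID": 4771, "TargetUserName": "carol", "Status": "0x18"},
    {"EventID": 4776, "TargetUserName": "dave", "Status": "0xC0000064"},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "MSSQLSvc", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "cifs", "TicketEncryptionType": "0x12"},
    {"EventID": 4799, "TargetUserName": "Administrators",
     "CallerProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4799, "TargetUserName": "Administrators",
     "CallerProcessName": r"C:\Windows\System32\mmc.exe"},
    {"EventID": 1102, "SubjectUserName": "alice"},
]


def describe(ev):
    """One-line human-readable decoding of a single event record."""
    eid = ev["EventID"]
    if eid == 4624:
        lt = ev["LogonType"]
        return f"4624 logon type {lt} ({LOGON_TYPES.get(lt, 'unknown')}) for {ev['TargetUserName']}"
    if eid in (4625, 4776):
        code = int(ev["Status"], 16)
        return f"{eid} failed auth for {ev['TargetUserName']}: {NT_STATUS.get(code, hex(code))}"
    if eid == 4771:
        code = int(ev["Status"], 16)
        return f"4771 Kerberos pre-auth failed for {ev['TargetUserName']}: {KRB_STATUS.get(code, hex(code))}"
    return f"{eid} (no decoder in this example)"


def flag(ev):
    """Triage reasons for one event, following the hints in the notes; [] if none."""
    reasons = []
    eid = ev["EventID"]
    if eid == 4769 and int(ev.get("TicketEncryptionType", "0x0"), 16) == 0x17:
        reasons.append(f"service ticket issued with RC4 (0x17) for {ev['ServiceName']}")
    if eid in (4798, 4799):
        # ntpath handles the Windows-style path even when this runs on Linux
        proc = ntpath.basename(ev.get("CallerProcessName", "")).lower()
        if proc not in BENIGN_ENUM_PROCS:
            reasons.append(f"group membership enumeration of {ev['TargetUserName']} by {proc or 'unknown process'}")
    if eid == 1102:
        reasons.append(f"Security event log cleared by {ev.get('SubjectUserName', 'unknown')}")
    if eid == 4624 and ev.get("LogonType") == 8:
        reasons.append("network cleartext logon (type 8)")
    return reasons


def failure_summary(events):
    """Count failed-authentication reasons per target account across 4625/4771/4776."""
    summary = {}
    for ev in events:
        eid = ev["EventID"]
        if eid not in (4625, 4771, 4776):
            continue
        table = KRB_STATUS if eid == 4771 else NT_STATUS
        reason = table.get(int(ev["Status"], 16), ev["Status"])
        summary.setdefault(ev["TargetUserName"], Counter())[reason] += 1
    return summary


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(describe(ev), *("  !! " + r for r in flag(ev)), sep="\n")
    for user, reasons in failure_summary(SAMPLE_EVENTS).items():
        print(user, dict(reasons))
```

The same decoders apply to 4625 and 4776 because both report NT status codes, while 4771 carries Kerberos error codes, which is why `failure_summary` picks the table by event ID.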
Built in accounts:
System
System account - most powerful
Local Service
Access network resources via null session - limited privs
Network Service
Similar to above but can access network resources
<hostname>$
computer account
DWM
Desktop Window Manager
UMFD
Font driver host
Anonymous
Null Session / w/o creds
Credential availability:
Logon method              | Logon type | Creds on host | Notes
Console logon             | 2          | Yes           | Except when Credential Guard is enabled
RunAs                     | 2          | Yes           | Except when Credential Guard is enabled
Remote Desktop            | 10         | Yes           | Except when Credential Guard is enabled
Net Use                   | 3          | No            | Including /u: parameter
PowerShell Remoting       | 3          | No            | Invoke-Command; Enter-PSSession
PsExec alternate creds    | 3+2        | Yes           | -u -p
PsExec w/o explicit creds | 3          | No            |
Remote Scheduled task     | 4          | Yes           | Password saved as LSA secret
Run as Service            | 5          | Yes           | (w/ user account) - Password saved as LSA secret
Remote Registry           | 3          | No            |
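An added Python example (not from these notes) that turns the credential-availability table into incident-response scoping: given 4624 records from several hosts, it reports on which hosts each account's credentials are resident and which accounts to reset after a given host is compromised, honouring the Credential Guard caveat for the rows that carry it. The 4624 records, host names and account names are constructed for illustration.

```python
"""Which logons leave credentials on a host (added example, not from the notes).

CRED_EXPOSURE mirrors the credential-availability table: for each 4624 logon
type it records whether the credentials remain on the target host and the
caveat given in the notes. The 4624 records are constructed samples; host and
account names are made up.
"""
from collections import defaultdict

# logon type -> (method(s) from the notes, credentials remain on host, caveat)
CRED_EXPOSURE = {
    2:  ("console logon / RunAs", True, "except when Credential Guard is enabled"),
    3:  ("net use, PowerShell Remoting, PsExec w/o -u, Remote Registry", False, ""),
    4:  ("remote scheduled task", True, "password saved as LSA secret"),
    5:  ("run as service with a user account", True, "password saved as LSA secret"),
    10: ("Remote Desktop", True, "except when Credential Guard is enabled"),
}
# Rows whose caveat in the notes is Credential Guard
CREDENTIAL_GUARD_PROTECTED = {2, 10}

SAMPLE_LOGONS = [  # constructed 4624 / 4672 records, not real data
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "svc_backup", "LogonType": 5},
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "helpdesk01", "LogonType": 10},
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "DA_admin", "LogonType": 3},
    {"EventID": 4624, "Computer": "WS02", "TargetUserName": "DA_admin", "LogonType": 10},
    {"EventID": 4624, "Computer": "WS02", "TargetUserName": "alice", "LogonType": 2},
    {"EventID": 4624, "Computer": "WS02", "TargetUserName": "svc_task", "LogonType": 4},
    {"EventID": 4672, "Computer": "WS02", "TargetUserName": "DA_admin"},
]


def credentials_exposed(logon_type, credential_guard=False):
    """Return (exposed, explanation) for one 4624 logon type on a host."""
    method, exposed, caveat = CRED_EXPOSURE.get(
        logon_type, ("other logon type", False, "not covered by the notes"))
    if exposed and credential_guard and logon_type in CREDENTIAL_GUARD_PROTECTED:
        return False, f"{method}: protected by Credential Guard"
    return exposed, f"{method}: {caveat}" if caveat else method


def exposure_map(events, credential_guard_hosts=frozenset()):
    """Map each account to the hosts where its credentials are resident, from 4624 events."""
    resident = defaultdict(set)
    for ev in events:
        if ev["EventID"] != 4624:
            continue
        exposed, _ = credentials_exposed(ev["LogonType"], ev["Computer"] in credential_guard_hosts)
        if exposed:
            resident[ev["TargetUserName"]].add(ev["Computer"])
    return dict(resident)


def accounts_to_reset(events, compromised_host, credential_guard_hosts=frozenset()):
    """IR scoping: accounts whose credentials were resident on compromised_host."""
    return {user for user, hosts in exposure_map(events, credential_guard_hosts).items()
            if compromised_host in hosts}


if __name__ == "__main__":
    for user, hosts in sorted(exposure_map(SAMPLE_LOGONS).items()):
        print(f"{user:12} credentials resident on: {', '.join(sorted(hosts))}")
    print("reset after WS01 compromise:", sorted(accounts_to_reset(SAMPLE_LOGONS, "WS01")))
    print("reset after WS02 compromise (Credential Guard on WS02):",
          sorted(accounts_to_reset(SAMPLE_LOGONS, "WS02", {"WS02"})))
```

Note that the type 3 logon of DA_admin on WS01 does not put that account in scope, while the type 4 and 5 logons stay in scope even on a Credential Guard host, because the notes tie those rows to LSA secrets rather than to Credential Guard.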