Event IDs, Logging, & SIEMs

Hunting Suspicious Activity

Account Logon Events

Event ID

Description

4624

Sucessful Logon

4625

Failed Logon

4634

Sucessful Logoff

4647

User-initiated Logoff

4548

Logon using Explicit Credentials

4672

Special Privileges Assigned

4768

Kerberos Ticket (TGT) Requested

4769

Kerberos Service Ticket Requested

4771

Kerberos Pre-auth Failed

4776

Attempted to Validate Credentials

4778

Session Reconnected

4779

Session Disconnected

Account Management

Event ID

Description

4720

Account created

4722

Account enabled

4724

Attempt to reset a password

4728

User added to a global group

4732

User added to a local group

4756

User added to a universal group

Hunting Password Attacks

Hunt for event ID 4625 (Logon Failed) and Logon Type 3 (Network Logon) Looking for rapid succession of failed attempts to the same machine, or multiple machines.

PreviousThreat Hunting: Hunting the Endpoint & Endpoint Analysis NextOSCP

Last updated 1 year ago

hashtagHunting Suspicious Activity

hashtagAccount Logon Events

hashtagAccount Management

hashtagHunting Password Attacks

Hunting Suspicious Activity

Account Logon Events

Account Management

Hunting Password Attacks