Microsoft-Windows-Security-Auditing
423 events across 1 channel
Event ID 4608 — Windows is starting up.
Message
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4608
version: 0
level: 0
task: 12288
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:27.349587+00:00'
event_record_id: 2754
correlation: {}
execution:
process_id: 808
thread_id: 812
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data: {}
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4608
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4608
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4609 — Windows is shutting down.
Message
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4609
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4609
Event ID 4610 — An authentication package has been loaded by the Local Security Authority.
Message
Fields
| Name | Description |
|---|---|
AuthenticationPackageName | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4610
version: 0
level: 0
task: 12289
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-04T13:11:13.483248+00:00'
event_record_id: 25342
correlation:
ActivityID: 7377737E-4825-0000-C974-77732548D801
execution:
process_id: 612
thread_id: 616
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
AuthenticationPackageName: 'C:\Windows\system32\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4610
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4610
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4611 — A trusted logon process has been registered with the Local Security Authority.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
LogonProcessName | [Subject] Logon Process Name. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4611
version: 0
level: 0
task: 12289
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-04T13:50:33.878854+00:00'
event_record_id: 31791
correlation:
ActivityID: 7377737E-4825-0000-C974-77732548D801
execution:
process_id: 612
thread_id: 3232
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WIN-TKC15D7KHUR$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
LogonProcessName: UserManager
message: ''
Community Notes
Normally logged at boot when the built-in logon processes register with LSA (UserManager in the example above, Winlogon, and similar). A 4611 logged well after boot, or carrying a LogonProcessName that does not appear on baseline hosts, means some process called LsaRegisterLogonProcess: that is what tools such as Rubeus do, and what code injected into LSASS or talking directly to it may do.
Sigma Rules
- Register new Logon Process by Rubeus
Detects potential use of Rubeus via registered new trusted logon process
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4611
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4611
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4612 — Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
Message
Fields
| Name | Description |
|---|---|
AuditsDiscarded | — |
References
Event ID 4614 — A notification package has been loaded by the Security Account Manager.
Message
Fields
| Name | Description |
|---|---|
NotificationPackageName | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4614
version: 0
level: 0
task: 12289
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-04T13:11:13.532261+00:00'
event_record_id: 25349
correlation:
ActivityID: 7377737E-4825-0000-C974-77732548D801
execution:
process_id: 612
thread_id: 616
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
NotificationPackageName: scecli
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4614
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4614
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4615 — Invalid use of LPC port.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Invalid_Use | [Process Information] Invalid Use. |
LPC_Server_Port_Name | [Process Information] LPC Server Port Name. |
PID | [Process Information] PID. |
Name | [Process Information] Name. |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
InvalidCallName | — |
ServerPortName | — |
ProcessId | — |
ProcessName | — |
References
Event ID 4616 — The system time was changed.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
PreviousTime | [Process Information] Previous Time. |
NewTime | [Process Information] New Time. |
ProcessId | [Process Information] Process ID. |
ProcessName | [Process Information] Name. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4616
version: 1
level: 0
task: 12288
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-05T22:32:22.236565+00:00'
event_record_id: 3458
correlation: {}
execution:
process_id: 4
thread_id: 52
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
PreviousTime: '2023-11-05T22:32:20.942615Z'
NewTime: '2023-11-05T22:32:22.232000Z'
ProcessId: '0xcec'
ProcessName: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
message: ''
Sigma Rules
- Unauthorized System Time Modification
Detect scenarios where a potentially unauthorized application or user is modifying the system time.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4616
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4618 — A monitored security event pattern has occurred.
Message
Fields
| Name | Description |
|---|---|
EventId | — |
ComputerName | — |
TargetUserSid | — |
TargetUserName | — |
TargetUserDomain | — |
TargetLogonId | — |
EventCount | — |
Duration | — |
References
Event ID 4621 — Administrator recovered system from CrashOnAuditFail.
Message
Fields
| Name | Description |
|---|---|
CrashOnAuditFailValue | — |
References
Event ID 4622 — A security package has been loaded by the Local Security Authority.
Message
Fields
| Name | Description |
|---|---|
SecurityPackageName | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4622
version: 0
level: 0
task: 12289
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-04T13:11:13.482782+00:00'
event_record_id: 25341
correlation:
ActivityID: 7377737E-4825-0000-C974-77732548D801
execution:
process_id: 612
thread_id: 616
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
SecurityPackageName: 'C:\Windows\system32\schannel.DLL : Microsoft Unified Security Protocol Provider'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4622
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4622
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4624 — An account was successfully logged on.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. Indicates the account on the local system which requested the logon. |
SubjectUserName | [Subject] Account Name. Indicates the account on the local system which requested the logon. |
SubjectDomainName | [Subject] Account Domain. Indicates the account on the local system which requested the logon. |
SubjectLogonId | [Subject] Logon ID. Indicates the account on the local system which requested the logon. |
TargetUserSid | [New Logon] Security ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
TargetUserName | [New Logon] Account Name. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
TargetDomainName | [New Logon] Account Domain. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
TargetLogonId | [New Logon] Logon ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
LogonType | [Logon Information] Logon Type. Indicates the kind of logon that occurred. |
LogonProcessName | [Detailed Authentication Information] Logon Process. Provides detailed information about this specific logon request. |
AuthenticationPackageName | [Detailed Authentication Information] Authentication Package. Provides detailed information about this specific logon request. |
WorkstationName | [Network Information] Workstation Name. Indicates where a remote logon request originated. |
LogonGuid | [New Logon] Logon GUID. Is a unique identifier that can be used to correlate this event with a KDC event. |
TransmittedServices | [Detailed Authentication Information] Transited Services. Indicate which intermediate services have participated in this logon request. |
LmPackageName | [Detailed Authentication Information] Package Name (NTLM only). Indicates which sub-protocol was used among the NTLM protocols. |
KeyLength | [Detailed Authentication Information] Key Length. Indicates the length of the generated session key. This will be 0 if no session key was requested. |
ProcessId | [Process Information] Process ID. |
ProcessName | [Process Information] Process Name. |
IpAddress | [Network Information] Source Network Address. Indicates where a remote logon request originated. |
IpPort | [Network Information] Source Port. Indicates where a remote logon request originated. |
ImpersonationLevel | [Logon Information] Impersonation Level. Indicates the extent to which a process in the logon session can impersonate. |
RestrictedAdminMode | [Logon Information] Restricted Admin Mode. |
RemoteCredentialGuard | [Logon Information] Remote Credential Guard. |
TargetOutboundUserName | [New Logon] Network Account Name. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
TargetOutboundDomainName | [New Logon] Network Account Domain. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
VirtualAccount | [Logon Information] Virtual Account. |
TargetLinkedLogonId | [New Logon] Linked Logon ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
ElevatedToken | [Logon Information] Elevated Token. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4624
version: 3
level: 0
task: 12544
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:52.440978+00:00'
event_record_id: 2948
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 856
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: '0x3e7'
LogonType: 5
LogonProcessName: 'Advapi '
AuthenticationPackageName: Negotiate
WorkstationName: '-'
LogonGuid: 00000000-0000-0000-0000-000000000000
TransmittedServices: '-'
LmPackageName: '-'
KeyLength: 0
ProcessId: '0x30c'
ProcessName: C:\Windows\System32\services.exe
IpAddress: '-'
IpPort: '-'
ImpersonationLevel: '%%1833'
RestrictedAdminMode: '-'
RemoteCredentialGuard: '-'
TargetOutboundUserName: '-'
TargetOutboundDomainName: '-'
VirtualAccount: '%%1843'
TargetLinkedLogonId: '0x0'
ElevatedToken: '%%1842'
message: ''
Community Notes
- LogonType 3 (Network) from localhost (127.0.0.1) may indicate service account activity or local COM activation rather than a true remote logon.
- LogonType 3 and 10 are indicators of remote access
- LogonType 3 and LogonProcess “NtLmSsp” may indicate an NTLM relay attack (correlate source IP with Event ID 8004 to find mismatches, check for Anonymous Logon user)
- LogonType 9 and Logon Process “seclogo” are common indicators of Pass-the-Hash
| LogonType | Description |
|---|---|
| 2 | Console/Interactive (most commonly occurs when a user physically signs in, but may also be seen with a server KVM or VNC) |
| 3 | Network (ex: a user accesses a file share, a vuln scanner auths to perform checks, an admin is remotely using PS, or an attacker uses PsExec to run a payload on a remote system) |
| 4 | Batch (Scheduled Tasks): non-interactive |
| 5 | Windows Services: non-interactive |
| 7 | Screen Lock/Unlock (can include RDP unlock/reconnect) |
| 8 | Network (Cleartext Logon). May indicate a downgrade attack or older admin tool |
| 9 | Alternate Credentials Specified (The caller cloned its current token and specified new credentials for outbound connections. RunAs with /netonly flag, CreateProcessWithLogonW using the LOGON_NETCREDENTIALS_ONLY flag, or LogonUserW with LOGON32_LOGON_NEW_CREDENTIALS) |
| 10 | Remote Interactive (RDP: a user logged on to this computer remotely using Terminal Services or Remote Desktop) |
| 11 | Cached Credentials (e.g. Offline DC: a user physically logged on to the computer and the computer used domain credentials stored locally for authentication) |
| 12 | Cached Remote Interactive (RDP, similar to Type 10). Now also seen more often when Microsoft Live accounts are used for auth on standalone workstations |
| 13 | Cached Unlock (Similar to Type 7) |
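The notes above are heuristics a triage script can apply directly to the `event_data` of each 4624. The following is an added example, not code from the original page or from any of the referenced projects: it decodes LogonType and flags the combinations called out above (type 3/10 remote access, type 3 from loopback, type 3 via NtLmSsp for ANONYMOUS LOGON, type 8 cleartext, type 9 with seclogo). The three sample events are constructed; the first mirrors the example event shown on this page, the other two are synthetic mappings written to exercise the rules.

```python
"""Triage of 4624 event_data mappings using the LogonType heuristics from the notes above."""
import ipaddress

# Logon types as documented for 4624 (value -> short name).
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive", 12: "CachedRemoteInteractive", 13: "CachedUnlock",
}
ANONYMOUS_LOGON_SID = "S-1-5-7"  # well-known SID behind the "ANONYMOUS LOGON" account


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 or ::1; '-' and unparsable values are not loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def triage_4624(event_data: dict) -> list[str]:
    """Return the heuristic flags that fire on one 4624 event_data mapping (empty = nothing notable)."""
    flags = []
    logon_type = int(event_data.get("LogonType", 0))
    # The raw field carries trailing padding ('Advapi ', 'NtLmSsp '), so strip before comparing.
    logon_process = str(event_data.get("LogonProcessName", "")).strip().lower()
    source_ip = str(event_data.get("IpAddress", "-"))
    target_user = str(event_data.get("TargetUserName", "")).upper()
    target_sid = str(event_data.get("TargetUserSid", ""))

    if logon_type in (3, 10):
        flags.append("remote-access")
    if logon_type == 3 and is_loopback(source_ip):
        flags.append("network-logon-from-localhost")  # usually COM/service activity, not a true remote logon
    if logon_type == 3 and logon_process == "ntlmssp" and (
        target_sid == ANONYMOUS_LOGON_SID or target_user == "ANONYMOUS LOGON"
    ):
        flags.append("ntlm-anonymous-network-logon")  # correlate with the relay indicators noted above
    if logon_type == 8:
        flags.append("cleartext-network-logon")
    if logon_type == 9 and logon_process == "seclogo":
        # Also produced by a legitimate 'runas /netonly'; treat as a lead, not proof, of pass-the-hash.
        flags.append("possible-pass-the-hash")
    return flags


def triage_many(events: list[dict]) -> dict[str, list[str]]:
    """Map each event's TargetLogonId to its flags, keeping only events that raised at least one."""
    return {
        str(e.get("TargetLogonId", "?")): flags
        for e in events
        if (flags := triage_4624(e))
    }


# Constructed sample input: the first mirrors the event shown on this page; the other two are
# synthetic event_data mappings written to exercise the heuristics (not real captures).
SAMPLE_4624 = [
    {"TargetUserSid": "S-1-5-18", "TargetUserName": "SYSTEM", "TargetLogonId": "0x3e7",
     "LogonType": 5, "LogonProcessName": "Advapi ", "AuthenticationPackageName": "Negotiate",
     "IpAddress": "-"},
    {"TargetUserSid": "S-1-5-21-1111-2222-3333-1105", "TargetUserName": "jdoe", "TargetLogonId": "0x9a1c2",
     "LogonType": 9, "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "IpAddress": "::1"},
    {"TargetUserSid": "S-1-5-7", "TargetUserName": "ANONYMOUS LOGON", "TargetLogonId": "0x7b3e0",
     "LogonType": 3, "LogonProcessName": "NtLmSsp ", "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.0.25"},
]

if __name__ == "__main__":
    for logon_id, flags in triage_many(SAMPLE_4624).items():
        print(logon_id, LOGON_TYPES.get(int(next(e["LogonType"] for e in SAMPLE_4624
                                                 if e["TargetLogonId"] == logon_id))), flags)
```

The flags are leads for an analyst, not verdicts: a type 9 seclogo logon is also what `runas /netonly` produces, and a loopback type 3 logon is routine on most hosts, so each flag should be read together with the ProcessName, the source address and the surrounding 4648/4634 events.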
Sigma Rules
- Potential Access Token Abuse
Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".
- Admin User Remote Logon
Detect remote login by Administrator user (depending on internal pattern).
- DiagTrackEoP Default Login Username
Detects the default "UserName" used by the DiagTrackEoP POC
- Successful Overpass the Hash Attempt
Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
- Pass the Hash Activity 2
Detects the attack technique pass the hash which is used to move laterally inside the network
Showing 5 of 14 matching Sigma rules.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4625 — An account failed to log on.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. Indicates the account on the local system which requested the logon. |
Account_Name | [Subject] Account Name. Indicates the account on the local system which requested the logon. |
Account_Domain | [Subject] Account Domain. Indicates the account on the local system which requested the logon. |
Logon_ID | [Subject] Logon ID. Indicates the account on the local system which requested the logon. |
Security_ID | [Account For Which Logon Failed] Security ID. |
Account_Name | [Account For Which Logon Failed] Account Name. |
Account_Domain | [Account For Which Logon Failed] Account Domain. |
Status | [Failure Information] Status. |
Failure_Reason | [Failure Information] Failure Reason. |
Sub_Status | [Failure Information] Sub Status. |
Logon_Type | [Logon Type] Logon Type. Indicates the kind of logon that was requested (same values as the 4624 LogonType table). |
Logon_Process | [Detailed Authentication Information] Logon Process. Provides detailed information about this specific logon request. |
Authentication_Package | [Detailed Authentication Information] Authentication Package. Provides detailed information about this specific logon request. |
Workstation_Name | [Network Information] Workstation Name. Indicates where a remote logon request originated. |
Transited_Services | [Detailed Authentication Information] Transited Services. Indicate which intermediate services have participated in this logon request. |
Package_Name_NTLM_only | [Detailed Authentication Information] Package Name (NTLM only). Indicates which sub-protocol was used among the NTLM protocols. |
Key_Length | [Detailed Authentication Information] Key Length. Indicates the length of the generated session key. This will be 0 if no session key was requested. |
Caller_Process_ID | [Process Information] Caller Process ID. Indicates which account and process on the system requested the logon. |
Caller_Process_Name | [Process Information] Caller Process Name. Indicates which account and process on the system requested the logon. |
Source_Network_Address | [Network Information] Source Network Address. Indicates where a remote logon request originated. |
Source_Port | [Network Information] Source Port. Indicates where a remote logon request originated. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4625
version: 0
level: 0
task: 12544
opcode: 0
keywords: 9227875636482146304
time_created: '2016-09-19T16:50:06.477878Z'
event_record_id: 2455
correlation:
'#attributes':
ActivityID: B864D168-0B7B-0000-89D1-64B87B0BD201
execution:
process_id: 752
thread_id: 4068
channel: Security
computer: DESKTOP-M5SN04R
security:
user_id: ''
event_data:
SubjectUserSid: S-1-0-0
SubjectUserName: '-'
SubjectDomainName: '-'
SubjectLogonId: '0x0'
TargetUserSid: S-1-0-0
TargetUserName: JcDfcZTc
TargetDomainName: .
Status: '0xc000006d'
FailureReason: '%%2313'
SubStatus: '0xc0000064'
LogonType: 3
LogonProcessName: 'NtLmSsp '
AuthenticationPackageName: NTLM
WorkstationName: 6hgtmVlrrFuWtO65
TransmittedServices: '-'
LmPackageName: '-'
KeyLength: 0
ProcessId: '0x0'
ProcessName: '-'
IpAddress: 192.168.198.149
IpPort: '50249'
Community Notes
The long values below are NTSTATUS codes reported in the Status and Sub Status fields of 4625 (Sub Status holds the specific reason when Status is the generic 0xC000006D). The short values are Kerberos result codes; the KDC reports them in 4768/4771 rather than in 4625, and they are listed here because the same account conditions show up there in a domain.
| Logon Error Code | Description |
|---|---|
| 0x6 | Invalid/non-existent user account. This can also be caused by replication issues between Active Directory servers. |
| 0x7 | Requested server not found. This can also be caused by replication issues between Active Directory servers. |
| 0xC | Policy restriction prohibited logon; client system restricted from accessing resource or restricted based on time/date. |
| 0x12 | Account locked, disabled, or expired. |
| 0x17 | Expired password. |
| 0x18 | Invalid password. |
| 0x25 | Clock values between server and client are skewed too greatly; Kerberos relies on a timing system to invalidate old TGTs. |
| 0xC0000064 | Non-existent account username |
| 0xC000006A | Incorrect password (username correct) |
| 0xC000006F | Account not allowed to log on at this time |
| 0xC0000070 | Account not allowed to log on from this computer |
| 0xC0000071 | Expired password |
| 0xC0000072 | Disabled account |
| 0xC0000193 | Expired account |
| 0xC0000234 | Account locked |
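Decoding the codes in the table is only the first step; the useful signal in 4625 comes from grouping failures by source and target. The following is an added example, not code from the original page or the referenced projects: it decodes Status/Sub Status, picks the code that actually names the reason, and groups guess-type failures (0xC0000064 and 0xC000006A) per source address to surface password spraying, which shows up as one source hitting many distinct accounts. The sample events are constructed; the first mirrors the 4625 example on this page, the rest are synthetic.

```python
"""Decode 4625 Status/Sub Status codes and group failures per source to surface password spraying."""
from collections import defaultdict

# NTSTATUS values from the table above. Sub Status carries the specific reason when
# Status is the generic 0xC000006D; otherwise Status itself names the reason.
SUB_STATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "incorrect password",
    0xC000006F: "logon outside permitted hours",
    0xC0000070: "logon from this workstation not permitted",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000193: "account expired",
    0xC0000234: "account locked out",
}
STATUS = {
    0xC000006D: "bad user name or authentication information",
    0xC000006E: "account restriction",
    0xC000015B: "logon type not granted",
    0xC0000234: "account locked out",
}
# A spray produces these two codes; lockout/disabled codes are its side effects, not its signature.
GUESSING_CODES = {0xC0000064, 0xC000006A}


def parse_code(value) -> int:
    """Accept '0xc000006d', 'C000006D' or an int; '-' and empty values decode to 0."""
    if isinstance(value, int):
        return value
    text = str(value).strip().lower()
    if text in ("", "-"):
        return 0
    return int(text, 16)


def decode_failure(event_data: dict) -> tuple[str, str]:
    """Human-readable (Status, Sub Status) for one 4625 event_data mapping."""
    status = parse_code(event_data.get("Status", 0))
    sub = parse_code(event_data.get("SubStatus", 0))
    status_text = STATUS.get(status, f"unknown status 0x{status:08X}")
    sub_text = SUB_STATUS.get(sub, f"unknown sub status 0x{sub:08X}") if sub else "-"
    return status_text, sub_text


def effective_code(event_data: dict) -> int:
    """The code that names the actual reason: Sub Status when present, otherwise Status."""
    sub = parse_code(event_data.get("SubStatus", 0))
    return sub or parse_code(event_data.get("Status", 0))


def find_password_spray(events: list[dict], min_distinct_users: int = 3) -> dict[str, list[str]]:
    """Source IPs whose 4625s hit at least min_distinct_users different accounts with guess-type codes."""
    users_by_ip: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if effective_code(e) in GUESSING_CODES:
            users_by_ip[str(e.get("IpAddress", "-"))].add(str(e.get("TargetUserName", "")))
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_distinct_users}


# Constructed sample input: PAGE_EXAMPLE mirrors the 4625 shown on this page; the remaining
# mappings are synthetic (three more guesses from the same source, one lockout from elsewhere).
PAGE_EXAMPLE = {"TargetUserName": "JcDfcZTc", "Status": "0xc000006d", "SubStatus": "0xc0000064",
                "LogonType": 3, "IpAddress": "192.168.198.149"}
SAMPLE_4625 = [PAGE_EXAMPLE] + [
    {"TargetUserName": u, "Status": "0xc000006d", "SubStatus": "0xc000006a", "LogonType": 3,
     "IpAddress": "192.168.198.149"} for u in ("alice", "bob", "carol")
] + [
    {"TargetUserName": "svc_backup", "Status": "0xc0000234", "SubStatus": "0x0", "LogonType": 3,
     "IpAddress": "10.0.0.9"},
]

if __name__ == "__main__":
    for e in SAMPLE_4625:
        print(e["IpAddress"], e["TargetUserName"], decode_failure(e))
    print("spray sources:", find_password_spray(SAMPLE_4625))
```

The threshold of three distinct accounts is a demonstration value; in production it is tuned per source type and paired with a time window, and the ProcessName/WorkstationName fields (here a random-looking workstation name from a scanner) are kept alongside the IP to tell a spray from a misconfigured service retrying one account.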
Sigma Rules
- Failed Logon From Public IP
Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
- Hacktool Ruler
Detects events that are generated when using the hacktool Ruler by Sensepost
- Metasploit SMB Authentication
Alerts on Metasploit host's authentications on the domain.
- Account Tampering - Suspicious Failed Logon Reasons
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4626 — User / Device claims information.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
TargetUserSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetLogonId | — |
LogonType | — |
EventIdx | — |
EventCountTotal | — |
UserClaims | — |
DeviceClaims | — |
References
Event ID 4627 — Group membership information.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. Indicates the account on the local system which requested the logon. |
SubjectUserName | [Subject] Account Name. Indicates the account on the local system which requested the logon. |
SubjectDomainName | [Subject] Account Domain. Indicates the account on the local system which requested the logon. |
SubjectLogonId | [Subject] Logon ID. Indicates the account on the local system which requested the logon. |
TargetUserSid | [New Logon] Security ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
TargetUserName | [New Logon] Account Name. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
TargetDomainName | [New Logon] Account Domain. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
TargetLogonId | [New Logon] Logon ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
LogonType | [Logon Type] Logon Type. Indicates the kind of logon that occurred (same values as the 4624 LogonType table). |
EventIdx | [New Logon] Event in sequence. Index of this event within the series of 4627 events emitted for one logon when the group list is too long for a single event. |
EventCountTotal | [New Logon] Total event count. Number of 4627 events in that series; a logon's full group list is complete only when all EventIdx values 1..EventCountTotal have been seen. |
GroupMembership | [New Logon] Group Membership. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4627
version: 0
level: 0
task: 12554
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T02:00:32.200180+00:00'
event_record_id: 310791
correlation:
ActivityID: E4DB489E-1037-0001-0C49-DBE43710DA01
execution:
process_id: 808
thread_id: 16720
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: '0x3e7'
LogonType: 5
EventIdx: 1
EventCountTotal: 1
GroupMembership: "\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-16-16384}"
message: ''
Community Notes
Logged alongside each 4624 and lists the group SIDs (local groups, domain groups and the integrity-level SID) present in the new logon's token; a long list is split across several 4627 events indexed by EventIdx/EventCountTotal. Useful for detecting changes in an account's privileges between logons.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4627
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4627
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
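Closing the 4627 entry, an added example that is not part of the original page or the referenced projects: it parses the `\r\n\t\t%{SID}` formatted GroupMembership field, reassembles a series split across several events using EventIdx/EventCountTotal, and reports privileged memberships (BUILTIN\Administrators, Backup Operators, and domain groups recognised by the RID 512/518/519 at the end of an S-1-5-21 SID). The first sample mirrors the page's example; the two-part series is constructed with made-up domain SIDs.

```python
"""Parse 4627 GroupMembership strings, reassemble split series, and flag privileged group SIDs."""
import re
from collections import defaultdict

SID_PATTERN = re.compile(r"%\{(S-1-[0-9-]+)\}")

# Well-known SIDs likely to appear in the list; the page's example carries the first four.
WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-16-16384": "System Mandatory Level",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}
PRIVILEGED_LOCAL = {"S-1-5-32-544", "S-1-5-32-551"}
# Domain groups are recognised by the RID at the end of a domain SID (S-1-5-21-<domain>-<rid>).
PRIVILEGED_DOMAIN_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}
DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_group_membership(raw: str) -> list[str]:
    """Extract the SIDs from the '\\r\\n\\t\\t%{SID}' formatted GroupMembership field, in order."""
    return SID_PATTERN.findall(raw)


def privileged_groups(sids) -> list[str]:
    """Names of the privileged local or domain groups among the given SIDs."""
    names = []
    for sid in sids:
        if sid in PRIVILEGED_LOCAL:
            names.append(WELL_KNOWN[sid])
        elif (m := DOMAIN_SID.match(sid)) and int(m.group(1)) in PRIVILEGED_DOMAIN_RIDS:
            names.append(PRIVILEGED_DOMAIN_RIDS[int(m.group(1))])
    return names


def merge_4627_series(events: list[dict]) -> dict[str, dict]:
    """Group 4627 event_data by TargetLogonId, concatenate the SIDs in EventIdx order, and record
    whether every part (EventIdx 1..EventCountTotal) of a split series was seen."""
    parts: dict[str, dict[int, list[str]]] = defaultdict(dict)
    totals: dict[str, int] = {}
    for e in events:
        logon_id = str(e["TargetLogonId"])
        parts[logon_id][int(e["EventIdx"])] = parse_group_membership(e["GroupMembership"])
        totals[logon_id] = int(e["EventCountTotal"])
    result = {}
    for logon_id, by_idx in parts.items():
        sids = [s for idx in sorted(by_idx) for s in by_idx[idx]]
        result[logon_id] = {
            "sids": sids,
            "complete": set(by_idx) == set(range(1, totals[logon_id] + 1)),
            "privileged": privileged_groups(sids),
        }
    return result


# Constructed sample input: PAGE_EXAMPLE mirrors the 4627 shown on this page (SYSTEM logon);
# SPLIT_SERIES is a synthetic two-part series for a hypothetical domain user (made-up SIDs).
PAGE_EXAMPLE = {
    "TargetLogonId": "0x3e7", "EventIdx": 1, "EventCountTotal": 1,
    "GroupMembership": "\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-16-16384}",
}
SPLIT_SERIES = [
    {"TargetLogonId": "0x58d21", "EventIdx": 1, "EventCountTotal": 2,
     "GroupMembership": "\r\n\t\t%{S-1-5-21-1111111111-2222222222-3333333333-513}\r\n\t\t%{S-1-1-0}"},
    {"TargetLogonId": "0x58d21", "EventIdx": 2, "EventCountTotal": 2,
     "GroupMembership": "\r\n\t\t%{S-1-5-21-1111111111-2222222222-3333333333-512}\r\n\t\t%{S-1-5-32-555}"},
]

if __name__ == "__main__":
    for logon_id, info in merge_4627_series([PAGE_EXAMPLE] + SPLIT_SERIES).items():
        print(logon_id, "complete" if info["complete"] else "INCOMPLETE", info["privileged"])
```

Because the membership is captured at logon time, diffing the SID set of one account across successive logons is how a newly added privileged group is caught without polling the directory; an incomplete series should be held rather than scored, since the missing part may be the one carrying the privileged SID.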
Event ID 4634 — An account was logged off.
Message
Fields
| Name | Description |
|---|---|
TargetUserSid | [Subject] Security ID. |
TargetUserName | [Subject] Account Name. |
TargetDomainName | [Subject] Account Domain. |
TargetLogonId | [Subject] Logon ID. |
LogonType | [Subject] Logon Type. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4634
version: 0
level: 0
task: 12545
opcode: 0
keywords: 9232379236109516800
time_created: '2023-10-25T22:56:14.242850+00:00'
event_record_id: 2692
correlation: {}
execution:
process_id: 824
thread_id: 880
channel: Security
computer: WinDevEval
security:
user_id: ''
event_data:
TargetUserSid: S-1-5-111-3847866527-469524349-687026318-516638107-1125189541-4560
TargetUserName: sshd_4560
TargetDomainName: VIRTUAL USERS
TargetLogonId: '0x41a49'
LogonType: 5
message: ''
Sigma Rules
- User Logoff Event
Detects a user log-off activity. Could be used for example to correlate information during forensic investigations
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4634
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4646 — %1
Message
Fields
| Name | Description |
|---|---|
notification | — |
References
Event ID 4647 — User initiated logoff:
Message
Fields
| Name | Description |
|---|---|
TargetUserSid | [Subject] Security ID. |
TargetUserName | [Subject] Account Name. |
TargetDomainName | [Subject] Account Domain. |
TargetLogonId | [Subject] Logon ID. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4647
version: 0
level: 0
task: 12545
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-05T22:31:33.526113+00:00'
event_record_id: 3363
correlation:
ActivityID: 59A0D65F-1037-0001-A7D6-A0593710DA01
execution:
process_id: 808
thread_id: 8392
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
TargetUserSid: S-1-5-21-1992711665-1655669231-58201500-1000
TargetUserName: User
TargetDomainName: WINDEV2310EVAL
TargetLogonId: '0x580c6'
message: ''
Sigma Rules
- User Logoff Event
Detects a user log-off activity. Could be used for example to correlate information during forensic investigations
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4647
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4648 — A logon was attempted using explicit credentials.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
LogonGuid | [Subject] Logon GUID. |
TargetUserName | [Account Whose Credentials Were Used] Account Name. |
TargetDomainName | [Account Whose Credentials Were Used] Account Domain. |
TargetLogonGuid | [Account Whose Credentials Were Used] Logon GUID. |
TargetServerName | [Target Server] Target Server Name. |
TargetInfo | [Target Server] Additional Information. |
ProcessId | [Process Information] Process ID. |
ProcessName | [Process Information] Process Name. |
IpAddress | [Network Information] Network Address. |
IpPort | [Network Information] Port. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4648
version: 0
level: 0
task: 12544
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:29.161457+00:00'
event_record_id: 2767
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 856
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
LogonGuid: 00000000-0000-0000-0000-000000000000
TargetUserName: DWM-1
TargetDomainName: Window Manager
TargetLogonGuid: 00000000-0000-0000-0000-000000000000
TargetServerName: localhost
TargetInfo: localhost
ProcessId: '0x2e0'
ProcessName: C:\Windows\System32\winlogon.exe
IpAddress: '-'
IpPort: '-'
message: ''
Community Notes
Logon with explicit credentials (RunAs, schtasks, Pass-the-Hash, WinRM, SMB). May appear when an NTLM-relayed session is used to create a service or scheduled task. Correlate with 4624 (successful logon) and 4634 (logoff) on the target to reconstruct interactive or service logons.
Sigma Rules
- Suspicious Remote Logon with Explicit Credentials
Detects suspicious processes logging on with explicit credentials
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4648
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4649 — A replay attack was detected.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Account_Name | [Credentials Which Were Replayed] Account Name. |
Account_Domain | [Credentials Which Were Replayed] Account Domain. |
Request_Type | [Detailed Authentication Information] Request Type. |
Logon_Process | [Detailed Authentication Information] Logon Process. |
Authentication_Package | [Detailed Authentication Information] Authentication Package. |
Workstation_Name | [Network Information] Workstation Name. |
Transited_Services | [Detailed Authentication Information] Transited Services. |
Process_ID | [Process Information] Process ID. |
Process_Name | [Process Information] Process Name. |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
TargetUserName | — |
TargetDomainName | — |
RequestType | — |
LogonProcessName | — |
AuthenticationPackage | — |
WorkstationName | — |
TransmittedServices | — |
ProcessId | — |
ProcessName | — |
Community Notes
Alerts when a copied ticket is reused.
Sigma Rules
- Replay Attack Detected
Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client
References
Event ID 4650 — An IPsec main mode security association was established.
Message
Fields
| Name | Description |
|---|---|
Principal_Name | [Local Endpoint] Principal Name. |
Principal_Name | [Remote Endpoint] Principal Name. |
Network_Address | [Local Endpoint] Network Address. |
Keying_Module_Port | [Local Endpoint] Keying Module Port. |
Network_Address | [Remote Endpoint] Network Address. |
Keying_Module_Port | [Remote Endpoint] Keying Module Port. |
Keying_Module_Name | [Additional Information] Keying Module Name. |
Authentication_Method | [Additional Information] Authentication Method. |
Cipher_Algorithm | [Cryptographic Information] Cipher Algorithm. |
Integrity_Algorithm | [Cryptographic Information] Integrity Algorithm. |
DiffieHellman_Group | [Cryptographic Information] Diffie-Hellman Group. |
Lifetime_minutes | [Security Association Information] Lifetime (minutes). |
Quick_Mode_Limit | [Security Association Information] Quick Mode Limit. |
Role | [Additional Information] Role. |
Impersonation_State | [Additional Information] Impersonation State. |
Main_Mode_Filter_ID | [Additional Information] Main Mode Filter ID. |
Main_Mode_SA_ID | [Security Association Information] Main Mode SA ID. |
LocalMMPrincipalName | — |
RemoteMMPrincipalName | — |
LocalAddress | — |
LocalKeyModPort | — |
RemoteAddress | — |
RemoteKeyModPort | — |
KeyModName | — |
MMAuthMethod | — |
MMCipherAlg | — |
MMIntegrityAlg | — |
DHGroup | — |
MMLifetime | — |
QMLimit | — |
MMImpersonationState | — |
MMFilterID | — |
MMSAID | — |
References
Event ID 4651 — An IPsec main mode security association was established.
Message
Fields
| Name | Description |
|---|---|
Principal_Name | [Local Endpoint] Principal Name. |
SHA_Thumbprint | [Local Certificate] SHA Thumbprint. |
Issuing_CA | [Local Certificate] Issuing CA. |
Root_CA | [Local Certificate] Root CA. |
Principal_Name | [Remote Endpoint] Principal Name. |
SHA_Thumbprint | [Remote Certificate] SHA Thumbprint. |
Issuing_CA | [Remote Certificate] Issuing CA. |
Root_CA | [Remote Certificate] Root CA. |
Network_Address | [Local Endpoint] Network Address. |
Keying_Module_Port | [Local Endpoint] Keying Module Port. |
Network_Address | [Remote Endpoint] Network Address. |
Keying_Module_Port | [Remote Endpoint] Keying Module Port. |
Keying_Module_Name | [Additional Information] Keying Module Name. |
Authentication_Method | [Additional Information] Authentication Method. |
Cipher_Algorithm | [Cryptographic Information] Cipher Algorithm. |
Integrity_Algorithm | [Cryptographic Information] Integrity Algorithm. |
DiffieHellman_Group | [Cryptographic Information] Diffie-Hellman Group. |
Lifetime_minutes | [Security Association Information] Lifetime (minutes). |
Quick_Mode_Limit | [Security Association Information] Quick Mode Limit. |
Role | [Additional Information] Role. |
Impersonation_State | [Additional Information] Impersonation State. |
Main_Mode_Filter_ID | [Additional Information] Main Mode Filter ID. |
Main_Mode_SA_ID | [Security Association Information] Main Mode SA ID. |
LocalMMPrincipalName | — |
LocalMMCertHash | — |
LocalMMIssuingCA | — |
LocalMMRootCA | — |
RemoteMMPrincipalName | — |
RemoteMMCertHash | — |
RemoteMMIssuingCA | — |
RemoteMMRootCA | — |
LocalAddress | — |
LocalKeyModPort | — |
RemoteAddress | — |
RemoteKeyModPort | — |
KeyModName | — |
MMAuthMethod | — |
MMCipherAlg | — |
MMIntegrityAlg | — |
DHGroup | — |
MMLifetime | — |
QMLimit | — |
MMImpersonationState | — |
MMFilterID | — |
MMSAID | — |
References
Event ID 4652 — An IPsec main mode negotiation failed.
Message
Fields
| Name | Description |
|---|---|
Principal_Name | [Local Endpoint] Principal Name. |
SHA_Thumbprint | [Local Certificate] SHA Thumbprint. |
Issuing_CA | [Local Certificate] Issuing CA. |
Root_CA | [Local Certificate] Root CA. |
Principal_Name | [Remote Endpoint] Principal Name. |
SHA_Thumbprint | [Remote Certificate] SHA Thumbprint. |
Issuing_CA | [Remote Certificate] Issuing CA. |
Root_CA | [Remote Certificate] Root CA. |
Network_Address | [Local Endpoint] Network Address. |
Keying_Module_Port | [Local Endpoint] Keying Module Port. |
Network_Address | [Remote Endpoint] Network Address. |
Keying_Module_Port | [Remote Endpoint] Keying Module Port. |
Keying_Module_Name | [Additional Information] Keying Module Name. |
Failure_Point | [Failure Information] Failure Point. |
Failure_Reason | [Failure Information] Failure Reason. |
Authentication_Method | [Additional Information] Authentication Method. |
State | [Failure Information] State. |
Role | [Additional Information] Role. |
Impersonation_State | [Additional Information] Impersonation State. |
Main_Mode_Filter_ID | [Additional Information] Main Mode Filter ID. |
Initiator_Cookie | [Failure Information] Initiator Cookie. |
Responder_Cookie | [Failure Information] Responder Cookie. |
LocalMMPrincipalName | — |
LocalMMCertHash | — |
LocalMMIssuingCA | — |
LocalMMRootCA | — |
RemoteMMPrincipalName | — |
RemoteMMCertHash | — |
RemoteMMIssuingCA | — |
RemoteMMRootCA | — |
LocalAddress | — |
LocalKeyModPort | — |
RemoteAddress | — |
RemoteKeyModPort | — |
KeyModName | — |
FailurePoint | — |
FailureReason | — |
MMAuthMethod | — |
MMImpersonationState | — |
MMFilterID | — |
InitiatorCookie | — |
ResponderCookie | — |
References
Event ID 4653 — An IPsec main mode negotiation failed.
Message
Fields
| Name | Description |
|---|---|
Local_Principal_Name | [Local Endpoint] Local Principal Name. |
Principal_Name | [Remote Endpoint] Principal Name. |
Network_Address | [Local Endpoint] Network Address. |
Keying_Module_Port | [Local Endpoint] Keying Module Port. |
Network_Address | [Remote Endpoint] Network Address. |
Keying_Module_Port | [Remote Endpoint] Keying Module Port. |
Keying_Module_Name | [Additional Information] Keying Module Name. |
Failure_Point | [Failure Information] Failure Point. |
Failure_Reason | [Failure Information] Failure Reason. |
Authentication_Method | [Additional Information] Authentication Method. |
State | [Failure Information] State. |
Role | [Additional Information] Role. |
Impersonation_State | [Additional Information] Impersonation State. |
Main_Mode_Filter_ID | [Additional Information] Main Mode Filter ID. |
Initiator_Cookie | [Failure Information] Initiator Cookie. |
Responder_Cookie | [Failure Information] Responder Cookie. |
LocalMMPrincipalName | — |
RemoteMMPrincipalName | — |
LocalAddress | — |
LocalKeyModPort | — |
RemoteAddress | — |
RemoteKeyModPort | — |
KeyModName | — |
FailurePoint | — |
FailureReason | — |
MMAuthMethod | — |
MMImpersonationState | — |
MMFilterID | — |
InitiatorCookie | — |
ResponderCookie | — |
References
Event ID 4654 — An IPsec quick mode negotiation failed.
Message
Fields
| Name | Description |
|---|---|
Network_Address | [Local Endpoint] Network Address. |
Network_Address_mask | [Local Endpoint] Network Address mask. |
Port | [Local Endpoint] Port. |
Tunnel_Endpoint | [Local Endpoint] Tunnel Endpoint. |
Network_Address | [Remote Endpoint] Network Address. |
Address_Mask | [Remote Endpoint] Address Mask. |
Port | [Remote Endpoint] Port. |
Tunnel_Endpoint | [Remote Endpoint] Tunnel Endpoint. |
Protocol | [Additional Information] Protocol. |
Private_Address | [Remote Endpoint] Private Address. |
Keying_Module_Name | [Additional Information] Keying Module Name. |
Failure_Point | [Failure Information] Failure Point. |
Failure_Reason | [Failure Information] Failure Reason. |
Mode | [Additional Information] Mode. |
State | [Failure Information] State. |
Role | [Additional Information] Role. |
Message_ID | [Failure Information] Message ID. |
Quick_Mode_Filter_ID | [Additional Information] Quick Mode Filter ID. |
Main_Mode_SA_ID | [Additional Information] Main Mode SA ID. |
LocalAddress | — |
LocalAddressMask | — |
LocalPort | — |
LocalTunnelEndpoint | — |
RemoteAddress | — |
RemoteAddressMask | — |
RemotePort | — |
RemoteTunnelEndpoint | — |
RemotePrivateAddress | — |
KeyModName | — |
FailurePoint | — |
FailureReason | — |
MessageID | — |
QMFilterID | — |
MMSAID | — |
TunnelId | — |
TrafficSelectorId | — |
References
Event ID 4655 — An IPsec main mode security association ended.
Message
Fields
| Name | Description |
|---|---|
Local_Network_Address | — |
Remote_Network_Address | — |
Keying_Module_Name | — |
Main_Mode_SA_ID | — |
LocalAddress | — |
RemoteAddress | — |
KeyModName | — |
MMSAID | — |
References
Event ID 4656 — A handle to an object was requested.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Object_Server | [Object] Object Server. |
Object_Type | [Object] Object Type. |
Object_Name | [Object] Object Name. |
Handle_ID | [Object] Handle ID. |
Transaction_ID | [Access Request Information] Transaction ID. |
Accesses | [Access Request Information] Accesses. |
Access_Reasons | [Access Request Information] Access Reasons. |
Access_Mask | [Access Request Information] Access Mask. |
PrivilegesUsedForAccessCheck | [Access Request Information] Privileges Used for Access Check. |
Restricted_SID_Count | [Access Request Information] Restricted SID Count. |
Process_ID | [Process Information] Process ID. |
Process_Name | [Process Information] Process Name. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4656
version: 1
level: 0
task: 12802
opcode: 0
keywords: 9232379236109516800
time_created: '2020-03-08T22:11:34.340479Z'
event_record_id: 314461
correlation: {}
execution:
process_id: 4
thread_id: 160
channel: Security
computer: MSEDGEWIN10
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-3461203602-4096304019-2269080069-1000
SubjectUserName: IEUser
SubjectDomainName: MSEDGEWIN10
SubjectLogonId: '0x33392'
ObjectServer: Security
ObjectType: Process
ObjectName: \Device\HarddiskVolume1\Windows\System32\lsass.exe
HandleId: '0x558'
TransactionId: 00000000-0000-0000-0000-000000000000
AccessList: "%%1537\r\n\t\t\t\t%%1538\r\n\t\t\t\t%%1539\r\n\t\t\t\t%%1540\r\n\t\t\t\t%%1541\r\n\t\t\t\t%%4480\r\n\t\t\t\t%%4481\r\n\t\t\t\t%%4482\r\n\t\t\t\t%%4483\r\n\t\t\t\t%%4484\r\n\t\t\t\t%%4485\r\n\t\t\t\t%%4486\r\n\t\t\t\t%%4487\r\n\t\t\t\t%%4488\r\n\t\t\t\t%%4489\r\n\t\t\t\t%%4490\r\n\t\t\t\t%%4491\r\n\t\t\t\t%%4492\r\n\t\t\t\t%%4493\r\n\t\t\t\t"
AccessReason: '-'
AccessMask: '0x1f3fff'
PrivilegeList: '-'
RestrictedSidCount: 0
ProcessId: '0x1688'
ProcessName: C:\Windows\System32\cscript.exe
ResourceAttributes: '-'
Community Notes
Combined with 4663, may reveal bulk reads of sensitive shares before data exfiltration.
Sigma Rules
- Azure AD Health Monitoring Agent Registry Keys Access
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
- Azure AD Health Service Agents Registry Keys Access
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.
- Processes Accessing the Microphone and Webcam
Potential adversaries accessing the microphone and webcam in an endpoint.
- LSASS Access From Non System Account
Detects potential mimikatz-like tools accessing LSASS from non system account
- WCE wceaux.dll Access
Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
Showing 5 of 12 matching Sigma rules.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4656
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4657 — A registry value was modified.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
ObjectName | [Object] Object Name. |
ObjectValueName | [Object] Object Value Name. |
HandleId | [Object] Handle ID. |
OperationType | [Object] Operation Type. |
OldValueType | [Change Information] Old Value Type. |
OldValue | [Change Information] Old Value. |
NewValueType | [Change Information] New Value Type. |
NewValue | [Change Information] New Value. |
ProcessId | [Process Information] Process ID. |
ProcessName | [Process Information] Process Name. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4657
version: 0
level: 0
task: 12801
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T01:45:45.086232+00:00'
event_record_id: 292511
correlation: {}
execution:
process_id: 4
thread_id: 12116
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E
ObjectValueName: Blob
HandleId: '0x1994'
OperationType: '%%1905'
OldValueType: '%%1875'
OldValue: '%%1800'
NewValueType: '%%1875'
NewValue: '%%1800'
ProcessId: '0x328'
ProcessName: C:\Windows\System32\lsass.exe
message: ''
Community Notes
Requires an AuditRegistry/SetValue SACL on the key.
Sigma Rules
- Processes Accessing the Microphone and Webcam
Potential adversaries accessing the microphone and webcam in an endpoint.
- ETW Logging Disabled In .NET Processes - Registry
Potential adversaries stopping ETW providers recording loaded .NET assemblies.
- NetNTLM Downgrade Attack
Detects NetNTLM downgrade attack
- Sysmon Channel Reference Deletion
Potential threat actor tampering with Sysmon manifest and eventually disabling it
- Windows Defender Exclusion List Modified
Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4657
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4657
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4658 — The handle to an object was closed.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Object_Server | [Object] Object Server. |
Handle_ID | [Object] Handle ID. |
Process_ID | [Process Information] Process ID. |
Process_Name | [Process Information] Process Name. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4658
version: 0
level: 0
task: 12804
opcode: 0
keywords: 9232379236109516800
time_created: '2017-06-12T23:39:43.512986Z'
event_record_id: 8076
correlation: {}
execution:
process_id: 4
thread_id: 252
channel: Security
computer: 2012r2srv.maincorp.local
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-2634088540-571122920-1382659128-500
SubjectUserName: Administrator
SubjectDomainName: MAINCORP
SubjectLogonId: '0x432c8'
ObjectServer: Security Account Manager
HandleId: '0xc9774b43b0'
ProcessId: '0x1f0'
ProcessName: C:\Windows\System32\lsass.exe
Sigma Rules
- Potential Secure Deletion with SDelete
Detects files that have extensions commonly seen while SDelete is used to wipe files.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4658
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4658
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4659 — A handle to an object was requested with intent to delete.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ObjectServer | — |
ObjectType | — |
ObjectName | — |
HandleId | — |
TransactionId | — |
AccessList | — |
AccessMask | — |
PrivilegeList | — |
ProcessId | — |
References
Event ID 4660 — An object was deleted.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Object_Server | [Object] Object Server. |
Handle_ID | [Object] Handle ID. |
Process_ID | [Process Information] Process ID. |
Process_Name | [Process Information] Process Name. |
Transaction_ID | [Process Information] Transaction ID. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4660
version: 0
level: 0
task: 12804
opcode: 0
keywords: 9232379236109516800
time_created: '2022-01-24T17:03:25.009874Z'
event_record_id: 1934527
correlation: {}
execution:
process_id: 4
thread_id: 4488
channel: Security
computer: fs03vuln.offsec.lan
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111
SubjectUserName: admmig
SubjectDomainName: OFFSEC
SubjectLogonId: '0x14f509e2'
ObjectServer: Security Account Manager
HandleId: '0xe9a9292e70'
ProcessId: '0x1e0'
ProcessName: C:\Windows\System32\lsass.exe
TransactionId: 00000000-0000-0000-0000-000000000000
Community Notes
Could be a filesystem, kernel, or registry object. Does not record the object name, but is generated only during real deletes (pair with 4663, which carries the object name).
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4660
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4660
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4661 — A handle to an object was requested.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Object_Server | [Object] Object Server. |
Object_Type | [Object] Object Type. |
Object_Name | [Object] Object Name. |
Handle_ID | [Object] Handle ID. |
Transaction_ID | [Access Request Information] Transaction ID. |
Accesses | [Access Request Information] Accesses. |
Access_Reasons | [Access Request Information] Access Reasons. |
Access_Mask | [Access Request Information] Access Mask. |
PrivilegesUsedForAccessCheck | [Access Request Information] Privileges Used for Access Check. |
Properties | [Access Request Information] Properties. |
Restricted_SID_Count | [Access Request Information] Restricted SID Count. |
Process_ID | [Process Information] Process ID. |
Process_Name | [Process Information] Process Name. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4661
version: 0
level: 0
task: 12803
opcode: 0
keywords: 9232379236109516800
time_created: '2019-03-18T23:23:52.522462Z'
event_record_id: 565602
correlation: {}
execution:
process_id: 452
thread_id: 460
channel: Security
computer: WIN-77LTAPHIQ1R.example.corp
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-1587066498-1489273250-1035260531-1106
SubjectUserName: user01
SubjectDomainName: EXAMPLE
SubjectLogonId: '0x15e1a7'
ObjectServer: Security Account Manager
ObjectType: SAM_DOMAIN
ObjectName: DC=example,DC=corp
HandleId: '0x14c7b1f20'
TransactionId: 00000000-0000-0000-0000-000000000000
AccessList: "%%1538\r\n\t\t\t\t%%5394\r\n\t\t\t\t%%5396\r\n\t\t\t\t%%5399\r\n\t\t\t\t"
AccessMask: '0x2d'
PrivilegeList: "\x94\x02-"
Properties: "---\r\n\t{19195a5a-6da0-11d0-afd3-00c04fd930c9}\r\n%%1538\r\n%%5394\r\n%%5396\r\n%%5399\r\n\t\t{c7407360-20bf-11d0-a768-00aa006e0529}\r\n\t\t\t{bf9679a4-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679a5-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679a6-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679bb-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679c2-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679c3-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a09-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a0b-0de6-11d0-a285-00aa003049e2}\r\n\t\t{b8119fd0-04f6-4762-ab7a-4986c76b3f9a}\r\n\t\t\t{bf967a34-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a33-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679c5-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a61-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967977-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf96795e-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679ea-0de6-11d0-a285-00aa003049e2}\r\n\t\t{ab721a52-1e2f-11d0-9819-00aa0040529b}\r\n"
RestrictedSidCount: 0
ProcessId: '0x1c4'
ProcessName: C:\Windows\System32\lsass.exe
Community Notes
May indicate BloodHound-style LDAP reads.
Sigma Rules
- AD Privileged Users or Groups Reconnaissance
Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
- Password Policy Enumerated
Detects when the password policy is enumerated.
- Reconnaissance Activity
Detects activity as "net user administrator /domain" and "net group domain admins /domain"
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4661
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4662 — An operation was performed on an object.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Object_Server | [Object] Object Server. |
Object_Type | [Object] Object Type. |
Object_Name | [Object] Object Name. |
Operation_Type | [Operation] Operation Type. |
Handle_ID | [Object] Handle ID. |
Accesses | [Operation] Accesses. |
Access_Mask | [Operation] Access Mask. |
Properties | [Operation] Properties. |
Parameter_1 | [Additional Information] Parameter 1. |
Parameter_2 | [Additional Information] Parameter 2. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4662
version: 0
level: 0
task: 14080
opcode: 0
keywords: 9232379236109516800
time_created: '2019-03-25T10:05:30.695604Z'
event_record_id: 198238041
correlation: {}
execution:
process_id: 444
thread_id: 4200
channel: Security
computer: DC1.insecurebank.local
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: DC1$
SubjectDomainName: insecurebank
SubjectLogonId: '0xb3ac2'
ObjectServer: DS
ObjectType: '%{19195a5b-6da0-11d0-afd3-00c04fd930c9}'
ObjectName: '%{c6faf700-bfe4-452a-a766-424f84c29583}'
OperationType: Object Access
HandleId: '0x0'
AccessList: "%%7688\r\n\t\t\t\t"
AccessMask: '0x100'
Properties: "%%7688\r\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n"
AdditionalInfo: '-'
AdditionalInfo2: ''
Community Notes
An operation on an Active Directory object; may indicate enumeration of domain trusts, OUs, SPNs, or ACLs. Also logged when an attacker uses mimikatz or similar to extract the DPAPI Domain Backup Key.
Sigma Rules
- AD Object WriteDAC Access
Detects WRITE_DAC access to a domain object
- Active Directory Replication from Non Machine Account
Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
- Potential AD User Enumeration From Non-Machine Account
Detects read access to a domain user from a non-machine account
- Mimikatz DC Sync
Detects Mimikatz DC sync security events
- DPAPI Domain Backup Key Extraction
Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
Showing 5 of 7 matching Sigma rules.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4662
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4663 — An attempt was made to access an object.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
ObjectServer | [Object] Object Server. |
ObjectType | [Object] Object Type. |
ObjectName | [Object] Object Name. |
HandleId | [Object] Handle ID. |
AccessList | [Access Request Information] Accesses. |
AccessMask | [Access Request Information] Access Mask. |
ProcessId | [Process Information] Process ID. |
ProcessName | [Process Information] Process Name. |
ResourceAttributes | [Object] Resource Attributes. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4663
version: 1
level: 0
task: 12802
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T01:55:26.055947+00:00'
event_record_id: 304894
correlation: {}
execution:
process_id: 4
thread_id: 15220
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
ObjectServer: Security
ObjectType: Process
ObjectName: \Device\HarddiskVolume4\Windows\System32\lsass.exe
HandleId: '0x1978'
AccessList: "%%4484\r\n\t\t\t\t"
AccessMask: '0x10'
ProcessId: '0x4a28'
ProcessName: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
ResourceAttributes: '-'
message: ''
Community Notes
An attempt was made to access an object. May catch mass permission changes or tampering. Also fires on renames and can be noisy (pair with 4660).
Sigma Rules
- Azure AD Health Monitoring Agent Registry Keys Access
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
- Azure AD Health Service Agents Registry Keys Access
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.
- Processes Accessing the Microphone and Webcam
Potential adversaries accessing the microphone and webcam in an endpoint.
- ISO Image Mounted
Detects the mount of an ISO image on an endpoint
- LSASS Access From Non System Account
Detects potential mimikatz-like tools accessing LSASS from non system account
Showing 5 of 14 matching Sigma rules.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4663
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4664 — An attempt was made to create a hard link.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
FileName | [Link Information] File Name. |
LinkName | [Link Information] Link Name. |
TransactionId | [Link Information] Transaction ID. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4664
version: 0
level: 0
task: 12800
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T01:40:05.111192+00:00'
event_record_id: 275147
correlation: {}
execution:
process_id: 4
thread_id: 8800
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
FileName: C:\Program Files\WindowsApps\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x64__8wekyb3d8bbwe\zh-TW\Microsoft.UI.Xaml.Phone.dll.mui
LinkName: C:\Program Files\WindowsApps\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x86__8wekyb3d8bbwe\zh-TW\Microsoft.UI.Xaml.Phone.dll.mui
TransactionId: 00000000-0000-0000-0000-000000000000
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4664
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4664
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4665 — An attempt was made to create an application client context.
Message
Fields
| Name | Description |
|---|---|
Application_Name | [Application Information] Application Name. |
Application_Instance_ID | [Application Information] Application Instance ID. |
Client_Name | [Subject] Client Name. |
Client_Domain | [Subject] Client Domain. |
Client_Context_ID | [Subject] Client Context ID. |
Status | [Application Information] Status. |
AppName | — |
AppInstance | — |
ClientName | — |
ClientDomain | — |
ClientLogonId | — |
References
Event ID 4666 — An application attempted an operation.
Message
Fields
| Name | Description |
|---|---|
Application_Name | [Application Information] Application Name. |
Application_Instance_ID | [Application Information] Application Instance ID. |
Object_Name | [Object] Object Name. |
Scope_Names | [Object] Scope Names. |
Client_Name | [Subject] Client Name. |
Client_Domain | [Subject] Client Domain. |
Client_Context_ID | [Subject] Client Context ID. |
Role | [Access Request Information] Role. |
Groups | [Access Request Information] Groups. |
Operation_Name | [Access Request Information] Operation Name. |
AppName | — |
AppInstance | — |
ObjectName | — |
ScopeName | — |
ClientName | — |
ClientDomain | — |
ClientLogonId | — |
Group | — |
OperationName | — |
OperationId | — |
References
Event ID 4667 — An application client context was deleted.
Message
Fields
| Name | Description |
|---|---|
Application_Name | [Application Information] Application Name. |
Application_Instance_ID | [Application Information] Application Instance ID. |
Client_Name | [Subject] Client Name. |
Client_Domain | [Subject] Client Domain. |
Client_Context_ID | [Subject] Client Context ID. |
AppName | — |
AppInstance | — |
ClientName | — |
ClientDomain | — |
ClientLogonId | — |
References
Event ID 4668 — An application was initialized.
Message
Fields
| Name | Description |
|---|---|
Application_Name | [Application Information] Application Name. |
Application_Instance_ID | [Application Information] Application Instance ID. |
Client_Name | [Subject] Client Name. |
Client_Domain | [Subject] Client Domain. |
Client_ID | [Subject] Client ID. |
Policy_Store_URL | [Additional Information] Policy Store URL. |
AppName | — |
AppInstance | — |
ClientName | — |
ClientDomain | — |
ClientLogonId | — |
StoreUrl | — |
References
Event ID 4670 — Permissions on an object were changed.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
ObjectServer | [Object] Object Server. |
ObjectType | [Object] Object Type. |
ObjectName | [Object] Object Name. |
HandleId | [Object] Handle ID. |
OldSd | [Permissions Change] Original Security Descriptor. |
NewSd | [Permissions Change] New Security Descriptor. |
ProcessId | [Process] Process ID. |
ProcessName | [Process] Process Name. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4670
version: 0
level: 0
task: 13570
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T02:03:41.603666+00:00'
event_record_id: 314599
correlation: {}
execution:
process_id: 4
thread_id: 21268
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
ObjectServer: Security
ObjectType: Token
ObjectName: '-'
HandleId: '0xddc'
OldSd: D:(A;;GA;;;SY)(A;;GA;;;NS)
NewSd: D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)
ProcessId: '0x30c'
ProcessName: C:\Windows\System32\services.exe
message: ''
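The OldSd/NewSd pair in the example above is where the value of this event lies: both are SDDL strings, so the exact ACEs that were added or removed can be recovered instead of just knowing that "something changed". The following is an added example, not code from the original page or from any of the referenced projects: it parses the DACL portion of both descriptors, diffs them, and flags newly added allow-ACEs that hand a trustee full control (GA, WD, WO, FA, KA). The benign-trustee set and the services.exe/Token exception are assumptions chosen for this example; the second sample event (a file ACL edit via icacls.exe) is constructed.

```python
import re

# One SDDL ACE: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^)]*)\)")

# SDDL rights that hand a trustee full control of the object or of its ACL:
# GA = GENERIC_ALL, WD = WRITE_DAC, WO = WRITE_OWNER, FA = FILE_ALL_ACCESS, KA = KEY_ALL_ACCESS.
FULL_CONTROL = {"GA", "WD", "WO", "FA", "KA"}
GENERIC_ALL, WRITE_DAC, WRITE_OWNER = 0x10000000, 0x00040000, 0x00080000

# Trustees that legitimately hold full control almost everywhere (well-known SDDL aliases).
# Editorial choice for this example; tune for your estate.
BENIGN_TRUSTEES = {"SY", "BA", "OW", "CO", "NS", "LS"}


def parse_dacl(sddl: str) -> list[tuple[str, ...]]:
    """Return the ACEs of the DACL ('D:' section) as 6-field tuples, in their original order."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = tuple(body.split(";"))
        if len(fields) == 6:            # conditional ACEs carry extra fields; skipped here
            aces.append(fields)
    return aces


def rights_of(rights: str) -> set[str]:
    """Normalise the rights field to two-letter codes; a hex mask is decoded to the codes we care about."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {code for bit, code in ((GENERIC_ALL, "GA"), (WRITE_DAC, "WD"), (WRITE_OWNER, "WO")) if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def diff_dacl(old_sd: str, new_sd: str) -> dict:
    """Set difference of the two DACLs, plus the subset of added allow-ACEs that grant full control."""
    old, new = set(parse_dacl(old_sd)), set(parse_dacl(new_sd))
    added, removed = sorted(new - old), sorted(old - new)
    risky = [ace for ace in added if ace[0] == "A" and rights_of(ace[2]) & FULL_CONTROL]
    return {"added": added, "removed": removed, "risky_grants": risky}


def triage_4670(event_data: dict) -> dict:
    """Flag a 4670 when a trustee outside the benign set gains full control it did not have before."""
    d = diff_dacl(event_data["OldSd"], event_data["NewSd"])
    trustees = {ace[5] for ace in d["risky_grants"]} - BENIGN_TRUSTEES
    # services.exe grants the per-service SID (S-1-5-80-*) on every service token it builds,
    # which is exactly the pattern in the example above; drop that case as expected noise.
    if event_data.get("ObjectType") == "Token" and \
            event_data.get("ProcessName", "").lower().endswith("\\services.exe"):
        trustees = {t for t in trustees if not t.startswith("S-1-5-80-")}
    return {
        "object": f'{event_data["ObjectType"]}:{event_data["ObjectName"]}',
        "changed_by": f'{event_data["SubjectDomainName"]}\\{event_data["SubjectUserName"]}',
        "process": event_data["ProcessName"],
        "new_full_control_trustees": sorted(trustees),
        "suspicious": bool(trustees),
    }


# Reproduced from the example event above (service token built by services.exe).
EXAMPLE_TOKEN = {
    "SubjectUserName": "WINDEV2310EVAL$", "SubjectDomainName": "WORKGROUP",
    "ObjectType": "Token", "ObjectName": "-", "ProcessName": r"C:\Windows\System32\services.exe",
    "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)",
    "NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)",
}

# Constructed: a file ACL edit that hands a normal user full control of a service binary.
CONSTRUCTED_FILE = {
    "SubjectUserName": "User", "SubjectDomainName": "WINDEV2310EVAL",
    "ObjectType": "File", "ObjectName": r"C:\Program Files\Example\svc.exe",
    "ProcessName": r"C:\Windows\System32\icacls.exe",
    "OldSd": "O:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)",
    "NewSd": "O:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)(A;;FA;;;S-1-5-21-1992711665-1655669231-58201500-1000)",
}

if __name__ == "__main__":
    for ev in (EXAMPLE_TOKEN, CONSTRUCTED_FILE):
        print(triage_4670(ev))
```

Run against the example event this reports no finding (the only new full-control grant goes to a service SID on a token built by services.exe); the constructed file event is flagged because a user SID gains FILE_ALL_ACCESS it did not hold before. Set comparison ignores ACE order, which is fine for detection but not for reasoning about deny-ACE precedence.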
Community Notes
Generated when the security descriptor of an object (file system, registry or security token object) is changed, with both the original and the new descriptor carried in SDDL, so the specific ACEs that were added or removed can be recovered. Useful for spotting ACL edits on files, registry keys, services or tokens that grant a new trustee full control; expect heavy benign volume from services.exe adjusting service tokens, as in the example above.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4670
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4670
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4671 — An application attempted to access a blocked ordinal through the TBS.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Ordinal | [Subject] Ordinal. |
CallerUserSid | — |
CallerUserName | — |
CallerDomainName | — |
CallerLogonId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4671
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4671
Event ID 4672 — Special privileges assigned to new logon.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
PrivilegeList | [Subject] Privileges. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4672
version: 0
level: 0
task: 12548
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:52.440990+00:00'
event_record_id: 2949
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 856
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: SYSTEM
SubjectDomainName: NT AUTHORITY
SubjectLogonId: '0x3e7'
PrivilegeList: "SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege\r\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"
message: ''
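The example above shows why raw 4672 volume is unusable as an alert: SYSTEM generates one at every boot with a dozen privileges. What a practitioner actually does is parse the padded PrivilegeList string, drop the built-in service identities, keep only the privileges that matter, and join to the 4624 for the same logon ID to learn where the session came from. The following is an added example, not code from the original page or from any referenced project; the high-value privilege set and the "remote" logon types are editorial choices, and the 4624/4672 pair for the user account is constructed.

```python
import re

# Subjects whose 4672 events are expected background noise: SYSTEM, LOCAL SERVICE,
# NETWORK SERVICE and per-service virtual accounts (S-1-5-80-*).
NOISY_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# Privileges worth alerting on. This is an editorial choice for the example, a subset of the
# sensitive privileges that cause 4672 to be generated at all.
HIGH_VALUE = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeCreateTokenPrivilege",
    "SeEnableDelegationPrivilege",
}


def parse_privileges(raw: str) -> list[str]:
    """PrivilegeList is one string with CR/LF/tab padding between names (see the example above)."""
    return [p for p in re.split(r"\s+", raw.strip()) if p]


def is_noise(sid: str) -> bool:
    return sid in NOISY_SIDS or sid.startswith("S-1-5-80-")


def correlate_4672(events: list[dict]) -> list[dict]:
    """Keep 4672s for real accounts holding high-value privileges and attach the 4624 that
    created the same logon session (4672.SubjectLogonId == 4624.TargetLogonId)."""
    logons = {e["EventData"]["TargetLogonId"]: e["EventData"]
              for e in events if e["EventID"] == 4624}
    findings = []
    for e in events:
        if e["EventID"] != 4672:
            continue
        d = e["EventData"]
        if is_noise(d["SubjectUserSid"]):
            continue
        hit = sorted(set(parse_privileges(d["PrivilegeList"])) & HIGH_VALUE)
        if not hit:
            continue
        logon = logons.get(d["SubjectLogonId"], {})
        findings.append({
            "user": f'{d["SubjectDomainName"]}\\{d["SubjectUserName"]}',
            "logon_id": d["SubjectLogonId"],
            "privileges": hit,
            "logon_type": logon.get("LogonType"),
            "source_ip": logon.get("IpAddress"),
            # a network (3) or RDP (10) session that arrives with debug/backup rights is the case to page on
            "remote": logon.get("LogonType") in {"3", "10"},
        })
    return findings


SAMPLE_EVENTS = [
    # Reproduced from the example above: SYSTEM at boot, dropped as noise.
    {"EventID": 4672, "EventData": {
        "SubjectUserSid": "S-1-5-18", "SubjectUserName": "SYSTEM",
        "SubjectDomainName": "NT AUTHORITY", "SubjectLogonId": "0x3e7",
        "PrivilegeList": "SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\tSeDebugPrivilege"}},
    # Constructed: a network logon (type 3) for a local admin account that brings SeDebugPrivilege.
    {"EventID": 4624, "EventData": {
        "TargetUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
        "TargetLogonId": "0x9a1c3", "LogonType": "3", "IpAddress": "10.20.30.40"}},
    {"EventID": 4672, "EventData": {
        "SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
        "SubjectUserName": "User", "SubjectDomainName": "WINDEV2310EVAL",
        "SubjectLogonId": "0x9a1c3",
        "PrivilegeList": "SeSecurityPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeDebugPrivilege"}},
]

if __name__ == "__main__":
    for f in correlate_4672(SAMPLE_EVENTS):
        print(f)
```

The join key is the logon ID, which is unique per boot, so 4624 and 4672 must come from the same host and the same boot for the correlation to hold.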
Community Notes
Generated when a new logon session is assigned one or more sensitive privileges (SeDebugPrivilege, SeTcbPrivilege, SeBackupPrivilege and the rest of the list in the example above), so it marks administrator or SYSTEM-equivalent sessions at logon time. It is extremely noisy for SYSTEM and service accounts; filter on SubjectUserSid and join to 4624 on the logon ID (SubjectLogonId here equals TargetLogonId in 4624) to recover the logon type and source address.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4672
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4673 — A privileged service was called.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
ObjectServer | [Service] Server. |
Service | [Service] Service Name. |
PrivilegeList | [Service Request Information] Privileges. |
ProcessId | [Process] Process ID. |
ProcessName | [Process] Process Name. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4673
version: 0
level: 0
task: 13056
opcode: 0
keywords: 9227875636482146304
time_created: '2023-11-06T02:04:44.872475+00:00'
event_record_id: 315408
correlation: {}
execution:
process_id: 4
thread_id: 9496
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-1992711665-1655669231-58201500-1000
SubjectUserName: User
SubjectDomainName: WINDEV2310EVAL
SubjectLogonId: '0x27844'
ObjectServer: Security
Service: '-'
PrivilegeList: SeProfileSingleProcessPrivilege
ProcessId: '0x33f0'
ProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe
message: ''
Community Notes
Logs a privileged service call, naming the privilege actually exercised rather than one merely held. Uses of SeDebugPrivilege (typically just before a process opens another process's memory) and SeTcbPrivilege are the ones worth hunting; the example above shows the benign volume to expect from ordinary applications such as a browser. Which privileges are audited depends on the Sensitive Privilege Use and Non Sensitive Privilege Use subcategories.
Sigma Rules
- User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
- Potential Privileged System Service Operation - SeLoadDriverPrivilege
Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4673
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4674 — An operation was attempted on a privileged object.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
ObjectServer | [Object] Object Server. |
ObjectType | [Object] Object Type. |
ObjectName | [Object] Object Name. |
HandleId | [Object] Object Handle. |
AccessMask | [Requested Operation] Desired Access. |
PrivilegeList | [Requested Operation] Privileges. |
ProcessId | [Process Information] Process ID. |
ProcessName | [Process Information] Process Name. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4674
version: 0
level: 0
task: 13056
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T01:39:25.936087+00:00'
event_record_id: 273230
correlation: {}
execution:
process_id: 4
thread_id: 17676
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-1992711665-1655669231-58201500-1000
SubjectUserName: User
SubjectDomainName: WINDEV2310EVAL
SubjectLogonId: '0x277c6'
ObjectServer: Security
ObjectType: '-'
ObjectName: '-'
HandleId: '0xfffffffffffffffc'
AccessMask: '1024'
PrivilegeList: SeIncreaseBasePriorityPrivilege
ProcessId: '0x39dc'
ProcessName: C:\Program Files\WindowsApps\Microsoft.SysinternalsSuite_2023.10.0.0_x64__8wekyb3d8bbwe\Tools\Procmon.exe
message: ''
Community Notes
Logs an attempted operation on a privileged object, for example opening an object with an access mask that requires SeSecurityPrivilege or SeTakeOwnershipPrivilege, such as the SAM or SECURITY registry hives. The example above shows the routine volume produced by tools adjusting process priority with SeIncreaseBasePriorityPrivilege.
Sigma Rules
- SCM Database Privileged Operation
Detects non-system users performing privileged operation on the SCM database
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4674
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4674
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4675 — SIDs were filtered.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Target Account] Security ID. |
Account_Name | [Target Account] Account Name. |
Account_Domain | [Target Account] Account Domain. |
Trust_Direction | [Trust Information] Trust Direction. |
Trust_Attributes | [Trust Information] Trust Attributes. |
Trust_Type | [Trust Information] Trust Type. |
TDO_Domain_SID | [Trust Information] TDO Domain SID. |
Filtered_SIDs | [Trust Information] Filtered SIDs. |
TargetUserSid | — |
TargetUserName | — |
TargetDomainName | — |
TdoDirection | — |
TdoAttributes | — |
TdoType | — |
TdoSid | — |
SidList | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4675
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4675
Event ID 4688 — A new process has been created.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Creator Subject] Security ID. |
SubjectUserName | [Creator Subject] Account Name. |
SubjectDomainName | [Creator Subject] Account Domain. |
SubjectLogonId | [Creator Subject] Logon ID. |
NewProcessId | [Process Information] New Process ID. |
NewProcessName | [Process Information] New Process Name. |
TokenElevationType | [Process Information] Token Elevation Type. |
ProcessId | [Process Information] Creator Process ID. |
CommandLine | [Process Information] Process Command Line. |
TargetUserSid | [Target Subject] Security ID. |
TargetUserName | [Target Subject] Account Name. |
TargetDomainName | [Target Subject] Account Domain. |
TargetLogonId | [Target Subject] Logon ID. |
ParentProcessName | [Process Information] Creator Process Name. |
MandatoryLabel | [Process Information] Mandatory Label. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4688
version: 2
level: 0
task: 13312
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:27.153945+00:00'
event_record_id: 2753
correlation: {}
execution:
process_id: 4
thread_id: 336
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: '-'
SubjectDomainName: '-'
SubjectLogonId: '0x3e7'
NewProcessId: '0x328'
NewProcessName: C:\Windows\System32\lsass.exe
TokenElevationType: '%%1936'
ProcessId: '0x27c'
CommandLine: ''
TargetUserSid: S-1-0-0
TargetUserName: '-'
TargetDomainName: '-'
TargetLogonId: '0x0'
ParentProcessName: C:\Windows\System32\wininit.exe
MandatoryLabel: S-1-16-16384
message: ''
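Two of the fields in the example above are coded: TokenElevationType arrives as a resource-string id (%%1936, %%1937, %%1938) and MandatoryLabel as an integrity SID (S-1-16-16384 is System). The following is an added example, not code from the original page or from any referenced project: it decodes both, reads the Target Subject to tell whether the new process runs under a different account than its creator, and checks core system processes against the parent and path they should always have. The expected-parent table is an assumption for this example (it covers the handful of processes whose parentage is fixed), and the second sample event, a look-alike lsass.exe in a user-writable directory, is constructed.

```python
import ntpath

# TokenElevationType as it appears in the raw XML (resource-string ids) and what each means.
TOKEN_ELEVATION = {
    "%%1936": "TokenElevationTypeDefault",   # no UAC split token: SYSTEM, services, UAC disabled
    "%%1937": "TokenElevationTypeFull",      # elevated token: UAC prompt accepted or run-as-administrator
    "%%1938": "TokenElevationTypeLimited",   # filtered token of an admin, or an ordinary standard user
}

# Mandatory integrity label SIDs.
MANDATORY_LABEL = {
    "S-1-16-0": "Untrusted", "S-1-16-4096": "Low", "S-1-16-8192": "Medium",
    "S-1-16-8448": "Medium Plus", "S-1-16-12288": "High", "S-1-16-16384": "System",
    "S-1-16-20480": "Protected Process",
}

# Core system processes and the only parents that should ever start them (assumption for this example).
EXPECTED_PARENT = {
    "lsass.exe": {"wininit.exe"}, "services.exe": {"wininit.exe"},
    "winlogon.exe": {"smss.exe"}, "csrss.exe": {"smss.exe"}, "svchost.exe": {"services.exe"},
}
SYSTEM32 = "c:\\windows\\system32\\"


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def decode_4688(d: dict) -> dict:
    """Decode the coded fields of a 4688 and check parent/path expectations for core processes."""
    child, parent = basename(d["NewProcessName"]), basename(d["ParentProcessName"])
    issues = []
    if child in EXPECTED_PARENT:
        if parent not in EXPECTED_PARENT[child]:
            issues.append(f"{child} started by {parent}")
        if not d["NewProcessName"].lower().startswith(SYSTEM32):
            issues.append(f"{child} running from {ntpath.dirname(d['NewProcessName'])}")
    return {
        "process": child,
        "parent": parent,
        "elevation": TOKEN_ELEVATION.get(d["TokenElevationType"], d["TokenElevationType"]),
        "integrity": MANDATORY_LABEL.get(d["MandatoryLabel"], d["MandatoryLabel"]),
        # Target Subject is S-1-0-0 (NULL SID) unless the new process runs under a different
        # account than its creator, e.g. via runas or CreateProcessWithLogonW.
        "runs_as_other_account": d.get("TargetUserSid", "S-1-0-0") != "S-1-0-0",
        "issues": issues,
    }


# Reproduced from the example event above: the real lsass.exe started by wininit.exe at boot.
EXAMPLE_4688 = {
    "NewProcessName": r"C:\Windows\System32\lsass.exe", "TokenElevationType": "%%1936",
    "ParentProcessName": r"C:\Windows\System32\wininit.exe", "MandatoryLabel": "S-1-16-16384",
    "TargetUserSid": "S-1-0-0", "CommandLine": "",
}

# Constructed: a look-alike lsass.exe in a user-writable directory, started elevated by a downloader.
CONSTRUCTED_FAKE_LSASS = {
    "NewProcessName": r"C:\Users\Public\lsass.exe", "TokenElevationType": "%%1937",
    "ParentProcessName": r"C:\Users\Public\update.exe", "MandatoryLabel": "S-1-16-12288",
    "TargetUserSid": "S-1-0-0", "CommandLine": r"C:\Users\Public\lsass.exe",
}

if __name__ == "__main__":
    print(decode_4688(EXAMPLE_4688))
    print(decode_4688(CONSTRUCTED_FAKE_LSASS))
```

CommandLine is empty in the example because it is only populated when "Include command line in process creation events" is enabled; the parent/path checks above work without it.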
Sigma Rules
- 7Zip Compressing Dump Files
Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
- Compress Data and Lock With Password for Exfiltration With 7-ZIP
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
- Potential DLL Injection Via AccCheckConsole
Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
- Suspicious AddinUtil.EXE CommandLine Execution
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
- Uncommon Child Process Of AddinUtil.EXE
Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
Showing 5 of 1167 matching Sigma rules.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4688
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4689 — A process has exited.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
Status | [Process Information] Exit Status. |
ProcessId | [Process Information] Process ID. |
ProcessName | [Process Information] Process Name. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4689
version: 0
level: 0
task: 13313
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T02:04:26.563982+00:00'
event_record_id: 315178
correlation: {}
execution:
process_id: 4
thread_id: 20768
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
Status: '0x0'
ProcessId: '0x3f24'
ProcessName: C:\Windows\System32\svchost.exe
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4689
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4689
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4690 — An attempt was made to duplicate a handle to an object.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Source_Handle_ID | [Source Handle Information] Source Handle ID. |
Source_Process_ID | [Source Handle Information] Source Process ID. |
Target_Handle_ID | [New Handle Information] Target Handle ID. |
Target_Process_ID | [New Handle Information] Target Process ID. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4690
version: 0
level: 0
task: 12807
opcode: 0
keywords: 9232379236109516800
time_created: '2021-04-26T08:26:03.063863Z'
event_record_id: 463066
correlation: {}
execution:
process_id: 4
thread_id: 6080
channel: Security
computer: srvdefender01.offsec.lan
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: SRVDEFENDER01$
SubjectDomainName: OFFSEC
SubjectLogonId: '0x3e7'
SourceHandleId: '0x2a4'
SourceProcessId: '0xc8c'
TargetHandleId: '0x11ac'
TargetProcessId: '0x4'
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4690
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4690
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4691 — Indirect access to an object was requested.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Object_Type | [Object] Object Type. |
Object_Name | [Object] Object Name. |
Accesses | [Access Request Information] Accesses. |
Access_Mask | [Access Request Information] Access Mask. |
Process_ID | [Process Information] Process ID. |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ObjectType | — |
ObjectName | — |
AccessList | — |
AccessMask | — |
ProcessId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4691
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4691
Event ID 4692 — Backup of data protection master key was attempted.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Key_Identifier | [Key Information] Key Identifier. |
Recovery_Server | [Key Information] Recovery Server. |
Recovery_Key_ID | [Key Information] Recovery Key ID. |
Status_Code | [Status Information] Status Code. |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
MasterKeyId | — |
RecoveryServer | — |
RecoveryKeyId | — |
FailureReason | — |
Community Notes
Logged on the client when a DPAPI master key is backed up to a domain controller, which normally happens once when a new master key is generated (first logon, or when the key is rolled over), so it is rarely seen again for an established account. Several in quick succession may indicate mass profile creation or tooling that manipulates master keys; note that the event is written on the source host, not on the DC.
Sigma Rules
- DPAPI Domain Master Key Backup Attempt
Detects anyone attempting a backup for the DPAPI Master Key. This event gets generated at the source and not the Domain Controller.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4692
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4692
Event ID 4693 — Recovery of data protection master key was attempted.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Key_Identifier | [Key Information] Key Identifier. |
Recovery_Server | [Key Information] Recovery Server. |
Recovery_Reason | [Key Information] Recovery Reason. |
Recovery_Key_ID | [Key Information] Recovery Key ID. |
Status_Code | [Status Information] Status Code. |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
MasterKeyId | — |
RecoveryReason | — |
RecoveryServer | — |
RecoveryKeyId | — |
FailureId | — |
Community Notes
Logged on the client when a DPAPI master key has to be recovered from a domain controller, typically because the local copy can no longer be decrypted with the current credentials (password reset by an administrator, a profile copied from another host, or an attacker re-using an offline profile). Correlate with the 4624 for the same logon ID, in particular LogonType 7 (unlock) and 9 (new credentials), to see which session triggered it. See also "Detecting Credential Stealing Attacks Through Active In-Network Defense".
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4693
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4693
Event ID 4694 — Protection of auditable protected data was attempted.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
DataDescription | [Protected Data] Key Identifier. |
MasterKeyId | [Protected Data] Data Description. |
ProtectedDataFlags | [Protected Data] Protected Data Flags. |
CryptoAlgorithms | [Protected Data] Protection Algorithms. |
FailureReason | [Status Information] Status Code. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4694
version: 0
level: 0
task: 13314
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T01:44:39.871358+00:00'
event_record_id: 290370
correlation:
ActivityID: E4DB489E-1037-0001-0C49-DBE43710DA01
execution:
process_id: 808
thread_id: 844
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-1992711665-1655669231-58201500-1000
SubjectUserName: User
SubjectDomainName: WINDEV2310EVAL
SubjectLogonId: '0x27844'
DataDescription: ecf918da-9b78-4ed5-bd64-9ff40e3484a1
MasterKeyId: Chromium
ProtectedDataFlags: '0x10'
CryptoAlgorithms: 'AES-256 , SHA2-512 '
FailureReason: '0x0'
message: ''
Community Notes
Only generated for CryptProtectData calls made with the CRYPTPROTECT_AUDIT flag (0x10, visible in ProtectedDataFlags above), so most DPAPI use never produces it; browsers protecting their local encryption key, as in the example, are the common benign source. Note that the raw field names are swapped relative to the rendered labels: the element named DataDescription holds the master key GUID and the element named MasterKeyId holds the caller's description. When seen outside software installation or browser start-up it may indicate a payload being staged under DPAPI protection.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4694
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4694
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4695 — Unprotection of auditable protected data was attempted.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
DataDescription | [Protected Data] Key Identifier. |
MasterKeyId | [Protected Data] Data Description. |
ProtectedDataFlags | [Protected Data] Protected Data Flags. |
CryptoAlgorithms | [Protected Data] Protection Algorithms. |
FailureReason | [Status Information] Status Code. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4695
version: 0
level: 0
task: 13314
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T01:47:40.735119+00:00'
event_record_id: 293247
correlation:
ActivityID: E4DB489E-1037-0001-0C49-DBE43710DA01
execution:
process_id: 808
thread_id: 15768
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-1992711665-1655669231-58201500-1000
SubjectUserName: User
SubjectDomainName: WINDEV2310EVAL
SubjectLogonId: '0x27844'
DataDescription: ecf918da-9b78-4ed5-bd64-9ff40e3484a1
MasterKeyId: Google Chrome
ProtectedDataFlags: '0x0'
CryptoAlgorithms: 'AES-256 , SHA2-512 '
FailureReason: '0x0'
message: ''
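The 4694 and 4695 examples above share the same master key GUID (ecf918da-...) and the same Subject, which is the normal protect-then-unprotect cycle of one application under one user. Two deviations are worth detecting: a 4695 that uses a master key last seen protecting data for a different account (someone else is decrypting with that user's key), and one logon session unprotecting many blobs in a short window. The following is an added example, not code from the original page or from any referenced project; it also undoes the field-name swap noted under 4694. The window and burst thresholds are assumptions, and the second account and its five 4695 events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# dwFlags bits of CryptProtectData/CryptUnprotectData (dpapi.h). Only blobs protected with
# CRYPTPROTECT_AUDIT produce 4694/4695 at all.
CRYPTPROTECT_UI_FORBIDDEN, CRYPTPROTECT_LOCAL_MACHINE, CRYPTPROTECT_AUDIT = 0x1, 0x4, 0x10


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalise(e: dict) -> dict:
    """Flatten one 4694/4695 and undo the field-name swap: the element named DataDescription
    carries the master key GUID and the element named MasterKeyId carries the caller's description."""
    d = e["EventData"]
    return {
        "event_id": e["EventID"], "time": ts(e["time_created"]),
        "user_sid": d["SubjectUserSid"], "logon_id": d["SubjectLogonId"],
        "master_key": d["DataDescription"], "description": d["MasterKeyId"],
        "flags": int(d["ProtectedDataFlags"], 16), "ok": int(d["FailureReason"], 16) == 0,
    }


def dpapi_findings(events: list[dict], window: timedelta = timedelta(minutes=2), burst: int = 5) -> list[dict]:
    """Two checks: (1) a 4695 that uses a master key last seen protecting data for a different
    account; (2) one logon session unprotecting `burst` or more blobs inside `window`.
    The thresholds are assumptions for this example, not documented values."""
    recs = sorted((normalise(e) for e in events), key=lambda r: r["time"])
    protector, per_session, seen, findings = {}, defaultdict(list), set(), []
    for r in recs:
        if not r["ok"]:
            continue
        if r["event_id"] == 4694:
            protector[r["master_key"]] = r["user_sid"]
        elif r["event_id"] == 4695:
            owner = protector.get(r["master_key"])
            key = (r["master_key"], r["user_sid"], r["logon_id"])
            if owner and owner != r["user_sid"] and key not in seen:
                seen.add(key)
                findings.append({"type": "unprotect_by_other_user", "master_key": r["master_key"],
                                 "protected_by": owner, "unprotected_by": r["user_sid"],
                                 "logon_id": r["logon_id"]})
            per_session[r["logon_id"]].append(r)
    for logon_id, rs in per_session.items():
        for i, first in enumerate(rs):                       # rs is already time-ordered
            w = [x for x in rs[i:] if x["time"] - first["time"] <= window]
            if len(w) >= burst:
                findings.append({"type": "bulk_unprotect", "logon_id": logon_id, "count": len(w),
                                 "descriptions": sorted({x["description"] for x in w})})
                break
    return findings


def ev(eid, t, sid, logon, desc, flags, status="0x0"):
    return {"EventID": eid, "time_created": t, "EventData": {
        "SubjectUserSid": sid, "SubjectLogonId": logon,
        "DataDescription": "ecf918da-9b78-4ed5-bd64-9ff40e3484a1", "MasterKeyId": desc,
        "ProtectedDataFlags": flags, "FailureReason": status}}


USER = "S-1-5-21-1992711665-1655669231-58201500-1000"
OTHER = "S-1-5-21-1992711665-1655669231-58201500-1001"      # constructed second local account
SAMPLE_DPAPI = [
    # Reproduced from the two example events above: Chrome protects, then unprotects, its key.
    ev(4694, "2023-11-06T01:44:39.871358+00:00", USER, "0x27844", "Chromium", "0x10"),
    ev(4695, "2023-11-06T01:47:40.735119+00:00", USER, "0x27844", "Google Chrome", "0x0"),
] + [
    # Constructed: another account, in a fresh session, decrypts five blobs under USER's master key in 20 s.
    ev(4695, f"2023-11-06T02:10:{10 + 4 * i:02d}+00:00", OTHER, "0x5c0ff", f"blob-{i}", "0x0")
    for i in range(5)
]

if __name__ == "__main__":
    for f in dpapi_findings(SAMPLE_DPAPI):
        print(f)
```

Neither event carries a process name, so attribution stops at the account and logon session; join on SubjectLogonId to 4624 and 4688 when the process matters.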
Community Notes
Generated when CryptUnprotectData is called on a blob that was protected with CRYPTPROTECT_AUDIT; the field-name swap noted under 4694 applies here too. Pair with 4694 on the master key GUID (the value in DataDescription) and the Subject fields to see which account and logon session unprotected data it did not itself protect.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4695
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4695
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4696 — A primary token was assigned to process.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
TargetUserSid | [New Token Information] Security ID. |
TargetUserName | [New Token Information] Account Name. |
TargetDomainName | [New Token Information] Account Domain. |
TargetLogonId | [New Token Information] Logon ID. |
TargetProcessId | [Target Process] Target Process ID. |
TargetProcessName | [Target Process] Target Process Name. |
ProcessId | [Process Information] Process ID. |
ProcessName | [Process Information] Process Name. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4696
version: 0
level: 0
task: 13312
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:19.637636+00:00'
event_record_id: 2742
correlation: {}
execution:
process_id: 4
thread_id: 96
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: '-'
SubjectDomainName: '-'
SubjectLogonId: '0x3e7'
TargetUserSid: S-1-0-0
TargetUserName: '-'
TargetDomainName: '-'
TargetLogonId: '0x3e7'
TargetProcessId: '0x64'
TargetProcessName: Registry
ProcessId: '0x4'
ProcessName: ''
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4696
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4696
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4697 — A service was installed in the system.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
ServiceName | [Service Information] Service Name. |
ServiceFileName | [Service Information] Service File Name. |
ServiceType | [Service Information] Service Type. |
ServiceStartType | [Service Information] Service Start Type. |
ServiceAccount | [Service Information] Service Account. |
ClientProcessStartKey | — |
ClientProcessId | — |
ParentProcessId | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4697
version: 1
level: 0
task: 12289
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-04T14:08:37.173232+00:00'
event_record_id: 34393
correlation:
ActivityID: 7377737E-4825-0000-C974-77732548D801
execution:
process_id: 612
thread_id: 3964
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WIN-TKC15D7KHUR$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
ServiceName: MpKsl6680716f
ServiceFileName: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{94297FD4-6E63-4B60-B47B-85D76376014D}\MpKslDrv.sys
ServiceType: '0x1'
ServiceStartType: 3
ServiceAccount: LocalSystem
ClientProcessStartKey: 1407374883553325
ClientProcessId: 1796
ParentProcessId: 604
message: ''
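ServiceType and ServiceStartType in the example above are the raw dwServiceType/dwStartType values passed to CreateService (0x1 = kernel driver, 3 = demand start), and ServiceFileName is the field that carries the detection value: lateral-movement tooling installs services whose binary sits on an ADMIN$ share or whose "binary" is really a command interpreter. The following is an added example, not code from the original page or from the referenced Sigma rules: it decodes the numeric fields and applies a few path heuristics. The user-writable directory list, the Defender definition-update exception (needed for the MpKslDrv.sys case in the example) and both suspicious sample services are assumptions or constructed for this example.

```python
import re

# dwServiceType / dwStartType values from CreateServiceW, as they appear in ServiceType/ServiceStartType.
SERVICE_TYPE = {0x1: "KERNEL_DRIVER", 0x2: "FILE_SYSTEM_DRIVER",
                0x10: "WIN32_OWN_PROCESS", 0x20: "WIN32_SHARE_PROCESS"}
START_TYPE = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}

INTERPRETER = re.compile(r"(cmd\.exe|%COMSPEC%|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript)", re.I)
ADMIN_SHARE = re.compile(r"\\\\[^\\]+\\ADMIN\$\\", re.I)          # \\host\ADMIN$\name.exe (psexec-style)
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
# Known-good exception for the example above: Defender loads MpKslDrv.sys from its definition-update folder.
KNOWN_BENIGN = ("\\microsoft\\windows defender\\definition updates\\",)


def decode_4697(d: dict) -> dict:
    """Decode the numeric fields of a 4697 and apply a few path heuristics to ServiceFileName."""
    stype = int(str(d["ServiceType"]), 0)            # '0x1' or 1
    start = int(str(d["ServiceStartType"]), 0)       # '3' or 3
    path = d["ServiceFileName"]
    low = path.lower()
    benign = any(k in low for k in KNOWN_BENIGN)
    flags = []
    if INTERPRETER.search(path):
        flags.append("interpreter in ServiceFileName")
    if ADMIN_SHARE.search(path):
        flags.append("binary served from ADMIN$ share")
    if USER_WRITABLE.search(path) and not benign:
        flags.append("binary in user-writable location")
    if stype & 0x3 and not low.startswith(DRIVER_DIRS) and not benign:
        flags.append("kernel driver outside the drivers directory")
    return {
        "service": d["ServiceName"],
        "type": SERVICE_TYPE.get(stype & 0x33, hex(stype)),    # mask off INTERACTIVE_PROCESS (0x100)
        "start": START_TYPE.get(start, str(start)),
        "account": d["ServiceAccount"],
        "installer_pid": d.get("ClientProcessId"),
        "flags": flags,
    }


# Reproduced from the example event above: Defender's definition-update driver.
EXAMPLE_4697 = {
    "ServiceName": "MpKsl6680716f",
    "ServiceFileName": r"C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{94297FD4-6E63-4B60-B47B-85D76376014D}\MpKslDrv.sys",
    "ServiceType": "0x1", "ServiceStartType": 3, "ServiceAccount": "LocalSystem", "ClientProcessId": 1796,
}

# Constructed: the two service shapes lateral-movement tooling typically leaves behind.
CONSTRUCTED_PSEXEC_STYLE = {
    "ServiceName": "7a3f2b1e", "ServiceFileName": r"\\127.0.0.1\ADMIN$\7a3f2b1e.exe",
    "ServiceType": "0x10", "ServiceStartType": "3", "ServiceAccount": "LocalSystem",
}
CONSTRUCTED_COMSPEC_STYLE = {
    "ServiceName": "a1b2c3d", "ServiceFileName": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -enc <base64>",
    "ServiceType": "0x10", "ServiceStartType": "3", "ServiceAccount": "LocalSystem",
}

if __name__ == "__main__":
    for svc in (EXAMPLE_4697, CONSTRUCTED_PSEXEC_STYLE, CONSTRUCTED_COMSPEC_STYLE):
        print(decode_4697(svc))
```

The version-1 fields ClientProcessId and ParentProcessId (present in the example) identify the process that called CreateService, so the installer can be tied back to its 4688.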
Sigma Rules
- CobaltStrike Service Installations - Security
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
- HybridConnectionManager Service Installation
Rule to detect the Hybrid Connection Manager service installation.
- Invoke-Obfuscation CLIP+ Launcher - Security
Detects Obfuscated use of Clip.exe to execute PowerShell
- Invoke-Obfuscation Obfuscated IEX Invocation - Security
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
- Invoke-Obfuscation STDIN+ Launcher - Security
Detects Obfuscated use of stdin to execute PowerShell
Showing 5 of 21 matching Sigma rules.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4697
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4698 — A scheduled task was created.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Task_Name | [Task Information] Task Name. |
Task_Content | [Task Information] Task Content. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4698
version: 0
level: 0
task: 12804
opcode: 0
keywords: 9232379236109516800
time_created: '2019-03-19T00:02:04.319945Z'
event_record_id: 566836
correlation: {}
execution:
process_id: 452
thread_id: 2836
channel: Security
computer: WIN-77LTAPHIQ1R.example.corp
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-1587066498-1489273250-1035260531-500
SubjectUserName: Administrator
SubjectDomainName: EXAMPLE
SubjectLogonId: '0x17e2d2'
TaskName: \CYAlyNSS
TaskContent: "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\"
xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <Triggers>\r\n
\ <CalendarTrigger>\r\n <StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>\r\n
\ <Enabled>true</Enabled>\r\n <ScheduleByDay>\r\n <DaysInterval>1</DaysInterval>\r\n
\ </ScheduleByDay>\r\n </CalendarTrigger>\r\n </Triggers>\r\n <Principals>\r\n
\ <Principal id=\"LocalSystem\">\r\n <UserId>S-1-5-18</UserId>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n
\ <LogonType>InteractiveToken</LogonType>\r\n </Principal>\r\n </Principals>\r\n
\ <Settings>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n
\ <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n
\ <AllowHardTerminate>true</AllowHardTerminate>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n
\ <IdleSettings>\r\n <StopOnIdleEnd>true</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n
\ </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n
\ <Hidden>true</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n
\ <ExecutionTimeLimit>P3D</ExecutionTimeLimit>\r\n <Priority>7</Priority>\r\n
\ </Settings>\r\n <Actions Context=\"LocalSystem\">\r\n <Exec>\r\n <Command>cmd.exe</Command>\r\n
\ <Arguments>/C tasklist > %windir%\\Temp\\CYAlyNSS.tmp 2>&1</Arguments>\r\n
\ </Exec>\r\n </Actions>\r\n</Task>"
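TaskContent in the example above is the full Task Scheduler XML, and everything that makes this task suspicious is in it: hidden, running as S-1-5-18 with HighestAvailable, cmd.exe as the action, output redirected to %windir%\Temp, an eight-character random task name, and (see the 4699 entry that follows) deletion 32 milliseconds after creation. The following is an added example, not code from the original page or from any referenced project: it parses the XML with the task namespace, scores the traits, and pairs 4698 with the matching 4699 to find create-run-delete tasks. The trait list, the 5-minute lifetime bound and the 8-character name pattern are assumptions for this example; the embedded XML is abridged from the example above.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
INTERPRETER = re.compile(r"(cmd\.exe|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)", re.I)
TEMP_REDIRECT = re.compile(r">\s*\S*\\Temp\\", re.I)     # "> %windir%\Temp\x.tmp" style output capture
SHORT_RANDOM_NAME = re.compile(r"^\\[A-Za-z0-9]{8}$")   # e.g. \CYAlyNSS: 8 random characters at the root


def parse_task(task_xml: str) -> dict:
    """Pull the security-relevant parts out of the Task Scheduler XML carried in TaskContent."""
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml))

    def text(path: str) -> str:
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    triggers = root.find("t:Triggers", NS)
    return {
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "run_as": text("t:Principals/t:Principal/t:UserId"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden").lower() == "true",
        "triggers": [] if triggers is None else [c.tag.split("}")[-1] for c in triggers],
    }


def triage_4698(event_data: dict) -> dict:
    """Score one 4698 on the traits that together make up the remote-exec-and-cleanup pattern."""
    task = parse_task(event_data["TaskContent"])
    reasons = []
    if task["hidden"]:
        reasons.append("Hidden=true")
    if task["run_as"] == "S-1-5-18":
        reasons.append("runs as SYSTEM")
    if INTERPRETER.search(task["command"]):
        reasons.append("command interpreter as action")
    if TEMP_REDIRECT.search(task["arguments"]):
        reasons.append("output redirected to a Temp directory")
    if SHORT_RANDOM_NAME.match(event_data["TaskName"]):
        reasons.append("8-character task name at the root of the task folder")
    return {"task": event_data["TaskName"],
            "by": f'{event_data["SubjectDomainName"]}\\{event_data["SubjectUserName"]}',
            **task, "reasons": reasons, "score": len(reasons)}


def short_lived_tasks(events: list[dict], max_age: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Pair each 4698 with the 4699 for the same TaskName; create-run-delete within minutes is the
    signature of task-based remote execution (the 4698/4699 pair in the examples is 32 ms apart)."""
    def parse(s: str) -> datetime:
        return datetime.fromisoformat(s.replace("Z", "+00:00"))

    created, pairs = {}, []
    for e in sorted(events, key=lambda e: parse(e["time_created"])):
        name = e["EventData"]["TaskName"]
        if e["EventID"] == 4698:
            created[name] = e
        elif e["EventID"] == 4699 and name in created:
            c = created.pop(name)
            age = parse(e["time_created"]) - parse(c["time_created"])
            if age <= max_age:
                pairs.append({"task": name, "lifetime_s": age.total_seconds(),
                              "by": c["EventData"]["SubjectUserName"]})
    return pairs


# Abridged from the TaskContent in the example above (settings not used here are omitted).
TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>
    <Enabled>true</Enabled><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId>
    <RunLevel>HighestAvailable</RunLevel><LogonType>InteractiveToken</LogonType></Principal></Principals>
  <Settings><Hidden>true</Hidden><Enabled>true</Enabled><ExecutionTimeLimit>P3D</ExecutionTimeLimit></Settings>
  <Actions Context="LocalSystem"><Exec><Command>cmd.exe</Command>
    <Arguments>/C tasklist &gt; %windir%\\Temp\\CYAlyNSS.tmp 2&gt;&amp;1</Arguments></Exec></Actions>
</Task>"""

SUBJECT = {"SubjectUserName": "Administrator", "SubjectDomainName": "EXAMPLE", "TaskName": "\\CYAlyNSS"}
SAMPLE_TASK_EVENTS = [  # timestamps and names as in the 4698 and 4699 examples on this page
    {"EventID": 4698, "time_created": "2019-03-19T00:02:04.319945Z", "EventData": {**SUBJECT, "TaskContent": TASK_XML}},
    {"EventID": 4699, "time_created": "2019-03-19T00:02:04.351252Z", "EventData": {**SUBJECT, "TaskContent": TASK_XML}},
]

if __name__ == "__main__":
    print(triage_4698(SAMPLE_TASK_EVENTS[0]["EventData"]))
    print(short_lived_tasks(SAMPLE_TASK_EVENTS))
```

The XML declaration is stripped before parsing because the string has already been decoded by the time it reaches the event data; the encoding="UTF-16" it claims no longer applies. The creation event alone says nothing about how the task was created (locally or over RPC), which is why the short-lifetime pairing with 4699 is the stronger signal.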
Community Notes
The Subject is the account that created the task, but the event does not say how: the task may have been created locally, or remotely over the Task Scheduler RPC interface (schtasks /S, PowerShell cmdlets, Impacket atexec), WinRM, WMI or DCOM. A hidden task running as S-1-5-18 that executes cmd.exe with output redirected to %windir%\Temp and is deleted seconds later (compare the 4699 below, 32 ms after this one) is the classic remote-execution pattern.
Sigma Rules
- Suspicious Scheduled Task Creation
Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4698
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4699 — A scheduled task was deleted.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Task_Name | [Task Information] Task Name. |
Task_Content | [Task Information] Task Content. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4699
version: 0
level: 0
task: 12804
opcode: 0
keywords: 9232379236109516800
time_created: '2019-03-19T00:02:04.351252Z'
event_record_id: 566840
correlation: {}
execution:
process_id: 452
thread_id: 2836
channel: Security
computer: WIN-77LTAPHIQ1R.example.corp
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-1587066498-1489273250-1035260531-500
SubjectUserName: Administrator
SubjectDomainName: EXAMPLE
SubjectLogonId: '0x17e2d2'
TaskName: \CYAlyNSS
TaskContent: "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\"
xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <Triggers>\r\n
\ <CalendarTrigger>\r\n <StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>\r\n
\ <Enabled>true</Enabled>\r\n <ScheduleByDay>\r\n <DaysInterval>1</DaysInterval>\r\n
\ </ScheduleByDay>\r\n </CalendarTrigger>\r\n </Triggers>\r\n <Principals>\r\n
\ <Principal id=\"LocalSystem\">\r\n <UserId>S-1-5-18</UserId>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n
\ <LogonType>InteractiveToken</LogonType>\r\n </Principal>\r\n </Principals>\r\n
\ <Settings>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n
\ <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n
\ <AllowHardTerminate>true</AllowHardTerminate>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n
\ <IdleSettings>\r\n <StopOnIdleEnd>true</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n
\ </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n
\ <Hidden>true</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n
\ <ExecutionTimeLimit>P3D</ExecutionTimeLimit>\r\n <Priority>7</Priority>\r\n
\ </Settings>\r\n <Actions Context=\"LocalSystem\">\r\n <Exec>\r\n <Command>cmd.exe</Command>\r\n
\ <Arguments>/C tasklist > %windir%\\Temp\\CYAlyNSS.tmp 2>&1</Arguments>\r\n
\ </Exec>\r\n </Actions>\r\n</Task>"
Sigma Rules
- Important Scheduled Task Deleted/Disabled
Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data-destructive activities.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4699
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4700 — A scheduled task was enabled.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Task_Name | [Task Information] Task Name. |
Task_Content | [Task Information] Task Content. |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
TaskName | — |
TaskContent | — |
ClientProcessStartKey | — |
ClientProcessId | — |
ParentProcessId | — |
RpcCallClientLocality | — |
FQDN | — |
References
Event ID 4701 — A scheduled task was disabled.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Task_Name | [Task Information] Task Name. |
Task_Content | [Task Information] Task Content. |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
TaskName | — |
TaskContent | — |
ClientProcessStartKey | — |
ClientProcessId | — |
ParentProcessId | — |
RpcCallClientLocality | — |
FQDN | — |
Sigma Rules
- Important Scheduled Task Deleted/Disabled
Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data-destructive activities.
References
Event ID 4702 — A scheduled task was updated.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Task_Name | [Task Information] Task Name. |
Task_New_Content | [Task Information] Task New Content. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4702
version: 0
level: 0
task: 12804
opcode: 0
keywords: 9232379236109516800
time_created: '2019-03-25T11:22:45.080609Z'
event_record_id: 198238563
correlation: {}
execution:
process_id: 444
thread_id: 2260
channel: Security
computer: DC1.insecurebank.local
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-20
SubjectUserName: DC1$
SubjectDomainName: insecurebank
SubjectLogonId: '0x3e4'
TaskName: \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask
TaskContentNew: "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.4\"
xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n
\ <Source>$(@%systemroot%\\system32\\sppc.dll,-200)</Source>\r\n <Author>$(@%systemroot%\\system32\\sppc.dll,-200)</Author>\r\n
\ <Version>1.0</Version>\r\n <Description>$(@%systemroot%\\system32\\sppc.dll,-201)</Description>\r\n
\ <URI>\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask</URI>\r\n
\ <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor>\r\n
\ </RegistrationInfo>\r\n <Triggers>\r\n <CalendarTrigger>\r\n <StartBoundary>2019-03-26T11:21:44Z</StartBoundary>\r\n
\ <Enabled>true</Enabled>\r\n <ScheduleByDay>\r\n <DaysInterval>1</DaysInterval>\r\n
\ </ScheduleByDay>\r\n </CalendarTrigger>\r\n </Triggers>\r\n <Principals>\r\n
\ <Principal id=\"NetworkService\">\r\n <UserId>S-1-5-20</UserId>\r\n <RunLevel>LeastPrivilege</RunLevel>\r\n
\ </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n
\ <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n
\ <AllowHardTerminate>false</AllowHardTerminate>\r\n <StartWhenAvailable>true</StartWhenAvailable>\r\n
\ <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n
\ <StopOnIdleEnd>true</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n
\ </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n
\ <Hidden>true</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>\r\n
\ <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\r\n <WakeToRun>false</WakeToRun>\r\n
\ <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>7</Priority>\r\n
\ <RestartOnFailure>\r\n <Interval>PT1M</Interval>\r\n <Count>3</Count>\r\n
\ </RestartOnFailure>\r\n </Settings>\r\n <Actions Context=\"NetworkService\">\r\n
\ <ComHandler>\r\n <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>\r\n
\ <Data><![CDATA[timer]]></Data>\r\n </ComHandler>\r\n </Actions>\r\n</Task>"
Community Notes
May indicate path or trigger edits.
Sigma Rules
- Suspicious Scheduled Task Update
Detects an update to a scheduled task event that contains suspicious keywords.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4702
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4703 — A user right was adjusted.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
TargetUserSid | [Target Account] Security ID. |
TargetUserName | [Target Account] Account Name. |
TargetDomainName | [Target Account] Account Domain. |
TargetLogonId | [Target Account] Logon ID. |
ProcessName | [Process Information] Process Name. |
ProcessId | [Process Information] Process ID. |
EnabledPrivilegeList | Enabled Privileges |
DisabledPrivilegeList | Disabled Privileges |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4703
version: 0
level: 0
task: 13317
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T02:04:44.861115+00:00'
event_record_id: 315382
correlation: {}
execution:
process_id: 4
thread_id: 9496
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
TargetUserSid: S-1-5-18
TargetUserName: WINDEV2310EVAL$
TargetDomainName: WORKGROUP
TargetLogonId: '0x3e7'
ProcessName: C:\Windows\System32\svchost.exe
ProcessId: '0xd0c'
EnabledPrivilegeList: "SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeIncreaseQuotaPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeSystemtimePrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeShutdownPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeUndockPrivilege\r\n\t\t\tSeManageVolumePrivilege"
DisabledPrivilegeList: '-'
message: ''
Community Notes
Generated when token privileges are changed (tracks rights like SeDebugPrivilege, SeLoadDriverPrivilege).
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4703
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4704 — A user right was assigned.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
TargetSid | [Target Account] Account Name. |
PrivilegeList | [New Right] User Right. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4704
version: 0
level: 0
task: 13570
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-05T23:16:25.782413+00:00'
event_record_id: 71899
correlation:
ActivityID: E4DB489E-1037-0001-0C49-DBE43710DA01
execution:
process_id: 808
thread_id: 844
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
TargetSid: S-1-5-83-0
PrivilegeList: SeCreateSymbolicLinkPrivilege
message: ''
Community Notes
Tracks changes to token privileges.
Sigma Rules
- Enabled User Right in AD to Control User Objects
Detects the scenario where a user is assigned the SeEnableDelegationPrivilege right in Active Directory, which would allow control of other AD user objects.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4704
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4704
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4705 — A user right was removed.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Account_Name | [Target Account] Account Name. |
User_Right | [Removed Right] User Right. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4705
version: 0
level: 0
task: 13570
opcode: 0
keywords: 9232379236109516800
time_created: '2020-07-12T20:23:39.973927Z'
event_record_id: 1239002
correlation: {}
execution:
process_id: 464
thread_id: 2980
channel: Security
computer: fs02.offsec.lan
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111
SubjectUserName: admmig
SubjectDomainName: OFFSEC
SubjectLogonId: '0x202dac8'
TargetSid: S-1-5-21-4230534742-2542757381-3142984815-1158
PrivilegeList: SeCreateTokenPrivilege
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4705
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4705
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4706 — A new trust was created to a domain.
Message
Fields
| Name | Description |
|---|---|
Domain_Name | [Trusted Domain] Domain Name. |
Domain_ID | [Trusted Domain] Domain ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Trust_Type | [Trust Information] Trust Type. |
Trust_Direction | [Trust Information] Trust Direction. |
Trust_Attributes | [Trust Information] Trust Attributes. |
SID_Filtering | [Trust Information] SID Filtering. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4706
version: 0
level: 0
task: 13569
opcode: 0
keywords: 9232379236109516800
time_created: '2024-06-22T14:02:41.639162Z'
event_record_id: 3175612
correlation: {}
execution:
process_id: 596
thread_id: 11064
channel: Security
computer: CDCWTRDC01.mypartner.lan
security:
user_id: ''
event_data:
DomainName: rootblue.lan
DomainSid: S-1-5-21-392370121-190461309-2151315433
SubjectUserSid: S-1-5-21-1407145384-2259788832-4099636412-500
SubjectUserName: Administrator
SubjectDomainName: MYPARTNER
SubjectLogonId: '0xffad8559'
TdoType: 2
TdoDirection: 3
TdoAttributes: 8
SidFilteringEnabled: '%%1796'
Sigma Rules
- A New Trust Was Created To A Domain
Addition of domains is rare and should be verified for legitimacy.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4706
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4707 — A trust to a domain was removed.
Message
Fields
| Name | Description |
|---|---|
Domain_Name | [Domain Information] Domain Name. |
Domain_ID | [Domain Information] Domain ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
DomainName | — |
DomainSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
References
Event ID 4709 — The IPsec Policy Agent service was started.
Message
Fields
| Name | Description |
|---|---|
param1 | — |
param2 | — |
param3 | — |
References
Event ID 4710 — The IPsec Policy Agent service was disabled.
Message
Fields
| Name | Description |
|---|---|
param1 | — |
param2 | — |
References
Event ID 4711 — %1
Message
Fields
| Name | Description |
|---|---|
param1 | — |
References
Event ID 4712 — IPsec Policy Agent encountered a potentially serious failure.
Message
Fields
| Name | Description |
|---|---|
param1 | — |
References
Event ID 4713 — Kerberos policy was changed.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
KerberosPolicyChange | — |
References
Event ID 4714 — Data Recovery Agent group policy for Encrypting File System (EFS) has changed.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
EfsPolicyChange | — |
References
Event ID 4715 — The audit policy (SACL) on an object was changed.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Original_Security_Descriptor | [Audit Policy Change] Original Security Descriptor. |
New_Security_Descriptor | [Audit Policy Change] New Security Descriptor. |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
OldSd | — |
NewSd | — |
References
Event ID 4716 — Trusted domain information was modified.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Domain_Name | [Trusted Domain] Domain Name. |
Domain_ID | [Trusted Domain] Domain ID. |
Trust_Type | [New Trust Information] Trust Type. |
Trust_Direction | [New Trust Information] Trust Direction. |
Trust_Attributes | [New Trust Information] Trust Attributes. |
SID_Filtering | [New Trust Information] SID Filtering. |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
DomainName | — |
DomainSid | — |
TdoType | — |
TdoDirection | — |
TdoAttributes | — |
SidFilteringEnabled | — |
References
Event ID 4717 — System security access was granted to an account.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
TargetSid | [Account Modified] Account Name. |
AccessGranted | [Access Granted] Access Right. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4717
version: 0
level: 0
task: 13569
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-05T23:16:25.814727+00:00'
event_record_id: 71900
correlation:
ActivityID: E4DB489E-1037-0001-0C49-DBE43710DA01
execution:
process_id: 808
thread_id: 844
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
TargetSid: S-1-5-83-0
AccessGranted: SeServiceLogonRight
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4717
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4717
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4718 — System security access was removed from an account.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
TargetSid | [Account Modified] Account Name. |
AccessRemoved | [Access Removed] Access Right. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4718
version: 0
level: 0
task: 13569
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-07T16:44:47.045997+00:00'
event_record_id: 89
correlation:
ActivityID: C1DC836A-4A9E-0000-8485-DCC19E4AD801
execution:
process_id: 648
thread_id: 700
channel: Security
computer: WIN-FPV0DSIC9O6
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: MINWINPC$
SubjectDomainName: ''
SubjectLogonId: '0x3e7'
TargetSid: S-1-5-90-0
AccessRemoved: SeInteractiveLogonRight
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4718
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4718
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4719 — System audit policy was changed.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
CategoryId | [Audit Policy Change] Category. |
SubcategoryId | [Audit Policy Change] Subcategory. |
SubcategoryGuid | [Audit Policy Change] Subcategory GUID. |
AuditPolicyChanges | [Audit Policy Change] Changes. |
ClientProcessId | — |
ClientProcessStartKey | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4719
version: 1
level: 0
task: 13568
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-05T23:49:58.098445+00:00'
event_record_id: 112372
correlation:
ActivityID: E4DB489E-1037-0001-0C49-DBE43710DA01
execution:
process_id: 808
thread_id: 8228
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
CategoryId: '%%8279'
SubcategoryId: '%%14080'
SubcategoryGuid: 0CCE923B-69AE-11D9-BED3-505054503030
AuditPolicyChanges: '%%8449, %%8451'
ClientProcessId: 8540
ClientProcessStartKey: 3659174697239635
message: ''
Community Notes
System audit policy changed. Attackers often disable auditing to reduce detection.
Sigma Rules
- Windows Event Auditing Disabled
Detects scenarios where system auditing (i.e. Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one-off specific GPO modifications; however, it is recommended to perform these modifications in Active Directory anyway.
- Important Windows Event Auditing Disabled
Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4719
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4720 — A user account was created.
Message
Fields
| Name | Description |
|---|---|
TargetUserName | [New Account] Account Name. |
TargetDomainName | [New Account] Account Domain. |
TargetSid | [New Account] Security ID. |
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
PrivilegeList | — |
SamAccountName | [Attributes] SAM Account Name. |
DisplayName | [Attributes] Display Name. |
UserPrincipalName | [Attributes] User Principal Name. |
HomeDirectory | [Attributes] Home Directory. |
HomePath | [Attributes] Home Drive. |
ScriptPath | [Attributes] Script Path. |
ProfilePath | [Attributes] Profile Path. |
UserWorkstations | [Attributes] User Workstations. |
PasswordLastSet | [Attributes] Password Last Set. |
AccountExpires | [Attributes] Account Expires. |
PrimaryGroupId | [Attributes] Primary Group ID. |
AllowedToDelegateTo | [Attributes] Allowed To Delegate To. |
OldUacValue | [Attributes] Old UAC Value. |
NewUacValue | [Attributes] New UAC Value. |
UserAccountControl | [Attributes] User Account Control. |
UserParameters | [Attributes] User Parameters. |
SidHistory | [Attributes] SID History. |
LogonHours | [Attributes] Logon Hours. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4720
version: 0
level: 0
task: 13824
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:34.963101+00:00'
event_record_id: 2779
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 896
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
TargetUserName: User
TargetDomainName: WINDEV2310EVAL
TargetSid: S-1-5-21-1992711665-1655669231-58201500-1000
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
PrivilegeList: '-'
SamAccountName: User
DisplayName: '%%1793'
UserPrincipalName: '-'
HomeDirectory: '%%1793'
HomePath: '%%1793'
ScriptPath: '%%1793'
ProfilePath: '%%1793'
UserWorkstations: '%%1793'
PasswordLastSet: '%%1794'
AccountExpires: '%%1794'
PrimaryGroupId: '513'
AllowedToDelegateTo: '-'
OldUacValue: '0x0'
NewUacValue: '0x15'
UserAccountControl: "\r\n\t\t%%2080\r\n\t\t%%2082\r\n\t\t%%2084"
UserParameters: '%%1793'
SidHistory: '-'
LogonHours: '%%1797'
message: ''
Sigma Rules
- Hidden Local User Creation
Detects the creation of a local hidden user account, which should not happen for event ID 4720.
- New or Renamed User Account with '$' Character
Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
- Suspicious Windows ANONYMOUS LOGON Local Account Created
Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for the exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
- Local User Creation
Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma use case to your Windows server logs and not to your DC logs.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4722 — A user account was enabled.
Message
Fields
| Name | Description |
|---|---|
TargetUserName | [Target Account] Account Name. |
TargetDomainName | [Target Account] Account Domain. |
TargetSid | [Target Account] Security ID. |
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4722
version: 0
level: 0
task: 13824
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:34.966226+00:00'
event_record_id: 2780
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 896
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
TargetUserName: User
TargetDomainName: WINDEV2310EVAL
TargetSid: S-1-5-21-1992711665-1655669231-58201500-1000
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4722
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4723 — An attempt was made to change an account's password.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Target Account] Account Name. |
Account_Domain | [Target Account] Account Domain. |
Security_ID | [Target Account] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4723
version: 0
level: 0
task: 13824
opcode: 0
keywords: 9227875636482146304
time_created: '2021-12-04T22:47:47.872773Z'
event_record_id: 233289145
correlation:
'#attributes':
ActivityID: D96638DA-E4F9-0001-F038-66D9F9E4D701
execution:
process_id: 596
thread_id: 3492
channel: Security
computer: rootdc1.offsec.lan
security:
user_id: ''
event_data:
TargetUserName: hacker2
TargetDomainName: OFFSEC
TargetSid: S-1-5-21-4230534742-2542757381-3142984815-1242
SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111
SubjectUserName: admmig
SubjectDomainName: OFFSEC
SubjectLogonId: '0x10e7c4430'
PrivilegeList: '-'
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4723
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4723
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4724 — An attempt was made to reset an account's password.
Message
Fields
| Name | Description |
|---|---|
TargetUserName | [Target Account] Account Name. |
TargetDomainName | [Target Account] Account Domain. |
TargetSid | [Target Account] Security ID. |
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4724
version: 0
level: 0
task: 13824
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:35.054380+00:00'
event_record_id: 2787
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 896
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
TargetUserName: User
TargetDomainName: WINDEV2310EVAL
TargetSid: S-1-5-21-1992711665-1655669231-58201500-1000
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4724
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4725 — A user account was disabled.
Message
Fields
| Name | Description |
|---|---|
TargetUserName | [Target Account] Account Name. |
TargetDomainName | [Target Account] Account Domain. |
TargetSid | [Target Account] Security ID. |
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4725
version: 0
level: 0
task: 13824
opcode: 0
keywords: 9232379236109516800
time_created: '2023-10-25T22:53:19.612560+00:00'
event_record_id: 2634
correlation:
ActivityID: D5BBEBF4-0795-0001-A8EC-BBD59507DA01
execution:
process_id: 824
thread_id: 880
channel: Security
computer: WinDevEval
security:
user_id: ''
event_data:
TargetUserName: Administrator
TargetDomainName: WINDEVEVAL
TargetSid: S-1-5-21-2533829718-189860685-2477588761-500
SubjectUserSid: S-1-5-21-2533829718-189860685-2477588761-500
SubjectUserName: Administrator
SubjectDomainName: WINDEVEVAL
SubjectLogonId: '0x42eea'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4725
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4725
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4726 — A user account was deleted.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Target Account] Account Name. |
Account_Domain | [Target Account] Account Domain. |
Security_ID | [Target Account] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4726
version: 0
level: 0
task: 13824
opcode: 0
keywords: 9232379236109516800
time_created: '2022-01-24T17:03:25.009874Z'
event_record_id: 1934526
correlation: {}
execution:
process_id: 480
thread_id: 1496
channel: Security
computer: fs03vuln.offsec.lan
security:
user_id: ''
event_data:
TargetUserName: 3teamssixf$
TargetDomainName: FS03VULN
TargetSid: S-1-5-21-2721507831-1374043488-2540227515-1008
SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111
SubjectUserName: admmig
SubjectDomainName: OFFSEC
SubjectLogonId: '0x14f509e2'
PrivilegeList: '-'
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4726
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4727 — A security-enabled global group was created.
Message
Fields
| Name | Description |
|---|---|
TargetUserName | [New Group] Group Name. |
TargetDomainName | [New Group] Group Domain. |
TargetSid | [New Group] Security ID. |
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
PrivilegeList | [Additional Information] Privileges. |
SamAccountName | [Attributes] SAM Account Name. |
SidHistory | [Attributes] SID History. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4727
version: 0
level: 0
task: 13826
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-07T16:44:41.241410+00:00'
event_record_id: 51
correlation:
ActivityID: C1DC836A-4A9E-0000-8485-DCC19E4AD801
execution:
process_id: 648
thread_id: 652
channel: Security
computer: WIN-FPV0DSIC9O6
security:
user_id: ''
event_data:
TargetUserName: Storage Replica Administrators
TargetDomainName: Builtin
TargetSid: S-1-5-32-582
SubjectUserSid: S-1-5-18
SubjectUserName: MINWINPC$
SubjectDomainName: ''
SubjectLogonId: '0x3e7'
PrivilegeList: '-'
SamAccountName: Storage Replica Administrators
SidHistory: '-'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4727
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4727
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4728 — A member was added to a security-enabled global group.
Message
Fields
| Name | Description |
|---|---|
MemberName | [Member] Account Name. |
MemberSid | [Member] Security ID. |
TargetUserName | [Group] Group Name. |
TargetDomainName | [Group] Group Domain. |
TargetSid | [Group] Security ID. |
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
PrivilegeList | [Additional Information] Privileges. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4728
version: 0
level: 0
task: 13826
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:34.961043+00:00'
event_record_id: 2778
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 896
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
MemberName: '-'
MemberSid: S-1-5-21-1992711665-1655669231-58201500-1000
TargetUserName: None
TargetDomainName: WINDEV2310EVAL
TargetSid: S-1-5-21-1992711665-1655669231-58201500-513
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
PrivilegeList: '-'
message: ''
Community Notes
Member added to security-enabled global group. May indicate domain-level privilege escalation, i.e. membership in Domain Admins.
Sigma Rules
- A Member Was Added to a Security-Enabled Global Group
Detects activity when a member is added to a security-enabled global group
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4728
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4729 — A member was removed from a security-enabled global group.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Member] Account Name. |
Security_ID | [Member] Security ID. |
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4729
version: 0
level: 0
task: 13826
opcode: 0
keywords: 9232379236109516800
time_created: '2022-01-24T17:03:25.009874Z'
event_record_id: 1934525
correlation: {}
execution:
process_id: 480
thread_id: 1496
channel: Security
computer: fs03vuln.offsec.lan
security:
user_id: ''
event_data:
MemberName: '-'
MemberSid: S-1-5-21-2721507831-1374043488-2540227515-1008
TargetUserName: None
TargetDomainName: FS03VULN
TargetSid: S-1-5-21-2721507831-1374043488-2540227515-513
SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111
SubjectUserName: admmig
SubjectDomainName: OFFSEC
SubjectLogonId: '0x14f509e2'
PrivilegeList: '-'
Community Notes
A member was removed from a security-enabled global group; this may be an effort to slow IR or to clean up after escalation. A security-enabled local group change indicates changes to local Administrators or Remote Desktop Users.
Sigma Rules
- A Member Was Removed From a Security-Enabled Global Group
Detects activity when a member is removed from a security-enabled global group
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4729
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4729
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4730 — A security-enabled global group was deleted.
Message
Fields
| Name | Description |
|---|---|
Group_Name | [Deleted Group] Group Name. |
Group_Domain | [Deleted Group] Group Domain. |
Security_ID | [Deleted Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
Sigma Rules
- A Security-Enabled Global Group Was Deleted
Detects activity when a security-enabled global group is deleted
References
Event ID 4731 — A security-enabled local group was created.
Message
Fields
| Name | Description |
|---|---|
TargetUserName | [New Group] Group Name. |
TargetDomainName | [New Group] Group Domain. |
TargetSid | [New Group] Security ID. |
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
PrivilegeList | [Additional Information] Privileges. |
SamAccountName | [Attributes] SAM Account Name. |
SidHistory | [Attributes] SID History. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4731
version: 0
level: 0
task: 13826
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-07T16:44:41.241162+00:00'
event_record_id: 49
correlation:
ActivityID: C1DC836A-4A9E-0000-8485-DCC19E4AD801
execution:
process_id: 648
thread_id: 652
channel: Security
computer: WIN-FPV0DSIC9O6
security:
user_id: ''
event_data:
TargetUserName: Remote Management Users
TargetDomainName: Builtin
TargetSid: S-1-5-32-580
SubjectUserSid: S-1-5-18
SubjectUserName: MINWINPC$
SubjectDomainName: ''
SubjectLogonId: '0x3e7'
PrivilegeList: '-'
SamAccountName: Remote Management Users
SidHistory: '-'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4731
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4731
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4732 — A member was added to a security-enabled local group.
Message
Fields
| Name | Description |
|---|---|
MemberName | [Member] Account Name. |
MemberSid | [Member] Security ID. |
TargetUserName | [Group] Group Name. |
TargetDomainName | [Group] Group Domain. |
TargetSid | [Group] Security ID. |
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
PrivilegeList | [Additional Information] Privileges. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4732
version: 0
level: 0
task: 13826
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:35.063652+00:00'
event_record_id: 2788
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 896
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
MemberName: '-'
MemberSid: S-1-5-21-1992711665-1655669231-58201500-1000
TargetUserName: Administrators
TargetDomainName: Builtin
TargetSid: S-1-5-32-544
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
PrivilegeList: '-'
message: ''
Sigma Rules
- User Added to Local Administrator Group
Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4733 — A member was removed from a security-enabled local group.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Member] Account Name. |
Security_ID | [Member] Security ID. |
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4733
version: 0
level: 0
task: 13826
opcode: 0
keywords: 9232379236109516800
time_created: '2013-10-23T16:22:40.036000Z'
event_record_id: 117
correlation: {}
execution:
process_id: 508
thread_id: 1032
channel: Security
computer: IE8Win7
security:
user_id: ''
event_data:
MemberName: '-'
MemberSid: S-1-5-21-3463664321-2923530833-3546627382-1000
TargetUserName: Users
TargetDomainName: Builtin
TargetSid: S-1-5-32-545
SubjectUserSid: S-1-5-18
SubjectUserName: WIN-QALA5Q3KJ43$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
PrivilegeList: '-'
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4733
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4733
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4734 — A security-enabled local group was deleted.
Message
Fields
| Name | Description |
|---|---|
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
References
Event ID 4735 — A security-enabled local group was changed.
Message
Fields
| Name | Description |
|---|---|
TargetUserName | [Group] Group Name. |
TargetDomainName | [Group] Group Domain. |
TargetSid | [Group] Security ID. |
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
PrivilegeList | [Additional Information] Privileges. |
SamAccountName | [Changed Attributes] SAM Account Name. |
SidHistory | [Changed Attributes] SID History. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4735
version: 0
level: 0
task: 13826
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:37.334332+00:00'
event_record_id: 2847
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 856
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
TargetUserName: Device Owners
TargetDomainName: Builtin
TargetSid: S-1-5-32-583
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
PrivilegeList: '-'
SamAccountName: Device Owners
SidHistory: '-'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4735
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4735
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4737 — A security-enabled global group was changed.
Message
Fields
| Name | Description |
|---|---|
TargetUserName | [Group] Group Name. |
TargetDomainName | [Group] Group Domain. |
TargetSid | [Group] Security ID. |
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
PrivilegeList | [Additional Information] Privileges. |
SamAccountName | [Changed Attributes] SAM Account Name. |
SidHistory | [Changed Attributes] SID History. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4737
version: 0
level: 0
task: 13826
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:37.340456+00:00'
event_record_id: 2858
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 856
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
TargetUserName: None
TargetDomainName: WINDEV2310EVAL
TargetSid: S-1-5-21-1992711665-1655669231-58201500-513
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
PrivilegeList: '-'
SamAccountName: None
SidHistory: '-'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4737
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4737
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4738 — A user account was changed.
Message
Fields
| Name | Description |
|---|---|
Dummy | — |
TargetUserName | [Target Account] Account Name. |
TargetDomainName | [Target Account] Account Domain. |
TargetSid | [Target Account] Security ID. |
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
PrivilegeList | [Additional Information] Privileges. |
SamAccountName | [Changed Attributes] SAM Account Name. |
DisplayName | [Changed Attributes] Display Name. |
UserPrincipalName | [Changed Attributes] User Principal Name. |
HomeDirectory | [Changed Attributes] Home Directory. |
HomePath | [Changed Attributes] Home Drive. |
ScriptPath | [Changed Attributes] Script Path. |
ProfilePath | [Changed Attributes] Profile Path. |
UserWorkstations | [Changed Attributes] User Workstations. |
PasswordLastSet | [Changed Attributes] Password Last Set. |
AccountExpires | [Changed Attributes] Account Expires. |
PrimaryGroupId | [Changed Attributes] Primary Group ID. |
AllowedToDelegateTo | [Changed Attributes] AllowedToDelegateTo. |
OldUacValue | [Changed Attributes] Old UAC Value. |
NewUacValue | [Changed Attributes] New UAC Value. |
UserAccountControl | [Changed Attributes] User Account Control. |
UserParameters | [Changed Attributes] User Parameters. |
SidHistory | [Changed Attributes] SID History. |
LogonHours | [Changed Attributes] Logon Hours. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4738
version: 0
level: 0
task: 13824
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:37.339747+00:00'
event_record_id: 2855
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 856
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
Dummy: '-'
TargetUserName: WDAGUtilityAccount
TargetDomainName: WINDEV2310EVAL
TargetSid: S-1-5-21-1992711665-1655669231-58201500-504
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
PrivilegeList: '-'
SamAccountName: WDAGUtilityAccount
DisplayName: '%%1793'
UserPrincipalName: '-'
HomeDirectory: '%%1793'
HomePath: '%%1793'
ScriptPath: '%%1793'
ProfilePath: '%%1793'
UserWorkstations: '%%1793'
PasswordLastSet: 10/25/2023 8:16:53 PM
AccountExpires: '%%1794'
PrimaryGroupId: '513'
AllowedToDelegateTo: '-'
OldUacValue: '0x11'
NewUacValue: '0x11'
UserAccountControl: '-'
UserParameters: '%%1793'
SidHistory: '-'
LogonHours: '%%1797'
message: ''
Community Notes
User account changed; may capture priv-esc, password changes, or UAC flag changes.
Sigma Rules
- Active Directory User Backdoors
Detects scenarios where one can control another user's or computer's account without having to use their credentials.
- Weak Encryption Enabled and Kerberoast
Detects a scenario where weak encryption is enabled for a user profile, which could be used for hash/password cracking.
- Addition of SID History to Active Directory Object
An attacker can use the SID history attribute to gain additional privileges.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4738
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4739 — Domain Policy was changed.
Message
Fields
| Name | Description |
|---|---|
DomainPolicyChanged | Change Type. |
DomainName | [Domain] Domain Name. |
DomainSid | [Domain] Domain ID. |
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
PrivilegeList | [Additional Information] Privileges. |
MinPasswordAge | [Changed Attributes] Min. Password Age. |
MaxPasswordAge | [Changed Attributes] Max. Password Age. |
ForceLogoff | [Changed Attributes] Force Logoff. |
LockoutThreshold | [Changed Attributes] Lockout Threshold. |
LockoutObservationWindow | [Changed Attributes] Lockout Observation Window. |
LockoutDuration | [Changed Attributes] Lockout Duration. |
PasswordProperties | [Changed Attributes] Password Properties. |
MinPasswordLength | [Changed Attributes] Min. Password Length. |
PasswordHistoryLength | [Changed Attributes] Password History Length. |
MachineAccountQuota | [Changed Attributes] Machine Account Quota. |
MixedDomainMode | [Changed Attributes] Mixed Domain Mode. |
DomainBehaviorVersion | [Changed Attributes] Domain Behavior Version. |
OemInformation | [Changed Attributes] OEM Information. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4739
version: 0
level: 0
task: 13569
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:34.991613+00:00'
event_record_id: 2783
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 896
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
DomainPolicyChanged: Password Policy
DomainName: WINDEV2310EVAL
DomainSid: S-1-5-21-1992711665-1655669231-58201500
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
PrivilegeList: '-'
MinPasswordAge: ퟏ~
MaxPasswordAge: ퟏ~
ForceLogoff: '-'
LockoutThreshold: '-'
LockoutObservationWindow: '-'
LockoutDuration: '-'
PasswordProperties: '8'
MinPasswordLength: '0'
PasswordHistoryLength: '0'
MachineAccountQuota: '-'
MixedDomainMode: '-'
DomainBehaviorVersion: '-'
OemInformation: '-'
message: ''
Community Notes
Attackers with Domain Admin may weaken password/lockout requirements to speed credential attacks. May precede password spraying or Kerberos ticket forgery. Pair with 4768 and 4771. Also a prelude to DCShadow or other directory-level attacks.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4739
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4739
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4740 — A user account was locked out.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Account That Was Locked Out] Account Name. |
Caller_Computer_Name | [Additional Information] Caller Computer Name. |
Security_ID | [Account That Was Locked Out] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Community Notes
Pair with 4625 and related IPs during investigation. Review Caller_Computer_Name.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4740
Event ID 4741 — A computer account was created.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [New Computer Account] Account Name. |
Account_Domain | [New Computer Account] Account Domain. |
Security_ID | [New Computer Account] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
SAM_Account_Name | [Attributes] SAM Account Name. |
Display_Name | [Attributes] Display Name. |
User_Principal_Name | [Attributes] User Principal Name. |
Home_Directory | [Attributes] Home Directory. |
Home_Drive | [Attributes] Home Drive. |
Script_Path | [Attributes] Script Path. |
Profile_Path | [Attributes] Profile Path. |
User_Workstations | [Attributes] User Workstations. |
Password_Last_Set | [Attributes] Password Last Set. |
Account_Expires | [Attributes] Account Expires. |
Primary_Group_ID | [Attributes] Primary Group ID. |
AllowedToDelegateTo | [Attributes] AllowedToDelegateTo. |
Old_UAC_Value | [Attributes] Old UAC Value. |
New_UAC_Value | [Attributes] New UAC Value. |
User_Account_Control | [Attributes] User Account Control. |
User_Parameters | [Attributes] User Parameters. |
SID_History | [Attributes] SID History. |
Logon_Hours | [Attributes] Logon Hours. |
DNS_Host_Name | [Attributes] DNS Host Name. |
Service_Principal_Names | [Attributes] Service Principal Names. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4741
version: 0
level: 0
task: 13825
opcode: 0
keywords: 9232379236109516800
time_created: '2021-12-12T17:57:52.313673Z'
event_record_id: 2982085
correlation: {}
execution:
process_id: 624
thread_id: 3652
channel: Security
computer: 01566s-win16-ir.threebeesco.com
security:
user_id: ''
event_data:
TargetUserName: DC012$
TargetDomainName: 3B
TargetSid: S-1-5-21-308926384-506822093-3341789130-220105
SubjectUserSid: S-1-5-21-308926384-506822093-3341789130-101606
SubjectUserName: lgrove
SubjectDomainName: 3B
SubjectLogonId: '0x738ae4'
PrivilegeList: '-'
SamAccountName: DC012$
DisplayName: '-'
UserPrincipalName: '-'
HomeDirectory: '-'
HomePath: '-'
ScriptPath: '-'
ProfilePath: '-'
UserWorkstations: '-'
PasswordLastSet: 12/12/2021 9:57:52 AM
AccountExpires: '%%1794'
PrimaryGroupId: '515'
AllowedToDelegateTo: '-'
OldUacValue: '0x0'
NewUacValue: '0x80'
UserAccountControl: "\r\n\t\t%%2087"
UserParameters: '-'
SidHistory: '-'
LogonHours: '%%1793'
DnsHostName: DC012.threebeesco.com
ServicePrincipalNames: "\r\n\t\tHOST/DC012.threebeesco.com\r\n\t\tRestrictedKrbHost/DC012.threebeesco.com\r\n\t\tHOST/DC012\r\n\t\tRestrictedKrbHost/DC012"
Community Notes
May alert on golden ticket style attacks.
Sigma Rules
- Add or Remove Computer from DC
Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4741
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4742 — A computer account was changed.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Computer Account That Was Changed] Account Name. |
Account_Domain | [Computer Account That Was Changed] Account Domain. |
Security_ID | [Computer Account That Was Changed] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
SAM_Account_Name | [Changed Attributes] SAM Account Name. |
Display_Name | [Changed Attributes] Display Name. |
User_Principal_Name | [Changed Attributes] User Principal Name. |
Home_Directory | [Changed Attributes] Home Directory. |
Home_Drive | [Changed Attributes] Home Drive. |
Script_Path | [Changed Attributes] Script Path. |
Profile_Path | [Changed Attributes] Profile Path. |
User_Workstations | [Changed Attributes] User Workstations. |
Password_Last_Set | [Changed Attributes] Password Last Set. |
Account_Expires | [Changed Attributes] Account Expires. |
Primary_Group_ID | [Changed Attributes] Primary Group ID. |
AllowedToDelegateTo | [Changed Attributes] AllowedToDelegateTo. |
Old_UAC_Value | [Changed Attributes] Old UAC Value. |
New_UAC_Value | [Changed Attributes] New UAC Value. |
User_Account_Control | [Changed Attributes] User Account Control. |
User_Parameters | [Changed Attributes] User Parameters. |
SID_History | [Changed Attributes] SID History. |
Logon_Hours | [Changed Attributes] Logon Hours. |
DNS_Host_Name | [Changed Attributes] DNS Host Name. |
Service_Principal_Names | [Changed Attributes] Service Principal Names. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4742
version: 0
level: 0
task: 13825
opcode: 0
keywords: 9232379236109516800
time_created: '2019-03-25T13:01:41.935605Z'
event_record_id: 198239294
correlation: {}
execution:
process_id: 444
thread_id: 3948
channel: Security
computer: DC1.insecurebank.local
security:
user_id: ''
event_data:
ComputerAccountChange: '-'
TargetUserName: ALICE$
TargetDomainName: insecurebank
TargetSid: S-1-5-21-738609754-2819869699-4189121830-1120
SubjectUserSid: S-1-5-21-738609754-2819869699-4189121830-1108
SubjectUserName: bob
SubjectDomainName: insecurebank
SubjectLogonId: '0x3d8e8db'
PrivilegeList: '-'
SamAccountName: '-'
DisplayName: '-'
UserPrincipalName: '-'
HomeDirectory: '-'
HomePath: '-'
ScriptPath: '-'
ProfilePath: '-'
UserWorkstations: '-'
PasswordLastSet: '-'
AccountExpires: '-'
PrimaryGroupId: '-'
AllowedToDelegateTo: '-'
OldUacValue: '-'
NewUacValue: '-'
UserAccountControl: '-'
UserParameters: '-'
SidHistory: '-'
LogonHours: '-'
DnsHostName: '-'
ServicePrincipalNames: '-'
Sigma Rules
- Possible DC Shadow Attack
Detects DCShadow via create new SPN
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4742
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4742
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4743 — A computer account was deleted.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Target Computer] Account Name. |
Account_Domain | [Target Computer] Account Domain. |
Security_ID | [Target Computer] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4743
version: 0
level: 0
task: 13825
opcode: 0
keywords: 9232379236109516800
time_created: '2020-07-12T19:36:44.227880Z'
event_record_id: 16334944
correlation: {}
execution:
process_id: 528
thread_id: 3156
channel: Security
computer: rootdc1.offsec.lan
security:
user_id: ''
event_data:
TargetUserName: HIDDEN-PC$
TargetDomainName: OFFSEC
TargetSid: S-1-5-21-4230534742-2542757381-3142984815-1167
SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1158
SubjectUserName: lambda-user
SubjectDomainName: OFFSEC
SubjectLogonId: '0x87e482b'
PrivilegeList: '-'
Sigma Rules
- Add or Remove Computer from DC
Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4743
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4744 — A security-disabled local group was created.
Message
Fields
| Name | Description |
|---|---|
Group_Name | [New Group] Group Name. |
Group_Domain | [New Group] Group Domain. |
Security_ID | [New Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
SAM_Account_Name | [Attributes] SAM Account Name. |
SID_History | [Attributes] SID History. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
SamAccountName | — |
SidHistory | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4744
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4744
Event ID 4745 — A security-disabled local group was changed.
Message
Fields
| Name | Description |
|---|---|
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
SAM_Account_Name | [Changed Attributes] SAM Account Name. |
SID_History | [Changed Attributes] SID History. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
SamAccountName | — |
SidHistory | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4745
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4745
Event ID 4746 — A member was added to a security-disabled local group.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Member] Account Name. |
Security_ID | [Member] Security ID. |
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
MemberName | — |
MemberSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
MembershipExpirationTime | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4746
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4746
Event ID 4747 — A member was removed from a security-disabled local group.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Member] Account Name. |
Security_ID | [Member] Security ID. |
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
MemberName | — |
MemberSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4747
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4747
Event ID 4748 — A security-disabled local group was deleted.
Message
Fields
| Name | Description |
|---|---|
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4748
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4748
Event ID 4749 — A security-disabled global group was created.
Message
Fields
| Name | Description |
|---|---|
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
SAM_Account_Name | [Attributes] SAM Account Name. |
SID_History | [Attributes] SID History. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
SamAccountName | — |
SidHistory | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4749
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4749
Event ID 4750 — A security-disabled global group was changed.
Message
Fields
| Name | Description |
|---|---|
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
SAM_Account_Name | [Changed Attributes] SAM Account Name. |
SID_History | [Changed Attributes] SID History. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
SamAccountName | — |
SidHistory | — |
References
Event ID 4751 — A member was added to a security-disabled global group.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Member] Account Name. |
Security_ID | [Member] Security ID. |
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
MemberName | — |
MemberSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
MembershipExpirationTime | — |
References
Event ID 4752 — A member was removed from a security-disabled global group.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Member] Account Name. |
Security_ID | [Member] Security ID. |
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
MemberName | — |
MemberSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
References
Event ID 4753 — A security-disabled global group was deleted.
Message
Fields
| Name | Description |
|---|---|
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
References
Event ID 4754 — A security-enabled universal group was created.
Message
Fields
| Name | Description |
|---|---|
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
SAM_Account_Name | [Attributes] SAM Account Name. |
SID_History | [Attributes] SID History. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
SamAccountName | — |
SidHistory | — |
References
Event ID 4755 — A security-enabled universal group was changed.
Message
Fields
| Name | Description |
|---|---|
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
SAM_Account_Name | [Changed Attributes] SAM Account Name. |
SID_History | [Changed Attributes] SID History. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
SamAccountName | — |
SidHistory | — |
References
Event ID 4756 — A member was added to a security-enabled universal group.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Member] Account Name. |
Security_ID | [Member] Security ID. |
Account_Name | [Group] Account Name. |
Account_Domain | [Group] Account Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4756
version: 0
level: 0
task: 13826
opcode: 0
keywords: 9232379236109516800
time_created: '2020-07-12T06:01:13.765572Z'
event_record_id: 16088267
correlation: {}
execution:
process_id: 528
thread_id: 3156
channel: Security
computer: rootdc1.offsec.lan
security:
user_id: ''
event_data:
MemberName: CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan
MemberSid: S-1-5-21-4230534742-2542757381-3142984815-1159
TargetUserName: Enterprise Admins
TargetDomainName: OFFSEC
TargetSid: S-1-5-21-4230534742-2542757381-3142984815-519
SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1158
SubjectUserName: lambda-user
SubjectDomainName: OFFSEC
SubjectLogonId: '0x80e25b9'
PrivilegeList: '-'
Community Notes
May capture cross-domain privilege escalation in a multi-forest trust.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4756
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4756
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4757 — A member was removed from a security-enabled universal group.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Member] Account Name. |
Security_ID | [Member] Security ID. |
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
MemberName | — |
MemberSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
References
Event ID 4758 — A security-enabled universal group was deleted.
Message
Fields
| Name | Description |
|---|---|
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
References
Event ID 4759 — A security-disabled universal group was created.
Message
Fields
| Name | Description |
|---|---|
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
SAM_Account_Name | [Attributes] SAM Account Name. |
SID_History | [Attributes] SID History. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
SamAccountName | — |
SidHistory | — |
References
Event ID 4760 — A security-disabled universal group was changed.
Message
Fields
| Name | Description |
|---|---|
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
SAM_Account_Name | [Changed Attributes] SAM Account Name. |
SID_History | [Changed Attributes] SID History. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
SamAccountName | — |
SidHistory | — |
References
Event ID 4761 — A member was added to a security-disabled universal group.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Member] Account Name. |
Security_ID | [Member] Security ID. |
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
MemberName | — |
MemberSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
MembershipExpirationTime | — |
References
Event ID 4762 — A member was removed from a security-disabled universal group.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Member] Account Name. |
Security_ID | [Member] Security ID. |
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
MemberName | — |
MemberSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
References
Event ID 4763 — A security-disabled universal group was deleted.
Message
Fields
| Name | Description |
|---|---|
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
References
Event ID 4764 — A group’s type was changed.
Message
Fields
| Name | Description |
|---|---|
Change_Type | [Subject] Change Type. |
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
GroupTypeChange | — |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
References
Event ID 4765 — SID History was added to an account.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Source Account] Account Name. |
Security_ID | [Source Account] Security ID. |
Account_Name | [Target Account] Account Name. |
Account_Domain | [Target Account] Account Domain. |
Security_ID | [Target Account] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
SID_List | [Additional Information] SID List. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4765
version: 0
level: 0
task: 13824
opcode: 0
keywords: 9232379236109516800
time_created: '2017-06-12T23:39:43.512986Z'
event_record_id: 8075
correlation: {}
execution:
process_id: 496
thread_id: 1696
channel: Security
computer: 2012r2srv.maincorp.local
security:
user_id: ''
event_data:
SourceUserName: maincorp.local\Domain Admins
SourceSid: S-1-5-21-2634088540-571122920-1382659128-512
TargetUserName: Andrei
TargetDomainName: MAINCORP
TargetSid: S-1-5-21-2634088540-571122920-1382659128-1104
SubjectUserSid: S-1-5-21-2634088540-571122920-1382659128-500
SubjectUserName: Administrator
SubjectDomainName: MAINCORP
SubjectLogonId: '0x432c8'
PrivilegeList: '-'
SidList: '-'
Community Notes
May indicate DCShadow or similar lateral movement attacks.
Sigma Rules
- Addition of SID History to Active Directory Object
An attacker can use the SID history attribute to gain additional privileges.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4765
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4765
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4766 — An attempt to add SID History to an account failed.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Source Account] Account Name. |
Account_Name | [Target Account] Account Name. |
Account_Domain | [Target Account] Account Domain. |
Security_ID | [Target Account] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
SourceUserName | — |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
Community Notes
May indicate DCShadow or similar lateral movement attacks.
Sigma Rules
- Addition of SID History to Active Directory Object
An attacker can use the SID history attribute to gain additional privileges.
References
Event ID 4767 — A user account was unlocked.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Target Account] Account Name. |
Account_Domain | [Target Account] Account Domain. |
Security_ID | [Target Account] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
References
Event ID 4768 — A Kerberos authentication ticket (TGT) was requested.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Account Information] Account Name. |
Supplied_Realm_Name | [Account Information] Supplied Realm Name. |
User_ID | [Account Information] User ID. |
Service_Name | [Service Information] Service Name. |
Service_ID | [Service Information] Service ID. |
Ticket_Options | [Additional Information] Ticket Options. |
Result_Code | [Additional Information] Result Code. |
Ticket_Encryption_Type | [Additional Information] Ticket Encryption Type. |
PreAuthentication_Type | [Additional Information] Pre-Authentication Type. |
Client_Address | [Network Information] Client Address. |
Client_Port | [Network Information] Client Port. |
Certificate_Issuer_Name | [Certificate Information] Certificate Issuer Name. |
Certificate_Serial_Number | [Certificate Information] Certificate Serial Number. |
Certificate_Thumbprint | [Certificate Information] Certificate Thumbprint. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4768
version: 0
level: 0
task: 14339
opcode: 0
keywords: 9227875636482146304
time_created: '2020-07-22T20:29:36.414827Z'
event_record_id: 887107
correlation: {}
execution:
process_id: 568
thread_id: 2476
channel: Security
computer: 01566s-win16-ir.threebeesco.com
security:
user_id: ''
event_data:
TargetUserName: HD01
TargetDomainName: THREEBEESCO.COM
TargetSid: S-1-0-0
ServiceName: krbtgt/THREEBEESCO.COM
ServiceSid: S-1-0-0
TicketOptions: '0x10'
Status: '0x6'
TicketEncryptionType: '0xffffffff'
PreAuthType: '-'
IpAddress: 172.16.66.1
IpPort: '55961'
CertIssuerName: ''
CertSerialNumber: ''
CertThumbprint: ''
Community Notes
Kerberos TGT request (consider Pass-the-Ticket and Golden Ticket attacks). Requests from a non-interactive source prior to 4769 may indicate ticket replay or Pass-the-Ticket staging.
Sigma Rules
- Potential AS-REP Roasting via Kerberos TGT Requests
Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type 0x17, i.e., RC4-HMAC. This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.
- PetitPotam Suspicious Kerberos TGT Request
Detects suspicious Kerberos TGT requests. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning; we recommend filtering Account_Name to the Domain Controller computer accounts.
- Kerberos Manipulation
Detects failed Kerberos TGT issue operations. This can be a sign of manipulation of TGT messages by an attacker.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4769 — A Kerberos service ticket was requested.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Account Information] Account Name. |
Account_Domain | [Account Information] Account Domain. |
Service_Name | [Service Information] Service Name. Indicates the resource to which access was requested. |
Service_ID | [Service Information] Service ID. |
Ticket_Options | [Additional Information] Ticket Options. |
Ticket_Encryption_Type | [Additional Information] Ticket Encryption Type. |
Client_Address | [Network Information] Client Address. |
Client_Port | [Network Information] Client Port. |
Failure_Code | [Additional Information] Failure Code. |
Logon_GUID | [Account Information] Logon GUID. |
Transited_Services | [Additional Information] Transited Services. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4769
version: 0
level: 0
task: 14337
opcode: 0
keywords: 9232379236109516800
time_created: '2021-12-12T17:57:52.277095Z'
event_record_id: 2982083
correlation: {}
execution:
process_id: 624
thread_id: 3652
channel: Security
computer: 01566s-win16-ir.threebeesco.com
security:
user_id: ''
event_data:
TargetUserName: lgrove@THREEBEESCO.COM
TargetDomainName: THREEBEESCO.COM
ServiceName: 01566S-WIN16-IR$
ServiceSid: S-1-5-21-308926384-506822093-3341789130-35103
TicketOptions: '0x40810000'
TicketEncryptionType: '0x12'
IpAddress: ::ffff:172.16.66.19
IpPort: '50612'
Status: '0x0'
LogonGuid: 58ADC6C7-668E-A999-C52A-384B1CB8E553
TransmittedServices: '-'
Community Notes
Tickets for hosts that a user has not previously accessed may indicate Pass-the-Ticket or RDP/WMI pivoting. Confirm that the target server is also the host that is actually contacted, and watch for unusual or weak encryption types such as RC4 (which may indicate S4U2Proxy). Check for movement between services or SPNs, and for unusual service names.
Sigma Rules
- Kerberoasting Activity - Initial Query
This rule will collect the data needed to start looking into possible Kerberoasting activity. Further analysis or computation within the query is needed, focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and the time between the requests to turn this into an alert.
- Kerberos Manipulation
Detects failed Kerberos TGT issue operations. This can be a sign of manipulation of TGT messages by an attacker.
- Suspicious Kerberos RC4 Ticket Encryption
Detects service ticket requests using the RC4 encryption type.
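The 4768 and 4769 rules above can be run over event_data records directly. The following is an added example, not code from this page or from the Sigma project: it applies the AS-REP Roasting check (PreAuthType 0 with RC4, 0x17), the failed-TGT and RC4 service-ticket checks, and the Kerberoasting initial query (one IpAddress requesting several distinct ServiceNames within 5 seconds) to constructed sample events. The alert threshold of three SPNs and the exclusion of computer accounts (trailing `$`) and krbtgt are tuning assumptions of this example, not part of the rules as described.

```python
"""Triage of constructed 4768/4769 event_data records against the Sigma-style
heuristics described on this page. Added example; the sample events below are
constructed (the first 4768 mirrors the page's example event) and the
threshold / SPN filter are assumptions."""
from collections import defaultdict
from datetime import datetime

RC4_HMAC = "0x17"           # TicketEncryptionType value for RC4-HMAC
KERBEROAST_WINDOW_S = 5.0   # time window named by the Kerberoasting initial query
KERBEROAST_MIN_SPNS = 3     # alert threshold: an assumption, the rule leaves it to the analyst

# Constructed 4768 samples (field names follow the page's Example Event).
SAMPLE_4768 = [
    {"time_created": "2020-07-22T20:29:36.414827Z", "TargetUserName": "HD01",
     "ServiceName": "krbtgt/THREEBEESCO.COM", "Status": "0x6",
     "TicketEncryptionType": "0xffffffff", "PreAuthType": "-", "IpAddress": "172.16.66.1"},
    {"time_created": "2020-07-22T20:30:01.000000Z", "TargetUserName": "svc-legacy",
     "ServiceName": "krbtgt/THREEBEESCO.COM", "Status": "0x0",
     "TicketEncryptionType": "0x17", "PreAuthType": "0", "IpAddress": "172.16.66.40"},
    {"time_created": "2020-07-22T20:31:15.000000Z", "TargetUserName": "lgrove",
     "ServiceName": "krbtgt/THREEBEESCO.COM", "Status": "0x0",
     "TicketEncryptionType": "0x12", "PreAuthType": "2", "IpAddress": "172.16.66.19"},
]

def _mk4769(t, user, spn, enc, ip, status="0x0"):
    return {"time_created": t, "TargetUserName": user, "ServiceName": spn,
            "TicketEncryptionType": enc, "IpAddress": ip, "Status": status}

# Constructed 4769 samples: one normal AES request, then a burst of RC4 requests
# for four distinct SPNs from a single source within ~2 seconds, then a failure.
SAMPLE_4769 = [
    _mk4769("2021-12-12T17:57:52.277095Z", "lgrove@THREEBEESCO.COM", "01566S-WIN16-IR$", "0x12", "::ffff:172.16.66.19"),
    _mk4769("2021-12-12T18:02:10.100000Z", "jdoe@THREEBEESCO.COM", "MSSQLSvc/db01.threebeesco.com:1433", "0x17", "::ffff:172.16.66.55"),
    _mk4769("2021-12-12T18:02:10.400000Z", "jdoe@THREEBEESCO.COM", "HTTP/intranet.threebeesco.com", "0x17", "::ffff:172.16.66.55"),
    _mk4769("2021-12-12T18:02:11.900000Z", "jdoe@THREEBEESCO.COM", "ldap/legacyapp.threebeesco.com", "0x17", "::ffff:172.16.66.55"),
    _mk4769("2021-12-12T18:02:12.300000Z", "jdoe@THREEBEESCO.COM", "CIFS/fileshare.threebeesco.com", "0x17", "::ffff:172.16.66.55"),
    _mk4769("2021-12-12T18:09:00.000000Z", "jdoe@THREEBEESCO.COM", "HTTP/intranet.threebeesco.com", "0x17", "::ffff:172.16.66.55", "0x7"),
]

def _ts(value):
    """Parse the page's time_created format; older Pythons reject a bare trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_4768(ev):
    """Findings for one 4768 record: AS-REP Roasting candidate and failed TGT issue."""
    findings = []
    if ev.get("PreAuthType") == "0" and ev.get("TicketEncryptionType") == RC4_HMAC:
        findings.append("asrep-roasting-candidate")
    if ev.get("Status", "0x0") != "0x0":
        findings.append("tgt-request-failed")
    return findings

def check_4769(ev):
    """Findings for one 4769 record: failed service-ticket request or RC4 ticket."""
    findings = []
    if ev.get("Status", "0x0") != "0x0":
        findings.append("service-ticket-request-failed")
    elif ev.get("TicketEncryptionType") == RC4_HMAC:
        findings.append("rc4-service-ticket")
    return findings

def _roastable(spn):
    # Tuning assumption: computer accounts and krbtgt are usually excluded from the count.
    return not spn.endswith("$") and not spn.lower().startswith("krbtgt")

def kerberoast_clusters(events, window=KERBEROAST_WINDOW_S, min_spns=KERBEROAST_MIN_SPNS):
    """Map IpAddress -> sorted distinct SPNs for every source that requested at least
    `min_spns` distinct service names inside any `window`-second sliding window."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("Status", "0x0") == "0x0" and _roastable(ev["ServiceName"]):
            by_ip[ev["IpAddress"]].append((_ts(ev["time_created"]), ev["ServiceName"]))
    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if (t - start).total_seconds() <= window}
            if len(spns) >= min_spns:
                flagged[ip] = sorted(spns)
                break
    return flagged

def triage(events_4768, events_4769):
    """Per-event findings as (event_id, TargetUserName, finding) plus Kerberoasting clusters."""
    per_event = []
    for ev in events_4768:
        per_event += [(4768, ev["TargetUserName"], f) for f in check_4768(ev)]
    for ev in events_4769:
        per_event += [(4769, ev["TargetUserName"], f) for f in check_4769(ev)]
    return per_event, kerberoast_clusters(events_4769)

if __name__ == "__main__":
    findings, clusters = triage(SAMPLE_4768, SAMPLE_4769)
    for row in findings:
        print(*row)
    for ip, spns in clusters.items():
        print(f"{ip} requested {len(spns)} distinct SPNs within {KERBEROAST_WINDOW_S}s: {spns}")
```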
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4769
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4770 — A Kerberos service ticket was renewed.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Account Information] Account Name. |
Account_Domain | [Account Information] Account Domain. |
Service_Name | [Service Information] Service Name. |
Service_ID | [Service Information] Service ID. |
Ticket_Options | [Additional Information] Ticket Options. |
Ticket_Encryption_Type | [Additional Information] Ticket Encryption Type. |
Client_Address | [Network Information] Client Address. |
Client_Port | [Network Information] Client Port. |
TargetUserName | — |
TargetDomainName | — |
ServiceName | — |
ServiceSid | — |
TicketOptions | — |
TicketEncryptionType | — |
IpAddress | — |
IpPort | — |
RequestTicketHash | — |
ResponseTicketHash | — |
References
Event ID 4771 — Kerberos pre-authentication failed.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Account Information] Account Name. |
Security_ID | [Account Information] Security ID. |
Service_Name | [Service Information] Service Name. |
Ticket_Options | [Additional Information] Ticket Options. If the ticket was malformed or damaged during transit and could not be decrypted, many fields in this event might not be present. |
Failure_Code | [Additional Information] Failure Code. |
PreAuthentication_Type | [Additional Information] Pre-Authentication Type. |
Client_Address | [Network Information] Client Address. |
Client_Port | [Network Information] Client Port. |
Certificate_Issuer_Name | [Certificate Information] Certificate Issuer Name. |
Certificate_Serial_Number | [Certificate Information] Certificate Serial Number. |
Certificate_Thumbprint | [Certificate Information] Certificate Thumbprint. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4771
version: 0
level: 0
task: 14339
opcode: 0
keywords: 9227875636482146304
time_created: '2020-07-22T20:29:36.425365Z'
event_record_id: 887114
correlation: {}
execution:
process_id: 568
thread_id: 2356
channel: Security
computer: 01566s-win16-ir.threebeesco.com
security:
user_id: ''
event_data:
TargetUserName: Administrator
TargetSid: S-1-5-21-308926384-506822093-3341789130-500
ServiceName: krbtgt/THREEBEESCO.COM
TicketOptions: '0x10'
Status: '0x18'
PreAuthType: '2'
IpAddress: 172.16.66.1
IpPort: '55967'
CertIssuerName: ''
CertSerialNumber: ''
CertThumbprint: ''
Community Notes
May indicate password spraying. Pivot on Client_Address.
Sigma Rules
- Kerberos Manipulation
Detects failed Kerberos TGT issue operations. This can be a sign of manipulation of TGT messages by an attacker.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4772 — A Kerberos authentication ticket request failed.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Account Information] Account Name. |
Supplied_Realm_Name | [Account Information] Supplied Realm Name. |
Service_Name | [Service Information] Service Name. |
Ticket_Options | [Additional Information] Ticket Options. |
Failure_Code | [Additional Information] Failure Code. |
Client_Address | [Network Information] Client Address. |
Client_Port | [Network Information] Client Port. |
TargetUserName | — |
TargetDomainName | — |
ServiceName | — |
TicketOptions | — |
FailureCode | — |
IpAddress | — |
IpPort | — |
References
Event ID 4773 — A Kerberos service ticket request failed.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Account Information] Account Name. |
Account_Domain | [Account Information] Account Domain. |
Service_Name | [Service Information] Service Name. |
Ticket_Options | [Additional Information] Ticket Options. |
Failure_Code | [Additional Information] Failure Code. |
Client_Address | [Network Information] Client Address. |
Client_Port | [Network Information] Client Port. |
TargetUserName | — |
TargetDomainName | — |
ServiceName | — |
TicketOptions | — |
FailureCode | — |
IpAddress | — |
IpPort | — |
References
Event ID 4774 — An account was mapped for logon.
Message
Fields
| Name | Description |
|---|---|
Authentication_Package | — |
Account_UPN | — |
Mapped_Name | — |
MappingBy | — |
ClientUserName | — |
MappedName | — |
References
Event ID 4775 — An account could not be mapped for logon.
Message
Fields
| Name | Description |
|---|---|
Authentication_Package | — |
Account_Name | — |
ClientUserName | — |
MappingBy | — |
References
Event ID 4776 — The domain controller attempted to validate the credentials for an account.
Message
Fields
| Name | Description |
|---|---|
PackageName | Authentication Package. |
TargetUserName | Logon Account. |
Workstation | Source Workstation. |
Status | Error Code. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4776
version: 0
level: 0
task: 14336
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-07T16:48:22.599068+00:00'
event_record_id: 388
correlation:
ActivityID: DD7B0B6A-4A9E-0000-E519-7BDD9E4AD801
execution:
process_id: 648
thread_id: 3868
channel: Security
computer: WIN-FPV0DSIC9O6
security:
user_id: ''
event_data:
PackageName: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
TargetUserName: Administrator
Workstation: WIN-FPV0DSIC9O6
Status: '0x0'
message: ''
Community Notes
This may capture fall-back NTLM use. Note Workstation (does it list the client? If not, this may be NTLM coercion).
Sigma Rules
- Hacktool Ruler
Detects events that are generated when using the hacktool Ruler by Sensepost.
- Metasploit SMB Authentication
Alerts on Metasploit host's authentications on the domain.
- Account Tampering - Suspicious Failed Logon Reasons
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4776
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4777 — The domain controller failed to validate the credentials for an account.
Message
Fields
| Name | Description |
|---|---|
Authentication_Package | — |
Logon_Account | — |
Source_Workstation | — |
Error_Code | — |
ClientUserName | — |
TargetUserName | — |
Workstation | — |
Status | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4777
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4777
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4777
Event ID 4778 — A session was reconnected to a Window Station.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Session_Name | [Session] Session Name. |
Client_Name | [Additional Information] Client Name. |
Client_Address | [Additional Information] Client Address. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4778
version: 0
level: 0
task: 12551
opcode: 0
keywords: 9232379236109516800
time_created: '2021-05-14T21:01:05.831748Z'
event_record_id: 1829819
correlation:
'#attributes':
ActivityID: A67BE420-4636-0001-36E4-7BA63646D701
execution:
process_id: 576
thread_id: 4904
channel: Security
computer: fs01.offsec.lan
security:
user_id: ''
event_data:
AccountName: admmarsid
AccountDomain: OFFSEC
LogonID: '0x6a423'
SessionName: RDP-Tcp#8
ClientName: JUMP01
ClientAddress: 10.23.23.9
Community Notes
Useful for tracing session re-use.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4778
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4778
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4778
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4779 — A session was disconnected from a Window Station.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Session_Name | [Session] Session Name. |
Client_Name | [Additional Information] Client Name. |
Client_Address | [Additional Information] Client Address. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4779
version: 0
level: 0
task: 12551
opcode: 0
keywords: 9232379236109516800
time_created: '2021-05-14T21:01:05.370030Z'
event_record_id: 1829816
correlation:
'#attributes':
ActivityID: A67BE420-4636-0001-36E4-7BA63646D701
execution:
process_id: 576
thread_id: 628
channel: Security
computer: fs01.offsec.lan
security:
user_id: ''
event_data:
AccountName: admmig
AccountDomain: OFFSEC
LogonID: '0x13b5e1e'
SessionName: RDP-Tcp#8
ClientName: JUMP01
ClientAddress: 10.23.23.9
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4779
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4779
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4779
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4780 — The ACL was set on accounts which are members of administrators groups.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Target Account] Account Name. |
Account_Domain | [Target Account] Account Domain. |
Security_ID | [Target Account] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4780
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4780
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4780
Event ID 4781 — The name of an account was changed:
Message
Fields
| Name | Description |
|---|---|
OldTargetUserName | [Target Account] Old Account Name. |
NewTargetUserName | [Target Account] New Account Name. |
TargetDomainName | [Target Account] Account Domain. |
TargetSid | [Target Account] Security ID. |
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
PrivilegeList | [Additional Information] Privileges. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4781
version: 0
level: 0
task: 13824
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:37.340432+00:00'
event_record_id: 2857
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 856
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
OldTargetUserName: None
NewTargetUserName: None
TargetDomainName: WINDEV2310EVAL
TargetSid: S-1-5-21-1992711665-1655669231-58201500-513
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
PrivilegeList: '-'
message: ''
Community Notes
Attackers may rename an existing, highly privileged account to blend in.
Sigma Rules
- New or Renamed User Account with '$' Character
Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4781
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4781
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4781
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4782 — The password hash of an account was accessed.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Target Account] Account Name. |
Account_Domain | [Target Account] Account Domain. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
TargetUserName | — |
TargetDomainName | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Community Notes
May indicate Pass-the-Hash. Legitimate use occurs during AD password migration operations under SYSTEM or a dedicated migration account.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4782
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4782
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4782
Event ID 4783 — A basic application group was created.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Group] Account Name. |
Account_Domain | [Group] Account Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
SAM_Account_Name | [Attributes] SAM Account Name. |
SID_History | [Attributes] SID History. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
SamAccountName | — |
SidHistory | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4783
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4783
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4783
Event ID 4784 — A basic application group was changed.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Group] Account Name. |
Account_Domain | [Group] Account Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
SAM_Account_Name | [Attributes] SAM Account Name. |
SID_History | [Attributes] SID History. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
SamAccountName | — |
SidHistory | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4784
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4784
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4784
Event ID 4785 — A member was added to a basic application group.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Member] Account Name. |
Security_ID | [Member] Security ID. |
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
MemberName | — |
MemberSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
MembershipExpirationTime | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4785
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4785
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4785
Event ID 4786 — A member was removed from a basic application group.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Member] Account Name. |
Security_ID | [Member] Security ID. |
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
MemberName | — |
MemberSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4786
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4786
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4786
Event ID 4787 — A non-member was added to a basic application group.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Member] Account Name. |
Security_ID | [Member] Security ID. |
Account_Name | [Group] Account Name. |
Account_Domain | [Group] Account Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. If an account is specified as a member of the application group, either explicitly or through nested group membership, the account will not be treated as a group member if it is listed as a non-member. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
MemberName | — |
MemberSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4787
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4787
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4787
Event ID 4788 — A non-member was removed from a basic application group.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Member] Account Name. |
Security_ID | [Member] Security ID. |
Account_Name | [Group] Account Name. |
Account_Domain | [Group] Account Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. If an account is specified as a member of the application group, either explicitly or through nested group membership, the account will not be treated as a group member if it is listed as a non-member. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
MemberName | — |
MemberSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4788
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4788
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4788
Event ID 4789 — A basic application group was deleted.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Group] Account Name. |
Account_Domain | [Group] Account Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4789
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4789
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4789
Event ID 4790 — An LDAP query group was created.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Group] Account Name. |
Account_Domain | [Group] Account Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
SAM_Account_Name | [Attributes] SAM Account Name. |
SID_History | [Attributes] SID History. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
SamAccountName | — |
SidHistory | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4790
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4790
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4790
Event ID 4791 — A basic application group was changed.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Group] Account Name. |
Account_Domain | [Group] Account Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
SAM_Account_Name | [Attributes] SAM Account Name. |
SID_History | [Attributes] SID History. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
SamAccountName | — |
SidHistory | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4791
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4791
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4791
Event ID 4792 — An LDAP query group was deleted.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Group] Account Name. |
Account_Domain | [Group] Account Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4792
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4792
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4792
Event ID 4793 — The Password Policy Checking API was called.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Caller_Workstation | [Additional Information] Caller Workstation. |
Provided_Account_Name_unauthenticated | [Additional Information] Provided Account Name (unauthenticated). |
Status_Code | [Additional Information] Status Code. |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Workstation | — |
TargetUserName | — |
Status | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4793
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4793
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4793
Event ID 4794 — An attempt was made to set the Directory Services Restore Mode administrator password.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Caller_Workstation | [Additional Information] Caller Workstation. |
Status_Code | [Additional Information] Status Code. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4794
version: 0
level: 0
task: 13824
opcode: 0
keywords: 9232379236109516800
time_created: '2017-06-09T19:21:26.968669Z'
event_record_id: 3139859
correlation:
'#attributes':
ActivityID: 3B48C871-DFE6-0000-A5C8-483BE6DFD201
execution:
process_id: 792
thread_id: 1648
channel: Security
computer: 2016dc.hqcorp.local
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-1913345275-1711810662-261465553-500
SubjectUserName: administrator
SubjectDomainName: HQCORP
SubjectLogonId: '0x2f336f'
Workstation: 2016DC
Status: '0x0'
Sigma Rules
- Password Change on Directory Service Restore Mode (DSRM) Account
Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4794
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4794
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4794
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4797 — An attempt was made to query the existence of a blank password for an account.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
Workstation | [Additional Information] Caller Workstation. |
TargetUserName | [Additional Information] Target Account Name. |
TargetDomainName | [Additional Information] Target Account Domain. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4797
version: 0
level: 0
task: 13824
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T00:43:39.992357+00:00'
event_record_id: 184918
correlation:
ActivityID: E4DB489E-1037-0001-0C49-DBE43710DA01
execution:
process_id: 808
thread_id: 1928
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-1992711665-1655669231-58201500-1000
SubjectUserName: User
SubjectDomainName: WINDEV2310EVAL
SubjectLogonId: '0x27844'
Workstation: WINDEV2310EVAL
TargetUserName: WDAGUtilityAccount
TargetDomainName: WINDEV2310EVAL
message: ''
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4797
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4797
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4798 — A user's local group membership was enumerated.
Message
Fields
| Name | Description |
|---|---|
TargetUserName | [User] Account Name. |
TargetDomainName | [User] Account Domain. |
TargetSid | [User] Security ID. |
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
CallerProcessId | [Process Information] Process ID. |
CallerProcessName | [Process Information] Process Name. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4798
version: 0
level: 0
task: 13824
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:35.014146+00:00'
event_record_id: 2785
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 896
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
TargetUserName: User
TargetDomainName: WINDEV2310EVAL
TargetSid: S-1-5-21-1992711665-1655669231-58201500-1000
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
CallerProcessId: '0x57c'
CallerProcessName: C:\Windows\System32\rundll32.exe
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4798
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4798
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4799 — A security-enabled local group membership was enumerated.
Message
Fields
| Name | Description |
|---|---|
TargetUserName | [Group] Group Name. |
TargetDomainName | [Group] Group Domain. |
TargetSid | [Group] Security ID. |
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
CallerProcessId | [Process Information] Process ID. |
CallerProcessName | [Process Information] Process Name. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4799
version: 0
level: 0
task: 13826
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:50.749994+00:00'
event_record_id: 2946
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 896
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
TargetUserName: Backup Operators
TargetDomainName: Builtin
TargetSid: S-1-5-32-551
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
CallerProcessId: '0x138c'
CallerProcessName: C:\Windows\System32\SearchIndexer.exe
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4799
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4799
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4800 — The workstation was locked.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Session_ID | [Subject] Session ID. |
TargetUserSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetLogonId | — |
SessionId | — |
Sigma Rules
- Locked Workstation
Detects locked workstation session events that occur automatically after a standard period of inactivity.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4800
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4800
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800
Event ID 4801 — The workstation was unlocked.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Session_ID | [Subject] Session ID. |
TargetUserSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetLogonId | — |
SessionId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4801
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4801
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4801
Event ID 4802 — The screen saver was invoked.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Session_ID | [Subject] Session ID. |
TargetUserSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetLogonId | — |
SessionId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4802
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4802
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4802
Event ID 4803 — The screen saver was dismissed.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Session_ID | [Subject] Session ID. |
TargetUserSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetLogonId | — |
SessionId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4803
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4803
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4803
Event ID 4816 — RPC detected an integrity violation while decrypting an incoming message.
Message
Fields
| Name | Description |
|---|---|
Peer_Name | — |
Protocol_Sequence | — |
Security_Error | — |
PeerName | — |
ProtocolSequence | — |
SecurityError | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4816
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4816
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4816
Event ID 4817 — Auditing settings on object were changed.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Object_Server | [Object] Object Server. |
Object_Type | [Object] Object Type. |
Object_Name | [Object] Object Name. |
Original_Security_Descriptor | [Auditing Settings] Original Security Descriptor. |
New_Security_Descriptor | [Auditing Settings] New Security Descriptor. |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ObjectServer | — |
ObjectType | — |
ObjectName | — |
OldSd | — |
NewSd | — |
Community Notes
Attackers that wish to suppress object-access logging can clear/replace the global SACL.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4817
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4817
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4817
Event ID 4818 — Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Object_Server | [Object] Object Server. |
Object_Type | [Object] Object Type. |
Object_Name | [Object] Object Name. |
Handle_ID | [Object] Handle ID. |
Process_ID | [Process Information] Process ID. |
Process_Name | [Process Information] Process Name. |
Access_Reasons | [Current Central Access Policy results] Access Reasons. |
Access_Reasons | [Proposed Central Access Policy results that differ from the current Central Access Policy results] Access Reasons. |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ObjectServer | — |
ObjectType | — |
ObjectName | — |
HandleId | — |
ProcessId | — |
ProcessName | — |
AccessReason | — |
StagingReason | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4818
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4818
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4818
Event ID 4819 — Central Access Policies on the machine have been changed.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Object_Server | [Object] Object Server. |
Object_Type | [Object] Object Type. |
CAPs_Added | [Object] CAPs Added. |
CAPs_Deleted | [Object] CAPs Deleted. |
CAPs_Modified | [Object] CAPs Modified. |
CAPs_AsIs | [Object] CAPs As-Is. |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ObjectServer | — |
ObjectType | — |
AddedCAPs | — |
DeletedCAPs | — |
ModifiedCAPs | — |
AsIsCAPs | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4819
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4819
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4819
Event ID 4820 — A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Account Information] Account Name. |
Supplied_Realm_Name | [Account Information] Supplied Realm Name. |
User_ID | [Account Information] User ID. |
Device_Name | [Device Information] Device Name. |
Service_Name | [Service Information] Service Name. |
Service_ID | [Service Information] Service ID. |
Ticket_Options | [Additional Information] Ticket Options. |
Result_Code | [Additional Information] Result Code. |
Ticket_Encryption_Type | [Additional Information] Ticket Encryption Type. |
PreAuthentication_Type | [Additional Information] Pre-Authentication Type. |
Client_Address | [Network Information] Client Address. |
Client_Port | [Network Information] Client Port. |
Certificate_Issuer_Name | [Certificate Information] Certificate Issuer Name. |
Certificate_Serial_Number | [Certificate Information] Certificate Serial Number. |
Certificate_Thumbprint | [Certificate Information] Certificate Thumbprint. |
Silo_Name | [Authentication Policy Information] Silo Name. |
Policy_Name | [Authentication Policy Information] Policy Name. |
TGT_Lifetime | [Authentication Policy Information] TGT Lifetime. |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
DeviceName | — |
ServiceName | — |
ServiceSid | — |
TicketOptions | — |
Status | — |
TicketEncryptionType | — |
PreAuthType | — |
IpAddress | — |
IpPort | — |
CertIssuerName | — |
CertSerialNumber | — |
CertThumbprint | — |
SiloName | — |
PolicyName | — |
TGTLifetime | — |
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4820
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4820
Event ID 4821 — A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Account Information] Account Name. |
Account_Domain | [Account Information] Account Domain. |
Device_Name | [Device Information] Device Name. |
Service_Name | [Service Information] Service Name. Indicates the resource to which access was requested. |
Service_ID | [Service Information] Service ID. |
Ticket_Options | [Additional Information] Ticket Options. |
Ticket_Encryption_Type | [Additional Information] Ticket Encryption Type. |
Client_Address | [Network Information] Client Address. |
Client_Port | [Network Information] Client Port. |
Failure_Code | [Additional Information] Failure Code. |
Logon_GUID | [Account Information] Logon GUID. |
Transited_Services | [Additional Information] Transited Services. |
Silo_Name | [Authentication Policy Information] Silo Name. |
Policy_Name | [Authentication Policy Information] Policy Name. |
TargetUserName | — |
TargetDomainName | — |
DeviceName | — |
ServiceName | — |
ServiceSid | — |
TicketOptions | — |
TicketEncryptionType | — |
IpAddress | — |
IpPort | — |
Status | — |
LogonGuid | — |
TransitedServices | — |
SiloName | — |
PolicyName | — |
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4821
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4821
Event ID 4822 — NTLM authentication failed because the account was a member of the Protected User group.
Message
Fields
| Name | Description |
|---|---|
Account_Name | — |
Device_Name | — |
Error_Code | — |
AccountName | — |
DeviceName | — |
Status | — |
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4822
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4822
Event ID 4823 — NTLM authentication failed because access control restrictions are required.
Message
Fields
| Name | Description |
|---|---|
Account_Name | — |
Device_Name | — |
Error_Code | — |
Silo_Name | [Authentication Policy Information] Silo Name. |
PolicyName | [Authentication Policy Information] Policy Name. |
AccountName | — |
DeviceName | — |
Status | — |
SiloName | — |
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4823
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4823
Event ID 4824 — Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Account Information] Account Name. |
Security_ID | [Account Information] Security ID. |
Service_Name | [Service Information] Service Name. |
Ticket_Options | [Additional Information] Ticket Options. If the ticket was malformed or damaged during transit and could not be decrypted, many fields in this event might not be present. |
Failure_Code | [Additional Information] Failure Code. |
PreAuthentication_Type | [Additional Information] Pre-Authentication Type. |
Client_Address | [Network Information] Client Address. |
Client_Port | [Network Information] Client Port. |
Certificate_Issuer_Name | [Certificate Information] Certificate Issuer Name. |
Certificate_Serial_Number | [Certificate Information] Certificate Serial Number. |
Certificate_Thumbprint | [Certificate Information] Certificate Thumbprint. |
TargetUserName | — |
TargetSid | — |
ServiceName | — |
TicketOptions | — |
Status | — |
PreAuthType | — |
IpAddress | — |
IpPort | — |
CertIssuerName | — |
CertSerialNumber | — |
CertThumbprint | — |
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4824
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4824
Event ID 4825 — A user was denied the access to Remote Desktop.
Message
Fields
| Name | Description |
|---|---|
User_Name | [Subject] User Name. |
Domain | [Subject] Domain. |
Logon_ID | [Subject] Logon ID. |
Client_Address | [Additional Information] Client Address. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4825
version: 0
level: 0
task: 12551
opcode: 0
keywords: 9227875636482146304
time_created: '2020-07-12T05:27:05.579704Z'
event_record_id: 1231498
correlation: {}
execution:
process_id: 464
thread_id: 992
channel: Security
computer: fs02.offsec.lan
security:
user_id: ''
event_data:
AccountName: svc6test1
AccountDomain: OFFSEC
LogonID: '0x3457272'
ClientAddress: 10.23.23.9
Sigma Rules
- Denied Access To Remote Desktop
This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available Windows servers in the network.
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4825
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4826 — Boot Configuration Data loaded.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
LoadOptions | [General Settings] Load Options. |
AdvancedOptions | [General Settings] Advanced Options. |
ConfigAccessPolicy | [General Settings] Configuration Access Policy. |
RemoteEventLogging | [General Settings] System Event Logging. |
KernelDebug | [General Settings] Kernel Debugging. |
VsmLaunchType | [General Settings] VSM Launch Type. |
TestSigning | [Signature Settings] Test Signing. |
FlightSigning | [Signature Settings] Flight Signing. |
DisableIntegrityChecks | [Signature Settings] Disable Integrity Checks. |
HypervisorLoadOptions | [HyperVisor Settings] HyperVisor Load Options. |
HypervisorLaunchType | [HyperVisor Settings] HyperVisor Launch Type. |
HypervisorDebug | [HyperVisor Settings] HyperVisor Debugging. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4826
version: 0
level: 0
task: 13573
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:19.637649+00:00'
event_record_id: 2743
correlation: {}
execution:
process_id: 4
thread_id: 96
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: '-'
SubjectDomainName: '-'
SubjectLogonId: '0x3e7'
LoadOptions: '-'
AdvancedOptions: '%%1843'
ConfigAccessPolicy: '%%1846'
RemoteEventLogging: '%%1843'
KernelDebug: '%%1843'
VsmLaunchType: '%%1849'
TestSigning: '%%1843'
FlightSigning: '%%1843'
DisableIntegrityChecks: '%%1843'
HypervisorLoadOptions: '-'
HypervisorLaunchType: '%%1849'
HypervisorDebug: '%%1843'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4826
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4826
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4826
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4830 — SID History was removed from an account.
Message
Fields
| Name | Description |
|---|---|
Account_Name | [Target Account] Account Name. |
Account_Domain | [Target Account] Account Domain. |
Security_ID | [Target Account] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | — |
SID_List | — |
SourceUserName | — |
SourceSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PrivilegeList | — |
SidList | — |
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4830
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4830
Event ID 4864 — A namespace collision was detected.
Message
Fields
| Name | Description |
|---|---|
Target_Type | — |
Target_Name | — |
Forest_Root | — |
Top_Level_Name | — |
DNS_Name | — |
NetBIOS_Name | — |
Security_ID | — |
New_Flags | — |
CollisionTargetType | — |
CollisionTargetName | — |
ForestRoot | — |
TopLevelName | — |
DnsName | — |
NetbiosName | — |
DomainSid | — |
Flags | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4864
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4864
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4864
Event ID 4865 — A trusted forest information entry was added.
Message
Fields
| Name | Description |
|---|---|
Forest_Root | [Trust Information] Forest Root. |
Forest_Root_SID | [Trust Information] Forest Root SID. |
Operation_ID | [Trust Information] Operation ID. |
Entry_Type | [Trust Information] Entry Type. |
Flags | [Trust Information] Flags. |
Top_Level_Name | [Trust Information] Top Level Name. |
DNS_Name | [Trust Information] DNS Name. |
NetBIOS_Name | [Trust Information] NetBIOS Name. |
Domain_SID | [Trust Information] Domain SID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4865
version: 0
level: 0
task: 13569
opcode: 0
keywords: 9232379236109516800
time_created: '2024-06-22T14:02:41.749935Z'
event_record_id: 3175613
correlation: {}
execution:
process_id: 596
thread_id: 3360
channel: Security
computer: CDCWTRDC01.mypartner.lan
security:
user_id: ''
event_data:
ForestRoot: rootblue.lan
ForestRootSid: S-1-5-21-392370121-190461309-2151315433
OperationId: '0xffadf358'
EntryType: 0
Flags: 0
TopLevelName: rootblue.lan
DnsName: '-'
NetbiosName: '-'
DomainSid: S-1-0-0
SubjectUserSid: S-1-5-21-1407145384-2259788832-4099636412-500
SubjectUserName: Administrator
SubjectDomainName: MYPARTNER
SubjectLogonId: '0xffad8559'
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4865
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4865
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4865
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4866 — A trusted forest information entry was removed.
Message
Fields
| Name | Description |
|---|---|
Forest_Root | [Trust Information] Forest Root. |
Forest_Root_SID | [Trust Information] Forest Root SID. |
Operation_ID | [Trust Information] Operation ID. |
Entry_Type | [Trust Information] Entry Type. |
Flags | [Trust Information] Flags. |
Top_Level_Name | [Trust Information] Top Level Name. |
DNS_Name | [Trust Information] DNS Name. |
NetBIOS_Name | [Trust Information] NetBIOS Name. |
Domain_SID | [Trust Information] Domain SID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
ForestRoot | — |
ForestRootSid | — |
OperationId | — |
EntryType | — |
TopLevelName | — |
DnsName | — |
NetbiosName | — |
DomainSid | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4866
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4866
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4866
Event ID 4867 — A trusted forest information entry was modified.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Forest_Root | [Trust Information] Forest Root. |
Forest_Root_SID | [Trust Information] Forest Root SID. |
Operation_ID | [Trust Information] Operation ID. |
Entry_Type | [Trust Information] Entry Type. |
Flags | [Trust Information] Flags. |
Top_Level_Name | [Trust Information] Top Level Name. |
DNS_Name | [Trust Information] DNS Name. |
NetBIOS_Name | [Trust Information] NetBIOS Name. |
Domain_SID | [Trust Information] Domain SID. |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ForestRoot | — |
ForestRootSid | — |
OperationId | — |
EntryType | — |
TopLevelName | — |
DnsName | — |
NetbiosName | — |
DomainSid | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4867
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4867
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4867
Event ID 4868 — The certificate manager denied a pending certificate request.
Message
Fields
| Name | Description |
|---|---|
Request_ID | — |
RequestId | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4868
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4868
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4868
Event ID 4869 — Certificate Services received a resubmitted certificate request.
Message
Fields
| Name | Description |
|---|---|
Request_ID | — |
RequestId | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4869
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4869
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4869
Event ID 4870 — Certificate Services revoked a certificate.
Message
Fields
| Name | Description |
|---|---|
Serial_Number | — |
Reason | — |
CertificateSerialNumber | — |
RevocationReason | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4870
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4870
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4870
Event ID 4871 — Certificate Services received a request to publish the certificate revocation list (CRL).
Message
Fields
| Name | Description |
|---|---|
Next_Update | — |
Publish_Base | — |
Publish_Delta | — |
NextUpdate | — |
NextPublishForBaseCRL | — |
NextPublishForDeltaCRL | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4871
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4871
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4871
Event ID 4872 — Certificate Services published the certificate revocation list (CRL).
Message
Fields
| Name | Description |
|---|---|
Base_CRL | — |
CRL_Number | — |
Key_Container | — |
Next_Publish | — |
Publish_URLs | — |
IsBaseCRL | — |
CRLNumber | — |
KeyContainer | — |
NextPublish | — |
PublishURLs | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4872
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4872
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4872
Event ID 4873 — A certificate request extension changed.
Message
Fields
| Name | Description |
|---|---|
Request_ID | — |
Name | — |
Type | — |
Flags | — |
Data | — |
RequestId | — |
ExtensionName | — |
ExtensionDataType | — |
ExtensionPolicyFlags | — |
ExtensionData | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4873
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4873
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4873
Event ID 4874 — One or more certificate request attributes changed.
Message
Fields
| Name | Description |
|---|---|
Request_ID | — |
Attributes | — |
RequestId | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4874
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4874
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4874
Event ID 4875 — Certificate Services received a request to shut down.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4875
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4875
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4875
Event ID 4876 — Certificate Services backup started.
Message
Fields
| Name | Description |
|---|---|
Backup_Type | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4876
version: 0
level: 0
task: 12805
opcode: 0
keywords: 9232379236109516800
time_created: '2024-09-03T10:41:30.959534Z'
event_record_id: 376329
correlation:
'#attributes':
ActivityID: D702B00C-FB0E-0000-8CB1-02D70EFBDA01
execution:
process_id: 640
thread_id: 4156
channel: Security
computer: CDCWPKI01.rootblue.lan
security:
user_id: ''
event_data:
BackupType: '1'
SubjectUserSid: S-1-5-21-392370121-190461309-2151315433-1108
SubjectUserName: domadm
SubjectDomainName: ROOTBLUE
SubjectLogonId: '0x91861a6'
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4876
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4876
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4876
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4877 — Certificate Services backup completed.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4877
version: 0
level: 0
task: 12805
opcode: 0
keywords: 9232379236109516800
time_created: '2024-09-03T10:41:31.145540Z'
event_record_id: 376330
correlation:
'#attributes':
ActivityID: D702B00C-FB0E-0000-8CB1-02D70EFBDA01
execution:
process_id: 640
thread_id: 4156
channel: Security
computer: CDCWPKI01.rootblue.lan
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-392370121-190461309-2151315433-1108
SubjectUserName: domadm
SubjectDomainName: ROOTBLUE
SubjectLogonId: '0x91861a6'
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4877
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4877
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4877
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4878 — Certificate Services restore started.
Message
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4878
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4878
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4878
Event ID 4879 — Certificate Services restore completed.
Message
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4879
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4879
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4879
Event ID 4880 — Certificate Services started.
Message
Fields
| Name | Description |
|---|---|
Certificate_Database_Hash | — |
Private_Key_Usage_Count | — |
CA_Certificate_Hash | — |
CA_Public_Key_Hash | — |
CertificateDatabaseHash | — |
PrivateKeyUsageCount | — |
CACertificateHash | — |
CAPublicKeyHash | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4880
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4880
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4880
Event ID 4881 — Certificate Services stopped.
Message
Fields
| Name | Description |
|---|---|
Certificate_Database_Hash | — |
Private_Key_Usage_Count | — |
CA_Certificate_Hash | — |
CA_Public_Key_Hash | — |
CertificateDatabaseHash | — |
PrivateKeyUsageCount | — |
CACertificateHash | — |
CAPublicKeyHash | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4881
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4881
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4881
Event ID 4882 — The security permissions for Certificate Services changed.
Message
Fields
| Name | Description |
|---|---|
SecuritySettings | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Community Notes
Records changes to the CA's ACL; such a change may indicate privilege escalation via the addition of rogue accounts. Critical for detecting AD CS abuse.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4882
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4882
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4882
Event ID 4883 — Certificate Services retrieved an archived key.
Message
Fields
| Name | Description |
|---|---|
Request_ID | — |
RequestId | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4883
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4883
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4883
Event ID 4884 — Certificate Services imported a certificate into its database.
Message
Fields
| Name | Description |
|---|---|
Certificate | — |
Request_ID | — |
RequestId | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4884
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4884
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4884
Event ID 4885 — The audit filter for Certificate Services changed.
Message
Fields
| Name | Description |
|---|---|
Filter | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4885
version: 0
level: 0
task: 12805
opcode: 0
keywords: 9232379236109516800
time_created: '2024-09-03T10:42:09.373562Z'
event_record_id: 376331
correlation:
'#attributes':
ActivityID: D702B00C-FB0E-0000-8CB1-02D70EFBDA01
execution:
process_id: 640
thread_id: 4156
channel: Security
computer: CDCWPKI01.rootblue.lan
security:
user_id: ''
event_data:
AuditFilter: '111'
SubjectUserSid: S-1-5-21-392370121-190461309-2151315433-1108
SubjectUserName: domadm
SubjectDomainName: ROOTBLUE
SubjectLogonId: '0x91861a6'
Community Notes
May be a prelude to AD CS abuse, i.e., ESC1/ESC5.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4885
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4885
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4885
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4886 — Certificate Services received a certificate request.
Message
Fields
| Name | Description |
|---|---|
Request_ID | — |
Requester | — |
Attributes | — |
RequestId | — |
Subject | — |
SubjectAlternativeName | — |
CertificateTemplate | — |
RequestOSVersion | — |
RequestCSPProvider | — |
RequestClientInfo | — |
AuthenticationService | — |
AuthenticationLevel | — |
DCOMorRPC | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4886
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4886
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4886
Event ID 4887 — Certificate Services approved a certificate request and issued a certificate.
Message
Fields
| Name | Description |
|---|---|
Request_ID | — |
Requester | — |
Attributes | — |
Disposition | — |
SKI | — |
Subject | — |
RequestId | — |
SubjectKeyIdentifier | — |
SubjectAlternativeName | — |
CertificateTemplate | — |
SerialNumber | — |
AuthenticationService | — |
AuthenticationLevel | — |
DCOMorRPC | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4887
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4887
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4887
Event ID 4888 — Certificate Services denied a certificate request.
Message
Fields
| Name | Description |
|---|---|
Request_ID | — |
Requester | — |
Attributes | — |
Disposition | — |
SKI | — |
Subject | — |
RequestId | — |
SubjectKeyIdentifier | — |
AuthenticationService | — |
AuthenticationLevel | — |
DCOMorRPC | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4888
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4888
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4888
Event ID 4889 — Certificate Services set the status of a certificate request to pending.
Message
Fields
| Name | Description |
|---|---|
Request_ID | — |
Requester | — |
Attributes | — |
Disposition | — |
SKI | — |
Subject | — |
RequestId | — |
SubjectKeyIdentifier | — |
AuthenticationService | — |
AuthenticationLevel | — |
DCOMorRPC | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4889
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4889
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4889
Event ID 4890 — The certificate manager settings for Certificate Services changed.
Message
Fields
| Name | Description |
|---|---|
Enable | — |
EnableRestrictedPermissions | — |
RestrictedPermissions | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Community Notes
May indicate tampering with permissions to issue trusted certificates and impersonate any domain principal. Can detect AD CS abuse techniques, i.e., ESC1. Any Subject SID that is not NT AUTHORITY\SYSTEM or an approved service identity indicates unauthorized privilege abuse.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4890
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4890
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4890
Event ID 4891 — A configuration entry changed in Certificate Services.
Message
Fields
| Name | Description |
|---|---|
Node | — |
Entry | — |
Value | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4891
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4891
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4891
Event ID 4892 — A property of Certificate Services changed.
Message
Fields
| Name | Description |
|---|---|
Property | — |
Index | — |
Type | — |
Value | — |
PropertyName | — |
PropertyIndex | — |
PropertyType | — |
PropertyValue | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4892
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4892
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4892
Event ID 4893 — Certificate Services archived a key.
Message
Fields
| Name | Description |
|---|---|
Request_ID | — |
Requester | — |
KRA_Hashes | — |
RequestId | — |
KRAHashes | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4893
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4893
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4893
Event ID 4894 — Certificate Services imported and archived a key.
Message
Fields
| Name | Description |
|---|---|
Request_ID | — |
RequestId | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4894
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4894
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4894
Event ID 4895 — Certificate Services published the CA certificate to Active Directory Domain Services.
Message
Fields
| Name | Description |
|---|---|
Certificate_Hash | — |
Valid_From | — |
Valid_To | — |
CertificateHash | — |
ValidFrom | — |
ValidTo | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4895
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4895
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4895
Event ID 4896 — One or more rows have been deleted from the certificate database.
Message
Fields
| Name | Description |
|---|---|
Table_ID | — |
Filter | — |
Rows_Deleted | — |
TableId | — |
RowsDeleted | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4896
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4896
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4896
Event ID 4897 — Role separation enabled.
Message
Fields
| Name | Description |
|---|---|
Role_separation_enabled | — |
RoleSeparationEnabled | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4897
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4897
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4897
Event ID 4898 — Certificate Services loaded a template.
Message
Fields
| Name | Description |
|---|---|
Domain_Controller | — |
Template_Content | — |
Security_Descriptor | — |
TemplateInternalName | — |
TemplateVersion | — |
TemplateSchemaVersion | — |
TemplateOID | — |
TemplateDSObjectFQDN | — |
DCDNSName | — |
TemplateContent | — |
SecurityDescriptor | — |
Sigma Rules
- ADCS Certificate Template Configuration Vulnerability
Detects certificate creation with template allowing risk permission subject
- ADCS Certificate Template Configuration Vulnerability with Risky EKU
Detects certificate creation with template allowing risk permission subject and risky EKU
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4898
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4898
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4898
Event ID 4899 — A Certificate Services template was updated.
Message
Fields
| Name | Description |
|---|---|
Domain_Controller | — |
New_Template_Content | — |
Old_Template_Content | — |
TemplateInternalName | — |
TemplateVersion | — |
TemplateSchemaVersion | — |
TemplateOID | — |
TemplateDSObjectFQDN | — |
DCDNSName | — |
NewTemplateContent | — |
OldTemplateContent | — |
Sigma Rules
- ADCS Certificate Template Configuration Vulnerability
Detects certificate creation with template allowing risk permission subject
- ADCS Certificate Template Configuration Vulnerability with Risky EKU
Detects certificate creation with template allowing risk permission subject and risky EKU
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4899
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4899
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4899
Event ID 4900 — Certificate Services template security was updated.
Message
Fields
| Name | Description |
|---|---|
Domain_Controller | — |
New_Template_Content | — |
New_Security_Descriptor | — |
Old_Template_Content | — |
Old_Security_Descriptor | — |
TemplateInternalName | — |
TemplateVersion | — |
TemplateSchemaVersion | — |
TemplateOID | — |
TemplateDSObjectFQDN | — |
DCDNSName | — |
NewTemplateContent | — |
NewSecurityDescriptor | — |
OldTemplateContent | — |
OldSecurityDescriptor | — |
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4900
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4900
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4900
Event ID 4902 — The Per-user audit policy table was created.
Message
Fields
| Name | Description |
|---|---|
PuaCount | Number of Elements. |
PuaPolicyId | Policy ID. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4902
version: 0
level: 0
task: 13568
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:28.032941+00:00'
event_record_id: 2756
correlation: {}
execution:
process_id: 808
thread_id: 860
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
PuaCount: 0
PuaPolicyId: '0xa128'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4902
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4902
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4902
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4904 — An attempt was made to register a security event source.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
AuditSourceName | [Event Source] Source Name. |
EventSourceId | [Event Source] Event Source ID. |
ProcessId | [Process] Process ID. |
ProcessName | [Process] Process Name. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4904
version: 0
level: 0
task: 13568
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-04T13:11:19.368595+00:00'
event_record_id: 25620
correlation:
ActivityID: 7377737E-4825-0000-C974-77732548D801
execution:
process_id: 612
thread_id: 664
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WIN-TKC15D7KHUR$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
AuditSourceName: IIS-METABASE
EventSourceId: '0x21062'
ProcessId: '0x648'
ProcessName: C:\Windows\System32\inetsrv\inetinfo.exe
message: ''
Sigma Rules
- VSSAudit Security Event Source Registration
Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4904
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4904
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4904
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4905 — An attempt was made to unregister a security event source.
Message
Fields
| Name | Description |
|---|---|
Security_ID | — |
Account_Name | — |
Account_Domain | — |
Logon_ID | — |
Source_Name | [Event Source] Source Name. |
Event_Source_ID | [Event Source] Event Source ID. |
Process_ID | [Process] Process ID. |
Process_Name | [Process] Process Name. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4905
version: 0
level: 0
task: 13568
opcode: 0
keywords: 9232379236109516800
time_created: '2013-10-23T16:26:16.473750Z'
event_record_id: 135
correlation: {}
execution:
process_id: 508
thread_id: 1032
channel: Security
computer: IE8Win7
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WIN-QALA5Q3KJ43$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
AuditSourceName: VSSAudit
EventSourceId: '0xe5eb0'
ProcessId: '0x9fc'
ProcessName: C:\Windows\System32\VSSVC.exe
Sigma Rules
- VSSAudit Security Event Source Registration
Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4905
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4905
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4905
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4906 — The CrashOnAuditFail value has changed.
Message
Fields
| Name | Description |
|---|---|
CrashOnAuditFailValue | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4906
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4906
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4906
Event ID 4907 — Auditing settings on object were changed.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
ObjectServer | [Object] Object Server. |
ObjectType | [Object] Object Type. |
ObjectName | [Object] Object Name. |
HandleId | [Object] Handle ID. |
OldSd | [Auditing Settings] Original Security Descriptor. |
NewSd | [Auditing Settings] New Security Descriptor. |
ProcessId | [Process Information] Process ID. |
ProcessName | [Process Information] Process Name. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4907
version: 0
level: 0
task: 13568
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:39.659624+00:00'
event_record_id: 2879
correlation: {}
execution:
process_id: 4
thread_id: 228
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
ObjectServer: Security
ObjectType: File
ObjectName: C:\Windows\Temp\winre\ExtractedFromWim
HandleId: '0x5e0'
OldSd: ''
NewSd: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
ProcessId: '0x590'
ProcessName: C:\Windows\System32\oobe\msoobe.exe
message: ''
Community Notes
Captures SACL changes to files, registry keys, and services.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4907
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4907
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4907
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4908 — Special Groups Logon table modified.
Message
Fields
| Name | Description |
|---|---|
Special_Groups | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4908
version: 0
level: 0
task: 13568
opcode: 0
keywords: 9232379236109516800
time_created: '2020-07-12T06:01:51.798027Z'
event_record_id: 16088364
correlation: {}
execution:
process_id: 528
thread_id: 548
channel: Security
computer: rootdc1.offsec.lan
security:
user_id: ''
event_data:
SidList: '-'
Community Notes
Deleting privileged SIDs will prevent Event ID 4964 from firing. Also appears at every reboot, so IR can compare the boot-time record against later changes.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4908
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4908
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4908
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4909 — The local policy settings for the TBS were changed.
Message
Fields
| Name | Description |
|---|---|
Old_Blocked_Ordinals | — |
New_Blocked_Ordinals | — |
OldBlockedOrdinals | — |
NewBlockedOrdinals | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4909
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4909
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4909
Event ID 4910 — The group policy settings for the TBS were changed.
Message
Fields
| Name | Description |
|---|---|
Old_Value | — |
New_Value | — |
Old_Value | — |
New_Value | — |
Old_Blocked_Ordinals | — |
New_Blocked_Ordinals | — |
OldIgnoreDefaultSettings | — |
NewIgnoreDefaultSettings | — |
OldIgnoreLocalSettings | — |
NewIgnoreLocalSettings | — |
OldBlockedOrdinals | — |
NewBlockedOrdinals | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4910
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4910
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4910
Event ID 4911 — Resource attributes of the object were changed.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | [Subject] Security ID. |
SubjectUserName | [Subject] Account Name. |
SubjectDomainName | [Subject] Account Domain. |
SubjectLogonId | [Subject] Logon ID. |
ObjectServer | [Object] Object Server. |
ObjectType | [Object] Object Type. |
ObjectName | [Object] Object Name. |
HandleId | [Object] Handle ID. |
OldSd | [Resource Attributes] Original Security Descriptor. |
NewSd | [Resource Attributes] New Security Descriptor. |
ProcessId | [Process Information] Process ID. |
ProcessName | [Process Information] Process Name. |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4911
version: 0
level: 0
task: 13570
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T01:51:41.950925+00:00'
event_record_id: 300251
correlation: {}
execution:
process_id: 4
thread_id: 5816
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-1992711665-1655669231-58201500-1000
SubjectUserName: User
SubjectDomainName: WINDEV2310EVAL
SubjectLogonId: '0x27844'
ObjectServer: Security
ObjectType: File
ObjectName: C:\Users\User\AppData\Local\Temp\763cba47-20ad-4480-91e6-3dc02233f103.tmp
HandleId: '0x1d6c'
OldSd: ''
NewSd: S:ARAI(RA;;;;;WD;("IMAGELOAD",TU,0x0,1))
ProcessId: '0x33f0'
ProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4911
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4911
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4911
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4912 — Per User Audit Policy was changed.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Security_ID | [Policy For Account] Security ID. |
Category | [Policy Change Details] Category. |
Subcategory | [Policy Change Details] Subcategory. |
Subcategory_GUID | [Policy Change Details] Subcategory GUID. |
Changes | [Policy Change Details] Changes. |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
TargetUserSid | — |
CategoryId | — |
SubcategoryId | — |
SubcategoryGuid | — |
AuditPolicyChanges | — |
Community Notes
If Changes is set to None, or Failure include is removed, this may be an attempt to hide activity. Pair with 4719, 4902, and 4624 to reconstruct a timeline.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4912
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4912
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4912
Event ID 4913 — Central Access Policy on the object was changed.
Message
Fields
| Name | Description |
|---|---|
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Object_Server | [Object] Object Server. |
Object_Type | [Object] Object Type. |
Object_Name | [Object] Object Name. |
Handle_ID | [Object] Handle ID. |
Original_Security_Descriptor | [Central Policy ID] Original Security Descriptor. |
New_Security_Descriptor | [Central Policy ID] New Security Descriptor. |
Process_ID | [Process Information] Process ID. |
Process_Name | [Process Information] Process Name. |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ObjectServer | — |
ObjectType | — |
ObjectName | — |
HandleId | — |
OldSd | — |
NewSd | — |
ProcessId | — |
ProcessName | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4913
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4913
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4913
Event ID 4928 — An Active Directory replica source naming context was established.
Message
Fields
| Name | Description |
|---|---|
Destination_DRA | — |
Source_DRA | — |
Source_Address | — |
Naming_Context | — |
Options | — |
Status_Code | — |
DestinationDRA | — |
SourceDRA | — |
SourceAddr | — |
NamingContext | — |
StatusCode | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4928
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4928
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4928
Event ID 4929 — An Active Directory replica source naming context was removed.
Message
Fields
| Name | Description |
|---|---|
Destination_DRA | — |
Source_DRA | — |
Source_Address | — |
Naming_Context | — |
Options | — |
Status_Code | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4929
version: 1
level: 0
task: 14083
opcode: 0
keywords: 9227875636482146304
time_created: '2021-04-27T11:04:45.557748Z'
event_record_id: 138520244
correlation:
'#attributes':
ActivityID: 9816F041-2BBE-0000-53F0-1698BE2BD701
execution:
process_id: 548
thread_id: 5276
channel: Security
computer: rootdc1.offsec.lan
security:
user_id: ''
event_data:
DestinationDRA: CN=NTDS Settings,CN=ROOTDC1,CN=Servers,CN=OFFSEC-PREMISE,CN=Sites,CN=Configuration,DC=offsec,DC=lan
SourceDRA: '-'
SourceAddr: jump01.offsec.lan
NamingContext: DC=offsec,DC=lan
Options: 16
StatusCode: 8452
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4929
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4929
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4929
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4930 — An Active Directory replica source naming context was modified.
Message
Fields
| Name | Description |
|---|---|
Destination_DRA | — |
Source_DRA | — |
Source_Address | — |
Naming_Context | — |
Options | — |
Status_Code | — |
DestinationDRA | — |
SourceDRA | — |
SourceAddr | — |
NamingContext | — |
StatusCode | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4930
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4930
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4930
Event ID 4931 — An Active Directory replica destination naming context was modified.
Message
Fields
| Name | Description |
|---|---|
Destination_DRA | — |
Source_DRA | — |
Destination_Address | — |
Naming_Context | — |
Options | — |
Status_Code | — |
DestinationDRA | — |
SourceDRA | — |
SourceAddr | — |
NamingContext | — |
StatusCode | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4931
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4931
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4931
Event ID 4932 — Synchronization of a replica of an Active Directory naming context has begun.
Message
Fields
| Name | Description |
|---|---|
Destination_DRA | — |
Source_DRA | — |
Naming_Context | — |
Options | — |
Session_ID | — |
Start_USN | — |
DestinationDRA | — |
SourceDRA | — |
NamingContext | — |
SessionID | — |
StartUSN | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4932
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4932
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4932
Event ID 4933 — Synchronization of a replica of an Active Directory naming context has ended.
Message
Fields
| Name | Description |
|---|---|
Destination_DRA | — |
Source_DRA | — |
Naming_Context | — |
Options | — |
Session_ID | — |
End_USN | — |
Status_Code | — |
DestinationDRA | — |
SourceDRA | — |
NamingContext | — |
SessionID | — |
EndUSN | — |
StatusCode | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4933
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4933
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4933
Event ID 4934 — Attributes of an Active Directory object were replicated.
Message
Fields
| Name | Description |
|---|---|
SessionID | — |
Object | — |
Attribute | — |
TypeOfChange | — |
NewValue | — |
USN | — |
StatusCode | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4934
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4934
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4934
Event ID 4935 — Replication failure begins.
Message
Fields
| Name | Description |
|---|---|
Replication_Event | — |
Audit_Status_Code | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4935
version: 0
level: 0
task: 14083
opcode: 0
keywords: 9227875636482146304
time_created: '2021-04-27T11:04:03.510255Z'
event_record_id: 138520219
correlation:
'#attributes':
ActivityID: 9816F041-2BBE-0000-53F0-1698BE2BD701
execution:
process_id: 548
thread_id: 5276
channel: Security
computer: rootdc1.offsec.lan
security:
user_id: ''
event_data:
ReplicationEvent: 1
AuditStatusCode: 8419
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4935
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4935
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4935
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4936 — Replication failure ends.
Message
Fields
| Name | Description |
|---|---|
Replication_Event | — |
Audit_Status_Code | — |
Replication_Status_Code | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4936
version: 0
level: 0
task: 14083
opcode: 0
keywords: 9227875636482146304
time_created: '2021-04-27T11:04:45.556800Z'
event_record_id: 138520242
correlation:
'#attributes':
ActivityID: 9816F041-2BBE-0000-53F0-1698BE2BD701
execution:
process_id: 548
thread_id: 5276
channel: Security
computer: rootdc1.offsec.lan
security:
user_id: ''
event_data:
ReplicationEvent: 1
AuditStatusCode: 8419
ReplicationStatusCode: 1722
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4936
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4936
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4936
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4937 — A lingering object was removed from a replica.
Message
Fields
| Name | Description |
|---|---|
Destination_DRA | — |
Source_DRA | — |
Object | — |
Options | — |
Status_Code | — |
DestinationDRA | — |
SourceDRA | — |
StatusCode | — |
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4937
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4937
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4937
Event ID 4944 — The following policy was active when the Windows Firewall started.
Message
Fields
| Name | Description |
|---|---|
GroupPolicyApplied | — |
Profile | — |
OperationMode | — |
RemoteAdminEnabled | — |
MulticastFlowsEnabled | — |
LogDroppedPacketsEnabled | — |
LogSuccessfulConnectionsEnabled | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4944
version: 0
level: 0
task: 13571
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-04T13:11:21.036853+00:00'
event_record_id: 26014
correlation:
ActivityID: 7377737E-4825-0000-C974-77732548D801
execution:
process_id: 612
thread_id: 664
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
GroupPolicyApplied: 'No'
Profile: (null)
OperationMode: 'On'
RemoteAdminEnabled: Disabled
MulticastFlowsEnabled: Enabled
LogDroppedPacketsEnabled: Disabled
LogSuccessfulConnectionsEnabled: Disabled
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4944
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4944
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4944
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4945 — A rule was listed when the Windows Firewall started.
Message
Fields
| Name | Description |
|---|---|
ProfileUsed | — |
RuleId | — |
RuleName | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4945
version: 0
level: 0
task: 13571
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-04T13:11:21.045018+00:00'
event_record_id: 26315
correlation:
ActivityID: 7377737E-4825-0000-C974-77732548D801
execution:
process_id: 612
thread_id: 664
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
ProfileUsed: (null)
RuleId: IIS-WebServerRole-FTP-Passive-In-TCP
RuleName: FTP Server Passive (FTP Passive Traffic-In)
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4945
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4945
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4945
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4946 — A change has been made to Windows Firewall exception list. A rule was added.
Message
Fields
| Name | Description |
|---|---|
ProfileChanged | — |
RuleId | — |
RuleName | — |
Community Notes
Logs rules that open ports or disable filtering. Attackers may add rules to enable implants to communicate with external servers.
References
Event ID 4947 — A change has been made to Windows Firewall exception list. A rule was modified.
Message
Fields
| Name | Description |
|---|---|
ProfileChanged | — |
RuleId | — |
RuleName | — |
Event ID 4948 — A change has been made to Windows Firewall exception list. A rule was deleted.
Message
Fields
| Name | Description |
|---|---|
ProfileChanged | — |
RuleId | — |
RuleName | — |
Event ID 4949 — Windows Firewall settings were restored to the default values.
Message
Event ID 4950 — A Windows Firewall setting has changed.
Message
Fields
| Name | Description |
|---|---|
ProfileChanged | — |
SettingType | — |
SettingValue | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: '{54849625-5478-4994-A5BA-3E3B0328C30D}'
event_source_name: ''
event_id: 4950
version: '0'
level: '0'
task: '13571'
opcode: '0'
keywords: 9232379236109516800
time_created: '2021-06-03T19:39:52.893115500Z'
event_record_id: '1974770'
correlation:
'#attributes':
ActivityID: '{38068009-512D-0000-1D80-06382D51D701}'
execution:
process_id: '556'
thread_id: '2532'
channel: Security
computer: fs01.offsec.lan
security:
user_id: ''
event_data:
ProfileChanged: Domain
SettingType: Enable Windows Firewall
SettingValue: 'Yes'
Community Notes
Tracks changes to core settings such as disabling a profile (domain, private, public), or default block/allow behavior.
References
Event ID 4951 — A rule has been ignored because its major version number was not recognized by Windows Firewall.
Message
Fields
| Name | Description |
|---|---|
Profile | — |
RuleId | — |
RuleName | — |
References
Event ID 4952 — Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall.
Message
Fields
| Name | Description |
|---|---|
Profile | — |
RuleId | — |
RuleName | — |
Event ID 4953 — A rule has been ignored by Windows Firewall because it could not parse the rule.
Message
Fields
| Name | Description |
|---|---|
Profile | — |
ReasonForRejection | — |
RuleId | — |
RuleName | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4953
version: 0
level: 0
task: 13571
opcode: 0
keywords: 9227875636482146304
time_created: '2022-04-04T13:11:19.737706+00:00'
event_record_id: 25625
correlation:
ActivityID: 7377737E-4825-0000-C974-77732548D801
execution:
process_id: 612
thread_id: 668
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
Profile: All
ReasonForRejection: An error occurred.
RuleId: MDEServer-1
RuleName: '-'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4953
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4953
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4953
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4954 — Windows Firewall Group Policy settings has changed.
Message
Event ID 4956 — Windows Firewall has changed the active profile.
Message
Fields
| Name | Description |
|---|---|
ActiveProfile | — |
References
Event ID 4957 — Windows Firewall did not apply the following rule:
Message
Fields
| Name | Description |
|---|---|
RuleId | — |
RuleName | — |
RuleAttr | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4957
version: 0
level: 0
task: 13571
opcode: 0
keywords: 9227875636482146304
time_created: '2022-04-04T13:13:38.719617+00:00'
event_record_id: 29324
correlation:
ActivityID: 7377737E-4825-0000-C974-77732548D801
execution:
process_id: 612
thread_id: 664
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
RuleId: CoreNet-IPHTTPS-In
RuleName: Core Networking - IPHTTPS (TCP-In)
RuleAttr: Local Port
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4957
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4957
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4957
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4958 — Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
Message
Fields
| Name | Description |
|---|---|
RuleId | — |
RuleName | — |
Error | — |
Reason | — |
References
Event ID 4960 — IPsec dropped an inbound packet that failed an integrity check.
Message
Fields
| Name | Description |
|---|---|
RemoteAddress | — |
SPI | — |
References
Event ID 4961 — IPsec dropped an inbound packet that failed a replay check.
Message
Fields
| Name | Description |
|---|---|
RemoteAddress | — |
SPI | — |
Event ID 4962 — IPsec dropped an inbound packet that failed a replay check.
Message
Fields
| Name | Description |
|---|---|
RemoteAddress | — |
SPI | — |
Event ID 4963 — IPsec dropped an inbound clear text packet that should have been secured.
Message
Fields
| Name | Description |
|---|---|
RemoteAddress | — |
SPI | — |
Event ID 4964 — Special groups have been assigned to a new logon.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
LogonGuid | — |
TargetUserSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetLogonId | — |
TargetLogonGuid | — |
SidList | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4964
version: 0
level: 0
task: 12548
opcode: 0
keywords: 9232379236109516800
time_created: '2021-04-22T08:51:04.686763Z'
event_record_id: 435111
correlation: {}
execution:
process_id: 480
thread_id: 2416
channel: Security
computer: fs03vuln.offsec.lan
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: FS03VULN$
SubjectDomainName: OFFSEC
SubjectLogonId: '0x3e7'
LogonGuid: 00000000-0000-0000-0000-000000000000
TargetUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111
TargetUserName: admmig
TargetDomainName: OFFSEC
TargetLogonId: '0x74872'
TargetLogonGuid: 00000000-0000-0000-0000-000000000000
SidList: "\r\n\t\t%{S-1-5-21-4230534742-2542757381-3142984815-1613}"
Community Notes
Detects Domain Admins or other high-value SIDs logging onto non-DC hosts.
References
Event ID 4965 — IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI).
Message
Fields
| Name | Description |
|---|---|
RemoteAddress | — |
SPI | — |
Event ID 4976 — During Main Mode negotiation, IPsec received an invalid negotiation packet.
Message
Fields
| Name | Description |
|---|---|
LocalAddress | — |
RemoteAddress | — |
KeyModName | — |
References
Event ID 4977 — During Quick Mode negotiation, IPsec received an invalid negotiation packet.
Message
Fields
| Name | Description |
|---|---|
LocalAddress | — |
RemoteAddress | — |
KeyModName | — |
Event ID 4978 — During Extended Mode negotiation, IPsec received an invalid negotiation packet.
Message
Fields
| Name | Description |
|---|---|
LocalAddress | — |
RemoteAddress | — |
KeyModName | — |
Event ID 4979 — IPsec Main Mode and Extended Mode security associations were established.
Message
Fields
| Name | Description |
|---|---|
LocalMMPrincipalName | — |
RemoteMMPrincipalName | — |
LocalAddress | — |
LocalKeyModPort | — |
RemoteAddress | — |
RemoteKeyModPort | — |
MMAuthMethod | — |
MMCipherAlg | — |
MMIntegrityAlg | — |
DHGroup | — |
MMLifetime | — |
QMLimit | — |
Role | — |
MMImpersonationState | — |
MMFilterID | — |
MMSAID | — |
LocalEMPrincipalName | — |
RemoteEMPrincipalName | — |
EMAuthMethod | — |
EMImpersonationState | — |
QMFilterID | — |
References
Event ID 4980 — IPsec Main Mode and Extended Mode security associations were established.
Message
Fields
| Name | Description |
|---|---|
LocalMMPrincipalName | — |
RemoteMMPrincipalName | — |
LocalAddress | — |
LocalKeyModPort | — |
RemoteAddress | — |
RemoteKeyModPort | — |
MMAuthMethod | — |
MMCipherAlg | — |
MMIntegrityAlg | — |
DHGroup | — |
MMLifetime | — |
QMLimit | — |
Role | — |
MMImpersonationState | — |
MMFilterID | — |
MMSAID | — |
LocalEMPrincipalName | — |
LocalEMCertHash | — |
LocalEMIssuingCA | — |
LocalEMRootCA | — |
RemoteEMPrincipalName | — |
RemoteEMCertHash | — |
RemoteEMIssuingCA | — |
RemoteEMRootCA | — |
EMImpersonationState | — |
QMFilterID | — |
References
Event ID 4981 — IPsec Main Mode and Extended Mode security associations were established.
Message
Fields
| Name | Description |
|---|---|
LocalMMPrincipalName | — |
LocalMMCertHash | — |
LocalMMIssuingCA | — |
LocalMMRootCA | — |
RemoteMMPrincipalName | — |
RemoteMMCertHash | — |
RemoteMMIssuingCA | — |
RemoteMMRootCA | — |
LocalAddress | — |
LocalKeyModPort | — |
RemoteAddress | — |
RemoteKeyModPort | — |
MMCipherAlg | — |
MMIntegrityAlg | — |
DHGroup | — |
MMLifetime | — |
QMLimit | — |
Role | — |
MMImpersonationState | — |
MMFilterID | — |
MMSAID | — |
LocalEMPrincipalName | — |
RemoteEMPrincipalName | — |
EMAuthMethod | — |
EMImpersonationState | — |
QMFilterID | — |
References
Event ID 4982 — IPsec Main Mode and Extended Mode security associations were established.
Message
Fields
| Name | Description |
|---|---|
LocalMMPrincipalName | — |
LocalMMCertHash | — |
LocalMMIssuingCA | — |
LocalMMRootCA | — |
RemoteMMPrincipalName | — |
RemoteMMCertHash | — |
RemoteMMIssuingCA | — |
RemoteMMRootCA | — |
LocalKeyModPort | — |
RemoteAddress | — |
RemoteKeyModPort | — |
MMCipherAlg | — |
MMIntegrityAlg | — |
DHGroup | — |
MMLifetime | — |
QMLimit | — |
Role | — |
MMImpersonationState | — |
MMFilterID | — |
MMSAID | — |
LocalEMPrincipalName | — |
LocalEMCertHash | — |
LocalEMIssuingCA | — |
LocalEMRootCA | — |
RemoteEMPrincipalName | — |
RemoteEMCertHash | — |
RemoteEMIssuingCA | — |
RemoteEMRootCA | — |
EMImpersonationState | — |
QMFilterID | — |
References
Event ID 4983 — An IPsec Extended Mode negotiation failed.
Message
Fields
| Name | Description |
|---|---|
LocalEMPrincipalName | — |
LocalEMCertHash | — |
LocalEMIssuingCA | — |
LocalEMRootCA | — |
RemoteEMPrincipalName | — |
RemoteEMCertHash | — |
RemoteEMIssuingCA | — |
RemoteEMRootCA | — |
LocalAddress | — |
LocalKeyModPort | — |
RemoteAddress | — |
RemoteKeyModPort | — |
FailurePoint | — |
FailureReason | — |
State | — |
Role | — |
EMImpersonationState | — |
QMFilterID | — |
References
Event ID 4984 — An IPsec Extended Mode negotiation failed.
Message
Fields
| Name | Description |
|---|---|
LocalEMPrincipalName | — |
RemoteEMPrincipalName | — |
LocalAddress | — |
LocalKeyModPort | — |
RemoteAddress | — |
RemoteKeyModPort | — |
FailurePoint | — |
FailureReason | — |
EMAuthMethod | — |
State | — |
Role | — |
EMImpersonationState | — |
QMFilterID | — |
References
Event ID 4985 — The state of a transaction has changed.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
TransactionId | — |
NewState | — |
ResourceManager | — |
ProcessId | — |
ProcessName | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 4985
version: 0
level: 0
task: 12800
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-04T14:08:17.810656+00:00'
event_record_id: 34392
correlation: {}
execution:
process_id: 4
thread_id: 3104
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-1958040314-2592322477-2606035944-500
SubjectUserName: Administrator
SubjectDomainName: WIN-TKC15D7KHUR
SubjectLogonId: '0x33bf51'
TransactionId: B1B0A54B-B418-11EC-8F27-080027EAB5C7
NewState: 52
ResourceManager: 64ED659C-9BDD-11EC-AFD4-9083472C0AE8
ProcessId: '0x12c8'
ProcessName: C:\Windows\System32\inetsrv\InetMgr.exe
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4985
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4985
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4985
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5024 — The Windows Firewall Service has started successfully.
Message
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5024
version: 0
level: 0
task: 12292
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:51.345615+00:00'
event_record_id: 2947
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 896
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data: {}
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5024
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5024
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5024
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5025 — The Windows Firewall Service has been stopped.
Message
Event ID 5027 — The Windows Firewall Service was unable to retrieve the security policy from the local storage.
Message
Fields
| Name | Description |
|---|---|
ErrorCode | — |
References
Event ID 5028 — The Windows Firewall Service was unable to parse the new security policy.
Message
Fields
| Name | Description |
|---|---|
ErrorCode | — |
Event ID 5029 — The Windows Firewall Service failed to initialize the driver.
Message
Fields
| Name | Description |
|---|---|
ErrorCode | — |
Event ID 5030 — The Windows Firewall Service failed to start.
Message
Fields
| Name | Description |
|---|---|
ErrorCode | — |
Event ID 5031 — The Windows Firewall Service blocked an application from accepting incoming connections on the network.
Message
Fields
| Name | Description |
|---|---|
Profiles | — |
Application | — |
References
Event ID 5032 — Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
Message
Fields
| Name | Description |
|---|---|
ErrorCode | — |
Event ID 5033 — The Windows Firewall Driver has started successfully.
Message
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5033
version: 0
level: 0
task: 12292
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:42.319074+00:00'
event_record_id: 2907
correlation: {}
execution:
process_id: 4
thread_id: 224
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data: {}
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5033
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5033
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5033
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5034 — The Windows Firewall Driver has been stopped.
Message
Event ID 5035 — The Windows Firewall Driver failed to start.
Message
Fields
| Name | Description |
|---|---|
ErrorCode | — |
Event ID 5037 — The Windows Firewall Driver detected critical runtime error.
Message
Fields
| Name | Description |
|---|---|
ErrorCode | — |
Event ID 5038 — Code integrity determined that the image hash of a file is not valid.
Message
Fields
| Name | Description |
|---|---|
param1 | — |
Community Notes
May indicate that malware attempted to load an unsigned or tampered driver/system file.
Sigma Rules
- Failed Code Integrity Checks
Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.
Event ID 5039 — A registry key was virtualized.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ObjectPath | — |
ObjectVirtualPath | — |
ProcessId | — |
ProcessName | — |
References
Event ID 5040 — A change has been made to IPsec settings. An Authentication Set was added.
Message
Fields
| Name | Description |
|---|---|
ProfileChanged | — |
AuthenticationSetId | — |
AuthenticationSetName | — |
References
Event ID 5041 — A change has been made to IPsec settings. An Authentication Set was modified.
Message
Fields
| Name | Description |
|---|---|
ProfileChanged | — |
AuthenticationSetId | — |
AuthenticationSetName | — |
Event ID 5042 — A change has been made to IPsec settings. An Authentication Set was deleted.
Message
Fields
| Name | Description |
|---|---|
ProfileChanged | — |
AuthenticationSetId | — |
AuthenticationSetName | — |
Event ID 5043 — A change has been made to IPsec settings. A Connection Security Rule was added.
Message
Fields
| Name | Description |
|---|---|
ProfileChanged | — |
ConnectionSecurityRuleId | — |
ConnectionSecurityRuleName | — |
References
Event ID 5044 — A change has been made to IPsec settings. A Connection Security Rule was modified.
Message
Fields
| Name | Description |
|---|---|
ProfileChanged | — |
ConnectionSecurityRuleId | — |
ConnectionSecurityRuleName | — |
Event ID 5045 — A change has been made to IPsec settings. A Connection Security Rule was deleted.
Message
Fields
| Name | Description |
|---|---|
ProfileChanged | — |
ConnectionSecurityRuleId | — |
ConnectionSecurityRuleName | — |
Event ID 5046 — A change has been made to IPsec settings. A Crypto Set was added.
Message
Fields
| Name | Description |
|---|---|
ProfileChanged | — |
CryptographicSetId | — |
CryptographicSetName | — |
References
Event ID 5047 — A change has been made to IPsec settings. A Crypto Set was modified.
Message
Fields
| Name | Description |
|---|---|
ProfileChanged | — |
CryptographicSetId | — |
CryptographicSetName | — |
Event ID 5048 — A change has been made to IPsec settings. A Crypto Set was deleted.
Message
Fields
| Name | Description |
|---|---|
ProfileChanged | — |
CryptographicSetId | — |
CryptographicSetName | — |
Event ID 5049 — An IPsec Security Association was deleted.
Message
Fields
| Name | Description |
|---|---|
ProfileChanged | — |
IpSecSecurityAssociationId | — |
IpSecSecurityAssociationName | — |
References
Event ID 5050 — An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE) interface was rejected.
Message
Fields
| Name | Description |
|---|---|
CallerProcessName | — |
ProcessId | — |
Publisher | — |
References
Event ID 5051 — A file was virtualized.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
FileName | — |
VirtualFileName | — |
ProcessId | — |
ProcessName | — |
References
Event ID 5056 — A cryptographic self test was performed.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Module | — |
ReturnCode | — |
References
Event ID 5057 — A cryptographic primitive operation failed.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ProviderName | — |
AlgorithmName | — |
Reason | — |
ReturnCode | — |
References
Event ID 5058 — Key file operation.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ClientProcessId | — |
ClientCreationTime | — |
ProviderName | — |
AlgorithmName | — |
KeyName | — |
KeyType | — |
KeyFilePath | — |
Operation | — |
ReturnCode | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5058
version: 1
level: 0
task: 12292
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:39.883187+00:00'
event_record_id: 2882
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 856
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
ClientProcessId: 1612
ClientCreationTime: '2023-11-06T06:25:38.635483Z'
ProviderName: Microsoft Software Key Storage Provider
AlgorithmName: UNKNOWN
KeyName: b87f845a-3278-6909-ee85-d3025f077fea
KeyType: '%%2500'
KeyFilePath: C:\ProgramData\Microsoft\Crypto\SystemKeys\fb28f36d176f9b9a964a506f1b386c99_31383106-803d-411b-9763-a28cdc0f0c3f
Operation: '%%2458'
ReturnCode: '0x0'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5058
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5058
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5058
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5059 — Key migration operation.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ClientProcessId | — |
ClientCreationTime | — |
ProviderName | — |
AlgorithmName | — |
KeyName | — |
KeyType | — |
Operation | — |
ReturnCode | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5059
version: 1
level: 0
task: 12292
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:39.884224+00:00'
event_record_id: 2884
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 856
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
ClientProcessId: 1612
ClientCreationTime: '2023-11-06T06:25:38.635483Z'
ProviderName: Microsoft Software Key Storage Provider
AlgorithmName: RSA
KeyName: b87f845a-3278-6909-ee85-d3025f077fea
KeyType: '%%2500'
Operation: '%%2464'
ReturnCode: '0x0'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5059
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5059
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5059
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5060 — Verification operation failed.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ProviderName | — |
AlgorithmName | — |
KeyName | — |
KeyType | — |
Reason | — |
ReturnCode | — |
References
Event ID 5061 — Cryptographic operation.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ProviderName | — |
AlgorithmName | — |
KeyName | — |
KeyType | — |
Operation | — |
ReturnCode | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5061
version: 0
level: 0
task: 12290
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:39.884031+00:00'
event_record_id: 2883
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 856
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
ProviderName: Microsoft Software Key Storage Provider
AlgorithmName: RSA
KeyName: b87f845a-3278-6909-ee85-d3025f077fea
KeyType: '%%2500'
Operation: '%%2480'
ReturnCode: '0x0'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5061
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5061
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5061
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5062 — A kernel-mode cryptographic self test was performed.
Message
Fields
| Name | Description |
|---|---|
Module | — |
ReturnCode | — |
References
Event ID 5063 — A cryptographic provider operation was attempted.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ProviderName | — |
ModuleName | — |
Operation | — |
ReturnCode | — |
References
Event ID 5064 — A cryptographic context operation was attempted.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Scope | — |
ContextName | — |
Operation | — |
ReturnCode | — |
References
Event ID 5065 — A cryptographic context modification was attempted.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Scope | — |
ContextName | — |
OldValue | — |
NewValue | — |
ReturnCode | — |
References
Event ID 5066 — A cryptographic function operation was attempted.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Scope | — |
ContextName | — |
InterfaceId | — |
FunctionName | — |
Position | — |
Operation | — |
ReturnCode | — |
References
Event ID 5067 — A cryptographic function modification was attempted.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Scope | — |
ContextName | — |
InterfaceId | — |
FunctionName | — |
OldValue | — |
NewValue | — |
ReturnCode | — |
References
Event ID 5068 — A cryptographic function provider operation was attempted.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Scope | — |
ContextName | — |
InterfaceId | — |
FunctionName | — |
ProviderName | — |
Position | — |
Operation | — |
ReturnCode | — |
References
Event ID 5069 — A cryptographic function property operation was attempted.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Scope | — |
ContextName | — |
InterfaceId | — |
FunctionName | — |
PropertyName | — |
Operation | — |
Value | — |
ReturnCode | — |
References
Event ID 5070 — A cryptographic function property modification was attempted.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Scope | — |
ContextName | — |
InterfaceId | — |
FunctionName | — |
PropertyName | — |
OldValue | — |
NewValue | — |
ReturnCode | — |
References
Event ID 5071 — Key access denied by Microsoft key distribution service.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
SecurityDescriptor | — |
Event ID 5120 — OCSP Responder Service Started.
Message
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5120
version: 0
level: 0
task: 12805
opcode: 0
keywords: 9232379236109516800
time_created: '2020-07-11T09:20:46.158376Z'
event_record_id: 1207920
correlation:
'#attributes':
ActivityID: 2FEE2C3A-4F79-0001-502C-EE2F794FD601
execution:
process_id: 576
thread_id: 3212
channel: Security
computer: pki01.offsec.lan
security:
user_id: ''
event_data: {}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5121 — OCSP Responder Service Stopped.
Message
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5121
version: 0
level: 0
task: 12805
opcode: 0
keywords: 9232379236109516800
time_created: '2020-07-11T09:20:43.401378Z'
event_record_id: 1207901
correlation:
'#attributes':
ActivityID: 2FEE2C3A-4F79-0001-502C-EE2F794FD601
execution:
process_id: 576
thread_id: 3212
channel: Security
computer: pki01.offsec.lan
security:
user_id: ''
event_data: {}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5122 — A Configuration entry changed in the OCSP Responder Service.
Message
Fields
| Name | Description |
|---|---|
CAConfigurationId | — |
NewValue | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
References
Event ID 5123 — A configuration entry changed in the OCSP Responder Service.
Message
Fields
| Name | Description |
|---|---|
PropertyName | — |
NewValue | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5123
version: 0
level: 0
task: 12805
opcode: 0
keywords: 9232379236109516800
time_created: '2020-07-11T09:21:24.702958Z'
event_record_id: 1207931
correlation:
'#attributes':
ActivityID: 2FEE2C3A-4F79-0001-502C-EE2F794FD601
execution:
process_id: 576
thread_id: 3544
channel: Security
computer: pki01.offsec.lan
security:
user_id: ''
event_data:
PropertyName: MaxNumOfCacheEntries
NewValue: '5000'
SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111
SubjectUserName: admmig
SubjectDomainName: OFFSEC
SubjectLogonId: '0x477ac56'
References
Event ID 5124 — A security setting was updated on OCSP Responder Service.
Message
Fields
| Name | Description |
|---|---|
NewSecuritySettings | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5124
version: 0
level: 0
task: 12805
opcode: 0
keywords: 9232379236109516800
time_created: '2020-07-11T09:21:50.109681Z'
event_record_id: 1207947
correlation:
'#attributes':
ActivityID: 2FEE2C3A-4F79-0001-502C-EE2F794FD601
execution:
process_id: 576
thread_id: 3544
channel: Security
computer: pki01.offsec.lan
security:
user_id: ''
event_data:
NewSecuritySettings: "\nAllow(0x00000101)\tBUILTIN\\Administrators\n\tOCSP Administrator\n\tRead\nAllow(0x00000300)\tIIS
APPPOOL\\OCSPISAPIAppPool\n\tRead\n\tOCSP Requestor\n"
SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111
SubjectUserName: admmig
SubjectDomainName: OFFSEC
SubjectLogonId: '0x477ac56'
References
Event ID 5125 — A request was submitted to OCSP Responder Service.
Message
Fields
| Name | Description |
|---|---|
SerialNumber | — |
CAName | — |
Status | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Event ID 5126 — Signing Certificate was automatically updated by the OCSP Responder Service.
Message
Fields
| Name | Description |
|---|---|
CAConfigurationId | — |
NewSigningCertificateHash | — |
References
Event ID 5127 — The OCSP Revocation Provider successfully updated the revocation information.
Message
Fields
| Name | Description |
|---|---|
CAConfigurationId | — |
BaseCRLNumber | — |
BaseCRLThisUpdate | — |
BaseCRLHash | — |
DeltaCRLNumber | — |
DeltaCRLIndicator | — |
DeltaCRLThisUpdate | — |
DeltaCRLHash | — |
References
Event ID 5136 — A directory service object was modified.
Message
Fields
| Name | Description |
|---|---|
OpCorrelationID | — |
AppCorrelationID | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
DSName | — |
DSType | — |
ObjectDN | — |
ObjectGUID | — |
ObjectClass | — |
AttributeLDAPDisplayName | — |
AttributeSyntaxOID | — |
AttributeValue | — |
OperationType | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5136
version: 0
level: 0
task: 14081
opcode: 0
keywords: 9232379236109516800
time_created: '2019-03-25T10:33:56.457629Z'
event_record_id: 198238043
correlation: {}
execution:
process_id: 444
thread_id: 3488
channel: Security
computer: DC1.insecurebank.local
security:
user_id: ''
event_data:
OpCorrelationID: 780EA6E1-6307-48D6-8B0D-8C45CC7534AE
AppCorrelationID: '-'
SubjectUserSid: S-1-5-21-738609754-2819869699-4189121830-1108
SubjectUserName: bob
SubjectDomainName: insecurebank
SubjectLogonId: '0x8d7099'
DSName: insecurebank.local
DSType: '%%14676'
ObjectDN: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=INSECUREBANK,DC=LOCAL
ObjectGUID: 6CDECDB5-7515-4511-8141-C34A7C3D4A0A
ObjectClass: groupPolicyContainer
AttributeLDAPDisplayName: versionNumber
AttributeSyntaxOID: 2.5.5.9
AttributeValue: '5'
OperationType: '%%14675'
Community Notes
May indicate high-impact changes in AD, like adding SID history or malicious GPOs. Attribute change to msDS-AllowedToActOnBehalfOfOtherIdentity is usually suspicious and indicates a Kerberos relay attack.
Sigma Rules
- Powerview Add-DomainObjectAcl DCSync AD Extend Right
Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
- Active Directory User Backdoors
Detects scenarios where one can control another user's or computer's account without having to use their credentials.
- Windows Default Domain GPO Modification
Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
- Persistence and Execution at Scale via GPO Scheduled Task
Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
- Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073. Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.
Showing 5 of 10 matching Sigma rules.
References
Event ID 5137 — A directory service object was created.
Message
Fields
| Name | Description |
|---|---|
OpCorrelationID | — |
AppCorrelationID | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
DSName | — |
DSType | — |
ObjectDN | — |
ObjectGUID | — |
ObjectClass | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5137
version: 0
level: 0
task: 14081
opcode: 0
keywords: 9232379236109516800
time_created: '2021-04-27T11:04:13.291038Z'
event_record_id: 138520223
correlation:
'#attributes':
ActivityID: 9816F041-2BBE-0000-53F0-1698BE2BD701
execution:
process_id: 548
thread_id: 4324
channel: Security
computer: rootdc1.offsec.lan
security:
user_id: ''
event_data:
OpCorrelationID: B960A203-A3DF-4586-A2ED-740024D6C42A
AppCorrelationID: '-'
SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111
SubjectUserName: admmig
SubjectDomainName: OFFSEC
SubjectLogonId: '0x31a24611'
DSName: offsec.lan
DSType: '%%14676'
ObjectDN: CN=JUMP01,CN=Servers,CN=OFFSEC-PREMISE,CN=Sites,CN=Configuration,DC=offsec,DC=lan
ObjectGUID: 590B1EF4-6143-4C18-B554-1EE0A59BB7F8
ObjectClass: server
Community Notes
May indicate high-impact changes in AD.
Sigma Rules
- Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073. Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.
References
Event ID 5138 — A directory service object was undeleted.
Message
Fields
| Name | Description |
|---|---|
OpCorrelationID | — |
AppCorrelationID | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
DSName | — |
DSType | — |
OldObjectDN | — |
NewObjectDN | — |
ObjectGUID | — |
ObjectClass | — |
References
Event ID 5139 — A directory service object was moved.
Message
Fields
| Name | Description |
|---|---|
OpCorrelationID | — |
AppCorrelationID | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
DSName | — |
DSType | — |
OldObjectDN | — |
NewObjectDN | — |
ObjectGUID | — |
ObjectClass | — |
Community Notes
May indicate high-impact changes in AD.
Event ID 5140 — A network share object was accessed.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ObjectType | — |
IpAddress | — |
IpPort | — |
ShareName | — |
ShareLocalPath | — |
AccessMask | — |
AccessList | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5140
version: 1
level: 0
task: 12808
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T01:51:58.721534+00:00'
event_record_id: 300935
correlation: {}
execution:
process_id: 4
thread_id: 17692
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-1992711665-1655669231-58201500-1000
SubjectUserName: User
SubjectDomainName: WINDEV2310EVAL
SubjectLogonId: '0x27844'
ObjectType: File
IpAddress: ::1
IpPort: '62726'
ShareName: \\*\C$
ShareLocalPath: \??\C:\
AccessMask: '0x1'
AccessList: "%%4416\r\n\t\t\t\t"
message: ''
Community Notes
Tracks who is accessing shared folders on the network. Very noisy.
Sigma Rules
- Access To ADMIN$ Network Share
Detects access to ADMIN$ network share
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5140
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5140
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5141 — A directory service object was deleted.
Message
Fields
| Name | Description |
|---|---|
OpCorrelationID | — |
AppCorrelationID | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
DSName | — |
DSType | — |
ObjectDN | — |
ObjectGUID | — |
ObjectClass | — |
TreeDelete | — |
References
Event ID 5142 — A network share object was added.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ShareName | — |
ShareLocalPath | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5142
version: 0
level: 0
task: 12808
opcode: 0
keywords: 9232379236109516800
time_created: '2019-03-17T19:30:30.324836Z'
event_record_id: 6273
correlation: {}
execution:
process_id: 4
thread_id: 64
channel: Security
computer: PC04.example.corp
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-3583694148-1414552638-2922671848-1000
SubjectUserName: IEUser
SubjectDomainName: PC04
SubjectLogonId: '0x128a9'
ShareName: \\*\PRINT
ShareLocalPath: c:\windows\system32
Community Notes
May be a prelude to data exfiltration. Includes named pipes and IPC$ (confirm if the client address is external/unexpected). May indicate share enumeration and directory walking prior to exfiltration. The RelativeTargetName field may show the original file name and path on the attacker's machine.
References
Event ID 5143 — A network share object was modified.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ObjectType | — |
ShareName | — |
ShareLocalPath | — |
OldRemark | — |
NewRemark | — |
OldMaxUsers | — |
NewMaxUsers | — |
OldShareFlags | — |
NewShareFlags | — |
OldSD | — |
NewSD | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5143
version: 0
level: 0
task: 12808
opcode: 0
keywords: 9232379236109516800
time_created: '2020-07-11T17:17:32.128132Z'
event_record_id: 1228290
correlation: {}
execution:
process_id: 464
thread_id: 472
channel: Security
computer: fs02.offsec.lan
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111
SubjectUserName: admmig
SubjectDomainName: OFFSEC
SubjectLogonId: '0x202dac8'
ObjectType: Directory
ShareName: \\*\hidden-share$
ShareLocalPath: C:\TOOLS\hidden-share$
OldRemark: N/A
NewRemark: N/A
OldMaxUsers: '0xffffffff'
NewMaxUsers: '0xffffffff'
OldShareFlags: '0x0'
NewShareFlags: '0x0'
OldSD: O:BAG:DUD:(A;;0x1200a9;;;WD)
NewSD: O:BAG:DUD:(A;;FA;;;S-1-5-21-4230534742-2542757381-3142984815-1107)(A;;0x1301bf;;;WD)
References
Event ID 5144 — A network share object was deleted.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ShareName | — |
ShareLocalPath | — |
Event ID 5145 — A network share object was checked to see whether client can be granted desired access.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ObjectType | — |
IpAddress | — |
IpPort | — |
ShareName | — |
ShareLocalPath | — |
RelativeTargetName | — |
AccessMask | — |
AccessList | — |
AccessReason | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5145
version: 0
level: 0
task: 12811
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T01:51:58.765174+00:00'
event_record_id: 300953
correlation: {}
execution:
process_id: 4
thread_id: 20724
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-1992711665-1655669231-58201500-1000
SubjectUserName: User
SubjectDomainName: WINDEV2310EVAL
SubjectLogonId: '0x27844'
ObjectType: File
IpAddress: ::1
IpPort: '62726'
ShareName: \\*\C$
ShareLocalPath: \??\C:\
RelativeTargetName: Users\User\Downloads
AccessMask: '0x100081'
AccessList: "%%1541\r\n\t\t\t\t%%4416\r\n\t\t\t\t%%4423\r\n\t\t\t\t"
AccessReason: '-'
message: ''
Sigma Rules
- Remote Task Creation via ATSVC Named Pipe
Detects remote task creation via at.exe or API interacting with ATSVC named pipe
- DCERPC SMB Spoolss Named Pipe
Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spooler service enabled.
- DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
- Persistence and Execution at Scale via GPO Scheduled Task
Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
- Impacket PsExec Execution
Detects execution of Impacket's psexec.py.
Showing 5 of 17 matching Sigma rules.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5145
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5146 — The Windows Filtering Platform has blocked a packet.
Message
Fields
| Name | Description |
|---|---|
Direction | — |
SourceAddress | — |
DestAddress | — |
EtherType | — |
VlanTag | — |
vSwitch ID | — |
SourcevSwitchPort | — |
DestinationvSwitchPort | — |
FilterRTID | — |
LayerName | — |
LayerRTID | — |
vSwitchID | — |
Event ID 5147 — A more restrictive Windows Filtering Platform filter has blocked a packet.
Message
Fields
| Name | Description |
|---|---|
Direction | — |
SourceAddress | — |
DestAddress | — |
EtherType | — |
VlanTag | — |
vSwitch ID | — |
SourcevSwitchPort | — |
DestinationvSwitchPort | — |
FilterRTID | — |
LayerName | — |
LayerRTID | — |
vSwitchID | — |
Event ID 5148 — The Windows Filtering Platform has detected a DoS attack and entered a defensive mode.
Message
Fields
| Name | Description |
|---|---|
Type | — |
References
Event ID 5149 — The DoS attack has subsided and normal processing is being resumed.
Message
Fields
| Name | Description |
|---|---|
Type | — |
PacketsDiscarded | — |
References
Event ID 5150 — The Windows Filtering Platform has blocked a packet.
Message
Fields
| Name | Description |
|---|---|
Direction | — |
SourceAddress | — |
DestAddress | — |
EtherType | — |
MediaType | — |
InterfaceType | — |
VlanTag | — |
FilterRTID | — |
LayerName | — |
LayerRTID | — |
References
Event ID 5151 — A more restrictive Windows Filtering Platform filter has blocked a packet.
Message
Fields
| Name | Description |
|---|---|
Direction | — |
SourceAddress | — |
DestAddress | — |
EtherType | — |
MediaType | — |
InterfaceType | — |
VlanTag | — |
FilterRTID | — |
LayerName | — |
LayerRTID | — |
Event ID 5152 — The Windows Filtering Platform blocked a packet.
Message
Fields
| Name | Description |
|---|---|
ProcessId | — |
Application | — |
Direction | — |
SourceAddress | — |
SourcePort | — |
DestAddress | — |
DestPort | — |
Protocol | — |
FilterOrigin | — |
FilterRTID | — |
LayerName | — |
LayerRTID | — |
Community Notes
Prefer 5157 when both are available as it is per-connection.
References
Event ID 5153 — A more restrictive Windows Filtering Platform filter has blocked a packet.
Message
Fields
| Name | Description |
|---|---|
ProcessId | — |
Application | — |
Direction | — |
SourceAddress | — |
SourcePort | — |
DestAddress | — |
DestPort | — |
Protocol | — |
FilterOrigin | — |
FilterRTID | — |
LayerName | — |
LayerRTID | — |
Event ID 5154 — The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Message
Fields
| Name | Description |
|---|---|
ProcessId | — |
Application | — |
SourceAddress | — |
SourcePort | — |
Protocol | — |
FilterRTID | — |
LayerName | — |
LayerRTID | — |
Community Notes
Detects unexpected services binding, often precedes C2 beaconing.
References
Event ID 5155 — The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Message
Fields
| Name | Description |
|---|---|
ProcessId | — |
Application | — |
SourceAddress | — |
SourcePort | — |
Protocol | — |
FilterRTID | — |
LayerName | — |
LayerRTID | — |
Event ID 5156 — The Windows Filtering Platform has permitted a connection.
Message
Fields
| Name | Description |
|---|---|
ProcessID | — |
Application | — |
Direction | — |
SourceAddress | — |
SourcePort | — |
DestAddress | — |
DestPort | — |
Protocol | — |
FilterRTID | — |
LayerName | — |
LayerRTID | — |
RemoteUserID | — |
RemoteMachineID | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5156
version: 1
level: 0
task: 12810
opcode: 0
keywords: 9232379236109516800
time_created: '2019-02-13T18:01:47.512340Z'
event_record_id: 227694
correlation: {}
execution:
process_id: 4
thread_id: 56
channel: Security
computer: PC01.example.corp
security:
user_id: ''
event_data:
ProcessID: 820
Application: \device\harddiskvolume1\windows\system32\svchost.exe
Direction: '%%14593'
SourceAddress: fe80::80ac:4126:fa58:1b81
SourcePort: '546'
DestAddress: ff02::1:2
DestPort: '547'
Protocol: 17
FilterRTID: 65865
LayerName: '%%14611'
LayerRTID: 50
RemoteUserID: S-1-0-0
RemoteMachineID: S-1-0-0
Community Notes
Indicates what process (application path) on the local machine made an outbound connection to a specific destination IP and port. Helpful for reviewing connections made by a suspect process.
Sigma Rules
- RDP over Reverse SSH Tunnel WFP
Detects svchost hosting RDP termsvcs communicating with the loopback address
- Remote PowerShell Sessions Network Connections (WinRM)
Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
- Uncommon Outbound Kerberos Connection - Security
Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
References
Event ID 5157 — The Windows Filtering Platform has blocked a connection.
Message
Fields
| Name | Description |
|---|---|
ProcessID | — |
Application | — |
Direction | — |
SourceAddress | — |
SourcePort | — |
DestAddress | — |
DestPort | — |
Protocol | — |
InterfaceIndex | — |
FilterOrigin | — |
FilterRTID | — |
LayerName | — |
LayerRTID | — |
RemoteUserID | — |
RemoteMachineID | — |
OriginalProfile | — |
CurrentProfile | — |
IsLoopback | — |
HasRemoteDynamicKeywordAddress | — |
Sigma Rules
- Windows Filtering Platform Blocked Connection From EDR Agent Binary
Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.
Event ID 5158 — The Windows Filtering Platform has permitted a bind to a local port.
Message
Fields
| Name | Description |
|---|---|
ProcessId | — |
Application | — |
SourceAddress | — |
SourcePort | — |
Protocol | — |
FilterRTID | — |
LayerName | — |
LayerRTID | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5158
version: 0
level: 0
task: 12810
opcode: 0
keywords: 9232379236109516800
time_created: '2019-02-13T18:04:01.722250Z'
event_record_id: 227731
correlation: {}
execution:
process_id: 4
thread_id: 56
channel: Security
computer: PC01.example.corp
security:
user_id: ''
event_data:
ProcessId: 1280
Application: \device\harddiskvolume1\windows\system32\svchost.exe
SourceAddress: 0.0.0.0
SourcePort: '55355'
Protocol: 17
FilterRTID: 0
LayerName: '%%14608'
LayerRTID: 36
Community Notes
Unexpected binds on high ports may be a prelude to data exfiltration.
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5159 — The Windows Filtering Platform has blocked a bind to a local port.
Message
Fields
| Name | Description |
|---|---|
ProcessId | — |
Application | — |
SourceAddress | — |
SourcePort | — |
Protocol | — |
FilterRTID | — |
LayerName | — |
LayerRTID | — |
Event ID 5160 — The Windows Filtering Platform Audit Mode has allowed a connection or packet that would have been blocked.
Message
Fields
| Name | Description |
|---|---|
ProcessID | — |
Application | — |
Direction | — |
SourceAddress | — |
SourcePort | — |
DestAddress | — |
DestPort | — |
Protocol | — |
InterfaceIndex | — |
FilterOrigin | — |
FilterRTID | — |
LayerName | — |
LayerRTID | — |
RemoteUserID | — |
RemoteMachineID | — |
OriginalProfile | — |
CurrentProfile | — |
IsLoopback | — |
HasRemoteDynamicKeywordAddress | — |
FirewallPolicyStore | — |
Modifiable | — |
CalloutInvolved | — |
CalloutID | — |
Event ID 5168 — SPN check for SMB/SMB2 fails.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
SpnName | — |
ErrorCode | — |
ServerNames | — |
ConfiguredNames | — |
IpAddresses | — |
References
Event ID 5169 — A directory service object was modified.
Message
Fields
| Name | Description |
|---|---|
OpCorrelationID | — |
AppCorrelationID | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
DSName | — |
DSType | — |
ObjectDN | — |
ObjectGUID | — |
ObjectClass | — |
AttributeLDAPDisplayName | — |
AttributeSyntaxOID | — |
AttributeValue | — |
ExpirationTime | — |
OperationType | — |
Event ID 5170 — A directory service object was modified during a background cleanup task.
Message
Fields
| Name | Description |
|---|---|
OpCorrelationID | — |
AppCorrelationID | — |
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
DSName | — |
DSType | — |
ObjectDN | — |
ObjectGUID | — |
ObjectClass | — |
AttributeLDAPDisplayName | — |
AttributeSyntaxOID | — |
AttributeValue | — |
ExpirationTime | — |
OperationType | — |
Event ID 5376 — Credential Manager credentials were backed up.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
BackupFileName | — |
ProcessCreationTime | — |
ClientProcessId | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5376
version: 1
level: 0
task: 13824
opcode: 0
keywords: 9232379236109516800
time_created: '2022-09-24T19:57:32.266266+00:00'
event_record_id: 150002
correlation:
ActivityID: B2946CF1-CF76-0001-5C6D-94B276CFD801
execution:
process_id: 804
thread_id: 5832
channel: Security
computer: GUAPOS-PC
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-3960598978-2723104146-531989891-1001
SubjectUserName: FOXTWO
SubjectDomainName: GUAPOS-PC
SubjectLogonId: 894283
BackupFileName: C:\Windows\TEMP\CRD46C3.tmp
ProcessCreationTime: 1664049447.1706607
ClientProcessId: 5400
message: "Credential Manager credentials were backed up.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3960598978-2723104146-531989891-1001\n\tAccount
Name:\t\tFOXTWO\n\tAccount Domain:\t\tGUAPOS-PC\n\tLogon ID:\t\t894283\n\tBackupFileName:\t\tC:\\Windows\\TEMP\\CRD46C3.tmp\n\nThis
event occurs when a user backs up their own Credential Manager credentials. A user
(even an Administrator) cannot back up the credentials of an account other than
his own."
Community Notes
Backup of Credential Manager vault, shows a user exporting stored passwords and keys. Often precedes lateral movement or exfiltration.
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5377 — Credential Manager credentials were restored from a backup.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
BackupFileName | — |
ProcessCreationTime | — |
ClientProcessId | — |
Community Notes
Credential Manager credentials were restored from a backup, may indicate import of stolen vaults from another host.
Event ID 5378 — The requested credentials delegation was disallowed by policy.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Package | — |
UserUPN | — |
TargetServer | — |
CredType | — |
References
Event ID 5379 — Credential Manager credentials were read.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
TargetName | — |
Type | — |
CountOfCredentialsReturned | — |
ReadOperation | — |
ReturnCode | — |
ProcessCreationTime | — |
ClientProcessId | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5379
version: 0
level: 0
task: 13824
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T06:25:40.049147+00:00'
event_record_id: 2888
correlation:
ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
execution:
process_id: 808
thread_id: 896
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
TargetName: WindowsLive:target=virtualapp/didlogical
Type: 0
CountOfCredentialsReturned: 0
ReadOperation: '%%8100'
ReturnCode: 3221226021
ProcessCreationTime: '2023-11-06T06:25:38.635483Z'
ClientProcessId: 1612
message: ''
Community Notes
Credential Manager credentials were read. Large numbers of reads may indicate automated credential theft.
Sigma Rules
- Password Protected ZIP File Opened
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
- Password Protected ZIP File Opened (Suspicious Filenames)
Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
- Password Protected ZIP File Opened (Email Attachment)
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5379
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5379
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5380 — Vault Find Credential.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
SearchString | — |
SchemaFriendlyName | — |
Schema | — |
CountOfCredentialsReturned | — |
ProcessCreationTime | — |
ClientProcessId | — |
Event ID 5381 — Vault credentials were read.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
Flags | — |
CountOfCredentialsReturned | — |
ProcessCreationTime | — |
ClientProcessId | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5381
version: 0
level: 0
task: 13824
opcode: 0
keywords: 9232379236109516800
time_created: '2022-09-24T20:05:50.571779+00:00'
event_record_id: 150026
correlation: {}
execution:
process_id: 804
thread_id: 5636
channel: Security
computer: GUAPOS-PC
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-21-3960598978-2723104146-531989891-1001
SubjectUserName: FOXTWO
SubjectDomainName: GUAPOS-PC
SubjectLogonId: 894283
Flags: 0
CountOfCredentialsReturned: 1
ProcessCreationTime: 1664049942.3177185
ClientProcessId: 10620
message: "Vault credentials were read.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3960598978-2723104146-531989891-1001\n\tAccount
Name:\t\tFOXTWO\n\tAccount Domain:\t\tGUAPOS-PC\n\tLogon ID:\t\t894283\n\nThis event
occurs when a user enumerates stored vault credentials."
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5382 — Vault credentials were read.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
SchemaFriendlyName | — |
Schema | — |
Resource | — |
Identity | — |
PackageSid | — |
Flags | — |
ReturnCode | — |
ProcessCreationTime | — |
ClientProcessId | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5382
version: 0
level: 0
task: 13824
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-05T22:28:52.690626+00:00'
event_record_id: 3184
correlation: {}
execution:
process_id: 808
thread_id: 888
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WINDEV2310EVAL$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
SchemaFriendlyName: NGC Local Accoount Logon Vault Resource Schema
Schema: 1D4350A3-330D-4AF9-B3FF-A927A45998AC
Resource: NGC Local Accoount Logon Vault Resource
Identity: 010500000000000515000000F15DC676EF81AF629C157803E8030000
PackageSid: ''
Flags: 0
ReturnCode: 1168
ProcessCreationTime: '2023-11-05T22:28:52.050339Z'
ClientProcessId: 4612
message: ''
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5382
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5440 — The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
Message
Fields
| Name | Description |
|---|---|
ProviderKey | — |
ProviderName | — |
CalloutKey | — |
CalloutName | — |
CalloutType | — |
CalloutId | — |
LayerKey | — |
LayerName | — |
LayerId | — |
References
Event ID 5441 — The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
Message
Fields
| Name | Description |
|---|---|
ProviderKey | — |
ProviderName | — |
FilterKey | — |
FilterName | — |
FilterType | — |
FilterId | — |
LayerKey | — |
LayerName | — |
LayerId | — |
Weight | — |
Conditions | — |
Action | — |
CalloutKey | — |
CalloutName | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5441
version: 0
level: 0
task: 13572
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-04T13:11:16.631722+00:00'
event_record_id: 25499
correlation:
ActivityID: 7377737E-4825-0000-C974-77732548D801
execution:
process_id: 612
thread_id: 668
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
ProviderKey: DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62
ProviderName: Microsoft Corporation
FilterKey: B98B75DC-17C0-4E84-BD4E-2080527CA6A6
FilterName: AppContainerBoottimeFilter
FilterType: '%%16387'
FilterId: 67430
LayerKey: A3B42C97-9F04-4672-B87E-CEE9C483257F
LayerName: ALE Receive/Accept v6 Layer
LayerId: 46
Weight: 18446744073709551615
Conditions: "\n\tCondition ID:\t{632ce23b-5167-435c-86d7-e903684aa80c}\n\tMatch
value:\tAll flags set\n\tCondition value:\t0x00400000\n"
Action: '%%16390'
CalloutKey: 00000000-0000-0000-0000-000000000000
CalloutName: '-'
message: ''
Sigma Rules
- HackTool - EDRSilencer Execution - Filter Added
Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5441
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5441
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5441
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5442 — The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
Message
Fields
| Name | Description |
|---|---|
ProviderKey | — |
ProviderName | — |
ProviderType | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5442
version: 0
level: 0
task: 13572
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-04T13:11:16.631829+00:00'
event_record_id: 25503
correlation:
ActivityID: 7377737E-4825-0000-C974-77732548D801
execution:
process_id: 612
thread_id: 668
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
ProviderKey: 1BEBC969-61A5-4732-A177-847A0817862A
ProviderName: Microsoft Corporation
ProviderType: '%%16387'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5442
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5442
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5442
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5443 — The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
Message
Fields
| Name | Description |
|---|---|
ProviderKey | — |
ProviderName | — |
ProviderContextKey | — |
ProviderContextName | — |
ProviderContextType | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5443
version: 0
level: 0
task: 13572
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-04T13:11:16.631811+00:00'
event_record_id: 25502
correlation:
ActivityID: 7377737E-4825-0000-C974-77732548D801
execution:
process_id: 612
thread_id: 668
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
ProviderKey: DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62
ProviderName: Microsoft Corporation
ProviderContextKey: 93132C36-6E06-4E6F-A10B-218787CD49CF
ProviderContextName: MPSSVC
ProviderContextType: '%%16387'
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5443
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5443
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5443
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5444 — The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
Message
Fields
| Name | Description |
|---|---|
ProviderKey | — |
ProviderName | — |
SubLayerKey | — |
SubLayerName | — |
SubLayerType | — |
Weight | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5444
version: 0
level: 0
task: 13572
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-04T13:11:16.631773+00:00'
event_record_id: 25500
correlation:
ActivityID: 7377737E-4825-0000-C974-77732548D801
execution:
process_id: 612
thread_id: 668
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
ProviderKey: 1BEBC969-61A5-4732-A177-847A0817862A
ProviderName: Microsoft Corporation
SubLayerKey: 9BA30013-C84E-47E5-AC6E-1E1AED72FA69
SubLayerName: Microsoft Corporation
SubLayerType: '%%16387'
Weight: 40961
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5444
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5444
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5444
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5446 — A Windows Filtering Platform callout has been changed.
Message
Fields
| Name | Description |
|---|---|
ProcessId | — |
UserSid | — |
UserName | — |
ProviderKey | — |
ProviderName | — |
ChangeType | — |
CalloutKey | — |
CalloutName | — |
CalloutType | — |
CalloutId | — |
LayerKey | — |
LayerName | — |
LayerId | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5446
version: 0
level: 0
task: 13572
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-04T13:12:54.760281+00:00'
event_record_id: 29300
correlation:
ActivityID: 7377737E-4825-0000-C974-77732548D801
execution:
process_id: 612
thread_id: 664
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
ProcessId: 2088
UserSid: S-1-5-19
UserName: NT AUTHORITY\LOCAL SERVICE
ProviderKey: 00000000-0000-0000-0000-000000000000
ProviderName: '-'
ChangeType: '%%16384'
CalloutKey: 31114833-2891-4EDD-A8EC-2FF8549AA491
CalloutName: windefend_flow_established_v6
CalloutType: '%%16388'
CalloutId: 289
LayerKey: 7021D2B3-DFA4-406E-AFEB-6AFAF7E70EFD
LayerName: ALE Flow Established v6 Layer
LayerId: 54
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5446
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5446
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5446
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5447 — A Windows Filtering Platform filter has been changed.
Message
Fields
| Name | Description |
|---|---|
ProcessId | — |
UserSid | — |
UserName | — |
ProviderKey | — |
ProviderName | — |
ChangeType | — |
FilterKey | — |
FilterName | — |
FilterType | — |
FilterId | — |
LayerKey | — |
LayerName | — |
LayerId | — |
Weight | — |
Conditions | — |
Action | — |
CalloutKey | — |
CalloutName | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5447
version: 0
level: 0
task: 13573
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-06T01:44:15.910142+00:00'
event_record_id: 289924
correlation:
ActivityID: E4DB489E-1037-0001-0C49-DBE43710DA01
execution:
process_id: 808
thread_id: 12032
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
ProcessId: 2896
UserSid: S-1-5-19
UserName: NT AUTHORITY\LOCAL SERVICE
ProviderKey: DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62
ProviderName: Microsoft Corporation
ChangeType: '%%16384'
FilterKey: E170DBAA-294E-40F7-A2BE-E0DEE7DF9E43
FilterName: Microsoft Teams
FilterType: '%%16388'
FilterId: 78819
LayerKey: A3B42C97-9F04-4672-B87E-CEE9C483257F
LayerName: ALE Receive/Accept v6 Layer
LayerId: 46
Weight: 10376504785133109248
Conditions: "\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch
value:\tEqual to\n\tCondition value:\t\n 00000000 5c 00 64 00 65 00 76 00-69
00 63 00 65 00 5c 00 \\.d.e.v.i.c.e.\\.\n 00000010 68 00 61 00 72 00 64 00-64
00 69 00 73 00 6b 00 h.a.r.d.d.i.s.k.\n 00000020 76 00 6f 00 6c 00 75 00-6d
00 65 00 34 00 5c 00 v.o.l.u.m.e.4.\\.\n 00000030 70 00 72 00 6f 00 67 00-72
00 61 00 6d 00 20 00 p.r.o.g.r.a.m. .\n 00000040 66 00 69 00 6c 00 65 00-73
00 5c 00 77 00 69 00 f.i.l.e.s.\\.w.i.\n 00000050 6e 00 64 00 6f 00 77 00-73
00 61 00 70 00 70 00 n.d.o.w.s.a.p.p.\n 00000060 73 00 5c 00 6d 00 69 00-63
00 72 00 6f 00 73 00 s.\\.m.i.c.r.o.s.\n 00000070 6f 00 66 00 74 00 74 00-65
00 61 00 6d 00 73 00 o.f.t.t.e.a.m.s.\n 00000080 5f 00 32 00 33 00 32 00-37
00 35 00 2e 00 37 00 _.2.3.2.7.5...7.\n 00000090 30 00 32 00 2e 00 32 00-34
00 32 00 31 00 2e 00 0.2...2.4.2.1...\n 000000a0 32 00 34 00 30 00 36 00-5f
00 78 00 36 00 34 00 2.4.0.6._.x.6.4.\n 000000b0 5f 00 5f 00 38 00 77 00-65
00 6b 00 79 00 62 00 _._.8.w.e.k.y.b.\n 000000c0 33 00 64 00 38 00 62 00-62
00 77 00 65 00 5c 00 3.d.8.b.b.w.e.\\.\n 000000d0 6d 00 73 00 74 00 65 00-61
00 6d 00 73 00 2e 00 m.s.t.e.a.m.s...\n 000000e0 65 00 78 00 65 00 00 00
\ e.x.e...\n\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch
value:\tEqual to\n\tCondition value:\t0x11\n"
Action: '%%16390'
CalloutKey: 00000000-0000-0000-0000-000000000000
CalloutName: '-'
message: ''
Sigma Rules
- HackTool - EDRSilencer Execution - Filter Added
Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
- HackTool - NoFilter Execution
Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5447
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5447
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5447
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5448 — A Windows Filtering Platform provider has been changed.
Message
Fields
| Name | Description |
|---|---|
ProcessId | — |
UserSid | — |
UserName | — |
ChangeType | — |
ProviderKey | — |
ProviderName | — |
ProviderType | — |
References
Event ID 5449 — A Windows Filtering Platform provider context has been changed.
Message
Fields
| Name | Description |
|---|---|
ProcessId | — |
UserSid | — |
UserName | — |
ProviderKey | — |
ProviderName | — |
ChangeType | — |
ProviderContextKey | — |
ProviderContextName | — |
ProviderContextType | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5449
version: 0
level: 0
task: 13572
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-04T13:13:39.336916+00:00'
event_record_id: 29353
correlation:
ActivityID: 7377737E-4825-0000-C974-77732548D801
execution:
process_id: 612
thread_id: 664
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
ProcessId: 1192
UserSid: S-1-5-19
UserName: NT AUTHORITY\LOCAL SERVICE
ProviderKey: DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62
ProviderName: Microsoft Corporation
ChangeType: '%%16385'
ProviderContextKey: E5AF5758-67DC-469F-9F77-8EAB0F229359
ProviderContextName: MPSSVC
ProviderContextType: '%%16388'
message: ''
Sigma Rules
- HackTool - NoFilter Execution
Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5449
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5449
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5449
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5450 — A Windows Filtering Platform sub-layer has been changed.
Message
Fields
| Name | Description |
|---|---|
ProcessId | — |
UserSid | — |
UserName | — |
ProviderKey | — |
ProviderName | — |
ChangeType | — |
SubLayerKey | — |
SubLayerName | — |
SubLayerType | — |
Weight | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5450
version: 0
level: 0
task: 13572
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-04T13:12:54.760352+00:00'
event_record_id: 29301
correlation:
ActivityID: 7377737E-4825-0000-C974-77732548D801
execution:
process_id: 612
thread_id: 664
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
ProcessId: 2088
UserSid: S-1-5-19
UserName: NT AUTHORITY\LOCAL SERVICE
ProviderKey: 00000000-0000-0000-0000-000000000000
ProviderName: '-'
ChangeType: '%%16384'
SubLayerKey: 3C1CD879-1B8C-4AB4-8F83-5ED129176EF3
SubLayerName: windefend
SubLayerType: '%%16388'
Weight: 4096
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5450
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5450
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5450
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5451 — An IPsec quick mode security association was established.
Message
Fields
| Name | Description |
|---|---|
LocalAddress | — |
LocalAddressMask | — |
LocalPort | — |
LocalTunnelEndpoint | — |
RemoteAddress | — |
RemoteAddressMask | — |
RemotePort | — |
PeerPrivateAddress | — |
RemoteTunnelEndpoint | — |
IpProtocol | — |
KeyingModuleName | — |
AhAuthType | — |
EspAuthType | — |
CipherType | — |
LifetimeSeconds | — |
LifetimeKilobytes | — |
LifetimePackets | — |
Mode | — |
Role | — |
TransportFilterId | — |
MainModeSaId | — |
QuickModeSaId | — |
InboundSpi | — |
OutboundSpi | — |
TunnelId | — |
TrafficSelectorId | — |
References
Event ID 5452 — An IPsec quick mode security association ended.
Message
Fields
| Name | Description |
|---|---|
LocalAddress | — |
LocalAddressMask | — |
LocalPort | — |
LocalTunnelEndpoint | — |
RemoteAddress | — |
RemoteAddressMask | — |
RemotePort | — |
RemoteTunnelEndpoint | — |
IpProtocol | — |
QuickModeSaId | — |
TunnelId | — |
TrafficSelectorId | — |
References
Event ID 5453 — An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
Message
Event ID 5456 — PAStore Engine applied Active Directory storage IPsec policy on the computer.
Message
Fields
| Name | Description |
|---|---|
Policy | — |
References
Event ID 5457 — PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
Message
Fields
| Name | Description |
|---|---|
Policy | — |
Error | — |
References
Event ID 5458 — PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
Message
Fields
| Name | Description |
|---|---|
Policy | — |
Event ID 5459 — PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
Message
Fields
| Name | Description |
|---|---|
Policy | — |
Error | — |
Event ID 5460 — PAStore Engine applied local registry storage IPsec policy on the computer.
Message
Fields
| Name | Description |
|---|---|
Policy | — |
Event ID 5461 — PAStore Engine failed to apply local registry storage IPsec policy on the computer.
Message
Fields
| Name | Description |
|---|---|
Policy | — |
Error | — |
Event ID 5462 — PAStore Engine failed to apply some rules of the active IPsec policy on the computer.
Message
Fields
| Name | Description |
|---|---|
Policy | — |
Error | — |
Event ID 5463 — PAStore Engine polled for changes to the active IPsec policy and detected no changes.
Message
Event ID 5464 — PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
Message
Event ID 5465 — PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
Message
Event ID 5466 — PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead.
Message
Event ID 5467 — PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy.
Message
Event ID 5468 — PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes.
Message
Event ID 5471 — PAStore Engine loaded local storage IPsec policy on the computer.
Message
Fields
| Name | Description |
|---|---|
Policy | — |
Event ID 5472 — PAStore Engine failed to load local storage IPsec policy on the computer.
Message
Fields
| Name | Description |
|---|---|
Policy | — |
Error | — |
Event ID 5473 — PAStore Engine loaded directory storage IPsec policy on the computer.
Message
Fields
| Name | Description |
|---|---|
Policy | — |
Event ID 5474 — PAStore Engine failed to load directory storage IPsec policy on the computer.
Message
Fields
| Name | Description |
|---|---|
Policy | — |
Error | — |
Event ID 5477 — PAStore Engine failed to add quick mode filter.
Message
Fields
| Name | Description |
|---|---|
QuickModeFilter | — |
Error | — |
References
Event ID 5478 — IPsec Services has started successfully.
Message
Event ID 5479 — IPsec Services has been shut down successfully.
Message
Event ID 5480 — IPsec Services failed to get the complete list of network interfaces on the computer.
Message
Event ID 5483 — IPsec Services failed to initialize RPC server.
Message
Fields
| Name | Description |
|---|---|
Error | — |
References
Event ID 5484 — IPsec Services has experienced a critical failure and has been shut down.
Message
Fields
| Name | Description |
|---|---|
Error | — |
Event ID 5485 — IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces.
Message
Event ID 5632 — A request was made to authenticate to a wireless network.
Message
Fields
| Name | Description |
|---|---|
SSID | — |
Identity | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
PeerMac | — |
LocalMac | — |
IntfGuid | — |
ReasonCode | — |
ReasonText | — |
ErrorCode | — |
EAPReasonCode | — |
EapRootCauseString | — |
EAPErrorCode | — |
References
Event ID 5633 — A request was made to authenticate to a wired network.
Message
Fields
| Name | Description |
|---|---|
InterfaceName | — |
Identity | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ReasonCode | — |
ReasonText | — |
ErrorCode | — |
References
Event ID 5712 — A Remote Procedure Call (RPC) was attempted.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
ProcessId | — |
ProcessName | — |
RemoteIpAddress | — |
RemotePort | — |
InterfaceUuid | — |
ProtocolSequence | — |
AuthenticationService | — |
AuthenticationLevel | — |
OpNum | — |
Endpoint | — |
RemoteHost | — |
References
Event ID 5888 — An object in the COM+ Catalog was modified.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectUserDomainName | — |
SubjectLogonId | — |
ObjectCollectionName | — |
ObjectIdentifyingProperties | — |
ModifiedObjectProperties | — |
References
Event ID 5889 — An object was deleted from the COM+ Catalog.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectUserDomainName | — |
SubjectLogonId | — |
ObjectCollectionName | — |
ObjectIdentifyingProperties | — |
ObjectProperties | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5889
version: 0
level: 0
task: 12290
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-05T22:30:46.980255+00:00'
event_record_id: 3332
correlation:
ActivityID: 59A0D65F-1037-0001-A7D6-A0593710DA01
execution:
process_id: 808
thread_id: 888
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: SYSTEM
SubjectUserDomainName: NT AUTHORITY
SubjectLogonId: 999
ObjectCollectionName: Applications
ObjectIdentifyingProperties: "\r\n\t\tID = {A14C837E-C9BC-4E79-B228-2A6CB72524A5}\r\n\t\tAppPartitionID
= {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}"
ObjectProperties: "\r\n\t\tName = VMware Snapshot Provider\r\n\t\tApplicationProxyServerName
= \r\n\t\tProcessType = 2\r\n\t\tCommandLine = \r\n\t\tServiceName = vmvss\r\n\t\tRunAsUserType
= 1\r\n\t\tIdentity = LocalSystem\r\n\t\tDescription = VMware Snapshot Provider\r\n\t\tIsSystem
= N\r\n\t\tAuthentication = 6\r\n\t\tShutdownAfter = 3\r\n\t\tRunForever = N\r\n\t\tPassword
= ********\r\n\t\tActivation = Local\r\n\t\tChangeable = Y\r\n\t\tDeleteable =
Y\r\n\t\tCreatedBy = \r\n\t\tAccessChecksLevel = 1\r\n\t\tApplicationAccessChecksEnabled
= 0\r\n\t\tcCOL_SecurityDescriptor = <Opaque>\r\n\t\tImpersonationLevel = 2\r\n\t\tAuthenticationCapability
= 2\r\n\t\tCRMEnabled = 0\r\n\t\t3GigSupportEnabled = 0\r\n\t\tQueuingEnabled
= 0\r\n\t\tQueueListenerEnabled = N\r\n\t\tEventsEnabled = 1\r\n\t\tProcessFlags
= 0\r\n\t\tThreadMax = 0\r\n\t\tApplicationProxy = 0\r\n\t\tCRMLogFile = \r\n\t\tDumpEnabled
= 0\r\n\t\tDumpOnException = 0\r\n\t\tDumpOnFailfast = 0\r\n\t\tMaxDumpCount =
5\r\n\t\tDumpPath = %systemroot%\\system32\\com\\dmp\r\n\t\tIsEnabled = 1\r\n\t\tAppPartitionID
= {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}\r\n\t\tConcurrentApps = 1\r\n\t\tRecycleLifetimeLimit
= 0\r\n\t\tRecycleCallLimit = 0\r\n\t\tRecycleActivationLimit = 0\r\n\t\tRecycleMemoryLimit
= 0\r\n\t\tRecycleExpirationTimeout = 15\r\n\t\tQCListenerMaxThreads = 0\r\n\t\tQCAuthenticateMsgs
= 0\r\n\t\tApplicationDirectory = \r\n\t\tSRPTrustLevel = 262144\r\n\t\tSRPEnabled
= 0\r\n\t\tSoapActivated = 0\r\n\t\tSoapVRoot = \r\n\t\tSoapMailTo = \r\n\t\tSoapBaseUrl
= \r\n\t\tReplicable = 1"
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5889
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5889
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5889
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5890 — An object was added to the COM+ Catalog.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectUserDomainName | — |
SubjectLogonId | — |
ObjectCollectionName | — |
ObjectIdentifyingProperties | — |
ObjectProperties | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 5890
version: 0
level: 0
task: 12290
opcode: 0
keywords: 9232379236109516800
time_created: '2023-11-05T22:30:50.680307+00:00'
event_record_id: 3348
correlation:
ActivityID: 59A0D65F-1037-0001-A7D6-A0593710DA01
execution:
process_id: 808
thread_id: 896
channel: Security
computer: WinDev2310Eval
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: SYSTEM
SubjectUserDomainName: NT AUTHORITY
SubjectLogonId: 999
ObjectCollectionName: UsersInRole
ObjectIdentifyingProperties: "\r\n\t\tApplId = {B0C2D0B3-B19E-4769-B00B-A0D5996BAD73}\r\n\t\tName
= Administrators\r\n\t\tUser = SYSTEM"
ObjectProperties: "\r\n\t\t<null>"
message: ''
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5890
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5890
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5890
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 6144 — Security policy in the group policy objects has been applied successfully.
Message
Fields
| Name | Description |
|---|---|
ErrorCode | — |
GPOList | — |
References
Event ID 6145 — One or more errors occurred while processing security policy in the group policy objects.
Message
Fields
| Name | Description |
|---|---|
ErrorCode | — |
GPOList | — |
Event ID 6272 — Network Policy Server granted access to a user.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
FullyQualifiedSubjectUserName | — |
SubjectMachineSID | — |
SubjectMachineName | — |
FullyQualifiedSubjectMachineName | — |
CalledStationID | — |
CallingStationID | — |
NASIPv4Address | — |
NASIPv6Address | — |
NASIdentifier | — |
NASPortType | — |
NASPort | — |
ClientName | — |
ClientIPAddress | — |
ProxyPolicyName | — |
NetworkPolicyName | — |
AuthenticationProvider | — |
AuthenticationServer | — |
AuthenticationType | — |
EAPType | — |
AccountSessionIdentifier | — |
LoggingResult | — |
References
Event ID 6273 — Network Policy Server denied access to a user.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
FullyQualifiedSubjectUserName | — |
SubjectMachineSID | — |
SubjectMachineName | — |
FullyQualifiedSubjectMachineName | — |
CalledStationID | — |
CallingStationID | — |
NASIPv4Address | — |
NASIPv6Address | — |
NASIdentifier | — |
NASPortType | — |
NASPort | — |
ClientName | — |
ClientIPAddress | — |
ProxyPolicyName | — |
NetworkPolicyName | — |
AuthenticationProvider | — |
AuthenticationServer | — |
AuthenticationType | — |
EAPType | — |
AccountSessionIdentifier | — |
ReasonCode | — |
Reason | — |
LoggingResult | — |
Community Notes
Large numbers of Reason 16 or 23 denials from the same IP or MAC indicate brute-forcing of WiFi, VPN, or 802.1x portals. Repeated denials for privileged accounts should be investigated.
References
Event ID 6274 — Network Policy Server discarded the request for a user.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
FullyQualifiedSubjectUserName | — |
SubjectMachineSID | — |
SubjectMachineName | — |
FullyQualifiedSubjectMachineName | — |
CalledStationID | — |
CallingStationID | — |
NASIPv4Address | — |
NASIPv6Address | — |
NASIdentifier | — |
NASPortType | — |
NASPort | — |
ClientName | — |
ClientIPAddress | — |
ProxyPolicyName | — |
NetworkPolicyName | — |
AuthenticationProvider | — |
AuthenticationServer | — |
AuthenticationType | — |
EAPType | — |
AccountSessionIdentifier | — |
ReasonCode | — |
Reason | — |
Event ID 6275 — Network Policy Server discarded the accounting request for a user.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
FullyQualifiedSubjectUserName | — |
SubjectMachineSID | — |
SubjectMachineName | — |
FullyQualifiedSubjectMachineName | — |
CalledStationID | — |
CallingStationID | — |
NASIPv4Address | — |
NASIPv6Address | — |
NASIdentifier | — |
NASPortType | — |
NASPort | — |
ClientName | — |
ClientIPAddress | — |
ProxyPolicyName | — |
NetworkPolicyName | — |
AuthenticationProvider | — |
AuthenticationServer | — |
AuthenticationType | — |
EAPType | — |
AccountSessionIdentifier | — |
ReasonCode | — |
Reason | — |
Event ID 6276 — Network Policy Server quarantined a user.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
FullyQualifiedSubjectUserName | — |
SubjectMachineSID | — |
SubjectMachineName | — |
FullyQualifiedSubjectMachineName | — |
MachineInventory | — |
CalledStationID | — |
CallingStationID | — |
NASIPv4Address | — |
NASIPv6Address | — |
NASIdentifier | — |
NASPortType | — |
NASPort | — |
ClientName | — |
ClientIPAddress | — |
ProxyPolicyName | — |
NetworkPolicyName | — |
AuthenticationProvider | — |
AuthenticationServer | — |
AuthenticationType | — |
EAPType | — |
AccountSessionIdentifier | — |
QuarantineState | — |
ExtendedQuarantineState | — |
QuarantineSessionID | — |
QuarantineHelpURL | — |
QuarantineSystemHealthResult | — |
Event ID 6277 — Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
FullyQualifiedSubjectUserName | — |
SubjectMachineSID | — |
SubjectMachineName | — |
FullyQualifiedSubjectMachineName | — |
MachineInventory | — |
CalledStationID | — |
CallingStationID | — |
NASIPv4Address | — |
NASIPv6Address | — |
NASIdentifier | — |
NASPortType | — |
NASPort | — |
ClientName | — |
ClientIPAddress | — |
ProxyPolicyName | — |
NetworkPolicyName | — |
AuthenticationProvider | — |
AuthenticationServer | — |
AuthenticationType | — |
EAPType | — |
AccountSessionIdentifier | — |
QuarantineState | — |
ExtendedQuarantineState | — |
QuarantineSessionID | — |
QuarantineHelpURL | — |
QuarantineSystemHealthResult | — |
QuarantineGraceTime | — |
Event ID 6278 — Network Policy Server granted full access to a user because the host met the defined health policy.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
FullyQualifiedSubjectUserName | — |
SubjectMachineSID | — |
SubjectMachineName | — |
FullyQualifiedSubjectMachineName | — |
MachineInventory | — |
CalledStationID | — |
CallingStationID | — |
NASIPv4Address | — |
NASIPv6Address | — |
NASIdentifier | — |
NASPortType | — |
NASPort | — |
ClientName | — |
ClientIPAddress | — |
ProxyPolicyName | — |
NetworkPolicyName | — |
AuthenticationProvider | — |
AuthenticationServer | — |
AuthenticationType | — |
EAPType | — |
AccountSessionIdentifier | — |
QuarantineState | — |
ExtendedQuarantineState | — |
QuarantineSessionID | — |
QuarantineHelpURL | — |
QuarantineSystemHealthResult | — |
Event ID 6279 — Network Policy Server locked the user account due to repeated failed authentication attempts.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
FullyQualifiedSubjectUserName | — |
Event ID 6280 — Network Policy Server unlocked the user account.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
FullyQualifiedSubjectUserName | — |
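The Community Note on 6273 above describes a heuristic (many Reason 16/23 denials from one CallingStationID, plus any denial of a privileged account), and 6279 is the lockout that such a spray eventually triggers. The following is an added example, not code from the page or from Microsoft, that implements that heuristic over a constructed list of events shaped like the 6273 and 6279 field tables. The window, the threshold, the privileged-account list, and the choice of CallingStationID (falling back to ClientIPAddress) as the "source" key are all assumptions of the demo.

```python
"""Added example (not from the page): flag NPS brute-forcing from 6273/6279 events.

Input is a constructed list of (event_id, time_created, event_data) tuples whose
keys follow the 6273 and 6279 field tables. Thresholds and the privileged
account list are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Reason codes the Community Note calls out; 16 is the credential-mismatch denial.
REASON_CODES_OF_INTEREST = {16, 23}
# Assumption: names your org treats as privileged (compared case-insensitively).
PRIVILEGED_ACCOUNTS = {"administrator", "svc_backup"}


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze(events, window=timedelta(minutes=5), threshold=5):
    """Return bruting sources, privileged-account denials and correlated lockouts."""
    denials = defaultdict(list)      # source (MAC/IP) -> [(time, user)]
    privileged, lockouts = [], []
    for event_id, ts, data in events:
        t = datetime.fromisoformat(ts)
        user = data.get("SubjectUserName", "").lower()
        if event_id == 6273:
            reason = int(data.get("ReasonCode", 0))
            if reason not in REASON_CODES_OF_INTEREST:
                continue
            # CallingStationID is the supplicant's MAC (802.1X) or address (VPN);
            # fall back to the RADIUS client that forwarded the request.
            source = data.get("CallingStationID") or data.get("ClientIPAddress") or "unknown"
            denials[source].append((t, user))
            if user in PRIVILEGED_ACCOUNTS:
                privileged.append((ts, user, source, reason))
        elif event_id == 6279:
            lockouts.append((ts, user))

    bruting = []
    for source, items in denials.items():
        peak = max_in_window([t for t, _ in items], window)
        if peak >= threshold:
            bruting.append({
                "source": source,
                "peak_in_window": peak,
                "distinct_accounts": len({u for _, u in items}),
            })
    # A 6279 lockout for an account that appeared in a flagged burst is the
    # natural follow-up signal: the spray tipped over into a lockout.
    sprayed = {u for s in bruting for _, u in denials[s["source"]]}
    correlated = [(ts, u) for ts, u in lockouts if u in sprayed]
    return {
        "bruting_sources": bruting,
        "privileged_denials": privileged,
        "lockouts": lockouts,
        "lockouts_after_bruting": correlated,
    }


# Constructed sample log. One MAC hammers six accounts in under three minutes,
# one stray reason-8 denial is noise, and an 'Administrator' denial plus a
# lockout of svc_backup arrive from elsewhere.
def _d(user, station, client_ip, reason):
    return {"SubjectUserName": user, "SubjectDomainName": "CORP",
            "CallingStationID": station, "ClientIPAddress": client_ip,
            "NASIdentifier": "WLC-01", "ReasonCode": str(reason)}

MAC = "00-11-22-33-44-55"
SAMPLE_EVENTS = [
    (6273, "2024-01-10T08:00:01+00:00", _d("jdoe", MAC, "10.0.0.5", 16)),
    (6273, "2024-01-10T08:00:30+00:00", _d("asmith", MAC, "10.0.0.5", 16)),
    (6273, "2024-01-10T08:01:00+00:00", _d("svc_backup", MAC, "10.0.0.5", 16)),
    (6273, "2024-01-10T08:01:40+00:00", _d("bwayne", MAC, "10.0.0.5", 16)),
    (6273, "2024-01-10T08:02:20+00:00", _d("ckent", MAC, "10.0.0.5", 16)),
    (6273, "2024-01-10T08:02:45+00:00", _d("jdoe", MAC, "10.0.0.5", 23)),
    (6273, "2024-01-10T08:01:10+00:00", _d("dprince", "00-AA-BB-CC-DD-EE", "10.0.0.5", 8)),
    (6273, "2024-01-10T08:02:00+00:00", _d("Administrator", "198.51.100.23", "10.0.0.9", 16)),
    (6279, "2024-01-10T08:03:30+00:00", {"SubjectUserName": "svc_backup", "SubjectDomainName": "CORP"}),
]

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

Run it and the MAC is reported with a peak of six denials against five distinct accounts, the Administrator denial is listed separately even though it came from a different source, and the svc_backup lockout is tied back to the burst. Keying on CallingStationID rather than ClientIPAddress matters: ClientIPAddress is the RADIUS client (the controller or VPN concentrator), so every wireless client behind one controller would otherwise collapse into a single source.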
Event ID 6281 — Code Integrity determined that the page hashes of an image file are not valid.
Message
Fields
| Name | Description |
|---|---|
param1 | — |
Sigma Rules
- Failed Code Integrity Checks
Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.
Event ID 6400 — BranchCache: Received an incorrectly formatted response while discovering availability of content.
Message
Fields
| Name | Description |
|---|---|
ClientIPAddress | — |
Event ID 6401 — BranchCache: Received invalid data from a peer.
Message
Fields
| Name | Description |
|---|---|
ClientIPAddress | — |
Event ID 6402 — BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
Message
Fields
| Name | Description |
|---|---|
ClientIPAddress | — |
Event ID 6403 — BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.
Message
Fields
| Name | Description |
|---|---|
HostedCacheName | — |
Event ID 6404 — BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
Message
Fields
| Name | Description |
|---|---|
HostedCacheName | — |
ErrorCode | — |
Event ID 6405 — BranchCache: %2 instance(s) of event id %1 occurred.
Message
Fields
| Name | Description |
|---|---|
EventId | — |
Count | — |
Event ID 6406 — %1 registered to Windows Firewall to control filtering for the following: %2.
Message
Fields
| Name | Description |
|---|---|
ProductName | — |
Categories | — |
Event ID 6407 — Firewall category unregistered: %1
Message
Fields
| Name | Description |
|---|---|
Message | — |
Event ID 6408 — Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
Message
Fields
| Name | Description |
|---|---|
ProductName | — |
Categories | — |
Event ID 6409 — BranchCache: A service connection point object could not be parsed.
Message
Fields
| Name | Description |
|---|---|
GUID | — |
Event ID 6410 — Code integrity determined that a file does not meet the security requirements to load into a process.
Message
Fields
| Name | Description |
|---|---|
param1 | — |
Event ID 6416 — A new external device was recognized by the system.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
DeviceId | — |
DeviceDescription | — |
ClassId | — |
ClassName | — |
VendorIds | — |
CompatibleIds | — |
LocationInformation | — |
Example Event
system:
provider: Microsoft-Windows-Security-Auditing
guid: 54849625-5478-4994-A5BA-3E3B0328C30D
event_source_name: ''
event_id: 6416
version: 1
level: 0
task: 13316
opcode: 0
keywords: 9232379236109516800
time_created: '2022-04-04T13:11:35.388890+00:00'
event_record_id: 28470
correlation: {}
execution:
process_id: 4
thread_id: 340
channel: Security
computer: WIN-TKC15D7KHUR
security:
user_id: ''
event_data:
SubjectUserSid: S-1-5-18
SubjectUserName: WIN-TKC15D7KHUR$
SubjectDomainName: WORKGROUP
SubjectLogonId: '0x3e7'
DeviceId: SWD\PRINTENUM\{3AEC7D2D-F29E-48EB-A851-2E9DF0B72EDC}
DeviceDescription: Microsoft Print to PDF
ClassId: 1ED2BBF9-11F0-4084-B21F-AD83A8E6DCDC
ClassName: PrintQueue
VendorIds: "\r\n\t\tPRINTENUM\\{084f01fa-e634-4d77-83ee-074817c03581}\r\n\t\tPRINTENUM\\LocalPrintQueue\r\n\t\t{084f01fa-e634-4d77-83ee-074817c03581}\r\n\t\t\r\n\t\t"
CompatibleIds: "\r\n\t\tGenPrintQueue\r\n\t\tSWD\\GenericRaw\r\n\t\tSWD\\Generic\r\n\t\t\r\n\t\t"
LocationInformation: '-'
message: ''
Sigma Rules
- External Disk Drive Or USB Storage Device Was Recognized By The System
Detects external disk drives or plugged-in USB devices.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6416
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
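The sample 6416 above is a good reminder that this event fires for every newly enumerated device, not just USB sticks: it is a Microsoft Print to PDF queue (ClassName PrintQueue, DeviceId under SWD\PRINTENUM). The following is an added example, not the Sigma rule's logic and not code from the page, that separates removable storage from the rest using the DeviceId enumerator prefix and the USB mass-storage interface class (0x08) found in CompatibleIds. The first record is the page's own sample; the two USB-stick records, their VID/PID and serial are constructed.

```python
"""Added example (not from the page): separate removable storage from the other
devices that raise 6416. Uses the page's own PrintQueue sample record plus two
constructed USB-stick records. Enumerator prefixes and the USB class code are
standard Windows PnP conventions; the VID/PID and serial values are made up.
"""
import re

_VID_PID = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})")
# Windows PnP enumerators that only ever front removable/USB-attached storage.
STORAGE_ENUMERATORS = ("USBSTOR\\", "WPDBUSENUM\\")
# USB interface class 0x08 is Mass Storage; it shows up in CompatibleIds.
USB_MASS_STORAGE_CLASS = "USB\\CLASS_08"


def parse_id_list(raw):
    """VendorIds/HardwareIds/CompatibleIds are one string with \\r\\n\\t\\t separators."""
    return [tok for tok in raw.split() if tok]


def classify(event_data):
    """Return a verdict plus the USB VID/PID when one is present in any ID."""
    dev_id = event_data.get("DeviceId", "").upper()
    class_name = event_data.get("ClassName", "")
    # 6416 carries VendorIds; 6419-6424 carry HardwareIds for the same purpose.
    ids = parse_id_list(event_data.get("VendorIds") or event_data.get("HardwareIds") or "")
    ids += parse_id_list(event_data.get("CompatibleIds", ""))
    ids = [i.upper() for i in ids]
    vid_pid = next((m.groups() for m in map(_VID_PID.search, ids + [dev_id]) if m), None)

    if dev_id.startswith(STORAGE_ENUMERATORS):
        verdict = "removable_storage"            # the disk child node
    elif class_name == "USB" and any(USB_MASS_STORAGE_CLASS in i for i in ids):
        verdict = "removable_storage"            # the parent USB device node
    elif class_name == "PrintQueue" or dev_id.startswith("SWD\\PRINTENUM\\"):
        verdict = "printer"
    else:
        verdict = "other"
    return {"verdict": verdict, "class": class_name, "vid_pid": vid_pid,
            "description": event_data.get("DeviceDescription", "")}


def triage(events):
    """Keep only the records worth alerting on."""
    return [classify(e) for e in events if classify(e)["verdict"] == "removable_storage"]


# Record 1 is the page's own 6416 sample (Microsoft Print to PDF).
PAGE_PRINTQUEUE = {
    "DeviceId": r"SWD\PRINTENUM\{3AEC7D2D-F29E-48EB-A851-2E9DF0B72EDC}",
    "DeviceDescription": "Microsoft Print to PDF",
    "ClassId": "1ED2BBF9-11F0-4084-B21F-AD83A8E6DCDC",
    "ClassName": "PrintQueue",
    "VendorIds": "\r\n\t\tPRINTENUM\\{084f01fa-e634-4d77-83ee-074817c03581}\r\n\t\tPRINTENUM\\LocalPrintQueue\r\n\t\t{084f01fa-e634-4d77-83ee-074817c03581}\r\n\t\t\r\n\t\t",
    "CompatibleIds": "\r\n\t\tGenPrintQueue\r\n\t\tSWD\\GenericRaw\r\n\t\tSWD\\Generic\r\n\t\t\r\n\t\t",
}
# Records 2 and 3 are constructed: one USB stick raises a 6416 for the USB
# parent node and another for the USBSTOR disk child.
USB_PARENT = {
    "DeviceId": r"USB\VID_0781&PID_5567\4C530001230522116432",
    "DeviceDescription": "USB Mass Storage Device",
    "ClassName": "USB",
    "VendorIds": "\r\n\t\tUSB\\VID_0781&PID_5567&REV_0100\r\n\t\tUSB\\VID_0781&PID_5567\r\n\t\t",
    "CompatibleIds": "\r\n\t\tUSB\\Class_08&SubClass_06&Prot_50\r\n\t\tUSB\\Class_08&SubClass_06\r\n\t\tUSB\\Class_08\r\n\t\t",
}
USB_DISK = {
    "DeviceId": r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH&REV_1.00\4C530001230522116432&0",
    "DeviceDescription": "Disk drive",
    "ClassName": "DiskDrive",
    "VendorIds": "\r\n\t\tUSBSTOR\\DiskGeneric_Flash___________1.00\r\n\t\tUSBSTOR\\DiskGeneric_Flash___________\r\n\t\t",
    "CompatibleIds": "\r\n\t\tUSBSTOR\\Disk\r\n\t\tUSBSTOR\\RAW\r\n\t\tGenDisk\r\n\t\t",
}
SAMPLE_6416 = [PAGE_PRINTQUEUE, USB_PARENT, USB_DISK]

if __name__ == "__main__":
    for hit in triage(SAMPLE_6416):
        print(hit)
```

Two of the three records are flagged and the print queue is not. Note that in the page's sample the Subject is S-1-5-18 with SubjectLogonId 0x3e7, i.e. the system itself, because Plug and Play enumerates the device, so the Subject fields do not tell you which user plugged it in; the interactive session active on that host at time_created has to be looked up separately.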
Event ID 6417 — The FIPS mode crypto selftests succeeded.
Message
Fields
| Name | Description |
|---|---|
ProcessId | — |
ProcessName | — |
Event ID 6418 — The FIPS mode crypto selftests failed.
Message
Fields
| Name | Description |
|---|---|
ProcessId | — |
ProcessName | — |
FatalCode | — |
Event ID 6419 — A request was made to disable a device.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
DeviceId | — |
DeviceDescription | — |
ClassId | — |
ClassName | — |
HardwareIds | — |
CompatibleIds | — |
LocationInformation | — |
Event ID 6420 — A device was disabled.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
DeviceId | — |
DeviceDescription | — |
ClassId | — |
ClassName | — |
HardwareIds | — |
CompatibleIds | — |
LocationInformation | — |
Event ID 6421 — A request was made to enable a device.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
DeviceId | — |
DeviceDescription | — |
ClassId | — |
ClassName | — |
HardwareIds | — |
CompatibleIds | — |
LocationInformation | — |
Event ID 6422 — A device was enabled.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
DeviceId | — |
DeviceDescription | — |
ClassId | — |
ClassName | — |
HardwareIds | — |
CompatibleIds | — |
LocationInformation | — |
Community Notes
May indicate removable storage or network adapters being enabled to stage tools or exfiltrate data.
Event ID 6423 — The installation of this device is forbidden by system policy.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
DeviceId | — |
DeviceDescription | — |
ClassId | — |
ClassName | — |
HardwareIds | — |
CompatibleIds | — |
LocationInformation | — |
Sigma Rules
- Device Installation Blocked
Detects an installation of a device that is forbidden by the system policy
Event ID 6424 — The installation of this device was allowed, after having previously been forbidden by policy.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
DeviceId | — |
DeviceDescription | — |
ClassId | — |
ClassName | — |
HardwareIds | — |
CompatibleIds | — |
LocationInformation | — |
Event ID 6425 — A network client used a legacy RPC method to modify authentication information on a trusted domain object.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
TrustedDomainName | — |
TrustedDomainId | — |
ClientNetworkAddress | — |
LegacyRPCMethodName | — |
Event ID 6426 — The volatile system access rights assigned to an account were modified.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
TargetSid | — |
OriginalAccessRightsMask | — |
OriginalAccessRights | — |
GrantedAccessRightsMask | — |
GrantedAccessRights | — |
RemovedAccessRightsMask | — |
RemovedAccessRights | — |
FinalAccessRightsMask | — |
FinalAccessRights | — |
Event ID 6427 — System access right details for a successful logon.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
TargetUserSid | — |
TargetUserName | — |
TargetDomainName | — |
TargetLogonId | — |
LogonType | — |
SystemAccessRightRequiredForLogon | — |
SystemAccessRightRequiredForLogonUlong | — |
EventIndex | — |
EventCountTotal | — |
SystemAccessRightSidList | — |
LocalSystemAccessRightSidList | — |
Event ID 6428 — System access right details for a failed logon that was explicitly denied.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
TargetUserSid | — |
TargetUserName | — |
TargetDomainName | — |
LogonType | — |
DenySystemAccessRight | — |
DenySystemAccessRightUlong | — |
EventIndex | — |
EventCountTotal | — |
DenySystemAccessRightsSidList | — |
DenyLocalSystemAccessRightsSidList | — |
Event ID 6429 — System access right details for a failed logon that was implicitly denied.
Message
Fields
| Name | Description |
|---|---|
SubjectUserSid | — |
SubjectUserName | — |
SubjectDomainName | — |
SubjectLogonId | — |
TargetUserSid | — |
TargetUserName | — |
TargetDomainName | — |
LogonType | — |
AllowSystemAccessRight | — |
AllowSystemAccessRightUlong | — |
Event ID 6430 — A Windows Firewall policy was imported.
Message
Fields
| Name | Description |
|---|---|
UserSid | — |
UserName | — |
DomainName | — |
ImportFileName | — |
PolicyDetails | — |