Microsoft-Windows-Security-Auditing
426 events across 1 channel
Event ID 412: AD FS authentication failure.
#Description
AD FS auditing event emitted on the federation server when an authentication attempt fails. Logged under the Security provider via AD FS audit policy; referenced by Sentinel ADFS rules.
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
DestinationPort | eq | 80 | 1 rule | kusto, sigma |
Image | eq | system | 1 rule | kusto, sigma |
Computer | eq | ADFS_Servers | 1 rule | kusto |
Event ID 501: AD FS proxy authentication request.
#Description
AD FS auditing event emitted when the federation proxy forwards an authentication request. Logged under the Security provider via AD FS audit policy; referenced by Sentinel ADFS rules.
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
DestinationPort | eq | 80 | 1 rule | kusto, sigma |
Image | eq | system | 1 rule | kusto, sigma |
Event ID 675: Pre-authentication failed (legacy Windows 2003 Kerberos event; superseded by 4771).
#Description
Legacy Kerberos pre-authentication failure event from Windows 2003. Superseded by EventID 4771 in Vista+.
Detection Patterns #
Credential Access: Exploitation for Credential Access
1 rule
Event ID 4608: Windows is starting up.
#Description
Windows is starting up.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4608,
"version": 0,
"level": 0,
"task": 12288,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:32:50.4026945+00:00",
"event_record_id": 1715910,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 816
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "Windows is starting up.\r\n\r\nThis event is logged when LSASS.EXE starts and the auditing subsystem is initialized."
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4608
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4608
Event ID 4609: Windows is shutting down.
#Description
Windows is shutting down.
Message #
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4609
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4609
Event ID 4610: An authentication package has been loaded by the Local Security Authority.
#Description
This event is generated every time an Authentication Package is loaded by the Local Security Authority (LSA). Each time the system starts, the LSA loads the Authentication Package DLLs listed in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages registry value and runs the initialization sequence for every package in those DLLs.
Message #
Fields #
| Name | Description |
|---|---|
AuthenticationPackageName UnicodeString | The name of loaded Authentication Package. The format is: DLL_PATH_AND_NAME: AUTHENTICATION_PACKAGE_NAME. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4610,
"version": 0,
"level": 0,
"task": 12289,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:32:50.7528048+00:00",
"event_record_id": 1715923,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 816
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"AuthenticationPackageName": "C:\\Windows\\system32\\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
},
"message": "An authentication package has been loaded by the Local Security Authority.\r\nThis authentication package will be used to authenticate logon attempts.\r\n\r\nAuthentication Package Name:\tC:\\Windows\\system32\\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4610
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4610
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4610.yml
Event ID 4611: A trusted logon process has been registered with the Local Security Authority.
#Description
This event indicates that a logon process has registered with the Local Security Authority (LSA); logon requests will now be accepted from this source. Technically, the event is not generated by the registration itself but by the confirmation that the process is a trusted logon process: if it is, the event is generated. A logon process is a trusted part of the operating system that handles the overall logon function for the different logon methods (network, interactive, and so on). You typically see these events during operating system startup or during user logon and authentication.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid SID | SID of account that registered the trusted logon process. | |
SubjectUserName UnicodeString | The name of the account that registered the trusted logon process. | |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
LogonProcessName UnicodeString | The name of registered logon process. | 1 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4611,
"version": 0,
"level": 0,
"task": 12289,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:33:48.1527291+00:00",
"event_record_id": 1724051,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 3340
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-A$",
"SubjectDomainName": "cell-a",
"SubjectLogonId": "0x3e7",
"LogonProcessName": "UserManager"
},
"message": "A trusted logon process has been registered with the Local Security Authority.\r\nThis logon process will be trusted to submit logon requests.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nLogon Process Name:\t\tUserManager"
}
Community Notes #
May be seen when a process injects into LSASS.
Detection Rules #
Sigma #
- Register new Logon Process by Rubeus source high: Detects potential use of Rubeus via registered new trusted logon process
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4611
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4611
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4611.yml
Event ID 4612: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
#Description
Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
Message #
Fields #
| Name | Description |
|---|---|
AuditsDiscarded UInt32 | Number of audit messages discarded |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4612
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4612
Event ID 4614: A notification package has been loaded by the Security Account Manager.
#Description
This event is generated every time a Notification Package is loaded by the Security Account Manager. In practice, starting with Windows Vista, a notification package should be read as a Password Filter: a DLL that is loaded or called when passwords are set or changed. Each time the system starts, it loads the notification package DLLs listed in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages registry value and runs the initialization sequence for every package.
Message #
Fields #
| Name | Description |
|---|---|
NotificationPackageName UnicodeString | The name of loaded Notification Package. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4614,
"version": 0,
"level": 0,
"task": 12289,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:32:52.4233877+00:00",
"event_record_id": 1715954,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 816
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"NotificationPackageName": "scecli"
},
"message": "A notification package has been loaded by the Security Account Manager.\r\nThis package will be notified of any account or password changes.\r\n\r\nNotification Package Name:\tscecli"
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4614
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4614
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4614.yml
Event ID 4615: Invalid use of LPC port.
#Description
Invalid use of LPC port.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
InvalidCallName UnicodeString | Invalid Use |
ServerPortName UnicodeString | LPC Server Port Name |
ProcessId Pointer | [Process Information] PID |
ProcessName UnicodeString | [Process Information] Name |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4615
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4615
Event ID 4616: The system time was changed.
#Description
This event is generated every time the system time is changed.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid SID | SID of account that requested the "change system time" operation. | 1 |
SubjectUserName UnicodeString | The name of the account that requested the "change system time" operation. | |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on". | |
PreviousTime FILETIME | Previous time in UTC time zone. | |
NewTime FILETIME | New time that was set in UTC time zone. | |
ProcessId Pointer | Hexadecimal Process ID of the process that changed the system time. Process ID (PID) is a number used by the operating system to uniquely identify an active process. | |
ProcessName UnicodeString | Full path and the name of the executable for the process. | 7 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4616,
"version": 1,
"level": 0,
"task": 12288,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T05:39:30.8456189+00:00",
"event_record_id": 1842818,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 4312
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-19",
"SubjectUserName": "LOCAL SERVICE",
"SubjectDomainName": "NT AUTHORITY",
"SubjectLogonId": "0x3e5",
"PreviousTime": "2026-06-13T05:39:30.8442156Z",
"NewTime": "2026-06-13T05:39:30.8452453Z",
"ProcessId": "0x1434",
"ProcessName": "C:\\Windows\\System32\\svchost.exe"
},
"message": "The system time was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tLOCAL SERVICE\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E5\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x1434\r\n\tName:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nPrevious Time:\t\t2026-06-13T05:39:30.844215600Z\r\nNew Time:\t\t2026-06-13T05:39:30.845245300Z\r\n\r\nThis event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer."
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
process_name | eq | c:\windows\system32\svchost.exe | 1 rule | sigma |
Detection Rules #
Sigma #
- Unauthorized System Time Modification source low: Detect scenarios where a potentially unauthorized application or user is modifying the system time.
- System time changed source medium: Detects scenarios where an attacker attempts to change the system time to evade defense. Check also if NewTime is different from PreviousTime to reduce false positives.
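Both rules above hinge on the same two questions: who changed the clock, and by how much. As an added example (not code from the page or from any rule vendor), the triage below parses PreviousTime and NewTime, which carry 100 ns FILETIME precision that Python's datetime cannot hold, computes the skew, and applies the svchost.exe/LOCAL SERVICE pattern visible in the page's example together with the NewTime-equals-PreviousTime check from the second rule's note. The 60-second threshold and the "time service" signature are assumptions; the first sample event is the page's own, the other two are constructed.

```python
"""Triage 4616 'The system time was changed' events.

Added example; not code from the page or from the Sigma rules it lists. The skew
threshold and the 'time service' signature are assumptions; the second and third
sample events are constructed, the first is the page's own example.
"""
from datetime import datetime, timedelta

MAX_BENIGN_SKEW = timedelta(seconds=60)               # assumption: tune from your own 4616 history
W32TIME_PROCESS = r"c:\windows\system32\svchost.exe"  # the page's common indicator, lowercased
W32TIME_SID = "S-1-5-19"                              # LOCAL SERVICE, as in the page's example


def parse_event_time(s):
    """Parse PreviousTime/NewTime. The event carries FILETIME precision (7 digits in
    event_data, 9 in the rendered message); fromisoformat wants at most 6, so trim."""
    s = s.strip()
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    head, dot, tail = s.partition(".")
    if dot:
        n = 0
        while n < len(tail) and tail[n].isdigit():
            n += 1
        s = head + "." + tail[:n][:6].ljust(6, "0") + tail[n:]
    return datetime.fromisoformat(s)


def triage(ev):
    d = ev["event_data"]
    skew = parse_event_time(d["NewTime"]) - parse_event_time(d["PreviousTime"])
    by_time_service = (d.get("ProcessName", "").lower() == W32TIME_PROCESS
                       and d.get("SubjectUserSid") == W32TIME_SID)
    if skew == timedelta(0):
        verdict = "noise"    # NewTime == PreviousTime, the false positive the Sigma note calls out
    elif by_time_service and abs(skew) <= MAX_BENIGN_SKEW:
        verdict = "benign"   # routine Windows Time Service resync
    elif by_time_service:
        verdict = "review"   # the time service made a large jump: check the NTP source
    else:
        verdict = "alert"    # any other process or account adjusting the clock
    return {"record_id": ev["system"]["event_record_id"], "skew_seconds": skew.total_seconds(),
            "process": d.get("ProcessName", ""), "subject": d.get("SubjectUserName", ""),
            "verdict": verdict}


def _ev(rid, **data):
    return {"system": {"event_record_id": rid}, "event_data": data}


SAMPLE_EVENTS = [
    # The page's example: W32Time nudging the DC clock by about a millisecond
    _ev(1842818, SubjectUserSid="S-1-5-19", SubjectUserName="LOCAL SERVICE",
        PreviousTime="2026-06-13T05:39:30.8442156Z", NewTime="2026-06-13T05:39:30.8452453Z",
        ProcessName=r"C:\Windows\System32\svchost.exe"),
    # Constructed: a domain user sets the clock back an hour from an interactive shell
    _ev(9000001, SubjectUserSid="S-1-5-21-1-2-3-1105", SubjectUserName="domainadmin",
        PreviousTime="2026-06-13T10:00:00.0000000Z", NewTime="2026-06-13T09:00:00.0000000Z",
        ProcessName=r"C:\Windows\System32\cmd.exe"),
    # Constructed: a no-op change (NewTime equals PreviousTime)
    _ev(9000002, SubjectUserSid="S-1-5-19", SubjectUserName="LOCAL SERVICE",
        PreviousTime="2026-06-13T11:00:00.000000000Z", NewTime="2026-06-13T11:00:00.000000000Z",
        ProcessName=r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for r in (triage(e) for e in SAMPLE_EVENTS):
        print(f"{r['record_id']}: {r['verdict']:6} skew={r['skew_seconds']:+.6f}s "
              f"{r['subject']} via {r['process']}")
```

The "review" verdict exists because a large jump by the time service itself is not an attack on the host's auditing but is still worth a look: it usually means the NTP source or the hardware clock drifted, which affects timestamp correlation across every other event on the box.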
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4616
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4616_v1.yml
Event ID 4618: A monitored security event pattern has occurred.
#Description
This event is generated when Windows is configured to generate alerts in accordance with the Common Criteria Security Audit Analysis requirements (FAU_SAA) and an auditable event pattern occurs.
Message #
Fields #
| Name | Description |
|---|---|
EventId UInt32 | [Alert Information] Event ID. |
ComputerName UnicodeString | [Alert Information] Computer. |
TargetUserSid SID | [Subject] Security ID. |
TargetUserName UnicodeString | [Subject] Account Name. |
TargetUserDomain UnicodeString | Subject's domain or computer name. |
TargetLogonId HexInt64 | [Subject] Logon ID. |
EventCount UInt32 | [Alert Information] Number of Events. |
Duration UnicodeString | [Alert Information] Duration. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4618
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4618
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4618.yml
Event ID 4621: Administrator recovered system from CrashOnAuditFail.
#Description
Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.
Message #
Fields #
| Name | Description |
|---|---|
CrashOnAuditFailValue UnicodeString | Value of CrashOnAuditFail |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4621
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4621
Event ID 4622: A security package has been loaded by the Local Security Authority.
#Description
This event is generated every time a Security Package is loaded by the Local Security Authority (LSA). A Security Package is the software implementation of a security protocol (Kerberos or NTLM, for example). Security packages are contained in security support provider DLLs or security support provider/authentication package DLLs. Each time the system starts, the LSA loads the Security Package DLLs listed in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages registry value and runs the initialization sequence for every package in those DLLs. A security package can also be added dynamically with the AddSecurityPackage function, not only during system startup.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SecurityPackageName UnicodeString | The name of loaded Security Package. The format is: DLL_PATH_AND_NAME: SECURITY_PACKAGE_NAME. | 9 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4622,
"version": 0,
"level": 0,
"task": 12289,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:32:50.7526189+00:00",
"event_record_id": 1715922,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 816
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SecurityPackageName": "C:\\Windows\\system32\\schannel.DLL : Microsoft Unified Security Protocol Provider"
},
"message": "A security package has been loaded by the Local Security Authority.\r\n\r\nSecurity Package Name:\tC:\\Windows\\system32\\schannel.DLL : Microsoft Unified Security Protocol Provider"
}
Detection Rules #
Sigma #
- Security package (SSP) loaded into LSA (native) source high: Detects scenarios where an attacker loads a malicious SSP (Security Support Provider) into the LSA process. Note that this rule will not work with "in memory" SSP injection (Mimikatz) as no event will be triggered.
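The rule above keys on 4622, but 4610, 4611 and 4614 describe the same class of persistence surface: code that LSA or SAM loads or trusts at startup. The natural check for all four is the same, which is why one example serves them all: compare the name the event reports against what a clean boot of the same host class emits, and for the two events that name a DLL (4610 and 4622), confirm the DLL lives under System32. The following is an added example, not code from the page or from any rule vendor; the BASELINE sets and the System32 path are assumptions standing in for an allowlist captured from your own startup events, and the last two sample events are constructed.

```python
"""Baseline check for LSA/SAM extension-load audits: 4610, 4611, 4614 and 4622.

Added example, not code from the page or from any rule vendor. BASELINE and the
System32 location are assumptions: capture your own allowlist from the events a
known-good host emits at boot. The last two sample events are constructed.
"""
import ntpath

# Assumption: default %SystemRoot%. Package DLLs named in 4610/4622 should live here.
SYSTEM32 = ntpath.normcase(r"C:\Windows\System32") + "\\"

# Which event_data field carries the package or logon-process name for each event ID.
EVENT_FIELD = {
    4610: "AuthenticationPackageName",   # LSA authentication package (DLL : NAME)
    4611: "LogonProcessName",            # trusted logon process (bare name)
    4614: "NotificationPackageName",     # SAM notification package / password filter (bare name)
    4622: "SecurityPackageName",         # LSA security package / SSP (DLL : NAME)
}

# ASSUMED allowlist. The page's own examples (msv1_0, UserManager, scecli, schannel)
# are included; the rest are placeholders for what a clean boot of your hosts shows.
BASELINE = {
    4610: {"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"},
    4611: {"Winlogon", "UserManager", "seclogo", "User32", "Advapi", "NtLmSsp", "Kerberos", "Negotiate"},
    4614: {"scecli"},
    4622: {"Microsoft Unified Security Protocol Provider", "Kerberos", "NTLM", "Negotiate"},
}


def split_package(value):
    """4610/4622 use 'DLL_PATH : NAME'; 4611/4614 carry just a name (dll is None).
    Split on ' : ' rather than ':' so the drive letter in the path survives."""
    if " : " in value:
        dll, name = value.split(" : ", 1)
        return dll.strip(), name.strip()
    return None, value.strip()


def check_event(ev):
    """Return a list of finding strings for one event (empty when it matches the baseline)."""
    eid = ev["system"]["event_id"]
    field = EVENT_FIELD.get(eid)
    if field is None:
        return []
    dll, name = split_package(ev["event_data"].get(field, ""))
    findings = []
    if name not in BASELINE[eid]:
        findings.append(f"{field} '{name}' not in baseline")
    if dll is not None and not ntpath.normcase(dll).startswith(SYSTEM32):
        findings.append(f"package DLL outside System32: {dll}")
    return findings


def scan(events):
    """(event_record_id, event_id, finding) for every deviation across a batch of events."""
    return [(ev["system"]["event_record_id"], ev["system"]["event_id"], f)
            for ev in events for f in check_event(ev)]


def _ev(rid, eid, **data):
    return {"system": {"event_id": eid, "event_record_id": rid}, "event_data": data}


SAMPLE_EVENTS = [
    # From the page's example events (benign startup loads on a DC)
    _ev(1715923, 4610, AuthenticationPackageName=r"C:\Windows\system32\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"),
    _ev(1715922, 4622, SecurityPackageName=r"C:\Windows\system32\schannel.DLL : Microsoft Unified Security Protocol Provider"),
    _ev(1715954, 4614, NotificationPackageName="scecli"),
    _ev(1724051, 4611, LogonProcessName="UserManager"),
    # Constructed: an SSP registered from a user-writable path, and an unknown logon process
    _ev(9000001, 4622, SecurityPackageName=r"C:\Users\Public\helper.dll : HelperSSP"),
    _ev(9000002, 4611, LogonProcessName="CustomLogonProcess"),
]

if __name__ == "__main__":
    for rid, eid, finding in scan(SAMPLE_EVENTS):
        print(f"record {rid} event {eid}: {finding}")
```

Keep the caveat the Sigma rule states in mind: an SSP injected directly into LSASS memory produces no 4622, so this check only sees packages that are registered on disk and loaded through the normal path. The 4611 name is likewise whatever the registering process chose, which is exactly why the Rubeus rule for that event can match on a fixed string.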
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4622
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4622
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4622.yml
Event ID 4624: An account was successfully logged on.
#Description
This event is generated when a logon session is created. It is generated on the destination machine: the computer that was accessed, where the session was created.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid SID | SID of the account on the local system that requested the logon. | 12 |
SubjectUserName UnicodeString | Name of the account on the local system that requested the logon. | 5 |
SubjectDomainName UnicodeString | Domain of the account that requested the logon. | 4 |
SubjectLogonId HexInt64 | Hex logon session ID of the account that requested the logon. | |
TargetUserSid SID | SID of the account that was logged on. | 9 |
TargetUserName UnicodeString | Name of the account that was logged on. | 20 |
TargetDomainName UnicodeString | Domain of the account that was logged on. | 3 |
TargetLogonId HexInt64 | Hex logon session ID for the new session. Correlates with Event ID 4634 (logoff). | 1 |
LogonType UInt32 | Type of logon session created (see the Logon Type Reference). | 33 |
LogonProcessName UnicodeString | Logon process that authenticated the request (e.g., User32, Advapi, NtLmSsp). | 8 |
AuthenticationPackageName UnicodeString | Authentication package used (e.g., Kerberos, NTLM, Negotiate). | 13 |
WorkstationName UnicodeString | Hostname of the machine that initiated the logon. "-" for local logons. | 6 |
LogonGuid GUID | GUID correlating this logon with a Kerberos TGS request (Event ID 4769) on the domain controller, and with Event ID 4648. | |
TransmittedServices UnicodeString | Kerberos services transmitted during S4U (Service For User) delegation. Empty for non-delegated logons. | |
LmPackageName UnicodeString | NTLM sub-protocol used (NTLM V1, NTLM V2, or LM). "-" for Kerberos logons. | |
KeyLength UInt32 | NTLM session security key length in bits. 0 for Kerberos or when no session key was requested. | 1 |
ProcessId Pointer | Process ID of the process that initiated the logon. | |
ProcessName UnicodeString | Full path of the process that initiated the logon. | 6 |
IpAddress UnicodeString | Source IP address of the remote logon. "-" for local logons. | 24 |
IpPort UnicodeString | Source port of the remote logon. "-" for local logons. | 1 |
ImpersonationLevel UnicodeString | Level of token impersonation permitted for this logon session. | 1 |
RestrictedAdminMode UnicodeString | For RemoteInteractive (RDP) logons, indicates credentials were passed in Restricted Admin mode (Win8.1+). "-" for other logon types. | |
TargetOutboundUserName UnicodeString | Outbound network account name for pass-through authentication. Typically empty. | 1 |
TargetOutboundDomainName UnicodeString | Domain of the outbound network account. Typically empty. | |
VirtualAccount UnicodeString | Indicates the logged-on account is a Managed Service Account or Group Managed Service Account. | |
TargetLinkedLogonId HexInt64 | Logon ID of the linked token session. When UAC splits a logon into limited and elevated tokens, this links the two sessions. "0x0" if not linked. | |
ElevatedToken UnicodeString | Indicates this logon session carries an elevated (administrator) token. | |
RemoteCredentialGuard UnicodeString | For RemoteInteractive logons, indicates Remote Credential Guard was used to redirect Kerberos requests to the originating device. | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4624,
"version": 2,
"level": 0,
"task": 12544,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:08:49.2402547+00:00",
"event_record_id": 3213578,
"correlation": {},
"execution": {
"process_id": 896,
"thread_id": 4272
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-0-0",
"SubjectUserName": "-",
"SubjectDomainName": "-",
"SubjectLogonId": "0x0",
"TargetUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"TargetUserName": "domainadmin",
"TargetDomainName": "cell-c",
"TargetLogonId": "0x296120d",
"LogonType": "3",
"LogonProcessName": "NtLmSsp ",
"AuthenticationPackageName": "NTLM",
"WorkstationName": "LUDUS",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"TransmittedServices": "-",
"LmPackageName": "NTLM V2",
"KeyLength": "128",
"ProcessId": "0x0",
"ProcessName": "-",
"IpAddress": "-",
"IpPort": "-",
"ImpersonationLevel": "%%1833",
"RestrictedAdminMode": "-",
"TargetOutboundUserName": "-",
"TargetOutboundDomainName": "-",
"VirtualAccount": "%%1843",
"TargetLinkedLogonId": "0x0",
"ElevatedToken": "%%1842"
},
"message": "An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Information:\r\n\tLogon Type:\t\t3\r\n\tRestricted Admin Mode:\t-\r\n\tVirtual Account:\t\tNo\r\n\tElevated Token:\t\tYes\r\n\r\nImpersonation Level:\t\tImpersonation\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x296120D\r\n\tLinked Logon ID:\t\t0x0\r\n\tNetwork Account Name:\t-\r\n\tNetwork Account Domain:\t-\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tLUDUS\r\n\tSource Network Address:\t-\r\n\tSource Port:\t\t-\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\tNTLM V2\r\n\tKey Length:\t\t128\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
}
Detection Patterns #
Tactic/technique labels attached to the rules that reference this event, recovered from the page's coverage chart (rule count and vendor given where the chart paired them with a label):
- Credential Access: Password Guessing (8 rules, Splunk)
- Credential Access: Brute Force (8 rules, Splunk)
- Computer Account; Event Log; Uses Authentication Normalization; AD Replication Request Initiated
- Lateral Movement: Remote Services
- Persistence: Account Manipulation
- Credential Access: Security Account Manager (2 rules, Sigma)
- Initial Access: Exploit Public-Facing Application
- Stealth: Create Process with Token (1 rule)
- Stealth: Token Impersonation/Theft (1 rule)
- Stealth: Disable or Modify Tools
- Defense Impairment: Rogue Domain Controller (1 rule)
- Lateral Movement: Exploitation of Remote Services
- Credential Access: Private Keys (0 rules)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
LogonType | eq | Network | 32 rules | elastic, kusto, sigma, splunk |
AuthenticationPackageName | eq | NTLM | 9 rules | elastic, kusto, sigma, splunk |
src_ip | eq | ::1 | 8 rules | elastic, sigma |
LogonType | eq | RemoteInteractive | 8 rules | kusto, sigma, splunk |
EventType | eq | logged-in | 8 rules | elastic |
src_ip | ne | 127.0.0.1 | 7 rules | elastic |
src_ip | eq | 127.0.0.1 | 7 rules | sigma |
event.outcome | eq | success | 7 rules | elastic |
LogonType | eq | NewCredentials | 7 rules | elastic, sigma |
src_ip | ne | ::1 | 6 rules | elastic, splunk |
AuthenticationPackageName | eq | Kerberos | 6 rules | elastic, kusto, sigma, splunk |
LogonProcessName | eq | seclogo | 5 rules | elastic, sigma |
user | ends_with | $ | 4 rules | elastic, kusto |
AuthenticationPackageName | eq | Negotiate | 4 rules | sigma |
src_ip | cidr_match | 127.0.0.0/8 | 3 rules | elastic, kusto, sigma |
Community Notes #
See the Logon Type Reference for a full breakdown of LogonType values and detection guidance.
Detection Rules #
Sigma #
- Potential Access Token Abuse source medium: Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".
- Admin User Remote Logon source low: Detect remote login by Administrator user (depending on internal pattern).
- DiagTrackEoP Default Login Username source critical: Detects the default "UserName" used by the DiagTrackEoP POC
- Successful Overpass the Hash Attempt source high: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
- Pass the Hash Activity 2 source medium: Detects the attack technique pass the hash which is used to move laterally inside the network
- RDP Login from Localhost source high: RDP login with localhost source address may be a tunnelled login
- External Remote RDP Logon from Public IP source medium: Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
- External Remote SMB Logon from Public IP source high: Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
- Outgoing Logon with New Credentials source low: Detects logon events that specify new credentials
- Potential Privilege Escalation via Local Kerberos Relay over LDAP source high: Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
- RottenPotato Like Attack Pattern source high: Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
- Successful Account Login Via WMI source low: Detects successful logon attempts performed with WMI
- Administrator login impersonation with forged Golden ticket source high: Detects scenarios where an attacker used a forged Golden ticket to log in on a remote host. By default, or if specified, the ticket will be forged using the built-in administrator account (SID *-500). However, in frequent cases a non-suspicious user name will be specified during the forge in order to evade security monitoring. The rule works based on this trick.
- Azure Windows virtual machine login via serial console source high: Detects if an attacker logs on using the serial console.
- Exchange server impersonation via PrivExchange relay attack source high: Detects scenarios where an attacker relays Exchange server authentication to abuse Exchange servers permissions and escalate privileges.
- Success login attempt on a Windows OpenSSH server source medium: Detects scenarios where an attacker attempts to connect to a Windows host using the SSH protocol.
- Mimikatz Pass-the-hash login source high: Detects scenarios where an attacker uses the Mimikatz Pass-the-hash feature to move laterally. Correlation with other event IDs can be done in the following way: ID 4624 TargetLogonId + ID 4672 SubjectLogonId + ID 4688 TargetLogonId. Having those 3 elements together makes it possible to bring to light exactly what was done.
- Suspicious anonymous login (domain specified) source high: Detects scenarios where a suspicious anonymous login is performed during discovery phases.
- Network login performed to multiple targets source high: Detects scenarios where an attacker would attempt to enumerate hosts' resources and execute a payload with a compromised account. Vulnerability scanners, enumeration software or tools like SharpHound/CrackMapExec may generate such behavior.
- Anonymous access performed to multiple targets source high: Detects scenarios where an attacker would attempt to enumerate hosts and collect relevant information using anonymous access. Vulnerability scanners, enumeration software or tools like CrackMapExec may generate such behavior.
Elastic # view in coverage
- Potential Pass-the-Hash (PtH) Attempt source medium: Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.
- Potential Account Takeover - Mixed Logon Types source medium: Identifies a user account (often a service account) that normally logs in with high volume using one logon type suddenly showing successful logons using a different logon type with low count. This pattern may indicate account takeover or use of stolen credentials from a new context (e.g. interactive or network logon where only batch/service was expected).
- Potential Account Takeover - Logon from New Source IP source medium: Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover or use of stolen credentials from a new location.
Splunk # view in coverage
- Unusual Number of Remote Endpoint Authentication Events source: The following analytic identifies an unusual number of remote authentication attempts from a single source by leveraging Windows Event ID 4624, which logs successful account logons. It uses statistical analysis, specifically the 3-sigma…
- Windows Kerberos Local Successful Logon source: The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. It detects EventCode 4624 with LogonType 3 and source address 127.0.0.1, indicating a login to the built-in local…
- Windows Rapid Authentication On Multiple Hosts source: The following analytic detects a source computer authenticating to 30 or more remote endpoints within a 5-minute timespan using Event ID 4624. This behavior is identified by analyzing Windows Event Logs for LogonType 3 events and counting…
- Windows RDP Login Session Was Established source: The following analytic detects instances where a successful Remote Desktop Protocol (RDP) login session was established, as indicated by Windows Security Event ID 4624 with Logon Type 10. This event confirms that a user has not only…
- Multiple Host logons (Windows Event Log) source: Use case looks for users who have logged into multiple hosts
- Pass-the-Hash (Windows Event Log) source: Detect when pass-the-hash techniques are utilized with computer or user accounts as in the most notable ZeroLogon exploit scenario after a computer account password has been reset.
- Potential Exposed SMB_RDP Port - Windows (Windows Event Log) source: Threat actors may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. This use case detects…
Kusto # view in coverage
- Multiple RDP connections from Single System source low: Identifies when an RDP connection is made to multiple systems and above the normal connection count for the previous 7 days. Connections from the same system with the same account within the same day. RDP connections are indicated by the EventID 4624 with LogonType = 10
- RDP Nesting source medium: Query detects potential lateral movement within a network by identifying when an RDP connection (EventID 4624, LogonType 10) is made to an initial system, followed by a subsequent RDP connection from that system to another, using the same account within a 60-minute window. To reduce false positives, it excludes scenarios where the same account has made 5 or more connections to the same set of computers in the previous 7 days. This approach focuses on highlighting unusual RDP behaviour that suggests lateral movement, which is often associated with attacker tactics during a network breach.
- Rare RDP Connections source medium: Identifies when an RDP connection is new or rare related to any logon type by a given account today compared with the previous 14 days. RDP connections are indicated by the EventID 4624 with LogonType = 10
- Service Accounts Performing Remote PS source high: Service Accounts Performing Remote PowerShell. The purpose behind this detection is to find service accounts that are performing remote PowerShell sessions. There are two phases to the detection: identify service accounts, then find remote PS cmdlets being run by these accounts. To accomplish this, we utilize DeviceLogonEvents and DeviceEvents to find cmdlets run that meet the criteria. One of the main advantages of this method is that it only requires server telemetry, and not the attacking client. The first phase relies on the DeviceLogonEvents to determine whether an account is a service account or not; consider the following accounts with logons: Random_user has DeviceLogonEvents with type 2, 3, 7, 10, 11 & 13. Random_service_account 'should' only have DeviceLogonEvents with type 3, 4 or 5.
- NTLM Relay Attack source: This query searches for successful NTLM network logins where the device name contained in the NTLM authentication message contains a device that is known to MDE, but the source IP address is different from the known source IP address for that specific device. This could indicate an attacker is relaying the NTLM authentication information. To remove false positives, this query also searches for an outgoing network connection from the initiator to the attacker. ↳ also matches Event ID 5156: The Windows Filtering Platform has permitted a connection.
- Password Spray source: Below queries detect password spray attacks using the sliding window count plugin. Because of the implementation of the sliding window, the queries work better than the bin() usage, but may create duplicate alerts. Grouping can be used in such cases. Sentinel Query: ↳ also matches Event ID 4625: An account failed to log on.
- Potential NTLM Relay Attack to Domain Controller source: Below query detects NTLM authentication coming from Domain Controller machine accounts. This is not an expected behavior and it's an indication of an NTLM relay attack. If NTLM Relaying is done towards a Linux machine, this query won't detect that. The attacker must have access to a Linux device in that case though. ↳ also matches Event ID 4625: An account failed to log on.
- Potentially Relayed NTLM Authentication - Microsoft Sentinel source: The below query detects Kerberos logons of computer accounts where there isn't any ticket request in the last 12h (10h is the default ticket expiration) coming from the same IpAddress with the same TargetUserName. The query can be enriched further if needed. ↳ also matches Event ID 4769: A Kerberos service ticket was requested.
- Potentially Relayed NTLM Authentication - Microsoft Defender for Endpoint source: The below query detects NTLM logons where the Network Address in the logon event doesn't match the Workstation Name's IP. This indicates potentially relayed NTLM authentication. It analyzes only the logons with domain accounts having admin privileges.
- Potentially Relayed NTLM Authentication - Microsoft Sentinel source: The below query detects NTLM logons where the Network Address in the logon event doesn't match the Workstation Name's IP. This indicates potentially relayed NTLM authentication. It analyzes only the logons with domain accounts having admin privileges. ↳ also matches Event ID 4672: Special privileges assigned to new logon.
YARA-L # view in coverage
- ADFS DKM Key Access source: Detects access to the AD contact object to read the AD FS DKM (distributed key manager) master key value. ↳ also matches Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials., Event ID 4662: An operation was performed on an object.
- MITRE ATT&CK T1110.003 RW Windows Password Spray source: Detect repeated authentication failure with multiple users indicative of a password spray attack. ↳ also matches Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials.
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One source: Detect Multiple Failed Login Attempts followed by Successful Login. ↳ also matches Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials.
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity source: Detect Multiple Failed Login Attempts followed by Successful Login. ↳ also matches Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials.
- Windows Short Term Account Use source: Detects the creation, login, and deletion of a user account over a predefined timeframe. ↳ also matches Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials., Event ID 4720: A user account was created., Event ID 4726: A user account was deleted.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/evtx-4624-successful-logon.md
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4624_v2.yml
Event ID 4625: An account failed to log on.
#Description
This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid | SID of account that reported information about logon failure. | 1 |
SubjectUserName | The name of the account that reported information about logon failure. | |
SubjectDomainName | Subject's domain or computer name. | |
SubjectLogonId | Logon session ID of the account that reported the failure. | |
TargetUserSid | SID of the account that was specified in the logon attempt. | |
TargetUserName | The name of the account that was specified in the logon attempt. | 1 |
TargetDomainName | Domain of the account that was specified in the logon attempt. | |
Status HexInt32 | NTSTATUS failure code. See SubStatus for additional detail. NTSTATUS reference | 6 |
FailureReason | Human-readable translation of the Status code. | |
SubStatus | Secondary NTSTATUS code with additional failure detail (e.g., the specific account restriction that blocked logon). NTSTATUS reference | 26 |
LogonType | Type of logon that was attempted. Known values | 8 |
LogonProcessName | Logon process that handled the authentication attempt (e.g., NtLmSsp, Kerberos, User32). | |
AuthenticationPackageName | Authentication package used for the logon attempt (e.g., NTLM, Kerberos). | |
WorkstationName | Name of the workstation the logon attempt originated from. | 1 |
TransmittedServices | Kerberos services transmitted during S4U delegation. Empty for non-delegated logon attempts. | |
LmPackageName | NTLM sub-protocol used (NTLM V1, NTLM V2, or LM). Populated only when AuthenticationPackageName = NTLM. | |
KeyLength | NTLM session security key length in bits. 0 for Kerberos or when no session key was requested. Known values | |
ProcessId | Process ID of the process that attempted the logon. | |
ProcessName | Full path of the process that attempted the logon. | 4 |
IpAddress | Source IP address of the logon attempt. "-" for local attempts. | 5 |
IpPort | Source port of the remote logon attempt. 0 for interactive logons. | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4625,
"version": 0,
"level": 0,
"task": 12544,
"opcode": 0,
"keywords": -9218868437227405312,
"time_created": "2026-06-13T05:23:33.3577893+00:00",
"event_record_id": 2937535,
"correlation": {},
"execution": {
"process_id": 896,
"thread_id": 5864
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-0-0",
"SubjectUserName": "-",
"SubjectDomainName": "-",
"SubjectLogonId": "0x0",
"TargetUserSid": "S-1-0-0",
"TargetUserName": "domainadmin",
"TargetDomainName": "",
"Status": "0xc000006d",
"FailureReason": "%%2313",
"SubStatus": "0xc0000064",
"LogonType": "3",
"LogonProcessName": "NtLmSsp ",
"AuthenticationPackageName": "NTLM",
"WorkstationName": "LUDUS",
"TransmittedServices": "-",
"LmPackageName": "-",
"KeyLength": "0",
"ProcessId": "0x0",
"ProcessName": "-",
"IpAddress": "-",
"IpPort": "-"
},
"message": "An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC0000064\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tLUDUS\r\n\tSource Network Address:\t-\r\n\tSource Port:\t\t-\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
}
Detection Patterns #
- 11 rules (Splunk)
- 10 rules (Elastic, Splunk)
- 9 rules (Splunk)
- Credential Access: Password Guessing: 8 rules (Splunk)
- Credential Access: Brute Force: 8 rules (Splunk)
- Relay Attack Against
- Uses Authentication Normalization
- Lateral Movement: Remote Services: 1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
LogonType | eq | Network | 13 rules | elastic, kusto, sigma, splunk |
src_ip | ne | ::1 | 4 rules | elastic, splunk |
src_ip | ne | 127.0.0.1 | 4 rules | elastic |
isOutlier | eq | 1 | 4 rules | splunk |
AuthenticationPackageName | eq | NTLM | 4 rules | elastic, kusto, sigma, splunk |
user | ends_with | $ | 4 rules | elastic, kusto |
AccountType | eq | User | 3 rules | kusto |
EventType | eq | logon-failed | 3 rules | elastic |
security_result.action | eq | BLOCK | 3 rules | chronicle |
unique_accounts | gt | 30 | 2 rules | splunk |
TargetDomainName | ne | NT AUTHORITY | 2 rules | elastic |
event.category | eq | authentication | 2 rules | elastic |
LogonType | eq | Interactive | 2 rules | sigma, splunk |
src_ip | is_not_null | | 2 rules | elastic |
ElevatedToken | eq | Logon | 2 rules | kusto |
Community Notes #
The Status field indicates the top-level failure reason; SubStatus provides additional detail. When Status is 0xC000006D (generic logon failure), check SubStatus for the specific cause.
Kerberos result codes (Status, when authentication uses Kerberos):
| Code | Description |
|---|---|
| 0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN — invalid/non-existent user account |
| 0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN — requested server not found |
| 0xC | KDC_ERR_POLICY — policy restriction prohibited logon |
| 0x12 | KDC_ERR_CLIENT_REVOKED — account locked, disabled, or expired |
| 0x17 | KDC_ERR_KEY_EXPIRED — expired password |
| 0x18 | KDC_ERR_PREAUTH_FAILED — invalid password |
| 0x25 | KRB_AP_ERR_SKEW — clock skew too great between client and server |
NTSTATUS codes (Status and SubStatus):
| Code | Name | Description |
|---|---|---|
| 0xC000006D | STATUS_LOGON_FAILURE | Generic logon failure — check SubStatus for detail |
| 0xC0000064 | STATUS_NO_SUCH_USER | Non-existent account username |
| 0xC000006A | STATUS_WRONG_PASSWORD | Incorrect password (username correct) |
| 0xC000006E | STATUS_ACCOUNT_RESTRICTION | Account restriction prevented logon |
| 0xC000006C | STATUS_PASSWORD_RESTRICTION | Password does not meet policy requirements |
| 0xC000006F | STATUS_INVALID_LOGON_HOURS | Account not allowed to log on at this time |
| 0xC0000070 | STATUS_INVALID_WORKSTATION | Account not allowed to log on from this computer |
| 0xC0000071 | STATUS_PASSWORD_EXPIRED | Expired password |
| 0xC0000072 | STATUS_ACCOUNT_DISABLED | Disabled account |
| 0xC000005E | STATUS_NO_LOGON_SERVERS | No logon servers available |
| 0xC0000133 | STATUS_TIME_DIFFERENCE_AT_DC | Clock skew between client and DC too great |
| 0xC000015B | STATUS_LOGON_TYPE_NOT_GRANTED | Logon type not granted to this account |
| 0xC000018D | STATUS_TRUSTED_RELATIONSHIP_FAILURE | Trust relationship between domain and trusted domain failed |
| 0xC0000192 | STATUS_NETLOGON_NOT_STARTED | Netlogon service not started |
| 0xC0000193 | STATUS_ACCOUNT_EXPIRED | Expired account |
| 0xC0000224 | STATUS_PASSWORD_MUST_CHANGE | Password must change at next logon |
| 0xC0000234 | STATUS_ACCOUNT_LOCKED_OUT | Account locked out |
| 0xC0000388 | STATUS_DOWNGRADE_DETECTED | Kerberos/NTLM downgrade detected |
| 0xC0000413 | STATUS_AUTHENTICATION_FIREWALL_FAILED | Blocked by authentication policy/silo |
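As an added example (not code from this event catalogue), the decoder below applies the NTSTATUS table above to the `event_data` of a 4625 event: it falls through from the generic `STATUS_LOGON_FAILURE` to the `SubStatus`, treats a `SubStatus` of `0x0` as "no further detail", and then groups failures by source so that the "many distinct accounts from one source with a bad-password/unknown-user reason" shape used by the password-spray rules listed further down becomes visible. The first event is the page's own example 4625 (`domainadmin` from workstation `LUDUS`); the remaining events, the IP addresses, account names and the threshold value are constructed for illustration.

```python
from collections import Counter, defaultdict

# NTSTATUS names exactly as listed in the Community Notes table above.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC000006C: "STATUS_PASSWORD_RESTRICTION",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED",
    0xC000018D: "STATUS_TRUSTED_RELATIONSHIP_FAILURE",
    0xC0000192: "STATUS_NETLOGON_NOT_STARTED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000388: "STATUS_DOWNGRADE_DETECTED",
    0xC0000413: "STATUS_AUTHENTICATION_FIREWALL_FAILED",
}
GENERIC_LOGON_FAILURE = 0xC000006D
# Reasons that indicate credential guessing rather than a policy block.
CREDENTIAL_GUESS_REASONS = {"STATUS_WRONG_PASSWORD", "STATUS_NO_SUCH_USER"}


def decode_failure(event_data):
    """Return (status_name, substatus_name, effective_reason) for one 4625 event_data."""
    status = int(event_data["Status"], 16)          # hex string, any case
    sub = int(event_data.get("SubStatus", "0x0"), 16)
    status_name = NTSTATUS.get(status, f"UNKNOWN_0x{status:08X}")
    sub_name = "NONE" if sub == 0 else NTSTATUS.get(sub, f"UNKNOWN_0x{sub:08X}")
    # Generic top-level failure: the real cause lives in SubStatus.
    reason = sub_name if status == GENERIC_LOGON_FAILURE and sub != 0 else status_name
    return status_name, sub_name, reason


def source_key(event_data):
    """Prefer IpAddress; fall back to WorkstationName when the event has no address ("-")."""
    ip = event_data.get("IpAddress", "-")
    return ip if ip and ip != "-" else event_data.get("WorkstationName", "-")


def summarize_by_source(events):
    """{source: {"targets": set of TargetUserName, "reasons": Counter of effective reason}}."""
    summary = defaultdict(lambda: {"targets": set(), "reasons": Counter()})
    for ev in events:
        _, _, reason = decode_failure(ev)
        entry = summary[source_key(ev)]
        entry["targets"].add(ev["TargetUserName"])
        entry["reasons"][reason] += 1
    return dict(summary)


def flag_spray_sources(events, threshold):
    """Sources that failed against >= threshold distinct accounts with a guessing reason."""
    flagged = []
    for src, entry in summarize_by_source(events).items():
        guesses = sum(n for r, n in entry["reasons"].items() if r in CREDENTIAL_GUESS_REASONS)
        if len(entry["targets"]) >= threshold and guesses >= threshold:
            flagged.append(src)
    return sorted(flagged)


# The page's example 4625 event_data (fields needed here).
PAGE_EXAMPLE = {"TargetUserName": "domainadmin", "WorkstationName": "LUDUS",
                "IpAddress": "-", "Status": "0xc000006d", "SubStatus": "0xc0000064",
                "LogonType": "3"}

# Constructed events: three accounts, wrong password, one source IP (spray shape),
# plus one locked-out account whose Status is already specific (SubStatus 0x0).
SAMPLE_EVENTS = [PAGE_EXAMPLE] + [
    {"TargetUserName": u, "WorkstationName": "WS01", "IpAddress": "10.0.0.5",
     "Status": "0xc000006d", "SubStatus": "0xc000006a", "LogonType": "3"}
    for u in ("alice", "bob", "carol")
] + [
    {"TargetUserName": "dave", "WorkstationName": "WS02", "IpAddress": "10.0.0.9",
     "Status": "0xc0000234", "SubStatus": "0x0", "LogonType": "2"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(source_key(ev), ev["TargetUserName"], decode_failure(ev))
    print("spray candidates:", flag_spray_sources(SAMPLE_EVENTS, threshold=3))
```

The page's example decodes to `STATUS_LOGON_FAILURE` / `STATUS_NO_SUCH_USER`, so the effective reason is the SubStatus, which is what the Community Notes mean by "check SubStatus for the specific cause"; the locked-out event keeps its own Status because it is already specific. Counting distinct targets per source rather than raw failures is what separates a spray from one user mistyping a password repeatedly.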
Detection Rules #
Sigma # view in coverage
- Failed Logon From Public IP source medium: Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
- Scanner PoC for CVE-2019-0708 RDP RCE Vuln source high: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
Elastic # view in coverage
- Privileged Accounts Brute Force source medium: Identifies multiple consecutive logon failures targeting more than one Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.
- Multiple Logon Failure from the same Source Address source medium: Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.
Splunk # view in coverage
- Detect Password Spray Attempts source: This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts from a single source. A password spray attack is a type of brute force attack where an attacker tries a few common passwords across…
- Windows Multiple Users Failed To Authenticate From Process source: The following analytic detects a source process failing to authenticate with 30 unique users, indicating a potential Password Spraying attack. It leverages Windows Event 4625 with Logon Type 2, collected from domain controllers, member…
- Windows Multiple Users Remotely Failed To Authenticate From Host source: The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. It leverages Windows Event 4625 with Logon Type 3, indicating remote authentication attempts. This behavior is significant…
- Windows Unusual Count Of Users Failed To Authenticate From Process source: The following analytic identifies a source process failing to authenticate multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625, which logs failed logon attempts, and uses statistical analysis…
- Windows Unusual Count Of Users Remotely Failed To Auth From Host source: The following analytic identifies a source host failing to authenticate against a remote host with multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625 (failed logon attempts) and Logon Type 3…
- Multiple Failed Network Logon Attempts from Host (Windows Event Log) source: This use case detects a single source host with failed network (remote) authentication attempts from multiple user accounts in a short time period (default 2 minutes). This can be an indication of a password spraying attack from a…
- Password Spraying Windows (Windows Event Log) source: Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. ↳ also matches Event ID 4688: A new process has been created.
- Suspicious Login Failures (Windows Event Log) source: Adversaries may use a single or small list of commonly used passwords against the same account in order to acquire valid account credentials. This use case looks for multiple logon failures by user and host, which may indicate a brute…
Kusto # view in coverage
- Failed logon attempts by valid accounts within 10 mins source low: Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from a valid account.
- Excessive Windows Logon Failures source low: This query identifies user accounts which have over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.
- Password Spray source: Below queries detect password spray attacks using the sliding window count plugin. Because of the implementation of the sliding window, the queries work better than the bin() usage, but may create duplicate alerts. Grouping can be used in such cases. Sentinel Query: ↳ also matches Event ID 4624: An account was successfully logged on.
- Potential NTLM Relay Attack to Domain Controller source: Below query detects NTLM authentication coming from Domain Controller machine accounts. This is not an expected behavior and it's an indication of an NTLM relay attack. If NTLM Relaying is done towards a Linux machine, this query won't detect that. The attacker must have access to a Linux device in that case though. ↳ also matches Event ID 4624: An account was successfully logged on.
YARA-L # view in coverage
- ADFS DKM Key Access source: Detects access to the AD contact object to read the AD FS DKM (distributed key manager) master key value. ↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4648: A logon was attempted using explicit credentials., Event ID 4662: An operation was performed on an object.
- MITRE ATT&CK T1110.003 RW Windows Password Spray source: Detect repeated authentication failure with multiple users indicative of a password spray attack. ↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4648: A logon was attempted using explicit credentials.
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One source: Detect Multiple Failed Login Attempts followed by Successful Login. ↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4648: A logon was attempted using explicit credentials.
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity source: Detect Multiple Failed Login Attempts followed by Successful Login. ↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4648: A logon was attempted using explicit credentials.
- Windows Short Term Account Use source: Detects the creation, login, and deletion of a user account over a predefined timeframe. ↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4648: A logon was attempted using explicit credentials., Event ID 4720: A user account was created., Event ID 4726: A user account was deleted.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/evtx-4625-failed-logon.md
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4625.yml
Event ID 4626: User / Device claims information.
#Description
This event generates for new account logons and contains user/device claims which were associated with a new logon session.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that reported information about claims. |
SubjectUserName UnicodeString | The name of the account that reported information about claims. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
TargetUserSid SID | SID of account for which logon was performed. |
TargetUserName UnicodeString | The name of the account for which logon was performed. |
TargetDomainName UnicodeString | [New Logon] Account Domain. |
TargetLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
LogonType UInt32 | The type of logon which was performed. Logon type reference |
EventIdx UInt32 | If there is not enough space in one event to put all claims, you will see "1 of N" in this field and additional events will be generated. Typically this field has the value "1 of 1". |
EventCountTotal UInt32 | Total number of events in the sequence (the N in "1 of N"). |
UserClaims UnicodeString | List of user claims for new logon session. This field contains user claims if user account was logged in and device claims if computer account was logged in. |
DeviceClaims UnicodeString | List of device claims for new logon session. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4626
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-device-claims
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4626
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4626.yml
Event ID 4627: Group membership information.
#Description
This event generates with "4624(S): An account was successfully logged on" and shows the list of groups that the logged-on account belongs to.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid SID | [Subject] Security ID. Indicates the account on the local system which requested the logon. | |
SubjectUserName UnicodeString | [Subject] Account Name. Indicates the account on the local system which requested the logon. | |
SubjectDomainName UnicodeString | [Subject] Account Domain. Indicates the account on the local system which requested the logon. | |
SubjectLogonId HexInt64 | [Subject] Logon ID. Indicates the account on the local system which requested the logon. | |
TargetUserSid SID | [New Logon] Security ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on. | |
TargetUserName UnicodeString | [New Logon] Account Name. Indicates the account for whom the new logon was created, i.e. the account that was logged on. | 7 |
TargetDomainName UnicodeString | [New Logon] Account Domain. Indicates the account for whom the new logon was created, i.e. the account that was logged on. | |
TargetLogonId HexInt64 | [New Logon] Logon ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on. | |
LogonType UInt32 | Logon Type. Indicates the kind of logon that occurred for the new logon session. Logon type reference | 2 |
EventIdx UInt32 | Event in sequence ("1 of N"); additional events are generated when the group list does not fit in one event. | |
EventCountTotal UInt32 | Total number of events in the sequence. | |
GroupMembership UnicodeString | The list of group SIDs to which the logged-on account belongs (is a member of). | 1 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4627,
"version": 0,
"level": 0,
"task": 12554,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:08:49.2402736+00:00",
"event_record_id": 3213579,
"correlation": {},
"execution": {
"process_id": 896,
"thread_id": 4272
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-0-0",
"SubjectUserName": "-",
"SubjectDomainName": "-",
"SubjectLogonId": "0x0",
"TargetUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"TargetUserName": "domainadmin",
"TargetDomainName": "cell-c",
"TargetLogonId": "0x296120d",
"LogonType": "3",
"EventIdx": "1",
"EventCountTotal": "1",
"GroupMembership": "\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-513}\n\t\t%{S-1-1-0}\n\t\t%{S-1-5-32-555}\n\t\t%{S-1-5-32-545}\n\t\t%{S-1-5-32-554}\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-2}\n\t\t%{S-1-5-11}\n\t\t%{S-1-5-15}\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-520}\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-512}\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-519}\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-518}\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-572}\n\t\t%{S-1-5-64-10}\n\t\t%{S-1-16-12288}"
},
"message": "Group membership information.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x296120D\r\n\r\nEvent in sequence:\t\t1 of 1\r\n\r\nGroup Membership:\t\t\t\r\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-555}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-554}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-520}\r\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-512}\r\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-519}\r\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-518}\r\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-572}\r\n\t\t%{S-1-5-64-10}\r\n\t\t%{S-1-16-12288}\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThis event is generated when the Audit Group Membership subcategory is configured. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session."
}
Community Notes #
Shows the full AD group list for every successful logon (useful to detect changes in privileges).
Detection Rules #
Splunk #
- Windows Domain Admin Impersonation Indicator source: The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group…
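The check below, added here as an example and not code from the page or from the Splunk analytic, parses the GroupMembership string of a 4627 event in the shape of the example above and flags the group SIDs that grant domain-level or built-in administrative rights, which is the condition the analytic keys on. The privileged RID and SID lists are taken from public well-known-SID documentation, and the sample event is the example event's event_data reduced to the fields read here.

```python
import json
import re

# Well-known domain RIDs (last component of a domain SID) and BUILTIN SIDs
# that confer administrative rights. Constructed from public SID documentation.
PRIVILEGED_DOMAIN_RIDS = {
    "512": "Domain Admins",
    "518": "Schema Admins",
    "519": "Enterprise Admins",
    "520": "Group Policy Creator Owners",
}
PRIVILEGED_BUILTIN_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators",
}

# The 4627 GroupMembership field is a single string: each group is written as
# %{SID}, separated by newlines and tabs (see the example event above).
_GROUP_RE = re.compile(r"%\{(S-1-[0-9-]+)\}")
_DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def parse_group_membership(field: str) -> list[str]:
    """Return the group SIDs listed in a 4627 GroupMembership value, in order."""
    return _GROUP_RE.findall(field)


def privileged_groups(sids: list[str]) -> list[tuple[str, str]]:
    """Return (sid, friendly name) for every SID that names a privileged group."""
    hits = []
    for sid in sids:
        if sid in PRIVILEGED_BUILTIN_SIDS:
            hits.append((sid, PRIVILEGED_BUILTIN_SIDS[sid]))
            continue
        m = _DOMAIN_SID_RE.match(sid)
        if m and m.group(2) in PRIVILEGED_DOMAIN_RIDS:
            hits.append((sid, PRIVILEGED_DOMAIN_RIDS[m.group(2)]))
    return hits


def check_event(event: dict) -> dict:
    """Evaluate one 4627 event in the JSON shape used on this page.

    Returns the logon ID (for correlation with 4624/4634), the account,
    the number of groups in the token, and the privileged groups found.
    """
    data = event["event_data"]
    sids = parse_group_membership(data["GroupMembership"])
    return {
        "logon_id": data["TargetLogonId"],
        "account": f'{data["TargetDomainName"]}\\{data["TargetUserName"]}',
        "group_count": len(sids),
        "privileged": privileged_groups(sids),
    }


# Constructed sample: the event_data of the example 4627 event above,
# reduced to the fields this check reads.
SAMPLE_4627 = {
    "event_data": {
        "TargetUserName": "domainadmin",
        "TargetDomainName": "cell-c",
        "TargetLogonId": "0x296120d",
        "GroupMembership": (
            "\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-513}"
            "\n\t\t%{S-1-1-0}\n\t\t%{S-1-5-32-555}\n\t\t%{S-1-5-32-545}"
            "\n\t\t%{S-1-5-32-554}\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-2}"
            "\n\t\t%{S-1-5-11}\n\t\t%{S-1-5-15}"
            "\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-520}"
            "\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-512}"
            "\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-519}"
            "\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-518}"
            "\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-572}"
            "\n\t\t%{S-1-5-64-10}\n\t\t%{S-1-16-12288}"
        ),
    }
}

if __name__ == "__main__":
    print(json.dumps(check_event(SAMPLE_4627), indent=2))
```

The returned logon_id is the TargetLogonId, so a hit can be joined to the 4624 that produced it and to the 4634/4647 that ended the session.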
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4627
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-group-membership
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4627
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4627.yml
Event ID 4634: An account was logged off.
#Description
This event shows that logon session was terminated and no longer exists.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserSid | SID | SID of account that was logged off. |
| TargetUserName | UnicodeString | The name of the account that was logged off. |
| TargetDomainName | UnicodeString | Domain of the account that was logged off. |
| TargetLogonId | HexInt64 | Logon session ID of the session that ended. Correlates with Event ID 4624. |
| LogonType | UInt32 | Type of logon session that ended. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4634,
"version": 0,
"level": 0,
"task": 12545,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:08:49.2412951+00:00",
"event_record_id": 3213581,
"correlation": {},
"execution": {
"process_id": 896,
"thread_id": 4272
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"TargetUserName": "domainadmin",
"TargetDomainName": "cell-c",
"TargetLogonId": "0x2651556",
"LogonType": "3"
},
"message": "An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x2651556\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
}
Detection Patterns #
Uses Authentication Normalization
Impact: Account Access Removal
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| ElevatedToken | eq | Logon | 2 rules | kusto |
| EventResult | eq | Failure | 2 rules | kusto |
| EventResult | eq | Success | 2 rules | kusto |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logoff
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4634
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4634.yml
Event ID 4646: notification
#Description
notification
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| notification | UnicodeString | |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4646
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4646
Event ID 4647: User initiated logoff.
#Description
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserSid | SID | SID of account that requested the "logoff" operation. |
| TargetUserName | UnicodeString | The name of the account that requested the "logoff" operation. |
| TargetDomainName | UnicodeString | Subject's domain or computer name. |
| TargetLogonId | HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4647,
"version": 0,
"level": 0,
"task": 12545,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T05:22:33.5864288+00:00",
"event_record_id": 2929085,
"correlation": {
"ActivityID": "{55D4FF8A-EF8A-0001-0800-D5558AEFDC01}"
},
"execution": {
"process_id": 852,
"thread_id": 4760
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"TargetUserName": "domainadmin",
"TargetDomainName": "cell-c",
"TargetLogonId": "0x9bd40"
},
"message": "User initiated logoff:\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x9BD40\r\n\r\nThis event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event."
}
Detection Patterns #
Stealth: Valid Accounts
1 rule
Impact: Account Access Removal
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logoff
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4647
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4647.yml
Event ID 4648: A logon was attempted using explicit credentials.
#Description
This event is generated when a process attempts an account logon by explicitly specifying that account's credentials.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| SubjectUserSid | SID | SID of account that requested the new logon session with explicit credentials. | |
| SubjectUserName | UnicodeString | The name of the account that requested the new logon session with explicit credentials. | 3 |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. | |
| SubjectLogonId | HexInt64 | Logon session ID of the calling account. Correlates with Event ID 4624. | |
| LogonGuid | GUID | GUID correlating this event with a Kerberos TGS request (Event ID 4769) on the domain controller. All zeros for non-Kerberos logons. | |
| TargetUserName | UnicodeString | The name of the account whose credentials were used. | 2 |
| TargetDomainName | UnicodeString | Domain of the account whose credentials were used. | |
| TargetLogonGuid | GUID | GUID correlating the target account's Kerberos TGS request (Event ID 4769) on the domain controller. | |
| TargetServerName | UnicodeString | Server for which the explicit credentials were used. "localhost" for local processes. | 2 |
| TargetInfo | UnicodeString | Additional SPN or resource identifier for the target server. | 1 |
| ProcessId | Pointer | Process ID of the process that used the explicit credentials. | |
| ProcessName | UnicodeString | Full path of the process that used the explicit credentials. | 8 |
| IpAddress | UnicodeString | Source IP of the remote logon attempt. "-" for local requests. | |
| IpPort | UnicodeString | Source port of the remote logon attempt. "-" for local requests. | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4648,
"version": 0,
"level": 0,
"task": 12544,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T08:33:05.1721046+00:00",
"event_record_id": 1988356,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 5768
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-A$",
"SubjectDomainName": "cell-a",
"SubjectLogonId": "0x3e7",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"TargetUserName": "TELEMETRY-DC-A$",
"TargetDomainName": "CELL-A.LUDUS.DOMAIN",
"TargetLogonGuid": "{d12ef9bd-613b-db6d-be77-75b97d030155}",
"TargetServerName": "telemetry-dc-a$",
"TargetInfo": "telemetry-dc-a$",
"ProcessId": "0xcc",
"ProcessName": "C:\\Windows\\System32\\taskhostw.exe",
"IpAddress": "-",
"IpPort": "-"
},
"message": "A logon was attempted using explicit credentials.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nAccount Whose Credentials Were Used:\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tCELL-A.LUDUS.DOMAIN\r\n\tLogon GUID:\t\t{d12ef9bd-613b-db6d-be77-75b97d030155}\r\n\r\nTarget Server:\r\n\tTarget Server Name:\ttelemetry-dc-a$\r\n\tAdditional Information:\ttelemetry-dc-a$\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0xcc\r\n\tProcess Name:\t\tC:\\Windows\\System32\\taskhostw.exe\r\n\r\nNetwork Information:\r\n\tNetwork Address:\t-\r\n\tPort:\t\t\t-\r\n\r\nThis event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
}
Detection Patterns #
Event Log
1 rule
Stealth: Valid Accounts
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| security_result.action | eq | BLOCK | 3 rules | chronicle |
| user | ne | *$ | 2 rules | splunk |
| TargetServerName | eq | localhost | 2 rules | sigma |
| Target_User_Name | ne | *$ | 2 rules | splunk |
| security_result.action | eq | ALLOW | 2 rules | chronicle |
| Image | ends_with | \net.exe | 1 rule | sigma |
| Image | ends_with | \net1.exe | 1 rule | sigma |
| src_ip | eq | ::1 | 1 rule | elastic, sigma |
| TargetUserName | ends_with | $ | 1 rule | kusto, sigma |
| unique_accounts | gt | 30 | 1 rule | splunk |
| CommandLine | contains | /user: | 1 rule | sigma, splunk |
| LogonProcessName | eq | seclogo | 1 rule | elastic, sigma |
| LogonType | eq | Interactive | 1 rule | sigma, splunk |
| graph.metadata.source_type | eq | ENTITY_CONTEXT | 1 rule | chronicle |
| process_name | regex_match | (?i)adexplorer(64)?\|adexp\.exe | 1 rule | splunk |
Community Notes #
Logon with explicit credentials (RunAs, SchTasks, Pass-the-Hash, WinRM, SMB). May appear when an NTLM relayed session is used to create a service/task. Useful with 4624 (successful logon)/4634 (logoff completed) for reconstructing interactive or service logons.
Detection Rules #
Sigma #
- Suspicious Remote Logon with Explicit Credentials source medium: Detects suspicious processes logging on with explicit credentials
Splunk #
- Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials source: The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. It leverages Windows Event 4648, which is generated when a process attempts an account logon by explicitly…
- Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials source: The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. It leverages Windows Event Code 4648 and calculates the standard deviation for each host, using the 3-sigma…
YARA-L #
- ADFS DKM Key Access source: Detects access to the AD contact object to read the AD FS DKM (distributed key manager) master key value. ↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on., Event ID 4662: An operation was performed on an object.
- MITRE ATT&CK T1110.003 RW Windows Password Spray source: Detect repeated authentication failure with multiple users indicative of a password spray attack. ↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on.
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One source: Detect Multiple Failed Login Attempts followed by Successful Login. ↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on.
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity source: Detect Multiple Failed Login Attempts followed by Successful Login. ↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on.
- Windows Short Term Account Use source: Detects the creation, login, and deletion of a user account over a predefined timeframe. ↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on., Event ID 4720: A user account was created., Event ID 4726: A user account was deleted.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4648
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/evtx-4648-explicit-credentials.md
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4648.yml
Event ID 4649: A replay attack was detected.
#Description
A replay attack was detected.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| TargetUserName | UnicodeString | [Credentials Which Were Replayed] Account Name |
| TargetDomainName | UnicodeString | [Credentials Which Were Replayed] Account Domain |
| RequestType | UnicodeString | [Detailed Authentication Information] Request Type |
| LogonProcessName | UnicodeString | [Detailed Authentication Information] Logon Process |
| AuthenticationPackage | UnicodeString | [Detailed Authentication Information] Authentication Package |
| WorkstationName | UnicodeString | [Network Information] Workstation Name |
| TransmittedServices | UnicodeString | [Detailed Authentication Information] Transited Services |
| ProcessId | Pointer | [Process Information] Process ID |
| ProcessName | UnicodeString | [Process Information] Process Name |
Community Notes #
Alerts when a copied ticket is reused.
Detection Rules #
Sigma #
- Replay Attack Detected source high: Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4649
Event ID 4650: An IPsec main mode security association was established.
#Description
An IPsec main mode security association was established. Extended mode was not enabled. Certificate authentication was not used.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalMMPrincipalName | UnicodeString | [Local Endpoint] Principal Name |
| RemoteMMPrincipalName | UnicodeString | [Remote Endpoint] Principal Name |
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalKeyModPort | UInt32 | [Local Endpoint] Keying Module Port |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteKeyModPort | UInt32 | [Remote Endpoint] Keying Module Port |
| KeyModName | UnicodeString | [Additional Information] Keying Module Name |
| MMAuthMethod | UnicodeString | [Additional Information] Authentication Method |
| MMCipherAlg | UnicodeString | [Cryptographic Information] Cipher Algorithm |
| MMIntegrityAlg | UnicodeString | [Cryptographic Information] Integrity Algorithm |
| DHGroup | UnicodeString | [Cryptographic Information] Diffie-Hellman Group |
| MMLifetime | UInt32 | [Security Association Information] Lifetime (minutes) |
| QMLimit | UInt32 | [Security Association Information] Quick Mode Limit |
| Role | UnicodeString | [Additional Information] Role |
| MMImpersonationState | UnicodeString | [Additional Information] Impersonation State |
| MMFilterID | UInt64 | [Additional Information] Main Mode Filter ID |
| MMSAID | UInt64 | [Security Association Information] Main Mode SA ID |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4650
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4650
Event ID 4651: An IPsec main mode security association was established.
#Description
An IPsec main mode security association was established. Extended mode was not enabled. A certificate was used for authentication.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalMMPrincipalName | UnicodeString | [Local Endpoint] Principal Name |
| LocalMMCertHash | UnicodeString | [Local Certificate] SHA Thumbprint |
| LocalMMIssuingCA | UnicodeString | [Local Certificate] Issuing CA |
| LocalMMRootCA | UnicodeString | [Local Certificate] Root CA |
| RemoteMMPrincipalName | UnicodeString | [Remote Endpoint] Principal Name |
| RemoteMMCertHash | UnicodeString | [Remote Certificate] SHA Thumbprint |
| RemoteMMIssuingCA | UnicodeString | [Remote Certificate] Issuing CA |
| RemoteMMRootCA | UnicodeString | [Remote Certificate] Root CA |
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalKeyModPort | UInt32 | [Local Endpoint] Keying Module Port |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteKeyModPort | UInt32 | [Remote Endpoint] Keying Module Port |
| KeyModName | UnicodeString | [Additional Information] Keying Module Name |
| MMAuthMethod | UnicodeString | [Additional Information] Authentication Method |
| MMCipherAlg | UnicodeString | [Cryptographic Information] Cipher Algorithm |
| MMIntegrityAlg | UnicodeString | [Cryptographic Information] Integrity Algorithm |
| DHGroup | UnicodeString | [Cryptographic Information] Diffie-Hellman Group |
| MMLifetime | UInt32 | [Security Association Information] Lifetime (minutes) |
| QMLimit | UInt32 | [Security Association Information] Quick Mode Limit |
| Role | UnicodeString | [Additional Information] Role |
| MMImpersonationState | UnicodeString | [Additional Information] Impersonation State |
| MMFilterID | UInt64 | [Additional Information] Main Mode Filter ID |
| MMSAID | UInt64 | [Security Association Information] Main Mode SA ID |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4651
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4651
Event ID 4652: An IPsec main mode negotiation failed.
#Description
An IPsec main mode negotiation failed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalMMPrincipalName | UnicodeString | [Local Endpoint] Principal Name |
| LocalMMCertHash | UnicodeString | [Local Certificate] SHA Thumbprint |
| LocalMMIssuingCA | UnicodeString | [Local Certificate] Issuing CA |
| LocalMMRootCA | UnicodeString | [Local Certificate] Root CA |
| RemoteMMPrincipalName | UnicodeString | [Remote Endpoint] Principal Name |
| RemoteMMCertHash | UnicodeString | [Remote Certificate] SHA Thumbprint |
| RemoteMMIssuingCA | UnicodeString | [Remote Certificate] Issuing CA |
| RemoteMMRootCA | UnicodeString | [Remote Certificate] Root CA |
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalKeyModPort | UInt32 | [Local Endpoint] Keying Module Port |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteKeyModPort | UInt32 | [Remote Endpoint] Keying Module Port |
| KeyModName | UnicodeString | [Additional Information] Keying Module Name |
| FailurePoint | UnicodeString | [Failure Information] Failure Point |
| FailureReason | UnicodeString | [Failure Information] Failure Reason |
| MMAuthMethod | UnicodeString | [Additional Information] Authentication Method |
| State | UnicodeString | [Failure Information] State |
| Role | UnicodeString | [Additional Information] Role |
| MMImpersonationState | UnicodeString | [Additional Information] Impersonation State |
| MMFilterID | UInt64 | [Additional Information] Main Mode Filter ID |
| InitiatorCookie | UnicodeString | [Failure Information] Initiator Cookie |
| ResponderCookie | UnicodeString | [Failure Information] Responder Cookie |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4652
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4652
Event ID 4653: An IPsec main mode negotiation failed.
#Description
An IPsec main mode negotiation failed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalMMPrincipalName | UnicodeString | [Local Endpoint] Local Principal Name |
| RemoteMMPrincipalName | UnicodeString | [Remote Endpoint] Principal Name |
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalKeyModPort | UInt32 | [Local Endpoint] Keying Module Port |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteKeyModPort | UInt32 | [Remote Endpoint] Keying Module Port |
| KeyModName | UnicodeString | [Additional Information] Keying Module Name |
| FailurePoint | UnicodeString | [Failure Information] Failure Point |
| FailureReason | UnicodeString | [Failure Information] Failure Reason |
| MMAuthMethod | UnicodeString | [Additional Information] Authentication Method |
| State | UnicodeString | [Failure Information] State |
| Role | UnicodeString | [Additional Information] Role |
| MMImpersonationState | UnicodeString | [Additional Information] Impersonation State |
| MMFilterID | UInt64 | [Additional Information] Main Mode Filter ID |
| InitiatorCookie | UnicodeString | [Failure Information] Initiator Cookie |
| ResponderCookie | UnicodeString | [Failure Information] Responder Cookie |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4653,
"version": 0,
"level": 0,
"task": 12547,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2026-03-13T23:09:45.572614+00:00",
"event_record_id": 16633999,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 13940
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"LocalMMPrincipalName": "-",
"RemoteMMPrincipalName": "-",
"LocalAddress": "10.2.10.11",
"LocalKeyModPort": 500,
"RemoteAddress": "10.2.20.41",
"RemoteKeyModPort": 500,
"KeyModName": "%%8223",
"FailurePoint": "%%8199",
"FailureReason": "New policy invalidated SAs formed with old policy\r\n",
"MMAuthMethod": "%%8194",
"State": "%%8202",
"Role": "%%8205",
"MMImpersonationState": "%%8217",
"MMFilterID": 72917,
"InitiatorCookie": "abd97649c27753ac",
"ResponderCookie": "0000000000000000"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4653
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4653
Event ID 4654: An IPsec quick mode negotiation failed.
#Description
An IPsec quick mode negotiation failed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalAddressMask | UnicodeString | [Local Endpoint] Network Address Mask |
| LocalPort | UInt32 | [Local Endpoint] Port |
| LocalTunnelEndpoint | UnicodeString | [Local Endpoint] Tunnel Endpoint |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteAddressMask | UnicodeString | [Remote Endpoint] Address Mask |
| RemotePort | UInt32 | [Remote Endpoint] Port |
| RemoteTunnelEndpoint | UnicodeString | [Remote Endpoint] Tunnel Endpoint |
| Protocol | UInt32 | [Additional Information] Protocol |
| RemotePrivateAddress | UnicodeString | [Remote Endpoint] Private Address |
| KeyModName | UnicodeString | [Additional Information] Keying Module Name |
| FailurePoint | UnicodeString | [Failure Information] Failure Point |
| FailureReason | UnicodeString | [Failure Information] Failure Reason |
| Mode | UnicodeString | [Additional Information] Mode |
| State | UnicodeString | [Failure Information] State |
| Role | UnicodeString | [Additional Information] Role |
| MessageID | UInt32 | [Failure Information] Message ID |
| QMFilterID | UInt64 | [Additional Information] Quick Mode Filter ID |
| MMSAID | UInt64 | [Additional Information] Main Mode SA ID |
| TunnelId | UInt64 | [Additional Information] Virtual Interface Tunnel ID |
| TrafficSelectorId | UInt64 | [Additional Information] Traffic Selector ID |
References #
Event ID 4655: An IPsec main mode security association ended.
#Description
An IPsec main mode security association ended.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalAddress | UnicodeString | Local Network Address |
| RemoteAddress | UnicodeString | Remote Network Address |
| KeyModName | UnicodeString | Keying Module Name |
| MMSAID | UInt64 | Main Mode SA ID |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4655
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4655
Event ID 4656: A handle to an object was requested.
#Description
This event indicates that specific access was requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid | SID of account that requested a handle to an object. | |
SubjectUserName | Name of the account that requested a handle to an object. | 4 |
SubjectDomainName | Subject's domain or computer name. | |
SubjectLogonId | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | 1 |
ObjectServer | Has "Security" value for this event. | 4 |
ObjectType | Type of the object for which the handle was requested. | 22 |
ObjectName | Name and identifying information for the object. For files, includes the full path. | 26 |
HandleId | Hexadecimal handle to the object. Correlates with Event ID 4663. | |
TransactionId | GUID of the transaction. Correlates with Event ID 4660. | |
AccessList | Access rights requested. | 13 |
AccessReason | Access check results. Not applicable to kernel objects. | 1 |
AccessMask | Hexadecimal access mask for the requested operation. The upper 16 bits hold the standard and generic access rights that every securable object shares; the low 16 bits are object-type-specific and must be decoded against the sibling ObjectType field (File / Directory rights from winnt.h, Registry KEY_* rights from winreg.h, AD DS ACTRL_DS_* rights from iads.h; the Community Notes table below gives the interpretation per object family). For events whose ObjectType varies (4656 / 4663), check the event's ObjectType value before reading the low bits. | 32 |
PrivilegeList | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". | |
RestrictedSidCount | Number of restricted SIDs in the token. Applicable only to specific object types. | |
ProcessId | Hexadecimal Process ID of the process through which the access was requested. | |
ProcessName | Full path and the name of the executable for the process. | 68 |
ResourceAttributes | Attributes associated with the object. "-" when not applicable. | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4656,
"version": 1,
"level": 0,
"task": 12802,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:08:53.1096028+00:00",
"event_record_id": 3213665,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 4672
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-C$",
"SubjectDomainName": "cell-c",
"SubjectLogonId": "0x3e7",
"ObjectServer": "Security",
"ObjectType": "Process",
"ObjectName": "\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe",
"HandleId": "0x1150",
"TransactionId": "{00000000-0000-0000-0000-000000000000}",
"AccessList": "%%4484\n\t\t\t\t%%4490\n\t\t\t\t%%4492\n\t\t\t\t",
"AccessReason": "-",
"AccessMask": "0x1410",
"PrivilegeList": "-",
"RestrictedSidCount": "0",
"ProcessId": "0x1584",
"ProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"ResourceAttributes": "-"
},
"message": "A handle to an object was requested.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tProcess\r\n\tObject Name:\t\t\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe\r\n\tHandle ID:\t\t0x1150\r\n\tResource Attributes:\t-\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1584\r\n\tProcess Name:\t\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\r\n\r\nAccess Request Information:\r\n\tTransaction ID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\tAccesses:\t\tRead from process memory\r\n\t\t\t\tQuery process information\r\n\t\t\t\tUndefined Access (no effect) Bit 12\r\n\t\t\t\t\r\n\tAccess Reasons:\t\t-\r\n\tAccess Mask:\t\t0x1410\r\n\tPrivileges Used for Access Check:\t-\r\n\tRestricted SID Count:\t0"
}
Detection Patterns #
18 rules
Sigma
Splunk
Credential Access: LSASS Memory
9 rules
Sigma
Event Log
Credential Access: DCSync
1 rule
1 rule
Stealth: Disable or Modify Tools
Credential Access: LSASS Memory
Collection: Audio Capture
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
ObjectType | eq | Key | 6 rules | kusto, sigma |
SubjectUserName | ends_with | $ | 4 rules | sigma |
ObjectType | eq | Process | 4 rules | elastic, sigma |
ObjectServer | eq | Security | 3 rules | sigma |
ObjectName | ends_with | \lsass.exe | 3 rules | sigma |
signature_id | contains | 4656 | 3 rules | splunk |
AccessList | contains | %%4417 | 2 rules | elastic, sigma, splunk |
AccessList | contains | %%4418 | 2 rules | kusto, sigma, splunk |
process_name | contains | :\program files (x86)\ | 2 rules | sigma |
process_name | contains | :\program files\ | 2 rules | sigma |
process_name | contains | microsoft.identity.health.adfs.diagnosticsagent.exe | 2 rules | sigma |
process_name | contains | microsoft.identity.health.adfs.insightsservice.exe | 2 rules | sigma |
process_name | contains | microsoft.identity.health.adfs.monitoringagent.startup.exe | 2 rules | sigma |
process_name | contains | microsoft.identity.health.adfs.pshsurrogate.exe | 2 rules | sigma |
process_name | contains | microsoft.identity.health.common.clients.resourcemonitor.exe | 2 rules | sigma |
Community Notes #
Combined with 4663, may reveal bulk reads of sensitive shares before data exfil.
The AccessMask shown assumes File access rights (the most common context). The actual meaning of bits 0x01–0x80 depends on the ObjectType GUID at runtime. Common alternatives:
| Bit | File | Registry | Process | Service |
|---|---|---|---|---|
| 0x01 | ReadData / ListDirectory | KEY_QUERY_VALUE | PROCESS_TERMINATE | SERVICE_QUERY_CONFIG |
| 0x02 | WriteData / AddFile | KEY_SET_VALUE | PROCESS_CREATE_THREAD | SERVICE_CHANGE_CONFIG |
| 0x04 | AppendData / AddSubDir | KEY_CREATE_SUB_KEY | PROCESS_SET_SESSIONID | SERVICE_QUERY_STATUS |
| 0x08 | ReadEA | KEY_ENUMERATE_SUB_KEYS | PROCESS_VM_OPERATION | SERVICE_ENUMERATE_DEPENDENTS |
| 0x10 | WriteEA | KEY_NOTIFY | PROCESS_VM_READ | SERVICE_START |
| 0x20 | Execute / Traverse | KEY_CREATE_LINK | PROCESS_VM_WRITE | SERVICE_STOP |
Standard rights are shared across all types: DELETE (0x10000), READ_CONTROL (0x20000), WRITE_DAC (0x40000), WRITE_OWNER (0x80000).
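The decoding the note above describes, as an added example that is not part of this catalogue or of any vendor's rule: the low mask bits are read against the event's ObjectType, the page's own 4656 example (WmiPrvSE.exe requesting 0x1410 on lsass.exe) is decoded and run through the LSASS predicate the Sigma and Elastic rules below build on. The PROCESS 0x400 name, the SYNCHRONIZE bit and the AccessList id base 4480 are assumptions taken from the example event's rendered message and winnt.h; the other fixtures are constructed.

```python
"""Decode the AccessMask of a 4656/4663 event against its ObjectType and
classify LSASS handle requests.

Added example for this page, not part of the catalogue or of any vendor rule.
Bit tables: the Community Notes table above plus the standard rights it lists
(SYNCHRONIZE 0x100000 added from winnt.h). PROCESS 0x400 is taken from the
page's example event, whose message renders it as "Query process information".
EXAMPLE_EVENT is that event's event_data; the other fixtures are constructed.
"""

# Low 16 bits are object-type specific. Keys are the ObjectType values seen in
# events ("Key" for the table's Registry column; "Service" as the table names it).
TYPE_SPECIFIC = {
    "File": {0x01: "ReadData / ListDirectory", 0x02: "WriteData / AddFile",
             0x04: "AppendData / AddSubDir", 0x08: "ReadEA", 0x10: "WriteEA",
             0x20: "Execute / Traverse"},
    "Key": {0x01: "KEY_QUERY_VALUE", 0x02: "KEY_SET_VALUE",
            0x04: "KEY_CREATE_SUB_KEY", 0x08: "KEY_ENUMERATE_SUB_KEYS",
            0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK"},
    "Process": {0x01: "PROCESS_TERMINATE", 0x02: "PROCESS_CREATE_THREAD",
                0x04: "PROCESS_SET_SESSIONID", 0x08: "PROCESS_VM_OPERATION",
                0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
                0x400: "PROCESS_QUERY_INFORMATION"},  # from the example message
    "Service": {0x01: "SERVICE_QUERY_CONFIG", 0x02: "SERVICE_CHANGE_CONFIG",
                0x04: "SERVICE_QUERY_STATUS", 0x08: "SERVICE_ENUMERATE_DEPENDENTS",
                0x10: "SERVICE_START", 0x20: "SERVICE_STOP"},
}

# Upper bits: standard rights shared by every securable object.
STANDARD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL",
                   0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
                   0x100000: "SYNCHRONIZE"}  # SYNCHRONIZE: winnt.h, not the table

PROCESS_VM_READ = 0x10

# Inferred from the example event: %%4484, %%4490 and %%4492 render as
# "Read from process memory", "Query process information" and "Bit 12",
# i.e. bits 4, 10 and 12 of the mask, so Process ids are 4480 + bit index.
PROCESS_ACCESS_LIST_BASE = 4480


def decode_access_mask(mask, object_type):
    """Return the names of the rights set in mask, lowest bit first. Bits the
    tables do not cover are rendered as the event message renders them."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    specific = TYPE_SPECIFIC.get(object_type, {})
    names = []
    for bit in range(32):
        flag = 1 << bit
        if mask & flag:
            names.append(specific.get(flag) or STANDARD_RIGHTS.get(flag)
                         or f"Undefined Access Bit {bit}")
    return names


def parse_access_list(raw):
    """Split the raw AccessList field ('%%4484\\n\\t\\t\\t\\t%%4490...') into
    the numeric resource ids it carries."""
    return [int(tok[2:]) for tok in raw.split() if tok.startswith("%%")]


def process_access_list_mask(ids):
    """Rebuild the mask from Process-type AccessList ids, so a rule keyed on
    'AccessList contains %%xxxx' can be cross-checked against AccessMask."""
    return sum(1 << (i - PROCESS_ACCESS_LIST_BASE) for i in ids)


def classify_lsass_request(event):
    """'none', 'filtered' or 'alert' for one 4656 record.
    alert    = PROCESS_VM_READ requested on lsass.exe by a user account;
    filtered = same request from a machine account (SubjectUserName ends in
               '$', the predicate in the Common Indicators table), which
               SYSTEM-context services such as WmiPrvSE.exe issue routinely."""
    data = event["event_data"]
    if data.get("ObjectType") != "Process":
        return "none"
    if not data.get("ObjectName", "").lower().endswith("\\lsass.exe"):
        return "none"
    if not int(data["AccessMask"], 16) & PROCESS_VM_READ:
        return "none"
    return "filtered" if data.get("SubjectUserName", "").endswith("$") else "alert"


# The page's example event (event_data subset).
EXAMPLE_EVENT = {"event_data": {
    "SubjectUserName": "TELEMETRY-DC-C$", "ObjectType": "Process",
    "ObjectName": "\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe",
    "AccessList": "%%4484\n\t\t\t\t%%4490\n\t\t\t\t%%4492\n\t\t\t\t",
    "AccessMask": "0x1410",
    "ProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"}}

# Constructed: a user-context process asking for 0x1010 (one of the masks the
# Elastic rule on this page lists).
USER_LSASS_EVENT = {"event_data": {
    "SubjectUserName": "alice", "ObjectType": "Process",
    "ObjectName": "\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe",
    "AccessMask": "0x1010",
    "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\unknown.exe"}}

# Constructed: a registry key opened for KEY_READ (0x20019).
KEY_EVENT = {"event_data": {
    "SubjectUserName": "alice", "ObjectType": "Key",
    "ObjectName": "\\REGISTRY\\MACHINE\\SAM", "AccessMask": "0x20019",
    "ProcessName": "C:\\Windows\\regedit.exe"}}

if __name__ == "__main__":
    for ev in (EXAMPLE_EVENT, USER_LSASS_EVENT, KEY_EVENT):
        d = ev["event_data"]
        print(d["AccessMask"], d["ObjectType"],
              decode_access_mask(d["AccessMask"], d["ObjectType"]),
              classify_lsass_request(ev))
```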
Detection Rules #
Sigma #
- SAM Registry Hive Handle Request source high: Detects handles requested to SAM registry hive
- SCM Database Handle Failure source medium: Detects non-system users failing to get a handle of the SCM database.
- Password Dumper Activity on LSASS source high: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
- Sticky key sethc file failed replacement source high: Detects scenarios where an attacker failed to replace the original sethc.exe file by cmd.exe.
- WinRM listening service reconnaissance (WS-Management) source medium: Detects scenarios where an attacker enumerates different remote WinRM listeners for lateral movement purposes.
- CVE-2023-23397 Exploitation Attempt source critical: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation. ↳ also matches Event ID 4663: An attempt was made to access an object.
Elastic #
- LSASS Memory Dump Handle Access source medium: Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.
Splunk #
- Executable File Written to Disk (Windows Event Log) source: Detects when a potentially malicious file is written to the disk
- File Written to Startup Folder - Windows (Windows Event Log) source: Adversaries may achieve persistence by adding a program to a startup folder. Adding an entry to the startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of…
- Impacket atexec.py Temp File Creation (Windows Event Log) source: Impacket's atexec.py is a tool designed for executing commands on a target system via the Windows Task Scheduler to run arbitrary commands with the privileges of the account under which the scheduler is running, often providing a method…
- LSASS Handle request (Windows Event Log) source: Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). This use case looks for lsass handle calls, without requiring process execution events as an…
- Suspicious File written to Disk (Windows Event Log) source: Adversaries may transfer tools or other files from an external system into a compromised environment. As seen with Solorigate when backdoor activates, the executing process (usually SolarWinds.BusinessLayerHost.exe) creates two files on…
YARA-L #
- MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report source: Detects port forwarding being enabled using netsh command and registry settings created or modified in support of portproxy v4tov4. ↳ also matches Event ID 4657: A registry value was modified., Event ID 4688: A new process has been created.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4656
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4656_v1.yml
- MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format
- MS Learn KEY_* registry rights (winreg.h) https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights
- MS Learn PROCESS_* access rights https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
Event ID 4657: A registry value was modified.
#Description
This event generates when a registry key value is modified. It doesn't generate when a registry key itself is modified. This event generates only if "Set Value" auditing is set in the registry key's SACL.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid SID | SID of account that requested the "modify registry value" operation. | |
SubjectUserName UnicodeString | The name of the account that requested the "modify registry value" operation. | |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | |
ObjectName UnicodeString | Full path and name of the registry key whose value was modified. | 10 |
ObjectValueName UnicodeString | The name of the modified registry key value. | 8 |
HandleId Pointer | Hexadecimal value of a handle to Object Name. | |
OperationType UnicodeString | The type of operation performed on the registry key value. | 1 |
OldValueType UnicodeString | Old type of the changed registry key value. | |
OldValue UnicodeString | Old value of the changed registry key value. | |
NewValueType UnicodeString | New type of the changed registry key value. | |
NewValue UnicodeString | New value of the changed registry key value. | 3 |
ProcessId Pointer | Hexadecimal Process ID of the process through which the registry key value was modified. | |
ProcessName UnicodeString | Full path and the name of the executable for the process. | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4657,
"version": 0,
"level": 0,
"task": 12801,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:18:10.0945751+00:00",
"event_record_id": 2171847,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 7324
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "cell-a",
"SubjectLogonId": "0x333bffe",
"ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\WMI\\Autologger\\EventLog-System\\{d1bc9aff-2abf-4d71-9146-ecb2a986eb85}",
"ObjectValueName": "MatchAnyKeyword",
"HandleId": "0xb90",
"OperationType": "%%1905",
"OldValueType": "%%1883",
"OldValue": "0x5200000000000000",
"NewValueType": "%%1883",
"NewValue": "0x5A00000000000000",
"ProcessId": "0x66c",
"ProcessName": "C:\\Windows\\System32\\svchost.exe"
},
"message": "A registry value was modified.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x333BFFE\r\n\r\nObject:\r\n\tObject Name:\t\t\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\WMI\\Autologger\\EventLog-System\\{d1bc9aff-2abf-4d71-9146-ecb2a986eb85}\r\n\tObject Value Name:\tMatchAnyKeyword\r\n\tHandle ID:\t\t0xb90\r\n\tOperation Type:\t\tExisting registry value modified\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x66c\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nChange Information:\r\n\tOld Value Type:\t\tREG_QWORD\r\n\tOld Value:\t\t0x5200000000000000\r\n\tNew Value Type:\t\tREG_QWORD\r\n\tNew Value:\t\t0x5A00000000000000"
}
Detection Patterns #
Event Log
Defense Impairment: Modify Registry
Privilege Escalation: Bypass User Account Control
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
EventType | in | RegistryKeyCreated | 5 rules | kusto |
EventType | in | RegistryValueSet | 5 rules | kusto |
Details | eq | DWORD (0x00000001) | 4 rules | chronicle, sigma |
EventType | eq | RegistryValueSet | 4 rules | kusto |
Details | eq | DWORD (0x00000000) | 2 rules | chronicle, sigma |
Details | eq | 0 | 2 rules | elastic, sigma, splunk |
ParentImage | ends_with | cmd.exe | 2 rules | kusto |
ParentImage | ends_with | powershell.exe | 2 rules | kusto |
ParentImage | ends_with | powershell_ise.exe | 2 rules | kusto |
TargetObject | contains | \\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run | 2 rules | chronicle |
TargetObject | contains | \\software\\microsoft\\windows\\currentversion\\run | 2 rules | chronicle |
TargetObject | contains | \\software\\wow6432node\\microsoft\\windows\\currentversion\\run | 2 rules | chronicle |
signature_id | contains | 4657 | 2 rules | splunk |
Details | eq | DWORD (0x00000002) | 1 rule | chronicle, kusto, sigma |
Details | contains | powershell | 1 rule | chronicle, sigma |
Community Notes #
Requires AuditRegistry/SetValue SACL.
Detection Rules #
Sigma #
- ETW Logging Disabled In .NET Processes - Registry source high: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
- NetNTLM Downgrade Attack source high: Detects NetNTLM downgrade attack
- Windows Defender Exclusion List Modified source medium: Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
Splunk #
- Executable Running as NT AUTHORITY_SYSTEM Registered in BAM (Windows Event Log) source: Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating…
- Modify Registry Key (Windows Event Log) source: Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution
- Suspicious Registry Key Created (Windows Event Log) source: Adversaries may achieve persistence by adding a program or referencing it with a Registry run key or by utilizing content triggered by Image File Execution Options (IFEO) debugger keys. Run keys may exist under multiple hives and IFEOs can…
Kusto #
- COM Registry Key Modified to Point to File in Color Profile Folder source medium: This query looks for changes to COM registry keys to point to files in C:\Windows\System32\spool\drivers\color. This can be used to enable COM hijacking for persistence. Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
- Scheduled Task Hide source high: This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler. The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree registry hive as well as audit policy for registry auditing to be turned on. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/
- Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint) source: ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers.
Installation from an ISO file doesn't require a network connection most of the time. Activities deviating from these situations can be considered as highly suspicious. The queries below detect opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image.
All detections can be used separately or combined together to generate a higher fidelity alert. Detect opening of a mounted image: ↳ also matches Event ID 4663: An attempt was made to access an object.
YARA-L #
- Blackbyte Ransomware Registry source: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
- CurrentControlSet Autorun Keys Modification source: Detects modification of autostart extensibility point (ASEP) in registry
- CurrentVersion Autorun Keys Modification source: Detects modification of autostart extensibility point (ASEP) in registry
- Default RDP Port Changed to Non Standard Port source: Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
- Disable Internal Tools or Feature in Registry source: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
- Modify User Shell Folders Startup Value source: Detect modification of the startup key to a path where a payload could be stored to be launched during startup
- New RUN Key Pointing to Suspicious Folder source: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
- MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report source: Detects port forwarding being enabled using netsh command and registry settings created or modified in support of portproxy v4tov4. ↳ also matches Event ID 4656: A handle to an object was requested., Event ID 4688: A new process has been created.
- Potential Credential Dumping Via LSASS SilentProcessExit Technique source: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
- RDP Sensitive Settings Changed source: Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
- RDP Sensitive Settings Changed to Zero source: Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
- RestrictedAdminMode Registry Value Tampering source: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
- Session Manager Autorun Keys Modification source: Detects modification of autostart extensibility point (ASEP) in registry
- Suspicious Powershell In Registry Run Keys source: Detects potential PowerShell commands or code within registry run keys
- Wdigest Enable UseLogonCredential source: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4657
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4657
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4657.yml
Event ID 4658: The handle to an object was closed.
#Description
This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid | SID of the account that closed the object handle. |
SubjectUserName | Name of the account that closed the object handle. |
SubjectDomainName | Subject's domain or computer name. |
SubjectLogonId | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
ObjectServer | Has "Security" value for this event. |
HandleId | Hexadecimal handle to the object. Correlates with Event ID 4663. |
ProcessId | Hexadecimal Process ID of the process that closed the handle. |
ProcessName | Full path and the name of the executable for the process. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4658,
"version": 0,
"level": 0,
"task": 12802,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:08:53.1097418+00:00",
"event_record_id": 3213667,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 4672
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-C$",
"SubjectDomainName": "cell-c",
"SubjectLogonId": "0x3e7",
"ObjectServer": "Security",
"HandleId": "0x1150",
"ProcessId": "0x1584",
"ProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
},
"message": "The handle to an object was closed.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tHandle ID:\t\t0x1150\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1584\r\n\tProcess Name:\t\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
}
Detection Patterns #
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4658
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4658
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4658.yml
Event ID 4659: A handle to an object was requested with intent to delete.
#Description
A handle to an object was requested with intent to delete.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account to which special privileges were assigned. |
SubjectUserName UnicodeString | The name of the account to which special privileges were assigned. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
ObjectServer UnicodeString | Contains the name of the Windows subsystem calling the routine. |
ObjectType UnicodeString | The type of an object that was accessed during the operation. |
ObjectName UnicodeString | The name of the object that was accessed during the operation. |
HandleId Pointer | Hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID. |
TransactionId GUID | Unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID. |
AccessList UnicodeString | [Access Request Information] Accesses. |
AccessMask HexInt32 | The desired access mask. This mask depends on Object Server and Object Type parameters values. The value of this parameter is in decimal format. There is no detailed information about this parameter in this document. If Desired Access is not presented, then this parameter will have “0” value. Access mask reference |
PrivilegeList UnicodeString | [Access Request Information] Privileges Used for Access Check. Privilege constants reference |
ProcessId Pointer | [Process Information] Process ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4659,
"version": 0,
"level": 0,
"task": 12800,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T13:41:33.7880533+00:00",
"event_record_id": 1217672,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 452
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-20",
"SubjectUserName": "TELEMETRY-DC-D$",
"SubjectDomainName": "cell-d",
"SubjectLogonId": "0x3e4",
"ObjectServer": "Security",
"ObjectType": "File",
"ObjectName": "C:\\Windows\\System32\\dhcp\\tmp.edb",
"HandleId": "0x0",
"TransactionId": "{00000000-0000-0000-0000-000000000000}",
"AccessList": "-",
"AccessMask": "0x0",
"PrivilegeList": "-",
"ProcessId": "0xd80"
},
"message": "A handle to an object was requested with intent to delete.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-20\r\n\tAccount Name:\t\tTELEMETRY-DC-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x3E4\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tObject Type:\tFile\r\n\tObject Name:\tC:\\Windows\\System32\\dhcp\\tmp.edb\r\n\tHandle ID:\t0x0\r\n\r\nProcess Information:\r\n\tProcess ID:\t0xd80\r\n\r\nAccess Request Information:\r\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}\r\n\tAccesses:\t-\r\n\tAccess Mask:\t0x0\r\n\tPrivileges Used for Access Check:\t-"
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4659
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4659
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4659.yml
- MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format
- MS Learn KEY_* registry rights (winreg.h) https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights
Event ID 4660: An object was deleted.
#Description
This event generates when an object was deleted. The object could be a file system, kernel, or registry object.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid | SID of the account that requested object deletion. |
SubjectUserName | Name of the account that requested object deletion. |
SubjectDomainName | Subject's domain or computer name. |
SubjectLogonId | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
ObjectServer | Has "Security" value for this event. |
HandleId | Hexadecimal handle to the object. Correlates with Event ID 4663. |
ProcessId | Hexadecimal Process ID of the process that deleted the object. |
ProcessName | Full path and the name of the executable for the process. |
TransactionId | GUID of the transaction. Correlates with Event ID 4656. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4660,
"version": 0,
"level": 0,
"task": 12801,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T05:51:26.7923275+00:00",
"event_record_id": 1904870,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 2564
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-A$",
"SubjectDomainName": "cell-a",
"SubjectLogonId": "0x3e7",
"ObjectServer": "Security",
"HandleId": "0x1e8",
"ProcessId": "0x1f9c",
"ProcessName": "C:\\Windows\\System32\\wevtutil.exe",
"TransactionId": "{00000000-0000-0000-0000-000000000000}"
},
"message": "An object was deleted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tHandle ID:\t0x1e8\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x1f9c\r\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\r\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}"
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
EventType | in | RegistryKeyCreated | 5 rules | kusto |
EventType | in | RegistryValueSet | 5 rules | kusto |
ParentImage | ends_with | cmd.exe | 1 rule | kusto |
ParentImage | ends_with | powershell.exe | 1 rule | kusto |
ParentImage | ends_with | powershell_ise.exe | 1 rule | kusto |
Community Notes #
Could be a filesystem, kernel, or registry object. Does not track names, but is generated only during real deletes (pair with 4663).
Detection Rules #
Kusto #
- Potential Fodhelper UAC Bypass (ASIM Version) source medium: This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required. ↳ also matches Event ID 4657: A registry value was modified., Event ID 4663: An attempt was made to access an object.
- Detect Print Processors Registry Driver Key Creation/Modification source medium: This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary. ↳ also matches Event ID 4657: A registry value was modified., Event ID 4663: An attempt was made to access an object.
- Detect Registry Run Key Creation/Modification source medium: This analytic rule detects any registry value or key creation in the registry run keys. This could be an indication of a persistence attempt by an adversary. ↳ also matches Event ID 4657: A registry value was modified., Event ID 4663: An attempt was made to access an object.
- Detect Windows Allow Firewall Rule Addition/Modification source medium: This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host. ↳ also matches Event ID 4657: A registry value was modified., Event ID 4663: An attempt was made to access an object.
- Detect Windows Update Disabled from Registry source medium: This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host. ↳ also matches Event ID 4657: A registry value was modified., Event ID 4663: An attempt was made to access an object.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4660
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4660
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4660.yml
Event ID 4661: A handle to an object was requested.
#Description
This event indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object. If access was declined, a Failure event is generated. This event is generated only if Success auditing is enabled for the Audit Handle Manipulation subcategory.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
| SubjectUserSid | SID of the account that requested a handle to an object. | 1 |
| SubjectUserName | The name of the account that requested a handle to an object. | 5 |
| SubjectDomainName | Subject's domain or computer name. | |
| SubjectLogonId | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
| ObjectServer | Has "Security Account Manager" value for this event. | 6 |
| ObjectType | The type or class of the object that was accessed. | 11 |
| ObjectName | The name of the object for which access was requested. | 24 |
| HandleId | Hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "4662: An operation was performed on an object." This parameter might not be captured in the event, and in that case appears as "0x0". | |
| TransactionId | Unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as "4660(S): An object was deleted." | |
| AccessList | The list of access rights that were requested by Subject\Security ID. These access rights depend on Object Type. | 5 |
| AccessReason | Reason for each granted or denied access, when audited; "-" when not captured. | |
| AccessMask | Hexadecimal mask for the operation that was requested or performed (bitmask; see the ACCESS_MASK format reference below). | 1 |
| PrivilegeList | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". | |
| Properties UnicodeString | Depends on Object Type. This field can be empty or contain the list of the object properties that were accessed. See more detailed information in "4661: A handle to an object was requested" from the Audit SAM subcategory. | 10 |
| RestrictedSidCount | Number of restricted SIDs in the token. Applicable to only specific Object Types. | |
| ProcessId | Hexadecimal Process ID of the process that requested the handle. Process ID (PID) is a number used by the operating system to uniquely identify an active process. | |
| ProcessName | Full path and the name of the executable for the process. | 5 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4661,
"version": 1,
"level": 0,
"task": 12803,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T10:41:36.4583208+00:00",
"event_record_id": 2050112,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 5376
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-A$",
"SubjectDomainName": "cell-a",
"SubjectLogonId": "0x3e7",
"ObjectServer": "Security Account Manager",
"ObjectType": "SAM_DOMAIN",
"ObjectName": "DC=cell-a,DC=ludus,DC=domain",
"HandleId": "0x2cb76f9d840",
"TransactionId": "{00000000-0000-0000-0000-000000000000}",
"AccessList": "%%1537\n\t\t\t\t%%1538\n\t\t\t\t%%1539\n\t\t\t\t%%1540\n\t\t\t\t%%5392\n\t\t\t\t%%5394\n\t\t\t\t%%5395\n\t\t\t\t%%5396\n\t\t\t\t%%5397\n\t\t\t\t%%5398\n\t\t\t\t%%5399\n\t\t\t\t%%5400\n\t\t\t\t",
"AccessReason": "-",
"AccessMask": "0xf01fd",
"PrivilegeList": "-",
"Properties": "---\n\t{19195a5a-6da0-11d0-afd3-00c04fd930c9}\n%%1537\n%%1538\n%%1539\n%%1540\n%%5392\n%%5394\n%%5395\n%%5396\n%%5397\n%%5398\n%%5399\n%%5400\n\t\t{c7407360-20bf-11d0-a768-00aa006e0529}\n\t\t\t{bf9679a4-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf9679a5-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf9679a6-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf9679bb-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf9679c2-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf9679c3-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf967a09-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf967a0b-0de6-11d0-a285-00aa003049e2}\n\t\t{b8119fd0-04f6-4762-ab7a-4986c76b3f9a}\n\t\t\t{bf967a34-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf967a33-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf9679c5-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf967a61-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf967977-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf96795e-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf9679ea-0de6-11d0-a285-00aa003049e2}\n\t\t{ab721a52-1e2f-11d0-9819-00aa0040529b}\n",
"RestrictedSidCount": "0",
"ProcessId": "0x32c",
"ProcessName": "C:\\Windows\\System32\\lsass.exe"
},
"message": "A handle to an object was requested.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\tSecurity Account Manager\r\n\tObject Type:\tSAM_DOMAIN\r\n\tObject Name:\tDC=cell-a,DC=ludus,DC=domain\r\n\tHandle ID:\t0x2cb76f9d840\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x32c\r\n\tProcess Name:\tC:\\Windows\\System32\\lsass.exe\r\n\r\nAccess Request Information:\r\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}\r\n\tAccesses:\tDELETE\r\n\t\t\t\tREAD_CONTROL\r\n\t\t\t\tWRITE_DAC\r\n\t\t\t\tWRITE_OWNER\r\n\t\t\t\tReadPasswordParameters\r\n\t\t\t\tReadOtherParameters\r\n\t\t\t\tWriteOtherParameters\r\n\t\t\t\tCreateUser\r\n\t\t\t\tCreateGlobalGroup\r\n\t\t\t\tCreateLocalGroup\r\n\t\t\t\tGetLocalGroupMembership\r\n\t\t\t\tListAccounts\r\n\t\t\t\t\r\n\tAccess Reasons:\t\t-\r\n\tAccess Mask:\t0xF01FD\r\n\tPrivileges Used for Access Check:\t-\r\n\tProperties:\t---\r\n\t{19195a5a-6da0-11d0-afd3-00c04fd930c9}\r\nDELETE\r\nREAD_CONTROL\r\nWRITE_DAC\r\nWRITE_OWNER\r\nReadPasswordParameters\r\nReadOtherParameters\r\nWriteOtherParameters\r\nCreateUser\r\nCreateGlobalGroup\r\nCreateLocalGroup\r\nGetLocalGroupMembership\r\nListAccounts\r\n\t\t{c7407360-20bf-11d0-a768-00aa006e0529}\r\n\t\t\t{bf9679a4-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679a5-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679a6-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679bb-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679c2-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679c3-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a09-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a0b-0de6-11d0-a285-00aa003049e2}\r\n\t\t{b8119fd0-04f6-4762-ab7a-4986c76b3f9a}\r\n\t\t\t{bf967a34-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a33-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679c5-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a61-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967977-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf96795e-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679ea-0de6-11d0-a285-00aa003049e2}\r\n\t\t{ab721a52-1e2f-11d0-9819-00aa0040529b}\r\n\r\n\tRestricted SID Count:\t0"
}
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| ObjectServer | eq | Security Account Manager | 6 rules | sigma |
| SubjectUserName | ends_with | $ | 5 rules | sigma |
| process_name | ends_with | \lsass.exe | 5 rules | sigma |
| ObjectName | starts_with | S-1-5-21- | 4 rules | sigma |
| ObjectType | eq | SAM_USER | 4 rules | sigma |
| ObjectName | ends_with | -500 | 3 rules | sigma |
| ObjectName | ends_with | -512 | 3 rules | sigma |
| ObjectType | eq | SAM_GROUP | 3 rules | sigma |
| ObjectType | eq | SAM_DOMAIN | 2 rules | sigma |
| AccessList | contains | %%5392 | 2 rules | sigma |
| AccessList | contains | %%5447 | 2 rules | sigma |
| ObjectName | starts_with | DC= | 2 rules | sigma |
| ObjectName | starts_with | S-1-5-32- | 2 rules | sigma |
| SubjectUserSid | eq | S-1-5-18 | 1 rule | elastic, sigma, splunk |
| Authentication_Package | eq | NTLM | 1 rule | splunk |
Community Notes #
May indicate BloodHound-style LDAP reads.
This event covers SAM object handle requests. The default bitmask shown uses SAM_DOMAIN rights (the most commonly audited SAM object type). Bits 0x01–0x0400 vary by SAM object subtype:
| Bit | SAM_SERVER | SAM_DOMAIN | SAM_GROUP | SAM_ALIAS | SAM_USER |
|---|---|---|---|---|---|
| 0x01 | ConnectToServer | ReadPasswordParameters | ReadInformation | AddMember | ReadGeneralInformation |
| 0x02 | ShutdownServer | WritePasswordParameters | WriteAccount | RemoveMember | ReadPreferences |
| 0x04 | InitializeServer | ReadOtherParameters | AddMember | ListMembers | WritePreferences |
| 0x08 | CreateDomain | WriteOtherParameters | RemoveMember | ReadInformation | ReadLogon |
| 0x10 | EnumerateDomains | CreateUser | ListMembers | WriteAccount | ReadAccount |
| 0x20 | LookupDomain | CreateGlobalGroup | — | — | WriteAccount |
Standard rights are shared: DELETE (0x10000), READ_CONTROL (0x20000), WRITE_DAC (0x40000), WRITE_OWNER (0x80000).
Detection Rules #
Sigma #
- AD Privileged Users or Groups Reconnaissance source high: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
- Password Policy Enumerated source medium: Detects when the password policy is enumerated.
- Reconnaissance Activity source high: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
- Potential SAM database user credentials dumped with DCshadow source high: Detects scenarios where an attacker would dump user passwords using the DCshadow attack.
- SAM database user credentials dump with Mimikatz source high: Detects scenarios where an attacker dumps the LSASS memory content using Mimikatz (sekurlsa module).
- Sensitive SAM domain user & groups discovery (native) source high: Detects scenarios where an attacker attempts to enumerate sensitive domain group settings and membership.
- Local domain group enumeration source high: Detects scenarios where an attacker attempts to enumerate domain local groups with tools like CME (--local-groups).
- Domain password policy enumeration source high: Detects scenarios where an attacker attempts to enumerate the domain password policy with native commands or tools like CME (--pass-pol).
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sam
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4661
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4661.yml
- MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format
Event ID 4662: An operation was performed on an object.
#Description
This event is generated every time an operation is performed on an Active Directory object, but only when an appropriate SACL is set on that object and the operation matches it. If the operation failed, a Failure event is generated. One 4662 is logged for each operation type that was performed.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
| SubjectUserSid | SID of the account that requested the operation. | 1 |
| SubjectUserName | The name of the account that requested the operation. | 10 |
| SubjectDomainName | Subject's domain or computer name. | 1 |
| SubjectLogonId | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | |
| ObjectServer | Has "DS" value for this event. | 5 |
| ObjectType | Type or class of the object that was accessed. | 7 |
| ObjectName | Distinguished name of the object that was accessed. | 25 |
| OperationType | The type of operation that was performed on the object. Typically has "Object Access" value for this event. | 3 |
| HandleId | Hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "4661: A handle to an object was requested." This parameter might not be captured in the event, and in that case appears as "0x0". | |
| AccessList | The type of access used for the operation. | |
| AccessMask | Hexadecimal mask for the type of access used for the operation (bitmask; see the ACCESS_MASK format reference below). | 13 |
| Properties UnicodeString | First part is the type of access that was used. Typically has the same value as the Accesses field. | 13 |
| AdditionalInfo | Usually "-". | 9 |
| AdditionalInfo2 | Usually "-" or empty. | 1 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4662,
"version": 0,
"level": 0,
"task": 14080,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T13:57:43.3452684+00:00",
"event_record_id": 2879213,
"correlation": {},
"execution": {
"process_id": 816,
"thread_id": 964
},
"channel": "Security",
"computer": "telemetry-DC-b.cell-b.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-B$",
"SubjectDomainName": "cell-b",
"SubjectLogonId": "0x32e4a1",
"ObjectServer": "DS",
"ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
"ObjectName": "%{58cf85bf-775e-4cbe-91aa-4314eea73f75}",
"OperationType": "Object Access",
"HandleId": "0x0",
"AccessList": "%%7688\n\t\t\t\t",
"AccessMask": "0x100",
"Properties": "%%7688\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\n",
"AdditionalInfo": "-",
"AdditionalInfo2": ""
},
"message": "An operation was performed on an object.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-B$\r\n\tAccount Domain:\t\tcell-b\r\n\tLogon ID:\t\t0x32E4A1\r\n\r\nObject:\r\n\tObject Server:\t\tDS\r\n\tObject Type:\t\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n\tObject Name:\t\t%{58cf85bf-775e-4cbe-91aa-4314eea73f75}\r\n\tHandle ID:\t\t0x0\r\n\r\nOperation:\r\n\tOperation Type:\t\tObject Access\r\n\tAccesses:\t\tControl Access\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x100\r\n\tProperties:\t\tControl Access\r\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n\r\n\r\nAdditional Information:\r\n\tParameter 1:\t\t-\r\n\tParameter 2:\t\t"
}
Detection Patterns #
- Kerberos Coercion Via DNS
- AD Replication Request Initiated
- Credential Access: Private Keys (0 rules)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| SubjectUserName | ends_with | $ | 6 rules | sigma |
| Properties | contains | 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 | 6 rules | elastic, kusto, sigma |
| Properties | contains | 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 | 6 rules | elastic, kusto, sigma |
| Properties | contains | 89e95b76-444d-4c62-991a-0facbeda640c | 6 rules | elastic, kusto, sigma |
| AccessMask | eq | 0x100 | 5 rules | elastic, sigma, splunk |
| ObjectServer | eq | DS | 5 rules | kusto, sigma |
| SubjectUserName | starts_with | MSOL_ | 3 rules | sigma |
| SubjectUserSid | eq | S-1-5-18 | 2 rules | elastic, sigma, splunk |
| ObjectClass | eq | dnsNode | 2 rules | elastic, sigma, splunk |
| ProviderName | contains | asi | 2 rules | kusto |
| AccessMask | eq | 0x40000 | 2 rules | elastic, sigma |
| OperationType | eq | Object Access | 2 rules | kusto, sigma |
| SubjectDomainName | eq | Window Manager | 2 rules | sigma, splunk |
| ObjectType | in | %{19195a5b-6da0-11d0-afd3-00c04fd930c9} | 2 rules | splunk |
| ObjectType | in | domainDNS | 2 rules | splunk |
Community Notes #
Operation on an AD object; may indicate enumeration of domain trusts, OUs, SPNs or ACLs. Also logged when an attacker uses Mimikatz or similar to extract the DPAPI Domain Backup Key.
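The check that the replication-oriented rules above share (Properties containing one of the three DS-Replication GUIDs, AccessMask 0x100 "Control Access", ObjectServer DS, and a subject that is not a machine account), written out as an added example for this page rather than taken from any of the listed rule sets. The sample events are constructed; the first mirrors the page's 4662 example. Allowlisting directory-sync accounts by the MSOL_ prefix is an assumption borrowed from the MSOL_ indicator above, not something every environment should copy unchanged.

```python
import re

# DS control-access right GUIDs matched by the rules above in the Properties
# field of 4662; DCSync-style reads request these. Names from the AD schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit rendered as "Control Access" in 4662
# Assumption: directory-sync service accounts are allowlisted by prefix, as the
# MSOL_ indicator above suggests; replace with the accounts in your own tenant.
SYNC_ACCOUNT_PREFIXES = ("MSOL_",)

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def property_guids(properties: str) -> set:
    """All GUIDs in a Properties blob, lower-cased; braces, tabs and %%-strings are ignored."""
    return {g.lower() for g in GUID_RE.findall(properties)}


def replication_rights(event_data: dict) -> list:
    """Replication rights named in one 4662 event; [] unless it is a control-access read on DS."""
    if event_data.get("ObjectServer") != "DS":
        return []
    if not int(event_data.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS:
        return []
    present = property_guids(event_data.get("Properties", ""))
    return sorted(REPLICATION_RIGHTS[g] for g in present if g in REPLICATION_RIGHTS)


def classify(event_data: dict) -> str:
    """Return 'none', 'machine-account', 'sync-account' or 'alert' for one 4662 event."""
    if not replication_rights(event_data):
        return "none"
    subject = event_data.get("SubjectUserName", "")
    if subject.endswith("$"):
        return "machine-account"  # DC-to-DC replication: expected
    if subject.upper().startswith(SYNC_ACCOUNT_PREFIXES):
        return "sync-account"  # known directory-sync account: expected
    return "alert"  # any other principal asking for replication rights


def scan(events: list) -> list:
    """(subject, rights) for every event that classifies as an alert."""
    return [(e["SubjectUserName"], replication_rights(e))
            for e in events if classify(e) == "alert"]


# Constructed sample events (event_data only). The first mirrors the page's example.
SAMPLE_EVENTS = [
    {"SubjectUserName": "TELEMETRY-DC-B$", "ObjectServer": "DS", "AccessMask": "0x100",
     "Properties": "%%7688\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\n"},
    {"SubjectUserName": "jdoe", "ObjectServer": "DS", "AccessMask": "0x100",
     "Properties": "%%7688\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\n"},
    {"SubjectUserName": "MSOL_0123abcd", "ObjectServer": "DS", "AccessMask": "0x100",
     "Properties": "%%7688\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\n"},
    # Control access on an unrelated right (User-Force-Change-Password): not replication.
    {"SubjectUserName": "jdoe", "ObjectServer": "DS", "AccessMask": "0x100",
     "Properties": "%%7688\n\t\t{00299570-246d-11d0-a768-00aa006e0529}\n"
                   "\t{bf967aba-0de6-11d0-a285-00aa003049e2}\n"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{classify(ev):16} {ev['SubjectUserName']:16} {replication_rights(ev)}")
    print("alerts:", scan(SAMPLE_EVENTS))
```

The GUID match is done on extracted GUIDs rather than a substring search over Properties, so braces, casing and the `%%7688` resource string cannot break it; the AccessMask and ObjectServer checks keep ordinary attribute reads with the same GUID from firing.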
Detection Rules #
Sigma #
- AD Object WriteDAC Access source critical: Detects WRITE_DAC access to a domain object
- Active Directory Replication from Non Machine Account source critical: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
- Potential AD User Enumeration From Non-Machine Account source medium: Detects read access to a domain user from a non-machine account
- Mimikatz DC Sync source high: Detects Mimikatz DC sync security events
- DPAPI Domain Backup Key Extraction source high: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
- WMI Persistence - Security source medium: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
- Group Managed Service Accounts password dump - GoldenGMSA source high: Detects scenarios where an attacker attempts to dump Group Managed Services account (GMSA) passwords stored on writable domain controllers.
- Domain group enumeration source high: Detects scenarios where an attacker enumerates domain groups with tools like CME (--groups).
- Active Directory honeypot enumerated by a suspicious host (Bloodhound) source high: Detects scenarios where an attacker is attempting to discover sensitive accounts using tools like Bloodhound. To find out the source of the enumeration, correlate the SubjectLogonId from ID 4662 with TargetLogonId from ID 4624.
- Replication privileges accessed to perform DCSync attack source high: Detects scenarios where an attacker uses DCSync or the SecretDump tool to exfiltrate Active Directory credentials.
- Account accessed to attributes related to DCshadow source high: Detects scenarios where an attacker accessed attributes related to DCshadow attack in order to create a fake domain controller.
Elastic #
- First Time Seen Account Performing DCSync source high: This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.
- Potential Credential Access via DCSync source medium: This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.
- Access to a Sensitive LDAP Attribute source medium: Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
- Suspicious Access to LDAP Attributes source low: Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.
- WRITEDAC Access on Active Directory Object source low: Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence.
Splunk #
- Windows AD Abnormal Object Access Activity source: The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns,…
- Windows AD Privileged Object Access Activity source: The following analytic detects access attempts to privileged Active Directory objects, such as Domain Admins or Enterprise Admins. It leverages Windows Security Event Code 4662 to identify when these sensitive objects are accessed. This…
- Excessive DRSGetNCChanges Requests (Windows Event Log) source: Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API) to simulate the replication process from a remote domain controller using a…
- Potential DCSync (Windows Event Log) source: Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API) to simulate the replication process from a remote domain controller using a…
Kusto #
- ADFS DKM Master Key Export source medium: Identifies an export of the ADFS DKM Master Key from Active Directory. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://cloud.google.com/blog/topics/threat-intelligence/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor To understand further the details behind this detection, please review the details in the original PR and subsequent PR update to this: https://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469 https://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339
- Large number of AD objects accessed by user source: This query detects a user accessing a large number of Group and User objects from Active Directory which is outside the baseline of normal behavior for that particular user.
- Shadow Credentials Added to Account (Alternative) source: This query searches for modifications to the 'msDS-KeyCredentialLink' property in Active Directory. There are two different events which contain information to detect such changes: 5136 and 4662. This detection uses the 4662, which is an alternative if 5136 is not available.
YARA-L #
- ADFS DKM Key Access source: Detects access to the AD contact object to read the AD FS DKM (distributed key manager) master key value ↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-access
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4662
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4662.yml
- MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format
Event ID 4663: An attempt was made to access an object.
#Description
This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
| SubjectUserSid SID | SID of the account that accessed the object. | |
| SubjectUserName UnicodeString | Name of the account that accessed the object. | |
| SubjectDomainName UnicodeString | Subject's domain or computer name. | |
| SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | |
| ObjectServer UnicodeString | Has "Security" value for this event. | 1 |
| ObjectType UnicodeString | Type of the object that was accessed. | 5 |
| ObjectName UnicodeString | Name and identifying information for the object. For files, includes the full path. | 33 |
| HandleId Pointer | Hexadecimal handle to the object. Correlates with Event ID 4656. | |
| AccessList UnicodeString | Access rights used. | 5 |
| AccessMask HexInt32 | Hexadecimal access mask for the requested operation (bitmask; see the ACCESS_MASK format reference). | 9 |
| ProcessId Pointer | Hexadecimal Process ID of the process that accessed the object. | |
| ProcessName UnicodeString | Full path and the name of the executable for the process. | 63 |
| ResourceAttributes UnicodeString | Attributes associated with the object. "-" when not applicable. | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4663,
"version": 1,
"level": 0,
"task": 12802,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:08:53.1096939+00:00",
"event_record_id": 3213666,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 4672
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-C$",
"SubjectDomainName": "cell-c",
"SubjectLogonId": "0x3e7",
"ObjectServer": "Security",
"ObjectType": "Process",
"ObjectName": "\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe",
"HandleId": "0x1150",
"AccessList": "%%4484\n\t\t\t\t",
"AccessMask": "0x10",
"ProcessId": "0x1584",
"ProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"ResourceAttributes": "-"
},
"message": "An attempt was made to access an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tProcess\r\n\tObject Name:\t\t\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe\r\n\tHandle ID:\t\t0x1150\r\n\tResource Attributes:\t-\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1584\r\n\tProcess Name:\t\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tRead from process memory\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x10"
}
Detection Patterns #
- 18 rules (Sigma, Splunk)
- Credential Access: LSASS Memory (9 rules; Sigma)
- Sunburst And Supernova Backdoor
- Defense Impairment: Modify Registry (1 rule)
- Collection: Audio Capture
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| ObjectType | eq | File | 5 rules | sigma, splunk |
| ObjectType | eq | Key | 5 rules | kusto, sigma |
| EventType | in | RegistryKeyCreated | 5 rules | kusto |
| EventType | in | RegistryValueSet | 5 rules | kusto |
| EventType | eq | FileCreated | 4 rules | kusto |
| ObjectName | ends_with | \lsass.exe | 4 rules | sigma |
| SubjectUserName | ends_with | $ | 3 rules | sigma |
| ObjectServer | eq | Security | 3 rules | sigma |
| ObjectType | eq | Process | 3 rules | elastic, sigma |
| AccessMask | eq | 0x6 | 3 rules | kusto, sigma |
| EventType | eq | ProcessCreated | 2 rules | kusto |
| IsActive | eq | true | 2 rules | kusto |
| ObservableValue | is_not_null | | 2 rules | kusto |
| signature_id | contains | 4656 | 2 rules | splunk |
| AccessList | eq | %%4416 | 2 rules | splunk |
Community Notes #
An attempt was made to access an object. May catch mass permission changes or tampering. Also catches renaming, and may be noisy (pair with 4660).
The AccessMask shown assumes File access rights (the most common context). The actual meaning of bits 0x01–0x80 depends on the ObjectType at runtime. Common alternatives:
| Bit | File | Registry | Process | Service |
|---|---|---|---|---|
| 0x01 | ReadData / ListDirectory | KEY_QUERY_VALUE | PROCESS_TERMINATE | SERVICE_QUERY_CONFIG |
| 0x02 | WriteData / AddFile | KEY_SET_VALUE | PROCESS_CREATE_THREAD | SERVICE_CHANGE_CONFIG |
| 0x04 | AppendData / AddSubDir | KEY_CREATE_SUB_KEY | PROCESS_SET_SESSIONID | SERVICE_QUERY_STATUS |
| 0x08 | ReadEA | KEY_ENUMERATE_SUB_KEYS | PROCESS_VM_OPERATION | SERVICE_ENUMERATE_DEPENDENTS |
| 0x10 | WriteEA | KEY_NOTIFY | PROCESS_VM_READ | SERVICE_START |
| 0x20 | Execute / Traverse | KEY_CREATE_LINK | PROCESS_VM_WRITE | SERVICE_STOP |
Standard rights are shared across all types: DELETE (0x10000), READ_CONTROL (0x20000), WRITE_DAC (0x40000), WRITE_OWNER (0x80000).
Binary Defense post "Windows Defender ACL Blocking: A Silent Technique With Serious Impact": attackers can modify DACLs on the Windows Defender directory to block the antimalware service from reading its own binaries, silently disabling protection without triggering tamper alerts. Look for WRITE_DAC (0x40000) access to Defender paths paired with 4670 ACL changes.
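A decoder for the two bitmask tables on this page (the SAM object types under 4661 and the File, Registry, Process and Service columns under 4663), added here as an example rather than taken from any vendor rule set. The SAM_DOMAIN rows for 0x40 to 0x100 are filled in from the decoded Accesses list in the page's 4661 example message; SYNCHRONIZE and the generic and special bits are taken from the ACCESS_MASK format reference linked under each event. Any bit not covered by the tables is reported as unknown rather than silently dropped, which is the case that matters when an ObjectType the tables do not list shows up.

```python
# Standard, special and generic rights, shared by every object type (upper bits).
# DELETE..WRITE_OWNER are the four the notes above list; the rest follow the
# ACCESS_MASK format reference.
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

# Object-specific low bits, keyed by the ObjectType string carried in the event.
SPECIFIC_RIGHTS = {
    "SAM_SERVER": {0x01: "ConnectToServer", 0x02: "ShutdownServer", 0x04: "InitializeServer",
                   0x08: "CreateDomain", 0x10: "EnumerateDomains", 0x20: "LookupDomain"},
    # 0x40-0x100 taken from the Accesses list in the page's 4661 example message
    "SAM_DOMAIN": {0x01: "ReadPasswordParameters", 0x02: "WritePasswordParameters",
                   0x04: "ReadOtherParameters", 0x08: "WriteOtherParameters",
                   0x10: "CreateUser", 0x20: "CreateGlobalGroup", 0x40: "CreateLocalGroup",
                   0x80: "GetLocalGroupMembership", 0x100: "ListAccounts"},
    "SAM_GROUP": {0x01: "ReadInformation", 0x02: "WriteAccount", 0x04: "AddMember",
                  0x08: "RemoveMember", 0x10: "ListMembers"},
    "SAM_ALIAS": {0x01: "AddMember", 0x02: "RemoveMember", 0x04: "ListMembers",
                  0x08: "ReadInformation", 0x10: "WriteAccount"},
    "SAM_USER": {0x01: "ReadGeneralInformation", 0x02: "ReadPreferences",
                 0x04: "WritePreferences", 0x08: "ReadLogon", 0x10: "ReadAccount",
                 0x20: "WriteAccount"},
    "File": {0x01: "ReadData/ListDirectory", 0x02: "WriteData/AddFile",
             0x04: "AppendData/AddSubdirectory", 0x08: "ReadEA", 0x10: "WriteEA",
             0x20: "Execute/Traverse"},
    "Key": {0x01: "KEY_QUERY_VALUE", 0x02: "KEY_SET_VALUE", 0x04: "KEY_CREATE_SUB_KEY",
            0x08: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK"},
    "Process": {0x01: "PROCESS_TERMINATE", 0x02: "PROCESS_CREATE_THREAD",
                0x04: "PROCESS_SET_SESSIONID", 0x08: "PROCESS_VM_OPERATION",
                0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE"},
    "Service": {0x01: "SERVICE_QUERY_CONFIG", 0x02: "SERVICE_CHANGE_CONFIG",
                0x04: "SERVICE_QUERY_STATUS", 0x08: "SERVICE_ENUMERATE_DEPENDENTS",
                0x10: "SERVICE_START", 0x20: "SERVICE_STOP"},
}


def decode_access_mask(mask, object_type: str) -> list:
    """Name every set bit of an access mask; bits the tables do not cover are reported as unknown."""
    if isinstance(mask, str):
        mask = int(mask, 16)  # event_data carries the mask as "0x..." text
    names, remaining = [], mask
    # Standard rights first, then type-specific bits: the order the rendered message uses.
    for table in (STANDARD_RIGHTS, SPECIFIC_RIGHTS.get(object_type, {})):
        for bit, name in sorted(table.items()):
            if mask & bit:
                names.append(name)
                remaining &= ~bit
    if remaining:
        # Either an ObjectType missing from the tables or a right beyond the rows shown.
        names.append(f"UNKNOWN(0x{remaining:x})")
    return names


def decode_event(event_data: dict) -> list:
    """Decode the AccessMask of a 4661/4663 event_data dict against its ObjectType."""
    return decode_access_mask(event_data["AccessMask"], event_data["ObjectType"])


if __name__ == "__main__":
    # The two example events from this page, reduced to the fields the decoder needs.
    for ev in ({"ObjectType": "SAM_DOMAIN", "AccessMask": "0xf01fd"},
               {"ObjectType": "Process", "AccessMask": "0x10"}):
        print(ev["ObjectType"], ev["AccessMask"], "->", ", ".join(decode_event(ev)))
```

Run against the page's 4661 example (0xf01fd on SAM_DOMAIN) the decoder reproduces the twelve names in that event's rendered Accesses list, and on the 4663 example (0x10 on Process) it yields PROCESS_VM_READ, the "Read from process memory" access the message shows.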
Detection Rules #
Sigma #
- ISO Image Mounted source medium: Detects the mount of an ISO image on an endpoint
- Service Registry Key Read Access Request source low: Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
- File Access Of Signal Desktop Sensitive Data source medium: Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json. The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data. Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials. Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
- Suspicious Teams Application Related ObjectAcess Event source high: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
- Task Manager used for LSASS dump (kernel) source high: Detects scenarios where an attacker attempts to dump the LSASS process via the Task Manager.
- CVE-2023-23397 Exploitation Attempt source critical: Detects Outlook initiating a connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.↳ also matches Event ID 4656: A handle to an object was requested.
- CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security source critical: This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
- ScreenConnect User Database Modification - Security source medium: This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
- Access To Browser Credential Files By Uncommon Applications - Security source low: Detects file access requests to browser credential stores by uncommon processes. Could indicate a potential credential-stealing attempt. This rule requires heavy baselining before usage.
Splunk #
- ConnectWise ScreenConnect Path Traversal Windows SACL source: The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability using Windows SACL EventCode 4663. It identifies path traversal attacks by monitoring file system events related to the…
- Non Chrome Process Accessing Chrome Default Dir source: The following analytic detects a non-Chrome process accessing files in the Chrome user default folder. It leverages Windows Security Event logs, specifically event code 4663, to identify unauthorized access attempts. This activity is…
- Non Firefox Process Access Firefox Profile Dir source: The following analytic detects non-Firefox processes accessing the Firefox profile directory, which contains sensitive user data such as login credentials, browsing history, and cookies. It leverages Windows Security Event logs,…
- SAM Database File Access Attempt source: The following analytic detects attempts to access the SAM, SYSTEM, or SECURITY database files within the windows\system32\config directory using Windows Security EventCode 4663. This detection leverages Windows Security Event logs to…
- Windows Credential Access From Browser Password Store source: The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive…
- Windows Credentials from Password Stores Chrome Extension Access source: The following analytic detects non-Chrome processes attempting to access the Chrome extensions file. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because…
- Windows Credentials from Password Stores Chrome LocalState Access source: The following analytic detects non-Chrome processes accessing the Chrome "Local State" file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this…
- Windows Credentials from Password Stores Chrome Login Data Access source: The following analytic identifies non-Chrome processes accessing the Chrome user data file "login data." This file is an SQLite database containing sensitive information, including saved passwords. The detection leverages Windows Security…
- Windows GrimResource - MMC Process Accessing APDS DLL source: GrimResource is a code execution technique discovered by Elastic Security in 2024 that abuses a stored XSS vulnerability in apds.dll to achieve arbitrary code execution inside mmc.exe, a signed, trusted Windows binary. The attack is…
- Windows Hosts File Access source: This Analytic detects the execution of a process attempting to access the hosts file. The hosts file is a critical file for network configuration and DNS resolution. If an attacker gains access to it, they can redirect traffic to malicious…
- Windows Increase in Group or Object Modification Activity source: This analytic detects an increase in modifications to AD groups or objects. Frequent changes to AD groups or objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing…↳ also matches Event ID 4670: Permissions on an object were changed., Event ID 4727: A security-enabled global group was created., Event ID 4731: A security-enabled local group was created., Event ID 4734: A security-enabled local group was deleted., Event ID 4735: A security-enabled local group was changed., Event ID 4764: A group's type was changed.
- Windows Non Discord App Access Discord LevelDB source: The following analytic detects non-Discord applications accessing the Discord LevelDB database. It leverages Windows Security Event logs, specifically event code 4663, to identify file access attempts to the LevelDB directory by processes…
- Windows Process Accessing Windows Recall Directory source: This detection triggers on a process accessing the Windows Recall directory. Recall is a feature Microsoft released that takes screenshots every 5 seconds or so to provide context to its AI features. The initial release of Recall was…
- Windows Product Key Registry Query source: This Analytic detects the execution of a process attempting to access the registry for product key recovery purposes. This behavior could be significant as it might indicate potential malware activity or attempts to bypass security…
- Windows Query Registry Browser List Application source: The following analytic detects a suspicious process accessing the registry entries for default internet browsers. It leverages Windows Security Event logs, specifically event code 4663, to identify access attempts to these registry paths.…
- Windows Query Registry UnInstall Program List source: The following analytic detects an access request on the uninstall registry key. It leverages Windows Security Event logs, specifically event code 4663. This activity is significant because adversaries or malware can exploit this key to…
- Windows Unsecured Outlook Credentials Access In Registry source: The following analytic detects unauthorized access to Outlook credentials stored in the Windows registry. It leverages Windows Security Event logs, specifically EventCode 4663, to identify access attempts to registry paths associated with…
- Windows Unusual FileZilla XML Config Access source: The following analytic identifies processes accessing FileZilla XML config files such as recentservers.xml and sitemanager.xml. It leverages Windows Security Event logs, specifically monitoring EventCode 4663, which tracks object access…
- Windows Unusual Intelliform Storage Registry Access source: The following analytic identifies processes accessing Intelliform Storage Registry keys used by Internet Explorer. It leverages Windows Security Event logs, specifically monitoring EventCode 4663, which tracks object access events. This…
- ISO Image Mounted - Windows (Windows Event Log) source: Threat actors such as APT29 have used ISO files to deliver malicious code to target systems. Normally, when a file is downloaded from the internet, Windows adds a Zone Identifier to identify the file's origin (known as mark-of-the-web or…
Kusto #
- Suspicious office child process created source: This query obtains a list of downloaded Office documents (doc, xls, etc.) by looking at files written by commonly used web browsers. It then searches for invocations of an Office program by double-clicking on these files. If these processes spawn an uncommon child process this is reported as suspicious.↳ also matches Event ID 4688: A new process has been created., Event ID 5156: The Windows Filtering Platform has permitted a connection.
- Suspicious MSC File Launched source: The query searches for suspicious MSC files that are launched on the system. The following types of suspicious files are detected: MSC files downloaded by web browsers, MSC files in the Downloads folder, MSC files extracted from ZIP files, and MSC files with Mark Of The Web (MOTW).↳ also matches Event ID 4688: A new process has been created.
- WinRM Plugin Lateral Movement source: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false-positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation.
- Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint) source: ISO images are often meant to be used offline; they are typically used by IT admins and/or on servers. Installation from an ISO file doesn't require a network connection most of the time. Activities deviating from these situations can be considered highly suspicious. The queries detect opening a mounted image, process creation under a mounted image, and network connections from a process created under a mounted image. All detections can be used separately or combined to generate a higher-fidelity alert. Detect opening of a mounted image:↳ also matches Event ID 4657: A registry value was modified.
- Microsoft Recommended Driver Block List source: The query below detects loading or creation of a vulnerable driver that is listed in the Microsoft recommended driver block rules.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4663
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4663_v1.yml
- MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format
- MS Learn PROCESS_* access rights https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
Event ID 4664: An attempt was made to create a hard link.
#Description
This event generates when an NTFS hard link was successfully created.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that made an attempt to create the hard link. |
SubjectUserName UnicodeString | The name of the account that made an attempt to create the hard link. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
FileName UnicodeString | The name of a file or folder that new hard link refers to. |
LinkName UnicodeString | Full path name with new hard link file name. |
TransactionId GUID | Unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as "4660(S): An object was deleted." |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4664,
"version": 0,
"level": 0,
"task": 12800,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T05:22:20.6573922+00:00",
"event_record_id": 2926182,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 7864
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-C$",
"SubjectDomainName": "cell-c",
"SubjectLogonId": "0x3e7",
"FileName": "C:\\Windows\\servicing\\Packages\\Microsoft-Windows-msmq-adintegration-Opt-Package~31bf3856ad364e35~amd64~en-US~10.0.20348.1.cat",
"LinkName": "C:\\Windows\\WinSxS\\Temp\\InFlight\\c8dec39bf4fadc01df0700009c05c402\\c8dec39bf4fadc01e00700009c05c402_catalog",
"TransactionId": "{00000000-0000-0000-0000-000000000000}"
},
"message": "An attempt was made to create a hard link.\r\n\r\nSubject:\r\n\tAccount Name:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nLink Information:\r\n\tFile Name:\tC:\\Windows\\servicing\\Packages\\Microsoft-Windows-msmq-adintegration-Opt-Package~31bf3856ad364e35~amd64~en-US~10.0.20348.1.cat\r\n\tLink Name:\tC:\\Windows\\WinSxS\\Temp\\InFlight\\c8dec39bf4fadc01df0700009c05c402\\c8dec39bf4fadc01e00700009c05c402_catalog\r\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}"
}
Detection Rules #
Sigma #
- NTFS hard link creation source medium: Detects scenarios where an attacker attempts to create a hard link.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4664
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4664
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4664.yml
Event ID 4665: An attempt was made to create an application client context.
#Description
An attempt was made to create an application client context.
Message #
Fields #
| Name | Description |
|---|---|
AppName UnicodeString | [Application Information] Application Name. |
AppInstance UInt64 | [Application Information] Application Instance ID. |
ClientName UnicodeString | [Subject] Client Name. |
ClientDomain UnicodeString | [Subject] Client Domain. |
ClientLogonId UInt64 | [Subject] Client Context ID. |
Status UInt32 | [Application Information] Status. NTSTATUS reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4665
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4665
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4665.yml
Event ID 4666: An application attempted an operation.
#Description
An application attempted an operation.
Message #
Fields #
| Name | Description |
|---|---|
AppName UnicodeString | [Application Information] Application Name. |
AppInstance UInt64 | [Application Information] Application Instance ID. |
ObjectName UnicodeString | [Object] Object Name. |
ScopeName UnicodeString | [Object] Scope Names. |
ClientName UnicodeString | [Subject] Client Name. |
ClientDomain UnicodeString | [Subject] Client Domain. |
ClientLogonId UInt64 | [Subject] Client Context ID. |
Role UnicodeString | [Access Request Information] Role. |
Group UnicodeString | [Access Request Information] Groups. |
OperationName UnicodeString | [Access Request Information] Operation Name. |
OperationId UInt32 | [Access Request Information] Operation ID. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4666
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4666
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4666.yml
Event ID 4667: An application client context was deleted.
#Description
An application client context was deleted.
Message #
Fields #
| Name | Description |
|---|---|
AppName UnicodeString | [Application Information] Application Name. |
AppInstance UInt64 | [Application Information] Application Instance ID. |
ClientName UnicodeString | [Subject] Client Name. |
ClientDomain UnicodeString | [Subject] Client Domain. |
ClientLogonId UInt64 | [Subject] Client Context ID. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4667
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4667
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4667.yml
Event ID 4668: An application was initialized.
#Description
An application was initialized.
Message #
Fields #
| Name | Description |
|---|---|
AppName UnicodeString | [Application Information] Application Name. |
AppInstance UInt64 | [Application Information] Application Instance ID. |
ClientName UnicodeString | [Subject] Client Name. |
ClientDomain UnicodeString | [Subject] Client Domain. |
ClientLogonId UInt64 | [Subject] Client ID. |
StoreUrl UnicodeString | [Additional Information] Policy Store URL. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4668
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4668
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4668.yml
Event ID 4670: Permissions on an object were changed.
#Description
This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid SID | SID of the account that changed the object's permissions. | |
SubjectUserName UnicodeString | Name of the account that changed the object's permissions. | |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | |
ObjectServer UnicodeString | Has "Security" value for this event. | |
ObjectType UnicodeString | Type of the object whose permissions were changed. | 2 |
ObjectName UnicodeString | Name and identifying information for the object. For files, includes the full path. "-" for token objects. | |
HandleId Pointer | Hexadecimal handle to the object. | |
OldSd UnicodeString | Previous SDDL security descriptor for the object. | |
NewSd UnicodeString | New SDDL security descriptor for the object. | |
ProcessId Pointer | Hexadecimal Process ID of the process that changed the permissions. | |
ProcessName UnicodeString | Full path and the name of the executable for the process. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4670,
"version": 0,
"level": 0,
"task": 13570,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T13:52:27.0312120+00:00",
"event_record_id": 2141121,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 3844
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-A$",
"SubjectDomainName": "cell-a",
"SubjectLogonId": "0x3e7",
"ObjectServer": "Security",
"ObjectType": "Token",
"ObjectName": "-",
"HandleId": "0x280",
"OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)",
"NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)",
"ProcessId": "0x324",
"ProcessName": "C:\\Windows\\System32\\services.exe"
},
"message": "Permissions on an object were changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tObject Type:\tToken\r\n\tObject Name:\t-\r\n\tHandle ID:\t0x280\r\n\r\nProcess:\r\n\tProcess ID:\t0x324\r\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\r\n\r\nPermissions Change:\r\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;GA;;;NS)\r\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)"
}
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
ObjectType | eq | Key | 1 rule | kusto, sigma |
Community Notes #
Fires when an object's security descriptor is rewritten and carries both the old and the new descriptor in SDDL (OldSd/NewSd), so the added and removed ACEs can be diffed directly. Use it to catch ACL edits on files, registry keys, or tokens that grant elevated rights (WRITE_DAC, WRITE_OWNER, GENERIC_ALL) to unexpected principals, or that add Deny ACEs to security-tool paths. For file and registry objects the object must carry a matching SACL ("Change permissions") under Audit File System / Audit Registry, otherwise no event is written; token changes, as in the example above, come from the Authorization Policy Change subcategory.
Binary Defense post Windows Defender ACL Blocking: A Silent Technique With Serious Impact — attackers can modify DACLs on the Windows Defender directory to block the antimalware service from reading its own binaries, silently disabling protection without triggering tamper alerts. Look for ACL changes targeting Defender paths (e.g. C:\ProgramData\Microsoft\Windows Defender\) paired with 4663 WRITE_DAC access.
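As an added worked example (not from the page, the Binary Defense post, or any vendor rule), the following Python does the three things the 4663 notes and the note above call for: it decodes a 4663 AccessMask against the standard and generic rights listed under 4663, parses the OldSd/NewSd SDDL of a 4670 to diff its ACEs, and pairs a WRITE_DAC handle on a Defender path with the 4670 that follows it from the same logon session. The Defender path list, the 60-second window and the sample events are assumptions; the first sample reuses the page's own 4670 token example. Only the D: section is parsed, and conditional (XA/XD) ACEs are not handled.

```python
"""Decode 4663 AccessMask bits, diff the SDDL carried by a 4670, and pair a WRITE_DAC
handle on a Defender path with the ACL change that follows it."""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime

# ACCESS_MASK standard rights (0x10000..0x100000) and generic rights (top nibble).
RIGHT_NAMES = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
               0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE", 0x10000000: "GENERIC_ALL",
               0x20000000: "GENERIC_EXECUTE", 0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}
WRITE_DAC, WRITE_OWNER, GENERIC_ALL = 0x40000, 0x80000, 0x10000000
# SDDL two-letter rights codes (subset covering file, registry and token DACLs).
SDDL_RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
               "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000, "CC": 0x1, "DC": 0x2,
               "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
               "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
               "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019}
# Assumed watch-list of Defender paths (case-insensitive prefix match); tune per estate.
DEFENDER_PATHS = ("c:\\programdata\\microsoft\\windows defender", "c:\\program files\\windows defender")


def decode_mask(mask: int) -> list[str]:
    """Name the standard/generic bits in an AccessMask; leftover object-specific bits stay hex."""
    names = [name for bit, name in RIGHT_NAMES.items() if mask & bit]
    rest = mask & ~sum(RIGHT_NAMES)
    return names + ([f"0x{rest:x}"] if rest else [])


@dataclass(frozen=True)
class Ace:
    kind: str    # "A" allow, "D" deny, "AU" audit, ...
    flags: str   # inheritance flags such as "OICI"
    rights: int
    sid: str     # SID string or two-letter alias (SY, BA, NS, OW, ...)


def sddl_rights(token: str) -> int:
    """Rights field of an ACE: either a hex literal or concatenated two-letter codes."""
    if token.startswith("0x"):
        return int(token, 16)
    return sum(SDDL_RIGHTS[token[i:i + 2]] for i in range(0, len(token), 2))


def parse_dacl(sddl: str) -> list[Ace]:
    """Parse the D: section only (plain ACEs, not conditional XA/XD ones)."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        kind, flags, rights, _obj, _inh_obj, sid = body.split(";")[:6]
        aces.append(Ace(kind, flags, sddl_rights(rights), sid))
    return aces


def dacl_diff(old_sddl: str, new_sddl: str) -> tuple[list[Ace], list[Ace]]:
    """Return (added, removed) ACEs between the OldSd and NewSd of a 4670."""
    old, new = set(parse_dacl(old_sddl)), set(parse_dacl(new_sddl))
    key = lambda a: (a.kind, a.sid, a.rights)
    return sorted(new - old, key=key), sorted(old - new, key=key)


def assess_4670(ev: dict) -> list[str]:
    """Flag new Deny ACEs and new grants of WRITE_DAC / WRITE_OWNER / GENERIC_ALL."""
    added, _removed = dacl_diff(ev["OldSd"], ev["NewSd"])
    findings = []
    for ace in added:
        if ace.kind == "D":
            findings.append(f"deny ACE added for {ace.sid}: {decode_mask(ace.rights)}")
        elif ace.kind == "A" and ace.rights & (WRITE_DAC | WRITE_OWNER | GENERIC_ALL):
            findings.append(f"control rights granted to {ace.sid}: {decode_mask(ace.rights)}")
    return findings


def hunt_defender_acl(events: list[dict], window_s: int = 60) -> list[str]:
    """Pair a 4663 WRITE_DAC handle on a Defender path with a 4670 on the same object
    from the same logon session within window_s seconds."""
    ts = lambda e: datetime.fromisoformat(e["time"])
    hits = []
    for h in (e for e in events if e["EventID"] == 4663):
        on_path = h["ObjectName"].lower().startswith(DEFENDER_PATHS)
        if not on_path or not int(h["AccessMask"], 16) & WRITE_DAC:
            continue
        for c in (e for e in events if e["EventID"] == 4670):
            same = (c["ObjectName"].lower() == h["ObjectName"].lower()
                    and c["SubjectLogonId"] == h["SubjectLogonId"])
            if same and 0 <= (ts(c) - ts(h)).total_seconds() <= window_s:
                hits.append(f"{h['ProcessName']} took WRITE_DAC on {h['ObjectName']}; "
                            f"4670 followed: {assess_4670(c)}")
    return hits


# Constructed sample (not from the page) except the first entry, which reuses the page's 4670 token
# example. Timestamps are trimmed to whole seconds; only the fields this script reads are kept.
SAMPLE = [
    {"EventID": 4670, "time": "2026-06-13T13:52:27", "SubjectLogonId": "0x3e7", "ObjectName": "-",
     "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)",
     "NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)"
              "(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)"},
    {"EventID": 4663, "time": "2026-06-13T14:00:00", "SubjectLogonId": "0x5a1b2",
     "ProcessName": "C:\\Windows\\System32\\icacls.exe", "AccessMask": "0x40000",
     "ObjectName": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform"},
    {"EventID": 4670, "time": "2026-06-13T14:00:01", "SubjectLogonId": "0x5a1b2",
     "ObjectName": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform",
     "OldSd": "D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)",
     "NewSd": "D:PAI(D;OICI;FA;;;SY)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"},
]
```

Run `assess_4670(SAMPLE[0])` to see the page's token example reduced to "GENERIC_ALL granted to S-1-5-80-…" (the one ACE that matters), and `hunt_defender_acl(SAMPLE)` for the paired finding. In a SIEM the same join is keyed on ObjectName plus SubjectLogonId; widening the window is safer than dropping the logon-session match, because ACL edits by unrelated principals on the same path are common during servicing.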
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4670
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4670
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4670.yml
Event ID 4671: An application attempted to access a blocked ordinal through the TBS.
#Description
An application attempted to access a blocked ordinal through the TBS.
Message #
Fields #
| Name | Description |
|---|---|
CallerUserSid SID | [Subject] Security ID |
CallerUserName UnicodeString | [Subject] Account Name |
CallerDomainName UnicodeString | [Subject] Account Domain |
CallerLogonId HexInt64 | [Subject] Logon ID |
Ordinal UInt32 | [Subject] Ordinal. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4671
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4671
Event ID 4672: Special privileges assigned to new logon.
#Description
This event generates for new account logons if any of a fixed set of sensitive privileges is assigned to the new logon session, for example SeDebugPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege or SeSecurityPrivilege (see the PrivilegeList in the example below). It is written once per logon session, immediately after the corresponding 4624.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account to which special privileges were assigned. |
SubjectUserName UnicodeString | The name of the account to which special privileges were assigned. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
PrivilegeList UnicodeString | The list of sensitive privileges, assigned to the new logon. Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4672,
"version": 0,
"level": 0,
"task": 12548,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:08:49.2401689+00:00",
"event_record_id": 3213577,
"correlation": {},
"execution": {
"process_id": 896,
"thread_id": 4272
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "cell-c",
"SubjectLogonId": "0x296120d",
"PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege"
},
"message": "Special privileges assigned to new logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x296120D\r\n\r\nPrivileges:\t\tSeSecurityPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeImpersonatePrivilege\r\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\r\n\t\t\tSeEnableDelegationPrivilege"
}
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
AuthenticationPackageName | eq | NTLM | 1 rule | elastic, kusto, sigma, splunk |
unique_targets | gt | 30 | 1 rule | splunk |
RelativeTargetName | eq | winreg | 1 rule | elastic, sigma |
TargetDomainName | in | PUT YOUR AD DOMAINS HERE! | 1 rule | kusto |
TargetDomainName | in | contoso | 1 rule | kusto |
TargetDomainName | in | contoso.local | 1 rule | kusto |
subnet | is_null | | 1 rule | kusto |
Community Notes #
Identifies Administrator or SYSTEM-equivalent sessions at logon time. SYSTEM (S-1-5-18), LOCAL SERVICE, NETWORK SERVICE and virtual service accounts (S-1-5-80-*) produce the bulk of the volume, so filter those before alerting, and join on SubjectLogonId to the matching 4624 to recover the logon type and source address.
Detection Rules #
Splunk #
- Windows Special Privileged Logon On Multiple Hosts source: The following analytic detects a user authenticating with special privileges on 30 or more remote endpoints within a 5-minute window. It leverages Event ID 4672 from Windows Security logs to identify this behavior. This activity is…
Kusto #
- Potentially Relayed NTLM Authentication - Microsoft Sentinel source: The below query detects NTLM logons where Network Address in the logon event doesn't match the Workstation Name's IP. This indicates potentially relayed NTLM authentication. It analyzes only the logons with domain accounts having admin privileges.↳ also matchesEvent ID 4624: An account was successfully logged on.
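An added example, not from the page or from Splunk, of the two filters a practitioner applies to 4672 before alerting: parsing the tab-separated PrivilegeList to rank the dangerous privileges, and dropping built-in service logons so that the per-account host fan-out (30 hosts in 5 minutes, the threshold of the Splunk analytic above) counts only real accounts. The TAKEOVER set, the helpdesk SID, the host names and the sample events are assumptions; the admin SID is the one from the page's example event.

```python
"""Triage 4672: parse the PrivilegeList, drop built-in service logons, and flag one
account receiving special privileges on many hosts inside a short window."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Privileges that let a session take over the host outright; a subset of what triggers 4672.
TAKEOVER = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege", "SeBackupPrivilege",
            "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeImpersonatePrivilege",
            "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege"}


def parse_privileges(field: str) -> list[str]:
    """PrivilegeList is newline- and tab-separated text, as in the example event above."""
    return [p.strip() for p in field.split("\n") if p.strip()]


def is_builtin(sid: str) -> bool:
    """SYSTEM, LOCAL SERVICE, NETWORK SERVICE and virtual service accounts (S-1-5-80-*)
    generate 4672 constantly; drop them so what remains is real accounts."""
    return sid in ("S-1-5-18", "S-1-5-19", "S-1-5-20") or sid.startswith("S-1-5-80-")


def takeover_privileges(ev: dict) -> list[str]:
    """The subset of TAKEOVER present in one event, for ranking."""
    return sorted(TAKEOVER & set(parse_privileges(ev["PrivilegeList"])))


def fan_out(events: list[dict], min_hosts: int = 30,
            window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Sliding window of distinct hosts per account; one alert per account at the first window that trips."""
    by_sid: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        if not is_builtin(ev["SubjectUserSid"]):
            by_sid[ev["SubjectUserSid"]].append((datetime.fromisoformat(ev["time"]), ev["computer"]))
    alerts = []
    for sid, seen in by_sid.items():
        seen.sort()
        for i, (t0, _host) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"sid": sid, "start": t0.isoformat(), "hosts": len(hosts)})
                break
    return alerts


def build_sample() -> list[dict]:
    """Constructed events (not from the page): one admin account lighting up 35 servers in
    under two minutes, SYSTEM noise on each server, and a helpdesk account on two hosts."""
    base = datetime(2026, 6, 13, 14, 8, 49)
    privs = "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeDebugPrivilege"
    admin = "S-1-5-21-1006758700-2167138679-1475694448-1105"     # domainadmin from the example
    helpdesk = "S-1-5-21-1006758700-2167138679-1475694448-1200"  # assumed SID
    out = []
    for i in range(35):
        host, when = f"srv{i:02d}.cell-c.ludus.domain", (base + timedelta(seconds=3 * i)).isoformat()
        out.append({"SubjectUserSid": admin, "computer": host, "time": when, "PrivilegeList": privs})
        out.append({"SubjectUserSid": "S-1-5-18", "computer": host, "time": when, "PrivilegeList": privs})
    for host in ("ws01.cell-c.ludus.domain", "ws02.cell-c.ludus.domain"):
        out.append({"SubjectUserSid": helpdesk, "computer": host, "time": base.isoformat(),
                    "PrivilegeList": privs})
    return out
```

`fan_out(build_sample())` returns a single alert for the admin SID with 35 hosts; the SYSTEM events on the same hosts never count, and the helpdesk account stays under the threshold. Lower `min_hosts` for workstation-heavy estates where an admin rarely touches more than a handful of machines at once.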
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-special-logon
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4672
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4672.yml
Event ID 4673: A privileged service was called.
#Description
This event generates when an attempt was made to perform privileged system service operations. This event generates, for example, when SeSystemtimePrivilege, SeCreateGlobalPrivilege, or SeTcbPrivilege privilege was used.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid SID | SID of account that requested privileged operation. | 1 |
SubjectUserName UnicodeString | The name of the account that requested privileged operation. | 1 |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | |
ObjectServer UnicodeString | Contains the name of the Windows subsystem calling the routine. | |
Service UnicodeString | Supplies a name of the privileged subsystem service or function. | 2 |
PrivilegeList UnicodeString | The list of user privileges which were requested. Privilege constants reference | 2 |
ProcessId Pointer | Hexadecimal Process ID of the process that attempted to call the privileged service. | |
ProcessName UnicodeString | Full path and the name of the executable for the process. | 22 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4673,
"version": 0,
"level": 0,
"task": 13056,
"opcode": 0,
"keywords": -9218868437227405312,
"time_created": "2026-06-13T14:08:49.2466124+00:00",
"event_record_id": 3213596,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 4672
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "cell-c",
"SubjectLogonId": "0x296120d",
"ObjectServer": "Security",
"Service": "-",
"PrivilegeList": "SeTcbPrivilege",
"ProcessId": "0x7f4",
"ProcessName": "C:\\Windows\\System32\\svchost.exe"
},
"message": "A privileged service was called.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x296120D\r\n\r\nService:\r\n\tServer:\tSecurity\r\n\tService Name:\t-\r\n\r\nProcess:\r\n\tProcess ID:\t0x7f4\r\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\r\n\r\nService Request Information:\r\n\tPrivileges:\t\tSeTcbPrivilege"
}
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
SubjectUserSid | eq | S-1-5-18 | 1 rule | elastic, sigma, splunk |
process_name | eq | c:\windows\system32\svchost.exe | 1 rule | sigma |
process_name | ends_with | \procexp.exe | 1 rule | sigma |
process_name | ends_with | \procexp64.exe | 1 rule | sigma |
process_name | ends_with | \procmon.exe | 1 rule | sigma |
process_name | ends_with | \procmon64.exe | 1 rule | sigma |
Community Notes #
Logs each use of a privilege covered by Audit Sensitive Privilege Use, such as SeDebugPrivilege (commonly precedes process-memory scraping) or SeTcbPrivilege. The Keywords value distinguishes the outcome: 0x8020000000000000 is Audit Success and 0x8010000000000000 is Audit Failure, so the example above (-9218868437227405312) is a failure: the SeTcbPrivilege check was refused for the svchost.exe call made under the domainadmin logon. The subcategory is high-volume; the Sigma rules below depend on allow-listing the processes and accounts expected to use each privilege.
Detection Rules #
View all rules referencing this event →
Sigma #
- User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' (high): The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possibly Rubeus trying to get a handle to LSA.
- Potential Privileged System Service Operation - SeLoadDriverPrivilege (medium): Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
- Privilege SeMachineAccountPrivilege abuse (medium): Detects scenarios where an attacker abuses the SeMachineAccountPrivilege, which by default allows any authenticated user to join a computer to the domain. Later on, this computer account can be manipulated in order to elevate privileges.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sensitive-privilege-use
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4673
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4673.yml
Event ID 4674: An operation was attempted on a privileged object.
#Description
This event generates when an attempt is made to perform privileged operations on a protected subsystem object after the object is already opened.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| SubjectUserSid | SID | SID of the account that requested the privileged operation. | |
| SubjectUserName | UnicodeString | The name of the account that requested the privileged operation. | 1 |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. | |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example "4624: An account was successfully logged on." | 1 |
| ObjectServer | UnicodeString | Contains the name of the Windows subsystem calling the routine. | 2 |
| ObjectType | UnicodeString | The type of the object that was accessed during the operation. | 2 |
| ObjectName | UnicodeString | The name of the object that was accessed during the operation. | 16 |
| HandleId | Pointer | Hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example "4656: A handle to an object was requested" in the appropriate subcategory. | |
| AccessMask | UnicodeString | The desired access mask. Its meaning depends on the Object Server and Object Type values (see the ACCESS_MASK format reference). | |
| PrivilegeList | UnicodeString | The list of user privileges which were requested (see the privilege constants reference). | 1 |
| ProcessId | Pointer | Hexadecimal Process ID of the process that attempted the operation on the privileged object. | |
| ProcessName | UnicodeString | Full path and name of the executable for the process. | 4 |
Example Event #
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4674,
    "version": 0,
    "level": 0,
    "task": 13056,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:52.3798917+00:00",
    "event_record_id": 3213643,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4672
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x296120d",
    "ObjectServer": "Security",
    "ObjectType": "-",
    "ObjectName": "-",
    "HandleId": "0x828",
    "AccessMask": "983103",
    "PrivilegeList": "SeTakeOwnershipPrivilege",
    "ProcessId": "0x1eb8",
    "ProcessName": "C:\\Windows\\System32\\wsmprovhost.exe"
  },
  "message": "An operation was attempted on a privileged object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x296120D\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tObject Type:\t-\r\n\tObject Name:\t-\r\n\tObject Handle:\t0x828\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x1eb8\r\n\tProcess Name:\tC:\\Windows\\System32\\wsmprovhost.exe\r\n\r\nRequested Operation:\r\n\tDesired Access:\t983103\r\n\tPrivileges:\t\tSeTakeOwnershipPrivilege"
}
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| ObjectType | eq | Key | 1 rule | kusto, sigma |
| event.outcome | eq | success | 1 rule | elastic |
| ObjectServer | eq | Security | 1 rule | sigma |
| ObjectServer | eq | SC Manager | 1 rule | kusto, sigma |
| LogonId | eq | 0x3e4 | 1 rule | sigma |
| ObjectType | eq | SC_MANAGER OBJECT | 1 rule | sigma |
| event.category | eq | iam | 1 rule | elastic |
Community Notes #
Logs direct interaction with objects that require SeSecurityPrivilege or SeTakeOwnershipPrivilege, i.e., the SAM hives.
Detection Rules #
Sigma #
- SCM Database Privileged Operation (medium): Detects non-system users performing a privileged operation on the SCM database.
- Impacket DCOMexec privilege abuse via MMC (high): Detects scenarios where an attacker executes the Impacket DCOMexec tool in order to abuse DCOM services.
- Backdoor introduction via registry permission change through WMI (DAMP) (high): Detects scenarios where an attacker modifies registry permissions on a local or remote target in order to introduce a backdoor and dump hashes and credentials.
Elastic #
- Suspicious SeIncreaseBasePriorityPrivilege Use (high): Identifies attempts to use the SeIncreaseBasePriorityPrivilege privilege by an unusual process. This could be related to hijacking the execution flow of a process via thread priority manipulation.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4674
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sensitive-privilege-use
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4674
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4674.yml
- MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format
Event ID 4675: SIDs were filtered.
#Description
SIDs were filtered.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserSid | SID | [Target Account] Security ID |
| TargetUserName | UnicodeString | [Target Account] Account Name |
| TargetDomainName | UnicodeString | [Target Account] Account Domain |
| TdoDirection | UInt32 | [Trust Information] Trust Direction |
| TdoAttributes | UInt32 | [Trust Information] Trust Attributes |
| TdoType | UInt32 | [Trust Information] Trust Type |
| TdoSid | SID | [Trust Information] TDO Domain SID |
| SidList | UnicodeString | Filtered SIDs |
Detection Patterns #
- Stealth: Valid Accounts (1 rule)
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4675
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4675
Event ID 4688: A new process has been created.
#Description
This event generates every time a new process starts.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| SubjectUserSid | SID | SID of the account that requested the "create process" operation. | |
| SubjectUserName | UnicodeString | The name of the account that requested the "create process" operation. | |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. | |
| SubjectLogonId | HexInt64 | Logon session ID of the account that created the process. Correlates with Event ID 4624. | |
| NewProcessId | Pointer | Hexadecimal Process ID of the new process. | |
| NewProcessName | UnicodeString | Full path and name of the executable for the new process. | 158 |
| TokenElevationType | UnicodeString | UAC elevation type of the new process token: Default (no UAC split), Full (elevated administrator), or Limited (standard user UAC split). | |
| ProcessId | Pointer | Hexadecimal Process ID of the process which ran the new process. | |
| CommandLine | UnicodeString | Full command line of the new process. Requires the "Include command line in process creation events" audit policy setting to be enabled; empty otherwise. | 1965 |
| TargetUserSid | SID | SID of the account the new process runs as, when different from the creator (e.g., CreateProcessAsUser/RunAs). S-1-0-0 when not applicable. | 1 |
| TargetUserName | UnicodeString | Name of the account the new process runs as. Empty when the process runs as the creator's session. | 8 |
| TargetDomainName | UnicodeString | Target account's domain or computer name. | 6 |
| TargetLogonId | HexInt64 | Logon session ID for the target account context. 0x0 when the process runs as the creator's session. | |
| ParentProcessName | UnicodeString | Full path of the parent process. | 182 |
| MandatoryLabel | SID | SID of the integrity label which was assigned to the new process. | |
Example Event #
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4688,
    "version": 2,
    "level": 0,
    "task": 13312,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:49.2497694+00:00",
    "event_record_id": 3213597,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4672
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-C$",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x3e7",
    "NewProcessId": "0x1eb8",
    "NewProcessName": "C:\\Windows\\System32\\wsmprovhost.exe",
    "TokenElevationType": "%%1936",
    "ProcessId": "0x254",
    "CommandLine": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding",
    "TargetUserSid": "S-1-0-0",
    "TargetUserName": "domainadmin",
    "TargetDomainName": "cell-c",
    "TargetLogonId": "0x296120d",
    "ParentProcessName": "C:\\Windows\\System32\\svchost.exe",
    "MandatoryLabel": "S-1-16-12288"
  },
  "message": "A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x296120D\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x1eb8\r\n\tNew Process Name:\tC:\\Windows\\System32\\wsmprovhost.exe\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\n\tMandatory Label:\t\tS-1-16-12288\r\n\tCreator Process ID:\t0x254\r\n\tCreator Process Name:\tC:\\Windows\\System32\\svchost.exe\r\n\tProcess Command Line:\tC:\\Windows\\system32\\wsmprovhost.exe -Embedding\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
}
Detection Patterns #
1300 rules (Sigma, Elastic, Splunk)
Tags: Network Connection, Event Log, Xsl Script Execution
- Remote Msi Installation (1 rule)
- Credential Access: DCSync (1 rule)
- Persistence: Account Manipulation (1 rule)
- Execution: Exploitation for Client Execution
- Privilege Escalation: Bypass User Account Control (1 rule)
- Stealth: Create Process with Token (1 rule)
- Stealth: Token Impersonation/Theft (1 rule)
- Stealth: Msiexec (1 rule)
- Stealth: Impair Defenses (1 rule)
- Credential Access: LSASS Memory (1 rule)
- Credential Access: Steal or Forge Authentication Certificates (1 rule)
- Lateral Movement: Exploitation of Remote Services
- Command & Control: Remote Desktop Software
- Exfiltration: Exfiltration Over Alternative Protocol
- Stealth: Clear Windows Event Logs (0 rules)
- Credential Access: NTDS (0 rules)
- Discovery: System Network Configuration Discovery (0 rules)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| event.type | eq | start | 238 rules | elastic |
| process_name | eq | powershell.exe | 91 rules | elastic, splunk |
| process_name | eq | cmd.exe | 71 rules | elastic, splunk |
| Image | ends_with | \powershell.exe | 66 rules | sigma |
| Image | ends_with | \cmd.exe | 58 rules | sigma |
| process_name | eq | pwsh.exe | 55 rules | elastic, splunk |
| Image | ends_with | \pwsh.exe | 54 rules | sigma |
| process_name | eq | rundll32.exe | 48 rules | elastic, splunk |
| process_name | eq | powershell_ise.exe | 46 rules | elastic, splunk |
| process_name | eq | wmic.exe | 43 rules | elastic, splunk |
| Image | ends_with | \rundll32.exe | 41 rules | sigma |
| Image | ends_with | \wscript.exe | 40 rules | sigma |
| Image | ends_with | \cscript.exe | 40 rules | sigma |
| Image | ends_with | \mshta.exe | 35 rules | sigma |
| Image | ends_with | \regsvr32.exe | 35 rules | sigma |
Detection Rules #
Sigma # (20 of 122 rules shown)
- Chromium Browser Headless Execution To Mockbin Like Site (high): Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
- NtdllPipe Like Activity Execution (high): Detects commands that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection, as seen being used in the NtdllPipe POC.
- Potentially Suspicious Child Process Of ClickOnce Application (medium): Detects potentially suspicious child processes of a ClickOnce deployment application.
- Potential Discovery Activity Via Dnscmd.EXE (medium): Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.
- Uncommon FileSystem Load Attempt By Format.com (high): Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
- Potentially Suspicious GoogleUpdate Child Process (high): Detects potentially suspicious child processes of "GoogleUpdate.exe".
- Arbitrary Binary Execution Using GUP Utility (medium): Detects execution of the Notepad++ updater (gup) to launch other commands or executables.
- HackTool - LaZagne Execution (medium): Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
- HackTool - Wmiexec Default Powershell Command (high): Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script.
- ImagingDevices Unusual Parent/Child Processes (high): Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity.
- Suspicious Execution of InstallUtil Without Log (medium): Uses the .NET InstallUtil.exe application in order to execute an image without logging.
- Suspicious Shells Spawn by Java Utility Keytool (high): Detects suspicious shell spawn from the Java utility keytool process (e.g. adselfservice plus exploitation).
- Suspicious Processes Spawned by Java.EXE (high): Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j).
- Shell Process Spawned by Java.EXE (medium): Detects a shell spawned from a Java host process, which could be a sign of exploitation (e.g. log4j exploitation).
- Potentially Suspicious Execution Of PDQDeployRunner (medium): Detects suspicious execution of "PDQDeployRunner", which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines.
- Suspicious Obfuscated PowerShell Code (high): Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines.
- Email Exfiltration Via Powershell (high): Detects email exfiltration via PowerShell cmdlets.
- Potential Suspicious Windows Feature Enabled - ProcCreation (medium): Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
- Suspicious PowerShell Invocations - Specific - ProcessCreation (medium): Detects suspicious PowerShell invocation command parameters.
- Suspicious PowerShell Mailbox Export to Share (critical): Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations.
Elastic #
- Potential LSASS Clone Creation via PssCaptureSnapShot (high): Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
Splunk # (20 of 263 rules shown)
- Unusually Long Command Line: The following analytic detects unusually long command lines, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the length of command lines executed on hosts. This…
- 1 or 2 Character Executable (Windows Event Log): Adversaries have been known to occasionally use executable files named with only 1 or 2 word characters.
- 3CXDesktopApp.exe Execution (Windows Event Log): Malicious activity has been detected on March 29, 2023, originating from a legitimate and signed binary called 3CXDesktopApp, which is a softphone application from 3CX. This malicious activity includes beaconing to infrastructure…
- Abuse EQNEDT32.EXE (Windows Event Log): Detects potential malicious Microsoft Office payload (CVE-2017-11882 or CVE-2018-0798) on host. Equation Editor
- Access Common Package Config file (Windows Event Log): Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. An Adversary with access could identify or modify configuration of packages in order to execute code…
- Account Password Changed from Command Line - Windows (Windows Event Log): Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.…
- Account set to active via Net.exe (Windows Event Log): Adversaries may obtain and abuse credentials of a default or disabled account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the…
- ADExplorer Snapshot Creation (Windows Event Log): Active Directory Explorer (AD Explorer) is a tool from the Sysinternals suite that allows users to view, search, and analyze objects within Active Directory, and it includes the capability to take snapshots of the AD database for offline…
- Adfind Commands (Windows Event Log): AdFind is a free command-line query tool that can be used for gathering information from Active Directory. In some instances adversaries have renamed adfind in order to avoid detection. This use case looks for common commands of Adfind.
- Adfind Execution (Windows Event Log): AdFind is a free command-line query tool that can be used for gathering information from Active Directory. This use case looks for process executions of Adfind.
- Advanced IP Scanner Execution (Windows Event Log): Advanced IP Scanner is a legitimate utility that can perform network scanning. Several threat actors, including UNC2465, Conti, Pysa ransomware and FIN12, have been reported to use Advanced IP Scanner during reconnaissance activities.
- Advanced Port Scanner Execution (Windows Event Log): Advanced Port Scanner is a free network scanner that allows users to quickly find open ports on network computers and retrieve versions of programs running on the ports it detects. Threat actors using Rhysida ransomware have been reported…
- AnyDesk Command Line Execution (Windows Event Log): For most users, normal AnyDesk activity is executed via the GUI. This use case detects anydesk.exe calls from cmd.exe or PowerShell.exe. Install commands have been filtered out by default.
- AnyDesk Execution from Suspicious Folder (Windows Event Log): Adversaries may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software,…
- AnyDesk Silent Install (Windows Event Log): An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. BlackByte ransomware group has been observed performing silent installs…
- Application Discovery - Windows (Windows Event Log): Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on…
- ATBroker.exe Execution (Windows Event Log): Helper binary for Assistive Technology (AT); executes code defined in the registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistive Technology (AT) service entry.
- Attempted Veeam Database Credential Dump (Windows Event Log): Operators from the Diavol ransomware gang were observed using sqlcmd to extract encrypted credentials from Veeam databases that were decrypted using a publicly documented technique on Veeam's R+D forums. This use case detects commands…
- Attrib.exe Metasploit File Dropper (Windows Event Log): Using attrib.exe, an adversary may display or change file attributes in order to bypass UAC restrictions. Metasploit's file_dropper.rb, which is included in some payloads, uses this to assist in removing artifacts.
- AutoHotkey Execution (Windows Event Log): Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be…
Kusto # (20 of 28 rules shown)
- SUNBURST suspicious SolarWinds child processes (medium): Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor. References: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html and https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
- Unusual identity creation using exchange powershell (high): The query below identifies creation of an unusual identity by the Europium actor to mimic the Microsoft Exchange Health Manager Service account using Exchange PowerShell commands. Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/
- Identify Mango Sandstorm powershell commands (high): The query below identifies PowerShell commands used by the threat actor Mango Sandstorm. Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
- Midnight Blizzard - suspicious rundll32.exe execution of vbscript (medium): This query identifies when rundll32.exe executes a specific set of inline VBScript commands. Reference: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- Midnight Blizzard - Script payload stored in Registry (medium): This query identifies when a process execution command line indicates that a registry value is written to allow for later execution of a malicious script. Reference: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- Silk Typhoon New UM Service Child Process (medium): This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- Powershell Empire Cmdlets Executed in Command Line (medium): This query identifies use of PowerShell Empire's cmdlets within the command line data of the PowerShell process, indicating potential use of the post-exploitation tool.
- DEV-0270 New User Creation (high): The following query tries to detect creation of a new user using a known DEV-0270 username/password schema.
- Dev-0270 Malicious Powershell usage (high): DEV-0270 heavily uses PowerShell to achieve their objective at various stages of their attack. To locate PowerShell related activity tied to the actor, Microsoft Sentinel customers can run the following query.
- Dev-0270 Registry IOC - September 2022 (high): The query below identifies modification of the registry by the Dev-0270 actor to disable security features as well as to add ransom notes.
- Dev-0270 WMIC Discovery (high): The query below identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the environment.
- Windows Binaries Executed from Non-Default Directory (medium): The query detects Windows binaries that can be executed from a non-default directory (e.g. C:\Windows, C:\Windows\System32 etc.). Ref: https://lolbas-project.github.io/
- Base64 encoded Windows process command-lines (medium): Identifies instances of a base64-encoded PE file header seen in the process command line parameter.
- Process executed from binary hidden in Base64 encoded file (medium): Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. The third one is looking for Ruby decoding base64.
- Malware in the recycle bin (medium): The query detects Windows binaries that can be used for executing malware and have been hidden in the recycle bin. The list of these binaries is sourced from https://lolbas-project.github.io/. Reference: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/
- Caramel Tsunami Actor IOC - July 2021 (high): Identifies a match across IOCs related to an actor tracked by Microsoft as Caramel Tsunami.
- Chia_Crypto_Mining IOC - June 2021 (low): Identifies a match across IOCs related to Chia cryptocurrency farming/plotting activity.
- NRT Base64 Encoded Windows Process Command-lines (medium): This detection identifies instances of a base64 encoded PE file header seen in the process command line parameter.
- NRT Process executed from binary hidden in Base64 encoded file (medium): Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. The third one is looking for Ruby decoding base64.
- New EXE deployed via Default Domain or Default Domain Controller Policies (high): This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers, and best practice is that these policies should not be used for deployment of files. A threat actor may use these policies to deploy files or scripts to all hosts in a domain.
YARA-L # view in coverage
- Base64 Encoded PowerShell Command Detected source: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
- ConvertTo-SecureString Cmdlet Usage Via CommandLine source: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
- Copy From Or To Admin Share Or Sysvol Folder source: Detects a copy command or a copy utility execution to or from an Admin share or remote
Show 17 more (55 total)
- CreateDump Process Dump source: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
- Direct Autorun Keys Modification source: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe
- File Download Using Notepad++ GUP Utility source: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files
- File Download Via Windows Defender MpCmpRun.EXE source: Detects the use of Windows Defender MpCmdRun.EXE to download files
- Finger.EXE Execution source: Detects execution of the finger.exe utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of finger.exe can be considered suspicious and worth investigating.
- HackTool - Dumpert Process Dumper Execution source: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
- Hacktool - IronSharpPack Execution source: Detects the execution of known attacker tools, including but not limited to those in the IronSharpPack toolset. These tools are commonly used for offensive security operations and may indicate malicious activity if observed in unauthorized environments.
- HackTool - Mimikatz Execution source: Detects well-known mimikatz command line arguments
- Purple Knight Tool Execution Detected source: This detection rule identifies the execution of the Purple Knight tool, a free Active Directory security assessment utility developed by Semperis. Purple Knight is designed to scan for AD vulnerabilities, misconfigurations, and common attack paths. While it is a legitimate tool used by defenders, its execution in production environments may also indicate red team activity or unauthorized reconnaissance by adversaries attempting to map domain weaknesses.
- Hacktool - SharpSuccessor Execution source: SharpSuccessor is a .NET-based post-exploitation tool designed to weaponize the BadSuccessor attack discovered by Yuval Gordon (@YuG0rd) from Akamai. It allows a low-privileged user with 'CreateChild' permissions over any Organizational Unit (OU) in an Active Directory domain to escalate privileges to Domain Administrator. This detection rule identifies execution patterns or behavioral indicators linked to SharpSuccessor activity, which may signal privilege escalation attempts in Active Directory environments.
- Hacktool - WinPEAS Execution Patterns source: This detection rule identifies the execution of WinPEAS (Windows Privilege Escalation Awesome Script), a post-exploitation reconnaissance tool used to discover privilege escalation paths on Windows systems. WinPEAS performs a wide range of local enumeration checks, including service misconfigurations, permission issues, token privileges, and more. Its usage is commonly observed during red team assessments and by adversaries seeking to elevate privileges after gaining initial access. WinPEAS checks are well-documented in the HackTricks knowledge base.
- Impacket WMIExec CISA Report source: Detects the artifacts generally associated with the use of wmiexec.py
- Local Accounts Discovery source: Local accounts, System Owner/User discovery using operating systems utilities
- LSASS Dump Keyword In CommandLine source: Detects the presence of the keywords lsass and .dmp in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process
- MITRE ATT&CK T1021.002 Windows Admin Share Basic source: Detect the use of net use for SMB/Windows admin shares
- MITRE ATT&CK T1021.002 Windows Admin Share With Asset Entity source: Net use commands for SMB/Windows admin shares based on asset entity group
- MITRE ATT&CK T1021.002 Windows Admin Share With User Enrichment source: Net use commands for SMB/Windows admin shares focused on UDM enriched user fields
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4688
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/evtx-4688-process-created.md
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4688_v2.yml
Event ID 4689: A process has exited.
#Description
This event generates every time a process has exited.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that requested the "terminate process" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "terminate process" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Logon session ID of the account that terminated the process. Correlates with Event ID 4624. |
Status HexInt32 | Hexadecimal exit code of exited/terminated process. NTSTATUS reference |
ProcessId Pointer | Hexadecimal Process ID of the ended/terminated process. |
ProcessName UnicodeString | Full path and the executable name of the exited/terminated process. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4689,
"version": 0,
"level": 0,
"task": 13313,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:08:29.6959757+00:00",
"event_record_id": 3213424,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 4004
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "cell-c",
"SubjectLogonId": "0xbf3b6",
"Status": "0x0",
"ProcessId": "0x64c",
"ProcessName": "C:\\ludus\\background\\bginfo.exe"
},
"message": "A process has exited.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0xBF3B6\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x64c\r\n\tProcess Name:\tC:\\ludus\\background\\bginfo.exe\r\n\tExit Status:\t0x0"
}
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
EventType | eq | ProcessCreated | 2 rules | kusto |
CommandLine | contains | -s | 2 rules | kusto, sigma, splunk |
CommandLine | contains | -r | 2 rules | kusto, sigma |
CommandLine | contains | delete | 1 rule | kusto, sigma, splunk |
ProviderName | eq | MDATP | 1 rule | kusto |
CommandLine | contains | accepteula | 1 rule | kusto, sigma, splunk |
CommandLine | contains | -q | 1 rule | kusto, sigma, splunk |
CommandLine | contains | advfirewall | 1 rule | kusto, sigma |
CommandLine | contains | /set | 1 rule | kusto, splunk |
CommandLine | contains | execute | 1 rule | kusto, sigma |
CommandLine | contains | regread | 1 rule | kusto, sigma |
CommandLine | contains | set-mppreference | 1 rule | kusto, sigma, splunk |
CommandLine | contains | shadow | 1 rule | kusto, sigma, splunk |
CommandLine | contains | window.close | 1 rule | kusto, sigma |
CommandLine | contains | windefend | 1 rule | kusto, sigma |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4689
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-termination
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4689
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4689.yml
Event ID 4690: An attempt was made to duplicate a handle to an object.
#Description
An attempt was made to duplicate a handle to an object.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid | SID of account that made an attempt to duplicate a handle to an object. |
SubjectUserName | The name of the account that made an attempt to duplicate a handle to an object. |
SubjectDomainName | Subject's domain or computer name. |
SubjectLogonId | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
SourceHandleId | Hexadecimal value of a handle which was duplicated. |
SourceProcessId | Hexadecimal Process ID of the process which opened the Source Handle ID before it was duplicated. |
TargetHandleId | Hexadecimal value of the new handle (the copy of Source Handle ID). |
TargetProcessId | Hexadecimal Process ID of the process which opened the Target Handle ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4690,
"version": 0,
"level": 0,
"task": 12807,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:08:53.1095914+00:00",
"event_record_id": 3213663,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 4672
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-C$",
"SubjectDomainName": "cell-c",
"SubjectLogonId": "0x3e7",
"SourceHandleId": "0x1150",
"SourceProcessId": "0x1584",
"TargetHandleId": "0x23c",
"TargetProcessId": "0x4"
},
"message": "An attempt was made to duplicate a handle to an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nSource Handle Information:\r\n\tSource Handle ID:\t0x1150\r\n\tSource Process ID:\t0x1584\r\n\r\nNew Handle Information:\r\n\tTarget Handle ID:\t0x23c\r\n\tTarget Process ID:\t0x4"
}
Detection Patterns #
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4690
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-handle-manipulation
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4690
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4690.yml
Event ID 4691: Indirect access to an object was requested.
#Description
This event indicates that indirect access to an object was requested.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that requested an access to the object. |
SubjectUserName UnicodeString | The name of the account that requested an access to the object. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
ObjectType UnicodeString | The type of an object for which access was requested. |
ObjectName UnicodeString | Full path and name of the object for which access was requested. |
AccessList UnicodeString | [Access Request Information] Accesses. |
AccessMask HexInt32 | The value of this parameter is in decimal format. There is no detailed information about this parameter in this document. If Desired Access is not presented, then this parameter will have "0" value. Access mask reference |
ProcessId Pointer | Hexadecimal Process ID of the process through which the access was requested. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4691
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4691
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4691.yml
- MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format
Event ID 4692: Backup of data protection master key was attempted.
#Description
This event generates every time that a backup is attempted for the DPAPI Master Key.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that requested backup operation. |
SubjectUserName UnicodeString | The name of the account that requested backup operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
MasterKeyId UnicodeString | Unique identifier of a master key which backup was created. |
RecoveryServer UnicodeString | The name (typically - DNS name) of the computer that you contacted to back up your Master Key. |
RecoveryKeyId UnicodeString | [Key Information] Recovery Key ID. |
FailureReason HexInt32 | Hexadecimal unique status code of performed operation. Known values |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4692,
"version": 0,
"level": 0,
"task": 13314,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-14T16:30:04.309269+00:00",
"event_record_id": 2554242,
"correlation": {
"ActivityID": "0375AF68-73B8-434A-AE18-9AF03149A7A2"
},
"execution": {
"process_id": 1092,
"thread_id": 4244
},
"channel": "Security",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0x1470e85",
"MasterKeyId": "0bb6fb5d-7c2d-44b7-8df0-e4526299350b",
"RecoveryServer": "",
"RecoveryKeyId": "fed516d7-c48c-48e4-8eb3-77f6590ccb36",
"FailureReason": "0x0"
},
"message": ""
}
Community Notes #
Backup of a user/computer master key to the DC, rarely seen after first logon. Several events may indicate key theft or mass profile creation.
Detection Rules #
Sigma #
- DPAPI Domain Master Key Backup Attempt source medium: Detects anyone attempting a backup for the DPAPI Master Key. This event gets generated at the source and not the Domain Controller.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4692
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4692
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4692.yml
Event ID 4693: Recovery of data protection master key was attempted.
#Description
This event generates every time that recovery is attempted for a DPAPI Master Key.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that requested the "recover" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "recover" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
MasterKeyId UnicodeString | Unique identifier of a master key which was recovered. |
RecoveryReason HexInt32 | [Key Information] Recovery Server. |
RecoveryServer UnicodeString | The name (typically - DNS name) of the computer that you contacted to recover your Master Key. |
RecoveryKeyId UnicodeString | [Key Information] Recovery Key ID. |
FailureId HexInt32 | [Status Information] Status Code. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"event_source_name": "",
"event_id": 4693,
"version": 0,
"level": 0,
"task": 13314,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-05-09T01:44:04.1217572+00:00",
"event_record_id": 1374202,
"correlation": {
"ActivityID": "{8136b4b2-df15-0001-28b5-368115dfdc01}"
},
"execution": {
"process_id": 856,
"thread_id": 10732
},
"channel": "Security",
"computer": "tel2-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1000",
"SubjectUserName": "localuser",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0x9768e82",
"MasterKeyId": "a4925fae-ad66-4b84-9d47-a6b5f25cb296",
"RecoveryReason": "0x5c005c",
"RecoveryServer": "tel2-DC01-2022.ludus.domain",
"RecoveryKeyId": "",
"FailureId": "0x660000"
},
"message": ""
}
Community Notes #
May appear when an attacker re-uses offline profiles or moves tokens between hosts. Correlate with LogonType 7/9 in 4624. Reference: Detecting Credential Stealing Attacks Through Active In-Network Defense.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4693
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4693
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4693.yml
Event ID 4694: Protection of auditable protected data was attempted.
#Description
This event generates if DPAPI's CryptProtectData() function was used with CRYPTPROTECT_AUDIT flag (dwFlags) enabled.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that requested the "recover" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "recover" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, 4624 An account was successfully logged on. |
DataDescription UnicodeString | [Protected Data] Key Identifier. |
MasterKeyId UnicodeString | [Protected Data] Data Description. |
ProtectedDataFlags HexInt32 | [Protected Data] Protected Data Flags. |
CryptoAlgorithms UnicodeString | Cryptographic Algorithms of the protection. |
FailureReason HexInt32 | [Status Information] Status Code. Known values |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4694,
"version": 0,
"level": 0,
"task": 13314,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-28T11:13:17.1720276+00:00",
"event_record_id": 148419,
"correlation": {
"ActivityID": "{AFDF3271-EE92-0002-8732-DFAF92EEDC01}"
},
"execution": {
"process_id": 716,
"thread_id": 856
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-D$",
"SubjectDomainName": "cell-d",
"SubjectLogonId": "0x3e7",
"DataDescription": "f473ef67-ece5-43ff-96f1-8e4afb28b032",
"MasterKeyId": "Microsoft Edge",
"ProtectedDataFlags": "0x10",
"CryptoAlgorithms": "AES-256 , SHA2-512 ",
"FailureReason": "0x0"
},
"message": "Protection of auditable protected data was attempted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x3E7\r\n\r\nProtected Data:\r\n\tData Description:\tMicrosoft Edge\r\n\tKey Identifier:\tf473ef67-ece5-43ff-96f1-8e4afb28b032\r\n\tProtected Data Flags:\t0x10\r\n\tProtection Algorithms:\tAES-256 , SHA2-512 \r\n\r\nStatus Information:\r\n\tStatus Code:\t0x0"
}
Community Notes #
When seen outside of software installation it may indicate payload staging hidden in DPAPI.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4694
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4694
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4694.yml
Event ID 4695: Unprotection of auditable protected data was attempted.
#Description
This event generates if DPAPI CryptUnprotectData() function was used to unprotect "auditable" data that was encrypted using CryptProtectData() function with CRYPTPROTECT_AUDIT flag (dwFlags) enabled.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that requested the "recover" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "recover" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, 4624 An account was successfully logged on. |
DataDescription UnicodeString | [Protected Data] Key Identifier. |
MasterKeyId UnicodeString | [Protected Data] Data Description. |
ProtectedDataFlags HexInt32 | [Protected Data] Protected Data Flags. |
CryptoAlgorithms UnicodeString | Cryptographic Algorithms of the protection. |
FailureReason HexInt32 | [Status Information] Status Code. Known values |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4695,
"version": 0,
"level": 0,
"task": 13314,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-28T11:13:16.4858984+00:00",
"event_record_id": 148405,
"correlation": {
"ActivityID": "{AFDF3271-EE92-0002-8732-DFAF92EEDC01}"
},
"execution": {
"process_id": 716,
"thread_id": 856
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "cell-d",
"SubjectLogonId": "0xb66c2",
"DataDescription": "8a90013b-ac90-4aba-b6ae-569774230578",
"MasterKeyId": "Microsoft Edge",
"ProtectedDataFlags": "0x0",
"CryptoAlgorithms": "3DES-192 , SHA1-160 ",
"FailureReason": "0x0"
},
"message": "Unprotection of auditable protected data was attempted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0xB66C2\r\n\r\nProtected Data:\r\n\tData Description:\tMicrosoft Edge\r\n\tKey Identifier:\t8a90013b-ac90-4aba-b6ae-569774230578\r\n\tProtected Data Flags:\t0x0\r\n\tProtection Algorithms:\t3DES-192 , SHA1-160 \r\n\r\nStatus Information:\r\n\tStatus Code:\t0x0"
}
Community Notes #
Pair with 4694 to identify which user accessed encrypted blobs.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4695
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4695
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4695.yml
Event ID 4696: A primary token was assigned to process.
#Description
This event generates every time a process runs using the non-current access token, for example, UAC elevated token, RUN AS different user actions, scheduled task with defined user, services, and so on.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that requested the "assign token to process" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "assign token to process" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
TargetUserSid SID | SID of account through which the security token will be assigned to the new process. |
TargetUserName UnicodeString | The name of the account through which the security token will be assigned to the new process. |
TargetDomainName UnicodeString | Subject's domain or computer name. |
TargetLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
TargetProcessId Pointer | Hexadecimal Process ID of the new process with new security token. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. |
TargetProcessName UnicodeString | Full path and the name of the executable for the new process. |
ProcessId Pointer | Hexadecimal Process ID of the process which started the new process with the new security token. |
ProcessName UnicodeString | Full path and the name of the executable for the process which ran the new process with new security token. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4696,
"version": 0,
"level": 0,
"task": 13312,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:32:46.0531218+00:00",
"event_record_id": 1715898,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 176
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "-",
"SubjectDomainName": "-",
"SubjectLogonId": "0x3e7",
"TargetUserSid": "S-1-0-0",
"TargetUserName": "-",
"TargetDomainName": "-",
"TargetLogonId": "0x3e7",
"TargetProcessId": "0xac",
"TargetProcessName": "Registry",
"ProcessId": "0x4",
"ProcessName": ""
},
"message": "A primary token was assigned to process.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x3E7\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x4\r\n\tProcess Name:\t\r\n\r\nTarget Process:\r\n\tTarget Process ID:\t0xac\r\n\tTarget Process Name:\tRegistry\r\n\r\nNew Token Information:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x3E7"
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4696
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4696
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4696.yml
Event ID 4697: A service was installed in the system.
#Description
This event generates when a new service was installed in the system.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid SID | SID of account that was used to install the service. | |
SubjectUserName UnicodeString | The name of the account that was used to install the service. | |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | |
ServiceName UnicodeString | The name of installed service. | 28 |
ServiceFileName UnicodeString | This is the fully rooted path to the file that the Service Control Manager will execute to start the service. | 90 |
ServiceType HexInt32 | Indicates the type of service that was registered with the Service Control Manager. The field is a winsvc.h SERVICE_* bitmask; SCM combines bits when registering (e.g., 0x110 = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS for an interactive own-process service). The event log renders this field as a hex string (0x1, 0x10, 0x110, etc.) since the field type is HexInt32. Bitmask flags | 1 |
ServiceStartType UInt32 | The service start type can have one of the following values (see: https://msdn.microsoft.com/library/windows/desktop/ms682450(v=vs.85).aspx). Known values | 1 |
ServiceAccount UnicodeString | The security context that the service will run as when started. | |
ClientProcessStartKey UInt64 | | |
ClientProcessId UInt32 | | 1 |
ParentProcessId UInt32 | | 1 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4697,
"version": 1,
"level": 0,
"task": 12289,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T05:51:28.3287063+00:00",
"event_record_id": 1904986,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 7632
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-A$",
"SubjectDomainName": "cell-a",
"SubjectLogonId": "0x3e7",
"ServiceName": "KslD",
"ServiceFileName": "system32\\drivers\\wd\\KslD.sys",
"ServiceType": "0x1",
"ServiceStartType": "3",
"ServiceAccount": "LocalSystem",
"ClientProcessStartKey": "4222124650660656",
"ClientProcessId": "4284",
"ParentProcessId": "804"
},
"message": "A service was installed in the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nService Information:\r\n\tService Name: \t\tKslD\r\n\tService File Name:\tsystem32\\drivers\\wd\\KslD.sys\r\n\tService Type: \t\t0x1\r\n\tService Start Type:\t3\r\n\tService Account: \t\tLocalSystem"
}
Detection Patterns #
- Persistence: Windows Service (8 rules, Sigma)
- Lateral Movement: Exploitation of Remote Services (8 rules, Sigma)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
ServiceFileName | contains | cmd | 5 rules | sigma |
ServiceFileName | contains | powershell | 4 rules | sigma |
LogonType | eq | Network | 3 rules | elastic, kusto, sigma, splunk |
EventType | eq | service-installed | 3 rules | elastic |
ServiceFileName | contains | && | 3 rules | sigma |
ServiceFileName | contains | /c | 3 rules | sigma |
EventType | eq | logged-in | 2 rules | elastic |
event.outcome | eq | success | 2 rules | elastic |
ClientProcessId | eq | 0 | 2 rules | elastic, sigma |
parent_process_id | eq | 0 | 2 rules | elastic, sigma |
ServiceFileName | contains | %comspec% | 2 rules | sigma |
ServiceFileName | contains | -f | 2 rules | sigma |
ServiceFileName | contains | invoke | 2 rules | sigma |
ServiceFileName | contains | rundll32 | 2 rules | sigma |
ServiceFileName | contains | shell32.dll | 2 rules | sigma |
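As an added example (not code from this page or from any of the rule vendors listed), a Python triage helper that decodes the ServiceType bitmask and ServiceStartType of a 4697 record and applies the ServiceFileName substrings from the table above. The SERVICE_* bit values are the Windows SDK winsvc.h constants; the sample records are constructed, the first mirroring the page's own example event.

```python
"""Triage Windows Security event 4697 records: decode ServiceType and
ServiceStartType, then apply the ServiceFileName indicator substrings
listed in the Common Indicators table. Sample events are constructed."""
import json

# SERVICE_* type bits from winsvc.h (Windows SDK constants), lowest bit first.
SERVICE_TYPE_BITS = [
    (0x001, "SERVICE_KERNEL_DRIVER"),
    (0x002, "SERVICE_FILE_SYSTEM_DRIVER"),
    (0x004, "SERVICE_ADAPTER"),
    (0x008, "SERVICE_RECOGNIZER_DRIVER"),
    (0x010, "SERVICE_WIN32_OWN_PROCESS"),
    (0x020, "SERVICE_WIN32_SHARE_PROCESS"),
    (0x040, "SERVICE_USER_SERVICE"),
    (0x080, "SERVICE_USERSERVICE_INSTANCE"),
    (0x100, "SERVICE_INTERACTIVE_PROCESS"),
]

# ServiceStartType is logged as a decimal string (UInt32).
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}

# ServiceFileName substrings checked by the Sigma rules in the table above.
FILE_NAME_INDICATORS = ["cmd", "powershell", "&&", "/c", "%comspec%",
                        "-f", "invoke", "rundll32", "shell32.dll"]


def decode_service_type(hex_value: str) -> list[str]:
    """Expand the HexInt32 ServiceType string (e.g. '0x110') into SERVICE_* names."""
    remaining = int(hex_value, 16)
    names = []
    for bit, name in SERVICE_TYPE_BITS:
        if remaining & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:  # bits this table does not know about
        names.append(f"UNKNOWN(0x{remaining:x})")
    return names


def match_indicators(service_file_name: str) -> list[str]:
    """Case-insensitive substring checks, in the order the table lists them."""
    lowered = service_file_name.lower()
    return [ind for ind in FILE_NAME_INDICATORS if ind in lowered]


def triage_4697(event: dict) -> dict:
    """Summarise one 4697 record in the JSON shape shown in the Example Event."""
    data = event["event_data"]
    start_raw = data.get("ServiceStartType", "")
    if start_raw.isdigit():
        start = START_TYPES.get(int(start_raw), f"UNKNOWN({start_raw})")
    else:
        start = "MISSING"
    hits = match_indicators(data.get("ServiceFileName", ""))
    return {
        "service": data.get("ServiceName", ""),
        "installed_by": f'{data.get("SubjectDomainName", "")}\\{data.get("SubjectUserName", "")}',
        "service_type": decode_service_type(data.get("ServiceType", "0x0")),
        "start_type": start,
        "indicators": hits,
        # Two of the listed rules key on a zero client/parent PID (version 1 records only).
        "client_pid_zero": data.get("ClientProcessId") == "0" or data.get("ParentProcessId") == "0",
        "suspicious": bool(hits),
    }


# Constructed sample records trimmed to event_data. The first mirrors the
# page's example event; the other two are made up for this demonstration.
SAMPLE_EVENTS_JSON = r"""[
 {"event_data": {"SubjectUserName": "TELEMETRY-DC-A$", "SubjectDomainName": "cell-a",
  "ServiceName": "KslD", "ServiceFileName": "system32\\drivers\\wd\\KslD.sys",
  "ServiceType": "0x1", "ServiceStartType": "3", "ServiceAccount": "LocalSystem",
  "ClientProcessId": "4284", "ParentProcessId": "804"}},
 {"event_data": {"SubjectUserName": "svc-deploy", "SubjectDomainName": "EXAMPLE",
  "ServiceName": "UpdaterTmp",
  "ServiceFileName": "%COMSPEC% /c powershell.exe -f C:\\Windows\\Temp\\stage.ps1 && del C:\\Windows\\Temp\\stage.ps1",
  "ServiceType": "0x10", "ServiceStartType": "3", "ServiceAccount": "LocalSystem",
  "ClientProcessId": "0", "ParentProcessId": "0"}},
 {"event_data": {"SubjectUserName": "installer", "SubjectDomainName": "EXAMPLE",
  "ServiceName": "VendorAgent",
  "ServiceFileName": "\"C:\\Program Files\\Vendor\\agent.exe\" --service",
  "ServiceType": "0x110", "ServiceStartType": "2", "ServiceAccount": "LocalSystem",
  "ClientProcessId": "5120", "ParentProcessId": "812"}}
]"""


def triage_samples() -> list[dict]:
    """Run the triage over the constructed sample records."""
    return [triage_4697(e) for e in json.loads(SAMPLE_EVENTS_JSON)]


if __name__ == "__main__":
    for row in triage_samples():
        print(json.dumps(row, indent=2))
```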
Detection Rules #
Sigma #
- CobaltStrike Service Installations - Security source high: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
- HybridConnectionManager Service Installation source high: Rule to detect the Hybrid Connection Manager service installation.
- Invoke-Obfuscation CLIP+ Launcher - Security source high: Detects Obfuscated use of Clip.exe to execute PowerShell
- Invoke-Obfuscation Obfuscated IEX Invocation - Security source high: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
- Invoke-Obfuscation STDIN+ Launcher - Security source high: Detects Obfuscated use of stdin to execute PowerShell
- Invoke-Obfuscation VAR+ Launcher - Security source high: Detects Obfuscated use of Environment Variables to execute PowerShell
- Invoke-Obfuscation COMPRESS OBFUSCATION - Security source medium: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
- Invoke-Obfuscation RUNDLL LAUNCHER - Security source medium: Detects Obfuscated Powershell via RUNDLL LAUNCHER
- Invoke-Obfuscation Via Stdin - Security source high: Detects Obfuscated Powershell via Stdin in Scripts
- Invoke-Obfuscation Via Use Clip - Security source high: Detects Obfuscated Powershell via use Clip.exe in Scripts
- Invoke-Obfuscation Via Use MSHTA - Security source high: Detects Obfuscated Powershell via use MSHTA in Scripts
- Invoke-Obfuscation Via Use Rundll32 - Security source high: Detects Obfuscated Powershell via use Rundll32 in Scripts
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security source high: Detects Obfuscated Powershell via VAR++ LAUNCHER
- Credential Dumping Tools Service Execution - Security source high: Detects well-known credential dumping tools execution via service execution events
- Metasploit Or Impacket Service Installation Via SMB PsExec source high: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
- Meterpreter or Cobalt Strike Getsystem Service Installation - Security source high: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
- Windows Pcap Drivers source medium: Detects Windows Pcap driver installation based on a list of associated .sys files.
- PowerShell Scripts Installed as Services - Security source high: Detects powershell script installed as a Service
- Remote Access Tool Services Have Been Installed - Security source medium: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
- Service Installed By Unusual Client - Security source high: Detects a service installed by a client which has PID 0 or whose parent has PID 0
Elastic #
- Windows Service Installed via an Unusual Client source high: Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.
YARA-L #
- Suspicious Windows Service Installation Detected source: This detection rule identifies the creation of a Windows service with a suspicious or known malicious name, as logged by Windows Event ID 7045 (A service was installed in the system). Threat actors, including those associated with ransomware and other advanced persistent threats (APTs), often create services to achieve persistence, lateral movement, remote execution, or privilege escalation. Detection of such activity is critical for identifying early-stage post-compromise behavior.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4697
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4697.yml
- MS Learn winsvc.h SERVICE_* dwServiceType bitmask https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-createservicea
Event ID 4698: A scheduled task was created.
#Description
This event generates every time a new scheduled task is created.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid | SID of the account that created the scheduled task. | |
SubjectUserName | Name of the account that created the scheduled task. | |
SubjectDomainName | Subject's domain or computer name. | |
SubjectLogonId | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | |
TaskName | Name of the new scheduled task. | 26 |
TaskContent | The XML content of the new task. | 64 |
ClientProcessStartKey | Process start key of the client process that made the request: a 64-bit identifier of the process instance that, unlike the PID, is not recycled while the system is up. The rendered message labels this value "ProcessCreationTime", but it is not a timestamp. | |
ClientProcessId | Process ID of the client process that made the request. | |
ParentProcessId | Parent process ID of the client process. | |
RpcCallClientLocality | RPC call locality indicator for the client (0 in the example below). | |
FQDN | Fully qualified domain name of the host that logged the event. In the rendered message the "FQDN" label carries the RpcCallClientLocality value ("FQDN: 0" in the example below), so take this field from event_data rather than from the message text. | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4698,
"version": 1,
"level": 0,
"task": 12804,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T06:01:41.4533033+00:00",
"event_record_id": 1910118,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 8060
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-A$",
"SubjectDomainName": "cell-a",
"SubjectLogonId": "0x3e7",
"TaskName": "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan",
"TaskContent": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\n<Task version=\"1.3\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\n <RegistrationInfo>\n <Description>Periodic scan task.</Description>\n <URI>\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan</URI>\n </RegistrationInfo>\n <Triggers>\n <CalendarTrigger>\n <StartBoundary>2000-01-01T03:11:06</StartBoundary>\n <EndBoundary>2100-01-01T00:00:00</EndBoundary>\n <Enabled>true</Enabled>\n <ScheduleByDay>\n <DaysInterval>1</DaysInterval>\n </ScheduleByDay>\n </CalendarTrigger>\n </Triggers>\n <Principals>\n <Principal id=\"LocalSystem\">\n <UserId>S-1-5-18</UserId>\n <RunLevel>HighestAvailable</RunLevel>\n </Principal>\n </Principals>\n <Settings>\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\n <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\n <AllowHardTerminate>true</AllowHardTerminate>\n <StartWhenAvailable>true</StartWhenAvailable>\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\n <IdleSettings>\n <Duration>PT0H1M0S</Duration>\n <WaitTimeout>PT4H0M0S</WaitTimeout>\n <StopOnIdleEnd>false</StopOnIdleEnd>\n <RestartOnIdle>false</RestartOnIdle>\n </IdleSettings>\n <AllowStartOnDemand>true</AllowStartOnDemand>\n <Enabled>true</Enabled>\n <Hidden>false</Hidden>\n <RunOnlyIfIdle>true</RunOnlyIfIdle>\n <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>\n <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\n <WakeToRun>false</WakeToRun>\n <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\n <Priority>7</Priority>\n </Settings>\n <Actions Context=\"LocalSystem\">\n <Exec>\n <Command>C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26050.15-0\\MpCmdRun.exe</Command>\n <Arguments>Scan -ScheduleJob -ScanTrigger 55 -IdleScheduledJob</Arguments>\n </Exec>\n </Actions>\n</Task>",
"ClientProcessStartKey": "4222124650660656",
"ClientProcessId": "4284",
"ParentProcessId": "804",
"RpcCallClientLocality": "0",
"FQDN": "telemetry-DC-a.cell-a.ludus.domain"
},
"message": "A scheduled task was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTask Information:\r\n\tTask Name: \t\t\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan\r\n\tTask Content: \t\t<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.3\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <Description>Periodic scan task.</Description>\r\n <URI>\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan</URI>\r\n </RegistrationInfo>\r\n <Triggers>\r\n <CalendarTrigger>\r\n <StartBoundary>2000-01-01T03:11:06</StartBoundary>\r\n <EndBoundary>2100-01-01T00:00:00</EndBoundary>\r\n <Enabled>true</Enabled>\r\n <ScheduleByDay>\r\n <DaysInterval>1</DaysInterval>\r\n </ScheduleByDay>\r\n </CalendarTrigger>\r\n </Triggers>\r\n <Principals>\r\n <Principal id=\"LocalSystem\">\r\n <UserId>S-1-5-18</UserId>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>true</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <Duration>PT0H1M0S</Duration>\r\n <WaitTimeout>PT4H0M0S</WaitTimeout>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>true</RunOnlyIfIdle>\r\n <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>\r\n <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\r\n <Priority>7</Priority>\r\n </Settings>\r\n <Actions Context=\"LocalSystem\">\r\n <Exec>\r\n <Command>C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26050.15-0\\MpCmdRun.exe</Command>\r\n <Arguments>Scan -ScheduleJob -ScanTrigger 55 -IdleScheduledJob</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task>\r\n\r\nOther Information:\r\n\tProcessCreationTime: \t\t4222124650660656\r\n\tClientProcessId: \t\t\t4284\r\n\tParentProcessId: \t\t\t804\r\n\tFQDN: \t\t0\r\n\t"
}
Detection Patterns #
- Scheduled Task
- Scheduled Task With Suspicious
- Lateral Movement: Exploitation of Remote Services
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
EventType | eq | scheduled-task-created | 3 rules | elastic |
TaskContent | contains | rundll32 | 2 rules | sigma |
CommandLine | is_not_null | | 1 rule | kusto, splunk |
RelativeTargetName | eq | svcctl | 1 rule | kusto, sigma |
RelativeTargetName | eq | atsvc | 1 rule | kusto, sigma |
short_lived | eq | TRUE | 1 rule | splunk |
ClientProcessId | eq | 0 | 1 rule | elastic, sigma |
CommandLine | match | `(?i)\-(L\|R\|N\|D\|C)\|IdentitiesOnly=yes\|StrictHostKeyChecking=no\|ssh` | 1 rule | splunk
CommandLine | match | `\d{1,5}:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}` | 1 rule | splunk
CommandLine | match | `\w+@\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}` | 1 rule | splunk
TaskName | eq | \Microsoft\DefenderService | 1 rule | sigma |
TaskName | eq | \Microsoft\Windows\ATPUpd | 1 rule | sigma |
TaskName | eq | \Microsoft\Windows\Application Experience\StartupAppTaskCheck | 1 rule | sigma |
TaskName | eq | \Microsoft\Windows\Application Experience\StartupAppTaskCkeck | 1 rule | sigma |
TaskName | eq | \Microsoft\Windows\Data Integrity Scan\Data Integrity Update | 1 rule | sigma |
Community Notes #
May also indicate remote creation via a relayed SMB/WinRM session, PowerShell cmdlets, DCOM over RPC, WMI, or others.
Detection Rules #
Sigma #
- Suspicious Scheduled Task Creation source high: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
- Fortinet APT group abuse on Windows (task) source high: Detects scenarios where APT actors exploits Fortinet vulnerabilities to gain access into Windows infrastructure.
- OilRig APT Schedule Task Persistence - Security source critical: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
- Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor source high: Hunts for known SVR-specific scheduled task names (also matches Event ID 4699: A scheduled task was deleted, and Event ID 4702: A scheduled task was updated).
- Diamond Sleet APT Scheduled Task Creation source critical: Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
- Kapeka Backdoor Scheduled Task Creation source high: Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.
Elastic #
- Remote Scheduled Task Creation via RPC source medium: Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.
- A scheduled task was created source low: Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.
Splunk #
- Randomly Generated Scheduled Task Name source: The following analytic detects the creation of a Scheduled Task with a high entropy, randomly generated name, leveraging Event ID 4698. It uses the ut_shannon function from the URL ToolBox Splunk application to measure the entropy of the…
- Schedule Task with HTTP Command Arguments source: The following analytic detects the creation of scheduled tasks on Windows systems that include HTTP command arguments, using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService with HTTP in their…
- Schedule Task with Rundll32 Command Trigger source: The following analytic detects the creation of scheduled tasks in Windows that use the rundll32 command. It leverages Windows Security EventCode 4698, which logs the creation of scheduled tasks, and filters for tasks executed via rundll32.…
- Windows Hidden Schedule Task Settings source: The following analytic detects the creation of hidden scheduled tasks on Windows systems, which are not visible in the UI. It leverages Windows Security EventCode 4698 to identify tasks where the 'Hidden' setting is enabled. This behavior…
- Windows Level RMM Watchdog Task Created source: Detects the watchdog task created when Level is installed. Level is a commercial remote management tool from Level.io. Remote management tools, when used for legitimate purposes, can help IT professionals and system administrators remotely…
- Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr source: The following analytic detects the creation or modification of Windows Scheduled Tasks related to CompMgmtLauncher or Eventvwr. These legitimate system utilities, used for launching the Computer Management Console and Event Viewer, can be…
- WinEvent Scheduled Task Created to Spawn Shell source: The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript. It leverages Windows Security EventCode 4698 to identify when such tasks are…
- WinEvent Scheduled Task Created Within Public Path source: The following analytic detects the creation of scheduled tasks within user-writable paths using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService that execute commands from directories like…
- Hidden Scheduled Task Created - Windows (Windows Event Log) source: A hidden scheduled task in Windows is a task configured to run specified actions silently without displaying any visible program windows or interfaces to the user. Threat actors may abuse this feature to persistently execute malicious…
- Impacket atexec.py Scheduled Task Creation (Windows Event Log) source: Impacket's atexec.py is a tool designed for executing commands on a target system via the Windows Task Scheduler to run arbitrary commands with the privileges of the account under which the scheduler is running, often providing a method…
- Rare Schedule Task Created (Windows Event Log) source: Schedule tasks are often a form of persistence utilized by threat actors. This use case looks for rare occurrences for when a task is created
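Nearly every rule listed above reads the TaskContent XML rather than the TaskName: the Hidden setting, the Exec command and its arguments, the principal and run level. The following Python is an added example written for this page, not code from the page or from the Sigma, Elastic or Splunk rules it lists. It parses TaskContent with the Task Scheduler namespace and reports the traits those rules describe: a hidden task, a shell or rundll32 action, a command under a user-writable path, HTTP(S) in the action, a random-looking task name, and a client PID of 0. The shell list, the path list, the known-good Defender platform prefix, the entropy threshold and the second sample event are assumptions; the first sample is the example event above with its XML abridged to the elements the code reads.

```python
"""Inspect Event ID 4698 TaskContent XML for the traits the rules above key on.

Added example; not code from the page or from the Sigma/Elastic/Splunk rules
it lists. It parses the task XML (namespace
http://schemas.microsoft.com/windows/2004/02/mit/task) and flags: a Hidden
task, an action whose command is a shell or rundll32, a command staged under
a user-writable path, HTTP(S) in the action, a high-entropy task name, and a
client PID of 0. The shell list, path list, known-good prefix, entropy
threshold and the second sample event are assumptions made for this example.
"""
from __future__ import annotations

import math
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SHELLS = {"powershell", "pwsh", "cmd", "wscript", "cscript", "mshta", "rundll32"}
USER_WRITABLE = re.compile(r"\\(users\\public|programdata|temp|appdata)\\")
# The example event above registers MpCmdRun.exe from this folder: a legitimate
# ProgramData path that would otherwise trip the user-writable check.
KNOWN_GOOD_PREFIXES = ("c:\\programdata\\microsoft\\windows defender\\platform\\",)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character, the measure Splunk's ut_shannon reports."""
    if not text:
        return 0.0
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_task(task_xml: str) -> dict:
    """Extract the detection-relevant parts of a TaskContent document."""
    # The logged string is already decoded text, so drop the UTF-16 declaration.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml).lstrip()
    root = ET.fromstring(body)

    def text(path: str) -> str:
        return root.findtext(path, default="", namespaces=NS).strip()

    actions = [
        (ex.findtext("t:Command", default="", namespaces=NS).strip(),
         ex.findtext("t:Arguments", default="", namespaces=NS).strip())
        for ex in root.findall(".//t:Actions/t:Exec", NS)
    ]
    return {
        "hidden": text(".//t:Settings/t:Hidden").lower() == "true",
        "principal": text(".//t:Principal/t:UserId") or text(".//t:Principal/t:GroupId"),
        "run_level": text(".//t:Principal/t:RunLevel"),
        "actions": actions,
    }


def assess_4698(event_data: dict, entropy_threshold: float = 3.5) -> list[str]:
    """Return the finding labels for one 4698 event_data dictionary."""
    task = parse_task(event_data["TaskContent"])
    leaf = re.split(r"[\\/]", event_data.get("TaskName", ""))[-1]
    findings = []
    if task["hidden"]:
        findings.append("hidden-task")
    if str(event_data.get("ClientProcessId", "")) == "0":
        findings.append("client-pid-0")
    for cmd, args in task["actions"]:
        exe = re.split(r"[\\/]", cmd.lower())[-1]
        exe = exe[:-4] if exe.endswith(".exe") else exe
        if exe in SHELLS:
            findings.append(f"shell-action:{exe}")
        full = f"{cmd} {args}".lower()
        if USER_WRITABLE.search(full) and not cmd.lower().startswith(KNOWN_GOOD_PREFIXES):
            findings.append("public-path-command")
        if re.search(r"https?://", full):
            findings.append("http-in-arguments")
    # Assumed heuristic for random-looking names: one token, 8+ chars, high entropy.
    if " " not in leaf and len(leaf) >= 8 and shannon_entropy(leaf) > entropy_threshold:
        findings.append("high-entropy-name")
    return findings


# Sample 1 is the example event above, XML abridged to the elements used here.
BENIGN_EVENT = {
    "TaskName": "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan",
    "ClientProcessId": "4284",
    "TaskContent": (
        '<?xml version="1.0" encoding="UTF-16"?>\n'
        '<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\n'
        ' <Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId>'
        '<RunLevel>HighestAvailable</RunLevel></Principal></Principals>\n'
        ' <Settings><Hidden>false</Hidden><Enabled>true</Enabled></Settings>\n'
        ' <Actions Context="LocalSystem"><Exec>'
        '<Command>C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26050.15-0\\MpCmdRun.exe</Command>'
        '<Arguments>Scan -ScheduleJob -ScanTrigger 55 -IdleScheduledJob</Arguments>'
        '</Exec></Actions>\n</Task>'
    ),
}
# Sample 2 is constructed: a hidden, root-level task run as SYSTEM that loads a
# DLL from Users\Public via rundll32 and passes a URL (198.51.100.7 is a
# documentation address, not a real host).
SUSPICIOUS_EVENT = {
    "TaskName": "\\Xq7fKd2pLm9r",
    "ClientProcessId": "0",
    "TaskContent": (
        '<?xml version="1.0" encoding="UTF-16"?>\n'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\n'
        ' <Principals><Principal id="Author"><UserId>S-1-5-18</UserId>'
        '<RunLevel>HighestAvailable</RunLevel></Principal></Principals>\n'
        ' <Settings><Hidden>true</Hidden><Enabled>true</Enabled></Settings>\n'
        ' <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\rundll32.exe</Command>'
        '<Arguments>C:\\Users\\Public\\update.dll,Start http://198.51.100.7/c</Arguments></Exec></Actions>\n'
        '</Task>'
    ),
}

if __name__ == "__main__":
    for ev in (BENIGN_EVENT, SUSPICIOUS_EVENT):
        print(ev["TaskName"], "->", assess_4698(ev) or ["no findings"])
```

The known-good prefix is the practical lesson from the example event: Defender's own scan task lives under ProgramData, so a bare user-writable-path check fires on every Windows host until that path is excluded. Because the same TaskContent schema is carried by 4700, 4701 and (as TaskContentNew) 4702, parse_task works unchanged on those events.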
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4698
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4698.yml
Event ID 4699: A scheduled task was deleted.
#Description
This event generates every time a scheduled task is deleted.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid | SID of the account that deleted the scheduled task. | |
SubjectUserName | Name of the account that deleted the scheduled task. | 1 |
SubjectDomainName | Subject's domain or computer name. | |
SubjectLogonId | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | |
TaskName | Name of the deleted scheduled task. | 10 |
TaskContent | The XML of the deleted task (empty in the example below). | |
ClientProcessStartKey | Process start key of the client process that made the request: a 64-bit identifier of the process instance that, unlike the PID, is not recycled while the system is up. The rendered message labels this value "ProcessCreationTime", but it is not a timestamp. | |
ClientProcessId | Process ID of the client process that made the request. | |
ParentProcessId | Parent process ID of the client process. | |
RpcCallClientLocality | RPC call locality indicator for the client (0 in the example below). | |
FQDN | Fully qualified domain name of the host that logged the event. In the rendered message the "FQDN" label carries the RpcCallClientLocality value ("FQDN: 0" in the example below), so take this field from event_data rather than from the message text. | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4699,
"version": 1,
"level": 0,
"task": 12804,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T13:56:25.0128261+00:00",
"event_record_id": 1249001,
"correlation": {
"ActivityID": "{4CADC93F-FB3A-0001-A9C9-AD4C3AFBDC01}"
},
"execution": {
"process_id": 760,
"thread_id": 8388
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-D$",
"SubjectDomainName": "cell-d",
"SubjectLogonId": "0x3e7",
"TaskName": "\\Microsoft\\Windows\\Server Manager\\RemovewYukon",
"TaskContent": "",
"ClientProcessStartKey": "2814749767107018",
"ClientProcessId": "7364",
"ParentProcessId": "2000",
"RpcCallClientLocality": "0",
"FQDN": "telemetry-DC-d.cell-d.ludus.domain"
},
"message": "A scheduled task was deleted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTask Information:\r\n\tTask Name: \t\t\\Microsoft\\Windows\\Server Manager\\RemovewYukon\r\n\tTask Content: \t\t\r\n\r\nOther Information:\r\n\tProcessCreationTime: \t\t2814749767107018\r\n\tClientProcessId: \t\t\t7364\r\n\tParentProcessId: \t\t\t2000\r\n\tFQDN: \t\t0\r\n\t"
}
Detection Patterns #
- Scheduled Task
- Execution: Scheduled Task (1 rule)
- Lateral Movement: Exploitation of Remote Services
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
RelativeTargetName | eq | svcctl | 1 rule | kusto, sigma |
RelativeTargetName | eq | atsvc | 1 rule | kusto, sigma |
short_lived | eq | TRUE | 1 rule | splunk |
EventType | eq | scheduled-task-created | 1 rule | elastic |
TaskName | contains | \windows\bitlocker | 1 rule | sigma |
TaskName | contains | \windows\exploitguard | 1 rule | sigma |
TaskName | contains | \windows\systemrestore\sr | 1 rule | sigma |
TaskName | contains | \windows\windows defender\ | 1 rule | sigma |
TaskName | contains | \windows\windowsbackup\ | 1 rule | sigma |
TaskName | contains | \windows\windowsupdate\ | 1 rule | sigma |
TaskName | eq | \Microsoft\DefenderService | 1 rule | sigma |
TaskName | eq | \Microsoft\Windows\ATPUpd | 1 rule | sigma |
TaskName | eq | \Microsoft\Windows\Application Experience\StartupAppTaskCheck | 1 rule | sigma |
TaskName | eq | \Microsoft\Windows\Application Experience\StartupAppTaskCkeck | 1 rule | sigma |
TaskName | eq | \Microsoft\Windows\Data Integrity Scan\Data Integrity Update | 1 rule | sigma |
Detection Rules #
Sigma #
- Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor source high: Hunts for known SVR-specific scheduled task names (also matches Event ID 4698: A scheduled task was created, and Event ID 4702: A scheduled task was updated).
- Scheduled Task Deletion source low: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4699
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4699.yml
Event ID 4700: A scheduled task was enabled.
#Description
This event generates every time a scheduled task is enabled.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
SubjectUserSid | SID | SID of the account that requested the "enable scheduled task" operation. |
SubjectUserName | UnicodeString | Name of the account that requested the "enable scheduled task" operation. |
SubjectDomainName | UnicodeString | Subject's domain or computer name. |
SubjectLogonId | HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
TaskName | UnicodeString | Name of the enabled scheduled task. |
TaskContent | UnicodeString | XML content of the enabled scheduled task. |
ClientProcessStartKey | UInt64 | Process start key of the client process that made the request: a 64-bit identifier of the process instance, not a creation time, even though the rendered message of the related task events labels it "ProcessCreationTime". |
ClientProcessId | UInt32 | Process ID of the client process that made the request. |
ParentProcessId | UInt32 | Parent process ID of the client process. |
RpcCallClientLocality | UInt32 | RPC call locality indicator for the client. |
FQDN | UnicodeString | Fully qualified domain name of the host that logged the event (matches the computer field in the example below). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4700,
"version": 1,
"level": 0,
"task": 12804,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-08T23:13:42.036906+00:00",
"event_record_id": 1552683,
"correlation": {
"ActivityID": "0973643C-548D-4680-AA95-124DB4FF8472"
},
"execution": {
"process_id": 780,
"thread_id": 2440
},
"channel": "Security",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-20",
"SubjectUserName": "LAB-WIN11$",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0x3e4",
"TaskName": "\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTaskLogon",
"TaskContent": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <Version>1.0</Version>\r\n <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFW;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-4)</SecurityDescriptor>\r\n <Source>$(@%systemroot%\\system32\\sppc.dll,-200)</Source>\r\n <Author>$(@%systemroot%\\system32\\sppc.dll,-200)</Author>\r\n <Description>$(@%systemroot%\\system32\\sppc.dll,-202)</Description>\r\n <URI>\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTaskLogon</URI>\r\n </RegistrationInfo>\r\n <Principals>\r\n <Principal id=\"InteractiveUser\">\r\n <GroupId>S-1-5-4</GroupId>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <AllowHardTerminate>false</AllowHardTerminate>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Hidden>true</Hidden>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n <RestartOnFailure>\r\n <Count>3</Count>\r\n <Interval>PT1M</Interval>\r\n </RestartOnFailure>\r\n <IdleSettings>\r\n <StopOnIdleEnd>true</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\r\n </Settings>\r\n <Triggers>\r\n <LogonTrigger />\r\n </Triggers>\r\n <Actions Context=\"InteractiveUser\">\r\n <ComHandler>\r\n <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>\r\n <Data><![CDATA[logon]]></Data>\r\n </ComHandler>\r\n </Actions>\r\n</Task>",
"ClientProcessStartKey": 1970324836977758,
"ClientProcessId": 5592,
"ParentProcessId": 204,
"RpcCallClientLocality": 0,
"FQDN": "LAB-WIN11.ludus.domain"
},
"message": ""
}
Detection Patterns #
- Scheduled Task With Suspicious
- Lateral Movement: Exploitation of Remote Services
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
CommandLine | is_not_null | | 1 rule | kusto, splunk |
RelativeTargetName | eq | svcctl | 1 rule | kusto, sigma |
RelativeTargetName | eq | atsvc | 1 rule | kusto, sigma |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4700
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4700
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4700.yml
Event ID 4701: A scheduled task was disabled.
#Description
This event generates every time a scheduled task is disabled.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
SubjectUserSid | SID | SID of the account that requested the "disable scheduled task" operation. | |
SubjectUserName | UnicodeString | Name of the account that requested the "disable scheduled task" operation. | |
SubjectDomainName | UnicodeString | Subject's domain or computer name. | |
SubjectLogonId | HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | |
TaskName | UnicodeString | Name of the disabled scheduled task. | 1 |
TaskContent | UnicodeString | XML content of the disabled scheduled task. | |
ClientProcessStartKey | UInt64 | Process start key of the client process that made the request: a 64-bit identifier of the process instance, not a creation time, even though the rendered message of the related task events labels it "ProcessCreationTime". | |
ClientProcessId | UInt32 | Process ID of the client process that made the request. | |
ParentProcessId | UInt32 | Parent process ID of the client process. | |
RpcCallClientLocality | UInt32 | RPC call locality indicator for the client. | |
FQDN | UnicodeString | Fully qualified domain name of the host that logged the event (matches the computer field in the example below). | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4701,
"version": 1,
"level": 0,
"task": 12804,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-09T18:21:07.550543+00:00",
"event_record_id": 1753741,
"correlation": {
"ActivityID": "B6034439-245E-4C44-9C16-887F1090313D"
},
"execution": {
"process_id": 8,
"thread_id": 6100
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "LAB-WIN11$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"TaskName": "\\Microsoft\\Windows\\EnterpriseMgmt\\69C01DBD-8068-44F9-9507-8A9DF76C127A\\Wsc Startup event listener created by enrollment client",
"TaskContent": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.4\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <SecurityDescriptor>D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;LS)</SecurityDescriptor>\r\n <Author>Microsoft Corporation</Author>\r\n <URI>\\Microsoft\\Windows\\EnterpriseMgmt\\69C01DBD-8068-44F9-9507-8A9DF76C127A\\Wsc Startup event listener created by enrollment client</URI>\r\n </RegistrationInfo>\r\n <Principals>\r\n <Principal id=\"LocalSystem\">\r\n <UserId>S-1-5-18</UserId>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <Enabled>false</Enabled>\r\n <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>\r\n <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>\r\n <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\r\n </Settings>\r\n <Triggers>\r\n <WnfStateChangeTrigger>\r\n <StateName>7510BCA33A1D8541</StateName>\r\n </WnfStateChangeTrigger>\r\n </Triggers>\r\n <Actions Context=\"LocalSystem\">\r\n <Exec>\r\n <Command>%windir%\\system32\\deviceenroller.exe</Command>\r\n <Arguments>/s \"69C01DBD-8068-44F9-9507-8A9DF76C127A\" /c /WscStartupAlert</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task>",
"ClientProcessStartKey": 3940649673950061,
"ClientProcessId": 9152,
"ParentProcessId": 840,
"RpcCallClientLocality": 0,
"FQDN": "LAB-WIN11"
},
"message": ""
}
Detection Patterns #
- Execution: Scheduled Task (1 rule)
- Lateral Movement: Exploitation of Remote Services
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
RelativeTargetName | eq | svcctl | 1 rule | kusto, sigma |
RelativeTargetName | eq | atsvc | 1 rule | kusto, sigma |
TaskName | contains | \windows\bitlocker | 1 rule | sigma |
TaskName | contains | \windows\exploitguard | 1 rule | sigma |
TaskName | contains | \windows\systemrestore\sr | 1 rule | sigma |
TaskName | contains | \windows\windows defender\ | 1 rule | sigma |
TaskName | contains | \windows\windowsbackup\ | 1 rule | sigma |
TaskName | contains | \windows\windowsupdate\ | 1 rule | sigma |
Detection Rules #
Sigma #
- Defrag Deactivation - Security source medium: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
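The 4699 and 4701 rules above are lifecycle checks rather than content checks: a task that is created and deleted within a short window (the Splunk short_lived indicator), a deleted task sitting directly under the root node (the Sigma Scheduled Task Deletion note), and the disabling or deletion of the Microsoft\Windows tasks in the indicator tables (BitLocker, ExploitGuard, SystemRestore, Windows Defender, WindowsBackup, WindowsUpdate) or of the defragmentation task the Defrag Deactivation rule covers. The following Python is an added example serving both the 4699 and the 4701 sections; it is not code from the page or from any vendor rule set. The five-minute window, the host names, the timestamps and the task names in the sample stream are constructed (the RemovewYukon and Windows Defender names are taken from the example events above).

```python
"""Correlate scheduled-task lifecycle events across 4698/4699/4700/4701.

Added example serving the 4699 and 4701 sections above; it is not code from
the page or from any vendor rule set. Over a time-ordered stream of event
records it raises: a task created (4698) and deleted (4699) within a short
window (the Splunk short_lived indicator; the 5 minute window is an
assumption), a deleted task registered directly under the root node (the
Sigma Scheduled Task Deletion note), and deletion or disabling (4701) of a
task under the Microsoft\\Windows folders the indicator tables list, plus the
defragmentation task the Defrag Deactivation rule covers. Hosts, task names
and timestamps in the sample stream are constructed.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Folder fragments from the 4699/4701 indicator tables, lower-cased, plus the
# Defrag task; matched as substrings of TaskName.
PROTECTED_FRAGMENTS = (
    "\\windows\\bitlocker", "\\windows\\exploitguard", "\\windows\\systemrestore\\sr",
    "\\windows\\windows defender\\", "\\windows\\windowsbackup\\",
    "\\windows\\windowsupdate\\", "\\windows\\defrag\\scheduleddefrag",
)


def parse_ts(value: str) -> datetime:
    """Parse time_created; it carries seven fractional digits, fromisoformat takes six."""
    return datetime.fromisoformat(re.sub(r"(\.\d{6})\d+", r"\1", value))


def is_root_level(task_name: str) -> bool:
    """True for a task registered directly under the Task Scheduler root (one backslash)."""
    return task_name.startswith("\\") and task_name.count("\\") == 1


def is_protected(task_name: str) -> bool:
    """True when TaskName falls in one of the security-relevant Microsoft folders."""
    low = task_name.lower()
    return any(frag in low for frag in PROTECTED_FRAGMENTS)


def correlate(events: list[dict], short_lived: timedelta = timedelta(minutes=5)) -> list[tuple]:
    """Replay events in time order and return (label, computer, TaskName) alerts."""
    created: dict[tuple[str, str], datetime] = {}
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["time_created"])):
        key = (ev["computer"].lower(), ev["TaskName"].lower())
        ts = parse_ts(ev["time_created"])
        eid = ev["event_id"]
        if eid == 4698:
            created[key] = ts
        elif eid == 4699:
            born = created.pop(key, None)
            if born is not None and ts - born <= short_lived:
                alerts.append(("short-lived-task", ev["computer"], ev["TaskName"]))
            if is_root_level(ev["TaskName"]):
                alerts.append(("root-level-task-deleted", ev["computer"], ev["TaskName"]))
            if is_protected(ev["TaskName"]):
                alerts.append(("protected-task-deleted", ev["computer"], ev["TaskName"]))
        elif eid == 4701 and is_protected(ev["TaskName"]):
            alerts.append(("protected-task-disabled", ev["computer"], ev["TaskName"]))
        # 4700 (enabled) has no rule here; it is accepted so a full stream replays cleanly.
    return alerts


def _ev(eid: int, ts: str, computer: str, task: str) -> dict:
    """Build a minimal record with the fields correlate() reads."""
    return {"event_id": eid, "time_created": ts, "computer": computer, "TaskName": task}


# Constructed stream, deliberately out of order; correlate() sorts it.
SAMPLE_STREAM = [
    _ev(4701, "2026-06-13T10:02:13.0000000+00:00", "HOST-B",
        "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan"),
    _ev(4698, "2026-06-13T10:00:00.0000000+00:00", "HOST-A", "\\Xq7fKd2pLm9r"),
    _ev(4698, "2026-06-13T09:58:00.0000000+00:00", "HOST-C", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"),
    _ev(4699, "2026-06-13T10:00:41.2500000+00:00", "HOST-A", "\\Xq7fKd2pLm9r"),
    _ev(4699, "2026-06-13T10:03:00.0000000+00:00", "HOST-A", "\\Microsoft\\Windows\\Server Manager\\RemovewYukon"),
    _ev(4701, "2026-06-13T10:05:00.0000000+00:00", "HOST-C", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_STREAM):
        print(*alert)
```

Keying the created-task table on (computer, TaskName) rather than TaskName alone matters because the same task name recurs on every host; the RemovewYukon deletion in the sample stream shows the quiet path, a deletion with no matching creation in the window, no root-level name and no protected folder, which produces nothing.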
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4701
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4701.yml
Event ID 4702: A scheduled task was updated.
#Description
This event generates every time a scheduled task is updated or otherwise changed.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid | SID of the account that updated the scheduled task. | |
SubjectUserName | Name of the account that updated the scheduled task. | |
SubjectDomainName | Subject's domain or computer name. | |
SubjectLogonId | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | |
TaskName | Name of the updated scheduled task. | |
TaskContentNew | The new XML for the updated task. | 32 |
ClientProcessStartKey | Process start key of the client process that made the request: a 64-bit identifier of the process instance that, unlike the PID, is not recycled while the system is up. The rendered message labels this value "ProcessCreationTime", but it is not a timestamp. | |
ClientProcessId | Process ID of the client process that made the request. | |
ParentProcessId | Parent process ID of the client process. | |
RpcCallClientLocality | RPC call locality indicator for the client. | |
FQDN | Fully qualified domain name of the host that logged the event. As with 4698 and 4699, the rendered message's "FQDN" label carries the RpcCallClientLocality value, so take this field from event_data. | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4702,
"version": 1,
"level": 0,
"task": 12804,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T13:52:57.3167039+00:00",
"event_record_id": 2141356,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 968
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-20",
"SubjectUserName": "TELEMETRY-DC-A$",
"SubjectDomainName": "cell-a",
"SubjectLogonId": "0x3e4",
"TaskName": "\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask",
"TaskContentNew": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\n<Task version=\"1.6\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\n <RegistrationInfo>\n <Source>$(@%systemroot%\\system32\\sppc.dll,-200)</Source>\n <Author>$(@%systemroot%\\system32\\sppc.dll,-200)</Author>\n <Version>1.0</Version>\n <Description>$(@%systemroot%\\system32\\sppc.dll,-201)</Description>\n <URI>\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask</URI>\n <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor>\n </RegistrationInfo>\n <Triggers>\n <CalendarTrigger>\n <StartBoundary>2026-06-14T05:38:57Z</StartBoundary>\n <Enabled>true</Enabled>\n <ScheduleByDay>\n <DaysInterval>1</DaysInterval>\n </ScheduleByDay>\n </CalendarTrigger>\n </Triggers>\n <Principals>\n <Principal id=\"NetworkService\">\n <UserId>S-1-5-20</UserId>\n <RunLevel>LeastPrivilege</RunLevel>\n </Principal>\n </Principals>\n <Settings>\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\n <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>\n <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>\n <AllowHardTerminate>false</AllowHardTerminate>\n <StartWhenAvailable>true</StartWhenAvailable>\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\n <IdleSettings>\n <StopOnIdleEnd>true</StopOnIdleEnd>\n <RestartOnIdle>false</RestartOnIdle>\n </IdleSettings>\n <AllowStartOnDemand>true</AllowStartOnDemand>\n <Enabled>true</Enabled>\n <Hidden>true</Hidden>\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\n <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>\n <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\n <WakeToRun>false</WakeToRun>\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\n <Priority>7</Priority>\n <RestartOnFailure>\n <Interval>PT1M</Interval>\n <Count>3</Count>\n </RestartOnFailure>\n </Settings>\n <Actions Context=\"NetworkService\">\n <ComHandler>\n <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>\n <Data><![CDATA[timer]]></Data>\n </ComHandler>\n </Actions>\n</Task>",
"ClientProcessStartKey": "4222124650661718",
"ClientProcessId": "1888",
"ParentProcessId": "804",
"RpcCallClientLocality": "0",
"FQDN": "telemetry-DC-a.cell-a.ludus.domain"
},
"message": "A scheduled task was updated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-20\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E4\r\n\r\nTask Information:\r\n\tTask Name: \t\t\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask\r\n\tTask New Content: \t\t<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.6\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <Source>$(@%systemroot%\\system32\\sppc.dll,-200)</Source>\r\n <Author>$(@%systemroot%\\system32\\sppc.dll,-200)</Author>\r\n <Version>1.0</Version>\r\n <Description>$(@%systemroot%\\system32\\sppc.dll,-201)</Description>\r\n <URI>\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask</URI>\r\n <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor>\r\n </RegistrationInfo>\r\n <Triggers>\r\n <CalendarTrigger>\r\n <StartBoundary>2026-06-14T05:38:57Z</StartBoundary>\r\n <Enabled>true</Enabled>\r\n <ScheduleByDay>\r\n <DaysInterval>1</DaysInterval>\r\n </ScheduleByDay>\r\n </CalendarTrigger>\r\n </Triggers>\r\n <Principals>\r\n <Principal id=\"NetworkService\">\r\n <UserId>S-1-5-20</UserId>\r\n <RunLevel>LeastPrivilege</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>false</AllowHardTerminate>\r\n <StartWhenAvailable>true</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>true</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>true</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>\r\n <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>7</Priority>\r\n <RestartOnFailure>\r\n <Interval>PT1M</Interval>\r\n <Count>3</Count>\r\n </RestartOnFailure>\r\n </Settings>\r\n <Actions Context=\"NetworkService\">\r\n <ComHandler>\r\n <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>\r\n <Data><![CDATA[timer]]></Data>\r\n </ComHandler>\r\n </Actions>\r\n</Task>\r\n\r\nOther Information:\r\n\tProcessCreationTime: \t\t4222124650661718\r\n\tClientProcessId: \t\t\t1888\r\n\tParentProcessId: \t\t\t804\r\n\tFQDN: \t\t0\r\n\t"
}
Detection Patterns #
Scheduled Task With Suspicious
Lateral Movement: Exploitation of Remote Services
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| CommandLine | is_not_null | | 1 rule | kusto, splunk |
| TaskName | eq | \Microsoft\DefenderService | 1 rule | sigma |
| TaskName | eq | \Microsoft\Windows\ATPUpd | 1 rule | sigma |
| TaskName | eq | \Microsoft\Windows\Application Experience\StartupAppTaskCheck | 1 rule | sigma |
| TaskName | eq | \Microsoft\Windows\Application Experience\StartupAppTaskCkeck | 1 rule | sigma |
| TaskName | eq | \Microsoft\Windows\Data Integrity Scan\Data Integrity Update | 1 rule | sigma |
| TaskName | eq | \Microsoft\Windows\DefenderUPDService | 1 rule | sigma |
| TaskName | eq | \Microsoft\Windows\IISUpdateService | 1 rule | sigma |
| TaskName | eq | \Microsoft\Windows\Speech\SpeechModelInstallTask | 1 rule | sigma |
| TaskName | eq | \Microsoft\Windows\WiMSDFS | 1 rule | sigma |
| TaskName | eq | \Microsoft\Windows\Windows Defender\Defender Update Service | 1 rule | sigma |
| TaskName | eq | \Microsoft\Windows\Windows Defender\Service Update | 1 rule | sigma |
| TaskName | eq | \Microsoft\Windows\Windows Error Reporting\CheckReporting | 1 rule | sigma |
| TaskName | eq | \Microsoft\Windows\Windows Error Reporting\SubmitReporting | 1 rule | sigma |
| TaskName | eq | \Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart | 1 rule | sigma |
Community Notes #
May indicate path or trigger edits.
Detection Rules #
Sigma #
- Suspicious Scheduled Task Update (high): Detects updates to scheduled task events that contain suspicious keywords.
- Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor (high): Hunts for known SVR-specific scheduled task names. Also matches Event ID 4698: A scheduled task was created, and Event ID 4699: A scheduled task was deleted.
Elastic #
- Unusual Scheduled Task Update (low): Identifies first-time modifications to scheduled tasks by user accounts, excluding system activity and machine accounts.
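The TaskContentNew XML shown in the example above is what an analyst actually has to read when this event fires. The following Python is an added example, not code from this page or from any of the vendor rule sets it lists: it parses TaskContentNew, summarises who the task runs as, what triggers it and what it executes, and applies two of the checks the rule summaries describe (the SVR GraphicalProton TaskName indicators from the table above, and the Elastic rule's exclusion of SYSTEM and machine accounts). The two sample records are constructed; the first is trimmed from the page's example, while the second's SID, user name and svcupdate.exe path are invented.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace, as seen in the page's TaskContentNew sample.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# TaskName 'eq' indicators from the Common Indicators table above (SVR / GraphicalProton names).
SVR_TASK_NAMES = {name.lower() for name in (
    r"\Microsoft\DefenderService",
    r"\Microsoft\Windows\ATPUpd",
    r"\Microsoft\Windows\Application Experience\StartupAppTaskCheck",
    r"\Microsoft\Windows\Application Experience\StartupAppTaskCkeck",
    r"\Microsoft\Windows\Data Integrity Scan\Data Integrity Update",
    r"\Microsoft\Windows\DefenderUPDService",
    r"\Microsoft\Windows\IISUpdateService",
    r"\Microsoft\Windows\Speech\SpeechModelInstallTask",
    r"\Microsoft\Windows\WiMSDFS",
    r"\Microsoft\Windows\Windows Defender\Defender Update Service",
    r"\Microsoft\Windows\Windows Defender\Service Update",
    r"\Microsoft\Windows\Windows Error Reporting\CheckReporting",
    r"\Microsoft\Windows\Windows Error Reporting\SubmitReporting",
    r"\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart",
)}
# SYSTEM, LOCAL SERVICE, NETWORK SERVICE: the "system activity" the Elastic rule excludes.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}


def is_system_or_machine(subject_sid, subject_name):
    """Machine accounts end in '$'; the service accounts have well-known SIDs."""
    return subject_sid in SERVICE_SIDS or subject_name.endswith("$")


def summarize_task_xml(task_xml):
    """Reduce TaskContentNew to who runs the task, what triggers it and what it executes."""
    # The declaration says UTF-16 but the log pipeline already decoded the text, so drop it.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml).lstrip())
    actions = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append(("Exec", f"{cmd} {args}".strip()))
    for com in root.findall("t:Actions/t:ComHandler", TASK_NS):
        actions.append(("ComHandler", com.findtext("t:ClassId", default="", namespaces=TASK_NS)))
    return {
        "uri": root.findtext("t:RegistrationInfo/t:URI", namespaces=TASK_NS),
        "run_as": root.findtext("t:Principals/t:Principal/t:UserId", namespaces=TASK_NS),
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", namespaces=TASK_NS),
        "hidden": root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS) == "true",
        "triggers": [t.tag.split("}")[-1] for t in root.findall("t:Triggers/*", TASK_NS)],
        "actions": actions,
    }


def triage_4702(event_data):
    """Summarise one 4702 event_data record and apply the two checks described above."""
    summary = summarize_task_xml(event_data["TaskContentNew"])
    findings = []
    if event_data["TaskName"].lower() in SVR_TASK_NAMES:
        findings.append("TaskName matches a known SVR GraphicalProton task name")
    if not is_system_or_machine(event_data["SubjectUserSid"], event_data["SubjectUserName"]):
        findings.append("task updated by a user account rather than SYSTEM or a machine account")
    return {"task_name": event_data["TaskName"], **summary, "findings": findings}


# Constructed sample records. The first is trimmed from the page's example; the second,
# including its SID, user name and the svcupdate.exe path, is invented to exercise both checks.
BENIGN_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.6" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2026-06-14T05:38:57Z</StartBoundary><Enabled>true</Enabled>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="NetworkService"><UserId>S-1-5-20</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="NetworkService"><ComHandler><ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>
    <Data><![CDATA[timer]]></Data></ComHandler></Actions>
</Task>"""
SUSPICIOUS_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Windows Defender\\Service Update</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-21-1111111111-2222222222-3333333333-1105</UserId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\\ProgramData\\svcupdate.exe</Command><Arguments>/quiet</Arguments></Exec></Actions>
</Task>"""
SAMPLE_BENIGN = {"SubjectUserSid": "S-1-5-20", "SubjectUserName": "TELEMETRY-DC-A$",
                 "TaskName": "\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask", "TaskContentNew": BENIGN_XML}
SAMPLE_SUSPICIOUS = {"SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105", "SubjectUserName": "jdoe",
                     "TaskName": "\\Microsoft\\Windows\\Windows Defender\\Service Update", "TaskContentNew": SUSPICIOUS_XML}

if __name__ == "__main__":
    for record in (SAMPLE_BENIGN, SAMPLE_SUSPICIOUS):
        print(triage_4702(record))
```

The summary returned for the benign record shows a ComHandler action running as NETWORK SERVICE from a machine account, so nothing fires; the constructed record matches one of the SVR task names and was written by a user account, so both findings fire. Keeping the XML summary separate from the checks lets the same parse feed other rules, for example the keyword match the Sigma rule above describes.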
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4702
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4702.yml
Event ID 4703: A user right was adjusted.
#Description
A token right was adjusted.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| SubjectUserSid | SID | SID of the account that requested the "enable" or "disable" operation for Target Account privileges. | |
| SubjectUserName | UnicodeString | The name of the account that requested the "enable" or "disable" operation for Target Account privileges. | |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. | |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
| TargetUserSid | SID | SID of the account for which privileges were enabled or disabled. | |
| TargetUserName | UnicodeString | The name of the account for which privileges were enabled or disabled. | |
| TargetDomainName | UnicodeString | Target account's domain or computer name. | |
| TargetLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
| ProcessName | UnicodeString | Full path and name of the executable for the process. | 5 |
| ProcessId | Pointer | Hexadecimal Process ID of the process that enabled or disabled token privileges. | |
| EnabledPrivilegeList | UnicodeString | The list of enabled user rights (see the privilege constants reference). | 2 |
| DisabledPrivilegeList | UnicodeString | The list of disabled user rights (see the privilege constants reference). | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4703,
"version": 0,
"level": 0,
"task": 13317,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:08:53.1401365+00:00",
"event_record_id": 3213669,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 4672
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-C$",
"SubjectDomainName": "cell-c",
"SubjectLogonId": "0x3e7",
"TargetUserSid": "S-1-0-0",
"TargetUserName": "TELEMETRY-DC-C$",
"TargetDomainName": "cell-c",
"TargetLogonId": "0x3e7",
"ProcessName": "C:\\Windows\\System32\\svchost.exe",
"ProcessId": "0xf1c",
"EnabledPrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege",
"DisabledPrivilegeList": "-"
},
"message": "A token right was adjusted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0xf1c\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nEnabled Privileges:\r\n\t\t\tSeAssignPrimaryTokenPrivilege\r\n\t\t\tSeIncreaseQuotaPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeSystemtimePrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeShutdownPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeUndockPrivilege\r\n\t\t\tSeManageVolumePrivilege\r\n\r\nDisabled Privileges:\r\n\t\t\t-"
}
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| event_count | lt | 5 | 1 rule | splunk |
| signature_id | contains | 4656 | 1 rule | splunk |
Community Notes #
Generated when token privileges are changed (tracks rights like SeDebugPrivilege, SeLoadDriverPrivilege).
Detection Rules #
Elastic #
- SeDebugPrivilege Enabled by a Suspicious Process (medium): Identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege. Adversaries may enable this privilege to debug and modify other processes, typically reserved for system-level tasks, to escalate privileges and bypass access controls.
Splunk #
- Windows Access Token Manipulation SeDebugPrivilege: The following analytic detects a process enabling the "SeDebugPrivilege" privilege token. It leverages Windows Security Event Logs with EventCode 4703, filtering out common legitimate processes. This activity is significant because…
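To make the Elastic rule's logic concrete, here is an added Python example (not from this page, Elastic or Splunk). It splits EnabledPrivilegeList and DisabledPrivilegeList, which the page's sample shows as newline-and-tab separated with "-" meaning none, and alerts when a watched privilege is enabled by a subject other than SYSTEM (S-1-5-18). The first sample record mirrors the page's example event, where SeLoadDriverPrivilege is enabled but the subject is SYSTEM, so nothing fires; the jdoe record, its SID and its tool path are invented.

```python
import re

SYSTEM_SID = "S-1-5-18"
# Privileges the Community Notes and the vendor rules above single out.
WATCHED_PRIVILEGES = {"SeDebugPrivilege", "SeLoadDriverPrivilege"}


def parse_privilege_list(raw):
    """EnabledPrivilegeList / DisabledPrivilegeList is a whitespace-separated list
    (newlines and tabs in the page's sample); a lone '-' means no privileges."""
    if not raw or raw.strip() == "-":
        return []
    return re.split(r"\s+", raw.strip())


def triage_4703(event_data):
    """Flag a watched privilege enabled outside the SYSTEM context (the Elastic rule's logic)."""
    enabled = parse_privilege_list(event_data.get("EnabledPrivilegeList"))
    disabled = parse_privilege_list(event_data.get("DisabledPrivilegeList"))
    watched = sorted(WATCHED_PRIVILEGES.intersection(enabled))
    return {
        "subject": f"{event_data.get('SubjectDomainName')}\\{event_data.get('SubjectUserName')}",
        "process": event_data.get("ProcessName"),
        "enabled": enabled,
        "disabled": disabled,
        "watched_enabled": watched,
        # SYSTEM enabling these is routine (see the page's example); any other subject is worth a look.
        "alert": bool(watched) and event_data.get("SubjectUserSid") != SYSTEM_SID,
    }


def alerts_from_events(events):
    """Run the check over a batch of event_data records and return only those that fire."""
    return [r for r in (triage_4703(e) for e in events) if r["alert"]]


# Constructed sample event_data records; the first mirrors the page's example event.
SAMPLE_SYSTEM = {
    "SubjectUserSid": "S-1-5-18", "SubjectUserName": "TELEMETRY-DC-C$", "SubjectDomainName": "cell-c",
    "ProcessName": "C:\\Windows\\System32\\svchost.exe", "ProcessId": "0xf1c",
    "EnabledPrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege"
                            "\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege"
                            "\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege"
                            "\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege",
    "DisabledPrivilegeList": "-",
}
# Invented record: an interactive user whose process enables SeDebugPrivilege.
SAMPLE_USER = {
    "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105", "SubjectUserName": "jdoe",
    "SubjectDomainName": "CELL-C", "ProcessName": "C:\\Users\\jdoe\\Downloads\\tool.exe", "ProcessId": "0x1a2c",
    "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-",
}

if __name__ == "__main__":
    for hit in alerts_from_events([SAMPLE_SYSTEM, SAMPLE_USER]):
        print(hit["subject"], hit["process"], hit["watched_enabled"])
```

The Splunk rule additionally filters out common legitimate processes; that allowlist is environment-specific and is left out here, so a real deployment would add a ProcessName exclusion step before `alert` is computed.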
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-token-right-adjusted
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4703
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4703.yml
Event ID 4704: A user right was assigned.
#Description
This event generates every time the local user rights policy is changed and a user right is assigned to an account.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| SubjectUserSid | SID | SID of the account that made a change to the local user rights policy. | |
| SubjectUserName | UnicodeString | The name of the account that made a change to the local user rights policy. | 1 |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. | |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
| TargetSid | SID | The SID of the security principal to which user rights were assigned. | |
| PrivilegeList | UnicodeString | The list of assigned user rights (see the privilege constants reference). | 1 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4704,
"version": 0,
"level": 0,
"task": 13570,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T13:35:55.2201193+00:00",
"event_record_id": 3189915,
"correlation": {
"ActivityID": "{AA583517-FAF4-0001-8535-58AAF4FADC01}"
},
"execution": {
"process_id": 896,
"thread_id": 7952
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-C$",
"SubjectDomainName": "cell-c",
"SubjectLogonId": "0x3e7",
"TargetSid": "S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415",
"PrivilegeList": "SeAuditPrivilege"
},
"message": "A user right was assigned.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTarget Account:\r\n\tAccount Name:\t\tS-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\r\n\r\nNew Right:\r\n\tUser Right:\t\tSeAuditPrivilege"
}
Detection Patterns #
Stealth: Access Token Manipulation
Community Notes #
Tracks changes to token privileges.
Detection Rules #
Sigma #
- Enabled User Right in AD to Control User Objects (high): Detects the scenario where a user is assigned the SeEnableDelegationPrivilege right in Active Directory, which would allow control of other AD user objects.
Elastic #
- Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal (high): Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a security principal. This right enables computer and user accounts to be trusted for delegation. Attackers can abuse it to compromise Active Directory accounts and elevate their privileges.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4704
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4704
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4704.yml
Event ID 4705: A user right was removed.
#Description
This event generates every time the local user rights policy is changed and a user right is removed from an account.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid | SID of the account that made a change to the local user rights policy. |
| SubjectUserName | The name of the account that made a change to the local user rights policy. |
| SubjectDomainName | Subject's domain or computer name. |
| SubjectLogonId | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| TargetSid | The SID of the security principal from which user rights were removed. |
| PrivilegeList | The list of removed user rights. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4705,
"version": 0,
"level": 0,
"task": 13570,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2020-07-12T20:23:39.973927Z",
"event_record_id": 1239002,
"correlation": {},
"execution": {
"process_id": 464,
"thread_id": 2980
},
"channel": "Security",
"computer": "fs02.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"SubjectUserName": "admmig",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x202dac8",
"TargetSid": "S-1-5-21-4230534742-2542757381-3142984815-1158",
"PrivilegeList": "SeCreateTokenPrivilege"
}
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4705
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4705
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4705.yml
Event ID 4706: A new trust was created to a domain.
#Description
This event generates when a new trust to a domain is created.
Message #
Fields #
| Name | Description |
|---|---|
| DomainName | The name of the new trusted domain. |
| DomainSid | SID of the new trusted domain. |
| SubjectUserSid | SID of the account that requested the "create domain trust" operation. |
| SubjectUserName | The name of the account that requested the "create domain trust" operation. |
| SubjectDomainName | Subject's domain or computer name. |
| SubjectLogonId | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| TdoType | The type of the new trust. Known values are listed in the Microsoft Learn reference below. |
| TdoDirection | The direction of the new trust. Known values are listed in the Microsoft Learn reference below. |
| TdoAttributes | The decimal value of the attributes of the new trust. |
| SidFilteringEnabled | SID Filtering state for the new trust. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4706,
"version": 0,
"level": 0,
"task": 13569,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2024-06-22T14:02:41.639162Z",
"event_record_id": 3175612,
"correlation": {},
"execution": {
"process_id": 596,
"thread_id": 11064
},
"channel": "Security",
"computer": "CDCWTRDC01.mypartner.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"DomainName": "rootblue.lan",
"DomainSid": "S-1-5-21-392370121-190461309-2151315433",
"SubjectUserSid": "S-1-5-21-1407145384-2259788832-4099636412-500",
"SubjectUserName": "Administrator",
"SubjectDomainName": "MYPARTNER",
"SubjectLogonId": "0xffad8559",
"TdoType": 2,
"TdoDirection": 3,
"TdoAttributes": 8,
"SidFilteringEnabled": "%%1796"
}
}
Detection Rules #
Sigma #
- A New Trust Was Created To A Domain (medium): Addition of domains is rare and should be verified for legitimacy.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4706
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4706.yml
Event ID 4707: A trust to a domain was removed.
#Description
This event generates when a domain trust was removed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| DomainName | UnicodeString | Name of the trusted domain whose trust was removed. |
| DomainSid | SID | SID of the trusted domain whose trust was removed. |
| SubjectUserSid | SID | SID of the account that requested the "remove domain trust" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "remove domain trust" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4707
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4707
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4707.yml
Event ID 4709: The IPsec Policy Agent service was started.
#Description
The IPsec Policy Agent service was started.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | Policy Source |
| param3 | UnicodeString | |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4709
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4709
Event ID 4710: The IPsec Policy Agent service was disabled.
#Description
The IPsec Policy Agent service was disabled.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4710
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4710
Event ID 4711: param1
#Description
param1
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4711
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4711
Event ID 4712: IPsec Policy Agent encountered a potentially serious failure.
#Description
IPsec Policy Agent encountered a potentially serious failure.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4712
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4712
Event ID 4713: Kerberos policy was changed.
#Description
This event generates when Kerberos policy was changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | SID of the account that made a change to Kerberos policy. |
| SubjectUserName | UnicodeString | The name of the account that made a change to Kerberos policy. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| KerberosPolicyChange | UnicodeString | "--" means no changes; otherwise each change is shown as Parameter_Name: new_value (old_value). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4713,
"version": 0,
"level": 0,
"task": 13569,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:28:27.466929+00:00",
"event_record_id": 16696941,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 11540
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "LAB-DC01$",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0x3e7",
"KerberosPolicyChange": "KerMaxT: 0x430e234000 (0x53d1ac1000); KerLogoff: 0x7ffdce8d4d08 (0x1); "
},
"message": ""
}
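The KerberosPolicyChange format described in the fields table (Parameter_Name: new_value (old_value), entries separated by semicolons, "--" for no change) is simple enough to parse mechanically, and the example event above gives a real value to test against. The following Python is an added example, not from the page: it parses that string into a mapping of parameter to (new, old) integers and handles the documented "--" case. The conversion to hours assumes the lifetime values are stored as 100-nanosecond intervals; that is an assumption made here, consistent with the sample's KerMaxT values decoding to 8 h (previously 10 h).

```python
import re

# One entry of KerberosPolicyChange: "Name: new_value (old_value)".
ENTRY_RE = re.compile(r"([A-Za-z0-9_]+):\s*(\S+)\s*\(([^)]*)\)")
HUNDRED_NS_PER_HOUR = 36_000_000_000  # 3600 s * 10^7 100-ns intervals per second


def to_number(text):
    """Values are rendered as hex ('0x...'); keep the raw string if it is not a number."""
    try:
        return int(text, 0)
    except ValueError:
        return text


def parse_kerberos_policy_change(raw):
    """Return {parameter: (new_value, old_value)}; '--' or an empty string means no change."""
    if raw is None or raw.strip() in ("", "--"):
        return {}
    changes = {}
    for entry in raw.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # the sample ends with "; ", so the last split element is empty
        match = ENTRY_RE.fullmatch(entry)
        if match is None:
            raise ValueError(f"unrecognised KerberosPolicyChange entry: {entry!r}")
        name, new, old = match.groups()
        changes[name] = (to_number(new), to_number(old))
    return changes


def lifetime_hours(value):
    """Assumption: ticket lifetimes are stored as 100-ns intervals (Windows FILETIME units)."""
    return value / HUNDRED_NS_PER_HOUR


def describe(raw):
    """Human-readable lines for an analyst, one per changed parameter."""
    lines = []
    for name, (new, old) in parse_kerberos_policy_change(raw).items():
        if name == "KerMaxT" and isinstance(new, int) and isinstance(old, int):
            lines.append(f"{name}: {lifetime_hours(new):g} h (was {lifetime_hours(old):g} h)")
        else:
            lines.append(f"{name}: {new!r} (was {old!r})")
    return lines


# Value copied from the page's example event above.
SAMPLE = "KerMaxT: 0x430e234000 (0x53d1ac1000); KerLogoff: 0x7ffdce8d4d08 (0x1); "

if __name__ == "__main__":
    for line in describe(SAMPLE):
        print(line)
```

The KerLogoff value in the sample does not look like a policy setting, so the example leaves every parameter other than KerMaxT as a raw integer rather than guessing its units.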
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4713
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4713
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4713.yml
Event ID 4714: Data Recovery Agent group policy for Encrypting File System (EFS) has changed.
#Description
Data Recovery Agent group policy for Encrypting File System (EFS) has changed. The new changes have been applied.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | Account name of the subject. |
| SubjectDomainName | UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId | HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
| EfsPolicyChange | UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"event_source_name": "",
"event_id": 4714,
"version": 0,
"level": 0,
"task": 13573,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:18:12.649403+00:00",
"event_record_id": 16250501,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 7468
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4714
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4714
Event ID 4715: The audit policy (SACL) on an object was changed.
#Description
This event generates every time local audit policy security descriptor changes.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | SID of the account that requested the "change local audit policy security descriptor (SACL)" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "change local audit policy security descriptor (SACL)" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| OldSd | UnicodeString | The old Security Descriptor Definition Language (SDDL) value for the audit policy. |
| NewSd | UnicodeString | The new Security Descriptor Definition Language (SDDL) value for the audit policy. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4715
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4715.yml
Event ID 4716: Trusted domain information was modified.
#Description
Trusted domain information was modified.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that requested the "modify domain trust settings" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "modify domain trust settings" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
DomainName UnicodeString | The name of the changed trusted domain. If this attribute was not changed, it will have the "-" value. |
DomainSid SID | The SID of the changed trusted domain. If this attribute was not changed, it will have the "-" value. |
TdoType UInt32 | The type of the new trust. If this attribute was not changed, it will have the "-" value or its old value. Known values |
TdoDirection UInt32 | The direction of the new trust. If this attribute was not changed, it will have the "-" value or its old value. Known values |
TdoAttributes UInt32 | [New Trust Information] Trust Attributes. |
SidFilteringEnabled UnicodeString | [New Trust Information] SID Filtering. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4716
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4716
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4716.yml
Event ID 4717: System security access was granted to an account.
#Description
This event generates every time the local logon user-right policy changes and a logon right is granted to an account. A separate event is generated for each account when a logon right is granted to multiple accounts.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that made a change to local logon right user policy. |
SubjectUserName UnicodeString | The name of the account that made a change to local logon right user policy. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
TargetSid SID | The SID of the security principal for which logon right was granted. |
AccessGranted UnicodeString | The name of granted logon right. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4717,
"version": 0,
"level": 0,
"task": 13569,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T13:35:55.2159844+00:00",
"event_record_id": 3189912,
"correlation": {
"ActivityID": "{AA583517-FAF4-0001-8535-58AAF4FADC01}"
},
"execution": {
"process_id": 896,
"thread_id": 7952
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-C$",
"SubjectDomainName": "cell-c",
"SubjectLogonId": "0x3e7",
"TargetSid": "S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415",
"AccessGranted": "SeServiceLogonRight"
},
"message": "System security access was granted to an account.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nAccount Modified:\r\n\tAccount Name:\t\tS-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\r\n\r\nAccess Granted:\r\n\tAccess Right:\t\tSeServiceLogonRight"
}
Detection Patterns #
Stealth: Access Token Manipulation
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4717
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4717
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4717.yml
Event ID 4718: System security access was removed from an account.
#Description
This event generates every time the local logon user-right policy changes and a logon right is removed from an account. A separate event is generated for each account when a logon right is removed from multiple accounts.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that made a change to local logon right user policy. |
SubjectUserName UnicodeString | The name of the account that made a change to local logon right user policy. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
TargetSid SID | The SID of the security principal for which logon right was removed. |
AccessRemoved UnicodeString | The name of removed logon right. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4718,
"version": 0,
"level": 0,
"task": 13569,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-07T16:44:47.045997+00:00",
"event_record_id": 89,
"correlation": {
"ActivityID": "C1DC836A-4A9E-0000-8485-DCC19E4AD801"
},
"execution": {
"process_id": 648,
"thread_id": 700
},
"channel": "Security",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "MINWINPC$",
"SubjectDomainName": "",
"SubjectLogonId": "0x3e7",
"TargetSid": "S-1-5-90-0",
"AccessRemoved": "SeInteractiveLogonRight"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4718
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4718
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4718.yml
Event ID 4719: System audit policy was changed.
#Description
This event generates when the computer's audit policy changes.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid SID | SID of account that made a change to local audit policy. | |
SubjectUserName UnicodeString | The name of the account that made a change to local audit policy. | 1 |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
CategoryId UnicodeString | The name of the auditing category whose subcategory was changed. Known values | |
SubcategoryId UnicodeString | The name of the auditing subcategory that was changed. Known values | |
SubcategoryGuid GUID | The unique subcategory GUID. Logged in lower case; most rules compare it in upper case, so normalise before matching. Known values | 30 |
AuditPolicyChanges UnicodeString | Changes made to the subcategory as resource-string codes: %%8448 "Success removed", %%8449 "Success Added", %%8450 "Failure removed", %%8451 "Failure added". Known values | 13 |
ClientProcessId UInt32 | Process ID of the client process that requested the change (present only on newer Windows builds). | |
ClientProcessStartKey UInt64 | Start key of that client process, which stays unique across PID reuse (present only on newer Windows builds). | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4719,
"version": 0,
"level": 0,
"task": 13568,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:18:24.9057236+00:00",
"event_record_id": 2172904,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 7776
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "cell-a",
"SubjectLogonId": "0x333bffe",
"CategoryId": "%%8279",
"SubcategoryId": "%%14083",
"SubcategoryGuid": "{0cce923e-69ae-11d9-bed3-505054503030}",
"AuditPolicyChanges": "%%8449, %%8451"
},
"message": "System audit policy was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x333BFFE\r\n\r\nAudit Policy Change:\r\n\tCategory:\t\tDS Access\r\n\tSubcategory:\t\tDetailed Directory Service Replication\r\n\tSubcategory GUID:\t{0cce923e-69ae-11d9-bed3-505054503030}\r\n\tChanges:\t\tSuccess Added, Failure added"
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
AuditPolicyChanges | contains | %%8448 | 3 rules | sigma |
AuditPolicyChanges | contains | %%8450 | 3 rules | sigma |
AuditPolicyChanges | in | %%8448 | 2 rules | splunk |
AuditPolicyChanges | in | %%8448, %%8450 | 2 rules | splunk |
AuditPolicyChanges | in | %%8450 | 2 rules | splunk |
Changes | in | Failure removed | 2 rules | splunk |
Changes | in | Success removed | 2 rules | splunk |
Changes | in | Success removed, Failure removed | 2 rules | splunk |
SubcategoryGuid | eq | {0CCE9210-69AE-11D9-BED3-505054503030} | 2 rules | sigma |
SubcategoryGuid | eq | {0CCE9211-69AE-11D9-BED3-505054503030} | 2 rules | sigma |
SubcategoryGuid | eq | {0CCE9212-69AE-11D9-BED3-505054503030} | 2 rules | sigma |
SubcategoryGuid | eq | {0CCE9215-69AE-11D9-BED3-505054503030} | 2 rules | sigma |
SubcategoryGuid | eq | {0CCE9217-69AE-11D9-BED3-505054503030} | 2 rules | sigma |
SubcategoryGuid | eq | {0CCE921B-69AE-11D9-BED3-505054503030} | 2 rules | sigma |
SubcategoryGuid | eq | {0CCE922B-69AE-11D9-BED3-505054503030} | 2 rules | sigma |
Community Notes #
System audit policy changed. Attackers often disable auditing to reduce detection.
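The rules listed below all reduce to the same test: did a 4719 remove success or failure auditing (%%8448 / %%8450) from a subcategory worth protecting? The following is an added example, not code from this page or from any of the rule vendors, that runs that test over `event_data` dicts. The GUID-to-name table is the standard audit-subcategory mapping from ntsecapi.h; the second sample event is constructed for the demo.

```python
"""Added example (not from the original page): score a 4719 event_data dict
the way the Sigma/Splunk rules listed on the page do. The GUID table is the
standard ntsecapi.h audit-subcategory mapping; CONSTRUCTED_DISABLE is a
hand-made sample, not a captured event."""

# Resource-string codes that appear in the AuditPolicyChanges field.
CHANGE_CODES = {
    "%%8448": "Success removed",
    "%%8449": "Success Added",
    "%%8450": "Failure removed",
    "%%8451": "Failure added",
}
REMOVAL_CODES = {"%%8448", "%%8450"}

# Subcategories the cross-vendor rules treat as sensitive (names from ntsecapi.h).
SENSITIVE_SUBCATEGORIES = {
    "{0CCE9210-69AE-11D9-BED3-505054503030}": "Security State Change",
    "{0CCE9211-69AE-11D9-BED3-505054503030}": "Security System Extension",
    "{0CCE9212-69AE-11D9-BED3-505054503030}": "System Integrity",
    "{0CCE9215-69AE-11D9-BED3-505054503030}": "Logon",
    "{0CCE9217-69AE-11D9-BED3-505054503030}": "Account Lockout",
    "{0CCE921B-69AE-11D9-BED3-505054503030}": "Special Logon",
    "{0CCE922B-69AE-11D9-BED3-505054503030}": "Process Creation",
}


def parse_changes(raw: str) -> list[str]:
    """Split '%%8449, %%8451' into its individual codes."""
    return [c.strip() for c in raw.split(",") if c.strip()]


def evaluate_4719(event_data: dict) -> dict:
    """Return a verdict for one 4719 event_data block.

    alert is True only when auditing was *removed* from a sensitive
    subcategory; adding auditing (8449/8451) or touching a non-sensitive
    subcategory is recorded in the verdict but not alerted on."""
    # The GUID is logged lower-case but the rules compare upper-case.
    guid = event_data.get("SubcategoryGuid", "").upper()
    codes = parse_changes(event_data.get("AuditPolicyChanges", ""))
    removed = [CHANGE_CODES[c] for c in codes if c in REMOVAL_CODES]
    subcategory = SENSITIVE_SUBCATEGORIES.get(guid)
    return {
        "subject": event_data.get("SubjectUserName", ""),
        "subcategory": subcategory or guid,
        "changes": [CHANGE_CODES.get(c, c) for c in codes],
        "removed": bool(removed),
        "sensitive": subcategory is not None,
        "alert": bool(removed) and subcategory is not None,
    }


# The page's own example: auditing *added* on DS replication, so no alert.
PAGE_EXAMPLE = {
    "SubjectUserName": "domainadmin",
    "SubcategoryGuid": "{0cce923e-69ae-11d9-bed3-505054503030}",
    "AuditPolicyChanges": "%%8449, %%8451",
}

# Constructed sample: success and failure auditing stripped from Process Creation.
CONSTRUCTED_DISABLE = {
    "SubjectUserName": "domainadmin",
    "SubcategoryGuid": "{0cce922b-69ae-11d9-bed3-505054503030}",
    "AuditPolicyChanges": "%%8448, %%8450",
}

if __name__ == "__main__":
    for ev in (PAGE_EXAMPLE, CONSTRUCTED_DISABLE):
        print(evaluate_4719(ev))
```

The case-normalisation step matters in practice: the GUID in the example event is lower case while every vendor predicate in the table above is upper case, and a case-sensitive comparison silently matches nothing.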
Detection Rules #
Sigma #
- Windows Event Auditing Disabled source low: Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.
- Important Windows Event Auditing Disabled source high: Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
- Audit policy disabled by command line source high: Detects scenarios where an attacker attempts to disable the audit policy for defense evasion purposes.
Elastic #
- Sensitive Audit Policy Sub-Category Disabled source medium: Identifies attempts to disable auditing for some security sensitive audit policy sub-categories. This is often done by attackers in an attempt to evade detection and forensics on a system.
Splunk #
- Windows AD Domain Controller Audit Policy Disabled source: The following analytic detects the disabling of audit policies on a domain controller. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is…
- Windows Important Audit Policy Disabled source: The following analytic detects the disabling of important audit policies. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is significant as it…
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4719
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4719.yml
- Win32 ntsecapi.h audit-subcategory GUID DEFINE_GUID block https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/
Event ID 4720: A user account was created.
#Description
This event generates every time a new user object is created. This event generates on domain controllers, member servers, and workstations.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
TargetUserName UnicodeString | The name of the user account that was created. | 9 |
TargetDomainName UnicodeString | Domain name of created user account. | |
TargetSid SID | SID of created user account. | 2 |
SubjectUserSid SID | SID of account that requested the "create user account" operation. | 1 |
SubjectUserName UnicodeString | The name of the account that requested the "create user account" operation. | 1 |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | |
PrivilegeList UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference | |
SamAccountName UnicodeString | Pre-Windows 2000 logon name of the new account (sAMAccountName attribute). | 3 |
DisplayName UnicodeString | Display name of the new account (displayName attribute). | |
UserPrincipalName UnicodeString | User Principal Name of the new account (e.g., user@domain.com). "-" for local accounts. | |
HomeDirectory UnicodeString | Home directory path (homeDirectory attribute). Must be a UNC path if HomePath is set. "-" if not configured. | |
HomePath UnicodeString | Drive letter mapped to the home directory (homeDrive attribute), e.g., "H:". "-" if not configured. | |
ScriptPath UnicodeString | Logon script path (scriptPath attribute). "-" if not configured. | |
ProfilePath UnicodeString | Profile path (profilePath attribute). "-" if not configured. | |
UserWorkstations UnicodeString | Comma-separated list of workstations the account can log on from (userWorkstations attribute). "-" if unrestricted. | |
PasswordLastSet UnicodeString | Time the account's password was last set (pwdLastSet attribute). | |
AccountExpires UnicodeString | Date when the account expires (accountExpires attribute). Empty if not set. | |
PrimaryGroupId UnicodeString | RID of the account's primary group. 513 (Domain Users) for typical user accounts. | |
AllowedToDelegateTo UnicodeString | SPNs to which this account can present delegated Kerberos credentials (AllowedToDelegateTo attribute). "-" for most accounts. | |
OldUacValue UnicodeString | Previous userAccountControl value. Always "0x0" for newly created accounts. UAC flags reference | |
NewUacValue UnicodeString | New userAccountControl value applied to the account. UAC flags reference | |
UserAccountControl UnicodeString | Human-readable list of userAccountControl attribute changes applied during creation. | |
UserParameters UnicodeString | Opaque Dial-in settings blob. Shows <value changed, but not displayed> in Event ID 4738 when any Dial-in tab setting is modified. "-" if not configured. | |
SidHistory UnicodeString | Previous SIDs if the account was migrated from another domain (sIDHistory attribute). Usually "-" for new accounts. | |
LogonHours UnicodeString | Permitted logon hours (logonHours attribute). Typically "<value not set>" (%%1793) for new manually created accounts; "All" for local accounts. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4720,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-28T00:51:32.2049172+00:00",
"event_record_id": 6330,
"correlation": {},
"execution": {
"process_id": 680,
"thread_id": 3716
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "domainadmin",
"TargetDomainName": "cell-d",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1000",
"SubjectUserName": "localuser",
"SubjectDomainName": "cell-d",
"SubjectLogonId": "0xa30bd",
"PrivilegeList": "-",
"SamAccountName": "domainadmin",
"DisplayName": "-",
"UserPrincipalName": "-",
"HomeDirectory": "-",
"HomePath": "-",
"ScriptPath": "-",
"ProfilePath": "-",
"UserWorkstations": "-",
"PasswordLastSet": "%%1794",
"AccountExpires": "%%1794",
"PrimaryGroupId": "513",
"AllowedToDelegateTo": "-",
"OldUacValue": "0x0",
"NewUacValue": "0x211",
"UserAccountControl": "\n\t\t%%2080\n\t\t%%2084\n\t\t%%2089",
"UserParameters": "-",
"SidHistory": "-",
"LogonHours": "%%1793"
},
"message": "A user account was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1000\r\n\tAccount Name:\t\tlocaluser\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0xA30BD\r\n\r\nNew Account:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-d\r\n\r\nAttributes:\r\n\tSAM Account Name:\tdomainadmin\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t<never>\r\n\tAccount Expires:\t\t<never>\r\n\tPrimary Group ID:\t513\r\n\tAllowed To Delegate To:\t-\r\n\tOld UAC Value:\t\t0x0\r\n\tNew UAC Value:\t\t0x211\r\n\tUser Account Control:\t\r\n\t\tAccount Disabled\r\n\t\t'Normal Account' - Enabled\r\n\t\t'Don't Expire Password' - Enabled\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t<value not set>\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-"
}
Detection Patterns #
5 rules
Splunk
Persistence: Account Manipulation
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
TargetUserName | ends_with | $ | 3 rules | kusto, sigma |
AccountType | eq | User | 2 rules | kusto |
All_Changes.result_id | eq | 4720 | 2 rules | splunk |
TargetUserName | eq | HomeGroupUser$ | 2 rules | sigma |
Computer | eq | %domain_controllers% | 1 rule | sigma |
SubjectUserSid | starts_with | S-1-5-21- | 1 rule | sigma |
OldTargetUserName | ends_with | $ | 1 rule | elastic, sigma |
TargetSid | eq | S-1-5-32-544 | 1 rule | kusto, sigma |
CommandLine | match | (?i)(\-u)|(user)|(localgroup)|(group) | 1 rule | splunk |
CommandLine | match | (?i).add | 1 rule | splunk |
NewTargetUserName | ends_with | $ | 1 rule | sigma |
NewTargetUserName | match | $ | 1 rule | sigma |
TimeDelta | ge | 0 | 1 rule | kusto |
signature_id | match | (?i)4720 | 1 rule | splunk |
user_group | match | (?i)(users)|(administrators)|(remote) | 1 rule | splunk |
Detection Rules #
Sigma #
- Hidden Local User Creation source high: Detects the creation of a local hidden user account which should not happen for event ID 4720.
- Suspicious Windows ANONYMOUS LOGON Local Account Created source high: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
- Local User Creation source low: Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
- User account created by a computer account source high: Detects scenarios where an attacker would abuse some privileges while relaying host credentials to escalate privileges.
- Fortinet APT group abuse on Windows (user) source high: Detects scenarios where APT actors exploit Fortinet vulnerabilities to gain access into Windows infrastructure.
Splunk #
- Windows Create Local Account source: The following analytic detects the creation of a new local user account on a Windows system. It leverages Windows Security Audit logs, specifically event ID 4720, to identify this activity. Monitoring the creation of local accounts is…
Kusto #
- Fake computer account created source medium: This query detects domain user accounts creation (event ID 4720) where the username ends with $. Accounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.
YARA-L #
- Windows Short Term Account Use source: Detects the creation, login, and deletion of a user account over a predefined timeframe. Also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials., Event ID 4726: A user account was deleted.
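Two things in a 4720 carry most of the signal: the `New UAC Value`, which the message renders as flag names, and the shape of `TargetUserName` / `SubjectUserName`, which the "$"-suffix rules above key on. The following is an added example, not code from this page, from Microsoft or from any rule author, that decodes the UAC value and applies those checks. The flag table is the SAM `USER_*` flag set that 4720/4738 log (it is not the LDAP `userAccountControl` bit layout, which numbers the bits differently); the `RISKY_FLAGS` choice and the second sample event are mine.

```python
"""Added example (not from the original page): decode the New UAC Value of a
4720 event and apply the name-shape checks the rules on the page describe.
SAM_UAC_FLAGS is the SAM USER_* flag set as logged by 4720/4738; CONSTRUCTED
is a hand-made sample event."""

# SAM account-control flags as logged in the 4720 "New UAC Value" field.
SAM_UAC_FLAGS = {
    0x00001: "ACCOUNT_DISABLED",
    0x00002: "HOME_DIRECTORY_REQUIRED",
    0x00004: "PASSWORD_NOT_REQUIRED",
    0x00008: "TEMP_DUPLICATE_ACCOUNT",
    0x00010: "NORMAL_ACCOUNT",
    0x00020: "MNS_LOGON_ACCOUNT",
    0x00040: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00080: "WORKSTATION_TRUST_ACCOUNT",
    0x00100: "SERVER_TRUST_ACCOUNT",
    0x00200: "DONT_EXPIRE_PASSWORD",
    0x00400: "ACCOUNT_AUTO_LOCKED",
    0x00800: "ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x01000: "SMARTCARD_REQUIRED",
    0x02000: "TRUSTED_FOR_DELEGATION",
    0x04000: "NOT_DELEGATED",
    0x08000: "USE_DES_KEY_ONLY",
    0x10000: "DONT_REQUIRE_PREAUTH",
    0x20000: "PASSWORD_EXPIRED",
    0x40000: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x80000: "NO_AUTH_DATA_REQUIRED",
}

# Flags that weaken a freshly created account's authentication posture
# (author's selection for this example, not a vendor list).
RISKY_FLAGS = {
    "PASSWORD_NOT_REQUIRED",
    "DONT_REQUIRE_PREAUTH",
    "TRUSTED_FOR_DELEGATION",
    "USE_DES_KEY_ONLY",
}

# Names the Sigma rules exclude from the "$"-suffix check.
BENIGN_DOLLAR_NAMES = {"HomeGroupUser$"}


def decode_sam_uac(value: str) -> list[str]:
    """'0x211' -> ['ACCOUNT_DISABLED', 'NORMAL_ACCOUNT', 'DONT_EXPIRE_PASSWORD']"""
    bits = int(value, 16)
    return [name for bit, name in sorted(SAM_UAC_FLAGS.items()) if bits & bit]


def assess_4720(event_data: dict) -> dict:
    """Flag decoding plus the two name-shape checks from the rules above."""
    name = event_data.get("TargetUserName", "")
    flags = decode_sam_uac(event_data.get("NewUacValue", "0x0"))
    # A *user* object whose name ends in "$" mimics a computer account;
    # genuine computer-account creation is logged as 4741, not 4720.
    computer_style = name.endswith("$") and name not in BENIGN_DOLLAR_NAMES
    # Creator itself is a machine account: the relay/escalation pattern.
    created_by_machine = event_data.get("SubjectUserName", "").endswith("$")
    return {
        "flags": flags,
        "risky_flags": sorted(RISKY_FLAGS.intersection(flags)),
        "computer_style_name": computer_style,
        "created_by_machine_account": created_by_machine,
    }


# The page's own example: a disabled normal account with a non-expiring password.
PAGE_EXAMPLE = {
    "TargetUserName": "domainadmin",
    "SubjectUserName": "localuser",
    "NewUacValue": "0x211",
}

# Constructed sample: "$"-named user created by a machine account, with
# PASSWORD_NOT_REQUIRED and DONT_REQUIRE_PREAUTH set (0x4 | 0x10 | 0x10000).
CONSTRUCTED = {
    "TargetUserName": "svc-backup$",
    "SubjectUserName": "WS01$",
    "NewUacValue": "0x10014",
}

if __name__ == "__main__":
    for ev in (PAGE_EXAMPLE, CONSTRUCTED):
        print(ev["TargetUserName"], assess_4720(ev))
```

Decoding the numeric value rather than matching the rendered strings keeps the check locale-independent: the `%%2080`-style codes in `UserAccountControl` are resolved by the viewer's message table, while `NewUacValue` is the same hex on every system.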
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/evtx-4720-account-created.md
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4720.yml
Event ID 4722: A user account was enabled.
#Description
This event generates every time a user or computer object is enabled.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
TargetUserName UnicodeString | The name of the account that was enabled. | 5 |
TargetDomainName UnicodeString | Target account's domain or computer name. | |
TargetSid SID | SID of account that was enabled. | |
SubjectUserSid SID | SID of account that requested the "enable account" operation. | |
SubjectUserName UnicodeString | The name of the account that requested the "enable account" operation. | |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4722,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-28T00:58:03.3603916+00:00",
"event_record_id": 6613,
"correlation": {},
"execution": {
"process_id": 680,
"thread_id": 2500
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "TELEMETRY-W11-D$",
"TargetDomainName": "cell-d",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1106",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "cell-d",
"SubjectLogonId": "0x27dc13"
},
"message": "A user account was enabled.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x27DC13\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1106\r\n\tAccount Name:\t\tTELEMETRY-W11-D$\r\n\tAccount Domain:\t\tcell-d"
}
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
TimeDelta | ge | 0 | 1 rule | kusto |
Detection Rules #
Sigma #
- Disabled guest or builtin account activated source medium: Detects scenarios where an attacker enables a disabled builtin account.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4722
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4722.yml
Event ID 4723: An attempt was made to change an account's password.
#Description
An attempt was made to change an account's password.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
TargetUserName | The name of the account for which the password change was requested. | |
TargetDomainName | Target account's domain or computer name. | |
TargetSid | SID of account for which the password change was requested. | 1 |
SubjectUserSid | SID of account that made an attempt to change Target's Account password. | 1 |
SubjectUserName | The name of the account that made an attempt to change Target's Account password. | |
SubjectDomainName | Subject's domain or computer name. | |
SubjectLogonId | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
PrivilegeList | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4723,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2021-12-04T22:47:47.872773Z",
"event_record_id": 233289145,
"correlation": {
"#attributes": {
"ActivityID": "D96638DA-E4F9-0001-F038-66D9F9E4D701"
}
},
"execution": {
"process_id": 596,
"thread_id": 3492
},
"channel": "Security",
"computer": "rootdc1.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "hacker2",
"TargetDomainName": "OFFSEC",
"TargetSid": "S-1-5-21-4230534742-2542757381-3142984815-1242",
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"SubjectUserName": "admmig",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x10e7c4430",
"PrivilegeList": "-"
}
}
Detection Patterns #
Persistence: Account Manipulation
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
SubjectUserSid | starts_with | S-1-5-21- | 1 rule | sigma |
TargetSid | starts_with | S-1-5-21- | 1 rule | sigma |
Total | gt | 5 | 1 rule | kusto |
Detection Rules #
Sigma #
- User password change using current hash password - ChangeNTLM (Mimikatz) source high: Detects scenarios where an attacker resets a user account by using the compromised NTLM password hash. The new clear-text password defined by the attacker can then be used in order to log in to services like Outlook Web Access (OWA), RDP, SharePoint... As ID 4723 refers to a user changing their own password, the SubjectSid and TargetSid should be equal. However, in a change initiated by Mimikatz, they will be different. Correlate the event IDs 4723, 4624 and 5145 using the "SubjectLogonId" field to identify the source of the reset.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4723
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4723
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4723.yml
Event ID 4724: An attempt was made to reset an account's password.
#Description
This event generates every time an account attempted to reset the password for another account.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
TargetUserName UnicodeString | The name of the account for which password reset was requested. | 1 |
TargetDomainName UnicodeString | Target account's domain or computer name. | |
TargetSid SID | SID of account for which password reset was requested. | 1 |
SubjectUserSid SID | SID of account that made an attempt to reset Target's Account password. | |
SubjectUserName UnicodeString | The name of the account that made an attempt to reset Target's Account password. | |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4724,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-28T00:51:32.6147700+00:00",
"event_record_id": 1404479,
"correlation": {},
"execution": {
"process_id": 808,
"thread_id": 3064
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "domainadmin",
"TargetDomainName": "cell-a",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1000",
"SubjectUserName": "localuser",
"SubjectDomainName": "cell-a",
"SubjectLogonId": "0x1a69fef"
},
"message": "An attempt was made to reset an account's password.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1000\r\n\tAccount Name:\t\tlocaluser\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x1A69FEF\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-a"
}
Detection Patterns #
Persistence: Account Manipulation (1 rule)
Lateral Movement: Exploitation of Remote Services (1 rule)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
LogonType | eq | Network | 1 rule | elastic, kusto, sigma, splunk |
src_ip | eq | ::1 | 1 rule | elastic, sigma |
ShareName | wildcard | \\*\IPC$ | 1 rule | sigma |
src_ip | eq | 127.0.0.1 | 1 rule | sigma |
AuthenticationPackageName | eq | NTLM | 1 rule | elastic, kusto, sigma, splunk |
TargetUserName | ends_with | $ | 1 rule | kusto, sigma |
EventType | eq | logged-in | 1 rule | elastic |
event.outcome | eq | success | 1 rule | elastic |
Computer | eq | %domain_controllers% | 1 rule | sigma |
SubjectUserSid | starts_with | S-1-5-21- | 1 rule | sigma |
TargetSid | starts_with | S-1-5-21- | 1 rule | sigma |
RelativeTargetName | eq | samr | 1 rule | sigma |
status | eq | success | 1 rule | splunk |
unique_users | gt | 5 | 1 rule | splunk |
Total | gt | 5 | 1 rule | kusto |
Detection Rules #
Sigma #
- Suspicious Kerberos password account reset to issue potential Golden ticket (medium): Detects scenarios where a suspicious password reset of the Krbtgt account is performed by an attacker to issue a potential Golden ticket.
Splunk #
- Windows Multiple Account Passwords Changed: The following analytic detects instances where more than five unique Windows account passwords are changed within a 10-minute interval. It leverages Event Code 4724 from the Windows Security Event Log, using the wineventlog_security…
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4724
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4724.yml
Event ID 4725: A user account was disabled.
Description #
This event generates every time a user or computer object is disabled.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | The name of the account that was disabled. |
TargetDomainName UnicodeString | Target account's domain or computer name. |
TargetSid SID | SID of account that was disabled. |
SubjectUserSid SID | SID of account that requested the "disable account" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "disable account" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4725,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-10-25T22:53:19.612560+00:00",
"event_record_id": 2634,
"correlation": {
"ActivityID": "D5BBEBF4-0795-0001-A8EC-BBD59507DA01"
},
"execution": {
"process_id": 824,
"thread_id": 880
},
"channel": "Security",
"computer": "WinDevEval",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "Administrator",
"TargetDomainName": "WINDEVEVAL",
"TargetSid": "S-1-5-21-2533829718-189860685-2477588761-500",
"SubjectUserSid": "S-1-5-21-2533829718-189860685-2477588761-500",
"SubjectUserName": "Administrator",
"SubjectDomainName": "WINDEVEVAL",
"SubjectLogonId": "0x42eea"
},
"message": ""
}
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
status | eq | success | 1 rule | splunk |
unique_users | gt | 5 | 1 rule | splunk |
TimeDelta | ge | 0 | 1 rule | kusto |
Detection Rules #
Splunk #
- Windows Multiple Accounts Disabled: The following analytic identifies instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. It leverages the wineventlog_security…
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4725
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4725
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4725.yml
Event ID 4726: A user account was deleted.
Description #
This event generates every time a user object is deleted. This event generates on domain controllers, member servers, and workstations.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName | The name of the account that was deleted. |
TargetDomainName | Target account's domain or computer name. |
TargetSid | SID of account that was deleted. |
SubjectUserSid | SID of account that requested the "delete user account" operation. |
SubjectUserName | The name of the account that requested the "delete user account" operation. |
SubjectDomainName | Subject's domain or computer name. |
SubjectLogonId | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
PrivilegeList | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4726,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-01-24T17:03:25.009874Z",
"event_record_id": 1934526,
"correlation": {},
"execution": {
"process_id": 480,
"thread_id": 1496
},
"channel": "Security",
"computer": "fs03vuln.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "3teamssixf$",
"TargetDomainName": "FS03VULN",
"TargetSid": "S-1-5-21-2721507831-1374043488-2540227515-1008",
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"SubjectUserName": "admmig",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x14f509e2",
"PrivilegeList": "-"
}
}
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
status | eq | success | 1 rule | splunk |
unique_users | gt | 5 | 1 rule | splunk |
All_Changes.result_id | eq | 4720 | 1 rule | splunk |
TimeDelta | ge | 0 | 1 rule | kusto |
Detection Rules #
Splunk #
- Windows Multiple Accounts Deleted: The following analytic detects the deletion of more than five unique Windows accounts within a 10-minute period, using Event Code 4726 from the Windows Security Event Log. It leverages the wineventlog_security dataset, segmenting data…
YARA-L #
- Windows Short Term Account Use: Detects the creation, login, and deletion of a user account over a predefined timeframe. Also matches: Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials., Event ID 4720: A user account was created.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4726
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4726.yml
Event ID 4727: A security-enabled global group was created.
Description #
Event 4727 is the same as 4731, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4727(S) generates only for domain groups, so the Local sections in event 4731 do not apply.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
TargetUserName UnicodeString | The name of the group that was created. | 23 |
TargetDomainName UnicodeString | Domain or computer name of the created group. | |
TargetSid SID | [New Group] Security ID. | |
SubjectUserSid SID | SID of account that requested the "create group" operation. | |
SubjectUserName UnicodeString | The name of the account that requested the "create group" operation. | |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
PrivilegeList UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". | |
SamAccountName UnicodeString | The pre-Windows 2000 logon name of the new group, used to support clients and servers from previous versions of Windows. This is the value of the sAMAccountName attribute of the new group object. For example: ServiceDesk. For local groups it is simply the name of the new group. | |
SidHistory UnicodeString | Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID; the previous SID is added to the sIDHistory property. This parameter contains the value of the sIDHistory attribute of the new group object. It might not be captured in the event, in which case it appears as "-". For local groups it is not applicable and always has the value "-". | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4727,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-07T16:44:41.241410+00:00",
"event_record_id": 51,
"correlation": {
"ActivityID": "C1DC836A-4A9E-0000-8485-DCC19E4AD801"
},
"execution": {
"process_id": 648,
"thread_id": 652
},
"channel": "Security",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "Storage Replica Administrators",
"TargetDomainName": "Builtin",
"TargetSid": "S-1-5-32-582",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "MINWINPC$",
"SubjectDomainName": "",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-",
"SamAccountName": "Storage Replica Administrators",
"SidHistory": "-"
},
"message": ""
}
Detection Patterns #
Persistence: Domain Account
1 rule
Persistence: Domain Account
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
AccountType | eq | User | 1 rule | kusto |
TargetSid | regex_match | S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$ | 1 rule | kusto |
TargetSid | regex_match | S-1-5-32-5[0-9][0-9]$ | 1 rule | kusto |
Detection Rules #
Sigma #
- Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity (high): Detects any creation or modification to a Windows domain group with the name "ESX Admins". This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default. Also matches: Event ID 4728: A member was added to a security-enabled global group., Event ID 4731: A security-enabled local group was created., Event ID 4737: A security-enabled global group was changed., Event ID 4754: A security-enabled universal group was created., Event ID 4755: A security-enabled universal group was changed., Event ID 4756: A member was added to a security-enabled universal group.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4727
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4727
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4727.yml
Event ID 4728: A member was added to a security-enabled global group.
Description #
Event 4728 is the same as 4732, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4728(S) generates only for domain groups, so the Local sections in event 4732 do not apply.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
MemberName UnicodeString | Distinguished name (DN) of the account added to the group. "-" for local groups even when the member is a domain account. | 2 |
MemberSid SID | SID of account that was added to the group. | |
TargetUserName UnicodeString | The name of the group to which new member was added. | 43 |
TargetDomainName UnicodeString | Domain or computer name of the group to which the new member was added. | |
TargetSid SID | SID of the group to which new member was added. | 11 |
SubjectUserSid SID | SID of account that requested the "add member to the group" operation. | |
SubjectUserName UnicodeString | The name of the account that requested the "add member to the group" operation. | |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
PrivilegeList UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". | |
MembershipExpirationTime | | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4728,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-28T00:51:32.6079798+00:00",
"event_record_id": 6344,
"correlation": {},
"execution": {
"process_id": 680,
"thread_id": 3716
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"MemberName": "CN=domainadmin,CN=Users,DC=cell-d,DC=ludus,DC=domain",
"MemberSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"TargetUserName": "Group Policy Creator Owners",
"TargetDomainName": "cell-d",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-520",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1000",
"SubjectUserName": "localuser",
"SubjectDomainName": "cell-d",
"SubjectLogonId": "0xa30bd",
"PrivilegeList": "-"
},
"message": "A member was added to a security-enabled global group.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1000\r\n\tAccount Name:\t\tlocaluser\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0xA30BD\r\n\r\nMember:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tCN=domainadmin,CN=Users,DC=cell-d,DC=ludus,DC=domain\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-520\r\n\tGroup Name:\t\tGroup Policy Creator Owners\r\n\tGroup Domain:\t\tcell-d\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}
Detection Patterns #
14 rules (Sigma)
13 rules (Sigma)
13 rules (Sigma)
Member Added: 12 rules (Sigma)
Member Added: 11 rules (Sigma)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
TargetSid | regex_match | S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$ | 3 rules | kusto |
TargetSid | regex_match | S-1-5-32-5[0-9][0-9]$ | 3 rules | kusto |
AccountType | eq | User | 2 rules | kusto |
TargetSid | starts_with | S-1-5-21- | 2 rules | sigma |
TargetSid | ends_with | -520 | 2 rules | sigma |
SubjectUserSid | eq | S-1-5-18 | 1 rule | elastic, sigma, splunk |
TargetUserName | eq | DnsAdmins | 1 rule | sigma, splunk |
Community Notes #
Member added to a security-enabled global group. May indicate domain-level privilege escalation, i.e., membership in Domain Admins.
Detection Rules #
Sigma #
- Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity (high): Detects any creation or modification to a Windows domain group with the name "ESX Admins". This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default. Also matches: Event ID 4727: A security-enabled global group was created., Event ID 4731: A security-enabled local group was created., Event ID 4737: A security-enabled global group was changed., Event ID 4754: A security-enabled universal group was created., Event ID 4755: A security-enabled universal group was changed., Event ID 4756: A member was added to a security-enabled universal group.
Elastic #
- Active Directory Group Modification by SYSTEM (medium): Identifies a user being added to an Active Directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.
Splunk #
- Windows AD add Self to Group: This analytic detects instances where a user adds themselves to an Active Directory (AD) group. This activity is a common indicator of privilege escalation, where a user attempts to gain unauthorized access to higher privileges or…
- Windows AD Privileged Group Modification: This detection identifies when users are added to privileged Active Directory groups by leveraging the Windows Security Event Code 4728 along with a lookup of privileged AD groups provided by Splunk Enterprise Security. Attackers often add…
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4728
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4728.yml
Event ID 4729: A member was removed from a security-enabled global group.
Description #
Event 4729 is the same as 4733, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4729(S) generates only for domain groups, so the Local sections in event 4733 do not apply.
Message #
Fields #
| Name | Description |
|---|---|
MemberName | Distinguished name (DN) of the account removed from the group. "-" for local groups even when the member is a domain account. |
MemberSid | SID of account that was removed from the group. |
TargetUserName | The name of the group from which the member was removed. For example: ServiceDesk. |
TargetDomainName | Domain or computer name of the group from which the member was removed. |
TargetSid | SID of the group from which the member was removed. |
SubjectUserSid | SID of account that requested the "remove member from the group" operation. |
SubjectUserName | The name of the account that requested the "remove member from the group" operation. |
SubjectDomainName | Subject's domain or computer name. |
SubjectLogonId | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
PrivilegeList | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4729,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-01-24T17:03:25.009874Z",
"event_record_id": 1934525,
"correlation": {},
"execution": {
"process_id": 480,
"thread_id": 1496
},
"channel": "Security",
"computer": "fs03vuln.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"MemberName": "-",
"MemberSid": "S-1-5-21-2721507831-1374043488-2540227515-1008",
"TargetUserName": "None",
"TargetDomainName": "FS03VULN",
"TargetSid": "S-1-5-21-2721507831-1374043488-2540227515-513",
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"SubjectUserName": "admmig",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x14f509e2",
"PrivilegeList": "-"
}
}
Detection Patterns #
Persistence: Account Manipulation
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
TargetSid | regex_match | S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$ | 1 rule | kusto |
TargetSid | regex_match | S-1-5-32-5[0-9][0-9]$ | 1 rule | kusto |
Community Notes #
A member was removed from a security-enabled global group; this may be an effort to slow incident response or to clean up after an escalation. A security-enabled local group change indicates changes to local Administrators or Remote Desktop Users.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4729
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4729
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4729.yml
Event ID 4730: A security-enabled global group was deleted.
Description #
Event 4730 is the same as 4734, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4730(S) generates only for domain groups, so the Local sections in event 4734 do not apply.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | The name of the group that was deleted. For example: ServiceDesk. |
TargetDomainName UnicodeString | Domain or computer name of the deleted group. |
TargetSid SID | SID of deleted group. |
SubjectUserSid SID | SID of account that requested the "delete group" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "delete group" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
PrivilegeList UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4730,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:16:14.140561+00:00",
"event_record_id": 16240240,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 6288
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "evtgen_global",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1118",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"PrivilegeList": "-"
},
"message": ""
}
Detection Patterns #
Persistence: Domain Account
1 rule
Persistence: Account Manipulation
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4730
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4730
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4730.yml
Event ID 4731: A security-enabled local group was created.
Description #
This event generates every time a new security-enabled (security) local group is created. This event generates on domain controllers, member servers, and workstations.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | The name of the group that was created. |
TargetDomainName UnicodeString | Domain or computer name of the created group. |
TargetSid SID | [New Group] Security ID. |
SubjectUserSid SID | SID of account that requested the "create group" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "create group" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
PrivilegeList UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
SamAccountName UnicodeString | The pre-Windows 2000 logon name of the new group, used to support clients and servers from previous versions of Windows. This is the value of the sAMAccountName attribute of the new group object. For example: ServiceDesk. For local groups it is simply the name of the new group. |
SidHistory UnicodeString | Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID; the previous SID is added to the sIDHistory property. This parameter contains the value of the sIDHistory attribute of the new group object. It might not be captured in the event, in which case it appears as "-". For local groups it is not applicable and always has the value "-". |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4731,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T05:18:54.2855734+00:00",
"event_record_id": 822701,
"correlation": {},
"execution": {
"process_id": 712,
"thread_id": 5924
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "Access-Denied Assistance Users",
"TargetDomainName": "cell-d",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-2602",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-D$",
"SubjectDomainName": "cell-d",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-",
"SamAccountName": "Access-Denied Assistance Users",
"SidHistory": "-"
},
"message": "A security-enabled local group was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x3E7\r\n\r\nNew Group:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-2602\r\n\tGroup Name:\t\tAccess-Denied Assistance Users\r\n\tGroup Domain:\t\tcell-d\r\n\r\nAttributes:\r\n\tSAM Account Name:\tAccess-Denied Assistance Users\r\n\tSID History:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}
Detection Patterns #
Persistence: Domain Account
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
AccountType | eq | User | 1 rule | kusto |
TargetSid | regex_match | S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$ | 1 rule | kusto |
TargetSid | regex_match | S-1-5-32-5[0-9][0-9]$ | 1 rule | kusto |
Detection Rules #
Sigma #
- Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity (high): Detects any creation or modification to a Windows domain group with the name "ESX Admins". This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default. Also matches: Event ID 4727: A security-enabled global group was created., Event ID 4728: A member was added to a security-enabled global group., Event ID 4737: A security-enabled global group was changed., Event ID 4754: A security-enabled universal group was created., Event ID 4755: A security-enabled universal group was changed., Event ID 4756: A member was added to a security-enabled universal group.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4731
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4731
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4731.yml
Event ID 4732: A member was added to a security-enabled local group.
#Description
This event generates every time a new member is added to a security-enabled (security) local group.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| MemberName | UnicodeString | Distinguished name (DN) of the account added to the group. "-" for local groups even when the member is a domain account. | |
| MemberSid | SID | SID of the account that was added to the group. | 1 |
| TargetUserName | UnicodeString | The name of the group to which the new member was added. | 3 |
| TargetDomainName | UnicodeString | Domain or computer name of the group to which the new member was added. | |
| TargetSid | SID | SID of the group to which the new member was added. | 24 |
| SubjectUserSid | SID | SID of the account that requested the "add member to the group" operation. | 2 |
| SubjectUserName | UnicodeString | The name of the account that requested the "add member to the group" operation. | 1 |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. | |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
| PrivilegeList | UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference | |
| MembershipExpirationTime | | | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4732,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T13:40:38.0272728+00:00",
"event_record_id": 1207739,
"correlation": {},
"execution": {
"process_id": 736,
"thread_id": 944
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"MemberName": "-",
"MemberSid": "S-1-5-21-1006758700-2167138679-1475694448-1001",
"TargetUserName": "RDS Remote Access Servers",
"TargetDomainName": "Builtin",
"TargetSid": "S-1-5-32-575",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-D$",
"SubjectDomainName": "cell-d",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-"
},
"message": "A member was added to a security-enabled local group.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x3E7\r\n\r\nMember:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1001\r\n\tAccount Name:\t\t-\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-32-575\r\n\tGroup Name:\t\tRDS Remote Access Servers\r\n\tGroup Domain:\t\tBuiltin\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}
Detection Patterns #
- Member Added: 13 rules (Sigma, Splunk)
- Member Added: 12 rules (Sigma)
- Member Added: 11 rules (Sigma)
- Persistence: Account Manipulation: 11 rules (Sigma)
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| AccountType | eq | User | 3 rules | kusto |
| TargetSid | regex_match | S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$ | 3 rules | kusto |
| TargetSid | regex_match | S-1-5-32-5[0-9][0-9]$ | 3 rules | kusto |
| SubjectUserSid | eq | S-1-5-18 | 2 rules | elastic, sigma, splunk |
| TargetSid | eq | S-1-5-32-544 | 2 rules | kusto, sigma |
| TargetUserName | eq | DnsAdmins | 2 rules | sigma, splunk |
| TargetSid | starts_with | S-1-5-32 | 2 rules | sigma |
| CommandLine | match | (?i)(\-u)\|(user)\|(localgroup)\|(group) | 1 rule | splunk |
| CommandLine | match | (?i).add | 1 rule | splunk |
| TargetUserName | starts_with | Administr | 1 rule | sigma |
| signature_id | match | (?i)4720 | 1 rule | splunk |
| user_group | match | (?i)(users)\|(administrators)\|(remote) | 1 rule | splunk |
Detection Rules #
Sigma #
- User Added to Local Administrator Group source medium: Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity
- High risk local/domain local group membership change source high: Detects scenarios where a suspicious group membership is changed. Having Microsoft LAPS installed may trigger false positive events for the builtin administrators group triggered by the system account (S-1-5-18).
- Medium risk local/domain local group membership change source high: Detects scenarios where a suspicious group membership is changed.
Splunk #
- Windows DnsAdmins New Member Added source: The following analytic detects the addition of a new member to the DnsAdmins group in Active Directory by leveraging Event ID 4732. This detection uses security event logs to identify changes to this high-privilege group. Monitoring this…
Kusto #
- Local Admin Group Changes source high: This query searches for changes to the local administrators group. Blogpost: https://www.verboon.info/2020/09/hunting-for-local-group-membership-changes.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4732.yml
Event ID 4733: A member was removed from a security-enabled local group.
#Description
This event generates every time a member is removed from a security-enabled (security) local group.
Message #
Fields #
| Name | Description |
|---|---|
| MemberName | Distinguished name (DN) of the account removed from the group. "-" for local groups even when the member is a domain account. |
| MemberSid | SID of the account that was removed from the group. |
| TargetUserName | The name of the group from which the member was removed. For example: ServiceDesk. |
| TargetDomainName | Domain or computer name of the group from which the member was removed. |
| TargetSid | SID of the group from which the member was removed. |
| SubjectUserSid | SID of the account that requested the "remove member from the group" operation. |
| SubjectUserName | The name of the account that requested the "remove member from the group" operation. |
| SubjectDomainName | Subject's domain or computer name. |
| SubjectLogonId | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| PrivilegeList | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4733,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T05:13:10.3360440+00:00",
"event_record_id": 2882805,
"correlation": {},
"execution": {
"process_id": 852,
"thread_id": 4760
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"MemberName": "-",
"MemberSid": "S-1-5-17",
"TargetUserName": "IIS_IUSRS",
"TargetDomainName": "Builtin",
"TargetSid": "S-1-5-32-568",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-C$",
"SubjectDomainName": "cell-c",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-"
},
"message": "A member was removed from a security-enabled local group.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nMember:\r\n\tSecurity ID:\t\tS-1-5-17\r\n\tAccount Name:\t\t-\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-32-568\r\n\tGroup Name:\t\tIIS_IUSRS\r\n\tGroup Domain:\t\tBuiltin\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| TargetSid | regex_match | S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$ | 1 rule | kusto |
| TargetSid | regex_match | S-1-5-32-5[0-9][0-9]$ | 1 rule | kusto |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4733
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4733
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4733.yml
Event ID 4734: A security-enabled local group was deleted.
#Description
This event generates every time a security-enabled (security) local group is deleted. This event generates on domain controllers, member servers, and workstations.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | The name of the group that was deleted. For example: ServiceDesk. |
| TargetDomainName | UnicodeString | Domain or computer name of the deleted group. |
| TargetSid | SID | SID of the deleted group. |
| SubjectUserSid | SID | SID of the account that requested the "delete group" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "delete group" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| PrivilegeList | UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4734,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:16:14.168517+00:00",
"event_record_id": 16240246,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 1756
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "evtgen_domlocal",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1119",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"PrivilegeList": "-"
},
"message": ""
}
Detection Patterns #
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4734
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4734
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4734.yml
Event ID 4735: A security-enabled local group was changed.
#Description
This event generates every time a security-enabled (security) local group is changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | The name of the group that was changed. For example: ServiceDesk. |
| TargetDomainName | UnicodeString | Domain or computer name of the changed group. |
| TargetSid | SID | SID of the changed group. |
| SubjectUserSid | SID | SID of the account that requested the "change group" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "change group" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| PrivilegeList | UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference |
| SamAccountName | UnicodeString | The new pre-Windows 2000 logon name of the changed group, used to support clients and servers from previous versions of Windows. For example: ServiceDesk. For local groups it is simply the new name of the group, if it was changed. |
| SidHistory | UnicodeString | Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID; the previous SID is added to the sIDHistory property. For local groups it is not applicable and always has the "-" value. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4735,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T05:13:10.3426710+00:00",
"event_record_id": 2882816,
"correlation": {},
"execution": {
"process_id": 852,
"thread_id": 4760
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "IIS_IUSRS",
"TargetDomainName": "Builtin",
"TargetSid": "S-1-5-32-568",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-C$",
"SubjectDomainName": "cell-c",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-",
"SamAccountName": "-",
"SidHistory": "-"
},
"message": "A security-enabled local group was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-32-568\r\n\tGroup Name:\t\tIIS_IUSRS\r\n\tGroup Domain:\t\tBuiltin\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\t-\r\n\tSID History:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}
Detection Patterns #
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4735
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4735
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4735.yml
Event ID 4737: A security-enabled global group was changed.
#Description
Event 4737 is the same as 4735, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4737(S) generates only for domain groups, so the Local sections in event 4735 do not apply.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | The name of the group that was changed. For example: ServiceDesk. |
| TargetDomainName | UnicodeString | Domain or computer name of the changed group. |
| TargetSid | SID | SID of the changed group. |
| SubjectUserSid | SID | SID of the account that requested the "change group" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "change group" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| PrivilegeList | UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference |
| SamAccountName | UnicodeString | The new pre-Windows 2000 logon name of the changed group, used to support clients and servers from previous versions of Windows. For example: ServiceDesk. For local groups it is simply the new name of the group, if it was changed. |
| SidHistory | UnicodeString | Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID; the previous SID is added to the sIDHistory property. For local groups it is not applicable and always has the "-" value. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4737,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-28T01:01:27.8749648+00:00",
"event_record_id": 6842,
"correlation": {},
"execution": {
"process_id": 680,
"thread_id": 856
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "Domain Controllers",
"TargetDomainName": "cell-d",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-516",
"SubjectUserSid": "S-1-5-7",
"SubjectUserName": "ANONYMOUS LOGON",
"SubjectDomainName": "NT AUTHORITY",
"SubjectLogonId": "0x3e6",
"PrivilegeList": "-",
"SamAccountName": "-",
"SidHistory": "-"
},
"message": "A security-enabled global group was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-7\r\n\tAccount Name:\t\tANONYMOUS LOGON\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E6\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-516\r\n\tGroup Name:\t\tDomain Controllers\r\n\tGroup Domain:\t\tcell-d\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\t-\r\n\tSID History:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}
Detection Patterns #
Detection Rules #
Sigma #
- Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity source high: Detects any creation or modification of a Windows domain group with the name "ESX Admins". This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default. ↳ also matches: Event ID 4727: A security-enabled global group was created., Event ID 4728: A member was added to a security-enabled global group., Event ID 4731: A security-enabled local group was created., Event ID 4754: A security-enabled universal group was created., Event ID 4755: A security-enabled universal group was changed., Event ID 4756: A member was added to a security-enabled universal group.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4737
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4737
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4737.yml
Event ID 4738: A user account was changed.
#Description
This event generates every time a user object is changed.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| Dummy | UnicodeString | | |
| TargetUserName | UnicodeString | The name of the account that was changed. | |
| TargetDomainName | UnicodeString | Target account's domain or computer name. | |
| TargetSid | SID | SID of the account that was changed. | |
| SubjectUserSid | SID | SID of the account that requested the "change user account" operation. | |
| SubjectUserName | UnicodeString | The name of the account that requested the "change user account" operation. | |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. | |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
| PrivilegeList | UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference | |
| SamAccountName | UnicodeString | Logon name for the account, used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). For example: ladmin. Local accounts always populate it. | |
| DisplayName | UnicodeString | The name displayed in the address book for the account, usually the combination of the user's first name, middle initial, and last name. Local accounts always populate it. | |
| UserPrincipalName | UnicodeString | Internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. For local accounts, this field is not applicable and always has the "-" value. | |
| HomeDirectory | UnicodeString | User's home directory. If the homeDrive attribute is set and specifies a drive letter, homeDirectory should be a UNC path of the form \\Server\Share\Directory. Local accounts always populate it. | |
| HomePath | UnicodeString | The drive letter to which the UNC path specified by the account's homeDirectory attribute is mapped. The drive letter must be specified in the form "DRIVE_LETTER:", for example "H:". Local accounts always populate it. | |
| ScriptPath | UnicodeString | Path of the account's logon script. Local accounts always populate it. | |
| ProfilePath | UnicodeString | Path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. Local accounts always populate it. | |
| UserWorkstations | UnicodeString | List of NetBIOS or DNS names of the computers from which the user can log on, separated by commas. The name of a computer is the sAMAccountName property of the computer object. For local accounts, this field is not applicable and always appears as "\." | |
| PasswordLastSet | UnicodeString | Last time the account's password was modified, for example 8/12/2015 11:41:39 AM. This value changes, for example, after a manual password reset. Local accounts always populate it. | |
| AccountExpires | UnicodeString | The date when the account expires, for example "9/21/2015 12:00:00 AM". Local accounts always populate it. | |
| PrimaryGroupId | UnicodeString | Relative Identifier (RID) of the user object's primary group. | |
| AllowedToDelegateTo | UnicodeString | The list of SPNs to which this account can present delegated credentials. Can be changed using the Active Directory Users and Computers console on the Delegation tab of the user account, if at least one SPN is registered for the account. If the SPN list on the Delegation tab was changed, this field shows the complete new SPN list, not the individual changes. | 1 |
| OldUacValue | UnicodeString | Flags that control password, lockout, disable/enable, script, and other behavior for the user account. Contains the previous value of the user object's userAccountControl attribute. UAC flags reference | 24 |
| NewUacValue | UnicodeString | Flags that control password, lockout, disable/enable, script, and other behavior for the user account. UAC flags reference | 24 |
| UserAccountControl | UnicodeString | Shows the list of changes to the userAccountControl attribute, one line of text per change. In the "User Account Control field text" column, you can see the text that will be displayed in the User Account Control field of the 4738 event. | 8 |
| UserParameters | UnicodeString | If any setting on the Dial-in tab of the user's account properties is changed using the Active Directory Users and Computers console, this field shows <value changed, but not displayed>. For local accounts, this field is not applicable and always has the "\" value. | |
| SidHistory | UnicodeString | Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID; the previous SID is added to the sIDHistory property. | 8 |
| LogonHours | UnicodeString | Hours during which the account is allowed to log on to the domain. | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4738,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-28T00:51:32.6146449+00:00",
"event_record_id": 1404478,
"correlation": {},
"execution": {
"process_id": 808,
"thread_id": 3064
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Dummy": "-",
"TargetUserName": "domainadmin",
"TargetDomainName": "cell-a",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1000",
"SubjectUserName": "localuser",
"SubjectDomainName": "cell-a",
"SubjectLogonId": "0x1a69fef",
"PrivilegeList": "-",
"SamAccountName": "-",
"DisplayName": "-",
"UserPrincipalName": "-",
"HomeDirectory": "-",
"HomePath": "-",
"ScriptPath": "-",
"ProfilePath": "-",
"UserWorkstations": "-",
"PasswordLastSet": "5/28/2026 12:51:32 AM",
"AccountExpires": "-",
"PrimaryGroupId": "-",
"AllowedToDelegateTo": "-",
"OldUacValue": "-",
"NewUacValue": "-",
"UserAccountControl": "-",
"UserParameters": "-",
"SidHistory": "-",
"LogonHours": "-"
},
"message": "A user account was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1000\r\n\tAccount Name:\t\tlocaluser\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x1A69FEF\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-a\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\t-\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t5/28/2026 12:51:32 AM\r\n\tAccount Expires:\t\t-\r\n\tPrimary Group ID:\t-\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t-\r\n\tNew UAC Value:\t\t-\r\n\tUser Account Control:\t-\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}
Detection Patterns #
- Domain Sid History Addition (Persistence: Account Manipulation): 1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| OperationType | eq | %%14674 | 1 rule | elastic, sigma, splunk |
| AttributeLDAPDisplayName | eq | serviceprincipalname | 1 rule | elastic, kusto, sigma, splunk |
| user.id | ne | S-1-5-18 | 1 rule | elastic |
| ObjectClass | eq | user | 1 rule | elastic, kusto, sigma, splunk |
| AllowedToDelegateTo | eq | - | 1 rule | sigma |
| match | is_not_null | | 1 rule | splunk |
| AttributeLDAPDisplayName | eq | msds-allowedtoactonbehalfofotheridentity | 1 rule | kusto, sigma |
Community Notes #
User account changed, may capture priv-esc, password changes, or UAC flag changes.
Detection Rules #
Sigma #
- Weak Encryption Enabled and Kerberoast source high: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
- Account password set to never expire. source medium: Detects scenarios where an account password is set to never expire.
- Account marked as sensitive and cannot be delegated had its protection removed (weakness introduction) source high: Detects scenarios where an attacker removes security protection from a sensitive account to escalate privileges
- Account set with Kerberos DES encryption activated (weakness introduction) source high: Detects scenarios where an attacker sets an account with DES Kerberos encryption to perform ticket brute force.
- Account set with Kerberos pre-authentication not required (AS-REP Roasting) source high: Detects scenarios where an attacker sets an account with Kerberos pre-authentication not required to perform offline brute force. Accounts with this status can be checked with the following command: "Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol".
- Account set with password not required (weakness introduction) source medium: Detects scenarios where an attacker sets an account with password not required to perform a privilege escalation attack.
- Account set with reversible encryption (weakness introduction) source high: Detects scenarios where an attacker sets an account with reversible encryption to facilitate brute force or cracking operations.
Elastic #
- Kerberos Pre-authentication Disabled for User source medium: Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.
- KRBTGT Delegation Backdoor source high: Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.
Splunk #
- Kerberos Pre-Authentication Flag Disabled in UserAccountControl source: The following analytic detects when the Kerberos Pre-Authentication flag is disabled in a user account, using Windows Security Event 4738. This event indicates a change in the UserAccountControl property of a domain user object. Disabling…
Kusto #
- AD account with Don't Expire Password source low: Identifies whenever a user account has the setting "Password Never Expires" in the user account properties selected. This is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089. %%2089 resolves to "Don't Expire Password - Enabled".
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4738
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4738.yml
Event ID 4739: Domain Policy was changed.
#Description
This event generates when one of the following changes was made to the local computer security policy:
- The computer's "\Security Settings\Account Policies\Account Lockout Policy" settings were modified.
- The computer's "\Security Settings\Account Policies\Password Policy" settings were modified.
- The "Network security: Force logoff when logon hours expire" group policy setting was changed.
- The domain functional level was changed, or some other attributes changed (see details in the event description).
Message #
Fields #
| Name | Description |
|---|---|
DomainPolicyChanged UnicodeString | The type of change which was made. The format is "policy_name modified". |
DomainName UnicodeString | The name of the domain for which policy changes were made. |
DomainSid SID | The SID of the domain for which policy changes were made. |
SubjectUserSid SID | SID of the account that made the change to the specific local policy. |
SubjectUserName UnicodeString | The name of the account that made a change to specific local policy. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
PrivilegeList UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference |
MinPasswordAge UnicodeString | "\Security Settings\Account Policies\Password Policy\Minimum password age" group policy. Numeric value. |
MaxPasswordAge UnicodeString | "\Security Settings\Account Policies\Password Policy\Maximum password age" group policy. Numeric value. |
ForceLogoff UnicodeString | "\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire" group policy. |
LockoutThreshold UnicodeString | "\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold" group policy. Numeric value. |
LockoutObservationWindow UnicodeString | "\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after" group policy. Numeric value. |
LockoutDuration UnicodeString | "\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration" group policy. Numeric value. |
PasswordProperties UnicodeString | [Changed Attributes] Password Properties. |
MinPasswordLength UnicodeString | "\Security Settings\Account Policies\Password Policy\Minimum password length" group policy. Numeric value. |
PasswordHistoryLength UnicodeString | "\Security Settings\Account Policies\Password Policy\Enforce password history" group policy. Numeric value. |
MachineAccountQuota UnicodeString | Ms-DS-MachineAccountQuota domain attribute was modified. Numeric value. |
MixedDomainMode UnicodeString | [Changed Attributes] Mixed Domain Mode. |
DomainBehaviorVersion UnicodeString | MsDS-Behavior-Version domain attribute was modified. Numeric value. |
OemInformation UnicodeString | Not used; present for backward compatibility. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4739,
"version": 0,
"level": 0,
"task": 13569,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:34.991613+00:00",
"event_record_id": 2783,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 896
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"DomainPolicyChanged": "Password Policy",
"DomainName": "WINDEV2310EVAL",
"DomainSid": "S-1-5-21-1992711665-1655669231-58201500",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-",
"MinPasswordAge": "ퟏ~",
"MaxPasswordAge": "ퟏ~",
"ForceLogoff": "-",
"LockoutThreshold": "-",
"LockoutObservationWindow": "-",
"LockoutDuration": "-",
"PasswordProperties": "8",
"MinPasswordLength": "0",
"PasswordHistoryLength": "0",
"MachineAccountQuota": "-",
"MixedDomainMode": "-",
"DomainBehaviorVersion": "-",
"OemInformation": "-"
},
"message": ""
}
Community Notes #
Attackers with Domain Admin rights may weaken password or lockout requirements to speed up credential attacks. This may precede password spraying or Kerberos ticket forgery. Pair with 4768 and 4771. It is also a possible prelude to DCShadow or other directory-level attacks.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4739
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4739
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4739.yml
Event ID 4740: A user account was locked out.
#Description
This event generates every time a user account is locked out. For user accounts, this event generates on domain controllers, member servers, and workstations.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | [Account That Was Locked Out] Account Name. |
TargetDomainName UnicodeString | The name of the computer from which the logon attempt was received and after which the target account was locked out. |
TargetSid SID | [Account That Was Locked Out] Security ID. |
SubjectUserSid SID | SID of account that performed the lockout operation. |
SubjectUserName UnicodeString | The name of the account that performed the lockout operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4740,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:03:33.513406+00:00",
"event_record_id": 16594636,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 10928
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "KrbTestLockout",
"TargetDomainName": "LAB-DC01",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1268",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "LAB-DC01$",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0x3e7"
},
"message": ""
}
Community Notes #
Pair with 4625 and related IPs during investigation. Review Caller_Computer_Name.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4740
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4740.yml
Event ID 4741: A computer account was created.
#Description
This event generates every time a new computer object is created. This event generates only on domain controllers.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
TargetUserName | The name of the computer account that was created. For example: WIN81$. | 1 |
TargetDomainName | Domain name of created computer account. | |
TargetSid | SID of created computer account. | |
SubjectUserSid | SID of account that requested the "create Computer object" operation. | 1 |
SubjectUserName | The name of the account that requested the "create Computer object" operation. | 1 |
SubjectDomainName | Subject's domain name. | 2 |
SubjectLogonId | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
PrivilegeList | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". | 1 |
SamAccountName | Logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName attribute of new computer object. For example: WIN81$. | |
DisplayName | The value of displayName attribute of new computer object. It is a name displayed in the address book for a particular account (typically - user account). This is usually the combination of the user's first name, middle initial, and last name. For computer objects, it is optional, and typically is not set. | |
UserPrincipalName | Internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. This parameter contains the value of userPrincipalName attribute of new computer object. | |
HomeDirectory | User's home directory. If homeDrive attribute is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form \\Server\Share\Directory. This parameter contains the value of homeDirectory attribute of new computer object. | |
HomePath | Specifies the drive letter to which to map the UNC path specified by homeDirectory account's attribute. The drive letter must be specified in the form "DRIVE_LETTER:". | |
ScriptPath | Specifies the path of the account's logon script. This parameter contains the value of scriptPath attribute of new computer object. For computer objects, it is optional, and typically is not set. | |
ProfilePath | Specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. This parameter contains the value of profilePath attribute of new computer object. For computer objects, it is optional, and typically is not set. | |
UserWorkstations | Contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the sAMAccountName property of a computer object. This parameter contains the value of userWorkstations attribute of new computer object. | |
PasswordLastSet | Last time the account's password was modified. For a manually created computer account, using the Active Directory Users and Computers snap-in, this field typically has the value "<never>". | |
AccountExpires | The date when the account expires. This parameter contains the value of accountExpires attribute of new computer object. | |
PrimaryGroupId | Relative Identifier (RID) of computer's object primary group. | |
AllowedToDelegateTo UnicodeString | The list of SPNs to which this account can present delegated credentials. Can be changed using Active Directory Users and Computers management console in Delegation tab of computer account. | |
OldUacValue | Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. Old UAC value always "0x0" for new computer accounts. This parameter contains the previous value of userAccountControl attribute of computer object. | |
NewUacValue | Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of userAccountControl attribute of new computer object. | 2 |
UserAccountControl | Shows the list of changes in userAccountControl attribute. You will see a line of text for each change. For new computer accounts, when the object for this account was created, the userAccountControl value was considered to be "0x0", and then it was changed from "0x0" to the real value for the account's userAccountControl attribute. | |
UserParameters | If you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer's account properties, then you will see <value changed, but not displayed> in this field in "4742(S): A computer account was changed." | |
SidHistory | Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. | |
LogonHours | Hours that the account is allowed to logon to the domain. The value of logonHours attribute of new computer object. For computer objects, it is optional, and typically is not set. You will see the <value not set> value for newly created computer accounts in event 4741. | |
DnsHostName | Name of computer account as registered in DNS. The value of dNSHostName attribute of new computer object. For manually created computer account objects this field has value "-". | |
ServicePrincipalNames | The list of SPNs registered for the computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of servicePrincipalName attribute of new computer object. For manually created computer objects it typically equals "-". This is an example of the Service Principal Names field for a newly domain-joined workstation: | 4 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4741,
"version": 0,
"level": 0,
"task": 13825,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-28T00:58:03.3602699+00:00",
"event_record_id": 6612,
"correlation": {},
"execution": {
"process_id": 680,
"thread_id": 2500
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "TELEMETRY-W11-D$",
"TargetDomainName": "cell-d",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1106",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "cell-d",
"SubjectLogonId": "0x27dc13",
"PrivilegeList": "-",
"SamAccountName": "TELEMETRY-W11-D$",
"DisplayName": "-",
"UserPrincipalName": "-",
"HomeDirectory": "-",
"HomePath": "-",
"ScriptPath": "-",
"ProfilePath": "-",
"UserWorkstations": "-",
"PasswordLastSet": "5/28/2026 12:58:03 AM",
"AccountExpires": "%%1794",
"PrimaryGroupId": "515",
"AllowedToDelegateTo": "-",
"OldUacValue": "0x0",
"NewUacValue": "0x80",
"UserAccountControl": "\n\t\t%%2087",
"UserParameters": "-",
"SidHistory": "-",
"LogonHours": "%%1793",
"DnsHostName": "telemetry-W11-d.cell-d.ludus.domain",
"ServicePrincipalNames": "\n\t\tHOST/telemetry-W11-d.cell-d.ludus.domain\n\t\tRestrictedKrbHost/telemetry-W11-d.cell-d.ludus.domain\n\t\tHOST/TELEMETRY-W11-D\n\t\tRestrictedKrbHost/TELEMETRY-W11-D"
},
"message": "A computer account was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x27DC13\r\n\r\nNew Computer Account:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1106\r\n\tAccount Name:\t\tTELEMETRY-W11-D$\r\n\tAccount Domain:\t\tcell-d\r\n\r\nAttributes:\r\n\tSAM Account Name:\tTELEMETRY-W11-D$\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t5/28/2026 12:58:03 AM\r\n\tAccount Expires:\t\t<never>\r\n\tPrimary Group ID:\t515\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t0x0\r\n\tNew UAC Value:\t\t0x80\r\n\tUser Account Control:\t\r\n\t\t'Workstation Trust Account' - Enabled\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t<value not set>\r\n\tDNS Host Name:\t\ttelemetry-W11-d.cell-d.ludus.domain\r\n\tService Principal Names:\t\r\n\t\tHOST/telemetry-W11-d.cell-d.ludus.domain\r\n\t\tRestrictedKrbHost/telemetry-W11-d.cell-d.ludus.domain\r\n\t\tHOST/TELEMETRY-W11-D\r\n\t\tRestrictedKrbHost/TELEMETRY-W11-D\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-"
}
Detection Patterns #
Defense Impairment: Rogue Domain Controller
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
TargetUserName | ends_with | $ | 1 rule | kusto, sigma |
SubjectUserSid | starts_with | S-1-5-21- | 1 rule | sigma |
Community Notes #
May alert on golden ticket style attacks.
Detection Rules #
Sigma # view in coverage
- Suspicious computer account created by a computer account source high: Detects scenarios where an attacker abuses the MachineAccountQuota privilege and pre-creates a computer object for abusing RBCD delegation.
- Computer account created with privileges source high: Detects scenarios where an attacker creates a computer account with privileges for later exploitation.
Splunk # view in coverage
- Windows Computer Account Created by Computer Account source: The following analytic identifies a computer account creating a new computer account with a specific Service Principal Name (SPN) "RestrictedKrbHost". This detection leverages Windows Security Event Logs, specifically EventCode 4741, to…
- Windows Computer Account With SPN source: The following analytic detects the addition of Service Principal Names (SPNs) HOST and RestrictedKrbHost to a computer account, indicative of KrbRelayUp behavior. This detection leverages Windows Security Event Logs, specifically EventCode…
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-computer-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4741
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4741.yml
Event ID 4742: A computer account was changed.
#Description
This event generates every time a computer object is changed.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
ComputerAccountChange | ||
TargetUserName | The name of the computer account that was changed. | |
TargetDomainName | Domain name of changed computer account. | |
TargetSid | SID of changed computer account. | |
SubjectUserSid | SID of account that requested the "change Computer object" operation. | |
SubjectUserName | The name of the account that requested the "change Computer object" operation. | 4 |
SubjectDomainName | Subject's domain name. | |
SubjectLogonId | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
PrivilegeList | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". | |
SamAccountName | Logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). | |
DisplayName | It is a name displayed in the address book for a particular account (typically - user account). This is usually the combination of the user's first name, middle initial, and last name. For computer objects, it is optional, and typically is not set. | |
UserPrincipalName | Internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. For computer objects, it is optional, and typically is not set. | |
HomeDirectory | User's home directory. If homeDrive attribute is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form \\Server\Share\Directory. For computer objects, it is optional, and typically is not set. | |
HomePath | Specifies the drive letter to which to map the UNC path specified by homeDirectory account's attribute. The drive letter must be specified in the form "DRIVE_LETTER:". For example - "H:". For computer objects, it is optional, and typically is not set. | |
ScriptPath | Specifies the path of the account's logon script. For computer objects, it is optional, and typically is not set. | |
ProfilePath | Specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. For computer objects, it is optional, and typically is not set. | |
UserWorkstations | Contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the sAMAccountName property of a computer object. For computer objects, it is optional, and typically is not set. | |
PasswordLastSet | Last time the account's password was modified. For example: 8/12/2015 11:41:39 AM. This value will be changed, for example, after manual computer account reset action or automatically every 30 days by default for computer objects. | 2 |
AccountExpires | The date when the account expires. For computer objects, it is optional, and typically is not set. | |
PrimaryGroupId | Relative Identifier (RID) of computer's object primary group. | |
AllowedToDelegateTo UnicodeString | The list of SPNs to which this account can present delegated credentials. Can be changed using Active Directory Users and Computers management console in Delegation tab of computer account. If the SPNs list on Delegation tab of a computer account was changed, you will see the new SPNs list in AllowedToDelegateTo field (note that you will see the new list instead of changes) of this event. | 3 |
OldUacValue | Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of userAccountControl attribute of computer object. | |
NewUacValue | Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. | |
UserAccountControl | Shows the list of changes in userAccountControl attribute. You will see a line of text for each change. In the "User Account Control field text" column, you can see text that will be displayed in the User Account Control field in 4742 event. | 7 |
UserParameters | If you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer's account properties, then you will see <value changed, but not displayed> in this field. | |
SidHistory | Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property. | |
LogonHours | Hours that the account is allowed to logon to the domain. For computer objects, it is optional, and typically is not set. | |
DnsHostName | Name of computer account as registered in DNS. | |
ServicePrincipalNames | The list of SPNs, registered for computer account. If the SPN list of a computer account changed, you will see the new SPN list in Service Principal Names field (note that you will see the new list instead of changes). | 6 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4742,
"version": 0,
"level": 0,
"task": 13825,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-28T01:00:57.5443661+00:00",
"event_record_id": 6811,
"correlation": {},
"execution": {
"process_id": 680,
"thread_id": 5112
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ComputerAccountChange": "-",
"TargetUserName": "TELEMETRY-W11-D$",
"TargetDomainName": "cell-d",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1106",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1106",
"SubjectUserName": "TELEMETRY-W11-D$",
"SubjectDomainName": "cell-d",
"SubjectLogonId": "0x282eb3",
"PrivilegeList": "-",
"SamAccountName": "-",
"DisplayName": "-",
"UserPrincipalName": "-",
"HomeDirectory": "-",
"HomePath": "-",
"ScriptPath": "-",
"ProfilePath": "-",
"UserWorkstations": "-",
"PasswordLastSet": "-",
"AccountExpires": "-",
"PrimaryGroupId": "-",
"AllowedToDelegateTo": "-",
"OldUacValue": "-",
"NewUacValue": "-",
"UserAccountControl": "-",
"UserParameters": "-",
"SidHistory": "-",
"LogonHours": "-",
"DnsHostName": "-",
"ServicePrincipalNames": "\n\t\tHOST/telemetry-W11-d.cell-d.ludus.domain\n\t\tRestrictedKrbHost/telemetry-W11-d.cell-d.ludus.domain\n\t\tHOST/TELEMETRY-W11-D\n\t\tRestrictedKrbHost/TELEMETRY-W11-D\n\t\tTERMSRV/telemetry-W11-d.cell-d.ludus.domain\n\t\tTERMSRV/TELEMETRY-W11-D\n\t\tWSMAN/telemetry-W11-d.cell-d.ludus.domain\n\t\tWSMAN/telemetry-W11-d"
},
"message": "A computer account was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1106\r\n\tAccount Name:\t\tTELEMETRY-W11-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x282EB3\r\n\r\nComputer Account That Was Changed:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1106\r\n\tAccount Name:\t\tTELEMETRY-W11-D$\r\n\tAccount Domain:\t\tcell-d\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\t-\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t-\r\n\tAccount Expires:\t\t-\r\n\tPrimary Group ID:\t-\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t-\r\n\tNew UAC Value:\t\t-\r\n\tUser Account Control:\t-\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t-\r\n\tDNS Host Name:\t\t-\r\n\tService Principal Names:\t\r\n\t\tHOST/telemetry-W11-d.cell-d.ludus.domain\r\n\t\tRestrictedKrbHost/telemetry-W11-d.cell-d.ludus.domain\r\n\t\tHOST/TELEMETRY-W11-D\r\n\t\tRestrictedKrbHost/TELEMETRY-W11-D\r\n\t\tTERMSRV/telemetry-W11-d.cell-d.ludus.domain\r\n\t\tTERMSRV/TELEMETRY-W11-D\r\n\t\tWSMAN/telemetry-W11-d.cell-d.ludus.domain\r\n\t\tWSMAN/telemetry-W11-d\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}
Detection Patterns #
Domain Sid History Addition
Defense Impairment: Rogue Domain Controller
1 rule
Defense Impairment: Rogue Domain Controller
1 rule
Lateral Movement: Exploitation of Remote Services
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
AllowedToDelegateTo | eq | - | 3 rules | sigma |
ServicePrincipalNames | contains | gc/ | 3 rules | sigma |
SubjectUserName | ends_with | $ | 2 rules | sigma |
UserAccountControl | eq | %%2093 | 2 rules | sigma |
UserAccountControl | eq | %%2098 | 2 rules | sigma |
AttributeLDAPDisplayName | eq | serviceprincipalname | 1 rule | elastic, kusto, sigma, splunk |
TargetUserName | ends_with | $ | 1 rule | kusto, sigma |
Computer | eq | %domain_controllers% | 1 rule | sigma |
user.id | starts_with | S-1-12-1- | 1 rule | elastic |
user.id | starts_with | S-1-5-21- | 1 rule | elastic |
match | is_not_null | | 1 rule | splunk |
SubjectUserName | eq | ANONYMOUS LOGON | 1 rule | sigma, splunk |
AttributeValue | starts_with | GC/ | 1 rule | sigma |
Detection Rules #
Sigma # view in coverage
- Host set with constrained delegation source high: Detects scenarios where an attacker modifies host delegation settings for privilege escalation.
- Host set with unconstrained delegation source high: Detects scenarios where an attacker modifies host delegation settings for privilege escalation.
- Host constrained delegation settings changed for potential abuse (Rubeus) - Any protocol source high: Detects scenarios where an attacker modifies host delegation settings for privilege escalation.
- Host constrained delegation settings changed for potential abuse (Rubeus) - Kerberos only source high: Detects scenarios where an attacker modifies host delegation settings for privilege escalation.
- Host unconstrained delegation settings changed for potential abuse (Rubeus) source high: Detects scenarios where an attacker modifies host delegation settings for privilege escalation.
- Suspicious modification of a fake domain controller SPN (DCshadow) source high: Detects scenarios where an attacker updates the Service Principal Name (SPN) of a fake domain controller account in order to perform DCshadow attack.
- Suspicious modification of a computer account SPN source high: Detects scenarios where an attacker updates the Service Principal Name (SPN) of a computer account in order to perform "Kerberos redirection" and escalate privileges.
Elastic # view in coverage
- Remote Computer Account DnsHostName Update source high: Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.
Splunk # view in coverage
- Detect Computer Changed with Anonymous Account source: The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) with a SubjectUserName of a value "ANONYMOUS LOGON". This activity can be significant…
- Windows Computer Account Changed to Domain Controller source: Detects a modification to the User Account Control flags for a computer account where the SERVER_TRUST_ACCOUNT flag is set. This flag is normally associated with domain controller computer accounts. This activity may indicate a…
- ZeroLogon CVE-2020-1472 (Windows Event Log) source: The vulnerability allows an attacker to set a password for the computer account of an Active Directory Domain Controller, which can then be abused to pull credentials from the Domain Controller.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4742
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-computer-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4742
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4742.yml
Event ID 4743: A computer account was deleted.
#Description
This event generates every time a computer object is deleted. This event generates only on domain controllers.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName | The name of the computer account that was deleted. For example: WIN81$. |
TargetDomainName | Domain name of deleted computer account. |
TargetSid | SID of deleted computer account. |
SubjectUserSid | SID of account that requested the "delete Computer object" operation. |
SubjectUserName | The name of the account that requested the "delete Computer object" operation. |
SubjectDomainName | Subject's domain name. |
SubjectLogonId | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
PrivilegeList | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4743,
    "version": 0,
    "level": 0,
    "task": 13825,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2020-07-12T19:36:44.227880Z",
    "event_record_id": 16334944,
    "correlation": {},
    "execution": {
      "process_id": 528,
      "thread_id": 3156
    },
    "channel": "Security",
    "computer": "rootdc1.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "YOURPC$",
    "TargetDomainName": "OFFSEC",
    "TargetSid": "S-1-5-21-4230534742-2542757381-3142984815-1167",
    "SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1158",
    "SubjectUserName": "lambda-user",
    "SubjectDomainName": "OFFSEC",
    "SubjectLogonId": "0x87e482b",
    "PrivilegeList": "-"
  }
}
```
Detection Patterns #
Defense Impairment: Rogue Domain Controller
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-computer-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4743
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4743.yml
Event ID 4744: A security-disabled local group was created.
#Description
Event 4744 is the same as 4749, except it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | The name of the group that was created. |
| TargetDomainName | UnicodeString | Domain of the new group (Group Domain under New Group in the message text). |
| TargetSid | SID | SID of the created group. |
| SubjectUserSid | SID | SID of the account that requested the "create group" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "create group" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| PrivilegeList | UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
| SamAccountName | UnicodeString | The pre-Windows 2000 logon name of the new group, used to support clients and servers from earlier Windows versions; the value of the new group object's sAMAccountName attribute. For example: ServiceDesk. |
| SidHistory | UnicodeString | Previous SIDs used for the object if it was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID; the previous SID is added to the sIDHistory property. |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4744,
    "version": 0,
    "level": 0,
    "task": 13827,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-30T14:07:43.9070682+00:00",
    "event_record_id": 23552272,
    "correlation": {},
    "execution": {
      "process_id": 868,
      "thread_id": 3620
    },
    "channel": "Security",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "SAA-LocalDist-140743",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1389",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xaf6fd24",
    "PrivilegeList": "-",
    "SamAccountName": "SAA-LocalDist-140743",
    "SidHistory": "-"
  },
  "message": "A security-disabled local group was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tludus\r\n\tLogon ID:\t\t0xAF6FD24\r\n\r\nNew Group:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1389\r\n\tGroup Name:\t\tSAA-LocalDist-140743\r\n\tGroup Domain:\t\tludus\r\n\r\nAttributes:\r\n\tSAM Account Name:\tSAA-LocalDist-140743\r\n\tSID History:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}
```
Detection Patterns #
Persistence: Domain Account
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4744
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4744
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4744.yml
Event ID 4745: A security-disabled local group was changed.
#Description
Event 4745 is the same as 4750, except it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | The name of the group that was changed. For example: ServiceDesk. |
| TargetDomainName | UnicodeString | Domain of the changed group (Group Domain under Group in the message text). |
| TargetSid | SID | SID of the changed group. |
| SubjectUserSid | SID | SID of the account that requested the "change group" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "change group" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| PrivilegeList | UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
| SamAccountName | UnicodeString | The new pre-Windows 2000 logon name of the changed group, used to support clients and servers from earlier Windows versions. For example: ServiceDesk. |
| SidHistory | UnicodeString | Previous SIDs used for the object if it was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID; the previous SID is added to the sIDHistory property. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4745
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4745
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4745.yml
Event ID 4746: A member was added to a security-disabled local group.
#Description
Event 4746 is the same as 4751, except it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Fields #
| Name | Type | Description |
|---|---|---|
| MemberName | UnicodeString | Distinguished name of the account that was added to the group. For example: "CN=Auditor,CN=Users,DC=contoso,DC=local". For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "-". |
| MemberSid | SID | SID of the account that was added to the group. |
| TargetUserName | UnicodeString | The name of the group to which the new member was added. For example: ServiceDesk. |
| TargetDomainName | UnicodeString | Domain name of the group to which the new member was added. |
| TargetSid | SID | SID of the group to which the new member was added. |
| SubjectUserSid | SID | SID of the account that requested the "add member to the group" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "add member to the group" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| PrivilegeList | UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
| MembershipExpirationTime | FILETIME | Expiration time of the membership. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4746
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4746
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4746.yml
Event ID 4747: A member was removed from a security-disabled local group.
#Description
Event 4747 is the same as 4752, except it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Fields #
| Name | Type | Description |
|---|---|---|
| MemberName | UnicodeString | Distinguished name of the account that was removed from the group. For example: "CN=Auditor,CN=Users,DC=contoso,DC=local". For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "-". |
| MemberSid | SID | SID of the account that was removed from the group. |
| TargetUserName | UnicodeString | The name of the group from which the member was removed. For example: ServiceDesk. |
| TargetDomainName | UnicodeString | Domain name of the group from which the member was removed. |
| TargetSid | SID | SID of the group from which the member was removed. |
| SubjectUserSid | SID | SID of the account that requested the "remove member from the group" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "remove member from the group" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| PrivilegeList | UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4747
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4747
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4747.yml
Event ID 4748: A security-disabled local group was deleted.
#Description
Event 4748 is the same as 4753, except it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | The name of the group that was deleted. |
| TargetDomainName | UnicodeString | Domain of the deleted group (Group Domain under Group in the message text). |
| TargetSid | SID | SID of the deleted group. |
| SubjectUserSid | SID | SID of the account that requested the "delete group" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "delete group" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| PrivilegeList | UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4748
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4748
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4748.yml
Event ID 4749: A security-disabled global group was created.
#Description
This event generates every time a new security-disabled (distribution) global group is created. This event generates only on domain controllers.
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | The name of the group that was created. |
| TargetDomainName | UnicodeString | Domain of the new group (Group Domain under Group in the message text). |
| TargetSid | SID | SID of the created group. |
| SubjectUserSid | SID | SID of the account that requested the "create group" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "create group" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| PrivilegeList | UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
| SamAccountName | UnicodeString | The pre-Windows 2000 logon name of the new group, used to support clients and servers from earlier Windows versions; the value of the new group object's sAMAccountName attribute. For example: ServiceDesk. |
| SidHistory | UnicodeString | Previous SIDs used for the object if it was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID; the previous SID is added to the sIDHistory property. |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4749,
    "version": 0,
    "level": 0,
    "task": 13827,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:16:04.301935+00:00",
    "event_record_id": 16239926,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 6292
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "evtgen_distro",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1121",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xa981e",
    "PrivilegeList": "-",
    "SamAccountName": "evtgen_distro",
    "SidHistory": "-"
  },
  "message": ""
}
```
Detection Patterns #
Persistence: Domain Account
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4749
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4749
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4749.yml
Event ID 4750: A security-disabled global group was changed.
#Description
This event generates every time a security-disabled (distribution) global group is changed. This event generates only on domain controllers.
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | The name of the group that was changed. For example: ServiceDesk. |
| TargetDomainName | UnicodeString | Domain of the changed group (Group Domain under Group in the message text). |
| TargetSid | SID | SID of the changed group. |
| SubjectUserSid | SID | SID of the account that requested the "change group" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "change group" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| PrivilegeList | UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
| SamAccountName | UnicodeString | The new pre-Windows 2000 logon name of the changed group, used to support clients and servers from earlier Windows versions. For example: ServiceDesk. |
| SidHistory | UnicodeString | Previous SIDs used for the object if it was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID; the previous SID is added to the sIDHistory property. |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4750,
    "version": 0,
    "level": 0,
    "task": 13827,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:06:45.668811+00:00",
    "event_record_id": 16619490,
    "correlation": {},
    "execution": {
      "process_id": 936,
      "thread_id": 7768
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "TestAuditGroup_Distribution",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1287",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xbefec",
    "PrivilegeList": "-",
    "SamAccountName": "-",
    "SidHistory": "-"
  },
  "message": ""
}
```
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4750
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4750
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4750.yml
Event ID 4751: A member was added to a security-disabled global group.
#Description
This event generates every time a new member is added to a security-disabled (distribution) global group. This event generates only on domain controllers. For every added member you get a separate 4751 event. You will typically see a "4750: A security-disabled global group was changed." event, with no actual changes in it, immediately before the 4751 event.
Fields #
| Name | Type | Description |
|---|---|---|
| MemberName | UnicodeString | Distinguished name of the account that was added to the group. For example: "CN=Auditor,CN=Users,DC=contoso,DC=local". For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "-". |
| MemberSid | SID | SID of the account that was added to the group. |
| TargetUserName | UnicodeString | The name of the group to which the new member was added. For example: ServiceDesk. |
| TargetDomainName | UnicodeString | Domain name of the group to which the new member was added. |
| TargetSid | SID | SID of the group to which the new member was added. |
| SubjectUserSid | SID | SID of the account that requested the "add member to the group" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "add member to the group" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| PrivilegeList | UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
| MembershipExpirationTime | FILETIME | Expiration time of the membership. |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4751,
    "version": 0,
    "level": 0,
    "task": 13827,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:06:45.668821+00:00",
    "event_record_id": 16619491,
    "correlation": {},
    "execution": {
      "process_id": 936,
      "thread_id": 7768
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "MemberName": "CN=testaudit1,CN=Users,DC=ludus,DC=domain",
    "MemberSid": "S-1-5-21-1006758700-2167138679-1475694448-1290",
    "TargetUserName": "TestAuditGroup_Distribution",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1287",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xbefec",
    "PrivilegeList": "-"
  },
  "message": ""
}
```
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4751
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4751
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4751.yml
Event ID 4752: A member was removed from a security-disabled global group.
#Description
This event generates every time a member is removed from a security-disabled (distribution) global group. This event generates only on domain controllers. For every removed member you get a separate 4752 event.
Fields #
| Name | Type | Description |
|---|---|---|
| MemberName | UnicodeString | Distinguished name of the account that was removed from the group. For example: "CN=Auditor,CN=Users,DC=contoso,DC=local". For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "-". |
| MemberSid | SID | SID of the account that was removed from the group. |
| TargetUserName | UnicodeString | The name of the group from which the member was removed. For example: ServiceDesk. |
| TargetDomainName | UnicodeString | Domain name of the group from which the member was removed. |
| TargetSid | SID | SID of the group from which the member was removed. |
| SubjectUserSid | SID | SID of the account that requested the "remove member from the group" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "remove member from the group" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| PrivilegeList | UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4752,
    "version": 0,
    "level": 0,
    "task": 13827,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:06:46.319360+00:00",
    "event_record_id": 16619502,
    "correlation": {},
    "execution": {
      "process_id": 936,
      "thread_id": 3104
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "MemberName": "CN=testaudit1,CN=Users,DC=ludus,DC=domain",
    "MemberSid": "S-1-5-21-1006758700-2167138679-1475694448-1290",
    "TargetUserName": "TestAuditGroup_Distribution",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1287",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xbefec",
    "PrivilegeList": "-"
  },
  "message": ""
}
```
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4752
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4752
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4752.yml
Event ID 4753: A security-disabled global group was deleted.
#Description
This event generates every time a security-disabled (distribution) global group is deleted. This event generates only on domain controllers.
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | The name of the group that was deleted. |
| TargetDomainName | UnicodeString | Domain of the deleted group (Group Domain under Group in the message text). |
| TargetSid | SID | SID of the deleted group. |
| SubjectUserSid | SID | SID of the account that requested the "delete group" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "delete group" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| PrivilegeList | UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4753,
    "version": 0,
    "level": 0,
    "task": 13827,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:24:00.966756+00:00",
    "event_record_id": 16290238,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 7132
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "TestDistGroup",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1132",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xa981e",
    "PrivilegeList": "-"
  },
  "message": ""
}
```
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4753
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4753
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4753.yml
Event ID 4754: A security-enabled universal group was created.
#Description
Event 4754 is the same as 4731, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4754(S) generates only for domain groups, so the Local sections in event 4731 do not apply.
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | The name of the group that was created. |
| TargetDomainName | UnicodeString | Domain or computer name of the created group. |
| TargetSid | SID | SID of the created group (Security ID under Group in the message text). |
| SubjectUserSid | SID | SID of the account that requested the "create group" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "create group" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| PrivilegeList | UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
| SamAccountName | UnicodeString | The pre-Windows 2000 logon name of the new group, used to support clients and servers from earlier Windows versions; the value of the new group object's sAMAccountName attribute. For example: ServiceDesk. For local groups it is simply the name of the new group. |
| SidHistory | UnicodeString | Previous SIDs used for the object if it was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID; the previous SID is added to the sIDHistory property. This parameter contains the value of the new group object's sIDHistory attribute. It might not be captured in the event, in which case it appears as "-". For local groups it is not applicable and always has the value "-". |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4754,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:16:04.236865+00:00",
    "event_record_id": 16239922,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 1756
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "evtgen_universal",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1120",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xa981e",
    "PrivilegeList": "-",
    "SamAccountName": "evtgen_universal",
    "SidHistory": "-"
  },
  "message": ""
}
```
Detection Patterns #
Persistence: Domain Account
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| TargetSid | regex_match | `S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$` | 1 rule | kusto |
| TargetSid | regex_match | `S-1-5-32-5[0-9][0-9]$` | 1 rule | kusto |
Detection Rules #
Sigma #
- Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity source high: Detects any creation or modification to a Windows domain group with the name "ESX Admins". This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default. ↳ also matches Event ID 4727: A security-enabled global group was created., Event ID 4728: A member was added to a security-enabled global group., Event ID 4731: A security-enabled local group was created., Event ID 4737: A security-enabled global group was changed., Event ID 4755: A security-enabled universal group was changed., Event ID 4756: A member was added to a security-enabled universal group.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4754
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4754
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4754.yml
Event ID 4755: A security-enabled universal group was changed.
#Description
Event 4755 is the same as 4735, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same; the type of group is the only difference. Event 4755(S) generates only for domain groups, so the Local sections in event 4735 do not apply.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | The name of the group that was changed. For example: ServiceDesk. |
TargetDomainName UnicodeString | [Group] Group Domain. |
TargetSid SID | [Group] Security ID. |
SubjectUserSid SID | SID of account that requested the "change group" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "change group" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
PrivilegeList UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference |
SamAccountName UnicodeString | The new pre-Windows 2000 logon name (sAMAccountName) of the changed group, if it was renamed; "-" when the name was not changed, as in the example event below. For example: ServiceDesk. |
SidHistory UnicodeString | Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property. "-" when the group has no SID history. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4755,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:16:04.432295+00:00",
"event_record_id": 16239937,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 6292
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "evtgen_universal",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1120",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"PrivilegeList": "-",
"SamAccountName": "-",
"SidHistory": "-"
},
"message": ""
}
Detection Rules #
View all rules referencing this event →
Sigma # view in coverage
- Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity source high: Detects any creation or modification to a Windows domain group with the name "ESX Admins". This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default. ↳ also matches Event ID 4727: A security-enabled global group was created., Event ID 4728: A member was added to a security-enabled global group., Event ID 4731: A security-enabled local group was created., Event ID 4737: A security-enabled global group was changed., Event ID 4754: A security-enabled universal group was created., Event ID 4756: A member was added to a security-enabled universal group.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4755
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4755
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4755.yml
Event ID 4756: A member was added to a security-enabled universal group.
#Description
Event 4756 is the same as 4732, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4756(S) generates only for domain groups, so the Local sections in event 4732 do not apply.
Message #
Fields #
| Name | Description |
|---|---|
MemberName UnicodeString | Distinguished name (DN) of the account that was added to the group. For example: "CN=Auditor,CN=Users,DC=contoso,DC=local". For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "-". |
MemberSid SID | SID of the account that was added to the group. |
TargetUserName UnicodeString | The name of the group to which the new member was added. For example: ServiceDesk. |
TargetDomainName UnicodeString | Domain name of the group to which the new member was added. |
TargetSid SID | SID of the group to which the new member was added. |
SubjectUserSid SID | SID of the account that requested the "add member to the group" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "add member to the group" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
PrivilegeList UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". |
MembershipExpirationTime FILETIME | Expiration time of the membership, if one was set. Not present in the example event below. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4756,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-28T00:51:32.5934865+00:00",
"event_record_id": 6342,
"correlation": {},
"execution": {
"process_id": 680,
"thread_id": 3712
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"MemberName": "CN=domainadmin,CN=Users,DC=cell-d,DC=ludus,DC=domain",
"MemberSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"TargetUserName": "Schema Admins",
"TargetDomainName": "cell-d",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-518",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1000",
"SubjectUserName": "localuser",
"SubjectDomainName": "cell-d",
"SubjectLogonId": "0xa30bd",
"PrivilegeList": "-"
},
"message": "A member was added to a security-enabled universal group.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1000\r\n\tAccount Name:\t\tlocaluser\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0xA30BD\r\n\r\nMember:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tCN=domainadmin,CN=Users,DC=cell-d,DC=ludus,DC=domain\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-518\r\n\tAccount Name:\t\tSchema Admins\r\n\tAccount Domain:\t\tcell-d\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}
Detection Patterns #
13 rules
Sigma
Member Added
12 rules
Sigma
Persistence: Domain Account
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
TargetSid | regex_match | S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$\|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$ | 3 rules | kusto |
TargetSid | regex_match | S-1-5-32-5[0-9][0-9]$ | 3 rules | kusto |
AccountType | eq | User | 2 rules | kusto |
TargetSid | starts_with | S-1-5-21- | 2 rules | sigma |
TargetSid | ends_with | -520 | 2 rules | sigma |
TargetUserName | eq | DnsAdmins | 1 rule | sigma, splunk |
Community Notes #
May capture cross-domain privilege escalation in a multi-forest trust.
Detection Rules #
View all rules referencing this event →
Sigma # view in coverage
- Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity source high: Detects any creation or modification to a Windows domain group with the name "ESX Admins". This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default. ↳ also matches Event ID 4727: A security-enabled global group was created., Event ID 4728: A member was added to a security-enabled global group., Event ID 4731: A security-enabled local group was created., Event ID 4737: A security-enabled global group was changed., Event ID 4754: A security-enabled universal group was created., Event ID 4755: A security-enabled universal group was changed.
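The Common Indicators table above (TargetSid RID patterns) and the ESX Admins Sigma rule can be run as plain code against events in the JSON shape this page uses. The Python below is an added example, not code from the page or from any rule vendor: the SID regexes are the ones in the indicator table (with `[0-9]*` tightened to `[0-9]+`), the event-ID set for the ESX Admins check is the one the Sigma rule lists, the sample events are constructed (the first reuses the field values of the 4756 example above), and the privileged-group check is applied to 4728 and 4732 as well as 4756, since those events carry the same TargetSid and MemberSid fields.

```python
import re

# Predicates from the Common Indicators table: a domain SID whose RID is 5xx
# (512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins, ...), 498, 1000,
# 1102 or 1103, and a BUILTIN (S-1-5-32) SID with RID 5xx (e.g. 544 Administrators).
PRIVILEGED_DOMAIN_SID = re.compile(
    r"^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-(5[0-9][0-9]|498|1000|1102|1103)$"
)
PRIVILEGED_BUILTIN_SID = re.compile(r"^S-1-5-32-5[0-9][0-9]$")

# Event IDs the ESX Admins Sigma rule covers: group created, changed, member added.
ESX_ADMINS_EVENTS = {4727, 4728, 4731, 4737, 4754, 4755, 4756}
# "Member added to a security-enabled group": global, local, universal.
MEMBER_ADDED_EVENTS = {4728, 4732, 4756}


def is_privileged_group_sid(sid: str) -> bool:
    """True for the well-known privileged group SIDs matched by the indicator regexes."""
    return bool(PRIVILEGED_DOMAIN_SID.match(sid) or PRIVILEGED_BUILTIN_SID.match(sid))


def evaluate(event: dict) -> list:
    """Return one finding per matched rule for a single event in the page's JSON shape."""
    eid = event["system"]["event_id"]
    data = event["event_data"]
    subject = f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}"
    group = data.get("TargetUserName", "")
    findings = []
    # Sigma string matching is case-insensitive; casefold() reproduces that.
    if eid in ESX_ADMINS_EVENTS and group.casefold() == "esx admins":
        findings.append({"rule": "esx_admins_group_activity", "event_id": eid,
                         "subject": subject, "group": group})
    if eid in MEMBER_ADDED_EVENTS and is_privileged_group_sid(data.get("TargetSid", "")):
        findings.append({"rule": "member_added_to_privileged_group", "event_id": eid,
                         "subject": subject, "group": group,
                         "member": data.get("MemberName", ""),
                         "member_sid": data.get("MemberSid", "")})
    return findings


def scan(events: list) -> list:
    """Evaluate a batch of events, tagging each finding with its record id for triage."""
    out = []
    for ev in events:
        for finding in evaluate(ev):
            finding["record_id"] = ev["system"]["event_record_id"]
            out.append(finding)
    return out


def _event(eid: int, record_id: int, **event_data) -> dict:
    """Build a minimal event in the page's JSON shape (helper for the constructed samples)."""
    return {"system": {"provider": "Microsoft-Windows-Security-Auditing",
                       "event_id": eid, "event_record_id": record_id, "channel": "Security"},
            "event_data": event_data}


DOMAIN = "S-1-5-21-1006758700-2167138679-1475694448"  # domain SID used in the page's examples

# Constructed sample events (values modelled on the examples on this page).
SAMPLE_EVENTS = [
    # 4756: 'localuser' adds domainadmin to Schema Admins (RID 518) -> privileged-group hit
    _event(4756, 6342, MemberName="CN=domainadmin,CN=Users,DC=cell-d,DC=ludus,DC=domain",
           MemberSid=f"{DOMAIN}-1105", TargetUserName="Schema Admins", TargetDomainName="cell-d",
           TargetSid=f"{DOMAIN}-518", SubjectUserSid=f"{DOMAIN}-1000", SubjectUserName="localuser",
           SubjectDomainName="cell-d", SubjectLogonId="0xa30bd", PrivilegeList="-"),
    # 4754: a universal security group named "ESX Admins" is created -> ESX Admins hit
    _event(4754, 6400, TargetUserName="ESX Admins", TargetDomainName="ludus",
           TargetSid=f"{DOMAIN}-1500", SubjectUserSid=f"{DOMAIN}-1105", SubjectUserName="domainadmin",
           SubjectDomainName="ludus", SubjectLogonId="0xa981e", PrivilegeList="-",
           SamAccountName="ESX Admins", SidHistory="-"),
    # 4756: member added to an ordinary group (RID 1387) -> no finding
    _event(4756, 6401, MemberName="CN=saa-mem-140743,OU=SecAuditAD-Test,DC=ludus,DC=domain",
           MemberSid=f"{DOMAIN}-1388", TargetUserName="SAA-UniSec-140743", TargetDomainName="ludus",
           TargetSid=f"{DOMAIN}-1387", SubjectUserSid=f"{DOMAIN}-1105", SubjectUserName="domainadmin",
           SubjectDomainName="ludus", SubjectLogonId="0xaf6fd24", PrivilegeList="-"),
    # 4757: removal from Schema Admins -> no finding (the indicator rules target additions)
    _event(4757, 6402, MemberName="CN=domainadmin,CN=Users,DC=cell-d,DC=ludus,DC=domain",
           MemberSid=f"{DOMAIN}-1105", TargetUserName="Schema Admins", TargetDomainName="cell-d",
           TargetSid=f"{DOMAIN}-518", SubjectUserSid=f"{DOMAIN}-1105", SubjectUserName="domainadmin",
           SubjectDomainName="cell-d", SubjectLogonId="0xa981e", PrivilegeList="-"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The same subject appears in both findings of interest here with a different logon ID each time; in a real hunt, join SubjectLogonId back to 4624 to see how the subject logged on before it touched the group.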
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4756
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4756
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4756.yml
Event ID 4757: A member was removed from a security-enabled universal group.
#Description
Event 4757 is the same as 4733, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4757(S) generates only for domain groups, so the Local sections in event 4733 do not apply.
Message #
Fields #
| Name | Description |
|---|---|
MemberName UnicodeString | Distinguished name (DN) of the account removed from the group. For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "-". |
MemberSid SID | SID of account that was removed from the group. |
TargetUserName UnicodeString | The name of the group from which the member was removed. For example: ServiceDesk. |
TargetDomainName UnicodeString | Domain or computer name of the group from which the member was removed. |
TargetSid SID | SID of the group from which the member was removed. |
SubjectUserSid SID | SID of account that requested the "remove member from the group" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "remove member from the group" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
PrivilegeList UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4757,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-30T14:07:43.8693306+00:00",
"event_record_id": 23552269,
"correlation": {},
"execution": {
"process_id": 868,
"thread_id": 4912
},
"channel": "Security",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"MemberName": "CN=saa-mem-140743,OU=SecAuditAD-Test,DC=ludus,DC=domain",
"MemberSid": "S-1-5-21-1006758700-2167138679-1475694448-1388",
"TargetUserName": "SAA-UniSec-140743",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1387",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xaf6fd24",
"PrivilegeList": "-"
},
"message": "A member was removed from a security-enabled universal group.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tludus\r\n\tLogon ID:\t\t0xAF6FD24\r\n\r\nMember:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1388\r\n\tAccount Name:\t\tCN=saa-mem-140743,OU=SecAuditAD-Test,DC=ludus,DC=domain\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1387\r\n\tGroup Name:\t\tSAA-UniSec-140743\r\n\tGroup Domain:\t\tludus\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}
Detection Patterns #
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4757
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4757
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4757.yml
Event ID 4758: A security-enabled universal group was deleted.
#Description
Event 4758 is the same as 4734, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4758(S) generates only for domain groups, so the Local sections in event 4734 do not apply.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | The name of the group that was deleted. For example: ServiceDesk. |
TargetDomainName UnicodeString | Domain or computer name of the deleted group. |
TargetSid SID | SID of deleted group. |
SubjectUserSid SID | SID of account that requested the "delete group" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "delete group" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
PrivilegeList UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4758,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:16:14.194447+00:00",
"event_record_id": 16240252,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 6288
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "evtgen_universal",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1120",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"PrivilegeList": "-"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4758
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4758
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4758.yml
Event ID 4759: A security-disabled universal group was created.
#Description
Event 4759 is the same as 4749, except it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | The name of the group that was created. |
TargetDomainName UnicodeString | [Group] Group Domain. |
TargetSid SID | SID of created group. |
SubjectUserSid SID | SID of account that requested the "create group" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "create group" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
PrivilegeList UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference |
SamAccountName UnicodeString | This is a name of new group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName attribute of new group object. For example: ServiceDesk. |
SidHistory UnicodeString | Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4759,
"version": 0,
"level": 0,
"task": 13827,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-30T14:07:43.9472572+00:00",
"event_record_id": 23552281,
"correlation": {},
"execution": {
"process_id": 868,
"thread_id": 3620
},
"channel": "Security",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "SAA-UniDist-140743",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1390",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xaf6fd24",
"PrivilegeList": "-",
"SamAccountName": "SAA-UniDist-140743",
"SidHistory": "-"
},
"message": "A security-disabled universal group was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tludus\r\n\tLogon ID:\t\t0xAF6FD24\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1390\r\n\tGroup Name:\t\tSAA-UniDist-140743\r\n\tGroup Domain:\t\tludus\r\n\r\nAttributes:\r\n\tSAM Account Name:\tSAA-UniDist-140743\r\n\tSID History:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}
Detection Patterns #
Persistence: Domain Account
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4759
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4759
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4759.yml
Event ID 4760: A security-disabled universal group was changed.
#Description
Event 4760 is the same as 4750, except it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | The name of the group that was changed. For example: ServiceDesk. |
TargetDomainName UnicodeString | [Group] Group Domain. |
TargetSid SID | SID of changed group. |
SubjectUserSid SID | SID of account that requested the "change group" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "change group" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
PrivilegeList UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference |
SamAccountName UnicodeString | This is a new name of changed group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). For example: ServiceDesk. |
SidHistory UnicodeString | Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4760
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4760
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4760.yml
Event ID 4761: A member was added to a security-disabled universal group.
#Description
Event 4761 is the same as 4751, except it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Message #
Fields #
| Name | Description |
|---|---|
MemberName UnicodeString | Distinguished name of account that was added to the group. For example: "CN=Auditor,CN=Users,DC=contoso,DC=local". For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "-". |
MemberSid SID | SID of account that was added to the group. |
TargetUserName UnicodeString | The name of the group to which new member was added. For example: ServiceDesk. |
TargetDomainName UnicodeString | Domain name of the group to which new member was added. |
TargetSid SID | SID of the group to which new member was added. |
SubjectUserSid SID | SID of account that requested the "add member to the group" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "add member to the group" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
PrivilegeList UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference |
MembershipExpirationTime FILETIME | Expiration time. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4761
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4761
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4761.yml
Event ID 4762: A member was removed from a security-disabled universal group.
#Description
Event 4762 is the same as 4752, except it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Message #
Fields #
| Name | Description |
|---|---|
MemberName UnicodeString | Distinguished name of account that was removed from the group. For example: "CN=Auditor,CN=Users,DC=contoso,DC=local". For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "-". |
MemberSid SID | SID of account that was removed from the group. |
TargetUserName UnicodeString | The name of the group from which the member was removed. For example: ServiceDesk. |
TargetDomainName UnicodeString | Domain name of the group from which the member was removed. |
TargetSid SID | SID of the group from which the member was removed. |
SubjectUserSid SID | SID of account that requested the "remove member from the group" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "remove member from the group" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
PrivilegeList UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4762
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4762
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4762.yml
Event ID 4763: A security-disabled universal group was deleted.
#Description
Event 4763 is the same as 4753, except it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | The name of the group that was deleted. |
TargetDomainName UnicodeString | [Group] Group Domain. |
TargetSid SID | SID of deleted group. |
SubjectUserSid SID | SID of account that requested the "delete group" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "delete group" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
PrivilegeList UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4763
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4763
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4763.yml
Event ID 4764: A group’s type was changed.
#Description
This event generates every time a group's type is changed. It generates for both security and distribution groups, and only on domain controllers.
Message #
Fields #
| Name | Description |
|---|---|
GroupTypeChange UnicodeString | The old and new group type, in the form "<old type> Changed To <new type>.", where each type is "Security Enabled" or "Security Disabled" combined with "Local", "Global" or "Universal" Group. For example: "Security Disabled Global Group Changed to Security Enabled Global Group." (as in the example event below). The old and new types cannot be the same. |
TargetUserName UnicodeString | The name of the group, which type was changed. For example: ServiceDesk. |
TargetDomainName UnicodeString | Domain or computer name of the changed group. |
TargetSid SID | SID of changed group. |
SubjectUserSid SID | SID of account that requested the "change group type" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "change group type" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
PrivilegeList UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4764,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:16:10.897820+00:00",
"event_record_id": 16240135,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 6288
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"GroupTypeChange": "Security Disabled Global Group Changed to Security Enabled Global Group.",
"TargetUserName": "evtgen_distro",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1121",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"PrivilegeList": "-"
},
"message": ""
}
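Added example, not code from the page: parsing the GroupTypeChange string of the example event above and deciding which transitions merit review. The field format and the six type names are as they appear in the event; the triage choice (flag a distribution group becoming security-enabled, because only security-enabled groups put their SID into members' tokens and can be used in ACLs, and flag any scope change) is this example's own, and the sample inputs are constructed.

```python
import re
from typing import NamedTuple, Tuple


class GroupType(NamedTuple):
    security_enabled: bool  # True for "Security Enabled", False for distribution groups
    scope: str              # "Local", "Global" or "Universal"


# One side of the GroupTypeChange value, e.g. "Security Enabled Global Group".
_GROUP_TYPE = re.compile(r"^Security (Enabled|Disabled) (Local|Global|Universal) Group$")
# Whole field: "<old type> Changed to <new type>."  (capitalisation of "to" varies)
_CHANGE = re.compile(r"^(?P<old>.+?) Changed [Tt]o (?P<new>.+?)\.?$")


def parse_group_type(text: str) -> GroupType:
    """Turn one group-type phrase into its (security-enabled, scope) pair."""
    m = _GROUP_TYPE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised group type: {text!r}")
    return GroupType(security_enabled=(m.group(1) == "Enabled"), scope=m.group(2))


def parse_group_type_change(value: str) -> Tuple[GroupType, GroupType]:
    """Split a 4764 GroupTypeChange string into (old type, new type)."""
    m = _CHANGE.match(value.strip())
    if m is None:
        raise ValueError(f"unrecognised GroupTypeChange value: {value!r}")
    return parse_group_type(m["old"]), parse_group_type(m["new"])


def assess_group_type_change(event_data: dict) -> dict:
    """Classify a 4764 event: which transitions deserve a look, and why."""
    old, new = parse_group_type_change(event_data["GroupTypeChange"])
    reasons = []
    if new.security_enabled and not old.security_enabled:
        # Members of a distribution group get no access from it; once it is
        # security-enabled its SID lands in their tokens and can be granted rights.
        reasons.append("distribution group became security-enabled")
    if old.scope != new.scope:
        reasons.append(f"scope changed {old.scope} -> {new.scope}")
    return {
        "group": f"{event_data.get('TargetDomainName', '')}\\{event_data.get('TargetUserName', '')}",
        "subject": f"{event_data.get('SubjectDomainName', '')}\\{event_data.get('SubjectUserName', '')}",
        "old": old,
        "new": new,
        "reasons": reasons,
        "review": bool(reasons),
    }


# Constructed samples; the first reuses the field values of the example event above.
SAMPLE_EVENT_DATA = [
    {"GroupTypeChange": "Security Disabled Global Group Changed to Security Enabled Global Group.",
     "TargetUserName": "evtgen_distro", "TargetDomainName": "ludus",
     "SubjectUserName": "domainadmin", "SubjectDomainName": "ludus"},
    {"GroupTypeChange": "Security Enabled Global Group Changed To Security Enabled Universal Group.",
     "TargetUserName": "ServiceDesk", "TargetDomainName": "ludus",
     "SubjectUserName": "domainadmin", "SubjectDomainName": "ludus"},
    {"GroupTypeChange": "Security Enabled Universal Group Changed to Security Disabled Universal Group.",
     "TargetUserName": "AllStaff", "TargetDomainName": "ludus",
     "SubjectUserName": "domainadmin", "SubjectDomainName": "ludus"},
]

if __name__ == "__main__":
    for data in SAMPLE_EVENT_DATA:
        result = assess_group_type_change(data)
        print(result["group"], "->", result["reasons"] or "no action")
```

A security group being downgraded to a distribution group is not flagged here; it removes access rather than granting it, but it is still worth a ticket if the group is used in ACLs.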
Detection Patterns #
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4764
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4764
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4764.yml
Event ID 4765: SID History was added to an account.
#Description
SID History was added to an account.
Message #
Fields #
| Name | Description |
|---|---|
SourceUserName | [Source Account] Name of the source account whose SID was added to the target account's sIDHistory (domain\name form in the example below). |
SourceSid | [Source Account] SID of the source account; this is the value written to the target's sIDHistory. |
TargetUserName | [Target Account] Name of the account that received the SID History. |
TargetDomainName | [Target Account] Domain of the target account. |
TargetSid | [Target Account] SID of the target account. |
SubjectUserSid | [Subject] SID of the account that requested the operation. |
SubjectUserName | [Subject] Name of the account that requested the operation. |
SubjectDomainName | [Subject] Subject's domain or computer name. |
SubjectLogonId | [Subject] Hexadecimal logon ID; correlate with "4624: An account was successfully logged on." |
PrivilegeList | [Additional Information] Privileges used during the operation. Usually "-". |
SidList | [Additional Information] SID List. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4765,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2017-06-12T23:39:43.512986Z",
"event_record_id": 8075,
"correlation": {},
"execution": {
"process_id": 496,
"thread_id": 1696
},
"channel": "Security",
"computer": "2012r2srv.maincorp.local",
"security": {
"user_id": ""
}
},
"event_data": {
"SourceUserName": "maincorp.local\\Domain Admins",
"SourceSid": "S-1-5-21-2634088540-571122920-1382659128-512",
"TargetUserName": "labuser",
"TargetDomainName": "MAINCORP",
"TargetSid": "S-1-5-21-2634088540-571122920-1382659128-1104",
"SubjectUserSid": "S-1-5-21-2634088540-571122920-1382659128-500",
"SubjectUserName": "Administrator",
"SubjectDomainName": "MAINCORP",
"SubjectLogonId": "0x432c8",
"PrivilegeList": "-",
"SidList": "-"
}
}
Detection Patterns #
Community Notes #
SID History injection (for example via DCShadow or Mimikatz sid::add) gives the target account the access of the injected SID. Outside an inter-forest migration (ADMT), treat this as a privilege escalation or persistence signal rather than lateral movement; the Subject fields show who performed it.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4765
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4765
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4766: An attempt to add SID History to an account failed.
#Description
An attempt to add SID History to an account failed.
Message #
Fields #
| Name | Description |
|---|---|
SourceUserName UnicodeString | [Source Account] Account Name |
SourceSid SID | [Source Account] Security ID |
TargetUserName UnicodeString | [Target Account] Account Name |
TargetDomainName UnicodeString | [Target Account] Account Domain |
TargetSid SID | [Target Account] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges |
SidList UnicodeString | [Additional Information] SID List |
Detection Patterns #
Community Notes #
A failed SID History injection attempt (for example via DCShadow or Mimikatz sid::add). Outside an inter-forest migration (ADMT), treat this as an attempted privilege escalation or persistence action; the Subject fields show who tried.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4766
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4766
Event ID 4767: A user account was unlocked.
#Description
This event generates every time a user account is unlocked. For user accounts, this event generates on domain controllers, member servers, and workstations.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | [Target Account] Account Name. |
TargetDomainName UnicodeString | [Target Account] Account Domain. |
TargetSid SID | [Target Account] Security ID. |
SubjectUserSid SID | SID of account that performed the unlock operation. |
SubjectUserName UnicodeString | The name of the account that performed the unlock operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4767,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:16:10.398421+00:00",
"event_record_id": 16240087,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 1756
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "evtgen_user3",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1115",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4767
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4767.yml
Event ID 4768: A Kerberos authentication ticket (TGT) was requested.
#Description
This event generates every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). This event generates only on domain controllers. If TGT issue fails, you will see a Failure event with a Result Code field not equal to "0x0". This event does not generate for Result Codes 0x10, 0x17 and 0x18; event "4771: Kerberos pre-authentication failed." generates instead.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
TargetUserName | Name of the account for which the TGT was requested. Computer accounts end with $. | 19 |
TargetDomainName | Kerberos realm of the requesting account. May appear in various formats. | |
TargetSid | SID of the account for which the TGT was requested. | |
ServiceName | Service in the Kerberos realm to which the TGT request was sent. Typically krbtgt for TGT requests. For failure events, typically in the form krbtgt/REALM_NAME. | 4 |
ServiceSid | SID of the service account to which the TGT request was sent. | 3 |
TicketOptions | Ticket flags as a hexadecimal bitmask (KDCOptions, RFC 4120 §5.4.1). | 3 |
Status | Hexadecimal result code for the TGT issue operation (Kerberos error codes, RFC 4120 §7.5.9), e.g. 0x0 success, 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN (account does not exist), 0x12 KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out). | 15 |
TicketEncryptionType | Encryption type used for the issued TGT: 0x12 AES256-CTS-HMAC-SHA1-96, 0x11 AES128-CTS-HMAC-SHA1-96, 0x17 RC4-HMAC, 0x3 DES-CBC-MD5, 0x1 DES-CBC-CRC. | 4 |
PreAuthType | Pre-authentication type used in the TGT request: 0 none (account does not require preauth), 2 PA-ENC-TIMESTAMP (password), 16 PA-PK-AS-REQ (certificate/smart card), 138 PA-ENCRYPTED-CHALLENGE (FAST). | 2 |
IpAddress | IP address of the computer from which the TGT request was received. | 8 |
IpPort | Source port of the client connection for the TGT request. | |
CertIssuerName | Name of the CA that issued the smart card certificate. | |
CertSerialNumber | Serial number of the smart card certificate. | |
CertThumbprint | Thumbprint of the smart card certificate. | 5 |
ResponseTicket | ||
AccountSupportedEncryptionTypes | ||
AccountAvailableKeys | ||
ServiceSupportedEncryptionTypes | ||
ServiceAvailableKeys | ||
DCSupportedEncryptionTypes | ||
DCAvailableKeys | ||
ClientAdvertizedEncryptionTypes | ||
SessionKeyEncryptionType | ||
PreAuthEncryptionType |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4768,
"version": 0,
"level": 0,
"task": 14339,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T13:54:35.6842605+00:00",
"event_record_id": 1248113,
"correlation": {},
"execution": {
"process_id": 760,
"thread_id": 2572
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "domainuser",
"TargetDomainName": "CELL-D.LUDUS.DOMAIN",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1104",
"ServiceName": "krbtgt",
"ServiceSid": "S-1-5-21-1006758700-2167138679-1475694448-502",
"TicketOptions": "0x40810010",
"Status": "0x0",
"TicketEncryptionType": "0x12",
"PreAuthType": "2",
"IpAddress": "::ffff:10.1.50.21",
"IpPort": "49929",
"CertIssuerName": "",
"CertSerialNumber": "",
"CertThumbprint": ""
},
"message": "A Kerberos authentication ticket (TGT) was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tdomainuser\r\n\tSupplied Realm Name:\tCELL-D.LUDUS.DOMAIN\r\n\tUser ID:\t\t\tS-1-5-21-1006758700-2167138679-1475694448-1104\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt\r\n\tService ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-502\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:10.1.50.21\r\n\tClient Port:\t\t49929\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810010\r\n\tResult Code:\t\t0x0\r\n\tTicket Encryption Type:\t0x12\r\n\tPre-Authentication Type:\t2\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number:\t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120."
}
Detection Patterns #
Stealth: Domain Accounts
1 rule
Credential Access: Exploitation for Credential Access
1 rule
Lateral Movement: Remote Services
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
TargetUserName | ne | *$ | 6 rules | splunk |
Status | eq | 0 | 4 rules | sigma |
isOutlier | eq | 1 | 3 rules | splunk |
src_ip | eq | %domain_controllers_ips% | 3 rules | sigma |
ServiceSid | ends_with | -502 | 3 rules | sigma |
Status | eq | 0x6 | 3 rules | splunk |
src_ip | eq | ::1 | 2 rules | elastic, sigma |
TargetUserName | ends_with | $ | 2 rules | kusto, sigma |
TicketEncryptionType | eq | 0x17 | 2 rules | kusto, sigma, splunk |
unique_accounts | gt | 30 | 2 rules | splunk |
TargetUserName | eq | *$ | 2 rules | sigma, splunk |
PreAuthType | eq | 0 | 2 rules | sigma |
Status | eq | 0x12 | 2 rules | splunk |
src_ip | eq | 127.0.0.1 | 1 rule | sigma |
short_lived | eq | TRUE | 1 rule | splunk |
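The TicketOptions, Status, PreAuthType and TicketEncryptionType values in the Fields table and the indicators above are what the AS-REP roasting rules key on, and TicketOptions is only readable once the bitmask is decoded. The Python below is an added example written for this page; it is not code from Microsoft, from the page, or from any of the listed rule vendors. It expands TicketOptions into RFC 4120 §5.4.1 flag names (plus the RFC 6806 canonicalize bit and the MS-SFU cname-in-addl-tkt bit) and applies the PreAuthType 0 / 0x17 predicate over constructed 4768 samples. The sample accounts, addresses and option values are assumptions, not captured data.

```python
# Added example (not from the page, Microsoft, or any vendor rule): decode the
# TicketOptions bitmask of a 4768 and flag AS-REP roasting candidates.
# Sample events below are constructed to mirror the 4768 event_data layout.
from typing import Dict, List

# KDCOptions bit numbers from RFC 4120 section 5.4.1, plus canonicalize
# (RFC 6806 section 3) and cname-in-addl-tkt (MS-SFU, set by S4U2proxy).
# Windows logs the 32-bit KerberosFlags big-endian: bit 0 is 0x80000000 and
# bit 31 is 0x00000001, which is why "renewable" (bit 8) shows as 0x00800000.
KDC_OPTION_BITS: Dict[int, str] = {
    0: "reserved", 1: "forwardable", 2: "forwarded", 3: "proxiable",
    4: "proxy", 5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth", 14: "cname-in-addl-tkt", 15: "canonicalize",
    16: "request-anonymous", 26: "disable-transited-check",
    27: "renewable-ok", 28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}

RC4_HMAC = 0x17  # TicketEncryptionType value the AS-REP roasting rules key on


def decode_ticket_options(value: str) -> List[str]:
    """Expand "0x40810010" into ["forwardable", "renewable", "canonicalize",
    "renewable-ok"]. Unknown set bits are reported as bitN, never dropped."""
    flags = int(value, 16)
    return [KDC_OPTION_BITS.get(bit, f"bit{bit}")
            for bit in range(32) if flags & (1 << (31 - bit))]


def asrep_roast_candidates(events: List[dict], require_rc4: bool = True) -> List[dict]:
    """Successful 4768s issued without pre-authentication (PreAuthType "0").

    With require_rc4=True this matches the Sigma/Splunk predicates above
    (PreAuthType 0 and TicketEncryptionType 0x17). AES-encrypted AS-REPs can
    also be cracked offline, only more slowly, so require_rc4=False widens the
    net at the cost of also listing accounts that legitimately have preauth off.
    """
    hits = []
    for ev in events:
        if ev.get("event_id") != 4768:
            continue
        d = ev["event_data"]
        if int(d.get("Status", "0x0"), 16) != 0:
            continue  # failures belong to the 4768/4771 failure-code logic
        if d.get("PreAuthType") != "0":
            continue
        if require_rc4 and int(d["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        hits.append({
            "account": d["TargetUserName"],
            "source": d["IpAddress"],
            "etype": d["TicketEncryptionType"],
            "options": decode_ticket_options(d["TicketOptions"]),
        })
    return hits


def _ev(user: str, preauth: str, etype: str, options: str, ip: str) -> dict:
    """Constructed 4768 sample (only the fields the logic reads)."""
    return {"event_id": 4768, "event_data": {
        "TargetUserName": user, "ServiceName": "krbtgt", "Status": "0x0",
        "PreAuthType": preauth, "TicketEncryptionType": etype,
        "TicketOptions": options, "IpAddress": ip}}


SAMPLE_4768 = [
    # normal workstation logon: PA-ENC-TIMESTAMP (2), AES256 (0x12)
    _ev("domainuser", "2", "0x12", "0x40810010", "::ffff:10.1.50.21"),
    # no preauth and an RC4 AS-REP: the combination the rules above key on
    _ev("svc_legacy", "0", "0x17", "0x40800010", "::ffff:10.1.50.99"),
    # no preauth but AES: only reported when require_rc4=False
    _ev("svc_aes", "0", "0x12", "0x40800010", "::ffff:10.1.50.99"),
]

if __name__ == "__main__":
    for hit in asrep_roast_candidates(SAMPLE_4768):
        print(hit)
```

Run over real exports, feed the event_data objects straight in; the decoder is also useful on 4769/4770/4771, where the same bitmask appears (0x10002 in the 4770 example below decodes to canonicalize and renew, 0x40820010 from the S4U2Proxy rules to forwardable, renewable, cname-in-addl-tkt, renewable-ok).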
Community Notes #
Golden Tickets and Pass-the-Ticket reuse a TGT the attacker already holds, so they normally skip the AS exchange: a 4769 on a DC with no preceding 4768 for the same account and source is the stronger signal. A 4768 that does appear from a non-interactive or unexpected source shortly before the 4769 may indicate ticket replay or Pass-the-Ticket staging.
Detection Rules #
Sigma #
- Potential AS-REP Roasting via Kerberos TGT Requests (medium): Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type 0x17, i.e. RC4-HMAC. This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.
- PetitPotam Suspicious Kerberos TGT Request (high): Detects suspicious Kerberos TGT requests. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning; we recommend filtering Account_Name to the Domain Controller computer accounts.
- Kerberos AS-REP Roasting ticket request detected (high): Detects scenarios where an attacker abuses an account with UAC settings set to "Account Does Not Require Pre-Authentication" in order to perform offline TGT brute force. May also be triggered by an attacker performing Kerberos user enumeration with tools like Kerbrute.
- Suspicious Kerberos proxiable/S4U2self ticket (CVE-2021-42278/42287) (high): Detects scenarios where an attacker attempts to request a proxiable ticket. This may trigger while attempting to identify a vulnerable target or when using offensive Kerberos tools like Kerbrute or Impacket.
- Kerberos TGS ticket request related to a potential Golden ticket (high): Detects scenarios where an attacker requests a potential Golden ticket. Findings returned by this rule may not confirm with certainty that a Golden ticket was generated, and further investigation would be required to confirm it. Another indicator (in the case of a lazy Golden ticket) is whether the TargetUserName refers to an existing user in the domain.
Splunk #
- Kerberos TGT Request Using RC4 Encryption: The following analytic detects a Kerberos Ticket Granting Ticket (TGT) request using RC4-HMAC encryption (type 0x17) by leveraging Event 4768. This encryption type is outdated and its presence may indicate an OverPass The Hash attack.…
- Kerberos User Enumeration: The following analytic detects an unusual number of Kerberos Ticket Granting Ticket (TGT) requests for non-existing users from a single source endpoint. It leverages Event ID 4768 and identifies anomalies using the 3-sigma statistical…
- PetitPotam Suspicious Kerberos TGT Request: The following analytic detects a suspicious Kerberos Ticket Granting Ticket (TGT) request, identified by Event Code 4768. This detection leverages Windows Security Event Logs to identify TGT requests with unusual fields, which may indicate…
- Windows Computer Account Requesting Kerberos Ticket: The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to…
- Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos: The following analytic detects a single source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. It leverages Windows Security Event 4768, focusing on failure code 0x12,…
- Windows Multiple Invalid Users Fail To Authenticate Using Kerberos: The following analytic identifies a source endpoint failing to authenticate with 30 unique invalid domain users using the Kerberos protocol. This detection leverages EventCode 4768, specifically looking for failure code 0x6, indicating the…
- Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos: The following analytic identifies a source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. It leverages EventCode 4768, which is generated when the Key Distribution Center issues a Kerberos…
- Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos: The following analytic identifies a source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. It leverages Event ID 4768, which is generated when the Key Distribution Center issues a Kerberos…
- Suspicious Certificate Authentication (Windows Event Log): Adversaries may steal an AD CA's root certificate and forge a certificate for any active user or computer. This use case looks for Kerberos ticket requests with certificate thumbprints.
Kusto #
- Certified Pre-Owned - TGTs requested with certificate authentication (medium): This query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).
- Suspicious TGT Request with a DC Account: The query detects TGT requests from a DC account with an IP that doesn't belong to a DC. It detects PetitPotam and any other attack that uses a stolen DC certificate/account to perform operations. If you make it a detection rule, take ingestion delay into account.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4768.yml
- RFC 4120 §5.4.1 KDC-REQ KDCOptions bitmask https://datatracker.ietf.org/doc/html/rfc4120#section-5.4.1
- RFC 4120 §7.5.9 Kerberos error codes https://datatracker.ietf.org/doc/html/rfc4120#section-7.5.9
- RFC 4556 §6 PKINIT error codes https://datatracker.ietf.org/doc/html/rfc4556#section-6
Event ID 4769: A Kerberos service ticket was requested.
#Description
This event generates every time the Key Distribution Center gets a Kerberos Ticket Granting Service (TGS) ticket request. This event generates only on domain controllers. If TGS issue fails, you will see a Failure event with a Failure Code field not equal to "0x0". You will typically see many Failure events with Failure Code "0x20", which simply means that a TGS ticket has expired. These are informational messages and have little to no security relevance. Note that ServiceName is the account name of the service (a user account or a computer account ending in $), not the SPN string the client asked for.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
TargetUserName | UPN of the account that requested the ticket. Computer accounts end with $ in the UPN. Typically user_account_name@FULL_DOMAIN_NAME. | 7 |
TargetDomainName | Kerberos realm of the requesting account. | |
ServiceName | Service to which access was requested. | 11 |
ServiceSid | SID of the account or computer for which the TGS ticket was requested. | 2 |
TicketOptions | Ticket flags as a hexadecimal bitmask (KDCOptions, RFC 4120 §5.4.1; the canonicalize bit is RFC 6806 §3). | 16 |
TicketEncryptionType | Encryption type used for the issued TGS: 0x12 AES256-CTS-HMAC-SHA1-96, 0x11 AES128-CTS-HMAC-SHA1-96, 0x17 RC4-HMAC, 0x3 DES-CBC-MD5, 0x1 DES-CBC-CRC. | 10 |
IpAddress | IP address of the computer from which the TGS request was received. | 3 |
IpPort | Source port of the client connection for the TGS request. | |
Status | Hexadecimal result code for the TGS issue operation, e.g. 0x0 success, 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN (service not found), 0xE KDC_ERR_ETYPE_NOSUPP, 0x20 KRB_AP_ERR_TKT_EXPIRED (ticket expired). | 4 |
LogonGuid | GUID linking this event to Event ID 4624, 4648, and 4964 on the machine the TGS was issued for. | |
TransmittedServices | List of SPNs requested when Kerberos delegation was used. | 2 |
RequestTicketHash | ||
ResponseTicketHash | ||
AccountSupportedEncryptionTypes | ||
AccountAvailableKeys | ||
ServiceSupportedEncryptionTypes | ||
ServiceAvailableKeys | ||
DCSupportedEncryptionTypes | ||
DCAvailableKeys | ||
ClientAdvertizedEncryptionTypes | ||
SessionKeyEncryptionType |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4769,
"version": 0,
"level": 0,
"task": 14337,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T13:59:05.1606179+00:00",
"event_record_id": 1250635,
"correlation": {},
"execution": {
"process_id": 760,
"thread_id": 2572
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "TELEMETRY-W11-D$@CELL-D.LUDUS.DOMAIN",
"TargetDomainName": "CELL-D.LUDUS.DOMAIN",
"ServiceName": "TELEMETRY-DC-D$",
"ServiceSid": "S-1-5-21-1006758700-2167138679-1475694448-1001",
"TicketOptions": "0x40810000",
"TicketEncryptionType": "0x12",
"IpAddress": "::ffff:10.1.50.21",
"IpPort": "62954",
"Status": "0x0",
"LogonGuid": "{09286334-9759-4259-0b88-eaea3f1dda62}",
"TransmittedServices": "-"
},
"message": "A Kerberos service ticket was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tTELEMETRY-W11-D$@CELL-D.LUDUS.DOMAIN\r\n\tAccount Domain:\t\tCELL-D.LUDUS.DOMAIN\r\n\tLogon GUID:\t\t{09286334-9759-4259-0b88-eaea3f1dda62}\r\n\r\nService Information:\r\n\tService Name:\t\tTELEMETRY-DC-D$\r\n\tService ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1001\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:10.1.50.21\r\n\tClient Port:\t\t62954\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810000\r\n\tTicket Encryption Type:\t0x12\r\n\tFailure Code:\t\t0x0\r\n\tTransited Services:\t-\r\n\r\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\r\n\r\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\r\n\r\nTicket options, encryption types, and failure codes are defined in RFC 4120."
}
Detection Patterns #
Credential Access: Exploitation for Credential Access
1 rule
Lateral Movement: Remote Services
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
TicketEncryptionType | eq | 0x17 | 6 rules | kusto, sigma, splunk |
TicketOptions | eq | 0x40810000 | 4 rules | kusto, sigma, splunk |
src_ip | eq | %domain_controllers_ips% | 3 rules | sigma |
ServiceSid | ends_with | -502 | 3 rules | sigma |
Status | eq | 0x0 | 3 rules | kusto, sigma |
ServiceName | ends_with | $ | 3 rules | sigma |
Status | eq | 0 | 2 rules | sigma |
ServiceName | ne | *$ | 2 rules | splunk |
ServiceName | eq | *$ | 2 rules | splunk |
TicketOptions | eq | 0x40800000 | 2 rules | splunk |
TicketOptions | eq | 0x40810010 | 2 rules | splunk |
TransmittedServices | contains | @ | 2 rules | sigma |
isOutlier | eq | 1 | 1 rule | splunk |
TargetUserName | ne | *$ | 1 rule | splunk |
AuthenticationPackageName | eq | Kerberos | 1 rule | elastic, kusto, sigma, splunk |
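The Kerberoasting rules in the next section share one shape: a single source obtaining RC4 service tickets for many user-account services within a few seconds. The Python below is an added example written for this page, not code from the page, Microsoft, or any vendor, implementing that sliding-window count over constructed 4769 samples. The accounts, addresses and timestamps are assumptions; the 5-second window mirrors the Sigma initial query's period, and the filters mirror the indicators in the table above (Status 0x0, TicketEncryptionType 0x17, ServiceName not ending in $).

```python
# Added example (not from the page or any vendor): Kerberoasting fan-out over
# 4769 events. Sample events are constructed to mirror the 4769 event_data
# layout above; account names, addresses and timestamps are placeholders.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

RC4_HMAC = 0x17


def parse_time(s: str) -> datetime:
    """time_created carries 7 fractional digits; fromisoformat takes at most 6."""
    return datetime.fromisoformat(re.sub(r"(\.\d{6})\d+", r"\1", s).replace("Z", "+00:00"))


def kerberoast_candidates(events: List[dict], window: timedelta = timedelta(seconds=5),
                          min_services: int = 3, rc4_only: bool = True) -> Dict[str, dict]:
    """Sources that obtained service tickets for >= min_services distinct
    user-account services within `window`.

    Filters mirror the predicates above: Status 0x0 (a failed request returns
    nothing to crack), ServiceName not ending in $ (machine accounts have long
    random passwords, so nobody roasts them), not krbtgt (that is a TGT), and
    by default TicketEncryptionType 0x17, because tools downgrade to RC4 when
    the SPN account allows it. rc4_only=False also counts AES tickets, which
    roasting an AES-only service account produces.
    """
    per_source: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for ev in events:
        if ev.get("event_id") != 4769:
            continue
        d = ev["event_data"]
        if int(d["Status"], 16) != 0:
            continue
        if rc4_only and int(d["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        svc = d["ServiceName"]
        if svc.endswith("$") or svc.lower().startswith("krbtgt"):
            continue
        per_source[d["IpAddress"]].append(
            (parse_time(ev["time_created"]), svc, d["TargetUserName"]))

    hits: Dict[str, dict] = {}
    for ip, rows in per_source.items():
        rows.sort()
        for i, (start, _, requester) in enumerate(rows):
            # distinct services requested in the window that opens at this event
            services = {svc for t, svc, _ in rows[i:] if t - start <= window}
            if len(services) >= min_services:
                hits[ip] = {"requester": requester, "first_seen": start.isoformat(),
                            "services": sorted(services)}
                break
    return hits


def _ev(ts, requester, service, etype, ip, status="0x0"):
    """Constructed 4769 sample (only the fields the logic reads)."""
    return {"event_id": 4769, "time_created": ts, "event_data": {
        "TargetUserName": requester, "ServiceName": service, "Status": status,
        "TicketEncryptionType": etype, "TicketOptions": "0x40810000",
        "IpAddress": ip, "TransmittedServices": "-"}}


SAMPLE_4769 = [
    # normal: a workstation asks for an AES ticket to the DC's machine account
    _ev("2026-06-13T13:59:05.1606179+00:00", "TELEMETRY-W11-D$@CELL-D.LUDUS.DOMAIN",
        "TELEMETRY-DC-D$", "0x12", "::ffff:10.1.50.21"),
    # roast: one user, three RC4 tickets for three service accounts in about a second
    _ev("2026-06-13T14:02:10.0000000+00:00", "jdoe@CELL-D.LUDUS.DOMAIN", "svc_sql", "0x17", "::ffff:10.1.50.77"),
    _ev("2026-06-13T14:02:10.4000000+00:00", "jdoe@CELL-D.LUDUS.DOMAIN", "svc_web", "0x17", "::ffff:10.1.50.77"),
    _ev("2026-06-13T14:02:11.1000000+00:00", "jdoe@CELL-D.LUDUS.DOMAIN", "svc_backup", "0x17", "::ffff:10.1.50.77"),
    # expired-ticket failure (0x20) for an RC4 service: no ticket returned, ignored
    _ev("2026-06-13T14:02:11.5000000+00:00", "jdoe@CELL-D.LUDUS.DOMAIN", "svc_old", "0x17", "::ffff:10.1.50.77", status="0x20"),
    # a single RC4 ticket from another host: below threshold on its own
    _ev("2026-06-13T14:30:00.0000000+00:00", "asmith@CELL-D.LUDUS.DOMAIN", "svc_legacy", "0x17", "::ffff:10.1.50.88"),
]

if __name__ == "__main__":
    print(kerberoast_candidates(SAMPLE_4769))
```

Keying on IpAddress rather than TargetUserName catches a roast run through a stolen ticket under another user's name; keying on both is the usual tuning when a jump host legitimately fans out to many services.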
Community Notes #
Service tickets for hosts a user has not accessed before may indicate Pass-the-Ticket or RDP/WMI pivoting; confirm that the host named in ServiceName is the one actually contacted (LogonGuid ties the 4769 to the 4624 on that host). Check TicketEncryptionType for RC4 (0x17) on user-account services, which is the Kerberoasting signature, and check whether TransmittedServices is populated, which means the ticket was obtained through constrained delegation (S4U2Proxy). Look for movement between services or SPNs and for unusual service names.
Detection Rules #
Sigma #
- Kerberoasting Activity - Initial Query (medium): This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed, focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and the time between the requests to turn this into an alert.
- Suspicious Kerberos RC4 Ticket Encryption (medium): Detects service ticket requests using RC4 encryption type.
- Rubeus Kerberos constrained delegation abuse (S4U2Proxy) (high): Detects scenarios where an attacker abuses Kerberos constrained delegation in order to escalate privileges.
- Kerberos key list attack for credential dumping (high): Detects scenarios where an attacker attempts to forge a special Kerberos service ticket in order to extract credentials from Read Only Domain Controllers (RODC).
- Rubeus Kerberos unconstrained delegation abuse (high): Detects scenarios where an attacker abuses Kerberos unconstrained delegation for domain persistence.
Splunk #
- Kerberoasting spn request with RC4 encryption: The following analytic detects potential Kerberoasting attacks by identifying Kerberos service ticket requests with RC4 encryption through Event ID 4769. It leverages specific Ticket_Options values commonly used by Kerberoasting tools.…
- Kerberos Service Ticket Request Using RC4 Encryption: The following analytic detects Kerberos service ticket requests using RC4 encryption, leveraging Kerberos Event 4769. This method identifies potential Golden Ticket attacks, where adversaries forge Kerberos Granting Tickets (TGT) using the…
- Suspicious Kerberos Service Ticket Request: The following analytic detects suspicious Kerberos Service Ticket (TGS) requests where the requesting account name matches the service name, potentially indicating an exploitation attempt of CVE-2021-42278 and CVE-2021-42287. This…
- Unusual Number of Computer Service Tickets Requested: The following analytic identifies an unusual number of computer service ticket requests from a single source, leveraging Event ID 4769, "A Kerberos service ticket was requested." It uses statistical analysis, including standard deviation…
- Unusual Number of Kerberos Service Tickets Requested: The following analytic identifies an unusual number of Kerberos service ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos Event 4769 and calculates the standard deviation for each host, using the 3-sigma…
- Windows Large Number of Computer Service Tickets Requested: The following analytic detects a high volume of Kerberos service ticket requests, specifically more than 30, from a single source within a 5-minute window. It leverages Event ID 4769, which logs when a Kerberos service ticket is requested,…
Kusto #
- Potential Kerberoasting (medium): A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. Each SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. An attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC), which contain a hash of the service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive requests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number of requests within a small time window. This is based on 4769 events, which can be very noisy, so environment-based tweaking might be needed.
- UnPAC the hash: This query looks for an attack that allows an attacker with a valid TGT for a certain account to obtain the NTLM hash for that account. Such an account may be either a user account or a machine account. The TGT can, for example, be obtained by authenticating with a certificate instead of with username and password.
- Potentially Relayed NTLM Authentication - Microsoft Sentinel: The query detects Kerberos logons of computer accounts where there isn't any ticket request in the last 12h (10h is the default ticket expiration) coming from the same IpAddress with the same TargetUserName. The query can be enriched further if needed. (Also matches Event ID 4624: An account was successfully logged on.)
- T1558.003 - Kerberoasting: Detects kerberoasting by using time-series analysis functions. Highly accurate in big environments. A step-by-step explanation is in the query to make it easy to understand.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4769
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4769.yml
- RFC 4120 §5.4.1 KDC-REQ KDCOptions bitmask https://datatracker.ietf.org/doc/html/rfc4120#section-5.4.1
- RFC 6806 §3 Kerberos canonicalize bit https://datatracker.ietf.org/doc/html/rfc6806#section-3
Event ID 4770: A Kerberos service ticket was renewed.
#Description
This event generates for every Ticket Granting Service (TGS) ticket renewal. This event generates only on domain controllers.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | UPN of the account that requested ticket renewal. Computer accounts end with $ in the UPN. Typically user_account_name@FULL_DOMAIN_NAME. |
TargetDomainName UnicodeString | Kerberos realm of the requesting account. |
ServiceName UnicodeString | Name of the account or computer for which the TGS ticket was renewed. |
ServiceSid SID | SID of the account or computer for which the TGS ticket was renewed. |
TicketOptions HexInt32 | Ticket flags as a hexadecimal bitmask (KDCOptions, RFC 4120 §5.4.1); a renewal carries the renew bit, e.g. 0x10002 = canonicalize + renew. |
TicketEncryptionType HexInt32 | Encryption type used for the renewed TGS: 0x12 AES256-CTS-HMAC-SHA1-96, 0x11 AES128-CTS-HMAC-SHA1-96, 0x17 RC4-HMAC, 0x3 DES-CBC-MD5. |
IpAddress UnicodeString | IP address of the computer from which the TGS renewal request was received. |
IpPort UnicodeString | Source port of the client connection for the TGS renewal request. |
RequestTicketHash UnicodeString | |
ResponseTicketHash UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4770,
"version": 0,
"level": 0,
"task": 14337,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-07T02:29:17.564406+00:00",
"event_record_id": 13430760,
"correlation": {},
"execution": {
"process_id": 916,
"thread_id": 2888
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "LAB-DC01$@LUDUS.DOMAIN",
"TargetDomainName": "LUDUS.DOMAIN",
"ServiceName": "krbtgt",
"ServiceSid": "S-1-5-21-1006758700-2167138679-1475694448-502",
"TicketOptions": "0x10002",
"TicketEncryptionType": "0x12",
"IpAddress": "::1",
"IpPort": "0"
},
"message": ""
}
Detection Patterns #
Lateral Movement: Remote Services
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4770
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4770
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4770.yml
- RFC 4120 §5.4.1 KDC-REQ KDCOptions bitmask https://datatracker.ietf.org/doc/html/rfc4120#section-5.4.1
- RFC 6806 §3 Kerberos canonicalize bit https://datatracker.ietf.org/doc/html/rfc6806#section-3
Event ID 4771: Kerberos pre-authentication failed.
#Description
This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a domain controller doesn't have a certificate installed for smart card authentication (for example, with a "Domain Controller" or "Domain Controller Authentication" template), the user's password has expired, or the wrong password was provided. This event generates only on domain controllers. This event is not generated if "Do not require Kerberos preauthentication" option is set for the account.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
TargetUserName | Name of the account for which the TGT was requested. Computer accounts end with $. | 4 |
TargetSid | SID of the account for which the TGT was requested. | |
ServiceName | Service in the Kerberos realm to which the TGT request was sent. Typically krbtgt/DOMAIN_NETBIOS_NAME or krbtgt/DOMAIN_FULL_NAME. | |
TicketOptions | Ticket flags as a hexadecimal bitmask (KDCOptions, RFC 4120 §5.4.1). If the ticket was malformed or damaged in transit, many fields may be absent. | |
Status | Hexadecimal failure code for the TGT issue operation: 0x18 KDC_ERR_PREAUTH_FAILED (wrong password), 0x17 KDC_ERR_KEY_EXPIRED (password expired), 0x10 KDC_ERR_PADATA_TYPE_NOSUPP (for example, smart card logon with no DC certificate, as in the example below). | 4 |
PreAuthType | Pre-authentication type used in the TGT request: 2 PA-ENC-TIMESTAMP (password), 16 PA-PK-AS-REQ (certificate/smart card), 138 PA-ENCRYPTED-CHALLENGE (FAST). | |
IpAddress | IP address of the computer from which the TGT request was received. | |
IpPort | Source port of the client connection for the TGT request. | |
CertIssuerName | Name of the CA that issued the smart card certificate. | |
CertSerialNumber | Serial number of the smart card certificate. | |
CertThumbprint | Thumbprint of the smart card certificate. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4771,
"version": 0,
"level": 0,
"task": 14339,
"opcode": 0,
"keywords": -9218868437227405312,
"time_created": "2026-06-13T13:53:55.6060729+00:00",
"event_record_id": 1247582,
"correlation": {},
"execution": {
"process_id": 760,
"thread_id": 1028
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "TELEMETRY-W11-D$",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1106",
"ServiceName": "krbtgt/CELL-D.LUDUS.DOMAIN",
"TicketOptions": "0x40810010",
"Status": "0x10",
"PreAuthType": "16",
"IpAddress": "::ffff:10.1.50.21",
"IpPort": "49683",
"CertIssuerName": "",
"CertSerialNumber": "",
"CertThumbprint": ""
},
"message": "Kerberos pre-authentication failed.\r\n\r\nAccount Information:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1106\r\n\tAccount Name:\t\tTELEMETRY-W11-D$\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt/CELL-D.LUDUS.DOMAIN\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:10.1.50.21\r\n\tClient Port:\t\t49683\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810010\r\n\tFailure Code:\t\t0x10\r\n\tPre-Authentication Type:\t16\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number: \t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options and failure codes are defined in RFC 4120.\r\n\r\nIf the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present."
}
Detection Patterns #
Credential Access: Exploitation for Credential Access
1 rule
Lateral Movement: Remote Services
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
TargetUserName | ne | *$ | 2 rules | splunk |
Status | eq | 0x18 | 2 rules | splunk |
unique_accounts | gt | 30 | 1 rule | splunk |
Community Notes #
May indicate password spraying. Pivot on ClientAddress.
Detection Rules #
Splunk #
- Windows Multiple Users Failed To Authenticate Using Kerberos source: The following analytic identifies a single source endpoint failing to authenticate with 30 unique users using the Kerberos protocol. It leverages EventCode 4771 with Status 0x18, indicating wrong password attempts, and aggregates these…
- Windows Unusual Count Of Users Failed To Auth Using Kerberos source: The following analytic identifies a source endpoint failing to authenticate multiple valid users using the Kerberos protocol, potentially indicating a Password Spraying attack. It leverages Event 4771, which is generated when the Key…
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4771.yml
- RFC 4120 §5.4.1 KDC-REQ KDCOptions bitmask https://datatracker.ietf.org/doc/html/rfc4120#section-5.4.1
- RFC 4120 §7.5.9 Kerberos error codes https://datatracker.ietf.org/doc/html/rfc4120#section-7.5.9
- RFC 4556 §6 PKINIT error codes https://datatracker.ietf.org/doc/html/rfc4556#section-6
Event ID 4772: A Kerberos authentication ticket request failed.
#Description
A Kerberos authentication ticket request failed.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | [Account Information] Account Name |
TargetDomainName UnicodeString | [Account Information] Supplied Realm Name |
ServiceName UnicodeString | [Service Information] Service Name |
TicketOptions UnicodeString | [Additional Information] Ticket Options Bitmask flags |
FailureCode UnicodeString | [Additional Information] Failure Code NTSTATUS reference |
IpAddress UnicodeString | [Network Information] Client Address |
IpPort UnicodeString | [Network Information] Client Port |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4772
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4772
Event ID 4773: A Kerberos service ticket request failed.
#Description
A Kerberos service ticket request failed.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | [Account Information] Account Name |
TargetDomainName UnicodeString | [Account Information] Account Domain |
ServiceName UnicodeString | [Service Information] Service Name |
TicketOptions UnicodeString | [Additional Information] Ticket Options Bitmask flags |
FailureCode UnicodeString | [Additional Information] Failure Code NTSTATUS reference |
IpAddress UnicodeString | [Network Information] Client Address |
IpPort UnicodeString | [Network Information] Client Port |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4773
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4773
Event ID 4774: An account was mapped for logon.
#Description
An account was mapped for logon.
Message #
Fields #
| Name | Description |
|---|---|
MappingBy UnicodeString | The name of Authentication Package which was used for credential validation. |
ClientUserName UnicodeString | The name of the account that had its credentials validated by the Authentication Package. Can be user name, computer account name or well-known security principal account name. |
MappedName UnicodeString | The name of the account logged on / mapped. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4774
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4774
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4774.yml
Event ID 4775: An account could not be mapped for logon.
#Description
An account could not be mapped for logon.
Message #
Fields #
| Name | Description |
|---|---|
ClientUserName UnicodeString | Authentication Package. |
MappingBy UnicodeString | Account Name. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4775
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4775
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4775.yml
Event ID 4776: The domain controller attempted to validate the credentials for an account.
#Description
This event generates every time that a credential validation occurs using NTLM authentication. This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
PackageName UnicodeString | Authentication package used. Always MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 for this event. | |
TargetUserName UnicodeString | Account whose credentials were validated. May be a user name, computer account, or well-known security principal. | 8 |
Workstation UnicodeString | The name of the computer from which the logon attempt originated. | |
Status HexInt32 | Error code for failed validations. 0x0 indicates success. NTSTATUS reference | 8 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4776,
"version": 0,
"level": 0,
"task": 14336,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:08:49.4207598+00:00",
"event_record_id": 3213621,
"correlation": {},
"execution": {
"process_id": 896,
"thread_id": 580
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
"TargetUserName": "domainadmin",
"Workstation": "LUDUS",
"Status": "0x0"
},
"message": "The computer attempted to validate the credentials for an account.\r\n\r\nAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\r\nLogon Account:\tdomainadmin\r\nSource Workstation:\tLUDUS\r\nError Code:\t0x0"
}
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
TargetUserName | ne | *$ | 4 rules | splunk |
LogonType | eq | Network | 2 rules | elastic, kusto, sigma, splunk |
isOutlier | eq | 1 | 2 rules | splunk |
AuthenticationPackageName | eq | NTLM | 2 rules | elastic, kusto, sigma, splunk |
unique_accounts | gt | 30 | 2 rules | splunk |
Status | eq | 0xC000006A | 2 rules | splunk |
Status | eq | 0xc0000064 | 2 rules | splunk |
SubjectUserSid | eq | S-1-0-0 | 1 rule | sigma |
Community Notes #
This may capture fall-back NTLM use. Check the Workstation field: if it does not name the expected client, this may be NTLM coercion.
The Status field is an NTSTATUS code indicating the credential validation result:
| Code | Name | Description |
|---|---|---|
| 0x00000000 | STATUS_SUCCESS | Credentials validated successfully |
| 0xC000006D | STATUS_LOGON_FAILURE | Generic failure (bad username or password) |
| 0xC0000064 | STATUS_NO_SUCH_USER | Non-existent account |
| 0xC000006A | STATUS_WRONG_PASSWORD | Incorrect password |
| 0xC0000234 | STATUS_ACCOUNT_LOCKED_OUT | Account locked out |
| 0xC0000072 | STATUS_ACCOUNT_DISABLED | Account disabled |
| 0xC0000193 | STATUS_ACCOUNT_EXPIRED | Account expired |
| 0xC0000071 | STATUS_PASSWORD_EXPIRED | Password expired |
| 0xC000006F | STATUS_INVALID_LOGON_HOURS | Outside allowed logon hours |
| 0xC0000070 | STATUS_INVALID_WORKSTATION | Not allowed from this workstation |
| 0xC0000224 | STATUS_PASSWORD_MUST_CHANGE | Password must change at next logon |
| 0xC000005E | STATUS_NO_LOGON_SERVERS | No logon servers available |
| 0xC00002DB | STATUS_NTLM_BLOCKED | NTLM blocked by policy |
Detection Rules #
Splunk #
- Windows Multiple Invalid Users Failed To Authenticate Using NTLM source: The following analytic detects a single source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC0000064, which…
- Windows Multiple Users Failed To Authenticate From Host Using NTLM source: The following analytic identifies a single source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC000006A, which…
- Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM source: The following analytic identifies a source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 and calculates the standard deviation for each host, using the 3-sigma rule to…
- Windows Unusual Count Of Users Failed To Authenticate Using NTLM source: The following analytic identifies a source endpoint failing to authenticate multiple valid users using the NTLM protocol, potentially indicating a Password Spraying attack. It leverages Event 4776 from Domain Controllers, calculating the…
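The spray-threshold logic that the Splunk rules listed here (and the 4771 rules earlier on the page) describe, as an added example that is not part of the original page or of any vendor's rule: it reads records in the JSON shape shown in the Example Event sections, applies the page's predicates (4771 Status 0x18, 4776 Status 0xC000006A or 0xC0000064, TargetUserName not ending in $), groups by the source field each event carries (IpAddress for 4771, Workstation for 4776) and reports sources exceeding 30 distinct accounts. The sample events, account names, sources and the threshold are constructed here for illustration.

```python
"""Spray-pattern detection over 4771/4776 records in the JSON shape shown on this page.

Added example (not the page's or any vendor's code). Sample events, account names,
sources and the 30-account threshold are constructed here for illustration.
"""
import json
from collections import defaultdict

# Predicates the page's detection rules key on.
KRB_PREAUTH_FAILED = "0x18"                      # 4771: wrong password (KDC_ERR_PREAUTH_FAILED)
NTLM_SPRAY_CODES = {"0xc000006a", "0xc0000064"}  # 4776: STATUS_WRONG_PASSWORD, STATUS_NO_SUCH_USER


def make_event(event_id, user, status, source):
    """Build a constructed record mirroring the page's Example Event layout.

    Only the fields the detection reads are populated. For 4771 the source is the
    IpAddress field; for 4776 it is the Workstation field.
    """
    data = {"TargetUserName": user, "Status": status}
    if event_id == 4771:
        data.update({"ServiceName": "krbtgt/CELL-D.LUDUS.DOMAIN", "IpAddress": source})
    else:
        data.update({"PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "Workstation": source})
    return {"system": {"event_id": event_id, "channel": "Security"}, "event_data": data}


def spray_candidate(event):
    """Return (source, account) when the record is a failed logon for a non-computer
    account that the spray rules count, otherwise None."""
    data = event.get("event_data", {})
    event_id = event.get("system", {}).get("event_id")
    account = data.get("TargetUserName", "")
    # The rules exclude computer accounts (TargetUserName ne *$): they retry on their
    # own and would otherwise dominate the distinct-account count.
    if not account or account.endswith("$"):
        return None
    # Status casing varies between records ("0xC000006A" vs "0xc0000064"), so normalise.
    status = data.get("Status", "").lower()
    if event_id == 4771 and status == KRB_PREAUTH_FAILED:
        source = data.get("IpAddress", "")
    elif event_id == 4776 and status in NTLM_SPRAY_CODES:
        source = data.get("Workstation", "")
    else:
        return None
    return source, account.lower()


def spray_sources(events, threshold=30):
    """Group counted failures by source and return {source: sorted accounts} for every
    source whose distinct-account count exceeds the threshold (the rules use > 30)."""
    accounts_by_source = defaultdict(set)
    for event in events:
        hit = spray_candidate(event)
        if hit is not None:
            accounts_by_source[hit[0]].add(hit[1])
    return {src: sorted(accts) for src, accts in accounts_by_source.items()
            if len(accts) > threshold}


def load_jsonl(text):
    """Parse newline-delimited JSON records, one event per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample: one Kerberos source spraying 35 accounts, one host hammering a
# single account, records the predicates exclude, and an NTLM source probing 31
# non-existent users from one workstation.
SAMPLE_EVENTS = (
    [make_event(4771, f"user{i:02d}", "0x18", "::ffff:10.1.50.21") for i in range(35)]
    + [make_event(4771, "jdoe", "0x18", "::ffff:10.1.50.99") for _ in range(40)]
    + [make_event(4771, "TELEMETRY-W11-D$", "0x18", "::ffff:10.1.50.21"),  # computer account
       make_event(4771, "svc_backup", "0x12", "::ffff:10.1.50.77")]         # not Status 0x18
    + [make_event(4776, f"ghost{i:02d}", "0xC0000064", "LUDUS") for i in range(31)]
    + [make_event(4776, "domainadmin", "0x0", "LUDUS")]                     # success, ignored
)

if __name__ == "__main__":
    records = load_jsonl("\n".join(json.dumps(e) for e in SAMPLE_EVENTS))
    for source, accounts in spray_sources(records).items():
        print(f"{source}: {len(accounts)} distinct accounts, e.g. {accounts[:3]}")
```

A single account failing repeatedly from one host never crosses the threshold, which is the point of counting distinct accounts rather than raw failures.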
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4776.yml
Event ID 4777: The domain controller failed to validate the credentials for an account.
#Description
Currently this event doesn't generate. It is a defined event, but it is never invoked by the operating system; a 4776 failure event is generated instead.
Message #
Fields #
| Name | Description |
|---|---|
ClientUserName UnicodeString | Authentication Package. |
TargetUserName UnicodeString | Logon Account. |
Workstation UnicodeString | Source Workstation. |
Status UnicodeString | Error Code. NTSTATUS reference |
Community Notes #
Logged when NTLM credential validation fails. Pair with 4776 (which logs both successes and failures).
The Status field is an NTSTATUS code — see Event 4776 for the full code table.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4777
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4777
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4777.yml
Event ID 4778: A session was reconnected to a Window Station.
#Description
This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching.
Message #
Fields #
| Name | Description |
|---|---|
AccountName | The name of the account for which the session was reconnected. |
AccountDomain | Subject's domain or computer name. |
LogonID | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
SessionName | The name of the session to which the user was reconnected. |
ClientName | Computer name from which the user was reconnected. Has "Unknown" value for console session. |
ClientAddress | IP address of the computer from which the user was reconnected. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4778,
"version": 0,
"level": 0,
"task": 12551,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2021-05-14T21:01:05.831748Z",
"event_record_id": 1829819,
"correlation": {
"#attributes": {
"ActivityID": "A67BE420-4636-0001-36E4-7BA63646D701"
}
},
"execution": {
"process_id": 576,
"thread_id": 4904
},
"channel": "Security",
"computer": "fs01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"AccountName": "admmarsid",
"AccountDomain": "OFFSEC",
"LogonID": "0x6a423",
"SessionName": "RDP-Tcp#8",
"ClientName": "JUMP01",
"ClientAddress": "10.23.23.9"
}
}
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
prefix | eq | src_ | 1 rule | splunk |
Community Notes #
Useful for tracing session re-use.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4778
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4778
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-4778-session-reconnected.md
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4778.yml
Event ID 4779: A session was disconnected from a Window Station.
#Description
This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.
Message #
Fields #
| Name | Description |
|---|---|
AccountName | The name of the account for which the session was disconnected. |
AccountDomain | Subject's domain or computer name. |
LogonID | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
SessionName | The name of disconnected session. |
ClientName | Machine name from which the session was disconnected. Has "Unknown" value for console session. |
ClientAddress | IP address of the computer from which the session was disconnected. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4779,
"version": 0,
"level": 0,
"task": 12551,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2021-05-14T21:01:05.370030Z",
"event_record_id": 1829816,
"correlation": {
"#attributes": {
"ActivityID": "A67BE420-4636-0001-36E4-7BA63646D701"
}
},
"execution": {
"process_id": 576,
"thread_id": 628
},
"channel": "Security",
"computer": "fs01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"AccountName": "admmig",
"AccountDomain": "OFFSEC",
"LogonID": "0x13b5e1e",
"SessionName": "RDP-Tcp#8",
"ClientName": "JUMP01",
"ClientAddress": "10.23.23.9"
}
}
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
prefix | eq | src_ | 1 rule | splunk |
Detection Rules #
Splunk #
- Potential ngrok Tunnel - Windows (Windows Event Log) source: ngrok is a reverse proxy utility with the ability to establish tunnels on targets using reverse SSH, even if the target does not have ngrok installed. Attackers have been observed abusing ngrok to establish persistence and perform lateral…
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4779
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4779
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4779.yml
Event ID 4780: The ACL was set on accounts which are members of administrators groups.
#Description
The ACL was set on accounts which are members of administrators groups.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | [Target Account] Account Name |
TargetDomainName UnicodeString | [Target Account] Account Domain |
TargetSid SID | [Target Account] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4780,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-14T00:17:46.607238+00:00",
"event_record_id": 16777470,
"correlation": {},
"execution": {
"process_id": 940,
"thread_id": 1056
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "Domain Admins",
"TargetDomainName": "DC=ludus,DC=domain",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-512",
"SubjectUserSid": "S-1-5-7",
"SubjectUserName": "ANONYMOUS LOGON",
"SubjectDomainName": "NT AUTHORITY",
"SubjectLogonId": "0x3e6",
"PrivilegeList": "-"
},
"message": ""
}
Detection Patterns #
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4780
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4780
Event ID 4781: The name of an account was changed.
#Description
This event generates every time a user or computer account name (sAMAccountName attribute) is changed. For user accounts, this event generates on domain controllers, member servers, and workstations. For computer accounts, this event generates only on domain controllers.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
OldTargetUserName UnicodeString | Old name of target account. | 11 |
NewTargetUserName UnicodeString | New name of target account. | 11 |
TargetDomainName UnicodeString | Target account's domain or computer name. | |
TargetSid SID | SID of account on which the name was changed. | 1 |
SubjectUserSid SID | SID of account that performed the "change account name" operation. | |
SubjectUserName UnicodeString | The name of the account that performed the "change account name" operation. | |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
PrivilegeList UnicodeString | Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4781,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:37.340432+00:00",
"event_record_id": 2857,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 856
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"OldTargetUserName": "None",
"NewTargetUserName": "None",
"TargetDomainName": "WINDEV2310EVAL",
"TargetSid": "S-1-5-21-1992711665-1655669231-58201500-513",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-"
},
"message": ""
}
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
OldTargetUserName | ends_with | $ | 3 rules | elastic, sigma |
NewTargetUserName | ends_with | $ | 2 rules | sigma |
NewTargetUserName | match | $ | 2 rules | sigma |
NewTargetUserName | ne | *$ | 2 rules | splunk |
OldTargetUserName | eq | *$ | 2 rules | splunk |
TargetUserName | ne | *$ | 1 rule | splunk |
TargetUserName | ends_with | $ | 1 rule | kusto, sigma |
short_lived | eq | TRUE | 1 rule | splunk |
TargetUserName | eq | HomeGroupUser$ | 1 rule | sigma |
Community Notes #
Attackers may rename an existing, highly privileged account to blend in.
Detection Rules #
Sigma #
- Computer account renamed without a trailing $ (CVE-2021-42278/42287) source high: Detects scenarios where an attacker attempts to spoof the SAM account name of a domain controller in order to impersonate it. Vulnerability comes from that computer accounts should have a trailing $ in their name (i.e. sAMAccountName attribute) but no validation process existed until the patch was released. During the offensive phase, attacker will create and rename the sAMAccountName of a computer account to look like the one of a domain controller. Once the attack is done, attacker will rollback the sAMAccountName to its original name.
- Account renamed to admin (or likely) account to evade defense source high: Detects scenarios where an attacker renames a non-admin account in order to evade SOC & operations vigilance
- Suspicious Computer Account Name Change CVE-2021-42287 source high: Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287
Elastic #
- Potential Privileged Escalation via SamAccountName Spoofing source high: Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.
Splunk #
- Suspicious Computer Account Name Change source: The following analytic detects a suspicious computer account name change in Active Directory. It leverages Event ID 4781, which logs account name changes, to identify instances where a computer account name is changed to one that does not…
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4781
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4781
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4781.yml
Event ID 4782: The password hash of an account was accessed.
#Description
This event generates on domain controllers during password migration of an account using Active Directory Migration Toolkit. Typically "Subject\Security ID" is the SYSTEM account.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | The name of the account for which the password hash was migrated. For example: ServiceDesk. |
TargetDomainName UnicodeString | Domain name of the account for which the password hash was migrated. |
SubjectUserSid SID | SID of account that requested hash migration operation. If the SID cannot be resolved, you will see the source data in the event. |
SubjectUserName UnicodeString | The name of the account that requested hash migration operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
Community Notes #
May indicate Pass-the-Hash. Legitimate use occurs during AD password migration operations under SYSTEM or a dedicated migration account.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4782
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-account-management-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4782
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4782.yml
Event ID 4783: A basic application group was created.
#Description
A basic application group was created.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | [Group] Account Name |
TargetDomainName UnicodeString | [Group] Account Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
SamAccountName UnicodeString | [Attributes] SAM Account Name |
SidHistory UnicodeString | [Attributes] SID History |
Detection Patterns #
Persistence: Domain Account
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4783
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4783
Event ID 4784: A basic application group was changed.
#Description
A basic application group was changed.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | [Group] Account Name |
TargetDomainName UnicodeString | [Group] Account Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
SamAccountName UnicodeString | [Attributes] SAM Account Name |
SidHistory UnicodeString | [Attributes] SID History |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4784
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4784
Event ID 4785: A member was added to a basic application group.
#Description
A member was added to a basic application group.
Message #
Fields #
| Name | Description |
|---|---|
MemberName UnicodeString | [Member] Account Name |
MemberSid SID | [Member] Security ID |
TargetUserName UnicodeString | [Group] Group Name |
TargetDomainName UnicodeString | [Group] Group Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
MembershipExpirationTime FILETIME | Expiration time |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4785
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4785
Event ID 4786: A member was removed from a basic application group.
#Description
A member was removed from a basic application group.
Message #
Fields #
| Name | Description |
|---|---|
MemberName UnicodeString | [Member] Account Name |
MemberSid SID | [Member] Security ID |
TargetUserName UnicodeString | [Group] Group Name |
TargetDomainName UnicodeString | [Group] Group Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4786
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4786
Event ID 4787: A non-member was added to a basic application group.
#Description
A non-member was added to a basic application group.
Message #
Fields #
| Name | Description |
|---|---|
MemberName UnicodeString | [Member] Account Name |
MemberSid SID | [Member] Security ID |
TargetUserName UnicodeString | [Group] Account Name |
TargetDomainName UnicodeString | [Group] Account Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4787
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4787
Event ID 4788: A non-member was removed from a basic application group.
#Description
A non-member was removed from a basic application group.
Message #
Fields #
| Name | Description |
|---|---|
MemberName UnicodeString | [Member] Account Name |
MemberSid SID | [Member] Security ID |
TargetUserName UnicodeString | [Group] Account Name |
TargetDomainName UnicodeString | [Group] Account Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4788
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4788
Event ID 4789: A basic application group was deleted.
#Description
A basic application group was deleted.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | [Group] Account Name |
TargetDomainName UnicodeString | [Group] Account Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4789
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4789
Event ID 4790: An LDAP query group was created.
#Description
An LDAP query group was created.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | [Group] Account Name |
TargetDomainName UnicodeString | [Group] Account Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
SamAccountName UnicodeString | [Attributes] SAM Account Name |
SidHistory UnicodeString | [Attributes] SID History |
Detection Patterns #
Persistence: Domain Account
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4790
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4790
Event ID 4791: A basic application group was changed.
#Description
A basic application group was changed.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | [Group] Account Name |
TargetDomainName UnicodeString | [Group] Account Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
SamAccountName UnicodeString | [Attributes] SAM Account Name |
SidHistory UnicodeString | [Attributes] SID History |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4791
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4791
Event ID 4792: An LDAP query group was deleted.
#Description
An LDAP query group was deleted.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | [Group] Account Name |
TargetDomainName UnicodeString | [Group] Account Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4792
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4792
Event ID 4793: The Password Policy Checking API was called.
#Description
This event generates each time the Password Policy Checking API is called.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that requested Password Policy Checking API operation. |
SubjectUserName UnicodeString | The name of the account that requested Password Policy Checking API operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
Workstation UnicodeString | Name of the computer from which the Password Policy Checking API was called; typically the same computer that generated the event, for example DC01. The name carries no trailing "$" and can also be an IP address or a DNS name. |
TargetUserName UnicodeString | The name of the account whose password was submitted for validation. This parameter might not be captured, in which case it appears as "-". |
Status HexInt32 | Typically "0x0". The status is 0x0 whether or not the password satisfies the domain password policy, so it cannot be used to tell accepted candidates from rejected ones. NTSTATUS reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4793
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-account-management-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4793
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4793.yml
Event ID 4794: An attempt was made to set the Directory Services Restore Mode administrator password.
#Description
This event generates every time the Directory Services Restore Mode (DSRM) administrator password is changed. It generates only on domain controllers.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid | SID of account that made an attempt to set Directory Services Restore Mode administrator password. |
SubjectUserName | The name of the account that made an attempt to set Directory Services Restore Mode administrator password. |
SubjectDomainName | Subject's domain or computer name. |
SubjectLogonId | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
Workstation | The name of the computer from which the Directory Services Restore Mode (DSRM) administrator password change request was received, for example "DC01". If the request was made locally (on the DC itself), this field holds that DC's own computer name. |
Status | For Success events it has "0x0" value. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4794,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2017-06-09T19:21:26.968669Z",
"event_record_id": 3139859,
"correlation": {
"#attributes": {
"ActivityID": "3B48C871-DFE6-0000-A5C8-483BE6DFD201"
}
},
"execution": {
"process_id": 792,
"thread_id": 1648
},
"channel": "Security",
"computer": "2016dc.hqcorp.local",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1913345275-1711810662-261465553-500",
"SubjectUserName": "administrator",
"SubjectDomainName": "HQCORP",
"SubjectLogonId": "0x2f336f",
"Workstation": "2016DC",
"Status": "0x0"
}
}
Detection Rules #
View all rules referencing this event →
Sigma # view in coverage
- Password Change on Directory Service Restore Mode (DSRM) Account source high: Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.
- DSRM password changed (native) source high: Detects scenarios where an attacker resets the DSRM (Directory Services Restore Mode) password, or synchronizes it with another domain account's password, in order to escalate privileges.
Splunk # view in coverage
- Windows AD DSRM Password Reset source: The following analytic detects attempts to reset the Directory Services Restore Mode (DSRM) administrator password on a Domain Controller. It leverages event code 4794 from the Windows Security Event Log, specifically looking for events…
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4794
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4794
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4794.yml
Event ID 4797: An attempt was made to query the existence of a blank password for an account.
#Description
An attempt was made to query the existence of a blank password for an account.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of the account that requested the "enumerate blank passwords" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "enumerate blank passwords" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
Workstation UnicodeString | The name of the computer from which the query was made, for example "DC01". If the query was made locally (from the same server), this field holds that server's own computer name. |
TargetUserName UnicodeString | The name of the account whose blank-password status was queried (in the example below, the local WDAGUtilityAccount). |
TargetDomainName UnicodeString | The target account's domain or computer name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4797,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T00:43:39.992357+00:00",
"event_record_id": 184918,
"correlation": {
"ActivityID": "E4DB489E-1037-0001-0C49-DBE43710DA01"
},
"execution": {
"process_id": 808,
"thread_id": 1928
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"SubjectUserName": "User",
"SubjectDomainName": "WINDEV2310EVAL",
"SubjectLogonId": "0x27844",
"Workstation": "WINDEV2310EVAL",
"TargetUserName": "WDAGUtilityAccount",
"TargetDomainName": "WINDEV2310EVAL"
},
"message": ""
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4797
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4797.yml
Event ID 4798: A user's local group membership was enumerated.
#Description
This event generates when a process enumerates a user's security-enabled local groups on a computer or device.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
TargetUserName UnicodeString | The name of the account whose groups were enumerated. | |
TargetDomainName UnicodeString | Group's domain or computer name. | |
TargetSid SID | SID of the account whose groups were enumerated. | |
SubjectUserSid SID | SID of account that requested the "enumerate user's security-enabled local groups" operation. | |
SubjectUserName UnicodeString | The name of the account that requested the "enumerate user's security-enabled local groups" operation. | |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
CallerProcessId Pointer | Hexadecimal Process ID of the process that enumerated the user's local group membership. Process ID (PID) is a number used by the operating system to uniquely identify an active process; it can be correlated with the New Process ID of a "4688: A new process has been created" event. | |
CallerProcessName UnicodeString | Full path and the name of the executable for the process. | 2 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4798,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:35.014146+00:00",
"event_record_id": 2785,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 896
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "User",
"TargetDomainName": "WINDEV2310EVAL",
"TargetSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"CallerProcessId": "0x57c",
"CallerProcessName": "C:\\Windows\\System32\\rundll32.exe"
},
"message": ""
}
Detection Rules #
View all rules referencing this event →
Splunk # view in coverage
- Enumerate Users Local Group Using Telegram source: The following analytic detects a Telegram process enumerating all network users in a local group. It leverages EventCode 4798, which is generated when a process enumerates a user's security-enabled local groups on a computer or device.…
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4798
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4798.yml
Event ID 4799: A security-enabled local group membership was enumerated.
#Description
This event generates when a process enumerates the members of a security-enabled local group on the computer or device. It does not generate when group members are enumerated through the Active Directory Users and Computers snap-in.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
TargetUserName UnicodeString | The name of the group which members were enumerated. | 1 |
TargetDomainName UnicodeString | Group's domain or computer name. | |
TargetSid SID | SID of the group which members were enumerated. | 3 |
SubjectUserSid SID | SID of account that requested the "enumerate security-enabled local group members" operation. | 1 |
SubjectUserName UnicodeString | The name of the account that requested the "enumerate security-enabled local group members" operation. | 1 |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
CallerProcessId Pointer | Hexadecimal Process ID of the process that enumerated the members of the group. Process ID (PID) is a number used by the operating system to uniquely identify an active process. You can also correlate this process ID with a process ID in other events, for example, "4688: A new process has been created" Process Information\New Process ID. | |
CallerProcessName UnicodeString | Full path and the name of the executable for the process. | 3 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4799,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T05:45:34.3695998+00:00",
"event_record_id": 1898088,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 2704
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "Server Operators",
"TargetDomainName": "Builtin",
"TargetSid": "S-1-5-32-549",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-A$",
"SubjectDomainName": "cell-a",
"SubjectLogonId": "0x3e7",
"CallerProcessId": "0x6b8",
"CallerProcessName": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{A0BAEC76-A04A-4AF1-BF12-3AC51BC4A16B}\\EDGEMITMP_E2E83.tmp\\setup.exe"
},
"message": "A security-enabled local group membership was enumerated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-32-549\r\n\tGroup Name:\t\tServer Operators\r\n\tGroup Domain:\t\tBuiltin\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x6b8\r\n\tProcess Name:\t\tC:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{A0BAEC76-A04A-4AF1-BF12-3AC51BC4A16B}\\EDGEMITMP_E2E83.tmp\\setup.exe"
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
SubjectUserSid | starts_with | S-1-5-21- | 1 rule | sigma |
TargetSid | eq | S-1-5-32-544 | 1 rule | kusto, sigma |
TargetUserName | starts_with | Administr | 1 rule | sigma |
Detection Rules #
View all rules referencing this event →
Sigma # view in coverage
- Remote local admin group enumeration via SharpHound source medium: Detects scenarios where an attacker enumerates the local administrators group on multiple hosts via SharpHound.
- Local group enumeration triggered by Azure Virtual machine recovery tool source high: Detects scenarios where an attacker having compromised a virtual machine via serial cable attempts to enumerate local groups.
- Operation Wocao Activity - Security source high: Detects activity mentioned in Operation Wocao report
Splunk # view in coverage
- SharpHound Enumeration (Windows Event Log) source: Sharphound can be used to collect Active Directory information in order to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Once collected information can be utilized by BloodHound to…
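The Common Indicators table and the SharpHound rules above describe one pattern: a domain or local account (SID prefix S-1-5-21-) enumerating BUILTIN\Administrators (S-1-5-32-544) on many hosts, while the page's own example event (SYSTEM enumerating Server Operators from an Edge updater) is the kind of noise the S-1-5-21- predicate excludes. The following is an added example, not part of this page or of any vendor's rule, that applies those three predicates and counts distinct hosts per subject over constructed 4799 events. The SIDs, host names, threshold and the lsass.exe caller shown for remotely serviced enumeration are assumptions of the example.

```python
"""Aggregate 4799 (local group membership enumerated) events the way the
SharpHound rules above do: one account enumerating the local Administrators
group on many hosts. Added example, not a vendor rule; the events below are
constructed in the shape of the page's example event."""
from collections import defaultdict

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # TargetSid checked by the rules above
DOMAIN_SID_PREFIX = "S-1-5-21-"          # domain/local accounts; excludes SYSTEM (S-1-5-18)

# Constructed sample. The first event mirrors the page's benign example
# (SYSTEM enumerating Server Operators from an Edge updater); the rest model
# one domain user hitting Administrators on five different workstations.
# Remote SAMR queries are serviced by lsass, so CallerProcessName is lsass.exe
# rather than the attacker's tool (assumed here, not stated on the page).
ATTACKER_SID = "S-1-5-21-1000000000-2000000000-3000000000-1105"
SAMPLE_4799 = [
    {"system": {"computer": "telemetry-DC-a.cell-a.ludus.domain"},
     "event_data": {"TargetSid": "S-1-5-32-549", "TargetUserName": "Server Operators",
                    "SubjectUserSid": "S-1-5-18", "SubjectUserName": "TELEMETRY-DC-A$",
                    "CallerProcessName": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\setup.exe"}},
] + [
    {"system": {"computer": f"ws{n:02d}.corp.example"},
     "event_data": {"TargetSid": BUILTIN_ADMINISTRATORS, "TargetUserName": "Administrators",
                    "SubjectUserSid": ATTACKER_SID, "SubjectUserName": "jdoe",
                    "CallerProcessName": r"C:\Windows\System32\lsass.exe"}}
    for n in range(1, 6)
]


def matches_indicators(event: dict) -> bool:
    """The three Common Indicators combined: an S-1-5-21- subject enumerating
    BUILTIN\\Administrators, matched by SID or by the name prefix "Administr"
    (the prefix also catches localized names such as Administratoren)."""
    d = event["event_data"]
    admin_group = (d.get("TargetSid") == BUILTIN_ADMINISTRATORS
                   or d.get("TargetUserName", "").startswith("Administr"))
    return admin_group and d.get("SubjectUserSid", "").startswith(DOMAIN_SID_PREFIX)


def hosts_enumerated_by_subject(events) -> dict[str, set[str]]:
    """Map SubjectUserSid -> set of hosts on which it enumerated Administrators."""
    hosts: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        if matches_indicators(ev):
            hosts[ev["event_data"]["SubjectUserSid"]].add(ev["system"]["computer"].lower())
    return hosts


def sharphound_like_subjects(events, min_hosts: int = 3) -> dict[str, list[str]]:
    """Subjects that enumerated Administrators on at least min_hosts distinct hosts.
    Tune min_hosts to the environment: vulnerability scanners and admin tooling
    legitimately do this, so allow-list their service accounts upstream."""
    return {sid: sorted(h) for sid, h in hosts_enumerated_by_subject(events).items()
            if len(h) >= min_hosts}


if __name__ == "__main__":
    for sid, hosts in sharphound_like_subjects(SAMPLE_4799).items():
        print(f"{sid} enumerated Administrators on {len(hosts)} hosts: {', '.join(hosts)}")
```

The host count is what separates collection from a single admin checking one machine; the per-event predicates alone fire on every interactive `net localgroup administrators`.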
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4799
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4799.yml
Event ID 4800: The workstation was locked.
#Description
This event is generated when a workstation is locked.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserSid SID | SID of account that requested the "lock workstation" operation. |
TargetUserName UnicodeString | The name of the account that requested the "lock workstation" operation. |
TargetDomainName UnicodeString | Subject's domain or computer name. |
TargetLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
SessionId UInt32 | Unique ID of the session that was locked. You can list current session IDs with the "query session" command. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4800,
"version": 0,
"level": 0,
"task": 12551,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-11T23:16:10.990860+00:00",
"event_record_id": 2684980,
"correlation": {
"ActivityID": "FA744C8F-80A0-4DBD-B165-8D96568C15CC"
},
"execution": {
"process_id": 720,
"thread_id": 3756
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserSid": "S-1-5-21-3407486967-1585450050-1838039599-1000",
"TargetUserName": "localuser",
"TargetDomainName": "LAB-WIN11",
"TargetLogonId": "0x1b1557",
"SessionId": 2
},
"message": ""
}
Detection Rules #
View all rules referencing this event →
Sigma # view in coverage
- Locked Workstation source informational: Detects locked workstation session events that occur automatically after a standard period of inactivity.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4800
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4800
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4800.yml
Event ID 4801: The workstation was unlocked.
#Description
This event is generated when a workstation is unlocked.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserSid SID | SID of account that requested the "unlock workstation" operation. |
TargetUserName UnicodeString | The name of the account that requested the "unlock workstation" operation. |
TargetDomainName UnicodeString | Subject's domain or computer name. |
TargetLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
SessionId UInt32 | Unique ID of the session that was unlocked. You can list current session IDs with the "query session" command. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4801,
"version": 0,
"level": 0,
"task": 12551,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-12T02:56:05.225999+00:00",
"event_record_id": 2752626,
"correlation": {
"ActivityID": "A84A27DD-91F0-42B5-B4DA-0B267CDC42CF"
},
"execution": {
"process_id": 720,
"thread_id": 4416
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserSid": "S-1-5-21-3407486967-1585450050-1838039599-1000",
"TargetUserName": "localuser",
"TargetDomainName": "LAB-WIN11",
"TargetLogonId": "0x1b1557",
"SessionId": 2
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4801
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4801
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4801.yml
Event ID 4802: The screen saver was invoked.
#Description
This event is generated when the screen saver is invoked.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserSid SID | SID of account that requested the "invoke screensaver" operation. |
TargetUserName UnicodeString | The name of the account that requested the "invoke screensaver" operation. |
TargetDomainName UnicodeString | Subject's domain or computer name. |
TargetLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
SessionId UInt32 | Unique ID of a session for which screen saver was invoked. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4802
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4802
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4802.yml
Event ID 4803: The screen saver was dismissed.
#Description
This event is generated when the screen saver is dismissed.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserSid SID | SID of account that requested the "dismiss screensaver" operation. |
TargetUserName UnicodeString | The name of the account that requested the "dismiss screensaver" operation. |
TargetDomainName UnicodeString | Subject's domain or computer name. |
TargetLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
SessionId UInt32 | Unique ID of a session for which screen saver was dismissed. You can see the list of current session IDs using "query session" command in command prompt. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4803
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4803
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4803.yml
Event ID 4816: RPC detected an integrity violation while decrypting an incoming message.
#Description
RPC detected an integrity violation while decrypting an incoming message.
Message #
Fields #
| Name | Description |
|---|---|
PeerName UnicodeString | Name or address of the RPC peer that sent the message that failed integrity checking. |
ProtocolSequence UnicodeString | RPC protocol sequence of the binding, for example ncacn_ip_tcp or ncacn_np. |
SecurityError UInt32 | Error code returned by the security provider when the message could not be decrypted or verified. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4816
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4816
Event ID 4817: Auditing settings on object were changed.
Description #
Auditing settings on object were changed.
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | SID of the account that made a change to the Global Object Access Auditing policy. |
| SubjectUserName | UnicodeString | The name of the account that made a change to the Global Object Access Auditing policy. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| ObjectServer | UnicodeString | [Object] Object Server. |
| ObjectType | UnicodeString | The type of object to which this event applies. Always "Global SACL" for this event. |
| ObjectName | UnicodeString | "Key" if the "Registry" Global Object Access Auditing policy was changed; "File" if the "File system" Global Object Access Auditing policy was changed. |
| OldSd | UnicodeString | The old Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy. |
| NewSd | UnicodeString | The new Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy. |
Community Notes #
An attacker who wants to suppress object-access logging can clear or replace the global SACL; comparing OldSd with NewSd in this event shows exactly which auditing entries were removed.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4817
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4817
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4817.yml
Event ID 4818: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
Description #
Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | SID of the account that made an access request. |
| SubjectUserName | UnicodeString | The name of the account that made an access request. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| ObjectServer | UnicodeString | Has the value "Security" for this event. |
| ObjectType | UnicodeString | The type of object that was accessed during the operation. Always "File" for this event. |
| ObjectName | UnicodeString | Full path and name of the file or folder for which access was requested. |
| HandleId | Pointer | Hexadecimal value of a handle to Object Name. |
| ProcessId | Pointer | Hexadecimal Process ID of the process through which the access was requested. |
| ProcessName | UnicodeString | Full path and name of the executable for the process. |
| AccessReason | UnicodeString | [Current Central Access Policy results] Access Reasons. Known values: see references. |
| StagingReason | UnicodeString | [Proposed Central Access Policy results that differ from the current Central Access Policy results] Access Reasons. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4818
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-central-access-policy-staging
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4818
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4818.yml
Event ID 4819: Central Access Policies on the machine have been changed.
Description #
Central Access Policies on the machine have been changed.
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | SID of the account that changed the Central Access Policies on the machine. |
| SubjectUserName | UnicodeString | The name of the account that changed the Central Access Policies on the machine. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| ObjectServer | UnicodeString | [Object] Object Server. |
| ObjectType | UnicodeString | The type of object to which this event applies. Always "Central Access Policies" for this event. |
| AddedCAPs | UnicodeString | The list of added Central Access Policies. Empty if no Central Access Policies were added. |
| DeletedCAPs | UnicodeString | The list of deleted Central Access Policies. Empty if no Central Access Policies were deleted. |
| ModifiedCAPs | UnicodeString | The list of modified Central Access Policies. Empty if no Central Access Policies were modified. |
| AsIsCAPs | UnicodeString | The list of unmodified Central Access Policies. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4819
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4819
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4819.yml
Event ID 4820: A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.
Description #
A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | [Account Information] Account Name |
| TargetDomainName | UnicodeString | [Account Information] Supplied Realm Name |
| TargetSid | SID | [Account Information] User ID |
| DeviceName | UnicodeString | [Device Information] Device Name |
| ServiceName | UnicodeString | [Service Information] Service Name |
| ServiceSid | SID | [Service Information] Service ID |
| TicketOptions | HexInt32 | [Additional Information] Ticket Options (bitmask flags) |
| Status | HexInt32 | [Additional Information] Result Code (NTSTATUS) |
| TicketEncryptionType | HexInt32 | [Additional Information] Ticket Encryption Type. Known values: see references. |
| PreAuthType | UnicodeString | [Additional Information] Pre-Authentication Type. Known values: see references. |
| IpAddress | UnicodeString | [Network Information] Client Address |
| IpPort | UnicodeString | [Network Information] Client Port |
| CertIssuerName | UnicodeString | [Certificate Information] Certificate Issuer Name |
| CertSerialNumber | UnicodeString | [Certificate Information] Certificate Serial Number |
| CertThumbprint | UnicodeString | [Certificate Information] Certificate Thumbprint |
| SiloName | UnicodeString | [Authentication Policy Information] Silo Name |
| PolicyName | UnicodeString | [Authentication Policy Information] Policy Name |
| TGTLifetime | UInt32 | [Authentication Policy Information] TGT Lifetime |
References #
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4820
Event ID 4821: A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.
Description #
A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | [Account Information] Account Name |
| TargetDomainName | UnicodeString | [Account Information] Account Domain |
| DeviceName | UnicodeString | [Device Information] Device Name |
| ServiceName | UnicodeString | [Service Information] Service Name |
| ServiceSid | SID | [Service Information] Service ID |
| TicketOptions | HexInt32 | [Additional Information] Ticket Options (bitmask flags) |
| TicketEncryptionType | HexInt32 | [Additional Information] Ticket Encryption Type. Known values: see references. |
| IpAddress | UnicodeString | [Network Information] Client Address |
| IpPort | UnicodeString | [Network Information] Client Port |
| Status | HexInt32 | [Additional Information] Failure Code (NTSTATUS) |
| LogonGuid | GUID | [Account Information] Logon GUID |
| TransitedServices | UnicodeString | [Additional Information] Transited Services |
| SiloName | UnicodeString | [Authentication Policy Information] Silo Name |
| PolicyName | UnicodeString | [Authentication Policy Information] Policy Name |
References #
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4821
Event ID 4822: NTLM authentication failed because the account was a member of the Protected User group.
Description #
NTLM authentication failed because the account was a member of the Protected User group.
Fields #
| Name | Type | Description |
|---|---|---|
| AccountName | UnicodeString | Account Name |
| DeviceName | UnicodeString | Device Name |
| Status | HexInt32 | Error Code (NTSTATUS) |
Community Notes #
NTLM authentication was blocked because the account is a member of the Protected Users group. Protected Users cannot authenticate via NTLM.
The Status field is an NTSTATUS code:
| Code | Name | Description |
|---|---|---|
| 0xC000006D | STATUS_LOGON_FAILURE | Generic failure |
| 0xC000006E | STATUS_ACCOUNT_RESTRICTION | Protected User restriction prevented NTLM |
References #
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4822
Event ID 4823: NTLM authentication failed because access control restrictions are required.
Description #
NTLM authentication failed because access control restrictions are required.
Fields #
| Name | Type | Description |
|---|---|---|
| AccountName | UnicodeString | Account Name |
| DeviceName | UnicodeString | Device Name |
| Status | HexInt32 | Error Code (NTSTATUS) |
| SiloName | UnicodeString | [Authentication Policy Information] Silo Name |
| PolicyName | UnicodeString | [Authentication Policy Information] Policy Name |
Community Notes #
NTLM authentication was blocked by access control restrictions (authentication policy or silo).
The Status field is an NTSTATUS code:
| Code | Name | Description |
|---|---|---|
| 0xC000006D | STATUS_LOGON_FAILURE | Generic failure |
| 0xC0000413 | STATUS_AUTHENTICATION_FIREWALL_FAILED | Blocked by authentication policy/silo |
References #
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4823
Event ID 4824: Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.
Description #
Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | [Account Information] Account Name |
| TargetSid | SID | [Account Information] Security ID |
| ServiceName | UnicodeString | [Service Information] Service Name |
| TicketOptions | HexInt32 | [Additional Information] Ticket Options (bitmask flags) |
| Status | HexInt32 | [Additional Information] Failure Code (NTSTATUS) |
| PreAuthType | UnicodeString | [Additional Information] Pre-Authentication Type. Known values: see references. |
| IpAddress | UnicodeString | [Network Information] Client Address |
| IpPort | UnicodeString | [Network Information] Client Port |
| CertIssuerName | UnicodeString | [Certificate Information] Certificate Issuer Name |
| CertSerialNumber | UnicodeString | [Certificate Information] Certificate Serial Number |
| CertThumbprint | UnicodeString | [Certificate Information] Certificate Thumbprint |
References #
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4824
Event ID 4825: A user was denied the access to Remote Desktop.
Description #
A user was denied access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or the Administrators group.
Fields #
| Name | Type | Description |
|---|---|---|
| AccountName | UnicodeString | The name of the account that was denied Remote Desktop access. |
| AccountDomain | UnicodeString | Domain of the account that was denied Remote Desktop access. |
| LogonID | HexInt64 | Logon session ID of the account that requested the connection. Correlates with Event ID 4624. |
| ClientAddress | UnicodeString | IP address of the client from which the Remote Desktop connection was attempted. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4825,
"version": 0,
"level": 0,
"task": 12551,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2020-07-12T05:27:05.579704Z",
"event_record_id": 1231498,
"correlation": {},
"execution": {
"process_id": 464,
"thread_id": 992
},
"channel": "Security",
"computer": "fs02.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"AccountName": "svc6test1",
"AccountDomain": "OFFSEC",
"LogonID": "0x3457272",
"ClientAddress": "10.23.23.9"
}
}
Detection Rules #
Sigma #
- Denied Access To Remote Desktop (level: medium): This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available Windows servers in the network.
- Denied RDP login with valid credentials (level: medium): Detects scenarios where an attacker tries to move laterally using RDP and the access attempt is blocked due to restricted logon policies.
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4825.yml
Event ID 4826: Boot Configuration Data loaded.
Description #
This event is generated every time the system starts and loads the current Boot Configuration Data.
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | SID of the account that reported this event. |
| SubjectUserName | UnicodeString | The name of the account that reported this event. Always "-" for this event. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. Always "-" for this event. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| LoadOptions | UnicodeString | There is no information about this field in this document. |
| AdvancedOptions | UnicodeString | Shows whether Windows is configured to boot to the legacy menu (F8 menu) on the next boot (Yes or No). You can enable advanced boot using the "bcdedit /set onetimeadvancedoptions yes" command. |
| ConfigAccessPolicy | UnicodeString | There is no information about this field in this document. |
| RemoteEventLogging | UnicodeString | There is no information about this field in this document. |
| KernelDebug | UnicodeString | Shows whether Windows kernel debugging is enabled (Yes or No). You can enable kernel debugging using the "bcdedit /debug on" command. |
| VsmLaunchType | UnicodeString | There is no information about this field in this document. |
| TestSigning | UnicodeString | Shows whether Windows test signing is enabled (Yes or No). You can disable test signing using the "bcdedit /set testsigning off" command. |
| FlightSigning | UnicodeString | Shows whether Windows flight signing (which allows flight-signed code signing certificates) is enabled (Yes or No). You can disable flight signing using the "bcdedit /set flightsigning off" command. |
| DisableIntegrityChecks | UnicodeString | Shows whether Windows integrity checks are disabled (Yes or No). You can disable integrity checks using the "bcdedit /set nointegritychecks on" command. |
| HypervisorLoadOptions | UnicodeString | Shows the hypervisor load options. |
| HypervisorLaunchType | UnicodeString | Shows the hypervisor launch type (Off or Auto). If you are setting up a debugger to debug Hyper-V on a target computer, set this option to Auto on the target computer. Known values: see references. |
| HypervisorDebug | UnicodeString | Shows whether hypervisor debugging is enabled (Yes or No); rendered as "HyperVisor Debugging" in the message. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4826,
"version": 0,
"level": 0,
"task": 13573,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:32:46.0531272+00:00",
"event_record_id": 1715899,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 176
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "-",
"SubjectDomainName": "-",
"SubjectLogonId": "0x3e7",
"LoadOptions": "-",
"AdvancedOptions": "%%1843",
"ConfigAccessPolicy": "%%1846",
"RemoteEventLogging": "%%1843",
"KernelDebug": "%%1843",
"VsmLaunchType": "%%1848",
"TestSigning": "%%1843",
"FlightSigning": "%%1843",
"DisableIntegrityChecks": "%%1843",
"HypervisorLoadOptions": "-",
"HypervisorLaunchType": "%%1848",
"HypervisorDebug": "%%1843"
},
"message": "Boot Configuration Data loaded.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x3E7\r\n\r\nGeneral Settings:\r\n\tLoad Options:\t\t-\r\n\tAdvanced Options:\t\tNo\r\n\tConfiguration Access Policy:\tDefault\r\n\tSystem Event Logging:\tNo\r\n\tKernel Debugging:\tNo\r\n\tVSM Launch Type:\tOff\r\n\r\nSignature Settings:\r\n\tTest Signing:\t\tNo\r\n\tFlight Signing:\t\tNo\r\n\tDisable Integrity Checks:\tNo\r\n\r\nHyperVisor Settings:\r\n\tHyperVisor Load Options:\t-\r\n\tHyperVisor Launch Type:\tOff\r\n\tHyperVisor Debugging:\tNo"
}
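The event_data block above carries the boot settings as %%NNNN parameter strings rather than the Yes/No text shown in the rendered message. The following is an added example (not part of this page or of any vendor's tooling) that resolves those strings and flags the settings a defender would not expect on a production host: signing or integrity checks turned off, or a kernel or hypervisor debugger enabled. The %%1843 = No, %%1846 = Default and %%1848 = Off mappings are read off the page's own example; %%1842 = Yes and the `triage_4826` helper are assumptions of this example.

```python
"""Triage a Windows Security event 4826 (Boot Configuration Data loaded)."""
from __future__ import annotations

import json

# %%NNNN parameter strings as they appear in event_data, mapped to the text the
# rendered message shows. %%1843/%%1846/%%1848 come from the page's example;
# %%1842 -> "Yes" is an assumption about the matching affirmative code.
PARAM_STRINGS = {
    "%%1842": "Yes",
    "%%1843": "No",
    "%%1846": "Default",
    "%%1848": "Off",
}

# Settings where anything other than "No" weakens code integrity or exposes the
# kernel/hypervisor to a debugger. Wording follows the field table above.
RISKY_IF_NOT_NO = {
    "TestSigning": "test signing enabled (bcdedit /set testsigning)",
    "FlightSigning": "flight signing enabled (bcdedit /set flightsigning)",
    "DisableIntegrityChecks": "integrity checks disabled (bcdedit /set nointegritychecks)",
    "KernelDebug": "kernel debugging enabled (bcdedit /debug)",
    "AdvancedOptions": "legacy F8 boot menu armed (bcdedit /set onetimeadvancedoptions)",
    "HypervisorDebug": "hypervisor debugging enabled",
}

# Free-form load-option fields; "-" means none were supplied.
LOAD_OPTION_FIELDS = ("LoadOptions", "HypervisorLoadOptions")


def resolve(value: str) -> str:
    """Translate a %%NNNN parameter string; pass anything else through unchanged."""
    return PARAM_STRINGS.get(value, value)


def triage_4826(event: dict) -> list[str]:
    """Return human-readable findings for one 4826 event; an empty list means clean."""
    if event.get("system", {}).get("event_id") != 4826:
        raise ValueError("not a 4826 event")
    data = event["event_data"]
    findings: list[str] = []
    for field, why in RISKY_IF_NOT_NO.items():
        shown = resolve(data.get(field, "-"))
        if shown != "No":
            findings.append(f"{field}={shown}: {why}")
    for field in LOAD_OPTION_FIELDS:
        if data.get(field, "-") != "-":
            findings.append(f"{field}={data[field]}: non-default boot load options present")
    return findings


# Constructed sample: the event_data of the page's example, which renders as all "No".
SAMPLE_CLEAN = json.loads("""{
  "system": {"provider": "Microsoft-Windows-Security-Auditing", "event_id": 4826,
             "channel": "Security", "computer": "telemetry-DC-a.cell-a.ludus.domain"},
  "event_data": {
    "SubjectUserSid": "S-1-5-18", "SubjectUserName": "-", "SubjectDomainName": "-",
    "SubjectLogonId": "0x3e7", "LoadOptions": "-", "AdvancedOptions": "%%1843",
    "ConfigAccessPolicy": "%%1846", "RemoteEventLogging": "%%1843",
    "KernelDebug": "%%1843", "VsmLaunchType": "%%1848", "TestSigning": "%%1843",
    "FlightSigning": "%%1843", "DisableIntegrityChecks": "%%1843",
    "HypervisorLoadOptions": "-", "HypervisorLaunchType": "%%1848",
    "HypervisorDebug": "%%1843"
  }
}""")

# Constructed sample: same host after test signing and kernel debugging were enabled.
SAMPLE_TAMPERED = json.loads(json.dumps(SAMPLE_CLEAN))
SAMPLE_TAMPERED["event_data"]["TestSigning"] = "%%1842"
SAMPLE_TAMPERED["event_data"]["KernelDebug"] = "%%1842"


if __name__ == "__main__":
    for label, ev in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        host = ev["system"]["computer"]
        hits = triage_4826(ev)
        print(f"[{label}] {host}: {len(hits)} finding(s)")
        for hit in hits:
            print("  -", hit)
```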
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4826
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4826
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4826.yml
Event ID 4830: SID History was removed from an account.
Description #
SID History was removed from an account.
Fields #
| Name | Type | Description |
|---|---|---|
| SourceUserName | UnicodeString | |
| SourceSid | SID | |
| TargetUserName | UnicodeString | [Target Account] Account Name |
| TargetDomainName | UnicodeString | [Target Account] Account Domain |
| TargetSid | SID | [Target Account] Security ID |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| PrivilegeList | UnicodeString | [Additional Information] Privileges (privilege constants) |
| SidList | UnicodeString | [Additional Information] SID List |
References #
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4830
Event ID 4864: A namespace collision was detected.
Description #
A namespace collision was detected.
Fields #
| Name | Type | Description |
|---|---|---|
| CollisionTargetType | UInt32 | Target Type |
| CollisionTargetName | UnicodeString | Target Name |
| ForestRoot | UnicodeString | Forest Root |
| TopLevelName | UnicodeString | Top Level Name |
| DnsName | UnicodeString | DNS Name |
| NetbiosName | UnicodeString | NetBIOS Name |
| DomainSid | SID | Security ID |
| Flags | UInt32 | New Flags |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4864
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4864
Event ID 4865: A trusted forest information entry was added.
Description #
This event is generated when a new trusted forest information entry is added.
Fields #
| Name | Type | Description |
|---|---|---|
| ForestRoot | UnicodeString | The name of the Active Directory forest for which the trusted forest information entry was added. |
| ForestRootSid | SID | The SID of the Active Directory forest for which the trusted forest information entry was added. |
| OperationId | HexInt64 | Unique hexadecimal identifier of the operation. You can correlate this event with other events (4866(S): A trusted forest information entry was removed, 4867(S): A trusted forest information entry was modified) using this field. |
| EntryType | UInt32 | The type of the added entry. Known values: see references. |
| Flags | UInt32 | [Trust Information] Flags. |
| TopLevelName | UnicodeString | The name of the new trusted forest information entry. |
| DnsName | UnicodeString | DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as "-". |
| NetbiosName | UnicodeString | NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as "-". |
| DomainSid | SID | SID of the trust partner. This parameter might not be captured in the event, and in that case appears as "NULL SID". |
| SubjectUserSid | SID | SID of the account that requested the "add a trusted forest information entry" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "add a trusted forest information entry" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4865,
"version": 0,
"level": 0,
"task": 13569,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2024-06-22T14:02:41.749935Z",
"event_record_id": 3175613,
"correlation": {},
"execution": {
"process_id": 596,
"thread_id": 3360
},
"channel": "Security",
"computer": "CDCWTRDC01.mypartner.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"ForestRoot": "rootblue.lan",
"ForestRootSid": "S-1-5-21-392370121-190461309-2151315433",
"OperationId": "0xffadf358",
"EntryType": 0,
"Flags": 0,
"TopLevelName": "rootblue.lan",
"DnsName": "-",
"NetbiosName": "-",
"DomainSid": "S-1-0-0",
"SubjectUserSid": "S-1-5-21-1407145384-2259788832-4099636412-500",
"SubjectUserName": "Administrator",
"SubjectDomainName": "MYPARTNER",
"SubjectLogonId": "0xffad8559"
}
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4865
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4865
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4865.yml
Event ID 4866: A trusted forest information entry was removed.
Description #
This event is generated when a trusted forest information entry is removed.
Fields #
| Name | Type | Description |
|---|---|---|
| ForestRoot | UnicodeString | The name of the Active Directory forest for which the trusted forest information entry was removed. |
| ForestRootSid | SID | The SID of the Active Directory forest for which the trusted forest information entry was removed. |
| OperationId | HexInt64 | Unique hexadecimal identifier of the operation. You can correlate this event with other events (4865(S): A trusted forest information entry was added, 4867(S): A trusted forest information entry was modified) using this field. |
| EntryType | UInt32 | [Trust Information] Entry Type. Known values: see references. |
| Flags | UInt32 | [Trust Information] Flags. |
| TopLevelName | UnicodeString | The name of the removed trusted forest information entry. |
| DnsName | UnicodeString | DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as "-". |
| NetbiosName | UnicodeString | NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as "-". |
| DomainSid | SID | SID of the trust partner. This parameter might not be captured in the event, and in that case appears as "NULL SID". |
| SubjectUserSid | SID | SID of the account that requested the "remove a trusted forest information entry" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "remove a trusted forest information entry" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4866
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4866
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4866.yml
Event ID 4867: A trusted forest information entry was modified.
Description #
A trusted forest information entry was modified.
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | SID of the account that requested the "modify/change a trusted forest information entry" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "modify/change a trusted forest information entry" operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| ForestRoot | UnicodeString | The name of the Active Directory forest for which the trusted forest information entry was modified. |
| ForestRootSid | SID | The SID of the Active Directory forest for which the trusted forest information entry was modified. |
| OperationId | HexInt64 | Unique hexadecimal identifier of the operation. You can correlate this event with other events (4865(S): A trusted forest information entry was added, 4866(S): A trusted forest information entry was removed) using this field. |
| EntryType | UInt32 | [Trust Information] Entry Type. Known values: see references. |
| Flags | UInt32 | [Trust Information] Flags. |
| TopLevelName | UnicodeString | The name of the modified trusted forest information entry. |
| DnsName | UnicodeString | DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as "-". |
| NetbiosName | UnicodeString | NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as "-". |
| DomainSid | SID | SID of the trust partner. This parameter might not be captured in the event, and in that case appears as "NULL SID". |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4867
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4867
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4867.yml
Event ID 4868: The certificate manager denied a pending certificate request.
Description #
The certificate manager denied a pending certificate request.
Fields #
| Name | Type | Description |
|---|---|---|
| RequestId | UnicodeString | Request ID |
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | Account name of the subject. |
| SubjectDomainName | UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId | HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4868,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:08:24.594746+00:00",
"event_record_id": 16623084,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 7996
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RequestId": "25",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4868
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4868
Event ID 4869: Certificate Services received a resubmitted certificate request.
Description #
Certificate Services received a resubmitted certificate request.
Fields #
| Name | Type | Description |
|---|---|---|
| RequestId | UnicodeString | Request ID |
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | Account name of the subject. |
| SubjectDomainName | UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId | HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4869,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:08:24.180321+00:00",
"event_record_id": 16623046,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 7996
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RequestId": "24",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4869
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4869
Event ID 4870: Certificate Services revoked a certificate.
Description #
Certificate Services revoked a certificate.
Fields #
| Name | Type | Description |
|---|---|---|
| CertificateSerialNumber | UnicodeString | Serial Number |
| RevocationReason | UnicodeString | Reason |
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | Account name of the subject. |
| SubjectDomainName | UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId | HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4870,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:33:19.492410+00:00",
"event_record_id": 16716905,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 10484
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"CertificateSerialNumber": "610000002bdea5d59e7a0734f300000000002b",
"RevocationReason": "1",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4870
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4870
Event ID 4871: Certificate Services received a request to publish the certificate revocation list (CRL).
#Description
Certificate Services received a request to publish the certificate revocation list (CRL).
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| NextUpdate | UnicodeString | Next Update |
| NextPublishForBaseCRL | UnicodeString | Publish Base |
| NextPublishForDeltaCRL | UnicodeString | Publish Delta |
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | Account name of the subject. |
| SubjectDomainName | UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId | HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4871,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:06:22.125599+00:00",
"event_record_id": 16618007,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 10928
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"NextUpdate": "0",
"NextPublishForBaseCRL": "Yes",
"NextPublishForDeltaCRL": "No",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4871
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4871
Event ID 4872: Certificate Services published the certificate revocation list (CRL).
#Description
Certificate Services published the certificate revocation list (CRL).
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| IsBaseCRL | UnicodeString | Base CRL |
| CRLNumber | UnicodeString | CRL Number |
| KeyContainer | UnicodeString | Key Container |
| NextPublish | UnicodeString | Next Publish |
| PublishURLs | UnicodeString | Publish URLs |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4872,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:06:22.155871+00:00",
"event_record_id": 16618025,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 11144
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"IsBaseCRL": "Yes",
"CRLNumber": "12",
"KeyContainer": "EvtGen-Root-CA",
"NextPublish": "3/20/2026 11:06 PM 22.125s",
"PublishURLs": "C:\\Windows\\system32\\CertSrv\\CertEnroll\\EvtGen-Root-CA.crl; ldap:///CN=EvtGen-Root-CA,CN=LAB-DC01,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ludus,DC=domain; http://crl.ludus.domain/crldist/EvtGen-Root-CA.crl; "
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4872
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4872
Event ID 4873: A certificate request extension changed.
#Description
A certificate request extension changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RequestId | UnicodeString | Request ID |
| ExtensionName | UnicodeString | Name |
| ExtensionDataType | UnicodeString | Type |
| ExtensionPolicyFlags | UnicodeString | Flags |
| ExtensionData | UnicodeString | Data |
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | Account name of the subject. |
| SubjectDomainName | UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId | HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4873,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:33:40.140844+00:00",
"event_record_id": 16717578,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 13880
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RequestId": "44",
"ExtensionName": "2.5.29.17",
"ExtensionDataType": "4",
"ExtensionPolicyFlags": "0",
"ExtensionData": "MwAwADIAMAA4ADIAMQAyADYAZAA2AGYANgA0ADYAOQA2ADYANgA5ADYANQA2ADQA\r\nMgBlADYAYwA3ADUANgA0ADcANQA3ADMAMgBlADYANAA2AGYANgBkADYAMQA2ADkA\r\nNgBlAAAA\r\n",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4873
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4873
Event ID 4874: One or more certificate request attributes changed.
#Description
One or more certificate request attributes changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RequestId | UnicodeString | Request ID |
| Attributes | UnicodeString | Attributes |
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | Account name of the subject. |
| SubjectDomainName | UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId | HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4874,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:33:40.086555+00:00",
"event_record_id": 16717575,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 13880
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RequestId": "44",
"Attributes": "CertificateTemplate:WebServer\nSAN:dns=modified.ludus.domain",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4874
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4874
Event ID 4875: Certificate Services received a request to shut down.
#Description
Certificate Services received a request to shut down.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | Account name of the subject. |
| SubjectDomainName | UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId | HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4875
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4875
Event ID 4876: Certificate Services backup started.
#Description
Certificate Services backup started.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| BackupType | | |
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | Account name of the subject. |
| SubjectDomainName | UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId | HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4876,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2024-09-03T10:41:30.959534Z",
"event_record_id": 376329,
"correlation": {
"#attributes": {
"ActivityID": "D702B00C-FB0E-0000-8CB1-02D70EFBDA01"
}
},
"execution": {
"process_id": 640,
"thread_id": 4156
},
"channel": "Security",
"computer": "CDCWPKI01.rootblue.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"BackupType": "1",
"SubjectUserSid": "S-1-5-21-392370121-190461309-2151315433-1108",
"SubjectUserName": "domadm",
"SubjectDomainName": "ROOTBLUE",
"SubjectLogonId": "0x91861a6"
}
}
Detection Rules #
Splunk #
- Windows Steal Authentication Certificates CS Backup source: The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB…
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4876
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4876
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4877: Certificate Services backup completed.
#Description
Certificate Services backup completed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | Account name of the subject. |
| SubjectDomainName | UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId | HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4877,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2024-09-03T10:41:31.145540Z",
"event_record_id": 376330,
"correlation": {
"#attributes": {
"ActivityID": "D702B00C-FB0E-0000-8CB1-02D70EFBDA01"
}
},
"execution": {
"process_id": 640,
"thread_id": 4156
},
"channel": "Security",
"computer": "CDCWPKI01.rootblue.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-392370121-190461309-2151315433-1108",
"SubjectUserName": "domadm",
"SubjectDomainName": "ROOTBLUE",
"SubjectLogonId": "0x91861a6"
}
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4877
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4877
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4878: Certificate Services restore started.
#Description
Certificate Services restore started.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4878,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:07:16.319460+00:00",
"event_record_id": 16620403,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 7996
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4878
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4878
Event ID 4879: Certificate Services restore completed.
#Description
Certificate Services restore completed.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4879,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:07:16.488901+00:00",
"event_record_id": 16620407,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 10556
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4879
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4879
Event ID 4880: Certificate Services started.
#Description
Certificate Services started.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| CertificateDatabaseHash | UnicodeString | Certificate Database Hash |
| PrivateKeyUsageCount | UnicodeString | Private Key Usage Count |
| CACertificateHash | UnicodeString | CA Certificate Hash |
| CAPublicKeyHash | UnicodeString | CA Public Key Hash |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4880,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:06:16.234546+00:00",
"event_record_id": 16617450,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 11176
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"CertificateDatabaseHash": "39 e5 71 24 c8 5b 7c 70 eb b5 fe f2 ad a7 5a 6e 86 f3 07 b7 31 99 8a b1 58 99 bd e2 05 c3 cf d8",
"PrivateKeyUsageCount": "0",
"CACertificateHash": "8e ae 36 d1 31 a0 5b f0 26 c6 a5 88 f9 49 6a 8a 61 7a f2 47",
"CAPublicKeyHash": "10 fd 42 f3 9a b3 ca e2 96 a8 46 58 af 42 91 9d 14 c5 0f 27"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4880
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4880
Event ID 4881: Certificate Services stopped.
#Description
Certificate Services stopped.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| CertificateDatabaseHash | UnicodeString | Certificate Database Hash |
| PrivateKeyUsageCount | UnicodeString | Private Key Usage Count |
| CACertificateHash | UnicodeString | CA Certificate Hash |
| CAPublicKeyHash | UnicodeString | CA Public Key Hash |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4881,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:06:22.990852+00:00",
"event_record_id": 16618219,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 7996
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"CertificateDatabaseHash": "a0 ab 10 37 23 dd ba cf 3c 7d 38 4e dd 3a 27 c3 10 39 c7 cb 54 17 10 36 45 3a 7c 3d 63 42 83 55",
"PrivateKeyUsageCount": "0",
"CACertificateHash": "8e ae 36 d1 31 a0 5b f0 26 c6 a5 88 f9 49 6a 8a 61 7a f2 47",
"CAPublicKeyHash": "10 fd 42 f3 9a b3 ca e2 96 a8 46 58 af 42 91 9d 14 c5 0f 27"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4881
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4881
Event ID 4882: The security permissions for Certificate Services changed.
#Description
The security permissions for Certificate Services changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SecuritySettings | UnicodeString | |
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | Account name of the subject. |
| SubjectDomainName | UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId | HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4882,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-30T16:00:42.1770142+00:00",
"event_record_id": 23699782,
"correlation": {
"ActivityID": "{00BC2CE4-52BD-4592-A8D2-A2D43DF20CC6}"
},
"execution": {
"process_id": 1124,
"thread_id": 1880
},
"channel": "Security",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SecuritySettings": "\nAllow(0x00000200)\tNT AUTHORITY\\Authenticated Users\n\tEnroll\nAllow(0x00000003)\tludus\\Domain Admins\n\tCA Administrator\n\tCertificate Manager\nAllow(0x00000200)\tludus\\domainuser\n\tEnroll\nAllow(0x00000003)\tludus\\Enterprise Admins\n\tCA Administrator\n\tCertificate Manager\nAllow(0x00000003)\tBUILTIN\\Administrators\n\tCA Administrator\n\tCertificate Manager\n",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0x1637da"
},
"message": "The security permissions for Certificate Services changed.\r\n\t\r\n\nAllow(0x00000200)\tNT AUTHORITY\\Authenticated Users\n\tEnroll\nAllow(0x00000003)\tludus\\Domain Admins\n\tCA Administrator\n\tCertificate Manager\nAllow(0x00000200)\tludus\\domainuser\n\tEnroll\nAllow(0x00000003)\tludus\\Enterprise Admins\n\tCA Administrator\n\tCertificate Manager\nAllow(0x00000003)\tBUILTIN\\Administrators\n\tCA Administrator\n\tCertificate Manager\n"
}
Detection Patterns #
Defense Impairment: Modify Authentication Process
Community Notes #
Records changes to the CA's ACL; may indicate privilege escalation via the addition of rogue accounts. Critical for detecting AD CS abuse.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4882
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4882
Event ID 4883: Certificate Services retrieved an archived key.
#Description
Certificate Services retrieved an archived key.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RequestId | UnicodeString | Request ID |
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | Account name of the subject. |
| SubjectDomainName | UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId | HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4883
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4883
Event ID 4884: Certificate Services imported a certificate into its database.
#Description
Certificate Services imported a certificate into its database.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Certificate | UnicodeString | Certificate |
| RequestId | UnicodeString | Request ID |
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | Account name of the subject. |
| SubjectDomainName | UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId | HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4884
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4884
Event ID 4885: The audit filter for Certificate Services changed.
#Description
The audit filter for Certificate Services changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| AuditFilter | | |
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | Account name of the subject. |
| SubjectDomainName | UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId | HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4885,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2024-09-03T10:42:09.373562Z",
"event_record_id": 376331,
"correlation": {
"#attributes": {
"ActivityID": "D702B00C-FB0E-0000-8CB1-02D70EFBDA01"
}
},
"execution": {
"process_id": 640,
"thread_id": 4156
},
"channel": "Security",
"computer": "CDCWPKI01.rootblue.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"AuditFilter": "111",
"SubjectUserSid": "S-1-5-21-392370121-190461309-2151315433-1108",
"SubjectUserName": "domadm",
"SubjectDomainName": "ROOTBLUE",
"SubjectLogonId": "0x91861a6"
}
}
Community Notes #
May be a prelude to AD CS abuse, i.e., ESC1/ESC5.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4885
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4885
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4886: Certificate Services received a certificate request.
#Description
Certificate Services received a certificate request.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| RequestId | UnicodeString | Request ID | |
| Requester | UnicodeString | Requester | |
| Attributes | UnicodeString | Attributes | 4 |
| Subject | UnicodeString | | |
| SubjectAlternativeName | UnicodeString | | |
| CertificateTemplate | UnicodeString | | |
| RequestOSVersion | UnicodeString | | |
| RequestCSPProvider | UnicodeString | | |
| RequestClientInfo | UnicodeString | | |
| AuthenticationService | UnicodeString | | |
| AuthenticationLevel | UnicodeString | | |
| DCOMorRPC | UnicodeString | | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4886,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:08:24.051496+00:00",
"event_record_id": 16623040,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 10928
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RequestId": "24",
"Requester": "ludus\\domainadmin",
"Attributes": "\nccm:LAB-DC01.ludus.domain"
},
"message": ""
}
Detection Patterns #
Credential Access: Steal or Forge Authentication Certificates
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| signature_id | contains | 4688 | 1 rule | splunk |
| Attributes | contains | certificatetemplate: | 1 rule | splunk |
| Attributes | eq | *SAN:*upn* | 1 rule | splunk |
| CommandLine | match | (?i)request\s.+/ca:.+/(template\|altname): | 1 rule | splunk |
Detection Rules #
Splunk #
- Windows Steal Authentication Certificates Certificate Request source: The following analytic detects when a new certificate is requested from Certificate Services - AD CS. It leverages Event ID 4886, which indicates that a certificate request has been received. This activity is significant because…
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4886
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4886
Event ID 4887: Certificate Services approved a certificate request and issued a certificate.
#Description
Certificate Services approved a certificate request and issued a certificate.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RequestId | UnicodeString | Request ID |
| Requester | UnicodeString | Requester |
| Attributes | UnicodeString | Attributes |
| Disposition | UnicodeString | Disposition |
| SubjectKeyIdentifier | UnicodeString | SKI |
| Subject | UnicodeString | Subject |
| SubjectAlternativeName | UnicodeString | |
| CertificateTemplate | UnicodeString | |
| SerialNumber | UnicodeString | |
| AuthenticationService | UnicodeString | |
| AuthenticationLevel | UnicodeString | |
| DCOMorRPC | UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4887,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:08:24.177448+00:00",
"event_record_id": 16623045,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 7996
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RequestId": "24",
"Requester": "ludus\\domainadmin",
"Attributes": "",
"Disposition": "3",
"SubjectKeyIdentifier": "9d 2a 4f df 25 5d c3 a7 d9 77 60 94 ce 67 60 01 e3 b3 d2 5a",
"Subject": "CN=pending-test.ludus.domain"
},
"message": ""
}
Detection Patterns #
Credential Access: Steal or Forge Authentication Certificates
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Attributes | contains | certificatetemplate: | 2 rules | splunk |
| Attributes | eq | *SAN:*upn* | 2 rules | splunk |
| signature_id | contains | 4688 | 1 rule | splunk |
| CommandLine | match | (?i)request\s.+/ca:.+/(template\|altname): | 1 rule | splunk |
Detection Rules #
Splunk #
- Windows Steal Authentication Certificates Certificate Issued source: The following analytic identifies the issuance of a new certificate by Certificate Services - AD CS, detected via Event ID 4887. This event logs the requester user context, DNS hostname of the requesting machine, and the request time.…
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4887
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4887
Event ID 4888: Certificate Services denied a certificate request.
#Description
Certificate Services denied a certificate request.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RequestId | UnicodeString | Request ID |
| Requester | UnicodeString | Requester |
| Attributes | UnicodeString | Attributes |
| Disposition | UnicodeString | Disposition |
| SubjectKeyIdentifier | UnicodeString | SKI |
| Subject | UnicodeString | Subject |
| AuthenticationService | UnicodeString | |
| AuthenticationLevel | UnicodeString | |
| DCOMorRPC | UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4888,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2026-03-13T23:08:24.592652+00:00",
"event_record_id": 16623083,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 7996
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RequestId": "25",
"Requester": "ludus\\domainadmin",
"Attributes": "",
"Disposition": "2",
"SubjectKeyIdentifier": "4b ac 66 32 5d 08 03 7f ab f7 57 ef c3 3d 27 1f 3b e0 3b 01",
"Subject": ""
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4888
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4888
Event ID 4889: Certificate Services set the status of a certificate request to pending.
#Description
Certificate Services set the status of a certificate request to pending.
Message #
Fields #
| Name | Description |
|---|---|
| RequestId UnicodeString | Request ID |
| Requester UnicodeString | Requester |
| Attributes UnicodeString | Attributes |
| Disposition UnicodeString | Disposition |
| SubjectKeyIdentifier UnicodeString | SKI |
| Subject UnicodeString | Subject |
| AuthenticationService UnicodeString | |
| AuthenticationLevel UnicodeString | |
| DCOMorRPC UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4889,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:08:24.070591+00:00",
"event_record_id": 16623042,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 7996
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RequestId": "24",
"Requester": "ludus\\domainadmin",
"Attributes": "\nccm:LAB-DC01.ludus.domain",
"Disposition": "5",
"SubjectKeyIdentifier": "9d 2a 4f df 25 5d c3 a7 d9 77 60 94 ce 67 60 01 e3 b3 d2 5a",
"Subject": ""
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4889
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4889
Event ID 4890: The certificate manager settings for Certificate Services changed.
#Description
The certificate manager settings for Certificate Services changed.
Message #
Fields #
| Name | Description |
|---|---|
| EnableRestrictedPermissions UnicodeString | Enable |
| RestrictedPermissions UnicodeString | |
| SubjectUserSid SID | SID of the account that performed the operation. |
| SubjectUserName UnicodeString | Account name of the subject. |
| SubjectDomainName UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4890,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-30T16:04:20.9093550+00:00",
"event_record_id": 23702099,
"correlation": {
"ActivityID": "{A4CD6459-8FBA-40FC-98BB-15444BA6A20A}"
},
"execution": {
"process_id": 1124,
"thread_id": 4540
},
"channel": "Security",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"EnableRestrictedPermissions": "No",
"RestrictedPermissions": "",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0x1637da"
},
"message": "The certificate manager settings for Certificate Services changed.\r\n\t\r\nEnable:\tNo\r\n\r\n"
}
Detection Patterns #
Defense Impairment: Modify Authentication Process
Community Notes #
May indicate tampering with the permissions used to issue trusted certificates and impersonate any domain principal. Can detect AD CS abuse techniques such as ESC1. Any Subject SID that is not NT AUTHORITY\SYSTEM or an approved service identity indicates unauthorized privilege abuse.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4890
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4890
Event ID 4891: A configuration entry changed in Certificate Services.
#Description
A configuration entry changed in Certificate Services.
Message #
Fields #
| Name | Description |
|---|---|
| Node UnicodeString | Node |
| Entry UnicodeString | Entry |
| Value UnicodeString | Value |
| SubjectUserSid SID | SID of the account that performed the operation. |
| SubjectUserName UnicodeString | Account name of the subject. |
| SubjectDomainName UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4891,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-30T14:37:37.9214890+00:00",
"event_record_id": 23602153,
"correlation": {
"ActivityID": "{B812EC37-88D7-4689-A630-9BB0D4B9C467}"
},
"execution": {
"process_id": 868,
"thread_id": 10552
},
"channel": "Security",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Node": "",
"Entry": "OfficerRights",
"Value": "0x01 0x00 0x04 0x80 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x14 0x00 0x00 0x00 0x02 0x00 0x08 0x00 0x00 0x00 0x00 0x00 ",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xb84b670"
},
"message": "A configuration entry changed in Certificate Services.\r\n\t\r\nNode:\t\r\nEntry:\tOfficerRights\r\nValue:\t0x01 0x00 0x04 0x80 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x14 0x00 0x00 0x00 0x02 0x00 0x08 0x00 0x00 0x00 0x00 0x00 "
}
Detection Patterns #
Defense Impairment: Modify Authentication Process
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4891
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4891
Event ID 4892: A property of Certificate Services changed.
#Description
A property of Certificate Services changed.
Message #
Fields #
| Name | Description |
|---|---|
| PropertyName UnicodeString | Property |
| PropertyIndex UnicodeString | Index |
| PropertyType UnicodeString | Type |
| PropertyValue UnicodeString | Value |
| SubjectUserSid SID | SID of the account that performed the operation. |
| SubjectUserName UnicodeString | Account name of the subject. |
| SubjectDomainName UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4892,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:17:14.657793+00:00",
"event_record_id": 16671442,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 13940
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"PropertyName": "29",
"PropertyIndex": "0",
"PropertyType": "4",
"PropertyValue": "EvtGen-CustomWebServer\n1.3.6.1.4.1.311.21.8.1810730.5534\nEvtGen-CustomUser\n1.3.6.1.4.1.311.21.8.7512348.7121\nDirectoryEmailReplication\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.29\nDomainControllerAuthentication\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.28\nKerberosAuthentication\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.33\nEFSRecovery\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.8\nEFS\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.6\nDomainController\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.15\nWebServer\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.16\nMachine\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.14\nUser\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.1\nSubCA\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.18\nAdministrator\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.7\nCodeSigning\n\n",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec"
},
"message": ""
}
Detection Patterns #
Defense Impairment: Modify Authentication Process
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4892
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4892
Event ID 4893: Certificate Services archived a key.
#Description
Certificate Services archived a key.
Message #
Fields #
| Name | Description |
|---|---|
| RequestId UnicodeString | Request ID |
| Requester UnicodeString | Requester |
| KRAHashes UnicodeString | KRA Hashes |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4893
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4893
Event ID 4894: Certificate Services imported and archived a key.
#Description
Certificate Services imported and archived a key.
Message #
Fields #
| Name | Description |
|---|---|
| RequestId UnicodeString | Request ID |
| SubjectUserSid SID | SID of the account that performed the operation. |
| SubjectUserName UnicodeString | Account name of the subject. |
| SubjectDomainName UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4894
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4894
Event ID 4895: Certificate Services published the CA certificate to Active Directory Domain Services.
#Description
Certificate Services published the CA certificate to Active Directory Domain Services.
Message #
Fields #
| Name | Description |
|---|---|
| CertificateHash UnicodeString | Certificate Hash |
| ValidFrom UnicodeString | Valid From |
| ValidTo UnicodeString | Valid To |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4895
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4895
Event ID 4896: One or more rows have been deleted from the certificate database.
#Description
One or more rows have been deleted from the certificate database.
Message #
Fields #
| Name | Description |
|---|---|
| TableId UnicodeString | Table ID |
| Filter UnicodeString | Filter |
| RowsDeleted UnicodeString | Rows Deleted |
| SubjectUserSid SID | SID of the account that performed the operation. |
| SubjectUserName UnicodeString | Account name of the subject. |
| SubjectDomainName UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4896,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:33:29.866256+00:00",
"event_record_id": 16717272,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 11540
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TableId": "0",
"Filter": "2",
"RowsDeleted": "1",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4896
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4896
Event ID 4897: Role separation enabled: RoleSeparationEnabled.
#Description
Role separation enabled: RoleSeparationEnabled.
Message #
Fields #
| Name | Description |
|---|---|
| RoleSeparationEnabled UnicodeString | Role separation enabled |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4897,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:06:16.234615+00:00",
"event_record_id": 16617451,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 11176
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RoleSeparationEnabled": "No"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4897
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4897
Event ID 4898: Certificate Services loaded a template.
#Description
Certificate Services loaded a template.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
| TemplateInternalName UnicodeString | | |
| TemplateVersion UnicodeString | v | |
| TemplateSchemaVersion UnicodeString | (Schema V | |
| TemplateOID UnicodeString | | |
| TemplateDSObjectFQDN UnicodeString | | |
| DCDNSName UnicodeString | [Additional Information] Domain Controller | |
| TemplateContent UnicodeString | [Template Information] Template Content | 6 |
| SecurityDescriptor UnicodeString | [Template Information] Security Descriptor | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4898,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:08:24.061177+00:00",
"event_record_id": 16623041,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 10928
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TemplateInternalName": "WebServer",
"TemplateVersion": "4.1",
"TemplateSchemaVersion": "1",
"TemplateOID": " ",
"TemplateDSObjectFQDN": "CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ludus,DC=domain",
"DCDNSName": "LAB-DC01.ludus.domain",
"TemplateContent": "\nflags = 0x10241 (66113)\n CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 0x1\n CT_FLAG_MACHINE_TYPE -- 0x40 (64)\n CT_FLAG_ADD_TEMPLATE_NAME -- 0x200 (512)\n CT_FLAG_IS_DEFAULT -- 0x10000 (65536)\n\nmsPKI-Private-Key-Flag = 0x0 (0)\n CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0x0\n TEMPLATE_SERVER_VER_NONE<<CTPRIVATEKEY_FLAG_SERVERVERSION_SHIFT -- 0x0\n TEMPLATE_CLIENT_VER_NONE<<CTPRIVATEKEY_FLAG_CLIENTVERSION_SHIFT -- 0x0\n\nmsPKI-Certificate-Name-Flag = 0x1 (1)\n CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 0x1\n\nmsPKI-Enrollment-Flag = 0x0 (0)\n\nmsPKI-Template-Schema-Version = 1\n\nrevision = 4\n\nmsPKI-Template-Minor-Revision = 1\n\npKIDefaultKeySpec = 1\n\npKIExpirationPeriod = 2 Years\n\npKIOverlapPeriod = 6 Weeks\n\ncn = WebServer\n\ndistinguishedName = WebServer\n\npKIKeyUsage = a0\n\ndisplayName = Web Server\n\ntemplateDescription = Computer\n\npKIExtendedKeyUsage =\n 1.3.6.1.5.5.7.3.1 Server Authentication\n\npKIDefaultCSPs =\n Microsoft RSA SChannel Cryptographic Provider\n Microsoft DH SChannel Cryptographic Provider\n\nmsPKI-Supersede-Templates =\n\nmsPKI-RA-Policies =\n\nmsPKI-RA-Application-Policies =\n\nmsPKI-Certificate-Policy =\n\nmsPKI-Certificate-Application-Policy =\n\npKICriticalExtensions =\n 2.5.29.15 Key Usage\n",
"SecurityDescriptor": "O:S-1-5-21-1006758700-2167138679-1475694448-519G:S-1-5-21-1006758700-2167138679-1475694448-519D:PAI(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DA)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1006758700-2167138679-1475694448-519)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-1006758700-2167138679-1475694448-519)(A;;LCRPLORC;;;AU)\n\nAllow\tludus\\Domain Admins\n\tEnroll\nAllow\tludus\\Enterprise Admins\n\tEnroll\nAllow(0x000f00ff)\tludus\\Domain Admins\n\tFull Control\nAllow(0x000f00ff)\tludus\\Enterprise Admins\n\tFull Control\nAllow(0x00020094)\tNT AUTHORITY\\Authenticated Users\n\tRead\n"
},
"message": ""
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| NewTemplateContent | contains | ct_flag_enrollee_supplies_subject | 2 rules | sigma |
| TemplateContent | contains | ct_flag_enrollee_supplies_subject | 2 rules | sigma |
Detection Rules #
Sigma #
- ADCS Certificate Template Configuration Vulnerability source low: Detects certificate creation with template allowing risk permission subject. Also matches Event ID 4899: A Certificate Services template was updated.
- ADCS Certificate Template Configuration Vulnerability with Risky EKU source high: Detects certificate creation with template allowing risk permission subject and risky EKU. Also matches Event ID 4899: A Certificate Services template was updated.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4898
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4898
Event ID 4899: A Certificate Services template was updated.
#Description
A Certificate Services template was updated.
Message #
Fields #
| Name | Description |
|---|---|
| TemplateInternalName UnicodeString | |
| TemplateVersion UnicodeString | v |
| TemplateSchemaVersion UnicodeString | (Schema V |
| TemplateOID UnicodeString | |
| TemplateDSObjectFQDN UnicodeString | |
| DCDNSName UnicodeString | [Additional Information] Domain Controller |
| NewTemplateContent UnicodeString | [Template Change Information] New Template Content |
| OldTemplateContent UnicodeString | [Template Change Information] Old Template Content |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4899,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-30T16:57:55.5356434+00:00",
"event_record_id": 23774408,
"correlation": {
"ActivityID": "{A07E0872-018C-41A0-ABF7-11F21B9D21E5}"
},
"execution": {
"process_id": 1132,
"thread_id": 10236
},
"channel": "Security",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TemplateInternalName": "User",
"TemplateVersion": "4.3",
"TemplateSchemaVersion": "1",
"TemplateOID": "",
"TemplateDSObjectFQDN": "CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ludus,DC=domain",
"DCDNSName": "JD-DC01-2022.ludus.domain",
"NewTemplateContent": "\nmsPKI-Template-Minor-Revision = 3\n",
"OldTemplateContent": "\nmsPKI-Template-Minor-Revision = 2\n"
},
"message": "A Certificate Services template was updated.\r\n\r\nUser v4.3 (Schema V1)\r\n \r\nCN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ludus,DC=domain\r\n\r\nTemplate Change Information:\r\n\tOld Template Content:\t\nmsPKI-Template-Minor-Revision = 2\n\r\n\tNew Template Content:\t\t\nmsPKI-Template-Minor-Revision = 3\n\r\n\r\nAdditional Information:\r\n\tDomain Controller:\tJD-DC01-2022.ludus.domain"
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| NewTemplateContent | contains | ct_flag_enrollee_supplies_subject | 2 rules | sigma |
| TemplateContent | contains | ct_flag_enrollee_supplies_subject | 2 rules | sigma |
Detection Rules #
Sigma #
- ADCS Certificate Template Configuration Vulnerability source low: Detects certificate creation with template allowing risk permission subject. Also matches Event ID 4898: Certificate Services loaded a template.
- ADCS Certificate Template Configuration Vulnerability with Risky EKU source high: Detects certificate creation with template allowing risk permission subject and risky EKU. Also matches Event ID 4898: Certificate Services loaded a template.
References #
Event ID 4900: Certificate Services template security was updated.
#Description
Certificate Services template security was updated.
Message #
Fields #
| Name | Description |
|---|---|
| TemplateInternalName UnicodeString | |
| TemplateVersion UnicodeString | v |
| TemplateSchemaVersion UnicodeString | (Schema V |
| TemplateOID UnicodeString | |
| TemplateDSObjectFQDN UnicodeString | |
| DCDNSName UnicodeString | [Additional Information] Domain Controller |
| NewTemplateContent UnicodeString | [Template Change Information] New Template Content |
| NewSecurityDescriptor UnicodeString | [Template Change Information] New Security Descriptor |
| OldTemplateContent UnicodeString | [Template Change Information] Old Template Content |
| OldSecurityDescriptor UnicodeString | [Template Change Information] Old Security Descriptor |
References #
Event ID 4902: The Per-user audit policy table was created.
#Description
This event generates during system startup if Per-user audit policy is defined on the computer.
Message #
Fields #
| Name | Description |
|---|---|
| PuaCount UInt32 | Number of users for which Per-user policies were defined (number of unique users). |
| PuaPolicyId HexInt64 | Unique per-User Audit Policy hexadecimal identifier. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4902,
"version": 0,
"level": 0,
"task": 13568,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:32:50.8061908+00:00",
"event_record_id": 1715934,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 876
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"PuaCount": "0",
"PuaPolicyId": "0xa7bd"
},
"message": "The Per-user audit policy table was created.\r\n\r\nNumber of Elements:\t0\r\nPolicy ID:\t0xA7BD"
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4902
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4902
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4902.yml
Event ID 4904: An attempt was made to register a security event source.
#Description
An attempt was made to register a security event source.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
| SubjectUserSid SID | SID of account that made an attempt to register a security event source. | |
| SubjectUserName UnicodeString | The name of the account that made an attempt to register a security event source. | |
| SubjectDomainName UnicodeString | Subject's domain or computer name. | |
| SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
| AuditSourceName UnicodeString | The name of registered security event source. You can see all registered security event source names in this registry path: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security". | 1 |
| EventSourceId HexInt64 | The unique hexadecimal identifier of registered security event source. | |
| ProcessId Pointer | Hexadecimal Process ID of the process that attempted to register the security event source. | |
| ProcessName UnicodeString | [Process] Process Name. | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4904,
"version": 0,
"level": 0,
"task": 13568,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T13:41:33.3658893+00:00",
"event_record_id": 1217147,
"correlation": {
"ActivityID": "{4CADC93F-FB3A-0001-A9C9-AD4C3AFBDC01}"
},
"execution": {
"process_id": 760,
"thread_id": 820
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-D$",
"SubjectDomainName": "cell-d",
"SubjectLogonId": "0x3e7",
"AuditSourceName": "FSRM Audit",
"EventSourceId": "0x38eb8",
"ProcessId": "0xec8",
"ProcessName": "C:\\Windows\\System32\\svchost.exe"
},
"message": "An attempt was made to register a security event source.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x3E7\r\n\r\nProcess:\r\n\tProcess ID:\t0xec8\r\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\r\n\r\nEvent Source:\r\n\tSource Name:\tFSRM Audit\r\n\tEvent Source ID:\t0x38EB8"
}
Detection Patterns #
Credential Access: Security Account Manager
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4904
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4904
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4904.yml
Event ID 4905: An attempt was made to unregister a security event source.
#Description
An attempt was made to unregister a security event source.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid | SID of account that made an attempt to unregister a security event source. |
| SubjectUserName | The name of the account that made an attempt to unregister a security event source. |
| SubjectDomainName | Subject's domain or computer name. |
| SubjectLogonId | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| AuditSourceName | The name of unregistered security event source. You can see all registered security event source names in this registry path: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security". |
| EventSourceId | The unique hexadecimal identifier of unregistered security event source. |
| ProcessId | Hexadecimal Process ID of the process that attempted to unregister the security event source. |
| ProcessName | Full path and the name of the executable for the process. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4905,
"version": 0,
"level": 0,
"task": 13568,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T05:17:53.2889637+00:00",
"event_record_id": 803955,
"correlation": {
"ActivityID": "{F06DF7AC-EF89-0002-BCF7-6DF089EFDC01}"
},
"execution": {
"process_id": 712,
"thread_id": 5924
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-D$",
"SubjectDomainName": "cell-d",
"SubjectLogonId": "0x3e7",
"AuditSourceName": "IIS-METABASE",
"EventSourceId": "0xf45b7c",
"ProcessId": "0x7ec",
"ProcessName": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe"
},
"message": "An attempt was made to unregister a security event source.\r\n\r\nSubject\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x3E7\r\n\r\nProcess:\r\n\tProcess ID:\t0x7ec\r\n\tProcess Name:\tC:\\Windows\\System32\\inetsrv\\inetinfo.exe\r\n\r\nEvent Source:\r\n\tSource Name:\tIIS-METABASE\r\n\tEvent Source ID:\t0xF45B7C"
}
Detection Patterns #
Credential Access: Security Account Manager
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4905
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4905
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4905.yml
Event ID 4906: The CrashOnAuditFail value has changed.
#Description
This event generates every time the CrashOnAuditFail audit flag value is modified.
Message #
Fields #
| Name | Description |
|---|---|
| CrashOnAuditFailValue UInt32 | Contains new value of CrashOnAuditFail flag. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4906
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4906
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4906.yml
Event ID 4907: Auditing settings on object were changed.
#Description
This event generates when the auditing settings (the SACL in an object's Security Descriptor) are changed.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | SID of the account that made a change to the object's auditing settings. |
| SubjectUserName UnicodeString | The name of the account that made a change to the object's auditing settings. |
| SubjectDomainName UnicodeString | Subject's domain or computer name. |
| SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
| ObjectServer UnicodeString | Has "Security" value for this event. |
| ObjectType UnicodeString | The type of the object that was accessed during the operation. |
| ObjectName UnicodeString | Full path and name of the object for which the SACL was modified. Depends on Object Type. |
| HandleId Pointer | Hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID. |
| OldSd UnicodeString | The old Security Descriptor Definition Language (SDDL) value for the object. |
| NewSd UnicodeString | The new Security Descriptor Definition Language (SDDL) value for the object. |
| ProcessId Pointer | Hexadecimal Process ID of the process through which the object's SACL was changed. |
| ProcessName UnicodeString | Full path and name of the executable for the process. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4907,
"version": 0,
"level": 0,
"task": 13568,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T05:22:20.6577420+00:00",
"event_record_id": 2926190,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 7864
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-C$",
"SubjectDomainName": "cell-c",
"SubjectLogonId": "0x3e7",
"ObjectServer": "Security",
"ObjectType": "File",
"ObjectName": "C:\\Windows\\WinSxS\\Temp\\InFlight\\c8dec39bf4fadc01df0700009c05c402\\c8dec39bf4fadc01e00700009c05c402_catalog",
"HandleId": "0x12b8",
"OldSd": "S:AI(AU;SAFA;0x1f0116;;;WD)",
"NewSd": "",
"ProcessId": "0x59c",
"ProcessName": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.20348.557_none_f1edaeb8515fa10d\\TiWorker.exe"
},
"message": "Auditing settings on object were changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tObject Type:\tFile\r\n\tObject Name:\tC:\\Windows\\WinSxS\\Temp\\InFlight\\c8dec39bf4fadc01df0700009c05c402\\c8dec39bf4fadc01e00700009c05c402_catalog\r\n\tHandle ID:\t0x12b8\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x59c\r\n\tProcess Name:\tC:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.20348.557_none_f1edaeb8515fa10d\\TiWorker.exe\r\n\r\nAuditing Settings:\r\n\tOriginal Security Descriptor:\tS:AI(AU;SAFA;0x1f0116;;;WD)\r\n\tNew Security Descriptor:\t\t"
}
Community Notes #
Captures SACL changes to files, registry keys, and services.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4907
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4907
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4907.yml
Event ID 4908: Special Groups Logon table modified.
#Description
This event generates every time the Special Groups logon table is modified.
Message #
Fields #
| Name | Description |
|---|---|
| SidList | Contains the current list of SIDs (groups or accounts) that are members of Special Groups. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4908,
"version": 0,
"level": 0,
"task": 13568,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2020-07-12T06:01:51.798027Z",
"event_record_id": 16088364,
"correlation": {},
"execution": {
"process_id": 528,
"thread_id": 548
},
"channel": "Security",
"computer": "rootdc1.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"SidList": "-"
}
}
Community Notes #
Removing privileged SIDs from the Special Groups list will prevent Event ID 4964 from firing for them. The event also appears at every reboot, so IR can compare the boot-time record against later changes.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4908
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4908
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4908.yml
Event ID 4909: The local policy settings for the TBS were changed.
#Description
The local policy settings for the TBS were changed.
Message #
Fields #
| Name | Description |
|---|---|
| OldBlockedOrdinals UnicodeString | Old Blocked Ordinals |
| NewBlockedOrdinals UnicodeString | New Blocked Ordinals |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4909
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4909
Event ID 4910: The group policy settings for the TBS were changed.
#Description
The group policy settings for the TBS were changed.
Message #
Fields #
| Name | Description |
|---|---|
| OldIgnoreDefaultSettings UInt32 | Old Value |
| NewIgnoreDefaultSettings UInt32 | New Value |
| OldIgnoreLocalSettings UInt32 | Old Value |
| NewIgnoreLocalSettings UInt32 | New Value |
| OldBlockedOrdinals UnicodeString | Old Blocked Ordinals |
| NewBlockedOrdinals UnicodeString | New Blocked Ordinals |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4910
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4910
Event ID 4911: Resource attributes of the object were changed.
#Description
This event generates when the resource attributes of a file system object are changed.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | SID of the account that changed the resource attributes of the file system object. |
| SubjectUserName UnicodeString | The name of the account that changed the resource attributes of the file system object. |
| SubjectDomainName UnicodeString | Subject's domain or computer name. |
| SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| ObjectServer UnicodeString | Has "Security" value for this event. |
| ObjectType UnicodeString | The type of the object that was accessed during the operation. Always "File" for this event. |
| ObjectName UnicodeString | Full path and/or name of the object for which resource attributes were changed. |
| HandleId Pointer | Hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "4663(S): An attempt was made to access an object." This parameter might not be captured in the event, and in that case appears as "0x0". |
| OldSd UnicodeString | The Security Descriptor Definition Language (SDDL) value for the old resource attributes. |
| NewSd UnicodeString | The Security Descriptor Definition Language (SDDL) value for the new resource attributes. |
| ProcessId Pointer | Hexadecimal Process ID of the process through which the resource attributes of the file system object were changed. |
| ProcessName UnicodeString | Full path and name of the executable for the process. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4911,
"version": 0,
"level": 0,
"task": 13570,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-28T11:13:10.4845956+00:00",
"event_record_id": 148286,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 1300
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "cell-d",
"SubjectLogonId": "0xb66c2",
"ObjectServer": "Security",
"ObjectType": "File",
"ObjectName": "C:\\Users\\domainadmin\\Downloads",
"HandleId": "0xa18",
"OldSd": "",
"NewSd": "S:ARAI(RA;OICIIO;;;;WD;(\"IMAGELOAD\",TU,0x0,1))",
"ProcessId": "0x1450",
"ProcessName": "C:\\Windows\\explorer.exe"
},
"message": "Resource attributes of the object were changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0xB66C2\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tObject Type:\tFile\r\n\tObject Name:\tC:\\Users\\domainadmin\\Downloads\r\n\tHandle ID:\t0xa18\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x1450\r\n\tProcess Name:\tC:\\Windows\\explorer.exe\r\n\r\nResource Attributes:\r\n\tOriginal Security Descriptor:\t\r\n\tNew Security Descriptor:\t\tS:ARAI(RA;OICIIO;;;;WD;(\"IMAGELOAD\",TU,0x0,1))"
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4911
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4911
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4911.yml
Event ID 4912: Per User Audit Policy was changed.
#Description
This event generates every time the Per User Audit Policy is changed.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | SID of the account that made a change to the per-user audit policy. |
| SubjectUserName UnicodeString | The name of the account that made a change to the per-user audit policy. |
| SubjectDomainName UnicodeString | Subject's domain or computer name. |
| SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| TargetUserSid SID | SID of the account for which the Per User Audit Policy was changed. |
| CategoryId UnicodeString | The name of the auditing category whose subcategory state was changed. Known values: see the Microsoft Learn reference below. |
| SubcategoryId UnicodeString | The name of the auditing subcategory whose state was changed. Known values: see the Microsoft Learn reference below. |
| SubcategoryGuid GUID | [Policy Change Details] Subcategory GUID. Known values: see the Microsoft Learn reference below. |
| AuditPolicyChanges UnicodeString | [Policy Change Details] Changes. Known values: see the Microsoft Learn reference below. |
Community Notes #
If the Changes field is set to None, or includes "Failure removed", this may be an attempt to hide activity. Pair with 4719, 4902, and 4624 to reconstruct a timeline.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4912
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4912
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4912.yml
Event ID 4913: Central Access Policy on the object was changed.
#Description
This event generates when a Central Access Policy on a file system object is changed.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | SID of the account that changed the Central Access Policy on the object. |
| SubjectUserName UnicodeString | The name of the account that changed the Central Access Policy on the object. |
| SubjectDomainName UnicodeString | Subject's domain or computer name. |
| SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| ObjectServer UnicodeString | Has "Security" value for this event. |
| ObjectType UnicodeString | The type of the object that was accessed during the operation. Always "File" for this event. |
| ObjectName UnicodeString | Full path and/or name of the object on which the Central Access Policy was changed. |
| HandleId Pointer | Hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "4663(S): An attempt was made to access an object." This parameter might not be captured in the event, and in that case appears as "0x0". |
| OldSd UnicodeString | The Security Descriptor Definition Language (SDDL) value for the old Central Policy ID (the policy that was formerly applied to the object). |
| NewSd UnicodeString | The Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (the policy that has been applied to the object). |
| ProcessId Pointer | Hexadecimal Process ID of the process through which the Central Access Policy was changed. |
| ProcessName UnicodeString | Full path and name of the executable for the process. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4913
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4913
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4913.yml
Event ID 4928: An Active Directory replica source naming context was established.
#Description
This event generates every time a new Active Directory replica source naming context is established.
Message #
Fields #
| Name | Description |
|---|---|
| DestinationDRA UnicodeString | Destination directory replication agent distinguished name. |
| SourceDRA UnicodeString | Source directory replication agent distinguished name. |
| SourceAddr UnicodeString | DNS record of the server from which information or an update was received. |
| NamingContext UnicodeString | Naming Context. |
| Options UInt64 | Options. |
| StatusCode UInt32 | If there are no issues or errors, the status code will be 0. NTSTATUS reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4928
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4928
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4928.yml
Event ID 4929: An Active Directory replica source naming context was removed.
#Description
An Active Directory replica source naming context was removed.
Message #
Fields #
| Name | Description |
|---|---|
| DestinationDRA | Destination directory replication agent distinguished name. |
| SourceDRA | Source directory replication agent distinguished name. |
| SourceAddr | DNS record of the server from which the "remove" request was received. |
| NamingContext | Naming context which was removed. |
| Options UInt64 | Options. |
| StatusCode | If there are no issues or errors, the status code will be 0. NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4929,
"version": 1,
"level": 0,
"task": 14083,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2021-04-27T11:04:45.557748Z",
"event_record_id": 138520244,
"correlation": {
"#attributes": {
"ActivityID": "9816F041-2BBE-0000-53F0-1698BE2BD701"
}
},
"execution": {
"process_id": 548,
"thread_id": 5276
},
"channel": "Security",
"computer": "rootdc1.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"DestinationDRA": "CN=NTDS Settings,CN=ROOTDC1,CN=Servers,CN=OFFSEC-PREMISE,CN=Sites,CN=Configuration,DC=offsec,DC=lan",
"SourceDRA": "-",
"SourceAddr": "jump01.offsec.lan",
"NamingContext": "DC=offsec,DC=lan",
"Options": 16,
"StatusCode": 8452
}
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4929
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4929
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4929.yml
Event ID 4930: An Active Directory replica source naming context was modified.
#Description
An Active Directory replica source naming context was modified.
Message #
Fields #
| Name | Description |
|---|---|
| DestinationDRA UnicodeString | Destination directory replication agent distinguished name. |
| SourceDRA UnicodeString | Source directory replication agent distinguished name. Typically equals "-" for this event. |
| SourceAddr UnicodeString | DNS record of the computer from which the modification request was received. |
| NamingContext UnicodeString | Naming context which was modified. |
| Options UInt64 | Options. |
| StatusCode UInt32 | If there are no issues or errors, the status code will be 0. NTSTATUS reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4930
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4930
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4930_v1.yml
Event ID 4931: An Active Directory replica destination naming context was modified.
#Description
An Active Directory replica destination naming context was modified.
Message #
Fields #
| Name | Description |
|---|---|
| DestinationDRA UnicodeString | Destination directory replication agent distinguished name. |
| SourceDRA UnicodeString | Source directory replication agent distinguished name. |
| SourceAddr UnicodeString | DNS record of the computer to which the modification request was sent. |
| NamingContext UnicodeString | Naming context which was modified. |
| Options UInt64 | Options. |
| StatusCode UInt32 | If there are no issues or errors, the status code will be 0. NTSTATUS reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4931
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4931
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4931_v1.yml
Event ID 4932: Synchronization of a replica of an Active Directory naming context has begun.
#Description
Synchronization of a replica of an Active Directory naming context has begun.
Message #
Fields #
| Name | Description |
|---|---|
| DestinationDRA UnicodeString | Destination directory replication agent distinguished name. |
| SourceDRA UnicodeString | Source directory replication agent distinguished name. |
| NamingContext UnicodeString | Naming Context. |
| Options UInt64 | Options. |
| SessionID UInt32 | Unique identifier of the replication session. Using this field you can find the "4932: Synchronization of a replica of an Active Directory naming context has begun." and "4933: Synchronization of a replica of an Active Directory naming context has ended." events for the same session. |
| StartUSN UnicodeString | Naming Context's USN number before replication begins. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4932
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4932
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4932.yml
Event ID 4933: Synchronization of a replica of an Active Directory naming context has ended.
#Description
This event generates every time synchronization of a replica of an Active Directory naming context has ended. A Failure event is logged when the synchronization failed.
Message #
Fields #
| Name | Description |
|---|---|
| DestinationDRA UnicodeString | Destination directory replication agent distinguished name. |
| SourceDRA UnicodeString | Source directory replication agent distinguished name. |
| NamingContext UnicodeString | Naming Context. |
| Options UInt64 | Options. |
| SessionID UInt32 | Unique identifier of the replication session. Using this field you can find the "4932: Synchronization of a replica of an Active Directory naming context has begun." and "4933: Synchronization of a replica of an Active Directory naming context has ended." events for the same session. |
| EndUSN UnicodeString | Naming Context's USN number after replication ends. |
| StatusCode UInt32 | If there are no issues or errors, the status code will be "0". If an error happened, you will receive a Failure event and the Status Code will not be equal to "0". NTSTATUS reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4933
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4933
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4933.yml
Event ID 4934: Attributes of an Active Directory object were replicated.
#Description
Attributes of an Active Directory object were replicated.
Message #
Fields #
| Name | Description |
|---|---|
| SessionID UInt32 | Session ID |
| Object UnicodeString | Object |
| Attribute UnicodeString | Attribute |
| TypeOfChange UInt32 | Type of change |
| NewValue UnicodeString | New Value |
| USN UnicodeString | USN |
| StatusCode UInt32 | Status Code NTSTATUS reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4934
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4934
Event ID 4935: Replication failure begins.
#Description
This event generates when Active Directory replication failure begins.
Message #
Fields #
| Name | Description |
|---|---|
| ReplicationEvent | There is no detailed information about this field in this document. |
| AuditStatusCode | There is no detailed information about this field in this document. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4935,
"version": 0,
"level": 0,
"task": 14083,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2021-04-27T11:04:03.510255Z",
"event_record_id": 138520219,
"correlation": {
"#attributes": {
"ActivityID": "9816F041-2BBE-0000-53F0-1698BE2BD701"
}
},
"execution": {
"process_id": 548,
"thread_id": 5276
},
"channel": "Security",
"computer": "rootdc1.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"ReplicationEvent": 1,
"AuditStatusCode": 8419
}
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4935
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4935
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4935.yml
Event ID 4936: Replication failure ends.
#Description
Replication failure ends.
Message #
Fields #
| Name | Description |
|---|---|
| ReplicationEvent | |
| AuditStatusCode | |
| ReplicationStatusCode | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4936,
"version": 0,
"level": 0,
"task": 14083,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2021-04-27T11:04:45.556800Z",
"event_record_id": 138520242,
"correlation": {
"#attributes": {
"ActivityID": "9816F041-2BBE-0000-53F0-1698BE2BD701"
}
},
"execution": {
"process_id": 548,
"thread_id": 5276
},
"channel": "Security",
"computer": "rootdc1.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"ReplicationEvent": 1,
"AuditStatusCode": 8419,
"ReplicationStatusCode": 1722
}
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4936
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4936
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4937: A lingering object was removed from a replica.
#Description
A lingering object was removed from a replica.
Message #
Fields #
| Name | Description |
|---|---|
| DestinationDRA UnicodeString | Destination DRA |
| SourceDRA UnicodeString | Source DRA |
| Object UnicodeString | Object |
| Options UInt64 | Options |
| StatusCode UInt32 | Status Code NTSTATUS reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4937
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4937
Event ID 4944: The following policy was active when the Windows Firewall started.
#Description
The following policy was active when the Windows Firewall started.
Message #
Fields #
| Name | Description |
|---|---|
| GroupPolicyApplied UnicodeString | Always has the value "No" for this event. The field is meant to indicate whether Group Policy was applied to Windows Firewall when the service started. |
| Profile UnicodeString | The active profile name at the moment the Windows Firewall service starts. |
| OperationMode UnicodeString | On - if the "Firewall state:" setting was set to "On" for the "Public" profile. Off - if the "Firewall state:" setting was set to "Off" for the "Public" profile. |
| RemoteAdminEnabled UnicodeString | Appears to correspond to the "Windows Firewall: Allow remote administration exception" Group Policy setting, but it is always Disabled, regardless of which option is set for that policy. |
| MulticastFlowsEnabled UnicodeString | Enabled - if the "Allow unicast response:" Settings configuration was set to "Yes" for the "Public" profile. Disabled - if it was set to "No" for the "Public" profile. |
| LogDroppedPacketsEnabled UnicodeString | Enabled - if the "Log dropped packets:" Logging configuration was set to "Yes" for the "Public" profile. Disabled - if it was set to "No" for the "Public" profile. |
| LogSuccessfulConnectionsEnabled UnicodeString | Enabled - if the "Log successful connections:" Logging configuration was set to "Yes" for the "Public" profile. Disabled - if it was set to "No" for the "Public" profile. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4944,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:32:57.9251088+00:00",
"event_record_id": 1717305,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 872
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"GroupPolicyApplied": "No",
"Profile": "(null)",
"OperationMode": "On",
"RemoteAdminEnabled": "Disabled",
"MulticastFlowsEnabled": "Enabled",
"LogDroppedPacketsEnabled": "Disabled",
"LogSuccessfulConnectionsEnabled": "Disabled"
},
"message": "The following policy was active when the Windows Firewall started.\r\n\r\nGroup Policy Applied:\tNo\r\nProfile Used:\t(null)\r\nOperational mode:\tOn\r\nAllow Remote Administration:\tDisabled\r\nAllow Unicast Responses to Multicast/Broadcast Traffic:\tEnabled\r\nSecurity Logging:\r\n\tLog Dropped Packets:\tDisabled\r\n\tLog Successful Connections:\tDisabled"
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4944
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4944
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4944.yml
Event ID 4945: A rule was listed when the Windows Firewall started.
#Description
A rule was listed when the Windows Firewall started.
Message #
Fields #
| Name | Description |
|---|---|
ProfileUsed UnicodeString | The name of the profile that the rule belongs to. It always has the value "Public", because this event shows rules only for the "Public" profile. |
RuleId UnicodeString | The unique firewall rule identifier. |
RuleName UnicodeString | The name of the rule which was listed when the Windows Firewall started. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4945,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:32:57.9315957+00:00",
"event_record_id": 1717470,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 872
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileUsed": "(null)",
"RuleId": "{FF8303C2-8C97-48FB-9B70-CEF9F3C8209C}",
"RuleName": "Microsoft Edge (mDNS-In)"
},
"message": "A rule was listed when the Windows Firewall started.\r\n\t\r\nProfile used:\t(null)\r\n\r\nRule:\r\n\tRule ID:\t{FF8303C2-8C97-48FB-9B70-CEF9F3C8209C}\r\n\tRule Name:\tMicrosoft Edge (mDNS-In)"
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4945
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4945
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4945.yml
Event ID 4946: A change has been made to Windows Firewall exception list. A rule was added.
#Description
A change was made to the Windows Firewall exception list. A rule was added.
Fields #
| Name | Description |
|---|---|
ProfileChanged UnicodeString | The list of profiles to which the new rule was applied. Known values |
RuleId UnicodeString | The unique new firewall rule identifier. |
RuleName UnicodeString | The name of the rule which was added. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4946,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-11T19:32:55.589972+00:00",
"event_record_id": 2601879,
"correlation": {
"ActivityID": "83C0A038-97BF-4A37-B9EE-DBA4C42967DF"
},
"execution": {
"process_id": 720,
"thread_id": 1048
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileChanged": "(null),(null)",
"RuleId": "{DC92C56C-4138-4D46-B25D-97D3C349B695}",
"RuleName": "@{Microsoft.DesktopAppInstaller_1.28.220.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resources/appDisplayName}"
},
"message": ""
}
Community Notes #
Logs rules that open ports or disable filtering. Attackers may add rules to enable implants to communicate with external servers.
Detection Rules #
Splunk #
- Windows Firewall Rule Added: This detection identifies instances where a Windows Firewall rule is added by monitoring Event ID 4946 in the Windows Security Event Log. Firewall rule modifications can indicate legitimate administrative actions, but they may also signal…
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4946
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4946.yml
Event ID 4947: A change has been made to Windows Firewall exception list. A rule was modified.
#Description
A change was made to the Windows Firewall exception list. A rule was modified.
Fields #
| Name | Description |
|---|---|
ProfileChanged UnicodeString | The list of profiles to which the changed rule is applied. Known values |
RuleId UnicodeString | The unique identifier of the modified firewall rule. |
RuleName UnicodeString | The name of the rule which was modified. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4947,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-11T06:32:02.846637+00:00",
"event_record_id": 2461332,
"correlation": {
"ActivityID": "25EC58BA-8E8B-49D4-8250-F380547FF3D0"
},
"execution": {
"process_id": 720,
"thread_id": 1048
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileChanged": "All",
"RuleId": "WSLCore-SharedAccess-Allow-Rule",
"RuleName": "WSLCore SharedAccess Allow Rule"
},
"message": ""
}
Detection Rules #
Splunk #
- Windows Firewall Rule Modification: This detection identifies instances where a Windows Firewall rule has been modified, which may indicate an attempt to alter security policies. Unauthorized modifications can weaken firewall protections, allowing malicious traffic or…
Event ID 4948: A change has been made to Windows Firewall exception list. A rule was deleted.
#Description
A change was made to the Windows Firewall exception list. A rule was deleted.
Fields #
| Name | Description |
|---|---|
ProfileChanged UnicodeString | The list of profiles to which the deleted rule was applied. Known values |
RuleId UnicodeString | The unique identifier of the deleted firewall rule. |
RuleName UnicodeString | The name of the rule which was deleted. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4948,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-11T19:32:55.554379+00:00",
"event_record_id": 2601866,
"correlation": {
"ActivityID": "426D61B7-B34A-40F7-B81E-D2D13DCDAEDA"
},
"execution": {
"process_id": 720,
"thread_id": 1048
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileChanged": "(null),(null),(null)",
"RuleId": "{760971F9-D380-483D-AEA7-31795C69819A}",
"RuleName": "@{Microsoft.DesktopAppInstaller_1.27.470.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resources/appDisplayName}"
},
"message": ""
}
Detection Rules #
Splunk #
- Windows Firewall Rule Deletion: This detection identifies instances where a Windows Firewall rule has been deleted, potentially exposing the system to security risks. Unauthorized removal of firewall rules can indicate an attacker attempting to bypass security controls…
Event ID 4949: Windows Firewall settings were restored to the default values.
#Description
Windows Firewall settings were restored to the default values.
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4949,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:28:37.812998+00:00",
"event_record_id": 16710980,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 10484
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
Event ID 4950: A Windows Firewall setting has changed.
#Description
This event generates when a Windows Firewall local setting was changed.
Fields #
| Name | Description |
|---|---|
ProfileChanged UnicodeString | The name of the profile in which the setting was changed. Known values |
SettingType UnicodeString | The name of the setting which was modified. |
SettingValue UnicodeString | [New Setting] Value. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4950,
"version": "0",
"level": "0",
"task": "13571",
"opcode": "0",
"keywords": 9232379236109516800,
"time_created": "2021-06-03T19:39:52.893115500Z",
"event_record_id": "1974770",
"correlation": {
"#attributes": {
"ActivityID": "{38068009-512D-0000-1D80-06382D51D701}"
}
},
"execution": {
"process_id": "556",
"thread_id": "2532"
},
"channel": "Security",
"computer": "fs01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileChanged": "Domain",
"SettingType": "Enable Windows Firewall",
"SettingValue": "Yes"
}
}
Community Notes #
Tracks changes to core settings such as disabling a profile (domain, private, public), or default block/allow behavior.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4950
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4950.yml
Event ID 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall.
#Description
When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule.
Fields #
| Name | Description |
|---|---|
Profile UnicodeString | The name of the profile of the ignored rule. |
RuleId UnicodeString | The unique identifier of the ignored firewall rule. |
RuleName UnicodeString | The name of the rule which was ignored. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4951
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4951.yml
Event ID 4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall.
#Description
Windows Firewall ignored parts of a rule because its minor version number is not recognized. Other parts of the rule will be enforced.
Fields #
| Name | Description |
|---|---|
Profile UnicodeString | Profile |
RuleId UnicodeString | [Partially Ignored Rule] ID |
RuleName UnicodeString | [Partially Ignored Rule] Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
Event ID 4953: A rule has been ignored by Windows Firewall because it could not parse the rule.
#Description
This event generates if Windows Firewall was not able to parse a Windows Firewall rule for some reason.
Fields #
| Name | Description |
|---|---|
Profile UnicodeString | The name of the profile of the ignored rule. |
ReasonForRejection UnicodeString | The reason why the rule was ignored. |
RuleId UnicodeString | The unique identifier of the ignored firewall rule. |
RuleName UnicodeString | The name of the rule which was ignored. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4953,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": -9218868437227405312,
"time_created": "2026-05-29T16:32:57.5827365+00:00",
"event_record_id": 1716312,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 968
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Profile": "All",
"ReasonForRejection": "An error occurred.",
"RuleId": "MDEServer-1",
"RuleName": "-"
},
"message": "Windows Firewall ignored a rule because it could not be parsed.\r\n\t\r\nProfile:\tAll\r\n\r\nReason for Rejection:\tAn error occurred.\r\n\r\nRule:\r\n\tID:\tMDEServer-1\r\n\tName:\t-"
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4953
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4953
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4953.yml
Event ID 4954: Windows Firewall Group Policy settings has changed.
#Description
Group Policy settings for Windows Firewall were changed, and the new settings were applied.
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4954,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-09T00:56:52.595949+00:00",
"event_record_id": 1628305,
"correlation": {
"ActivityID": "96A9D96E-AF5F-0001-F1D9-A9965FAFDC01"
},
"execution": {
"process_id": 828,
"thread_id": 844
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
Event ID 4956: Windows Firewall has changed the active profile.
#Description
This event generates when Windows Firewall has changed the active profile.
Fields #
| Name | Description |
|---|---|
ActiveProfile UnicodeString | The name of the new active profile. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4956,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-11T06:27:32.278889+00:00",
"event_record_id": 2454199,
"correlation": {
"ActivityID": "164E10E5-B120-0003-FC10-4E1620B1DC01"
},
"execution": {
"process_id": 720,
"thread_id": 6464
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"ActiveProfile": "(null)"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4956
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4956.yml
Event ID 4957: Windows Firewall did not apply the following rule.
#Description
This event generates when Windows Firewall starts or applies a new rule, and the rule cannot be applied for some reason.
Fields #
| Name | Description |
|---|---|
RuleId UnicodeString | The unique identifier of the firewall rule that was not applied. |
RuleName UnicodeString | The name of the rule which was not applied. |
RuleAttr UnicodeString | The reason why the rule was not applied. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4957,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": -9218868437227405312,
"time_created": "2026-05-29T23:47:58.2985815+00:00",
"event_record_id": 1780243,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 2452
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RuleId": "Microsoft.Win32WebViewHost_cw5n1h2txyewy_S-1-5-21-1006758700-2167138679-1475694448-1105_Out_notRemoteName_Wi-Fi",
"RuleName": "Microsoft.Win32WebViewHost_cw5n1h2txyewy_S-1-5-21-1006758700-2167138679-1475694448-1105_Out_notRemoteName_Wi-Fi",
"RuleAttr": "Interfaces"
},
"message": "Windows Firewall did not apply the following rule:\r\n\r\nRule Information:\r\n\tID:\tMicrosoft.Win32WebViewHost_cw5n1h2txyewy_S-1-5-21-1006758700-2167138679-1475694448-1105_Out_notRemoteName_Wi-Fi\r\n\tName:\tMicrosoft.Win32WebViewHost_cw5n1h2txyewy_S-1-5-21-1006758700-2167138679-1475694448-1105_Out_notRemoteName_Wi-Fi\r\n\r\nError Information:\r\n\tReason:\tInterfaces resolved to an empty set."
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4957
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4957
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4957.yml
Event ID 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
#Description
Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
Fields #
| Name | Description |
|---|---|
RuleId UnicodeString | [Rule Information] ID |
RuleName UnicodeString | [Rule Information] Name |
Error UnicodeString | [Error Information] Error |
Reason UnicodeString | [Error Information] Reason |
Event ID 4960: IPsec dropped an inbound packet that failed an integrity check.
#Description
IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
Fields #
| Name | Description |
|---|---|
RemoteAddress UnicodeString | Remote Network Address |
SPI UInt32 | Inbound SA SPI |
Event ID 4961: IPsec dropped an inbound packet that failed a replay check.
#Description
IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
Fields #
| Name | Description |
|---|---|
RemoteAddress UnicodeString | Remote Network Address |
SPI UInt32 | Inbound SA SPI |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
Event ID 4962: IPsec dropped an inbound packet that failed a replay check.
#Description
IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
Fields #
| Name | Description |
|---|---|
RemoteAddress UnicodeString | Remote Network Address |
SPI UInt32 | Inbound SA SPI |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
Event ID 4963: IPsec dropped an inbound clear text packet that should have been secured.
#Description
IPsec dropped an inbound clear text packet that should have been secured. If the remote computer is configured with a Request Outbound IPsec policy, this might be benign and expected. This can also be caused by the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
Fields #
| Name | Description |
|---|---|
RemoteAddress UnicodeString | Remote Network Address |
SPI UInt32 | Inbound SA SPI |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4963,
"version": 0,
"level": 0,
"task": 12291,
"opcode": 0,
"keywords": -9218868437227405312,
"time_created": "2026-05-30T02:02:50.4866299+00:00",
"event_record_id": 22244714,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 10592
},
"channel": "Security",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RemoteAddress": "192.0.2.254",
"SPI": "0"
},
"message": "IPsec dropped an inbound clear text packet that should have been secured. If the remote computer is configured with a Request Outbound IPsec policy, this might be benign and expected. This can also be caused by the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.\r\n\r\nRemote Network Address:\t192.0.2.254\r\nInbound SA SPI:\t\t0"
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
Event ID 4964: Special groups have been assigned to a new logon.
#Description
This event occurs when an account that is a member of any defined Special Group logs in.
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that requested logon for New Logon account. |
SubjectUserName UnicodeString | The name of the account that requested logon for New Logon account. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID. |
LogonGuid GUID | A GUID that can help you correlate this event with another event that can contain the same Logon GUID, for example, "4769(S, F): A Kerberos service ticket was requested" on a domain controller. |
TargetUserSid SID | SID of account that performed the logon. |
TargetUserName UnicodeString | The name of the account that performed the logon. |
TargetDomainName UnicodeString | [New Logon] Account Domain. |
TargetLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
TargetLogonGuid GUID | A GUID that can help you correlate this event with another event that can contain the same Logon GUID, for example, "4769(S, F): A Kerberos service ticket was requested" on a domain controller. |
SidList UnicodeString | The list of special group SIDs of which the New Logon Security ID is a member. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4964,
"version": 0,
"level": 0,
"task": 12548,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2021-04-22T08:51:04.686763Z",
"event_record_id": 435111,
"correlation": {},
"execution": {
"process_id": 480,
"thread_id": 2416
},
"channel": "Security",
"computer": "fs03vuln.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "FS03VULN$",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x3e7",
"LogonGuid": "00000000-0000-0000-0000-000000000000",
"TargetUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"TargetUserName": "admmig",
"TargetDomainName": "OFFSEC",
"TargetLogonId": "0x74872",
"TargetLogonGuid": "00000000-0000-0000-0000-000000000000",
"SidList": "\r\n\t\t%{S-1-5-21-4230534742-2542757381-3142984815-1613}"
}
}
Community Notes #
Detects Domain Admins or other high-value SIDs logging onto non-DC hosts.
Detection Rules #
Sigma #
- Lateral movement detection (based on "special groups" feature) (medium): Detects scenarios where a user of a predefined set of group(s) logs on a target machine.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4964
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-special-logon
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4964.yml
Event ID 4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI).
#Description
IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
Fields #
| Name | Description |
|---|---|
RemoteAddress UnicodeString | Remote Network Address |
SPI UInt32 | Inbound SA SPI |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
Event ID 4976: During Main Mode negotiation, IPsec received an invalid negotiation packet.
#Description
During main mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
Fields #
| Name | Description |
|---|---|
LocalAddress UnicodeString | Local Network Address |
RemoteAddress UnicodeString | Remote Network Address |
KeyModName UnicodeString | Keying Module Name |
Event ID 4977: During Quick Mode negotiation, IPsec received an invalid negotiation packet.
#Description
During quick mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
Fields #
| Name | Description |
|---|---|
LocalAddress UnicodeString | Local Network Address |
RemoteAddress UnicodeString | Remote Network Address |
KeyModName UnicodeString | Keying Module Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-quick-mode
Event ID 4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet.
#Description
During extended mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
Fields #
| Name | Description |
|---|---|
LocalAddress UnicodeString | Local Network Address |
RemoteAddress UnicodeString | Remote Network Address |
KeyModName UnicodeString | Keying Module Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode
Event ID 4979: IPsec Main Mode and Extended Mode security associations were established.
#Description
IPsec main mode and extended mode security associations were established.
Fields #
| Name | Description |
|---|---|
LocalMMPrincipalName UnicodeString | [Main Mode Local Endpoint] Principal Name |
RemoteMMPrincipalName UnicodeString | [Main Mode Remote Endpoint] Principal Name |
LocalAddress UnicodeString | [Main Mode Local Endpoint] Network Address |
LocalKeyModPort UInt32 | [Main Mode Local Endpoint] Keying Module Port |
RemoteAddress UnicodeString | [Main Mode Remote Endpoint] Network Address |
RemoteKeyModPort UInt32 | [Main Mode Remote Endpoint] Keying Module Port |
MMAuthMethod UnicodeString | [Main Mode Additional Information] Authentication Method |
MMCipherAlg UnicodeString | [Main Mode Cryptographic Information] Cipher Algorithm |
MMIntegrityAlg UnicodeString | [Main Mode Cryptographic Information] Integrity Algorithm |
DHGroup UnicodeString | [Main Mode Cryptographic Information] Diffie-Hellman Group |
MMLifetime UInt32 | [Main Mode Security Association] Lifetime (minutes) |
QMLimit UInt32 | [Main Mode Security Association] Quick Mode Limit |
Role UnicodeString | [Main Mode Additional Information] Role |
MMImpersonationState UnicodeString | [Main Mode Additional Information] Impersonation State |
MMFilterID UInt64 | [Main Mode Additional Information] Main Mode Filter ID |
MMSAID UInt64 | [Main Mode Security Association] Main Mode SA ID |
LocalEMPrincipalName UnicodeString | [Extended Mode Information] Local Principal Name |
RemoteEMPrincipalName UnicodeString | [Extended Mode Information] Remote Principal Name |
EMAuthMethod UnicodeString | [Extended Mode Information] Authentication Method |
EMImpersonationState UnicodeString | [Extended Mode Information] Impersonation State |
QMFilterID UInt64 | [Extended Mode Information] Quick Mode Filter ID |
Event ID 4980: IPsec Main Mode and Extended Mode security associations were established.
#Description
IPsec main mode and extended mode security associations were established.
Fields #
| Name | Description |
|---|---|
LocalMMPrincipalName UnicodeString | [Main Mode Local Endpoint] Principal Name |
RemoteMMPrincipalName UnicodeString | [Main Mode Remote Endpoint] Principal Name |
LocalAddress UnicodeString | [Main Mode Local Endpoint] Network Address |
LocalKeyModPort UInt32 | [Main Mode Local Endpoint] Keying Module Port |
RemoteAddress UnicodeString | [Main Mode Remote Endpoint] Network Address |
RemoteKeyModPort UInt32 | [Main Mode Remote Endpoint] Keying Module Port |
MMAuthMethod UnicodeString | [Main Mode Additional Information] Authentication Method |
MMCipherAlg UnicodeString | [Main Mode Cryptographic Information] Cipher Algorithm |
MMIntegrityAlg UnicodeString | [Main Mode Cryptographic Information] Integrity Algorithm |
DHGroup UnicodeString | [Main Mode Cryptographic Information] Diffie-Hellman Group |
MMLifetime UInt32 | [Main Mode Security Association] Lifetime (minutes) |
QMLimit UInt32 | [Main Mode Security Association] Quick Mode Limit |
Role UnicodeString | [Main Mode Additional Information] Role |
MMImpersonationState UnicodeString | [Main Mode Additional Information] Impersonation State |
MMFilterID UInt64 | [Main Mode Additional Information] Main Mode Filter ID |
MMSAID UInt64 | [Main Mode Security Association] Main Mode SA ID |
LocalEMPrincipalName UnicodeString | [Extended Mode Local Endpoint] Principal Name |
LocalEMCertHash UnicodeString | [Extended Mode Local Endpoint] Certificate SHA Thumbprint |
LocalEMIssuingCA UnicodeString | [Extended Mode Local Endpoint] Certificate Issuing CA |
LocalEMRootCA UnicodeString | [Extended Mode Local Endpoint] Certificate Root CA |
RemoteEMPrincipalName UnicodeString | [Extended Mode Remote Endpoint] Principal Name |
RemoteEMCertHash UnicodeString | [Extended Mode Remote Endpoint] Certificate SHA Thumbprint |
RemoteEMIssuingCA UnicodeString | [Extended Mode Remote Endpoint] Certificate Issuing CA |
RemoteEMRootCA UnicodeString | [Extended Mode Remote Endpoint] Certificate Root CA |
EMImpersonationState UnicodeString | [Extended Mode Additional Information] Impersonation State |
QMFilterID UInt64 | [Extended Mode Additional Information] Quick Mode Filter ID |
References #
Event ID 4981: IPsec Main Mode and Extended Mode security associations were established.
#Description
IPsec main mode and extended mode security associations were established.
Message #
Fields #
| Name | Description |
|---|---|
LocalMMPrincipalName UnicodeString | [Local Endpoint] Principal Name |
LocalMMCertHash UnicodeString | [Local Certificate] SHA Thumbprint |
LocalMMIssuingCA UnicodeString | [Local Certificate] Issuing CA |
LocalMMRootCA UnicodeString | [Local Certificate] Root CA |
RemoteMMPrincipalName UnicodeString | [Remote Endpoint] Principal Name |
RemoteMMCertHash UnicodeString | [Remote Certificate] SHA Thumbprint |
RemoteMMIssuingCA UnicodeString | [Remote Certificate] Issuing CA |
RemoteMMRootCA UnicodeString | [Remote Certificate] Root CA |
LocalAddress UnicodeString | [Local Endpoint] Network Address |
LocalKeyModPort UInt32 | [Local Endpoint] Keying Module Port |
RemoteAddress UnicodeString | [Remote Endpoint] Network Address |
RemoteKeyModPort UInt32 | [Remote Endpoint] Keying Module Port |
MMCipherAlg UnicodeString | [Cryptographic Information] Cipher Algorithm |
MMIntegrityAlg UnicodeString | [Cryptographic Information] Integrity Algorithm |
DHGroup UnicodeString | [Cryptographic Information] Diffie-Hellman Group |
MMLifetime UInt32 | [Security Association Information] Lifetime (minutes) |
QMLimit UInt32 | [Security Association Information] Quick Mode Limit |
Role UnicodeString | [Additional Information] Role |
MMImpersonationState UnicodeString | [Additional Information] Impersonation State |
MMFilterID UInt64 | [Additional Information] Main Mode Filter ID |
MMSAID UInt64 | [Security Association Information] Main Mode SA ID |
LocalEMPrincipalName UnicodeString | [Extended Mode Information] Local Principal Name |
RemoteEMPrincipalName UnicodeString | [Extended Mode Information] Remote Principal Name |
EMAuthMethod UnicodeString | [Extended Mode Information] Authentication Method |
EMImpersonationState UnicodeString | [Extended Mode Information] Impersonation State |
QMFilterID UInt64 | [Extended Mode Information] Quick Mode Filter ID |
References #
Event ID 4982: IPsec Main Mode and Extended Mode security associations were established.
#Description
IPsec main mode and extended mode security associations were established.
Message #
Fields #
| Name | Description |
|---|---|
LocalMMPrincipalName UnicodeString | [Local Endpoint] Principal Name |
LocalMMCertHash UnicodeString | [Local Certificate] SHA Thumbprint |
LocalMMIssuingCA UnicodeString | [Local Certificate] Issuing CA |
LocalMMRootCA UnicodeString | [Local Certificate] Root CA |
RemoteMMPrincipalName UnicodeString | [Remote Endpoint] Principal Name |
RemoteMMCertHash UnicodeString | [Remote Certificate] SHA Thumbprint |
RemoteMMIssuingCA UnicodeString | [Remote Certificate] Issuing CA |
RemoteMMRootCA UnicodeString | [Remote Certificate] Root CA |
LocalAddress UnicodeString | [Local Endpoint] Network Address |
LocalKeyModPort UInt32 | [Local Endpoint] Keying Module Port |
RemoteAddress UnicodeString | [Remote Endpoint] Network Address |
RemoteKeyModPort UInt32 | [Remote Endpoint] Keying Module Port |
MMCipherAlg UnicodeString | [Cryptographic Information] Cipher Algorithm |
MMIntegrityAlg UnicodeString | [Cryptographic Information] Integrity Algorithm |
DHGroup UnicodeString | [Cryptographic Information] Diffie-Hellman Group |
MMLifetime UInt32 | [Security Association Information] Lifetime (minutes) |
QMLimit UInt32 | [Security Association Information] Quick Mode Limit |
Role UnicodeString | [Additional Information] Role |
MMImpersonationState UnicodeString | [Additional Information] Impersonation State |
MMFilterID UInt64 | [Additional Information] Main Mode Filter ID |
MMSAID UInt64 | [Security Association Information] Main Mode SA ID |
LocalEMPrincipalName UnicodeString | [Extended Mode Local Endpoint] Principal Name |
LocalEMCertHash UnicodeString | [Extended Mode Local Endpoint] Certificate SHA Thumbprint |
LocalEMIssuingCA UnicodeString | [Extended Mode Local Endpoint] Certificate Issuing CA |
LocalEMRootCA UnicodeString | [Extended Mode Local Endpoint] Certificate Root CA |
RemoteEMPrincipalName UnicodeString | [Extended Mode Remote Endpoint] Principal Name |
RemoteEMCertHash UnicodeString | [Extended Mode Remote Endpoint] Certificate SHA Thumbprint |
RemoteEMIssuingCA UnicodeString | [Extended Mode Remote Endpoint] Certificate Issuing CA |
RemoteEMRootCA UnicodeString | [Extended Mode Remote Endpoint] Certificate Root CA |
EMImpersonationState UnicodeString | [Extended Mode Additional Information] Impersonation State |
QMFilterID UInt64 | [Extended Mode Additional Information] Quick Mode Filter ID |
References #
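The three "security associations were established" events above (4980, 4981, 4982) all carry the negotiated main mode parameters in MMCipherAlg, MMIntegrityAlg and DHGroup. The following is an added example, not code from this page or from Microsoft, that audits those fields and flags parameters a reviewer would not accept today (DES/3DES, MD5/SHA-1, MODP groups below 14). The literal renderings of the values ("AES-CBC 256", "DH Group 14") and all sample records are constructed; confirm the exact strings in the event's message text on a real host before relying on the regular expressions.

```python
"""Audit of negotiated IKE main mode parameters from Event IDs 4980-4982.
Added example, not part of the page.  Value strings and sample records are
constructed; the field names are the ones documented on this page."""
import re

MIN_MODP_GROUP = 14  # 2048-bit MODP; groups 1, 2 and 5 are 768/1024/1536-bit
WEAK_CIPHER_RE = re.compile(r"^\s*3?des\b", re.IGNORECASE)            # DES, 3DES, 3DES-CBC
WEAK_INTEGRITY_RE = re.compile(r"^\s*(md5|sha-?1)\b", re.IGNORECASE)  # MD5, SHA1, SHA-1

def dh_group_number(text):
    """Pull the numeric group out of strings such as "DH Group 2" or "Group 14"."""
    m = re.search(r"\d+", text or "")
    return int(m.group()) if m else None

def weak_parameters(event_data):
    """Return a list of human-readable problems for one event's crypto fields."""
    problems = []
    cipher = event_data.get("MMCipherAlg", "")
    integrity = event_data.get("MMIntegrityAlg", "")
    dh = event_data.get("DHGroup", "")
    if WEAK_CIPHER_RE.match(cipher):
        problems.append(f"cipher {cipher}")
    if WEAK_INTEGRITY_RE.match(integrity):
        problems.append(f"integrity {integrity}")
    group = dh_group_number(dh)
    if group is None:
        problems.append(f"unparseable DH group {dh!r}")
    elif group < MIN_MODP_GROUP:
        problems.append(f"DH group {group}")
    return problems

def audit_main_mode(records):
    """Scan 4980/4981/4982 records and report each SA that used weak parameters,
    keyed by host and remote peer so one noisy peer is easy to spot."""
    findings = []
    for rec in records:
        if rec["system"]["event_id"] not in (4980, 4981, 4982):
            continue
        data = rec["event_data"]
        problems = weak_parameters(data)
        if problems:
            findings.append({
                "host": rec["system"]["computer"],
                "remote": data.get("RemoteAddress"),
                "event_id": rec["system"]["event_id"],
                "auth": data.get("MMAuthMethod") or data.get("EMAuthMethod"),
                "problems": problems,
            })
    return findings

def make_sa_event(event_id, computer, remote, cipher, integrity, dh, auth="Certificate"):
    """Constructed record in the JSON shape used on this page (sample data only)."""
    return {"system": {"event_id": event_id, "computer": computer},
            "event_data": {"RemoteAddress": remote, "MMCipherAlg": cipher,
                           "MMIntegrityAlg": integrity, "DHGroup": dh, "MMAuthMethod": auth}}

SAMPLE_RECORDS = [
    make_sa_event(4980, "JD-DC01-2022.ludus.domain", "10.2.10.15", "AES-CBC 256", "SHA-256", "DH Group 14"),
    make_sa_event(4981, "JD-DC01-2022.ludus.domain", "10.2.10.99", "3DES", "SHA-1", "DH Group 2"),
    make_sa_event(4982, "LAB-DC01.ludus.domain", "10.2.10.40", "AES-CBC 128", "SHA1", "DH Group 19"),
    {"system": {"event_id": 4984, "computer": "LAB-DC01.ludus.domain"}, "event_data": {}},  # ignored
]

if __name__ == "__main__":
    for finding in audit_main_mode(SAMPLE_RECORDS):
        print(finding)
```

Group 19 passes the numeric threshold because it is ECP-256, not a small MODP group; the threshold only catches the legacy MODP groups 1, 2 and 5, which is the usual finding on hosts still carrying old connection security rules.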
Event ID 4983: An IPsec Extended Mode negotiation failed.
#Description
An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.
Message #
Fields #
| Name | Description |
|---|---|
LocalEMPrincipalName UnicodeString | [Local Endpoint] Principal Name |
LocalEMCertHash UnicodeString | [Local Certificate] SHA Thumbprint |
LocalEMIssuingCA UnicodeString | [Local Certificate] Issuing CA |
LocalEMRootCA UnicodeString | [Local Certificate] Root CA |
RemoteEMPrincipalName UnicodeString | [Remote Endpoint] Principal Name |
RemoteEMCertHash UnicodeString | [Remote Certificate] SHA Thumbprint |
RemoteEMIssuingCA UnicodeString | [Remote Certificate] Issuing CA |
RemoteEMRootCA UnicodeString | [Remote Certificate] Root CA |
LocalAddress UnicodeString | [Local Endpoint] Network Address |
LocalKeyModPort UInt32 | [Local Endpoint] Keying Module Port |
RemoteAddress UnicodeString | [Remote Endpoint] Network Address |
RemoteKeyModPort UInt32 | [Remote Endpoint] Keying Module Port |
FailurePoint UnicodeString | [Failure Information] Failure Point |
FailureReason UnicodeString | [Failure Information] Failure Reason (enumerated value) |
State UnicodeString | [Failure Information] State |
Role UnicodeString | [Additional Information] Role |
EMImpersonationState UnicodeString | [Additional Information] Impersonation State |
QMFilterID UInt64 | [Additional Information] Quick Mode Filter ID |
References #
Event ID 4984: An IPsec Extended Mode negotiation failed.
#Description
An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.
Message #
Fields #
| Name | Description |
|---|---|
LocalEMPrincipalName UnicodeString | [Local Endpoint] Principal Name |
RemoteEMPrincipalName UnicodeString | [Remote Endpoint] Principal Name |
LocalAddress UnicodeString | [Local Endpoint] Network Address |
LocalKeyModPort UInt32 | [Local Endpoint] Keying Module Port |
RemoteAddress UnicodeString | [Remote Endpoint] Network Address |
RemoteKeyModPort UInt32 | [Remote Endpoint] Keying Module Port |
FailurePoint UnicodeString | [Failure Information] Failure Point |
FailureReason UnicodeString | [Failure Information] Failure Reason (enumerated value) |
EMAuthMethod UnicodeString | [Additional Information] Authentication Method |
State UnicodeString | [Failure Information] State |
Role UnicodeString | [Additional Information] Role |
EMImpersonationState UnicodeString | [Additional Information] Impersonation State |
QMFilterID UInt64 | [Additional Information] Quick Mode Filter ID |
References #
Event ID 4985: The state of a transaction has changed.
#Description
This is an informational event from the file system Transaction Manager.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account through which the state of the transaction was changed. |
SubjectUserName UnicodeString | The name of the account that changed the state of the transaction. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
TransactionId GUID | Unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as "4656(S, F): A handle to an object was requested." |
NewState UInt32 | [Transaction Information] New State. |
ResourceManager GUID | Unique GUID-Identifier of the Resource Manager which associated with this transaction. |
ProcessId Pointer | Hexadecimal Process ID of the process through which the state of the transaction was changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. |
ProcessName UnicodeString | Full path and the name of the executable for the process. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4985,
"version": 0,
"level": 0,
"task": 12800,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T05:22:20.7831555+00:00",
"event_record_id": 2926202,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 180
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-C$",
"SubjectDomainName": "cell-c",
"SubjectLogonId": "0x3e7",
"TransactionId": "{93f34f5e-5b7d-11f1-965a-9db39466505c}",
"NewState": "52",
"ResourceManager": "{f140d9bc-e67e-11f0-809e-ad7f23ecb1e8}",
"ProcessId": "0x59c",
"ProcessName": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.20348.557_none_f1edaeb8515fa10d\\TiWorker.exe"
},
"message": "The state of a transaction has changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTransaction Information:\r\n\tRM Transaction ID:\t{93f34f5e-5b7d-11f1-965a-9db39466505c}\r\n\tNew State:\t\t52\r\n\tResource Manager:\t{f140d9bc-e67e-11f0-809e-ad7f23ecb1e8}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x59c\r\n\tProcess Name:\t\tC:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.20348.557_none_f1edaeb8515fa10d\\TiWorker.exe"
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4985
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4985
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4985.yml
Event ID 5024: The Windows Firewall Service has started successfully.
#Description
The Windows Firewall service started successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5024,
"version": 0,
"level": 0,
"task": 12292,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:32:57.9399842+00:00",
"event_record_id": 1717500,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 968
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "The Windows Firewall service started successfully."
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5024
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5024
Event ID 5025: The Windows Firewall Service has been stopped.
#Description
The Windows Firewall service was stopped.
Message #
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 5027: The Windows Firewall Service was unable to retrieve the security policy from the local storage.
#Description
The Windows Firewall service was unable to retrieve the security policy from the local storage. Windows Firewall will continue to enforce the current policy.
Message #
Fields #
| Name | Description |
|---|---|
ErrorCode UInt32 | Error Code. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5027
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5027.yml
Event ID 5028: The Windows Firewall Service was unable to parse the new security policy.
#Description
The Windows Firewall service was unable to parse the new security policy.
Message #
References #
Event ID 5029: The Windows Firewall Service failed to initialize the driver.
#Description
The Windows Firewall service failed to initialize the driver. Windows Firewall will continue to enforce the current policy.
Message #
Fields #
| Name | Description |
|---|---|
ErrorCode UInt32 | Error Code |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 5030: The Windows Firewall Service failed to start.
#Description
The Windows Firewall service failed to start.
Message #
Fields #
| Name | Description |
|---|---|
ErrorCode UInt32 | Error Code |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 5031: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
#Description
This event generates when an application was blocked from accepting incoming connections on the network by the Windows Filtering Platform. If no Windows Firewall rule (Allow or Deny) covers the application, the event comes from the Windows Filtering Platform layer, which denies all incoming connections by default.
Message #
Fields #
| Name | Description |
|---|---|
Profiles UnicodeString | Network profile(s) under which the application was blocked; a bitmask rendered as text (the example below shows "(null)" when none was recorded). |
Application UnicodeString | Full path and file name of executable file for blocked application. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5031,
"version": 0,
"level": 0,
"task": 12810,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2026-03-13T22:02:00.253205+00:00",
"event_record_id": 16477825,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 5688
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Profiles": "(null)",
"Application": "C:\\windows\\system32\\wbem\\wmiprvse.exe"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5031
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5031.yml
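The Profiles field is a bitmask and the page's own example shows it can also arrive as "(null)". The following is an added example, not code from this page or from Microsoft, that decodes the field and reduces a stream of 5031 records to the blocked listeners that are not expected Windows services. Assumptions: records use the JSON shape shown above; the profile bits follow the Windows NET_FW_PROFILE_TYPE2 values (Domain=1, Private=2, Public=4, 0x7FFFFFFF=All); the allowlist and every sample record except the page's wmiprvse.exe one are constructed.

```python
"""Triage of Event ID 5031 records: decode the Profiles bitmask and flag
blocked listeners that are not on an allowlist.  Added example, not part of
the page; allowlist and most sample records are constructed."""

PROFILE_BITS = {1: "Domain", 2: "Private", 4: "Public"}   # NET_FW_PROFILE_TYPE2 values
ALL_PROFILES = 0x7FFFFFFF                                   # NET_FW_PROFILE2_ALL

# Listeners a domain controller or workstation normally exposes (constructed allowlist).
EXPECTED_LISTENERS = {
    "c:\\windows\\system32\\wbem\\wmiprvse.exe",
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\lsass.exe",
    "c:\\windows\\system32\\spoolsv.exe",
}

def decode_profiles(raw):
    """Map the textual Profiles field to profile names.  The page's example
    shows "(null)" when the service recorded no profile, so that is 'Unknown'."""
    if raw is None or raw.strip().lower() in ("", "(null)"):
        return ["Unknown"]
    try:
        value = int(raw, 0)          # "3" and "0x3" both parse
    except ValueError:
        return [raw]                 # already a name, pass it through
    if value == ALL_PROFILES:
        return ["All"]
    names = [name for bit, name in PROFILE_BITS.items() if value & bit]
    return names or ["None"]

def triage_5031(records):
    """One finding per blocked application that is not on the allowlist, with
    the hosts and profiles it was blocked on and how many times."""
    by_app = {}
    for rec in records:
        if rec["system"]["event_id"] != 5031:
            continue
        data = rec["event_data"]
        app = data.get("Application", "").lower()
        entry = by_app.setdefault(app, {"application": app, "count": 0, "hosts": set(), "profiles": set()})
        entry["count"] += 1
        entry["hosts"].add(rec["system"]["computer"])
        entry["profiles"].update(decode_profiles(data.get("Profiles")))
    findings = []
    for app, entry in sorted(by_app.items()):
        if app in EXPECTED_LISTENERS:
            continue
        findings.append({**entry, "hosts": sorted(entry["hosts"]), "profiles": sorted(entry["profiles"])})
    return findings

def make_5031(computer, application, profiles):
    """Constructed record in the JSON shape shown on this page."""
    return {"system": {"event_id": 5031, "computer": computer},
            "event_data": {"Profiles": profiles, "Application": application}}

SAMPLE_RECORDS = [
    make_5031("LAB-DC01.ludus.domain", "C:\\windows\\system32\\wbem\\wmiprvse.exe", "(null)"),  # page example
    make_5031("LAB-WS01.ludus.domain", "C:\\Users\\Public\\listener.exe", "3"),                 # constructed
    make_5031("LAB-WS02.ludus.domain", "C:\\Users\\Public\\listener.exe", "4"),                 # constructed
    {"system": {"event_id": 5033, "computer": "LAB-DC01.ludus.domain"}, "event_data": {}},    # ignored
]

if __name__ == "__main__":
    for finding in triage_5031(SAMPLE_RECORDS):
        print(finding)
```

Grouping by path rather than by host is deliberate: an unexpected binary that tries to listen on several hosts is the case worth a ticket, and the host list in the finding gives the scope directly.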
Event ID 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
#Description
Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
Message #
Fields #
| Name | Description |
|---|---|
ErrorCode UInt32 | Error Code |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 5033: The Windows Firewall Driver has started successfully.
#Description
The Windows Firewall Driver started successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5033,
"version": 0,
"level": 0,
"task": 12292,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:32:57.3173818+00:00",
"event_record_id": 1716242,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 1048
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "The Windows Firewall Driver started successfully."
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5033
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5033
Event ID 5034: The Windows Firewall Driver has been stopped.
#Description
The Windows Firewall Driver was stopped.
Message #
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 5035: The Windows Firewall Driver failed to start.
#Description
The Windows Firewall Driver failed to start.
Message #
Fields #
| Name | Description |
|---|---|
ErrorCode UInt32 | Error Code |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 5037: The Windows Firewall Driver detected critical runtime error.
#Description
The Windows Firewall Driver detected a critical runtime error, terminating.
Message #
Fields #
| Name | Description |
|---|---|
ErrorCode UInt32 | Error Code |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 5038: Code integrity determined that the image hash of a file is not valid.
#Description
Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
param1 | File Name: NT device path of the image whose hash failed validation (see the example below) | 5 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5038,
"version": 0,
"level": 0,
"task": 12290,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2026-03-08T23:22:33.111223+00:00",
"event_record_id": 1559738,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 4964
},
"channel": "Security",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\145.0.3800.97\\prefs_enclave_x64.dll"
},
"message": ""
}
Detection Patterns #
Community Notes #
May indicate that malware has modified a signed driver or system file: 5038 reports a hash mismatch on a signed image, not merely a missing signature. As the description notes, the event also fires on benign disk corruption, so confirm the file's current signature and hash before escalating.
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
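The only payload of 5038 is the NT device path in param1, and the same file often fails repeatedly when the cause is corruption. The following is an added example, not code from this page or from Microsoft, that groups 5038 records by host and image, rewrites the \Device\HarddiskVolumeN prefix to a drive letter using a caller-supplied map, and separates images in protected directories from images in user-writable locations. The volume map and every sample record except the page's EdgeWebView path are constructed; on a live host the volume-to-letter mapping comes from the partition manager, not from this code.

```python
"""Triage of Event ID 5038 (image hash not valid).  Added example, not part of
the page; the volume map and most sample records are constructed."""
import re
from collections import defaultdict

DEVICE_RE = re.compile(r"^\\Device\\HarddiskVolume(\d+)(\\.*)$", re.IGNORECASE)
DEVICE_PREFIX_RE = re.compile(r"^\\device\\harddiskvolume\d+", re.IGNORECASE)

# Paths a standard user cannot write to.  A hash failure here is usually
# corruption; it still needs a look, but a failure for an image under a
# user-writable path is the stronger signal.
PROTECTED_PREFIXES = ("\\windows\\system32", "\\windows\\winsxs",
                      "\\program files (x86)", "\\program files")
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

def nt_to_win32(nt_path, volume_map):
    """\\Device\\HarddiskVolume4\\x -> C:\\x for volumes in the map; unknown
    volumes stay in NT form so nothing is silently attributed to the wrong disk."""
    m = DEVICE_RE.match(nt_path)
    if not m:
        return nt_path
    letter = volume_map.get(int(m.group(1)))
    return f"{letter}:{m.group(2)}" if letter else nt_path

def strip_root(path):
    """Drop 'C:' or '\\Device\\HarddiskVolumeN' so prefix checks work on either form."""
    p = path.lower()
    if len(p) > 1 and p[1] == ":":
        return p[2:]
    return DEVICE_PREFIX_RE.sub("", p)

def classify(path):
    rest = strip_root(path)
    if any(hint in rest for hint in USER_WRITABLE_HINTS):
        return "user-writable"
    if rest.startswith(PROTECTED_PREFIXES):
        return "protected"
    return "other"

def triage_5038(records, volume_map):
    """One row per (host, image) with the failure count and a severity:
    'high' for user-writable locations, 'review' for everything else."""
    counts = defaultdict(int)
    for rec in records:
        if rec["system"]["event_id"] != 5038:
            continue
        image = nt_to_win32(rec["event_data"]["param1"], volume_map)
        counts[(rec["system"]["computer"], image)] += 1
    rows = []
    for (host, image), n in sorted(counts.items()):
        location = classify(image)
        rows.append({"host": host, "image": image, "count": n, "location": location,
                     "severity": "high" if location == "user-writable" else "review"})
    return rows

def make_5038(computer, param1):
    """Constructed record in the JSON shape shown on this page."""
    return {"system": {"event_id": 5038, "computer": computer}, "event_data": {"param1": param1}}

EDGE_DLL = ("\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\EdgeWebView"
            "\\Application\\145.0.3800.97\\prefs_enclave_x64.dll")   # path from the page's example
VOLUME_MAP = {4: "C"}   # assumption: HarddiskVolume4 is the C: drive on LAB-WIN11
SAMPLE_RECORDS = [
    make_5038("LAB-WIN11.ludus.domain", EDGE_DLL),
    make_5038("LAB-WIN11.ludus.domain", EDGE_DLL),   # same file twice: the corruption pattern
    make_5038("LAB-WIN11.ludus.domain", "\\Device\\HarddiskVolume4\\Users\\jdoe\\AppData\\Local\\Temp\\upd.dll"),
    make_5038("LAB-SRV02.ludus.domain", "\\Device\\HarddiskVolume7\\Windows\\System32\\drivers\\sample.sys"),
]

if __name__ == "__main__":
    for row in triage_5038(SAMPLE_RECORDS, VOLUME_MAP):
        print(row)
```

The unmapped volume on LAB-SRV02 is kept in NT form on purpose; guessing a drive letter would make the finding look more certain than it is.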
Event ID 5039: A registry key was virtualized.
#Description
A registry key was virtualized.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
ObjectPath UnicodeString | [Object] Key Name |
ObjectVirtualPath UnicodeString | [Object] Virtual Key Name |
ProcessId Pointer | [Process Information] Process ID |
ProcessName UnicodeString | [Process Information] Process Name |
References #
Event ID 5040: A change has been made to IPsec settings. An Authentication Set was added.
#Description
A change was made to IPsec settings. An authentication set was added.
Message #
Fields #
| Name | Description |
|---|---|
ProfileChanged UnicodeString | Profile Changed (enumerated value) |
AuthenticationSetId UnicodeString | [Added Authentication Set] ID |
AuthenticationSetName UnicodeString | [Added Authentication Set] Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5040,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-30T02:02:49.7431736+00:00",
"event_record_id": 22244663,
"correlation": {
"ActivityID": "{4EF7F6F1-F070-4190-A66F-D8BD2C190922}"
},
"execution": {
"process_id": 1000,
"thread_id": 12780
},
"channel": "Security",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileChanged": "All",
"AuthenticationSetId": "{013759fa-9005-463f-958c-4cb70474217f}",
"AuthenticationSetName": "WFPCAT-P1Auth"
},
"message": "A change was made to IPsec settings. An authentication set was added.\r\n\t\r\nProfile Changed:\t\tAll\r\n\r\nAdded Authentication Set:\r\n\tID:\t\t\t{013759fa-9005-463f-958c-4cb70474217f}\r\n\tName:\t\t\tWFPCAT-P1Auth"
}
References #
Event ID 5041: A change has been made to IPsec settings. An Authentication Set was modified.
#Description
A change was made to IPsec settings. An authentication set was modified.
Message #
Fields #
| Name | Description |
|---|---|
ProfileChanged UnicodeString | Profile Changed (enumerated value) |
AuthenticationSetId UnicodeString | [Modified Authentication Set] ID |
AuthenticationSetName UnicodeString | [Modified Authentication Set] Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5042: A change has been made to IPsec settings. An Authentication Set was deleted.
#Description
A change was made to IPsec settings. An authentication set was deleted.
Message #
Fields #
| Name | Description |
|---|---|
ProfileChanged UnicodeString | Profile Changed (enumerated value) |
AuthenticationSetId UnicodeString | [Deleted Authentication Set] ID |
AuthenticationSetName UnicodeString | [Deleted Authentication Set] Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5042,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-30T02:02:52.9127084+00:00",
"event_record_id": 22245177,
"correlation": {
"ActivityID": "{E3860C49-4A17-4CCD-BFBE-7C55FD0600FA}"
},
"execution": {
"process_id": 1000,
"thread_id": 12548
},
"channel": "Security",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileChanged": "All",
"AuthenticationSetId": "{013759fa-9005-463f-958c-4cb70474217f}",
"AuthenticationSetName": "WFPCAT-P1Auth"
},
"message": "A change was made to IPsec settings. An authentication set was deleted.\r\n\t\r\nProfile Changed:\t\tAll\r\n\r\nDeleted Authentication Set:\r\n\tID:\t\t\t{013759fa-9005-463f-958c-4cb70474217f}\r\n\tName:\t\t\tWFPCAT-P1Auth"
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5043: A change has been made to IPsec settings. A Connection Security Rule was added.
#Description
A change was made to IPsec settings. A connection security rule was added.
Message #
Fields #
| Name | Description |
|---|---|
ProfileChanged UnicodeString | Profile Changed (enumerated value) |
ConnectionSecurityRuleId UnicodeString | [Added Connection Security Rule] ID |
ConnectionSecurityRuleName UnicodeString | [Added Connection Security Rule] Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5043,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:18:50.849068+00:00",
"event_record_id": 16258903,
"correlation": {
"ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
},
"execution": {
"process_id": 968,
"thread_id": 8880
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileChanged": "All",
"ConnectionSecurityRuleId": "{381d54cc-2531-403f-a16e-a1703049dcb4}",
"ConnectionSecurityRuleName": "EvtGen-IPsec-Test"
},
"message": ""
}
References #
Event ID 5044: A change has been made to IPsec settings. A Connection Security Rule was modified.
#Description
A change was made to IPsec settings. A connection security rule was modified.
Message #
Fields #
| Name | Description |
|---|---|
ProfileChanged UnicodeString | Profile Changed (enumerated value) |
ConnectionSecurityRuleId UnicodeString | [Modified Connection Security Rule] ID |
ConnectionSecurityRuleName UnicodeString | [Modified Connection Security Rule] Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5044,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-30T02:02:49.6831207+00:00",
"event_record_id": 22244187,
"correlation": {
"ActivityID": "{093FEE7B-3CD4-4D42-AC5D-E3AB9B23E8EF}"
},
"execution": {
"process_id": 1000,
"thread_id": 12780
},
"channel": "Security",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileChanged": "All",
"ConnectionSecurityRuleId": "{e88185b9-b2ad-4073-83c9-6e4038b99ccc}",
"ConnectionSecurityRuleName": "WFPCAT-ConnSec-Transport"
},
"message": "A change was made to IPsec settings. A connection security rule was modified.\r\n\t\r\nProfile Changed:\tAll\r\n\r\nModified Connection Security Rule:\r\n\tID:\t\t\t{e88185b9-b2ad-4073-83c9-6e4038b99ccc}\r\n\tName:\t\t\tWFPCAT-ConnSec-Transport"
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5045: A change has been made to IPsec settings. A Connection Security Rule was deleted.
#Description
A change was made to IPsec settings. A connection security rule was deleted.
Message #
Fields #
| Name | Description |
|---|---|
ProfileChanged UnicodeString | Profile Changed (enumerated value) |
ConnectionSecurityRuleId UnicodeString | [Deleted Connection Security Rule] ID |
ConnectionSecurityRuleName UnicodeString | [Deleted Connection Security Rule] Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5045,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:19:58.877712+00:00",
"event_record_id": 16285930,
"correlation": {
"ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
},
"execution": {
"process_id": 968,
"thread_id": 1100
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileChanged": "All",
"ConnectionSecurityRuleId": "{381d54cc-2531-403f-a16e-a1703049dcb4}",
"ConnectionSecurityRuleName": "EvtGen-IPsec-Test"
},
"message": ""
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5046: A change has been made to IPsec settings. A Crypto Set was added.
#Description
A change was made to IPsec settings. A crypto set was added.
Message #
Fields #
| Name | Description |
|---|---|
ProfileChanged UnicodeString | Profile Changed (enumerated value) |
CryptographicSetId UnicodeString | [Added Crypto Set] ID |
CryptographicSetName UnicodeString | [Added Crypto Set] Name |
References #
Event ID 5047: A change has been made to IPsec settings. A Crypto Set was modified.
#Description
A change was made to IPsec settings. A crypto set was modified.
Message #
Fields #
| Name | Description |
|---|---|
ProfileChanged UnicodeString | Profile Changed Known values
|
CryptographicSetId UnicodeString | [Modified Crypto Set] ID |
CryptographicSetName UnicodeString | [Modified Crypto Set] Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5048: A change has been made to IPsec settings. A Crypto Set was deleted.
#Description
A change was made to IPsec settings. A crypto set was deleted.
Message #
Fields #
| Name | Description |
|---|---|
ProfileChanged UnicodeString | Profile Changed (enumerated value) |
CryptographicSetId UnicodeString | [Deleted Crypto Set] ID |
CryptographicSetName UnicodeString | [Deleted Crypto Set] Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
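Events 5040 through 5048 come in add/modify/delete triples that share an object ID, and the page's own examples show an authentication set (WFPCAT-P1Auth) added by 5040 and deleted by 5042 about three seconds later. The following is an added example, not code from this page or from Microsoft, that pairs adds and deletes across all three object kinds by (host, kind, ID) and reports objects that lived only briefly, plus deletes with no add on record. The event shape follows this page; the sample set reuses the page's 5040/5042 and 5043/5045 records and adds constructed ones marked below. Timestamps are assumed to be UTC, as in the examples.

```python
"""Pair IPsec policy-change events (5040-5048) by object ID.  Added example,
not part of the page; constructed records are marked in SAMPLE_RECORDS."""
import re
from datetime import datetime, timedelta, timezone

# event id -> (object kind, ID field, Name field, action)
POLICY_EVENTS = {
    5040: ("AuthenticationSet", "AuthenticationSetId", "AuthenticationSetName", "added"),
    5041: ("AuthenticationSet", "AuthenticationSetId", "AuthenticationSetName", "modified"),
    5042: ("AuthenticationSet", "AuthenticationSetId", "AuthenticationSetName", "deleted"),
    5043: ("ConnectionSecurityRule", "ConnectionSecurityRuleId", "ConnectionSecurityRuleName", "added"),
    5044: ("ConnectionSecurityRule", "ConnectionSecurityRuleId", "ConnectionSecurityRuleName", "modified"),
    5045: ("ConnectionSecurityRule", "ConnectionSecurityRuleId", "ConnectionSecurityRuleName", "deleted"),
    5046: ("CryptographicSet", "CryptographicSetId", "CryptographicSetName", "added"),
    5047: ("CryptographicSet", "CryptographicSetId", "CryptographicSetName", "modified"),
    5048: ("CryptographicSet", "CryptographicSetId", "CryptographicSetName", "deleted"),
}

TS_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|\+00:00)?$")

def parse_time(ts):
    """Parse the channel's 7-digit fractional timestamps (fromisoformat on
    older Pythons accepts at most 6 digits).  Only UTC renderings are accepted."""
    m = TS_RE.match(ts)
    if not m:
        raise ValueError(f"unsupported timestamp: {ts}")
    base, frac, _ = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))
    return datetime.fromisoformat(base).replace(microsecond=micro, tzinfo=timezone.utc)

def short_lived_objects(records, window_seconds=300):
    """Walk events in time order.  An add followed by a delete of the same
    (host, kind, id) within the window is one finding; a delete with no prior
    add (creation predates the log window, or the add was purged) is another."""
    window = timedelta(seconds=window_seconds)
    pending = {}   # (host, kind, id) -> time of the add
    findings = []
    for rec in sorted(records, key=lambda r: parse_time(r["system"]["time_created"])):
        spec = POLICY_EVENTS.get(rec["system"]["event_id"])
        if spec is None:
            continue
        kind, id_field, name_field, action = spec
        data = rec["event_data"]
        key = (rec["system"]["computer"], kind, data[id_field].lower())
        when = parse_time(rec["system"]["time_created"])
        if action == "added":
            pending[key] = when
        elif action == "deleted":
            added_at = pending.pop(key, None)
            base = {"host": key[0], "kind": kind, "id": key[2], "name": data.get(name_field)}
            if added_at is None:
                findings.append({**base, "lifetime_s": None, "note": "deleted without an observed add"})
            elif when - added_at <= window:
                findings.append({**base, "lifetime_s": (when - added_at).total_seconds(),
                                 "note": "added then deleted"})
    return findings

def make_event(event_id, computer, time_created, **event_data):
    return {"system": {"event_id": event_id, "computer": computer, "time_created": time_created},
            "event_data": event_data}

DC = "JD-DC01-2022.ludus.domain"
LAB = "LAB-DC01.ludus.domain"
SAMPLE_RECORDS = [
    # from the page's 5040 / 5042 examples
    make_event(5040, DC, "2026-05-30T02:02:49.7431736+00:00", ProfileChanged="All",
               AuthenticationSetId="{013759fa-9005-463f-958c-4cb70474217f}", AuthenticationSetName="WFPCAT-P1Auth"),
    make_event(5042, DC, "2026-05-30T02:02:52.9127084+00:00", ProfileChanged="All",
               AuthenticationSetId="{013759fa-9005-463f-958c-4cb70474217f}", AuthenticationSetName="WFPCAT-P1Auth"),
    # from the page's 5043 / 5045 examples
    make_event(5043, LAB, "2026-03-13T20:18:50.849068+00:00", ProfileChanged="All",
               ConnectionSecurityRuleId="{381d54cc-2531-403f-a16e-a1703049dcb4}", ConnectionSecurityRuleName="EvtGen-IPsec-Test"),
    make_event(5045, LAB, "2026-03-13T20:19:58.877712+00:00", ProfileChanged="All",
               ConnectionSecurityRuleId="{381d54cc-2531-403f-a16e-a1703049dcb4}", ConnectionSecurityRuleName="EvtGen-IPsec-Test"),
    # constructed: a crypto set that stays, and a deletion with no add on record
    make_event(5046, DC, "2026-05-30T02:02:49.9000000+00:00", ProfileChanged="All",
               CryptographicSetId="{11111111-2222-3333-4444-555555555555}", CryptographicSetName="Example-Crypto"),
    make_event(5048, LAB, "2026-03-13T20:21:00.0000000+00:00", ProfileChanged="All",
               CryptographicSetId="{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}", CryptographicSetName="Unknown-Crypto"),
]

if __name__ == "__main__":
    for finding in short_lived_objects(SAMPLE_RECORDS):
        print(finding)
```

Both add-then-delete pairs in the sample come from test tooling (the names say so), which is exactly the benign case this pairing is meant to separate from a policy object someone inserts, uses and removes; the orphan delete is the one that needs the earlier log retrieved.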
Event ID 5049: An IPsec Security Association was deleted.
#Description
An IPsec security association was deleted.
Message #
Fields #
| Name | Description |
|---|---|
ProfileChanged UnicodeString | Profile Changed (enumerated value) |
IpSecSecurityAssociationId UnicodeString | [Deleted SA] ID |
IpSecSecurityAssociationName UnicodeString | [Deleted SA] Name |
References #
Event ID 5050: An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE) interface was rejected.
#Description
An attempt to programmatically disable Windows Firewall using a call to the INetFwProfile.FirewallEnabled(FALSE) interface was rejected because this API is not supported on this version of Windows. This is most likely due to a program that is incompatible with this version of Windows; contact the program's manufacturer to make sure you have a compatible program version.
Message #
Error Code: E_NOTIMPL
Caller Process Name: CallerProcessName
Process Id: ProcessId
Publisher: Publisher
Fields #
| Name | Description |
|---|---|
CallerProcessName UnicodeString | Caller Process Name |
ProcessId UInt32 | Process Id |
Publisher UnicodeString | Publisher |
References #
Event ID 5051: A file was virtualized.
#Description
This event should be generated when a file was virtualized using LUAFV. It occurs very rarely during standard LUAFV file virtualization. There is no example of this event in this document.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | The name of the account that performed the operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| FileName | UnicodeString | The name of the file or folder that the virtualized file name refers to. |
| VirtualFileName | UnicodeString | Full path name with the virtualized file name. |
| ProcessId | Pointer | [Process Information] Process ID. |
| ProcessName | UnicodeString | [Process Information] Process Name. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5051
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5051.yml
Event ID 5056: A cryptographic self test was performed.
#Description
A cryptographic self test was performed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| Module | UnicodeString | Module |
| ReturnCode | HexInt32 | Return Code |
References #
Event ID 5057: A cryptographic primitive operation failed.
#Description
A cryptographic primitive operation failed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ProviderName | UnicodeString | [Cryptographic Parameters] Provider Name |
| AlgorithmName | UnicodeString | [Cryptographic Parameters] Algorithm Name |
| Reason | UnicodeString | [Failure Information] Reason |
| ReturnCode | HexInt32 | [Failure Information] Return Code |
References #
Event ID 5058: Key file operation.
#Description
This event generates when an operation (read, write, delete, and so on) was performed on a file that contains a KSP key by using a Key Storage Provider.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| SubjectUserSid | SID | SID of the account that requested the key file operation. | |
| SubjectUserName | UnicodeString | The name of the account that requested the key file operation. | |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. | |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
| ClientProcessId | UInt32 | [Process Information] Process ID. | |
| ClientCreationTime | FILETIME | [Process Information] Process Creation Time. | |
| ProviderName | UnicodeString | [Cryptographic Parameters] Provider Name. | |
| AlgorithmName | UnicodeString | The name of the cryptographic algorithm through which the key was used or accessed. | |
| KeyName | UnicodeString | The name of the key (key container) on which the operation was performed. | 1 |
| KeyType | UnicodeString | One of "User key." (the user's cryptographic key) or "Machine key." (the machine's cryptographic key). (known values) | |
| KeyFilePath | UnicodeString | Full path and filename of the key file on which the operation was performed. | |
| Operation | UnicodeString | [Key File Operation Information] Operation (known values). | 2 |
| ReturnCode | HexInt32 | [Key File Operation Information] Return Code. | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5058,
"version": 1,
"level": 0,
"task": 12292,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:33:58.4413971+00:00",
"event_record_id": 1724258,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 3340
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-19",
"SubjectUserName": "LOCAL SERVICE",
"SubjectDomainName": "NT AUTHORITY",
"SubjectLogonId": "0x3e5",
"ClientProcessId": "3608",
"ClientCreationTime": "2026-05-29T16:33:58.2219741Z",
"ProviderName": "Microsoft Software Key Storage Provider",
"AlgorithmName": "UNKNOWN",
"KeyName": "Microsoft Connected Devices Platform device certificate",
"KeyType": "%%2500",
"KeyFilePath": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\de7cf8a7901d2ad13e5c67c29e5d1662_8a99384c-f40f-46dc-9dc2-13adf38045d6",
"Operation": "%%2458",
"ReturnCode": "0x0"
},
"message": "Key file operation.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tLOCAL SERVICE\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E5\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t3608\r\n\tProcess Creation Time:\t2026-05-29T16:33:58.221974100Z\r\n\r\nCryptographic Parameters:\r\n\tProvider Name:\tMicrosoft Software Key Storage Provider\r\n\tAlgorithm Name:\tUNKNOWN\r\n\tKey Name:\tMicrosoft Connected Devices Platform device certificate\r\n\tKey Type:\tUser key.\r\n\r\nKey File Operation Information:\r\n\tFile Path:\tC:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\de7cf8a7901d2ad13e5c67c29e5d1662_8a99384c-f40f-46dc-9dc2-13adf38045d6\r\n\tOperation:\tRead persisted key from file.\r\n\tReturn Code:\t0x0"
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| @Name | eq | KeyName | 1 rule | kusto |
| @Name | eq | SubjectUserName | 1 rule | kusto |
| Computer | contains | <your ca machine name> | 1 rule | kusto |
| EventData | contains | %%2499 | 1 rule | kusto |
Detection Rules #
Kusto #
- Certified Pre-Owned - backup of CA private key - rule 1 [medium]: This query identifies someone who performs a read operation of the CA key from the file.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5058
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5058
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5058.yml
Event ID 5059: Key migration operation.
#Description
This event generates when a cryptographic key is exported or imported using a Key Storage Provider.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | SID of the account that requested the key migration operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the key migration operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| ClientProcessId | UInt32 | [Process Information] Process ID. |
| ClientCreationTime | FILETIME | [Process Information] Process Creation Time. |
| ProviderName | UnicodeString | [Cryptographic Parameters] Provider Name. |
| AlgorithmName | UnicodeString | The name of the cryptographic algorithm through which the key was used or accessed. |
| KeyName | UnicodeString | The name of the key (key container) on which the operation was performed. |
| KeyType | UnicodeString | One of "User key." (the user's cryptographic key) or "Machine key." (the machine's cryptographic key). (known values) |
| Operation | UnicodeString | [Additional Information] Operation (known values). |
| ReturnCode | HexInt32 | [Additional Information] Return Code. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5059,
"version": 1,
"level": 0,
"task": 12292,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:33:58.4424696+00:00",
"event_record_id": 1724260,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 3340
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-19",
"SubjectUserName": "LOCAL SERVICE",
"SubjectDomainName": "NT AUTHORITY",
"SubjectLogonId": "0x3e5",
"ClientProcessId": "3608",
"ClientCreationTime": "2026-05-29T16:33:58.2219741Z",
"ProviderName": "Microsoft Software Key Storage Provider",
"AlgorithmName": "ECDSA_P256",
"KeyName": "Microsoft Connected Devices Platform device certificate",
"KeyType": "%%2500",
"Operation": "%%2464",
"ReturnCode": "0x0"
},
"message": "Key migration operation.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tLOCAL SERVICE\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E5\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t3608\r\n\tProcess Creation Time:\t2026-05-29T16:33:58.221974100Z\r\n\r\nCryptographic Parameters:\r\n\tProvider Name:\tMicrosoft Software Key Storage Provider\r\n\tAlgorithm Name:\tECDSA_P256\r\n\tKey Name:\tMicrosoft Connected Devices Platform device certificate\r\n\tKey Type:\tUser key.\r\n\r\nAdditional Information:\r\n\tOperation:\tExport of persistent cryptographic key.\r\n\tReturn Code:\t0x0"
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| @Name | eq | KeyName | 1 rule | kusto |
| @Name | eq | SubjectUserName | 1 rule | kusto |
| Computer | contains | <your ca machine name> | 1 rule | kusto |
| EventData | contains | %%2499 | 1 rule | kusto |
Detection Rules #
Kusto #
- Certified Pre-Owned - backup of CA private key - rule 2 [medium]: This query identifies someone who performs a backup of the CA key.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5059
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5059
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5059.yml
Event ID 5060: Verification operation failed.
#Description
Verification operation failed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ProviderName | UnicodeString | [Cryptographic Parameters] Provider Name |
| AlgorithmName | UnicodeString | [Cryptographic Parameters] Algorithm Name |
| KeyName | UnicodeString | [Cryptographic Parameters] Key Name |
| KeyType | UnicodeString | [Cryptographic Parameters] Key Type (known values) |
| Reason | UnicodeString | [Failure Information] Reason |
| ReturnCode | HexInt32 | [Failure Information] Return Code |
References #
Event ID 5061: Cryptographic operation.
#Description
This event generates when a cryptographic operation (open key, create key, and so on) was performed using a Key Storage Provider.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | SID of the account that requested the cryptographic operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the cryptographic operation. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| ProviderName | UnicodeString | [Cryptographic Parameters] Provider Name. |
| AlgorithmName | UnicodeString | The name of the cryptographic algorithm through which the key was used or accessed. |
| KeyName | UnicodeString | The name of the key (key container) on which the operation was performed. |
| KeyType | UnicodeString | One of "User key." (the user's cryptographic key) or "Machine key." (the machine's cryptographic key). (known values) |
| Operation | UnicodeString | [Cryptographic Operation] Operation (known values). |
| ReturnCode | HexInt32 | [Cryptographic Operation] Return Code. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5061,
"version": 0,
"level": 0,
"task": 12290,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:08:49.1906527+00:00",
"event_record_id": 2148882,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 6396
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-A$",
"SubjectDomainName": "cell-a",
"SubjectLogonId": "0x3e7",
"ProviderName": "Microsoft Software Key Storage Provider",
"AlgorithmName": "RSA",
"KeyName": "tp-22ce7e87-6a77-4441-ba6b-fd53228e1f4d",
"KeyType": "%%2499",
"Operation": "%%2480",
"ReturnCode": "0x0"
},
"message": "Cryptographic operation.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nCryptographic Parameters:\r\n\tProvider Name:\tMicrosoft Software Key Storage Provider\r\n\tAlgorithm Name:\tRSA\r\n\tKey Name:\ttp-22ce7e87-6a77-4441-ba6b-fd53228e1f4d\r\n\tKey Type:\tMachine key.\r\n\r\nCryptographic Operation:\r\n\tOperation:\tOpen Key.\r\n\tReturn Code:\t0x0"
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5061
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5061
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5061.yml
Event ID 5062: A kernel-mode cryptographic self test was performed.
Event ID 5063: A cryptographic provider operation was attempted.
#Description
A cryptographic provider operation was attempted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | UInt64 | [Subject] Logon ID |
| ProviderName | UnicodeString | [Cryptographic Provider] Name |
| ModuleName | UnicodeString | [Cryptographic Provider] Module |
| Operation | UnicodeString | Operation (known values) |
| ReturnCode | UInt32 | Return Code |
References #
Event ID 5064: A cryptographic context operation was attempted.
#Description
A cryptographic context operation was attempted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | UInt64 | [Subject] Logon ID |
| Scope | UnicodeString | [Configuration Parameters] Scope |
| ContextName | UnicodeString | [Configuration Parameters] Context |
| Operation | UnicodeString | Operation (known values) |
| ReturnCode | UInt32 | Return Code |
References #
Event ID 5065: A cryptographic context modification was attempted.
#Description
A cryptographic context modification was attempted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | UInt64 | [Subject] Logon ID |
| Scope | UnicodeString | [Configuration Parameters] Scope |
| ContextName | UnicodeString | [Configuration Parameters] Context |
| OldValue | UInt32 | [Change Information] Old Value |
| NewValue | UInt32 | [Change Information] New Value |
| ReturnCode | UInt32 | Return Code |
References #
Event ID 5066: A cryptographic function operation was attempted.
#Description
A cryptographic function operation was attempted.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId UInt64 | [Subject] Logon ID |
Scope UnicodeString | [Configuration Parameters] Scope |
ContextName UnicodeString | [Configuration Parameters] Context |
InterfaceId UnicodeString | [Configuration Parameters] Interface |
FunctionName UnicodeString | [Configuration Parameters] Function |
Position UInt32 | [Configuration Parameters] Position |
Operation UnicodeString | Operation Known values
|
ReturnCode UInt32 | Return Code |
References #
Event ID 5067: A cryptographic function modification was attempted.
#Description
A cryptographic function modification was attempted.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId UInt64 | [Subject] Logon ID |
Scope UnicodeString | [Configuration Parameters] Scope |
ContextName UnicodeString | [Configuration Parameters] Context |
InterfaceId UnicodeString | [Configuration Parameters] Interface |
FunctionName UnicodeString | [Configuration Parameters] Function |
OldValue UInt32 | [Change Information] Old Value |
NewValue UInt32 | [Change Information] New Value |
ReturnCode UInt32 | Return Code |
References #
Event ID 5068: A cryptographic function provider operation was attempted.
#Description
A cryptographic function provider operation was attempted.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId UInt64 | [Subject] Logon ID |
Scope UnicodeString | [Configuration Parameters] Scope |
ContextName UnicodeString | [Configuration Parameters] Context |
InterfaceId UnicodeString | [Configuration Parameters] Interface |
FunctionName UnicodeString | [Configuration Parameters] Function |
ProviderName UnicodeString | [Configuration Parameters] Provider |
Position UInt32 | [Configuration Parameters] Position |
Operation UnicodeString | Operation Known values
|
ReturnCode UInt32 | Return Code |
References #
Event ID 5069: A cryptographic function property operation was attempted.
#Description
A cryptographic function property operation was attempted.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId UInt64 | [Subject] Logon ID |
Scope UnicodeString | [Configuration Parameters] Scope |
ContextName UnicodeString | [Configuration Parameters] Context |
InterfaceId UnicodeString | [Configuration Parameters] Interface |
FunctionName UnicodeString | [Configuration Parameters] Function |
PropertyName UnicodeString | [Configuration Parameters] Property |
Operation UnicodeString | Operation Known values
|
Value UnicodeString | Value |
ReturnCode UInt32 | Return Code |
References #
Event ID 5070: A cryptographic function property modification was attempted.
#Description
A cryptographic function property modification was attempted.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId UInt64 | [Subject] Logon ID |
Scope UnicodeString | [Configuration Parameters] Scope |
ContextName UnicodeString | [Configuration Parameters] Context |
InterfaceId UnicodeString | [Configuration Parameters] Interface |
FunctionName UnicodeString | [Configuration Parameters] Function |
PropertyName UnicodeString | [Configuration Parameters] Property |
OldValue UnicodeString | [Change Information] Old Value |
NewValue UnicodeString | [Change Information] New Value |
ReturnCode UInt32 | Return Code |
References #
Event ID 5071: Key access denied by Microsoft key distribution service.
#Description
Key access denied by Microsoft key distribution service.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| SecurityDescriptor | UnicodeString | Security Descriptor |
Event ID 5120: OCSP Responder Service Started.
#Description
OCSP Responder Service Started.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5120,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2020-07-11T09:20:46.158376Z",
"event_record_id": 1207920,
"correlation": {
"#attributes": {
"ActivityID": "2FEE2C3A-4F79-0001-502C-EE2F794FD601"
}
},
"execution": {
"process_id": 576,
"thread_id": 3212
},
"channel": "Security",
"computer": "pki01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {}
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5121: OCSP Responder Service Stopped.
#Description
OCSP Responder Service Stopped.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5121,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2020-07-11T09:20:43.401378Z",
"event_record_id": 1207901,
"correlation": {
"#attributes": {
"ActivityID": "2FEE2C3A-4F79-0001-502C-EE2F794FD601"
}
},
"execution": {
"process_id": 576,
"thread_id": 3212
},
"channel": "Security",
"computer": "pki01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {}
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5122: A Configuration entry changed in the OCSP Responder Service.
#Description
A Configuration entry changed in the OCSP Responder Service.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| CAConfigurationId | UnicodeString | CA Configuration ID |
| NewValue | UnicodeString | New Value |
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | Account name of the subject. |
| SubjectDomainName | UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId | HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
References #
Event ID 5123: A configuration entry changed in the OCSP Responder Service.
#Description
A configuration entry changed in the OCSP Responder Service.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
PropertyName UnicodeString | Property Name | 1 |
NewValue UnicodeString | New Value | |
SubjectUserSid SID | SID of the account that performed the operation. | |
SubjectUserName UnicodeString | Account name of the subject. | |
SubjectDomainName UnicodeString | Domain or machine name of the subject account. | |
SubjectLogonId HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5123,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2020-07-11T09:21:24.702958Z",
"event_record_id": 1207931,
"correlation": {
"#attributes": {
"ActivityID": "2FEE2C3A-4F79-0001-502C-EE2F794FD601"
}
},
"execution": {
"process_id": 576,
"thread_id": 3544
},
"channel": "Security",
"computer": "pki01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"PropertyName": "MaxNumOfCacheEntries",
"NewValue": "5000",
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"SubjectUserName": "admmig",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x477ac56"
}
}
Detection Rules #
Sigma #
- OCSP responder auditing settings changed or disabled [high]: Detects scenarios where an attacker would attempt to alter or disable OCSP responder auditing settings to evade detection and perform further escalation via ADCS vulnerabilities.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5123
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5124: A security setting was updated on OCSP Responder Service.
#Description
A security setting was updated on OCSP Responder Service.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| NewSecuritySettings | UnicodeString | New Value |
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | Account name of the subject. |
| SubjectDomainName | UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId | HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5124,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2020-07-11T09:21:50.109681Z",
"event_record_id": 1207947,
"correlation": {
"#attributes": {
"ActivityID": "2FEE2C3A-4F79-0001-502C-EE2F794FD601"
}
},
"execution": {
"process_id": 576,
"thread_id": 3544
},
"channel": "Security",
"computer": "pki01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"NewSecuritySettings": "\nAllow(0x00000101)\tBUILTIN\\Administrators\n\tOCSP Administrator\n\tRead\nAllow(0x00000300)\tIIS APPPOOL\\OCSPISAPIAppPool\n\tRead\n\tOCSP Requestor\n",
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"SubjectUserName": "admmig",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x477ac56"
}
}
Detection Rules #
Sigma #
- OCSP responder security settings changed [high]: Detects scenarios where an attacker would attempt to escalate privileges by changing the security settings of the responder.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5124
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5125: A request was submitted to OCSP Responder Service.
#Description
A request was submitted to OCSP Responder Service.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SerialNumber | UnicodeString | Certificate Serial Number |
| CAName | UnicodeString | Issuer CA Name |
| Status | UnicodeString | Revocation Status (NTSTATUS reference) |
| SubjectUserSid | SID | SID of the account that performed the operation. |
| SubjectUserName | UnicodeString | Account name of the subject. |
| SubjectDomainName | UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId | HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
Event ID 5126: Signing Certificate was automatically updated by the OCSP Responder Service.
Event ID 5127: The OCSP Revocation Provider successfully updated the revocation information.
#Description
The OCSP Revocation Provider successfully updated the revocation information.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| CAConfigurationId | UnicodeString | CA Configuration ID |
| BaseCRLNumber | UnicodeString | Base CRL Number |
| BaseCRLThisUpdate | UnicodeString | Base CRL This Update |
| BaseCRLHash | UnicodeString | Base CRL Hash |
| DeltaCRLNumber | UnicodeString | Delta CRL Number |
| DeltaCRLIndicator | UnicodeString | Delta CRL Indicator |
| DeltaCRLThisUpdate | UnicodeString | Delta CRL This Update |
| DeltaCRLHash | UnicodeString | Delta CRL Hash |
References #
Event ID 5136: A directory service object was modified.
#Description
This event generates every time an Active Directory object is modified.
Message #
Fields #
| Name | Type | Description | Rules |
|---|---|---|---|
| OpCorrelationID | GUID | [Operation] Correlation ID. Multiple modifications are often executed as one operation via LDAP; this ID ties the resulting events together. | |
| AppCorrelationID | UnicodeString | [Operation] Application Correlation ID. | |
| SubjectUserSid | SID | SID of the account that requested the "modify object" operation. | |
| SubjectUserName | UnicodeString | The name of the account that requested the "modify object" operation. | 8 |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. | |
| SubjectLogonId | HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | |
| DSName | UnicodeString | The name of the Active Directory domain where the modified object is located. | |
| DSType | UnicodeString | Has the value "Active Directory Domain Services" for this event. (known values) | 1 |
| ObjectDN | UnicodeString | Distinguished name of the object that was modified. | 10 |
| ObjectGUID | GUID | Each Active Directory object has a globally unique identifier (GUID), a 128-bit value that is unique not only in the enterprise but also across the world. | 4 |
| ObjectClass | UnicodeString | Class of the object that was modified. | 39 |
| AttributeLDAPDisplayName | UnicodeString | [Attribute] LDAP Display Name. | 46 |
| AttributeSyntaxOID | UnicodeString | The syntax for an attribute defines the storage representation, byte ordering, and matching rules for comparisons of property types. | |
| AttributeValue | UnicodeString | The value that was added or deleted, depending on the Operation\Type field. | 27 |
| OperationType | UnicodeString | [Operation] Type (known values). | 43 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5136,
"version": 0,
"level": 0,
"task": 14081,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2019-03-25T10:33:56.457629Z",
"event_record_id": 198238043,
"correlation": {},
"execution": {
"process_id": 444,
"thread_id": 3488
},
"channel": "Security",
"computer": "DC1.insecurebank.local",
"security": {
"user_id": ""
}
},
"event_data": {
"OpCorrelationID": "780EA6E1-6307-48D6-8B0D-8C45CC7534AE",
"AppCorrelationID": "-",
"SubjectUserSid": "S-1-5-21-738609754-2819869699-4189121830-1108",
"SubjectUserName": "bob",
"SubjectDomainName": "insecurebank",
"SubjectLogonId": "0x8d7099",
"DSName": "insecurebank.local",
"DSType": "%%14676",
"ObjectDN": "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=INSECUREBANK,DC=LOCAL",
"ObjectGUID": "6CDECDB5-7515-4511-8141-C34A7C3D4A0A",
"ObjectClass": "groupPolicyContainer",
"AttributeLDAPDisplayName": "versionNumber",
"AttributeSyntaxOID": "2.5.5.9",
"AttributeValue": "5",
"OperationType": "%%14675"
}
}
Detection Patterns #
Execution At Scale
Kerberos Coercion
Persistence: Account Manipulation
Group Policy
Defense Impairment: Rogue Domain Controller
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
OperationType | eq | %%14674 | 17 rules | elastic, sigma, splunk |
AttributeLDAPDisplayName | eq | serviceprincipalname | 9 rules | elastic, kusto, sigma, splunk |
AttributeLDAPDisplayName | eq | gpcmachineextensionnames | 7 rules | elastic, sigma, splunk |
AttributeLDAPDisplayName | eq | ntsecuritydescriptor | 7 rules | elastic, sigma |
ObjectClass | eq | groupPolicyContainer | 6 rules | sigma, splunk |
ObjectClass | eq | user | 6 rules | elastic, kusto, sigma, splunk |
AccessList | contains | %%4417 | 4 rules | elastic, sigma, splunk |
ObjectClass | eq | dnsNode | 4 rules | elastic, sigma, splunk |
AttributeLDAPDisplayName | eq | gpcuserextensionnames | 4 rules | elastic, sigma |
ObjectClass | eq | domainDNS | 4 rules | splunk |
aceAccessRights | in | Full control | 4 rules | splunk |
SubjectUserName | ends_with | $ | 3 rules | sigma |
AttributeLDAPDisplayName | eq | msds-allowedtoactonbehalfofotheridentity | 3 rules | kusto, sigma |
aceAccessRights | in | All extended rights | 3 rules | splunk |
aceAccessRights | in | All validated writes | 3 rules | splunk |
Community Notes #
May indicate high-impact changes in AD, like adding SID history or malicious GPOs. Attribute change to msDS-AllowedToActOnBehalfOfOtherIdentity is usually suspicious and indicates a Kerberos relay attack.
Detection Rules #
Sigma #
- Powerview Add-DomainObjectAcl DCSync AD Extend Right source high: Backdooring a domain object to grant the rights associated with DCSync to a regular user or machine account using the Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet will allow re-obtaining the password hashes of any user/computer.
- Windows Default Domain GPO Modification source medium: Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
- Group Policy Abuse for Privilege Addition source medium: Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
- Suspicious LDAP-Attributes Used source high: Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
- Possible Shadow Credentials Added source high: Detects possible addition of shadow credentials to an active directory object.
- Permissions changed on a Group Policy (GPO) source medium: Detects scenarios where an attacker will attempt to take control over a group policy.
- Suspicious modification of a sensitive Group Policy (GPO) source medium: Detects scenarios where an attacker will attempt to take control over a group policy.
- AdminSDHolder permissions changed for persistence source high: Detects scenarios where an attacker changes permissions on the AdminSDHolder container to establish persistence.
- Computer account modifying Active Directory permissions source high: Detects scenarios where an attacker compromises a server with high privileges to perform permissions changes. Note that a dedicated rule for Exchange exists.
- Computer account manipulation for delegation (RBCD) source high: Detects scenarios where an attacker manipulates a computer object and updates its attribute 'msDS-AllowedToActOnBehalfOfOtherIdentity' to enable a resource to impersonate and authenticate any domain user.
- Extended rights backdoor obfuscation (via localizationDisplayId attribute) source high: Detects scenarios where an attacker modifies the "configuration" partition in order to obfuscate sneaky changes that will allow him to introduce a stealthy AdminSDholder backdoor.
- Replication privileges granted to perform DCSync attack source high: Detects scenarios where an attacker grants replication privilege to an account to exfiltrate Active Directory credentials.
- Suspicious modification of a fake domain controller SPN (DCshadow) (Directory Services) source high: Detects scenarios where an attacker updates the Service Principal Name (SPN) of a computer account in order to perform "Kerberos redirection" and escalate privileges.
- Suspicious modification of a user account SPN to enable Kerberoast attack source high: Detects scenarios where an attacker updates the Service Principal Name (SPN) of a user account in order to enable a Kerberoast attack and crack its password.
- Computer account modifying Active Directory permissions (PrivExchange) source high: Detects scenarios where an attacker compromises a server with high privileges to perform permissions changes. The PrivExchange attack can be detected using this rule.
Elastic #
- Potential Active Directory Replication Account Backdoor source medium: Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer.
- Potential Shadow Credentials added to AD Object source high: Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.
- User account exposed to Kerberoasting source medium: Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principal Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.
- AdminSDHolder Backdoor source high: Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.
- AdminSDHolder SDProp Exclusion Added source high: Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.
- Delegated Managed Service Account Modification by an Unusual User source high: Detects modifications to the msDS-ManagedAccountPrecededByLink attribute of a delegated managed service account by an unusual subject account. Attackers can abuse this attribute to inherit a target account's permissions and further elevate privileges.
- Modification of the msPKIAccountCredentials source medium: Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.
Splunk #
- Windows AD AdminSDHolder ACL Modified source: The following analytic detects modifications to the Access Control List (ACL) of the AdminSDHolder object in a Windows domain, specifically the addition of new rules. It leverages EventCode 5136 from the Security Event Log, focusing on…
- Windows AD Dangerous Deny ACL Modification source: This detection identifies an Active Directory access-control list (ACL) modification event, which applies permissions that deny the ability to enumerate permissions of the object.
- Windows AD Dangerous Group ACL Modification source: This detection monitors the addition of the following ACLs to an Active Directory group object: "Full control", "All extended rights", "All validated writes", "Create all child objects", "Delete all child objects", "Delete subtree",…
- Windows AD Dangerous User ACL Modification source: This detection monitors the addition of the following ACLs to an Active Directory user object: "Full control","All extended rights","All validated writes", "Create all child objects","Delete all child objects","Delete…
- Windows AD DCShadow Privileges ACL Addition source: This detection identifies an Active Directory access-control list (ACL) modification event, which applies the minimum required extended rights to perform the DCShadow attack.
- Windows AD Domain Replication ACL Addition source: The following analytic detects the addition of permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set. It leverages EventCode 5136…
- Windows AD Domain Root ACL Deletion source: ACL deletion performed on the domain root object, significant AD change with high impact. Following MS guidance all changes at this level should be reviewed. Drill into the logonID within EventCode 4624 for information on the source device…
- Windows AD Domain Root ACL Modification source: ACL modification performed on the domain root object, significant AD change with high impact. Following MS guidance all changes at this level should be reviewed. Drill into the logonID within EventCode 4624 for information on the source…
- Windows AD GPO Deleted source: This detection identifies when an Active Directory Group Policy is deleted using the Group Policy Management Console.
- Windows AD GPO Disabled source: This detection identifies when an Active Directory Group Policy is disabled using the Group Policy Management Console.
- Windows AD GPO New CSE Addition source: This detection identifies when a new client side extension is added to an Active Directory Group Policy using the Group Policy Management Console.
- Windows AD Hidden OU Creation source: This analytic is looking for when an ACL is applied to an OU which denies listing the objects residing in the OU. This activity combined with modifying the owner of the OU will hide AD objects even from domain administrators.
- Windows AD Object Owner Updated source: AD Object Owner Updated. The owner provides Full control level privileges over the target AD Object. This event has significant impact alone and is also a precursor activity for hiding an AD object.
- Windows AD Self DACL Assignment source: Detect when a user creates a new DACL in AD for their own AD object.
- Windows AD ServicePrincipalName Added To Domain Account source: The following analytic detects the addition of a Service Principal Name (SPN) to a domain account. It leverages Windows Event Code 5136 and monitors changes to the servicePrincipalName attribute. This activity is significant because it may…
- Windows AD Short Lived Domain Account ServicePrincipalName source: The following analytic identifies the addition and quick deletion of a Service Principal Name (SPN) to a domain account within 5 minutes. This detection leverages EventCode 5136 from the Windows Security Event Log, focusing on changes to…
- Windows AD SID History Attribute Modified source: The following analytic detects modifications to the SID History attribute in Active Directory by leveraging event code 5136. This detection uses logs from the wineventlog_security data source to identify changes to the sIDHistory…
- Windows Default Group Policy Object Modified source: The following analytic detects modifications to default Group Policy Objects (GPOs) using Event ID 5136. It monitors changes to the Default Domain Controllers Policy and Default Domain Policy, which are critical for enforcing security…
Kusto #
- AdminSDHolder Modifications source high: This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. AdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory. This query searches for the event id 5136 where the Object DN is AdminSDHolder. Ref: https://netwrix.com/en/cybersecurity-glossary/cyber-security-attacks/adminsdholder-attack/
- Possible Resource-Based Constrained Delegation Abuse source medium: This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. This query checks for event id 5136 that the Object Class field is "computer" and the LDAP Display Name is "msDS-AllowedToActOnBehalfOfOtherIdentity" which is an indicator of Resource-based constrained delegation. Ref: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
- Service Principal Name (SPN) Assigned to User Account source medium: This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. This query checks for event id 5136, that the Object Class field is "user" and the LDAP Display Name is "servicePrincipalName". Ref: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
- Exchange OAB Virtual Directory Attribute Containing Potential Webshell source high: This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065. This query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services where the new objects contain potential webshell objects.
- Shadow Credentials Added to Account source: This query searches for modifications to the 'msDS-KeyCredentialLink' property in Active Directory, introduced in Windows Server 2016. There are two different events which contain information to detect such changes 5136 and 4662. This detection uses the 5136, which is the preferred event to use.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5136
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5136.yml
Event ID 5137: A directory service object was created.
#Description
This event generates every time an Active Directory object is created.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
OpCorrelationID GUID | Multiple modifications are often executed as one operation via LDAP. | |
AppCorrelationID UnicodeString | [Operation] Application Correlation ID. | |
SubjectUserSid SID | SID of account that requested the "create object" operation. | |
SubjectUserName UnicodeString | The name of the account that requested the "create object" operation. | |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | |
DSName UnicodeString | The name of the Active Directory domain where the new object is created. | |
DSType UnicodeString | Has "Active Directory Domain Services" value for this event. Known values | |
ObjectDN UnicodeString | Distinguished name of the object that was created. | 2 |
ObjectGUID GUID | Each Active Directory object has a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. | |
ObjectClass UnicodeString | Class of the object that was created. | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5137,
"version": 0,
"level": 0,
"task": 14081,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2021-04-27T11:04:13.291038Z",
"event_record_id": 138520223,
"correlation": {
"#attributes": {
"ActivityID": "9816F041-2BBE-0000-53F0-1698BE2BD701"
}
},
"execution": {
"process_id": 548,
"thread_id": 4324
},
"channel": "Security",
"computer": "rootdc1.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"OpCorrelationID": "B960A203-A3DF-4586-A2ED-740024D6C42A",
"AppCorrelationID": "-",
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"SubjectUserName": "admmig",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x31a24611",
"DSName": "offsec.lan",
"DSType": "%%14676",
"ObjectDN": "CN=JUMP01,CN=Servers,CN=OFFSEC-PREMISE,CN=Sites,CN=Configuration,DC=offsec,DC=lan",
"ObjectGUID": "590B1EF4-6143-4C18-B554-1EE0A59BB7F8",
"ObjectClass": "server"
}
}
Detection Patterns #
Kerberos Coercion Via DNS
Group Policy
Defense Impairment: Rogue Domain Controller
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
ObjectClass | eq | dnsNode | 4 rules | elastic, sigma, splunk |
ObjectClass | eq | groupPolicyContainer | 1 rule | sigma, splunk |
short_lived | eq | TRUE | 1 rule | splunk |
Community Notes #
May indicate high-impact changes in AD.
Detection Rules #
Elastic #
- Potential ADIDNS Poisoning via Wildcard Record Creation source high: Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic for names that do not explicitly match records in the zone, positioning themselves as an adversary-in-the-middle and enabling credential interception or relay through ADIDNS manipulation similar in outcome to LLMNR/NBNS spoofing.
- Potential WPAD Spoofing via DNS Record Creation source medium: Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the Global Query Block List (GQBL) and create a "wpad" record to exploit hosts running WPAD with default settings for privilege escalation and lateral movement.
- Creation of a DNS-Named Record source low: Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target systems that are requested from multiple systems. They can also create specific records to target specific services, such as wpad, for spoofing attacks.
- dMSA Account Creation by an Unusual User source high: Detects creation of a delegated Managed Service Account by an unusual subject account. Attackers can abuse weak child-object or msDS-DelegatedManagedServiceAccount rights during account migration to elevate privileges.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5137
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5137.yml
Event ID 5138: A directory service object was undeleted.
#Description
This event generates every time an Active Directory object is undeleted. It happens, for example, when an Active Directory object was restored from the Active Directory Recycle Bin.
Message #
Fields #
| Name | Description |
|---|---|
OpCorrelationID GUID | Multiple modifications are often executed as one operation via LDAP. |
AppCorrelationID UnicodeString | [Operation] Application Correlation ID. |
SubjectUserSid SID | SID of account that requested that the object be undeleted or restored. |
SubjectUserName UnicodeString | Name of account that requested that the object be undeleted or restored. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
DSName UnicodeString | The name of an Active Directory domain, where the object was undeleted. |
DSType UnicodeString | Has "Active Directory Domain Services" value for this event. Known values |
OldObjectDN UnicodeString | Old distinguished name of undeleted object. |
NewObjectDN UnicodeString | New distinguished name of undeleted object. |
ObjectGUID GUID | Each Active Directory object has a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. |
ObjectClass UnicodeString | Class of the object that was undeleted. |
Detection Patterns #
Defense Impairment: Group Policy Modification
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5138
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5138.yml
Event ID 5139: A directory service object was moved.
#Description
This event generates every time an Active Directory object is moved.
Message #
Fields #
| Name | Description |
|---|---|
OpCorrelationID GUID | Multiple modifications are often executed as one operation via LDAP. |
AppCorrelationID UnicodeString | [Operation] Application Correlation ID. |
SubjectUserSid SID | SID of account that requested the "move object" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "move object" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
DSName UnicodeString | The name of an Active Directory domain, where the object was moved. |
DSType UnicodeString | Has "Active Directory Domain Services" value for this event. Known values |
OldObjectDN UnicodeString | Old distinguished name of moved object. |
NewObjectDN UnicodeString | New distinguished name of moved object. |
ObjectGUID GUID | Each Active Directory object has a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. |
ObjectClass UnicodeString | Class of the object that was moved. |
Detection Patterns #
Defense Impairment: Group Policy Modification
1 rule
Community Notes #
May indicate high-impact changes in AD.
References #
Event ID 5140: A network share object was accessed.
#Description
This event generates every time a network share object is accessed.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid SID | SID of account that requested access to network share object. | 2 |
SubjectUserName UnicodeString | The name of the account that requested access to network share object. | 8 |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | |
ObjectType UnicodeString | The type of an object that was accessed during the operation. Always "File" for this event. | |
IpAddress UnicodeString | [Network Information] Source Address. | 2 |
IpPort UnicodeString | Source TCP or UDP port which was used from the remote or local machine to request the access. | |
ShareName UnicodeString | [Share Information] Share Name. | 12 |
ShareLocalPath UnicodeString | The full system (NTFS) path for the accessed share. The format is: \??\PATH. | 1 |
AccessMask HexInt32 | The sum of hexadecimal values of requested access rights. See "Table 13. File access codes" in the access mask reference. | 2 |
AccessList UnicodeString | The list of access rights which were requested by Subject\Security ID. These access rights depend on Object Type. Always has the "ReadData (or ListDirectory)" value for this event. | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5140,
"version": 1,
"level": 0,
"task": 12808,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:05:55.4512375+00:00",
"event_record_id": 3212141,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 7924
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-C$",
"SubjectDomainName": "cell-c",
"SubjectLogonId": "0x292ab9d",
"ObjectType": "File",
"IpAddress": "::1",
"IpPort": "57857",
"ShareName": "\\\\*\\SYSVOL",
"ShareLocalPath": "\\??\\C:\\Windows\\SYSVOL\\sysvol",
"AccessMask": "0x1",
"AccessList": "%%4416\n\t\t\t\t"
},
"message": "A network share object was accessed.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x292AB9D\r\n\r\nNetwork Information:\t\r\n\tObject Type:\t\tFile\r\n\tSource Address:\t\t::1\r\n\tSource Port:\t\t57857\r\n\t\r\nShare Information:\r\n\tShare Name:\t\t\\\\*\\SYSVOL\r\n\tShare Path:\t\t\\??\\C:\\Windows\\SYSVOL\\sysvol\r\n\r\nAccess Request Information:\r\n\tAccess Mask:\t\t0x1\r\n\tAccesses:\t\tReadData (or ListDirectory)\r\n\t\t\t\t\r\n"
}
Detection Patterns #
Event Log
8 rules
Sigma
Share Access Windows Event
6 rules
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
LogonType | eq | Network | 1 rule | elastic, kusto, sigma, splunk |
SubjectUserName | ends_with | $ | 1 rule | sigma |
ShareName | wildcard | \\*\ADMIN$ | 1 rule | sigma |
src_ip | eq | %vulnerability_scanners% | 1 rule | sigma |
unique_targets | gt | 30 | 1 rule | splunk |
ShareName | in | \\\\*\\C$ | 1 rule | splunk |
AccessMask | eq | 0x1 | 1 rule | sigma, splunk |
RelativeTargetName | ends_with | \cmd.exe | 1 rule | sigma |
RelativeTargetName | ends_with | \powershell.exe | 1 rule | sigma |
RelativeTargetName | ends_with | \pwsh.exe | 1 rule | sigma |
prefix | eq | geo | 1 rule | splunk |
signature_id | eq | 4625 | 1 rule | splunk |
src_ip | eq | %admin_netork_administration% | 1 rule | sigma |
Community Notes #
Tracks who is accessing shared folders on the network. Very noisy.
Detection Rules #
Sigma #
- Access To ADMIN$ Network Share source low: Detects access to ADMIN$ network share
- Potential CVE-2023-36884 Exploitation - Share Access source high: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
Splunk #
- Network Share Discovery Via Dir Command source: The following analytic detects access to Windows administrative SMB shares (Admin$, IPC$, C$) using the 'dir' command. It leverages Windows Security Event Logs with EventCode 5140 to identify this activity. This behavior is significant as…
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5140
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5140_v1.yml
- MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format
Event ID 5141: A directory service object was deleted.
#Description
This event generates every time an Active Directory object is deleted.
Message #
Fields #
| Name | Description |
|---|---|
OpCorrelationID GUID | Multiple modifications are often executed as one operation via LDAP. |
AppCorrelationID UnicodeString | [Operation] Application Correlation ID. |
SubjectUserSid SID | SID of account that requested the "delete object" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "delete object" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
DSName UnicodeString | The name of an Active Directory domain, where the object was deleted. |
DSType UnicodeString | Has "Active Directory Domain Services" value for this event. Known values |
ObjectDN UnicodeString | Distinguished name of the object that was deleted. |
ObjectGUID GUID | Each Active Directory object has a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. |
ObjectClass UnicodeString | Class of the object that was deleted. |
TreeDelete UnicodeString | Yes - "Delete Subtree" operation was performed. It happens, for example, if "Use Delete Subtree server control" check box was checked during delete operation using Active Directory Users and Computers management console. No - delete operation was performed without "Delete Subtree" server control. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5141,
"version": 0,
"level": 0,
"task": 14081,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:09:16.430494+00:00",
"event_record_id": 16632112,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 724
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"OpCorrelationID": "B2C1C1B5-B65D-4E48-B5C7-AD55815CDF5D",
"AppCorrelationID": "-",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec",
"DSName": "ludus.domain",
"DSType": "%%14676",
"ObjectDN": "CN=testaudit2,CN=Users,DC=ludus,DC=domain",
"ObjectGUID": "E352E021-AD2D-40D3-B617-37AEF7687FFD",
"ObjectClass": "user",
"TreeDelete": "%%14679"
},
"message": ""
}
Detection Patterns #
Defense Impairment: Rogue Domain Controller
1 rule
Defense Impairment: Group Policy Modification
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
short_lived | eq | TRUE | 1 rule | splunk |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5141
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5141.yml
Event ID 5142: A network share object was added.
#Description
This event generates every time a network share object is added.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid SID | SID of account that requested the "add network share object" operation. | |
SubjectUserName UnicodeString | The name of the account that requested the "add network share object" operation. | 1 |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | |
ShareName UnicodeString | The name of the added share object. The format is: \\*\SHARE_NAME. | 2 |
ShareLocalPath UnicodeString | The full system (NTFS) path for the added share object. The format is: \??\PATH. | 1 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5142,
"version": 0,
"level": 0,
"task": 12808,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:33:03.1890042+00:00",
"event_record_id": 1719451,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 176
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-A$",
"SubjectDomainName": "cell-a",
"SubjectLogonId": "0x3e7",
"ShareName": "\\\\*\\Public",
"ShareLocalPath": "C:\\Public"
},
"message": "A network share object was added.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nShare Information:\t\r\n\tShare Name:\t\t\\\\*\\Public\r\n\tShare Path:\t\tC:\\Public"
}
Detection Patterns #
Lateral Movement: SMB/Windows Admin Shares
Community Notes #
May be a prelude to data exfiltration. Includes named pipes and IPC$ (confirm if the client address is external/unexpected). May indicate share enumeration and directory walking prior to exfiltration. The RelativeTargetName field may show the original file name and path on the attacker's machine.
Detection Rules #
Sigma #
- New network file share created source medium: Detects scenarios when a new file share is created.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5142
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5142.yml
Event ID 5143: A network share object was modified.
#Description
This event generates every time a network share object is modified.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that requested the "modify network share object" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "modify network share object" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
ObjectType UnicodeString | The type of an object that was modified. Always "Directory" for this event. |
ShareName UnicodeString | The name of the modified share object. The format is: \\*\SHARE_NAME. |
ShareLocalPath UnicodeString | The full system (NTFS) path for the modified share object. |
OldRemark UnicodeString | The old value of the network share "Comments:" field. Has "N/A" value if it is not set. |
NewRemark UnicodeString | The new value of the network share "Comments:" field. Has "N/A" value if it is not set. |
OldMaxUsers HexInt32 | Old hexadecimal value of the "Limit the number of simultaneous users to:" field. Has "0xFFFFFFFF" value if the number of connections is unlimited. |
NewMaxUsers HexInt32 | New hexadecimal value of the "Limit the number of simultaneous users to:" field. Has "0xFFFFFFFF" value if the number of connections is unlimited. |
OldShareFlags HexInt32 | Old hexadecimal value of "Offline Settings" caching settings window flags. |
NewShareFlags HexInt32 | New hexadecimal value of "Offline Settings" caching settings window flags. |
OldSD UnicodeString | The old Security Descriptor Definition Language (SDDL) value for network share security descriptor. |
NewSD UnicodeString | The new Security Descriptor Definition Language (SDDL) value for network share security descriptor. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5143,
"version": 0,
"level": 0,
"task": 12808,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2020-07-11T17:17:32.128132Z",
"event_record_id": 1228290,
"correlation": {},
"execution": {
"process_id": 464,
"thread_id": 472
},
"channel": "Security",
"computer": "fs02.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"SubjectUserName": "admmig",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x202dac8",
"ObjectType": "Directory",
"ShareName": "\\\\*\\hidden-share$",
"ShareLocalPath": "C:\\TOOLS\\hidden-share$",
"OldRemark": "N/A",
"NewRemark": "N/A",
"OldMaxUsers": "0xffffffff",
"NewMaxUsers": "0xffffffff",
"OldShareFlags": "0x0",
"NewShareFlags": "0x0",
"OldSD": "O:BAG:DUD:(A;;0x1200a9;;;WD)",
"NewSD": "O:BAG:DUD:(A;;FA;;;S-1-5-21-4230534742-2542757381-3142984815-1107)(A;;0x1301bf;;;WD)"
}
}
Detection Patterns #
Lateral Movement: SMB/Windows Admin Shares
Detection Rules #
Sigma #
- Suspicious permissions modification on a network share source medium: Detects scenarios where an attacker modifies network share permissions in order to facilitate lateral movement and avoid detection by creating new network shares
Kusto #
- Excessive share permissions source medium: The query searches for event 5143, which is triggered when a share is created or changed and includes the share permissions. First it checks to see if this is a whitelisted share for the system (e.g. domaincontroller netlogon, printserver print$ etc.). The share permissions are then checked against 'allow' rule (A) for a number of well known overly permissive groups, like all users, guests, authenticated users etc. If these are found, an alert is raised so the share creation may be audited. Note: this rule only checks for changed permissions, to prevent repeat alerts if for example a comment is changed, but the permissions are not altered.
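The excessive-permissions logic described for the Kusto rule, applied to the OldSD/NewSD pair of the 5143 example event above. This is an added example, not code from the event reference or from any vendor's rule; the share allowlist, the set of "broad" trustees and the helper names are assumptions made for this example.

```python
"""Added example (not from the event reference or any vendor rule): flag 5143
records whose new share DACL grants access to overly broad trustees, but only
when the DACL actually changed and the share is not on an allowlist."""
import re
from typing import Dict, List, NamedTuple, Optional

# SDDL two-letter rights tokens -> ACCESS_MASK bits (generic + file-specific).
# Directory-object tokens (CC, DC, ...) are not needed for file shares and raise.
RIGHTS_TOKENS: Dict[str, int] = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}
# Bits that let the grantee change content, ACL or ownership of files on the share.
WRITE_BITS = (0x2 | 0x4 | 0x10 | 0x100      # WriteData, AppendData, WriteEA, WriteAttributes
              | 0x10000 | 0x40000 | 0x80000  # DELETE, WRITE_DAC, WRITE_OWNER
              | 0x40000000 | 0x10000000)     # GENERIC_WRITE, GENERIC_ALL
# Trustee abbreviations treated as overly broad when they receive an allow ACE
# (assumed set for this example; WD in trustee position means Everyone).
BROAD_TRUSTEES: Dict[str, str] = {
    "WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
    "BG": "Guests", "AN": "Anonymous Logon", "IU": "Interactive",
}
# Shares expected to carry broad read ACLs (assumed allowlist for this example).
ALLOWLISTED_SHARES = {"NETLOGON", "SYSVOL", "print$"}


class Ace(NamedTuple):
    ace_type: str  # "A" = access allowed, "D" = access denied
    mask: int      # numeric ACCESS_MASK
    trustee: str   # SDDL abbreviation or full SID string


def rights_to_mask(rights: str) -> int:
    """Convert the SDDL rights field ('0x1301bf', 'FA', 'GRGW', ...) to an int."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        token = rights[i:i + 2]
        if token not in RIGHTS_TOKENS:
            raise ValueError(f"unsupported SDDL rights token {token!r}")
        mask |= RIGHTS_TOKENS[token]
    return mask


def parse_dacl(sddl: str) -> List[Ace]:
    """Return the ACEs of the D: section of an SDDL string ([] if absent)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces: List[Ace] = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = body.split(";")
        if len(parts) != 6:
            continue  # conditional/object ACEs carry extra fields; out of scope here
        aces.append(Ace(parts[0], rights_to_mask(parts[2]), parts[5]))
    return aces


def share_base_name(share_name: str) -> str:
    r"""'\\*\hidden-share$' -> 'hidden-share$'."""
    return share_name.rstrip("\\").split("\\")[-1]


def evaluate_share_change(event_data: Dict[str, str]) -> List[Dict[str, object]]:
    """Findings for one 5143 record: broad trustees granted access in NewSD,
    reported only if the DACL changed and the share is not allowlisted."""
    if share_base_name(event_data["ShareName"]) in ALLOWLISTED_SHARES:
        return []
    old, new = parse_dacl(event_data["OldSD"]), parse_dacl(event_data["NewSD"])
    if old == new:
        return []  # comment or max-users changed, permissions did not: no alert
    old_masks: Dict[str, int] = {a.trustee: a.mask for a in old if a.ace_type == "A"}
    findings: List[Dict[str, object]] = []
    for ace in new:
        if ace.ace_type != "A" or ace.trustee not in BROAD_TRUSTEES:
            continue
        prev: Optional[int] = old_masks.get(ace.trustee)
        findings.append({
            "share": event_data["ShareName"],
            "actor": f'{event_data["SubjectDomainName"]}\\{event_data["SubjectUserName"]}',
            "trustee": BROAD_TRUSTEES[ace.trustee],
            "mask": ace.mask,
            "grants_write": bool(ace.mask & WRITE_BITS),
            "previous_mask": prev,
            # True when the trustee gained at least one right it did not have before
            "newly_granted": prev is None or (ace.mask & ~prev) != 0,
        })
    return findings


# Taken from the page's 5143 example event (only the fields the check needs).
SAMPLE_5143: Dict[str, str] = {
    "SubjectUserName": "admmig", "SubjectDomainName": "OFFSEC",
    "ShareName": "\\\\*\\hidden-share$", "ShareLocalPath": "C:\\TOOLS\\hidden-share$",
    "OldSD": "O:BAG:DUD:(A;;0x1200a9;;;WD)",
    "NewSD": "O:BAG:DUD:(A;;FA;;;S-1-5-21-4230534742-2542757381-3142984815-1107)"
             "(A;;0x1301bf;;;WD)",
}

if __name__ == "__main__":
    for finding in evaluate_share_change(SAMPLE_5143):
        print(finding)
```

On the sample, Everyone moves from read/execute (0x1200a9) to modify (0x1301bf), so one finding is raised; the full-control ACE for the specific SID is not a broad trustee and is left to the analyst.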
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5143
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5143.yml
Event ID 5144: A network share object was deleted.
#Description
This event generates every time a network share object is deleted.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that requested the "delete network share object" operation. |
SubjectUserName UnicodeString | The name of the account that requested the "delete network share object" operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
ShareName UnicodeString | The name of the deleted share object. The format is: \\*\SHARE_NAME. |
ShareLocalPath UnicodeString | The full system (NTFS) path for the deleted share object. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5144,
"version": 0,
"level": 0,
"task": 12808,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:18:20.582403+00:00",
"event_record_id": 16257540,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 2396
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"ShareName": "\\\\*\\EvtGenShare",
"ShareLocalPath": "C:\\EvtGenFileTest\\Shared"
},
"message": ""
}
Event ID 5145: A network share object was checked to see whether client can be granted desired access.
#Description
A network share object was checked to see whether client can be granted desired access.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid SID | SID of account that requested access to network share object. | |
SubjectUserName UnicodeString | Name of the account that requested access to the network share object. | 9 |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | |
ObjectType UnicodeString | Type of the accessed object. Always "File" for this event. | 6 |
IpAddress UnicodeString | Source IP address of the client. | 5 |
IpPort UnicodeString | Source TCP or UDP port which was used from remote or local machine to request the access. | |
ShareName UnicodeString | Name of the network share. | 41 |
ShareLocalPath UnicodeString | Full NTFS path of the network share. Formatted as \??\PATH. | |
RelativeTargetName UnicodeString | Path of the accessed file or folder relative to the share root. "\" if the share itself was the target. | 139 |
AccessMask HexInt32 | Hexadecimal access mask for the requested access rights. Access mask reference | 8 |
AccessList UnicodeString | Access rights requested. | 14 |
AccessReason UnicodeString | The list of access check results. Known values |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5145,
"version": 0,
"level": 0,
"task": 12811,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:05:55.4515712+00:00",
"event_record_id": 3212142,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 5936
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-C$",
"SubjectDomainName": "cell-c",
"SubjectLogonId": "0x292ab9d",
"ObjectType": "File",
"IpAddress": "::1",
"IpPort": "57857",
"ShareName": "\\\\*\\SYSVOL",
"ShareLocalPath": "\\??\\C:\\Windows\\SYSVOL\\sysvol",
"RelativeTargetName": "\\",
"AccessMask": "0x100080",
"AccessList": "%%1541\n\t\t\t\t%%4423\n\t\t\t\t",
"AccessReason": "%%1541:\t%%1801\tD:(A;;0x1200a9;;;WD)\n\t\t\t\t%%4423:\t%%1801\tD:(A;;0x1200a9;;;WD)\n\t\t\t\t"
},
"message": "A network share object was checked to see whether client can be granted desired access.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x292AB9D\r\n\r\nNetwork Information:\t\r\n\tObject Type:\t\tFile\r\n\tSource Address:\t\t::1\r\n\tSource Port:\t\t57857\r\n\t\r\nShare Information:\r\n\tShare Name:\t\t\\\\*\\SYSVOL\r\n\tShare Path:\t\t\\??\\C:\\Windows\\SYSVOL\\sysvol\r\n\tRelative Target Name:\t\\\r\n\r\nAccess Request Information:\r\n\tAccess Mask:\t\t0x100080\r\n\tAccesses:\t\tSYNCHRONIZE\r\n\t\t\t\tReadAttributes\r\n\t\t\t\t\r\nAccess Check Results:\r\n\tSYNCHRONIZE:\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\tReadAttributes:\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t\r\n"
}
Detection Patterns #
Event Log
8 rules
Sigma
Share Access Windows Event
6 rules
Execution At Scale
Event Log
Relay Attack Against
Event Log
Credential Access: Security Account Manager
2 rules
Sigma
Initial Access: Exploit Public-Facing Application
Persistence: Account Manipulation
Stealth: Process Injection
1 rule
Lateral Movement: Exploitation of Remote Services
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
ShareName | wildcard | \\*\IPC$ | 11 rules | sigma |
AccessList | contains | %%4417 | 9 rules | elastic, sigma, splunk |
RelativeTargetName | eq | svcctl | 7 rules | kusto, sigma |
ShareName | eq | \\\\\*\\IPC$ | 7 rules | sigma |
ShareName | wildcard | \\*\C$ | 7 rules | sigma |
SubjectUserName | ends_with | $ | 6 rules | sigma |
ShareName | wildcard | \\*\ADMIN$ | 6 rules | sigma |
LogonType | eq | Network | 5 rules | elastic, kusto, sigma, splunk |
RelativeTargetName | eq | atsvc | 5 rules | kusto, sigma |
src_ip | ne | ::1 | 4 rules | elastic, splunk |
src_ip | ne | 127.0.0.1 | 4 rules | elastic |
ObjectType | eq | File | 4 rules | sigma, splunk |
AttributeLDAPDisplayName | eq | gpcmachineextensionnames | 4 rules | elastic, sigma, splunk |
AttributeLDAPDisplayName | eq | gpcuserextensionnames | 4 rules | elastic, sigma |
RelativeTargetName | eq | lsarpc | 4 rules | sigma, splunk |
Detection Rules #
Sigma #
- Remote Task Creation via ATSVC Named Pipe source medium: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
- DCERPC SMB Spoolss Named Pipe source medium: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
- DCOM InternetExplorer.Application Iertutil DLL Hijack - Security source high: Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
- Impacket PsExec Execution source high: Detects execution of Impacket's psexec.py.
- Possible Impacket SecretDump Remote Activity source high: Detect AD credential dumping using impacket secretdump HKTL
- First Time Seen Remote Named Pipe source high: This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote exec using named pipes
- Windows Network Access Suspicious desktop.ini Action source medium: Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
- Possible PetitPotam Coerce Authentication Attempt source high: Detect PetitPotam coerced authentication activity.
- Protected Storage Service Access source high: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
- SMB Create Remote File Admin Share source high: Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
- Suspicious PsExec Execution source high: Detects execution of psexec or paexec with a renamed service name. This rule helps to filter out the noise if psexec is used for legit purposes or if the attacker uses a different psexec client other than the Sysinternals one
- Suspicious Access to Sensitive File Extensions source medium: Detects known sensitive file extensions accessed on a network share
- Remote Service Activity via SVCCTL Named Pipe source medium: Detects remote service activity via remote access to the svcctl named pipe
- Transferring Files with Credential Data via Network Shares source medium: Transferring files with well-known filenames (sensitive files with credential data) using network shares
- T1047 Wmiprvse Wbemcomn DLL Hijack source high: Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.
- Azure Active Directory Connect credentials dump via network share source high: Detects scenarios where an attacker attempts to dump Azure Active Directory Connect credentials via network share.
- User browser credentials dump via network share (DonPapi, Lazagne) source high: Detects scenarios where an attacker attempts to dump browser credentials (Firefox, Google Chrome, ...) via network share.
- LSASS credential dump with LSASSY (admin share) source high: Detects scenarios where an attacker remotely dumps LSASS credentials using the LSASSY tool.
- PSexec execution over SMB share source medium: Detects scenarios where an attacker executes PSexec on a remote host via SMB
- Impacket WMIexec execution via SMB admin share source high: Detects scenarios where an attacker attempts to remotely execute WMIexec via SMB admin share in order to escalate privileges.
Elastic #
- Potential Machine Account Relay Attack via SMB source high: Identifies potential relay attacks against a machine account by identifying network share access events coming from a remote source.ip but using the target server computer account. This may indicate an SMB relay attack.
- Potential Network Share Discovery source low: Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement.
Splunk #
- Executable File Written in Administrative SMB Share source: The following analytic detects executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). It leverages Windows Security Event Logs with EventCode 5145 to identify this activity. This behavior is…
- High Frequency Copy Of Files In Network Share source: The following analytic detects a high frequency of file copying or moving within network shares, which may indicate potential data sabotage or exfiltration attempts. It leverages Windows Security Event Logs (EventCode 5145) to monitor…
- PetitPotam Network Share Access Request source: The following analytic detects network share access requests indicative of the PetitPotam attack (CVE-2021-36942). It leverages Windows Event Code 5145, which logs attempts to access network share objects. This detection is significant as…
- Windows Scheduled Task Created in a Group Policy Object source: When a scheduled task is created within a Group Policy, a characteristic file ScheduledTasks.xml with its definition is created in the respective subfolder of the SYSVOL share. This rule can hit on legitimate GPO scheduled task creation,…
- Windows Share Multiple File Access (Windows Event Log) source: SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. This use case looks…
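A triage function that applies the checks the admin-share, named-pipe and relay rules listed above describe (non-machine account writing through C$/ADMIN$, remote access to svcctl/atsvc/lsarpc under IPC$, the server's own machine account arriving from a remote address), and decodes the AccessMask with the bit values from the MS Learn ACCESS_MASK reference. This is an added example, not code from the event reference or any vendor's rule; the first record is the page's own 5145 example, while the other records, severities and helper names are constructed for this example.

```python
"""Added example (not from the event reference or any vendor rule): triage of
Event ID 5145 records. The page's own example record is loopback access by a
DC to SYSVOL and must produce no finding; the constructed records exercise
the write-to-admin-share, named-pipe and relay checks."""
import ipaddress
from typing import Dict, List, NamedTuple

# ACCESS_MASK bits seen on file-share access checks (MS Learn ACCESS_MASK format).
ACCESS_BITS: Dict[int, str] = {
    0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x8: "ReadEA",
    0x10: "WriteEA", 0x20: "Execute", 0x40: "DeleteChild", 0x80: "ReadAttributes",
    0x100: "WriteAttributes", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x100 | 0x10000 | 0x40000 | 0x80000
ADMIN_FILE_SHARES = {"C$", "ADMIN$"}
# Named pipes under IPC$ singled out by the rules above (service control, AT
# scheduler, LSA); compared case-insensitively.
WATCHED_PIPES = {"svcctl", "atsvc", "lsarpc"}
EXECUTABLE_SUFFIXES = (".exe", ".dll")


class Finding(NamedTuple):
    severity: str
    reason: str
    actor: str
    source_ip: str
    target: str


def decode_access_mask(mask: int) -> List[str]:
    """Names of the set bits, e.g. 0x100080 -> ['ReadAttributes', 'SYNCHRONIZE']."""
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]


def is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # IpAddress may be "-" when no client address was recorded


def share_base_name(share_name: str) -> str:
    r"""'\\*\SYSVOL' -> 'SYSVOL'."""
    return share_name.rstrip("\\").split("\\")[-1]


def triage_5145(event_data: Dict[str, str], computer: str) -> List[Finding]:
    """Checks modelled on the rules above; 'computer' is the record's system.computer."""
    share = share_base_name(event_data["ShareName"]).upper()
    target = event_data["RelativeTargetName"].strip("\\")
    user = event_data["SubjectUserName"]
    actor = f'{event_data["SubjectDomainName"]}\\{user}'
    src = event_data["IpAddress"]
    mask = int(event_data["AccessMask"], 16)
    findings: List[Finding] = []
    if is_loopback(src):
        return findings  # the server reading its own shares is out of scope here
    # Relay indicator: the server's own machine account used from a remote address.
    own_account = computer.split(".")[0].upper() + "$"
    if user.upper() == own_account:
        findings.append(Finding("high", "server's own machine account used from a remote source",
                                actor, src, share))
    if share == "IPC$" and target.lower() in WATCHED_PIPES:
        findings.append(Finding("medium", f"remote access to named pipe {target}",
                                actor, src, target))
    if share in ADMIN_FILE_SHARES and mask & WRITE_BITS and not user.endswith("$"):
        rights = ", ".join(decode_access_mask(mask & WRITE_BITS))
        sev = "high" if target.lower().endswith(EXECUTABLE_SUFFIXES) else "medium"
        findings.append(Finding(sev, f"{rights} on {share} by a non-machine account",
                                actor, src, target))
    return findings


# The page's 5145 example (event_data fields the check needs) and its computer name.
PAGE_SAMPLE: Dict[str, str] = {
    "SubjectUserName": "TELEMETRY-DC-C$", "SubjectDomainName": "cell-c",
    "IpAddress": "::1", "ShareName": "\\\\*\\SYSVOL", "RelativeTargetName": "\\",
    "AccessMask": "0x100080",
}
PAGE_COMPUTER = "telemetry-DC-c.cell-c.ludus.domain"
# Constructed records for this example (not from the page).
WRITE_TO_ADMIN_SHARE: Dict[str, str] = {
    "SubjectUserName": "jdoe", "SubjectDomainName": "cell-c", "IpAddress": "10.2.10.50",
    "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\Temp\\svc.exe",
    "AccessMask": "0x2",
}
PIPE_ACCESS: Dict[str, str] = {
    "SubjectUserName": "jdoe", "SubjectDomainName": "cell-c", "IpAddress": "10.2.10.50",
    "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "svcctl", "AccessMask": "0x12019f",
}
RELAYED_MACHINE_ACCOUNT = dict(PAGE_SAMPLE, IpAddress="10.2.10.50")

if __name__ == "__main__":
    for rec in (PAGE_SAMPLE, WRITE_TO_ADMIN_SHARE, PIPE_ACCESS, RELAYED_MACHINE_ACCOUNT):
        print(rec["ShareName"], triage_5145(rec, PAGE_COMPUTER))
```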
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-file-share
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5145.yml
- MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format
Event ID 5146: The Windows Filtering Platform has blocked a packet.
#Description
The Windows Filtering Platform has blocked a packet.
Message #
Fields #
| Name | Description |
|---|---|
Direction UnicodeString | [Network Information] Direction Known values |
SourceAddress UnicodeString | [Network Information] Source Address |
DestAddress UnicodeString | [Network Information] Destination Address |
EtherType HexInt32 | [Network Information] EtherType |
VlanTag HexInt32 | [Network Information] VlanTag |
vSwitchID UnicodeString | [Network Information] vSwitchId |
SourcevSwitchPort UInt32 | [Network Information] Source vSwitch Port |
DestinationvSwitchPort UInt32 | [Network Information] Destination vSwitch Port |
FilterRTID UInt64 | [Filter Information] Filter Run-Time ID |
LayerName UnicodeString | [Filter Information] Layer Name Known values |
LayerRTID UInt64 | [Filter Information] Layer Run-Time ID |
Event ID 5147: A more restrictive Windows Filtering Platform filter has blocked a packet.
#Description
A more restrictive Windows Filtering Platform filter has blocked a packet.
Message #
Fields #
| Name | Description |
|---|---|
Direction UnicodeString | [Network Information] Direction Known values |
SourceAddress UnicodeString | [Network Information] Source Address |
DestAddress UnicodeString | [Network Information] Destination Address |
EtherType HexInt32 | [Network Information] EtherType |
VlanTag HexInt32 | [Network Information] VlanTag |
vSwitchID UnicodeString | [Network Information] vSwitchId |
SourcevSwitchPort UInt32 | [Network Information] Source vSwitch Port |
DestinationvSwitchPort UInt32 | [Network Information] Destination vSwitch Port |
FilterRTID UInt64 | [Filter Information] Filter Run-Time ID |
LayerName UnicodeString | [Filter Information] Layer Name Known values |
LayerRTID UInt64 | [Filter Information] Layer Run-Time ID |
Event ID 5148: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode.
Event ID 5149: The DoS attack has subsided and normal processing is being resumed.
Event ID 5150: The Windows Filtering Platform has blocked a packet.
#Description
The Windows Filtering Platform has blocked a packet.
Message #
Fields #
| Name | Description |
|---|---|
Direction UnicodeString | [Network Information] Direction Known values |
SourceAddress UnicodeString | [Network Information] Source Address |
DestAddress UnicodeString | [Network Information] Destination Address |
EtherType HexInt32 | [Network Information] EtherType |
MediaType UInt32 | [Network Information] MediaType |
InterfaceType UInt32 | [Network Information] InterfaceType |
VlanTag HexInt32 | [Network Information] VlanTag |
FilterRTID UInt64 | [Filter Information] Filter Run-Time ID |
LayerName UnicodeString | [Filter Information] Layer Name Known values |
LayerRTID UInt64 | [Filter Information] Layer Run-Time ID |
Event ID 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.
#Description
A more restrictive Windows Filtering Platform filter has blocked a packet.
Message #
Fields #
| Name | Description |
|---|---|
Direction UnicodeString | [Network Information] Direction Known values |
SourceAddress UnicodeString | [Network Information] Source Address |
DestAddress UnicodeString | [Network Information] Destination Address |
EtherType HexInt32 | [Network Information] EtherType |
MediaType UInt32 | [Network Information] MediaType |
InterfaceType UInt32 | [Network Information] InterfaceType |
VlanTag HexInt32 | [Network Information] VlanTag |
FilterRTID UInt64 | [Filter Information] Filter Run-Time ID |
LayerName UnicodeString | [Filter Information] Layer Name Known values |
LayerRTID UInt64 | [Filter Information] Layer Run-Time ID |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
Event ID 5152: The Windows Filtering Platform blocked a packet.
#Description
The Windows Filtering Platform has blocked a packet.
Message #
Fields #
| Name | Description |
|---|---|
ProcessId UInt64 | Hexadecimal Process ID of the process to which blocked network packet was sent. |
Application UnicodeString | Full path and name of the executable for the process. |
Direction UnicodeString | Direction of the blocked packet: Inbound or Outbound. Known values |
SourceAddress UnicodeString | Local IP address on which application received the packet. |
SourcePort UnicodeString | Port number on which application received the packet. |
DestAddress UnicodeString | [Network Information] Destination Address. |
DestPort UnicodeString | Port number which was used from remote machine to send the packet. |
Protocol UInt32 | [Network Information] Protocol. Known values |
FilterOrigin UnicodeString | [Filter Information] Filter Origin. |
FilterRTID UInt64 | [Filter Information] Filter Run-Time ID. |
LayerName UnicodeString | [Filter Information] Layer Name. Known values |
LayerRTID UInt64 | [Filter Information] Layer Run-Time ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5152,
"version": 1,
"level": 0,
"task": 12809,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2026-03-13T20:18:50.483625+00:00",
"event_record_id": 16258577,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 3152
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessId": 0,
"Application": "-",
"Direction": "%%14592",
"SourceAddress": "10.2.10.21",
"SourcePort": "5355",
"DestAddress": "10.2.10.11",
"DestPort": "53173",
"Protocol": 17,
"FilterOrigin": "Stealth",
"FilterRTID": 70356,
"LayerName": "%%14597",
"LayerRTID": 13
},
"message": ""
}
Detection Patterns #
Asim Network Session Schema
8 rules
Asim Network Session Schema
Command & Control: Application Layer Protocol
Stealth: Disable or Modify System Firewall
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
IsActive | eq | true | 2 rules | kusto |
ObservableValue | is_not_null | | 2 rules | kusto |
dest_ip | is_not_null | | 2 rules | kusto |
ObservableKey | eq | ipv4-addr:value | 2 rules | kusto |
src_ip | ne | DstIpAddr | 2 rules | kusto |
src_ip | cidr_match | 127.0.0.0/8 | 1 rule | elastic, kusto, sigma |
src_ip | cidr_match | 169.254.0.0/16 | 1 rule | kusto, sigma |
src_ip | cidr_match | 10.0.0.0/8 | 1 rule | kusto, sigma |
src_ip | cidr_match | 172.16.0.0/12 | 1 rule | kusto, sigma |
src_ip | cidr_match | 192.168.0.0/16 | 1 rule | kusto, sigma |
SourceSystem | eq | Google Threat Intelligence | 1 rule | kusto |
ValidUntil | is_null | | 1 rule | kusto |
description | starts_with | Recorded Future - Threat Hunt | 1 rule | kusto |
process_name | eq | elastic-endpoint.exe | 1 rule | elastic |
process_name | eq | esensor.exe | 1 rule | elastic |
Community Notes #
Prefer 5157 when both are available as it is per-connection.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5152
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5152.yml
Event ID 5153: A more restrictive Windows Filtering Platform filter has blocked a packet.
#Description
A more restrictive Windows Filtering Platform filter has blocked a packet.
Message #
Fields #
| Name | Description |
|---|---|
ProcessId UInt64 | [Application Information] Process ID |
Application UnicodeString | [Application Information] Application Name |
Direction UnicodeString | [Network Information] Direction Known values |
SourceAddress UnicodeString | [Network Information] Source Address |
SourcePort UnicodeString | [Network Information] Source Port |
DestAddress UnicodeString | [Network Information] Destination Address |
DestPort UnicodeString | [Network Information] Destination Port |
Protocol UInt32 | [Network Information] Protocol Known values |
FilterOrigin UnicodeString | [Filter Information] Filter Origin |
FilterRTID UInt64 | [Filter Information] Filter Run-Time ID |
LayerName UnicodeString | [Filter Information] Layer Name Known values |
LayerRTID UInt64 | [Filter Information] Layer Run-Time ID |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop
Event ID 5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
#Description
The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Message #
Fields #
| Name | Description |
|---|---|
ProcessId UInt64 | Hexadecimal Process ID of the process which was permitted to listen on the port. |
Application UnicodeString | [Application Information] Application Name. |
SourceAddress UnicodeString | Local IP address on which application requested to listen on the port. |
SourcePort UnicodeString | Source TCP\UDP port number which was requested for listening by application. |
Protocol UInt32 | [Network Information] Protocol. Known values |
FilterRTID UInt64 | Unique filter ID which allows application to listen on the specific port. |
LayerName UnicodeString | [Filter Information] Layer Name. Known values |
LayerRTID UInt64 | [Filter Information] Layer Run-Time ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5154,
"version": 0,
"level": 0,
"task": 12810,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-12T01:42:03.150814+00:00",
"event_record_id": 2727618,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 8992
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessId": 764,
"Application": "\\device\\harddiskvolume4\\users\\localuser\\appdata\\local\\microsoft\\onedrive\\26.026.0209.0004\\onedrive.sync.service.exe",
"SourceAddress": "::1",
"SourcePort": "42050",
"Protocol": 6,
"FilterRTID": 0,
"LayerName": "%%14609",
"LayerRTID": 42
},
"message": ""
}
Detection Patterns #
Asim Network Session Schema
Command & Control: Application Layer Protocol
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
IsActive | eq | true | 2 rules | kusto |
ObservableValue | is_not_null | | 2 rules | kusto |
dest_ip | is_not_null | | 2 rules | kusto |
ObservableKey | eq | ipv4-addr:value | 2 rules | kusto |
src_ip | ne | DstIpAddr | 2 rules | kusto |
src_ip | cidr_match | 127.0.0.0/8 | 1 rule | elastic, kusto, sigma |
src_ip | cidr_match | 169.254.0.0/16 | 1 rule | kusto, sigma |
src_ip | cidr_match | 10.0.0.0/8 | 1 rule | kusto, sigma |
src_ip | cidr_match | 172.16.0.0/12 | 1 rule | kusto, sigma |
src_ip | cidr_match | 192.168.0.0/16 | 1 rule | kusto, sigma |
SourceSystem | eq | Google Threat Intelligence | 1 rule | kusto |
ValidUntil | is_null | | 1 rule | kusto |
description | starts_with | Recorded Future - Threat Hunt | 1 rule | kusto |
Community Notes #
Detects unexpected service binds; often precedes C2 beaconing.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5154
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5154.yml
Event ID 5155: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
#Description
The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Message #
Fields #
| Name | Description |
|---|---|
ProcessId UInt64 | Hexadecimal Process ID (PID) of the process which was permitted to bind to the local port. |
Application UnicodeString | [Application Information] Application Name. |
SourceAddress UnicodeString | The local IP address of the computer running the application. |
SourcePort UnicodeString | [Network Information] Source Port. |
Protocol UInt32 | [Network Information] Protocol. Known values |
FilterRTID UInt64 | A unique filter ID which blocks the application from binding to the port. |
LayerName UnicodeString | [Filter Information] Layer Name. Known values |
LayerRTID UInt64 | [Filter Information] Layer Run-Time ID. |
Detection Patterns #
Asim Network Session Schema
Command & Control: Application Layer Protocol
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
IsActive | eq | true | 2 rules | kusto |
ObservableValue | is_not_null | | 2 rules | kusto |
dest_ip | is_not_null | | 2 rules | kusto |
ObservableKey | eq | ipv4-addr:value | 2 rules | kusto |
src_ip | ne | DstIpAddr | 2 rules | kusto |
src_ip | cidr_match | 127.0.0.0/8 | 1 rule | elastic, kusto, sigma |
src_ip | cidr_match | 169.254.0.0/16 | 1 rule | kusto, sigma |
src_ip | cidr_match | 10.0.0.0/8 | 1 rule | kusto, sigma |
src_ip | cidr_match | 172.16.0.0/12 | 1 rule | kusto, sigma |
src_ip | cidr_match | 192.168.0.0/16 | 1 rule | kusto, sigma |
SourceSystem | eq | Google Threat Intelligence | 1 rule | kusto |
ValidUntil | is_null | | 1 rule | kusto |
description | starts_with | Recorded Future - Threat Hunt | 1 rule | kusto |
References #
Event ID 5156: The Windows Filtering Platform has permitted a connection.
#Description
The Windows Filtering Platform has permitted a connection.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
ProcessID UInt64 | Hexadecimal Process ID of the process which received the connection. | |
Application UnicodeString | [Application Information] Application Name. | 15 |
Direction UnicodeString | [Network Information] Direction. Known values | 1 |
SourceAddress UnicodeString | [Network Information] Source Address. | 2 |
SourcePort UnicodeString | Port number from which the connection was initiated. | 1 |
DestAddress UnicodeString | [Network Information] Destination Address. | 2 |
DestPort UnicodeString | [Network Information] Destination Port. | 4 |
Protocol UInt32 | [Network Information] Protocol. Known values | |
InterfaceIndex | | |
FilterOrigin | | 1 |
FilterRTID UInt64 | [Filter Information] Filter Run-Time ID. | |
LayerName UnicodeString | [Filter Information] Layer Name. Known values | |
LayerRTID UInt64 | [Filter Information] Layer Run-Time ID. | 1 |
RemoteUserID SID | [Filter Information] Remote User ID. | |
RemoteMachineID SID | [Filter Information] Remote Machine ID. | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5156,
"version": 1,
"level": 0,
"task": 12810,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:08:49.4177045+00:00",
"event_record_id": 3213620,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 4672
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": "896",
"Application": "\\device\\harddiskvolume1\\windows\\system32\\lsass.exe",
"Direction": "%%14592",
"SourceAddress": "10.1.40.21",
"SourcePort": "53695",
"DestAddress": "10.1.40.11",
"DestPort": "49668",
"Protocol": "6",
"InterfaceIndex": "3",
"FilterOrigin": "Unknown",
"FilterRTID": "68110",
"LayerName": "%%14610",
"LayerRTID": "44",
"RemoteUserID": "S-1-0-0",
"RemoteMachineID": "S-1-0-0"
},
"message": "The Windows Filtering Platform has permitted a connection.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t896\r\n\tApplication Name:\t\\device\\harddiskvolume1\\windows\\system32\\lsass.exe\r\n\r\nNetwork Information:\r\n\tDirection:\t\tInbound\r\n\tSource Address:\t\t10.1.40.21\r\n\tSource Port:\t\t53695\r\n\tDestination Address:\t10.1.40.11\r\n\tDestination Port:\t\t49668\r\n\tProtocol:\t\t6\r\n\tInterface Index:\t\t3\r\n\r\nFilter Information:\r\n\tFilter Origin:\t\tUnknown\r\n\tFilter Run-Time ID:\t68110\r\n\tLayer Name:\t\tReceive/Accept\r\n\tLayer Run-Time ID:\t44\r\n\tRemote User ID:\t\tS-1-0-0\r\n\tRemote Machine ID:\tS-1-0-0"
}
Detection Patterns #
Asim Network Session Schema
9 rules
Asim Network Session Schema
Adws Connection
Lateral Movement: Distributed Component Object Model
Command & Control: Application Layer Protocol
1 rule
1 rule
Execution: Exploitation for Client Execution
Lateral Movement: SMB/Windows Admin Shares
1 rule
Lateral Movement: Exploitation of Remote Services
Collection: Data from Local System
1 rule
Exfiltration: Exfiltration Over Alternative Protocol
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
EventType | eq | ConnectionSuccess | 5 rules | kusto |
dest_ip | is_not_null | | 3 rules | kusto |
EventType | eq | ProcessCreated | 2 rules | kusto |
DestinationPort | eq | 9389 | 2 rules | elastic, kusto, sigma, splunk |
DestinationPort | eq | 5985 | 2 rules | chronicle, sigma |
DestinationPort | eq | 5986 | 2 rules | chronicle, sigma |
ObservableKey | eq | ipv4-addr:value | 2 rules | kusto |
src_ip | ne | DstIpAddr | 2 rules | kusto |
src_ip | eq | ::1 | 1 rule | elastic, sigma |
DestinationPort | eq | 80 | 1 rule | kusto, sigma |
parent_process_name | eq | svchost.exe | 1 rule | elastic, kusto, splunk |
Image | ends_with | \thor.exe | 1 rule | sigma |
Image | eq | system | 1 rule | kusto, sigma |
Image | ends_with | \thor64.exe | 1 rule | sigma |
parent_process_name | eq | services.exe | 1 rule | elastic, kusto, splunk |
Community Notes #
Indicates what process (application path) on the local machine made an outbound connection to a specific destination IP and port. Helpful for reviewing connections made by a suspect process.
Detection Rules #
Sigma #
- RDP over Reverse SSH Tunnel WFP source high: Detects svchost hosting RDP termsvcs communicating with the loopback address
- Remote PowerShell Sessions Network Connections (WinRM) source high: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
- Uncommon Outbound Kerberos Connection - Security source medium: Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
Splunk #
- Command and Control Detection (Windows Event Log) source: Detects malicious (like Github repositories or known suspicious IPs) sources based on a list of IPs and domains
- Network Connection with Suspicious Folder (Windows Event Log) source: Detects potential downloads to suspicious file locations like temp, appdata, and downloads
- Potential CVE-2024-21413: Outbound SMB from Outlook (Windows Event Log) source: A critical vulnerability CVE-2024-21413 in Microsoft Outlook, discovered by Check Point, enables remote code execution from merely opening an email containing malicious links, bypassing Outlook's Protected View. This flaw, exploitable…
- Process Connection to Mega - Windows (Windows Event Log) source: Mega is a cloud storage service used by many threat actors due to its use of end-to-end encryption and semi-anonymous payment options. The client application MEGAsync.exe and command-line interface utility MegaCMD allow threat actors to…
- RDP Connection (Windows Event Log) source: This use case looks for when an RDP network connection has been established
- Script Connected to External Destination - Windows (Windows Event Log) source: Adversaries may use scripts to connect to external locations for C2 communications, downloading and executing payloads, data exfiltration, or redirection. This use case detects when a Windows script interpreter (wscript, cscript, mshta,…
- Unexpected Network Connection from System Process (Windows Event Log) source: Threat actors may abuse legitimate system processes that typically lack network functionality to perform malicious network activity, helping evade detection and blend in with normal system behavior. This technique is often associated with…
- wuauclt.exe Network Connection (Windows Event Log) source: wuauclt.exe is the Windows Update client. It can be abused to proxy execution of malicious code as documented in the LOLBAS project. This use case detects network connection events with wuauclt.exe. Connections to Microsoft-owned IPs are…
Kusto #
- Zinc Actor IOCs files - October 2022 source high: Identifies a match across filename and commandline IOC's related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ ↳ also matches Event ID 4688: A new process has been created.
- Suspicious office child process created source: This query obtains a list of downloaded Office documents (doc, xls, etc.) by looking at files written by commonly used web browsers. It then searches for invocations of an Office program by double-clicking on these files. If these processes spawn an uncommon child process this is reported as suspicious. ↳ also matches Event ID 4663: An attempt was made to access an object., Event ID 4688: A new process has been created.
- RITA Beacon Analyzer for Windows Firewall Events source: Below queries analyze Windows Firewall logs and applies RITA beacon analyzer algorithm for C2 beaconing detection.
- Suspicious Network Beacons - Microsoft Defender for Endpoint Aggregated Reports source: Below query detects suspicious beaconing activity by analyzing DeviceNetworkEvents Aggregated Reports telemetry. Use it as a starting point and refine further as it may generate too many results.
- Suspicious Network Beacons - Microsoft Defender(MDE/M365D) source: Below query detects suspicious beaconing activity by analyzing DeviceNetworkEvents data.
- Suspicious Network Connections - Supply Chain Attack source: Below query detects unusual network connections from servers that have 3rd party software installed. You can further improve the query by using a list of servers that have privileges across the whole domain.
- Server Network Connection Anomalies source: Servers have a specific baseline. This makes it easy to create a baseline and detect anomalies. Below queries analyze the network connections made by the specified servers and detect the rare/anomalous ones. You can add process info to the analysis, but it will probably generate more results (different processes for the same IP).
- Potential Kerberos Relaying Activity - MDE source: The below query detects potential Kerberos relaying event chain generated by KrbRelay. ↳ also matches Event ID 4688: A new process has been created.
YARA-L #
- Potential Remote PowerShell Session Initiated source: Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicate a remote PowerShell connection.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5156
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-5156-wfp-permitted.md
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5156_v1.yml
Event ID 5157: The Windows Filtering Platform has blocked a connection.
#Description
The Windows Filtering Platform has blocked a connection.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
ProcessID UInt64 | Hexadecimal Process ID of the process that attempted to create the connection. | |
Application UnicodeString | [Application Information] Application Name. | 69 |
Direction UnicodeString | [Network Information] Direction. Known values | |
SourceAddress UnicodeString | Local IP address on which application received the connection. | |
SourcePort UnicodeString | Port number on which application received the connection. | |
DestAddress UnicodeString | [Network Information] Destination Address. | |
DestPort UnicodeString | Port number which was used from remote machine to initiate connection. | |
Protocol UInt32 | [Network Information] Protocol. Known values | |
InterfaceIndex UInt32 | [Network Information] Interface Index. | |
FilterOrigin UnicodeString | [Filter Information] Filter Origin. | |
FilterRTID UInt64 | [Filter Information] Filter Run-Time ID. | |
LayerName UnicodeString | [Filter Information] Layer Name. Known values | |
LayerRTID UInt64 | [Filter Information] Layer Run-Time ID. | |
RemoteUserID SID | [Filter Information] Remote User ID. | |
RemoteMachineID SID | [Filter Information] Remote Machine ID. | |
OriginalProfile UnicodeString | [Filter Information] Original Profile. | |
CurrentProfile UnicodeString | [Filter Information] Current Profile. | |
IsLoopback UnicodeString | [Filter Information] Is Loopback. | |
HasRemoteDynamicKeywordAddress UnicodeString | [Filter Information] Has Remote Dynamic Keyword Address. | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5157,
"version": 3,
"level": 0,
"task": 12810,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2026-03-11T06:32:07.887002+00:00",
"event_record_id": 2461636,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 352
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": 6872,
"Application": "\\device\\harddiskvolume4\\windows\\system32\\svchost.exe",
"Direction": "%%14592",
"SourceAddress": "172.18.253.78",
"SourcePort": "37359",
"DestAddress": "172.18.240.1",
"DestPort": "53",
"Protocol": 17,
"InterfaceIndex": 12,
"FilterOrigin": "Quarantine Default",
"FilterRTID": 66241,
"LayerName": "%%14610",
"LayerRTID": 44,
"RemoteUserID": "S-1-0-0",
"RemoteMachineID": "S-1-0-0",
"OriginalProfile": "%%14643",
"CurrentProfile": "%%14643",
"IsLoopback": "%%1826",
"HasRemoteDynamicKeywordAddress": "%%1826"
},
"message": ""
}
Detection Patterns #
Asim Network Session Schema
Command & Control: Application Layer Protocol
Stealth: Disable or Modify System Firewall
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
dest_ip | is_not_null | | 2 rules | kusto |
ObservableKey | eq | ipv4-addr:value | 2 rules | kusto |
src_ip | ne | DstIpAddr | 2 rules | kusto |
src_ip | cidr_match | 169.254.0.0/16 | 1 rule | kusto, sigma |
Image | ends_with | \mssense.exe | 1 rule | sigma |
src_ip | cidr_match | 10.0.0.0/8 | 1 rule | kusto, sigma |
src_ip | cidr_match | 172.16.0.0/12 | 1 rule | kusto, sigma |
src_ip | cidr_match | 192.168.0.0/16 | 1 rule | kusto, sigma |
process_name | eq | elastic-endpoint.exe | 1 rule | elastic |
process_name | eq | esensor.exe | 1 rule | elastic |
process_name | eq | msmpeng.exe | 1 rule | elastic |
Detection Rules #
Sigma #
- Windows Filtering Platform Blocked Connection From EDR Agent Binary source high: Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.
Splunk #
- WFP Blocked Connection from EDR Agent (Windows Event Log) source: Threat actors may abuse WFP filters to prevent EDR agents from reporting security events, as observed with tools like EDRSilencer or EDRNoisemaker. This use case detects when the Windows Filtering Platform blocks a connective event…
References #
Event ID 5158: The Windows Filtering Platform has permitted a bind to a local port.
#Description
This event generates every time Windows Filtering Platform permits an application or service to bind to a local port.
Message #
Fields #
| Name | Description |
|---|---|
ProcessId UInt64 | Hexadecimal Process ID of the process which was permitted to bind to the local port. |
Application UnicodeString | [Application Information] Application Name. |
SourceAddress UnicodeString | Local IP address to which the application bound the port. |
SourcePort UnicodeString | [Network Information] Source Port. |
Protocol UInt32 | [Network Information] Protocol. Known values |
FilterRTID UInt64 | Unique filter ID which allows the application to bind the port. |
LayerName UnicodeString | [Filter Information] Layer Name. Known values |
LayerRTID UInt64 | [Filter Information] Layer Run-Time ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5158,
"version": 0,
"level": 0,
"task": 12810,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T14:08:44.1796221+00:00",
"event_record_id": 3213525,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 2064
},
"channel": "Security",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessId": "3932",
"Application": "\\device\\harddiskvolume1\\windows\\adws\\microsoft.activedirectory.webservices.exe",
"SourceAddress": "0.0.0.0",
"SourcePort": "57865",
"Protocol": "6",
"FilterRTID": "0",
"LayerName": "%%14608",
"LayerRTID": "36"
},
"message": "The Windows Filtering Platform has permitted a bind to a local port.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t3932\r\n\tApplication Name:\t\\device\\harddiskvolume1\\windows\\adws\\microsoft.activedirectory.webservices.exe\r\n\r\nNetwork Information:\r\n\tSource Address:\t\t0.0.0.0\r\n\tSource Port:\t\t57865\r\n\tProtocol:\t\t6\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t0\r\n\tLayer Name:\t\tResource Assignment\r\n\tLayer Run-Time ID:\t36"
}
Detection Patterns #
Asim Network Session Schema
Command & Control: Application Layer Protocol
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
dest_ip | is_not_null | | 2 rules | kusto |
ObservableKey | eq | ipv4-addr:value | 2 rules | kusto |
src_ip | ne | DstIpAddr | 2 rules | kusto |
src_ip | cidr_match | 10.0.0.0/8 | 1 rule | kusto, sigma |
src_ip | cidr_match | 172.16.0.0/12 | 1 rule | kusto, sigma |
src_ip | cidr_match | 192.168.0.0/16 | 1 rule | kusto, sigma |
Community Notes #
Unexpected binds on high ports may be a prelude to data exfiltration.
References #
Event ID 5159: The Windows Filtering Platform has blocked a bind to a local port.
#Description
The Windows Filtering Platform has blocked a bind to a local port.
Message #
Fields #
| Name | Description |
|---|---|
ProcessId UInt64 | Hexadecimal Process ID of the process which was permitted to bind to the local port. |
Application UnicodeString | [Application Information] Application Name. |
SourceAddress UnicodeString | The local IP address of the computer running the application. |
SourcePort UnicodeString | [Network Information] Source Port. |
Protocol UInt32 | [Network Information] Protocol. Known values |
FilterRTID UInt64 | Unique filter ID which blocks the application from binding to the port. |
LayerName UnicodeString | [Filter Information] Layer Name. Known values |
LayerRTID UInt64 | [Filter Information] Layer Run-Time ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5159,
"version": 0,
"level": 0,
"task": 12810,
"opcode": 0,
"keywords": -9218868437227405312,
"time_created": "2026-05-30T14:09:50.4393548+00:00",
"event_record_id": 23555454,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 10140
},
"channel": "Security",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessId": "11692",
"Application": "\\device\\harddiskvolume1\\windows\\system32\\wsmprovhost.exe",
"SourceAddress": "127.0.0.1",
"SourcePort": "53999",
"Protocol": "6",
"FilterRTID": "79026",
"LayerName": "%%14608",
"LayerRTID": "36"
},
"message": "The Windows Filtering Platform has blocked a bind to a local port.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t11692\r\n\tApplication Name:\t\\device\\harddiskvolume1\\windows\\system32\\wsmprovhost.exe\r\n\r\nNetwork Information:\r\n\tSource Address:\t\t127.0.0.1\r\n\tSource Port:\t\t53999\r\n\tProtocol:\t\t6\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t79026\r\n\tLayer Name:\t\tResource Assignment\r\n\tLayer Run-Time ID:\t36"
}
Detection Patterns #
Asim Network Session Schema
Command & Control: Application Layer Protocol
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
dest_ip | is_not_null | | 2 rules | kusto |
ObservableKey | eq | ipv4-addr:value | 2 rules | kusto |
src_ip | ne | DstIpAddr | 2 rules | kusto |
References #
Event ID 5160: The Windows Filtering Platform Audit Mode has allowed a connection or packet that would have been blocked.
#Description
The Windows Filtering Platform Audit Mode has allowed a connection or packet that would have been blocked.
Message #
Fields #
| Name | Description |
|---|---|
ProcessID UInt64 | |
Application UnicodeString | |
Direction UnicodeString | Known values |
SourceAddress UnicodeString | |
SourcePort UnicodeString | |
DestAddress UnicodeString | |
DestPort UnicodeString | |
Protocol UInt32 | Known values |
InterfaceIndex UInt32 | |
FilterOrigin UnicodeString | |
FilterRTID UInt64 | |
LayerName UnicodeString | Known values |
LayerRTID UInt64 | |
RemoteUserID SID | |
RemoteMachineID SID | |
OriginalProfile UnicodeString | |
CurrentProfile UnicodeString | |
IsLoopback UnicodeString | |
HasRemoteDynamicKeywordAddress UnicodeString | |
FirewallPolicyStore UnicodeString | |
Modifiable UnicodeString | |
CalloutInvolved UnicodeString | |
CalloutID UInt32 | |
Event ID 5168: SPN check for SMB/SMB2 fails.
#Description
SPN check for SMB/SMB2 fails.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of the account for which the SPN check failed. |
SubjectUserName UnicodeString | The name of the account for which the SPN check failed. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
SpnName UnicodeString | SPN which was used to access the server. |
ErrorCode HexInt32 | Hexadecimal error code, for example "0xC0000022" = STATUS_ACCESS_DENIED. |
ServerNames UnicodeString | Information about possible server names to use to access the target server (NETBIOS, DNS, localhost, etc.). |
ConfiguredNames UnicodeString | Information about the names which were provided for validation. |
IpAddresses UnicodeString | Information about possible IP addresses to use to access the target server (IPv4, IPv6). |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5168
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5168.yml
Event ID 5169: A directory service object was modified.
#Description
A directory service object was modified.
Message #
Fields #
| Name | Description |
|---|---|
OpCorrelationID GUID | [Operation] Correlation ID |
AppCorrelationID UnicodeString | [Operation] Application Correlation ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
DSName UnicodeString | [Directory Service] Name |
DSType UnicodeString | [Directory Service] Type. Known values |
ObjectDN UnicodeString | [Object] DN |
ObjectGUID GUID | [Object] GUID |
ObjectClass UnicodeString | [Object] Class |
AttributeLDAPDisplayName UnicodeString | [Attribute] LDAP Display Name |
AttributeSyntaxOID UnicodeString | [Attribute] Syntax (OID) |
AttributeValue UnicodeString | [Attribute] Value |
ExpirationTime FILETIME | [Attribute] Expiration Time |
OperationType UnicodeString | [Operation] Type. Known values |
Event ID 5170: A directory service object was modified during a background cleanup task.
#Description
A directory service object was modified during a background cleanup task.
Message #
Fields #
| Name | Description |
|---|---|
OpCorrelationID GUID | [Operation] Correlation ID |
AppCorrelationID UnicodeString | [Operation] Application Correlation ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
DSName UnicodeString | [Directory Service] Name |
DSType UnicodeString | [Directory Service] Type. Known values |
ObjectDN UnicodeString | [Object] DN |
ObjectGUID GUID | [Object] GUID |
ObjectClass UnicodeString | [Object] Class |
AttributeLDAPDisplayName UnicodeString | [Attribute] LDAP Display Name |
AttributeSyntaxOID UnicodeString | [Attribute] Syntax (OID) |
AttributeValue UnicodeString | [Attribute] Value |
ExpirationTime FILETIME | [Attribute] Expiration Time |
OperationType UnicodeString | [Operation] Type. Known values |
Event ID 5376: Credential Manager credentials were backed up.
#Description
This event generates every time the user (Subject) successfully backs up the credential manager database.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that performed the restore operation. |
SubjectUserName UnicodeString | The name of the account that performed the restore operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
BackupFileName UnicodeString | [Subject] BackupFileName. |
ProcessCreationTime FILETIME | |
ClientProcessId UInt32 | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5376,
"version": 1,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-09-24T19:57:32.266266+00:00",
"event_record_id": 150002,
"correlation": {
"ActivityID": "B2946CF1-CF76-0001-5C6D-94B276CFD801"
},
"execution": {
"process_id": 804,
"thread_id": 5832
},
"channel": "Security",
"computer": "GUAPOS-PC",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-3960598978-2723104146-531989891-1001",
"SubjectUserName": "FOXTWO",
"SubjectDomainName": "GUAPOS-PC",
"SubjectLogonId": 894283,
"BackupFileName": "C:\\Windows\\TEMP\\CRD46C3.tmp",
"ProcessCreationTime": 1664049447.1706607,
"ClientProcessId": 5400
},
"message": "Credential Manager credentials were backed up.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3960598978-2723104146-531989891-1001\n\tAccount Name:\t\tFOXTWO\n\tAccount Domain:\t\tGUAPOS-PC\n\tLogon ID:\t\t894283\n\tBackupFileName:\t\tC:\\Windows\\TEMP\\CRD46C3.tmp\n\nThis event occurs when a user backs up their own Credential Manager credentials. A user (even an Administrator) cannot back up the credentials of an account other than his own."
}
Community Notes #
Backup of the Credential Manager vault; shows a user exporting stored passwords and keys. Often precedes lateral movement or exfiltration.
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5376.yml
Event ID 5377: Credential Manager credentials were restored from a backup.
#Description
This event generates every time the user (Subject) successfully restores the credential manager database.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that performed the restore operation. |
SubjectUserName UnicodeString | The name of the account that performed the restore operation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
BackupFileName UnicodeString | Path of the backup file the credentials were restored from. |
ProcessCreationTime FILETIME | Creation time of the client process that performed the restore. |
ClientProcessId UInt32 | Process ID of the client process that performed the restore. |
Community Notes #
Credential Manager credentials were restored from a backup. Outside of profile migration this is rare; it may indicate that a vault exported from another host (possibly a stolen one) is being imported. Correlate BackupFileName with file-creation telemetry on this host and with a preceding 5376 on the host the backup came from.
References #
Event ID 5378: The requested credentials delegation was disallowed by policy.
#Description
The requested credentials delegation was disallowed by policy.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that requested credentials delegation. |
SubjectUserName UnicodeString | The name of the account that requested credentials delegation. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
Package UnicodeString | [Credential Delegation Information] Security Package. |
UserUPN UnicodeString | [Credential Delegation Information] User's UPN. |
TargetServer UnicodeString | [Credential Delegation Information] Target Server. |
CredType UnicodeString | [Credential Delegation Information] Credential Type. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5378
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5378.yml
Event ID 5379: Credential Manager credentials were read.
#Description
This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid SID | SID of account that performed a read operation on stored credentials in CM. | |
SubjectUserName UnicodeString | The name of the account that performed a read operation on stored credentials in CM. | |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. | |
TargetName UnicodeString | Stored credentials that were read. | 13 |
Type UInt32 | ||
CountOfCredentialsReturned UInt32 | Number of credentials returned by the read (0 in the example below). | |
ReadOperation UnicodeString | [Subject] Read Operation. Known values: %%8100, rendered as "Enumerate Credentials" in the formatted message (see the example event below). | |
ReturnCode UInt32 | NTSTATUS of the read, logged in decimal; 3221226021 in the example below is 0xC0000225, STATUS_NOT_FOUND. | |
ProcessCreationTime FILETIME | Creation time of the client process that performed the read. | |
ClientProcessId UInt32 | Process ID of the client process that performed the read. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5379,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T05:14:51.1394534+00:00",
"event_record_id": 2627764,
"correlation": {
"ActivityID": "{5FF94DC5-EF8A-0001-304E-F95F8AEFDC01}"
},
"execution": {
"process_id": 816,
"thread_id": 7608
},
"channel": "Security",
"computer": "telemetry-DC-b.cell-b.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-B$",
"SubjectDomainName": "cell-b",
"SubjectLogonId": "0x3e7",
"TargetName": "MicrosoftAccount:user=02sjgunjlchdgook",
"Type": "0",
"CountOfCredentialsReturned": "0",
"ReadOperation": "%%8100",
"ReturnCode": "3221226021",
"ProcessCreationTime": "2026-06-13T05:14:50.6021504Z",
"ClientProcessId": "2828"
},
"message": "Credential Manager credentials were read.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-B$\r\n\tAccount Domain:\t\tcell-b\r\n\tLogon ID:\t\t0x3E7\r\n\tRead Operation:\t\tEnumerate Credentials\r\n\r\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager."
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
TargetName | contains | microsoft_windows_shell_zipfolder:filename | 3 rules | sigma |
TargetName | contains | \temporary internet files\content.outlook | 2 rules | sigma |
Community Notes #
Credential Manager credentials were read. This is a high-volume event and most of it is benign: the example above is the machine account (S-1-5-18) enumerating credentials and getting none back (CountOfCredentialsReturned 0, ReturnCode 3221226021 = 0xC0000225, STATUS_NOT_FOUND). Baseline reads per SubjectUserName and ClientProcessId before alerting on volume; many successful reads of distinct TargetName values from one user process in a short window is the pattern that suggests automated credential theft, and TargetName substrings (as the ZIP-folder rules below use) give higher-fidelity matches.
Detection Rules #
View all rules referencing this event →
Sigma # view in coverage
- Password Protected ZIP File Opened source medium: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
- Password Protected ZIP File Opened (Suspicious Filenames) source high: Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
- Password Protected ZIP File Opened (Email Attachment) source high: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
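The TargetName predicates from the Common Indicators table and the volume caveat from the Community Notes, worked as an added example (my code, not the page's and not any vendor's rule): it decodes ReturnCode as an NTSTATUS, resolves the %%8100 resource string, applies the two substring predicates and counts successful reads per client process over a constructed set of 5379 records. The sample records, the pairing of each predicate with a single rule title, the threshold of 10 and the TERMSRV/ target names are assumptions made for illustration.

```python
"""Triage of Event ID 5379 records (Credential Manager credentials were read).

Added example for this page; not code from any vendor's rule set.
"""
from collections import Counter

# Resource-string ID observed in the page's example event: %%8100 is rendered as
# "Enumerate Credentials" in the formatted message. Other IDs are not documented
# on the page and are passed through unchanged.
READ_OPERATION = {"%%8100": "Enumerate Credentials"}

# Substring predicates from the Common Indicators table (case-insensitive on
# TargetName), each paired with one of the Sigma titles listed on the page
# (assumption: the real rules combine predicates differently).
TARGET_NAME_INDICATORS = {
    "microsoft_windows_shell_zipfolder:filename": "Password Protected ZIP File Opened",
    "\\temporary internet files\\content.outlook": "Password Protected ZIP File Opened (Email Attachment)",
}


def decode_return_code(value):
    """ReturnCode is logged in decimal but is an NTSTATUS. Severity bits (top two)
    equal to 0b11 mean an error; 3221226021 from the page's example is
    0xC0000225, STATUS_NOT_FOUND."""
    code = int(value) & 0xFFFFFFFF
    return {"hex": "0x%08X" % code, "failed": (code >> 30) == 0b11}


def target_name_hits(event):
    """Rule titles whose TargetName predicate matches this event."""
    target = str(event.get("TargetName", "")).lower()
    return [rule for needle, rule in TARGET_NAME_INDICATORS.items() if needle in target]


def describe(event):
    """One-line analyst summary with the resource string and status resolved."""
    op = event.get("ReadOperation", "")
    rc = decode_return_code(event.get("ReturnCode", 0))
    return "%s pid=%s %s target=%r returned=%s status=%s%s" % (
        event.get("SubjectUserName"), event.get("ClientProcessId"),
        READ_OPERATION.get(op, op), event.get("TargetName", ""),
        event.get("CountOfCredentialsReturned", "0"), rc["hex"],
        " (failed)" if rc["failed"] else "")


def triage(events, read_threshold=10):
    """Return (indicator_hits, noisy_processes).

    indicator_hits: (EventRecordId, rule title, TargetName) per predicate match.
    noisy_processes: {(SubjectUserName, ClientProcessId): n} for client processes
      with more than read_threshold successful reads that returned a credential.
      Failed reads and reads returning nothing (the SYSTEM enumeration pattern in
      the page's example) carry no secret and are not counted.
    """
    hits, reads = [], Counter()
    for ev in events:
        for rule in target_name_hits(ev):
            hits.append((ev["EventRecordId"], rule, ev["TargetName"]))
        if decode_return_code(ev.get("ReturnCode", 0))["failed"]:
            continue
        if int(ev.get("CountOfCredentialsReturned", 0)) == 0:
            continue
        reads[(ev["SubjectUserName"], ev["ClientProcessId"])] += 1
    noisy = {key: n for key, n in reads.items() if n > read_threshold}
    return hits, noisy


def _rec(record_id, user, pid, target, op="", returned="1", rc="0"):
    # Build a constructed event_data record using the page's field names.
    return {"EventRecordId": record_id, "SubjectUserName": user, "ClientProcessId": pid,
            "TargetName": target, "ReadOperation": op,
            "CountOfCredentialsReturned": returned, "ReturnCode": rc}


# Constructed sample: the page's SYSTEM enumeration, two ZIP-folder reads (one from
# an Outlook attachment folder) and a burst of reads by a single user process.
SAMPLE_EVENTS = [
    _rec(2627764, "TELEMETRY-DC-B$", "2828", "MicrosoftAccount:user=02sjgunjlchdgook",
         op="%%8100", returned="0", rc="3221226021"),
    _rec(2627801, "FOXTWO", "7712",
         "Microsoft_Windows_Shell_ZipFolder:filename=C:\\Users\\foxtwo\\Downloads\\invoice.zip"),
    _rec(2627802, "FOXTWO", "7712",
         "Microsoft_Windows_Shell_ZipFolder:filename=C:\\Users\\foxtwo\\AppData\\Local\\Microsoft\\Windows"
         "\\Temporary Internet Files\\Content.Outlook\\1A2B3C4D\\invoice.zip"),
] + [_rec(2627900 + i, "FOXTWO", "4120", "TERMSRV/srv%02d" % i) for i in range(12)]


if __name__ == "__main__":
    hits, noisy = triage(SAMPLE_EVENTS)
    for ev in SAMPLE_EVENTS[:3]:
        print(describe(ev))
    for hit in hits:
        print("indicator:", hit)
    print("high-volume readers:", noisy)
```

The Outlook attachment record matches both substrings, which is why it produces two hits; the SYSTEM enumeration produces none and is not counted toward volume because it failed and returned nothing.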
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5379
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5379.yml
Event ID 5380: Vault Find Credential.
#Description
Vault Find Credential. Logged when a caller searches the vault for credentials (SearchString, optionally restricted to a Schema); CountOfCredentialsReturned is the number of matches.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
SearchString UnicodeString | |
SchemaFriendlyName UnicodeString | |
Schema GUID | |
CountOfCredentialsReturned UInt32 | |
ProcessCreationTime FILETIME | |
ClientProcessId UInt32 |
Event ID 5381: Vault credentials were read.
#Description
Vault credentials were read. Per the event message, this event occurs when a user enumerates stored vault credentials (compare 5382, which is logged for the read of a single stored vault credential).
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
Flags UInt32 | |
CountOfCredentialsReturned UInt32 | Number of vault credentials enumerated (1 in the example below). |
ProcessCreationTime FILETIME | Creation time of the client process that performed the enumeration. |
ClientProcessId UInt32 | Process ID of the client process that performed the enumeration. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5381,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-09-24T20:05:50.571779+00:00",
"event_record_id": 150026,
"correlation": {},
"execution": {
"process_id": 804,
"thread_id": 5636
},
"channel": "Security",
"computer": "GUAPOS-PC",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-3960598978-2723104146-531989891-1001",
"SubjectUserName": "FOXTWO",
"SubjectDomainName": "GUAPOS-PC",
"SubjectLogonId": 894283,
"Flags": 0,
"CountOfCredentialsReturned": 1,
"ProcessCreationTime": 1664049942.3177185,
"ClientProcessId": 10620
},
"message": "Vault credentials were read.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3960598978-2723104146-531989891-1001\n\tAccount Name:\t\tFOXTWO\n\tAccount Domain:\t\tGUAPOS-PC\n\tLogon ID:\t\t894283\n\nThis event occurs when a user enumerates stored vault credentials."
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5382: Vault credentials were read.
#Description
Vault credentials were read. Per the event message, this event occurs when a user reads a stored vault credential; Resource and Identity name what was read (Resource is the URL for web credentials, which is what the "Resource starts_with http" indicator below keys on).
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid SID | [Subject] Security ID | |
SubjectUserName UnicodeString | [Subject] Account Name | |
SubjectDomainName UnicodeString | [Subject] Account Domain | |
SubjectLogonId HexInt64 | [Subject] Logon ID | |
SchemaFriendlyName UnicodeString | Friendly name of the vault schema the credential belongs to. | |
Schema GUID | GUID of that vault schema. | |
Resource UnicodeString | Resource the credential is stored for: a URL for web credentials (what the "Resource starts_with http" indicator below keys on), otherwise a vault resource name as in the example below. | 1 |
Identity UnicodeString | Identity the credential is stored for; in the example below it is a hex-encoded binary SID. | 1 |
PackageSid UnicodeString | Package SID associated with the read (empty in the example below). | |
Flags UInt32 | ||
ReturnCode UInt32 | Win32 error code of the read; 0 on success. 1168 in the example below is ERROR_NOT_FOUND, so that read returned nothing. | |
ProcessCreationTime FILETIME | Creation time of the client process that performed the read. | |
ClientProcessId UInt32 | Process ID of the client process that performed the read. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5382,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-28T12:08:16.9460514+00:00",
"event_record_id": 193082,
"correlation": {},
"execution": {
"process_id": 736,
"thread_id": 5236
},
"channel": "Security",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-D$",
"SubjectDomainName": "cell-d",
"SubjectLogonId": "0x3e7",
"SchemaFriendlyName": "NGC Local Accoount Logon Vault Resource Schema",
"Schema": "{1d4350a3-330d-4af9-b3ff-a927a45998ac}",
"Resource": "NGC Local Accoount Logon Vault Resource",
"Identity": "0105000000000005150000002CEB013C77E92B81704FF55751040000",
"PackageSid": "",
"Flags": "0",
"ReturnCode": "1168",
"ProcessCreationTime": "2026-05-28T12:08:16.0370643Z",
"ClientProcessId": "6100"
},
"message": "Vault credentials were read.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x3E7\r\n\r\nThis event occurs when a user reads a stored vault credential."
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
Resource | starts_with | http | 2 rules | elastic, sigma |
Detection Rules #
View all rules referencing this event →
Sigma # view in coverage
- Vault credentials manager accessed source medium: Detects scenarios where an attacker attempts to access vault credentials
Elastic # view in coverage
- Multiple Vault Web Credentials Read source medium: Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.
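An added example (not the page's, Microsoft's, Sigma's or Elastic's code) for working with 5382 event_data: it decodes the Identity value of the example event above as a binary SID, names the ReturnCode, and counts successful reads of web credentials (Resource starting with http) per client process, which is the idea behind the Elastic rule listed above. The web-credential records, the example.test URLs and the threshold are constructed for illustration; the Identity decoding assumes the field is a hex-encoded SID structure, which the layout of the example value (revision 1, five sub-authorities, identifier authority 5) bears out.

```python
"""Working with Event ID 5382 (Vault credentials were read) event_data.

Added example for this page; not code from Microsoft or any rule vendor.
"""
import struct
from collections import Counter

# Win32 error codes seen on this page; 1168 is the page's example ReturnCode.
WIN32_ERRORS = {0: "ERROR_SUCCESS", 1168: "ERROR_NOT_FOUND"}


def sid_from_hex(identity_hex):
    """Decode a hex string holding a binary SID structure: revision (1 byte),
    sub-authority count (1 byte), 6-byte big-endian identifier authority, then
    little-endian 32-bit sub-authorities. Raises ValueError on a malformed blob."""
    raw = bytes.fromhex(identity_hex)
    if len(raw) < 8:
        raise ValueError("SID blob too short: %d bytes" % len(raw))
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID blob (revision %d, %d sub-authorities, %d bytes)"
                         % (revision, count, len(raw)))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def describe_return_code(value):
    """Name the Win32 code where the page documents it; otherwise show the number."""
    code = int(value)
    return WIN32_ERRORS.get(code, "error %d" % code)


def is_web_credential(event):
    """The Common Indicators predicate: Resource starts with http (case-insensitive)."""
    return str(event.get("Resource", "")).lower().startswith("http")


def web_credential_readers(events, threshold):
    """Count successful (ReturnCode 0) web-credential reads per subject and client
    process and return those at or above threshold. Failed reads are excluded
    because no secret was returned."""
    counts = Counter()
    for ev in events:
        if is_web_credential(ev) and int(ev.get("ReturnCode", 0)) == 0:
            counts[(ev["SubjectUserName"], ev["ClientProcessId"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# The page's example event_data (abridged to the fields used here).
PAGE_EXAMPLE = {
    "SubjectUserName": "TELEMETRY-DC-D$", "ClientProcessId": "6100",
    "Resource": "NGC Local Accoount Logon Vault Resource",
    "Identity": "0105000000000005150000002CEB013C77E92B81704FF55751040000",
    "ReturnCode": "1168",
}


def _web(user, pid, url, rc="0"):
    # Constructed web-credential read record in the page's field names.
    return {"SubjectUserName": user, "ClientProcessId": pid, "Resource": url,
            "Identity": "", "ReturnCode": rc}


SAMPLE_EVENTS = [PAGE_EXAMPLE] + [
    _web("FOXTWO", "10620", "https://portal.example.test/"),
    _web("FOXTWO", "10620", "https://mail.example.test/owa/"),
    _web("FOXTWO", "10620", "https://git.example.test/"),
    _web("FOXTWO", "10620", "http://intranet.example.test/"),
    _web("FOXTWO", "10620", "https://vpn.example.test/", rc="1168"),  # failed read, not counted
    _web("FOXTWO", "5512", "https://portal.example.test/"),
]


if __name__ == "__main__":
    print(sid_from_hex(PAGE_EXAMPLE["Identity"]),
          describe_return_code(PAGE_EXAMPLE["ReturnCode"]))
    print(web_credential_readers(SAMPLE_EVENTS, threshold=3))
```

Decoding the example's Identity gives S-1-5-21-1006758700-2167138679-1475694448-1105, a domain account with RID 1105; the read itself failed (ERROR_NOT_FOUND), so on its own it is not evidence that a secret was obtained.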
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382
Event ID 5440: The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
#Description
The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
Message #
Fields #
| Name | Description |
|---|---|
ProviderKey GUID | [Provider Information] ID |
ProviderName UnicodeString | [Provider Information] Name |
CalloutKey GUID | [Callout Information] ID |
CalloutName UnicodeString | [Callout Information] Name |
CalloutType UnicodeString | [Callout Information] Type |
CalloutId UInt32 | [Callout Information] Run-Time ID |
LayerKey GUID | [Layer Information] ID |
LayerName UnicodeString | [Layer Information] Name. Known values include "ALE Receive/Accept v6 Layer" and "ALE Flow Established v6 Layer" (see the example events for 5441 and 5447 on this page). |
LayerId UInt32 | [Layer Information] Run-Time ID |
References #
Event ID 5441: The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
#Description
The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
ProviderKey GUID | [Provider Information] ID | |
ProviderName UnicodeString | [Provider Information] Name | |
FilterKey GUID | [Filter Information] ID | |
FilterName UnicodeString | [Filter Information] Name | 1 |
FilterType UnicodeString | [Filter Information] Type | |
FilterId UInt64 | [Filter Information] Run-Time ID | |
LayerKey GUID | [Layer Information] ID | |
LayerName UnicodeString | [Layer Information] Name. Known values include "ALE Receive/Accept v6 Layer" (example below) and "ALE Flow Established v6 Layer". | |
LayerId UInt32 | [Layer Information] Run-Time ID | |
Weight UInt64 | [Layer Information] Weight | |
Conditions UnicodeString | [Additional Information] Conditions | |
Action UnicodeString | [Additional Information] Filter Action | |
CalloutKey GUID | [Additional Information] Callout ID | |
CalloutName UnicodeString | [Additional Information] Callout Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5441,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:32:54.4982531+00:00",
"event_record_id": 1716190,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 968
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProviderKey": "{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}",
"ProviderName": "Microsoft Corporation",
"FilterKey": "{b98b75dc-17c0-4e84-bd4e-2080527ca6a6}",
"FilterName": "AppContainerBoottimeFilter",
"FilterType": "%%16387",
"FilterId": "67416",
"LayerKey": "{a3b42c97-9f04-4672-b87e-cee9c483257f}",
"LayerName": "ALE Receive/Accept v6 Layer",
"LayerId": "46",
"Weight": "18446744073709551615",
"Conditions": "\n\tCondition ID:\t{632ce23b-5167-435c-86d7-e903684aa80c}\n\tMatch value:\tAll flags set\n\tCondition value:\t0x00400000\n",
"Action": "%%16390",
"CalloutKey": "{00000000-0000-0000-0000-000000000000}",
"CalloutName": "-"
},
"message": "The following filter was present when the Windows Filtering Platform Base Filtering Engine started.\r\n\r\nProvider Information:\t\r\n\tID:\t\t{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}\r\n\tName:\t\tMicrosoft Corporation\r\n\r\nFilter Information:\r\n\tID:\t\t{b98b75dc-17c0-4e84-bd4e-2080527ca6a6}\r\n\tName:\t\tAppContainerBoottimeFilter\r\n\tType:\t\tPersistent\r\n\tRun-Time ID:\t67416\r\n\r\nLayer Information:\r\n\tID:\t\t{a3b42c97-9f04-4672-b87e-cee9c483257f}\r\n\tName:\t\tALE Receive/Accept v6 Layer\r\n\tRun-Time ID:\t46\r\n\tWeight:\t\t18446744073709551615\r\n\t\r\nAdditional Information:\r\n\tConditions:\t\n\tCondition ID:\t{632ce23b-5167-435c-86d7-e903684aa80c}\n\tMatch value:\tAll flags set\n\tCondition value:\t0x00400000\n\r\n\tFilter Action:\tPermit\r\n\tCallout ID:\t{00000000-0000-0000-0000-000000000000}\r\n\tCallout Name:\t-"
}
Detection Patterns #
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5441
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5441
Event ID 5442: The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
#Description
The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
Message #
Fields #
| Name | Description |
|---|---|
ProviderKey GUID | Provider ID |
ProviderName UnicodeString | Provider Name |
ProviderType UnicodeString | Provider Type |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5442,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:32:54.5026697+00:00",
"event_record_id": 1716197,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 968
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProviderKey": "{17171717-1717-1717-1717-171717171717}",
"ProviderName": "RPCFW",
"ProviderType": "%%16387"
},
"message": "The following provider was present when the Windows Filtering Platform Base Filtering Engine started.\r\n\t\r\nProvider ID:\t{17171717-1717-1717-1717-171717171717}\r\nProvider Name:\tRPCFW\r\nProvider Type:\tPersistent"
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5442
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5442
Event ID 5443: The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
#Description
The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
Message #
Fields #
| Name | Description |
|---|---|
ProviderKey GUID | Provider ID |
ProviderName UnicodeString | Provider Name |
ProviderContextKey GUID | Provider Context ID |
ProviderContextName UnicodeString | Provider Context Name |
ProviderContextType UnicodeString | Provider Context Type |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5443,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:32:54.4986713+00:00",
"event_record_id": 1716194,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 968
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProviderKey": "{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}",
"ProviderName": "Microsoft Corporation",
"ProviderContextKey": "{93132c36-6e06-4e6f-a10b-218787cd49cf}",
"ProviderContextName": "MPSSVC",
"ProviderContextType": "%%16387"
},
"message": "The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.\r\n\t\r\nProvider ID:\t{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}\r\nProvider Name:\tMicrosoft Corporation\r\nProvider Context ID:\t{93132c36-6e06-4e6f-a10b-218787cd49cf}\r\nProvider Context Name:\tMPSSVC\r\nProvider Context Type:\tPersistent"
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5443
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5443
Event ID 5444: The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
#Description
The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
Message #
Fields #
| Name | Description |
|---|---|
ProviderKey GUID | Provider ID |
ProviderName UnicodeString | Provider Name |
SubLayerKey GUID | Sub-layer ID |
SubLayerName UnicodeString | Sub-layer Name |
SubLayerType UnicodeString | Sub-layer Type |
Weight UInt32 | Weight |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5444,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:32:54.4985884+00:00",
"event_record_id": 1716192,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 968
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProviderKey": "{17171717-1717-1717-1717-171717171717}",
"ProviderName": "RPCFW",
"SubLayerKey": "{77777777-1717-1717-1717-171717171717}",
"SubLayerName": "RPCFWSublayer",
"SubLayerType": "%%16387",
"Weight": "32769"
},
"message": "The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.\r\n\t\r\nProvider ID:\t{17171717-1717-1717-1717-171717171717}\r\nProvider Name:\tRPCFW\r\nSub-layer ID:\t{77777777-1717-1717-1717-171717171717}\r\nSub-layer Name:\tRPCFWSublayer\r\nSub-layer Type:\tPersistent\r\nWeight:\t\t32769"
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5444
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5444
Event ID 5446: A Windows Filtering Platform callout has been changed.
#Description
A Windows Filtering Platform callout has been changed.
Message #
Fields #
| Name | Description |
|---|---|
ProcessId UInt32 | [Process Information] Process ID |
UserSid SID | [Subject] Security ID |
UserName UnicodeString | [Subject] Account Name |
ProviderKey GUID | [Provider Information] ID |
ProviderName UnicodeString | [Provider Information] Name |
ChangeType UnicodeString | [Change Information] Change Type |
CalloutKey GUID | [Callout Information] ID |
CalloutName UnicodeString | [Callout Information] Name |
CalloutType UnicodeString | [Callout Information] Type |
CalloutId UInt32 | [Callout Information] Run-Time ID |
LayerKey GUID | [Layer Information] ID |
LayerName UnicodeString | [Layer Information] Name. Known values include "ALE Flow Established v6 Layer" (example below) and "ALE Receive/Accept v6 Layer". |
LayerId UInt32 | [Layer Information] Run-Time ID |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5446,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T05:51:41.9871103+00:00",
"event_record_id": 1905148,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 7632
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessId": "6836",
"UserSid": "S-1-5-19",
"UserName": "NT AUTHORITY\\LOCAL SERVICE",
"ProviderKey": "{00000000-0000-0000-0000-000000000000}",
"ProviderName": "-",
"ChangeType": "%%16384",
"CalloutKey": "{31114833-2891-4edd-a8ec-2ff8549aa491}",
"CalloutName": "windefend_flow_established_v6",
"CalloutType": "%%16388",
"CalloutId": "289",
"LayerKey": "{7021d2b3-dfa4-406e-afeb-6afaf7e70efd}",
"LayerName": "ALE Flow Established v6 Layer",
"LayerId": "54"
},
"message": "A Windows Filtering Platform callout has been changed.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\r\n\r\nProcess Information:\r\n\tProcess ID:\t6836\r\n\r\nProvider Information:\r\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\tName:\t\t-\r\n\r\nChange Information:\r\n\tChange Type:\tAdd\r\n\r\nCallout Information:\r\n\tID:\t\t{31114833-2891-4edd-a8ec-2ff8549aa491}\r\n\tName:\t\twindefend_flow_established_v6\r\n\tType:\t\tNot persistent\r\n\tRun-Time ID:\t289\r\n\r\nLayer Information:\r\n\tID:\t\t{7021d2b3-dfa4-406e-afeb-6afaf7e70efd}\r\n\tName:\t\tALE Flow Established v6 Layer\r\n\tRun-Time ID:\t54"
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5446
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5446
Event ID 5447: A Windows Filtering Platform filter has been changed.
#Description
A Windows Filtering Platform filter has been changed.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
ProcessId UInt32 | [Process Information] Process ID. | |
UserSid SID | [Subject] Security ID. | |
UserName UnicodeString | [Subject] Account Name. | |
ProviderKey GUID | [Provider Information] ID. | |
ProviderName UnicodeString | [Provider Information] Name. | |
ChangeType UnicodeString | [Change Information] Change Type. | |
FilterKey GUID | [Filter Information] ID. | |
FilterName UnicodeString | [Filter Information] Name. | 1 |
FilterType UnicodeString | [Filter Information] Type. | |
FilterId UInt64 | [Filter Information] Run-Time ID. | |
LayerKey GUID | [Layer Information] ID. | |
LayerName UnicodeString | [Layer Information] Name. Known values include "ALE Flow Established v6 Layer" (example below) and "ALE Receive/Accept v6 Layer". | |
LayerId UInt32 | [Layer Information] Run-Time ID. | |
Weight UInt64 | [Additional Information] Weight. | |
Conditions UnicodeString | [Additional Information] Conditions. | |
Action UnicodeString | [Additional Information] Filter Action. | |
CalloutKey GUID | [Callout Information] ID. | |
CalloutName UnicodeString | [Callout Information] Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 5447,
"version": 0,
"level": 0,
"task": 13573,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-06-13T05:51:41.9868983+00:00",
"event_record_id": 1905144,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 7632
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessId": "6836",
"UserSid": "S-1-5-19",
"UserName": "NT AUTHORITY\\LOCAL SERVICE",
"ProviderKey": "{00000000-0000-0000-0000-000000000000}",
"ProviderName": "-",
"ChangeType": "%%16384",
"FilterKey": "{4994b7fe-47d8-4ac5-8fa8-77b203c5b640}",
"FilterName": "windefend_flow_established_v6",
"FilterType": "%%16388",
"FilterId": "69778",
"LayerKey": "{7021d2b3-dfa4-406e-afeb-6afaf7e70efd}",
"LayerName": "ALE Flow Established v6 Layer",
"LayerId": "54",
"Weight": "33286004704",
"Conditions": "\n\tCondition ID:\t{8784c146-ca97-44d6-9fd1-19fb1840cbf7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000000\n\n\tCondition ID:\t{8784c146-ca97-44d6-9fd1-19fb1840cbf7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000001\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x11\n",
"Action": "%%16391",
"CalloutKey": "{31114833-2891-4edd-a8ec-2ff8549aa491}",
"CalloutName": "windefend_flow_established_v6"
},
"message": "A Windows Filtering Platform filter has been changed.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\r\n\r\nProcess Information:\r\n\tProcess ID:\t6836\r\n\r\nProvider Information:\r\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\tName:\t\t-\r\n\r\nChange Information:\r\n\tChange Type:\tAdd\r\n\r\nFilter Information:\r\n\tID:\t\t{4994b7fe-47d8-4ac5-8fa8-77b203c5b640}\r\n\tName:\t\twindefend_flow_established_v6\r\n\tType:\t\tNot persistent\r\n\tRun-Time ID:\t69778\r\n\r\nLayer Information:\r\n\tID:\t\t{7021d2b3-dfa4-406e-afeb-6afaf7e70efd}\r\n\tName:\t\tALE Flow Established v6 Layer\r\n\tRun-Time ID:\t54\r\n\r\nCallout Information:\r\n\tID:\t\t{31114833-2891-4edd-a8ec-2ff8549aa491}\r\n\tName:\t\twindefend_flow_established_v6\r\n\r\nAdditional Information:\r\n\tWeight:\t33286004704\t\r\n\tConditions:\t\n\tCondition ID:\t{8784c146-ca97-44d6-9fd1-19fb1840cbf7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000000\n\n\tCondition ID:\t{8784c146-ca97-44d6-9fd1-19fb1840cbf7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000001\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x11\n\r\n\tFilter Action:\tCallout"
}
Detection Patterns #
Stealth: Token Impersonation/Theft
1 rule
Stealth: Impair Defenses
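An added example (not code from Microsoft or any rule vendor) that turns a 5447 record into something a rule can evaluate: it resolves the %%-prefixed resource strings using the renderings visible in the formatted messages of the example events on this page, parses the multi-line Conditions field into structured conditions, and flags deletion of a persistent filter as the kind of change the Impair Defenses pattern above is about. The condition GUID names come from my recollection of the WFP SDK header fwpmu.h, not from the page (check them against your SDK copy), and the deletion record is constructed.

```python
"""Flattening Event ID 5447 (WFP filter changed) records for detection.

Added example for this page; not code from Microsoft or any rule vendor.
"""
import re

# %%IDs -> rendered text, taken from the formatted messages of the 5441, 5446,
# 5447 and 5449 example events on this page.
RESOURCE_STRINGS = {
    "%%16384": "Add", "%%16385": "Delete",
    "%%16387": "Persistent", "%%16388": "Not persistent",
    "%%16390": "Permit", "%%16391": "Callout",
}

# Condition GUIDs as I recall them from fwpmu.h (assumption, not from the page).
# The example's values fit: IP_PROTOCOL 0x06/0x11 are TCP/UDP, DIRECTION 0/1
# are outbound/inbound.
CONDITION_NAMES = {
    "{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}": "FWPM_CONDITION_IP_PROTOCOL",
    "{8784c146-ca97-44d6-9fd1-19fb1840cbf7}": "FWPM_CONDITION_DIRECTION",
    "{632ce23b-5167-435c-86d7-e903684aa80c}": "FWPM_CONDITION_FLAGS",
}

_COND_RE = re.compile(
    r"Condition ID:\s*(\{[0-9a-fA-F-]+\})\s*Match value:\s*([^\n]+?)\s*Condition value:\s*(\S+)")


def resolve(value):
    """Map a %%ID to its text; unknown IDs and plain strings pass through."""
    return RESOURCE_STRINGS.get(value, value)


def parse_conditions(text):
    """Split the Conditions blob into [{id, name, match, value}]; hex values become ints."""
    out = []
    for guid, match, value in _COND_RE.findall(text):
        guid = guid.lower()
        out.append({"id": guid, "name": CONDITION_NAMES.get(guid, "unknown"),
                    "match": match.strip(),
                    "value": int(value, 16) if value.lower().startswith("0x") else value})
    return out


def summarize(event_data):
    """Flatten a 5447 event_data dict into the fields a rule would key on."""
    return {
        "change": resolve(event_data["ChangeType"]),
        "persistent": resolve(event_data["FilterType"]) == "Persistent",
        "action": resolve(event_data["Action"]),
        "filter": event_data["FilterName"],
        "layer": event_data["LayerName"],
        "subject": event_data["UserName"],
        "pid": int(event_data["ProcessId"]),
        "weight": int(event_data["Weight"]),
        "conditions": parse_conditions(event_data["Conditions"]),
    }


def is_persistent_filter_removal(summary):
    """Illustrative heuristic for the Impair Defenses pattern listed above: a
    persistent filter being deleted. Persistent filters survive reboots, so their
    removal is a policy change, unlike the non-persistent windefend_* filter add
    by LOCAL SERVICE in the page's example."""
    return summary["change"] == "Delete" and summary["persistent"]


# The page's 5447 example event_data (fields used here) and a constructed deletion
# of a persistent filter, reusing the filter name from the page's 5441 example.
PAGE_EXAMPLE = {
    "ProcessId": "6836", "UserSid": "S-1-5-19", "UserName": "NT AUTHORITY\\LOCAL SERVICE",
    "ChangeType": "%%16384", "FilterName": "windefend_flow_established_v6",
    "FilterType": "%%16388", "LayerName": "ALE Flow Established v6 Layer",
    "Weight": "33286004704", "Action": "%%16391",
    "Conditions": ("\n\tCondition ID:\t{8784c146-ca97-44d6-9fd1-19fb1840cbf7}\n\tMatch value:\tEqual to"
                   "\n\tCondition value:\t0x00000000\n\n\tCondition ID:\t{8784c146-ca97-44d6-9fd1-19fb1840cbf7}"
                   "\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000001\n\n\tCondition ID:"
                   "\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06"
                   "\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to"
                   "\n\tCondition value:\t0x11\n"),
}
CONSTRUCTED_DELETE = dict(PAGE_EXAMPLE, ProcessId="4416", UserSid="S-1-5-18",
                         UserName="NT AUTHORITY\\SYSTEM", ChangeType="%%16385",
                         FilterType="%%16387", FilterName="AppContainerBoottimeFilter",
                         Action="%%16390", Conditions="")


if __name__ == "__main__":
    for ev in (PAGE_EXAMPLE, CONSTRUCTED_DELETE):
        s = summarize(ev)
        print(s["change"], s["filter"], "persistent" if s["persistent"] else "not persistent",
              "-> suspicious" if is_persistent_filter_removal(s) else "")
        for c in s["conditions"]:
            print("   ", c["name"], c["match"], c["value"])
```

The same resource-string table and Conditions parser apply to 5441 (boot-time inventory of filters), which uses the identical field layout; the only 5447-specific fields are ChangeType, UserSid/UserName and ProcessId.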
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5447
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5447
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5447.yml
Event ID 5448: A Windows Filtering Platform provider has been changed.
#Description
A Windows Filtering Platform provider has been changed.
Message #
Fields #
| Name | Description |
|---|---|
ProcessId UInt32 | [Process Information] Process ID |
UserSid SID | [Subject] Security ID |
UserName UnicodeString | [Subject] Account Name |
ChangeType UnicodeString | [Change Information] Change Type |
ProviderKey GUID | [Provider Information] ID |
ProviderName UnicodeString | [Provider Information] Name |
ProviderType UnicodeString | [Provider Information] Type |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5448,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-11T06:27:26.268863+00:00",
"event_record_id": 2450415,
"correlation": {
"ActivityID": "164E10E5-B120-0003-FC10-4E1620B1DC01"
},
"execution": {
"process_id": 720,
"thread_id": 1044
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessId": 3624,
"UserSid": "S-1-5-18",
"UserName": "NT AUTHORITY\\SYSTEM",
"ChangeType": "%%16384",
"ProviderKey": "32B38E01-DDB2-45AB-A37A-189A2BCA5CFC",
"ProviderName": "Microsoft Corporation",
"ProviderType": "%%16388"
},
"message": ""
}
Detection Patterns #
References #
Event ID 5449: A Windows Filtering Platform provider context has been changed.
#Description
A Windows Filtering Platform provider context has been changed.
Message #
Fields #
| Name | Description |
|---|---|
ProcessId UInt32 | [Process Information] Process ID |
UserSid SID | [Subject] Security ID |
UserName UnicodeString | [Subject] Account Name |
ProviderKey GUID | [Provider Information] Provider ID |
ProviderName UnicodeString | [Provider Information] Provider Name |
ChangeType UnicodeString | [Change Information] Change Type |
ProviderContextKey GUID | [Provider Context] ID |
ProviderContextName UnicodeString | [Provider Context] Name |
ProviderContextType UnicodeString | [Provider Context] Type |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5449,
    "version": 0,
    "level": 0,
    "task": 13572,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:51:26.0889469+00:00",
    "event_record_id": 1904802,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 4240
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessId": "1812",
    "UserSid": "S-1-5-19",
    "UserName": "NT AUTHORITY\\LOCAL SERVICE",
    "ProviderKey": "{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}",
    "ProviderName": "Microsoft Corporation",
    "ChangeType": "%%16385",
    "ProviderContextKey": "{c0bd751f-d66c-4b96-ac14-d47629a19bac}",
    "ProviderContextName": "MPSSVC",
    "ProviderContextType": "%%16388"
  },
  "message": "A Windows Filtering Platform provider context has been changed.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\r\n\r\nProcess Information:\r\n\tProcess ID:\t1812\r\n\r\nProvider Information:\r\n\tProvider ID:\t{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}\r\n\tProvider Name:\tMicrosoft Corporation\r\n\r\nChange Information:\r\n\tChange Type:\tDelete\r\n\r\nProvider Context:\r\n\tID:\t{c0bd751f-d66c-4b96-ac14-d47629a19bac}\r\n\tName:\tMPSSVC\r\n\tType:\tNot persistent"
}
```
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5449
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5449
Event ID 5450: A Windows Filtering Platform sub-layer has been changed.
Description
A Windows Filtering Platform sub-layer has been changed.
Fields
| Name | Type | Description |
|---|---|---|
| ProcessId | UInt32 | [Process Information] Process ID |
| UserSid | SID | [Subject] Security ID |
| UserName | UnicodeString | [Subject] Account Name |
| ProviderKey | GUID | [Provider Information] Provider ID |
| ProviderName | UnicodeString | [Provider Information] Provider Name |
| ChangeType | UnicodeString | [Change Information] Change Type |
| SubLayerKey | GUID | [Sub-layer Information] Sub-layer ID |
| SubLayerName | UnicodeString | [Sub-layer Information] Sub-layer Name |
| SubLayerType | UnicodeString | [Sub-layer Information] Sub-layer Type |
| Weight | UInt32 | [Additional Information] Weight |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5450,
    "version": 0,
    "level": 0,
    "task": 13572,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:51:41.9871510+00:00",
    "event_record_id": 1905149,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 7632
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessId": "6836",
    "UserSid": "S-1-5-19",
    "UserName": "NT AUTHORITY\\LOCAL SERVICE",
    "ProviderKey": "{00000000-0000-0000-0000-000000000000}",
    "ProviderName": "-",
    "ChangeType": "%%16384",
    "SubLayerKey": "{3c1cd879-1b8c-4ab4-8f83-5ed129176ef3}",
    "SubLayerName": "windefend",
    "SubLayerType": "%%16388",
    "Weight": "4096"
  },
  "message": "A Windows Filtering Platform sub-layer has been changed.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\r\n\r\nProcess Information:\r\n\tProcess ID:\t6836\r\n\r\nProvider Information:\r\n\tProvider ID:\t{00000000-0000-0000-0000-000000000000}\r\n\tProvider Name:\t-\r\n\r\nChange Information:\r\n\tChange Type:\tAdd\r\n\r\nSub-layer Information:\r\n\tSub-layer ID:\t{3c1cd879-1b8c-4ab4-8f83-5ed129176ef3}\r\n\tSub-layer Name:\twindefend\r\n\tSub-layer Type:\tNot persistent\r\n\r\nAdditional Information:\r\n\tWeight:\t4096"
}
```
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5450
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5450
Event ID 5451: An IPsec quick mode security association was established.
Description
An IPsec quick mode security association was established.
Fields
| Name | Type | Description |
|---|---|---|
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalAddressMask | UnicodeString | [Local Endpoint] Network Address Mask |
| LocalPort | UInt32 | [Local Endpoint] Port |
| LocalTunnelEndpoint | UnicodeString | [Local Endpoint] Tunnel Endpoint |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteAddressMask | UnicodeString | [Remote Endpoint] Network Address Mask |
| RemotePort | UInt32 | [Remote Endpoint] Port |
| PeerPrivateAddress | UnicodeString | [Remote Endpoint] Private Address |
| RemoteTunnelEndpoint | UnicodeString | [Remote Endpoint] Tunnel Endpoint |
| IpProtocol | UInt32 | [Remote Endpoint] Protocol |
| KeyingModuleName | UnicodeString | [Remote Endpoint] Keying Module Name |
| AhAuthType | UnicodeString | [Cryptographic Information] Integrity Algorithm - AH |
| EspAuthType | UnicodeString | [Cryptographic Information] Integrity Algorithm - ESP |
| CipherType | UnicodeString | [Cryptographic Information] Encryption Algorithm |
| LifetimeSeconds | UInt32 | [Security Association Information] Lifetime - seconds |
| LifetimeKilobytes | UInt32 | [Security Association Information] Lifetime - data |
| LifetimePackets | UInt32 | [Security Association Information] Lifetime - packets |
| Mode | UnicodeString | [Security Association Information] Mode |
| Role | UnicodeString | [Security Association Information] Role |
| TransportFilterId | UInt64 | [Security Association Information] Quick Mode Filter ID |
| MainModeSaId | UInt64 | [Security Association Information] Main Mode SA ID |
| QuickModeSaId | UInt64 | [Security Association Information] Quick Mode SA ID |
| InboundSpi | UInt64 | [Additional Information] Inbound SPI |
| OutboundSpi | UInt64 | [Additional Information] Outbound SPI |
| TunnelId | UInt64 | [Additional Information] Virtual Interface Tunnel ID |
| TrafficSelectorId | UInt64 | [Additional Information] Traffic Selector ID |
Event ID 5452: An IPsec quick mode security association ended.
Description
An IPsec quick mode security association ended.
Fields
| Name | Type | Description |
|---|---|---|
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalAddressMask | UnicodeString | [Local Endpoint] Network Address Mask |
| LocalPort | UInt32 | [Local Endpoint] Port |
| LocalTunnelEndpoint | UnicodeString | [Local Endpoint] Tunnel Endpoint |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteAddressMask | UnicodeString | [Remote Endpoint] Network Address Mask |
| RemotePort | UInt32 | [Remote Endpoint] Port |
| RemoteTunnelEndpoint | UnicodeString | [Remote Endpoint] Tunnel Endpoint |
| IpProtocol | UInt32 | [Additional Information] Protocol |
| QuickModeSaId | UInt64 | [Additional Information] Quick Mode SA ID |
| TunnelId | UInt64 | [Additional Information] Virtual Interface Tunnel ID |
| TrafficSelectorId | UInt64 | [Additional Information] Traffic Selector ID |
Event ID 5453: An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
Description
An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
Event ID 5456: PAStore Engine applied Active Directory storage IPsec policy on the computer.
Event ID 5457: PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
Event ID 5458: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
Description
IPsec Policy Agent applied locally cached copy of Active Directory storage IPsec policy on the computer.
Fields
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5459: PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
Description
IPsec Policy Agent failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
Fields
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
| Error | UnicodeString | Error Code |
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5460: PAStore Engine applied local registry storage IPsec policy on the computer.
Description
IPsec Policy Agent applied local registry storage IPsec policy on the computer.
Fields
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5461: PAStore Engine failed to apply local registry storage IPsec policy on the computer.
Description
IPsec Policy Agent failed to apply local registry storage IPsec policy on the computer.
Fields
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
| Error | UnicodeString | Error Code |
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5462: PAStore Engine failed to apply some rules of the active IPsec policy on the computer.
Description
IPsec Policy Agent failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
Fields
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
| Error | UnicodeString | Error Code |
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5463: PAStore Engine polled for changes to the active IPsec policy and detected no changes.
Description
IPsec Policy Agent polled for changes to the active IPsec policy and detected no changes.
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5464: PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
Description
IPsec Policy Agent polled for changes to the active IPsec policy, detected changes, and applied them.
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5465: PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
Description
IPsec Policy Agent received a control for forced reloading of IPsec policy and processed the control successfully.
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5466: PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead.
Description
IPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5467: PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy.
Description
IPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5468: PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes.
Description
IPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5471: PAStore Engine loaded local storage IPsec policy on the computer.
Description
IPsec Policy Agent loaded local storage IPsec policy on the computer.
Fields
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5472: PAStore Engine failed to load local storage IPsec policy on the computer.
Description
IPsec Policy Agent failed to load local storage IPsec policy on the computer.
Fields
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
| Error | UnicodeString | Error Code |
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5473: PAStore Engine loaded directory storage IPsec policy on the computer.
Description
IPsec Policy Agent loaded directory storage IPsec policy on the computer.
Fields
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5474: PAStore Engine failed to load directory storage IPsec policy on the computer.
Description
IPsec Policy Agent failed to load directory storage IPsec policy on the computer.
Fields
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
| Error | UnicodeString | Error Code |
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5477: PAStore Engine failed to add quick mode filter.
Event ID 5478: IPsec Services has started successfully.
Description
The IPsec Policy Agent service was started.
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
Event ID 5479: IPsec Services has been shut down successfully.
Description
The IPsec Policy Agent service was stopped. Stopping this service can put the computer at greater risk of network attack or expose the computer to potential security risks.
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
Event ID 5480: IPsec Services failed to get the complete list of network interfaces on the computer.
Description
IPsec Policy Agent failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
Event ID 5483: IPsec Services failed to initialize RPC server.
Event ID 5484: IPsec Services has experienced a critical failure and has been shut down.
Description
The IPsec Policy Agent service experienced a critical failure and has shut down. The shutdown of this service can put the computer at greater risk of network attack or expose the computer to potential security risks. Error Code: Error
Fields
| Name | Type | Description |
|---|---|---|
| Error | UnicodeString | Error Code |
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
Event ID 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces.
Description
IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
Event ID 5632: A request was made to authenticate to a wireless network.
Description
This event is generated when an 802.1x authentication attempt is made for a wireless network.
Fields
| Name | Type | Description |
|---|---|---|
| SSID | UnicodeString | SSID of the wireless network to which the authentication request was sent. |
| Identity | UnicodeString | User Principal Name (UPN) or another type of account identifier for which the 802.1x authentication request was made. |
| SubjectUserName | UnicodeString | The name of the account for which the 802.1x authentication request was made. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
| PeerMac | UnicodeString | [Network Information] Peer MAC Address. |
| LocalMac | UnicodeString | [Network Information] Local MAC Address. |
| IntfGuid | GUID | GUID of the network interface that was used for the authentication request. |
| ReasonCode | HexInt32 | Hexadecimal Reason Code for wired authentication results. |
| ReasonText | UnicodeString | Contains Reason Text (explanation of Reason Code) and Reason Code for wireless authentication results. |
| ErrorCode | HexInt32 | There is no information about this field in this document. |
| EAPReasonCode | HexInt32 | Related to NPS (Network Policy Server) error code. [See NPS error codes](https://technet.microsoft.com/library/dd197570(v=ws.10).aspx). |
| EapRootCauseString | UnicodeString | [Additional Information] EAP Root Cause String. |
| EAPErrorCode | HexInt32 | [Additional Information] EAP Error Code. |
References
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5632
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5632_v1.yml
Event ID 5633: A request was made to authenticate to a wired network.
Description
This event is generated when an 802.1x authentication attempt is made for a wired network.
Fields
| Name | Type | Description |
|---|---|---|
| InterfaceName | UnicodeString | The name (description) of the network interface that was used for the authentication request. You can get the list of all available network adapters using the "ipconfig /all" command. |
| Identity | UnicodeString | User Principal Name (UPN) of the account for which the 802.1x authentication request was made. |
| SubjectUserName | UnicodeString | The name of the account for which the 802.1x authentication request was made. |
| SubjectDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | HexInt64 | Logon session ID of the account that requested the operation. Correlates with Event ID 4624. |
| ReasonCode | HexInt32 | Hexadecimal Reason Code for wired authentication results. |
| ReasonText | UnicodeString | Contains Reason Text (explanation of Reason Code) and Reason Code for wired authentication results. |
| ErrorCode | HexInt32 | [Interface] Error Code. |
References
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5633
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5633.yml
Event ID 5712: A Remote Procedure Call (RPC) was attempted.
Description
A Remote Procedure Call (RPC) was attempted.
Fields
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] SID |
| SubjectUserName | UnicodeString | [Subject] Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | UInt64 | [Subject] LogonId |
| ProcessId | UInt32 | [Process Information] PID |
| ProcessName | UnicodeString | [Process Information] Name |
| RemoteIpAddress | UnicodeString | [Network Information] Remote IP Address |
| RemotePort | UnicodeString | [Network Information] Remote Port |
| InterfaceUuid | GUID | [RPC Attributes] Interface UUID |
| ProtocolSequence | UnicodeString | [RPC Attributes] Protocol Sequence |
| AuthenticationService | UInt32 | [RPC Attributes] Authentication Service |
| AuthenticationLevel | UInt32 | [RPC Attributes] Authentication Level |
| OpNum | UInt32 | |
| Endpoint | UnicodeString | |
| RemoteHost | UnicodeString | |
Event ID 5888: An object in the COM+ Catalog was modified.
Description
An object in the COM+ Catalog was modified.
Fields
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | SID of the account that requested the "modify/change object" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "modify/change object" operation. |
| SubjectUserDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | UInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| ObjectCollectionName | UnicodeString | The name of the COM+ collection in which the object was modified. |
| ObjectIdentifyingProperties | UnicodeString | Object-specific fields with the names and identifiers for the modified object. |
| ModifiedObjectProperties | UnicodeString | The list of the object's (Object Name) properties that were modified. |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5888,
    "version": 0,
    "level": 0,
    "task": 12290,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:07:28.323865+00:00",
    "event_record_id": 2042752,
    "correlation": {
      "ActivityID": "56E3EAD5-F269-44B1-8096-7C737168F10A"
    },
    "execution": {
      "process_id": 984,
      "thread_id": 1556
    },
    "channel": "Security",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "SYSTEM",
    "SubjectUserDomainName": "NT AUTHORITY",
    "SubjectLogonId": 999,
    "ObjectCollectionName": "Components",
    "ObjectIdentifyingProperties": "\r\n\t\tCLSID = {315FA593-3CF5-4310-887B-3977A578488A}\r\n\t\tBitness = 2\r\n\t\tApplicationID = {5268CA1B-44FF-4FE6-9D5F-9CF63F69C4E3}",
    "ModifiedObjectProperties": "\r\n\t\tApplicationID = '<null>' -> '{5268CA1B-44FF-4FE6-9D5F-9CF63F69C4E3}'\r\n\t\tTransaction = '0' -> '1'\r\n\t\tSynchronization = '0' -> '3'\r\n\t\tJustInTimeActivation = '0' -> '1'\r\n\t\tEventTrackingEnabled = '0' -> '1'\r\n\t\tSavedProgId = '<null>' -> 'IISFtpHost.IISFtpHost.1'\r\n\t\tAllowInprocSubscribers = '0' -> '1'\r\n\t\tIsEnabled = '0' -> '1'\r\n\t\tTxIsolationLevel = '0' -> '4'"
  },
  "message": ""
}
```
References
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5888
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5888.yml
Event ID 5889: An object was deleted from the COM+ Catalog.
Description
An object was deleted from the COM+ Catalog.
Fields
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | SID of the account that requested the "delete object" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "delete object" operation. |
| SubjectUserDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | UInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| ObjectCollectionName | UnicodeString | The name of the COM+ collection from which the COM+ object was deleted. |
| ObjectIdentifyingProperties | UnicodeString | Object-specific fields with the names and identifiers for the deleted object. |
| ObjectProperties | UnicodeString | The list of the deleted object's (Object Name) properties. |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5889,
    "version": 0,
    "level": 0,
    "task": 12290,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-05T22:30:46.980255+00:00",
    "event_record_id": 3332,
    "correlation": {
      "ActivityID": "59A0D65F-1037-0001-A7D6-A0593710DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 888
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "SYSTEM",
    "SubjectUserDomainName": "NT AUTHORITY",
    "SubjectLogonId": 999,
    "ObjectCollectionName": "Applications",
    "ObjectIdentifyingProperties": "\r\n\t\tID = {A14C837E-C9BC-4E79-B228-2A6CB72524A5}\r\n\t\tAppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}",
    "ObjectProperties": "\r\n\t\tName = VMware Snapshot Provider\r\n\t\tApplicationProxyServerName = \r\n\t\tProcessType = 2\r\n\t\tCommandLine = \r\n\t\tServiceName = vmvss\r\n\t\tRunAsUserType = 1\r\n\t\tIdentity = LocalSystem\r\n\t\tDescription = VMware Snapshot Provider\r\n\t\tIsSystem = N\r\n\t\tAuthentication = 6\r\n\t\tShutdownAfter = 3\r\n\t\tRunForever = N\r\n\t\tPassword = ********\r\n\t\tActivation = Local\r\n\t\tChangeable = Y\r\n\t\tDeleteable = Y\r\n\t\tCreatedBy = \r\n\t\tAccessChecksLevel = 1\r\n\t\tApplicationAccessChecksEnabled = 0\r\n\t\tcCOL_SecurityDescriptor = <Opaque>\r\n\t\tImpersonationLevel = 2\r\n\t\tAuthenticationCapability = 2\r\n\t\tCRMEnabled = 0\r\n\t\t3GigSupportEnabled = 0\r\n\t\tQueuingEnabled = 0\r\n\t\tQueueListenerEnabled = N\r\n\t\tEventsEnabled = 1\r\n\t\tProcessFlags = 0\r\n\t\tThreadMax = 0\r\n\t\tApplicationProxy = 0\r\n\t\tCRMLogFile = \r\n\t\tDumpEnabled = 0\r\n\t\tDumpOnException = 0\r\n\t\tDumpOnFailfast = 0\r\n\t\tMaxDumpCount = 5\r\n\t\tDumpPath = %systemroot%\\system32\\com\\dmp\r\n\t\tIsEnabled = 1\r\n\t\tAppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}\r\n\t\tConcurrentApps = 1\r\n\t\tRecycleLifetimeLimit = 0\r\n\t\tRecycleCallLimit = 0\r\n\t\tRecycleActivationLimit = 0\r\n\t\tRecycleMemoryLimit = 0\r\n\t\tRecycleExpirationTimeout = 15\r\n\t\tQCListenerMaxThreads = 0\r\n\t\tQCAuthenticateMsgs = 0\r\n\t\tApplicationDirectory = \r\n\t\tSRPTrustLevel = 262144\r\n\t\tSRPEnabled = 0\r\n\t\tSoapActivated = 0\r\n\t\tSoapVRoot = \r\n\t\tSoapMailTo = \r\n\t\tSoapBaseUrl = \r\n\t\tReplicable = 1"
  },
  "message": ""
}
```
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5889
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5889
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5889.yml
Event ID 5890: An object was added to the COM+ Catalog.
Description
This event is generated when a new object is added to the COM+ Catalog.
Fields
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | SID of the account that requested the "add object" operation. |
| SubjectUserName | UnicodeString | The name of the account that requested the "add object" operation. |
| SubjectUserDomainName | UnicodeString | Subject's domain or computer name. |
| SubjectLogonId | UInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| ObjectCollectionName | UnicodeString | The name of the COM+ collection to which the new object was added. |
| ObjectIdentifyingProperties | UnicodeString | Object-specific fields with the names and identifiers for the new object. |
| ObjectProperties | UnicodeString | The list of the new object's (Object Name) properties. |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5890,
    "version": 0,
    "level": 0,
    "task": 12290,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-05T22:30:50.680307+00:00",
    "event_record_id": 3348,
    "correlation": {
      "ActivityID": "59A0D65F-1037-0001-A7D6-A0593710DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 896
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "SYSTEM",
    "SubjectUserDomainName": "NT AUTHORITY",
    "SubjectLogonId": 999,
    "ObjectCollectionName": "UsersInRole",
    "ObjectIdentifyingProperties": "\r\n\t\tApplId = {B0C2D0B3-B19E-4769-B00B-A0D5996BAD73}\r\n\t\tName = Administrators\r\n\t\tUser = SYSTEM",
    "ObjectProperties": "\r\n\t\t<null>"
  },
  "message": ""
}
```
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5890
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5890
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5890.yml
Event ID 6144: Security policy in the group policy objects has been applied successfully.
Description
This event is generated every time settings from the "Security Settings" section of a group policy object are applied successfully to a computer, without any errors.
Fields
| Name | Type | Description |
|---|---|---|
| ErrorCode | UInt32 | Always has the value "0" for this event. |
| GPOList | UnicodeString | The list of Group Policy Objects that include "Security Settings" policies and that were applied to the computer. |
References
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6144
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-6144.yml
Event ID 6145: One or more errors occurred while processing security policy in the group policy objects.
Description
This event is generated every time settings from the "Security Settings" section of a group policy object are applied to a computer with one or more errors.
Fields
| Name | Type | Description |
|---|---|---|
| ErrorCode | UInt32 | Specific error code identifying the error that happened during Group Policy processing. |
| GPOList | UnicodeString | The list of Group Policy Objects that include "Security Settings" policies and that were applied with errors to the computer. |
Event ID 6272: Network Policy Server granted access to a user.
Description #
Network Policy Server granted access to a user.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [User] Security ID |
SubjectUserName UnicodeString | [User] Account Name |
SubjectDomainName UnicodeString | [User] Account Domain |
FullyQualifiedSubjectUserName UnicodeString | [User] Fully Qualified Account Name |
SubjectMachineSID SID | [Client Machine] Security ID |
SubjectMachineName UnicodeString | [Client Machine] Account Name |
FullyQualifiedSubjectMachineName UnicodeString | [Client Machine] Fully Qualified Account Name |
CalledStationID UnicodeString | [Client Machine] Called Station Identifier |
CallingStationID UnicodeString | [Client Machine] Calling Station Identifier |
NASIPv4Address UnicodeString | [NAS] NAS IPv4 Address |
NASIPv6Address UnicodeString | [NAS] NAS IPv6 Address |
NASIdentifier UnicodeString | [NAS] NAS Identifier |
NASPortType UnicodeString | [NAS] NAS Port-Type |
NASPort UnicodeString | [NAS] NAS Port |
ClientName UnicodeString | [RADIUS Client] Client Friendly Name |
ClientIPAddress UnicodeString | [RADIUS Client] Client IP Address |
ProxyPolicyName UnicodeString | [Authentication Details] Connection Request Policy Name |
NetworkPolicyName UnicodeString | [Authentication Details] Network Policy Name |
AuthenticationProvider UnicodeString | [Authentication Details] Authentication Provider |
AuthenticationServer UnicodeString | [Authentication Details] Authentication Server |
AuthenticationType UnicodeString | [Authentication Details] Authentication Type |
EAPType UnicodeString | [Authentication Details] EAP Type |
AccountSessionIdentifier UnicodeString | [Authentication Details] Account Session Identifier |
LoggingResult UnicodeString | [Authentication Details] Logging Results |
References #
Event ID 6273: Network Policy Server denied access to a user.
Description #
Network Policy Server denied access to a user.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [User] Security ID |
SubjectUserName UnicodeString | [User] Account Name |
SubjectDomainName UnicodeString | [User] Account Domain |
FullyQualifiedSubjectUserName UnicodeString | [User] Fully Qualified Account Name |
SubjectMachineSID SID | [Client Machine] Security ID |
SubjectMachineName UnicodeString | [Client Machine] Account Name |
FullyQualifiedSubjectMachineName UnicodeString | [Client Machine] Fully Qualified Account Name |
CalledStationID UnicodeString | [Client Machine] Called Station Identifier |
CallingStationID UnicodeString | [Client Machine] Calling Station Identifier |
NASIPv4Address UnicodeString | [NAS] NAS IPv4 Address |
NASIPv6Address UnicodeString | [NAS] NAS IPv6 Address |
NASIdentifier UnicodeString | [NAS] NAS Identifier |
NASPortType UnicodeString | [NAS] NAS Port-Type |
NASPort UnicodeString | [NAS] NAS Port |
ClientName UnicodeString | [RADIUS Client] Client Friendly Name |
ClientIPAddress UnicodeString | [RADIUS Client] Client IP Address |
ProxyPolicyName UnicodeString | [Authentication Details] Connection Request Policy Name |
NetworkPolicyName UnicodeString | [Authentication Details] Network Policy Name |
AuthenticationProvider UnicodeString | [Authentication Details] Authentication Provider |
AuthenticationServer UnicodeString | [Authentication Details] Authentication Server |
AuthenticationType UnicodeString | [Authentication Details] Authentication Type |
EAPType UnicodeString | [Authentication Details] EAP Type |
AccountSessionIdentifier UnicodeString | [Authentication Details] Account Session Identifier |
ReasonCode UnicodeString | [Authentication Details] Reason Code |
Reason UnicodeString | [Authentication Details] Reason |
LoggingResult UnicodeString | [Authentication Details] Logging Results |
Community Notes #
Large numbers of Reason 16 or 23 from the same IP or MAC indicate brute-forcing of WiFi, VPN, or 802.1x portals. Repeat denials for privileged accounts should be investigated.
References #
Event ID 6274: Network Policy Server discarded the request for a user.
Description #
Network Policy Server discarded the request for a user.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [User] Security ID |
SubjectUserName UnicodeString | [User] Account Name |
SubjectDomainName UnicodeString | [User] Account Domain |
FullyQualifiedSubjectUserName UnicodeString | [User] Fully Qualified Account Name |
SubjectMachineSID SID | [Client Machine] Security ID |
SubjectMachineName UnicodeString | [Client Machine] Account Name |
FullyQualifiedSubjectMachineName UnicodeString | [Client Machine] Fully Qualified Account Name |
CalledStationID UnicodeString | [Client Machine] Called Station Identifier |
CallingStationID UnicodeString | [Client Machine] Calling Station Identifier |
NASIPv4Address UnicodeString | [NAS] NAS IPv4 Address |
NASIPv6Address UnicodeString | [NAS] NAS IPv6 Address |
NASIdentifier UnicodeString | [NAS] NAS Identifier |
NASPortType UnicodeString | [NAS] NAS Port-Type |
NASPort UnicodeString | [NAS] NAS Port |
ClientName UnicodeString | [RADIUS Client] Client Friendly Name |
ClientIPAddress UnicodeString | [RADIUS Client] Client IP Address |
ProxyPolicyName UnicodeString | [Authentication Details] Connection Request Policy Name |
NetworkPolicyName UnicodeString | [Authentication Details] Network Policy Name |
AuthenticationProvider UnicodeString | [Authentication Details] Authentication Provider |
AuthenticationServer UnicodeString | [Authentication Details] Authentication Server |
AuthenticationType UnicodeString | [Authentication Details] Authentication Type |
EAPType UnicodeString | [Authentication Details] EAP Type |
AccountSessionIdentifier UnicodeString | [Authentication Details] Account Session Identifier |
ReasonCode UnicodeString | [Authentication Details] Reason Code |
Reason UnicodeString | [Authentication Details] Reason |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server
Event ID 6275: Network Policy Server discarded the accounting request for a user.
Description #
Network Policy Server discarded the accounting request for a user.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [User] Security ID |
SubjectUserName UnicodeString | [User] Account Name |
SubjectDomainName UnicodeString | [User] Account Domain |
FullyQualifiedSubjectUserName UnicodeString | [User] Fully Qualified Account Name |
SubjectMachineSID SID | [Client Machine] Security ID |
SubjectMachineName UnicodeString | [Client Machine] Account Name |
FullyQualifiedSubjectMachineName UnicodeString | [Client Machine] Fully Qualified Account Name |
CalledStationID UnicodeString | [Client Machine] Called Station Identifier |
CallingStationID UnicodeString | [Client Machine] Calling Station Identifier |
NASIPv4Address UnicodeString | [NAS] NAS IPv4 Address |
NASIPv6Address UnicodeString | [NAS] NAS IPv6 Address |
NASIdentifier UnicodeString | [NAS] NAS Identifier |
NASPortType UnicodeString | [NAS] NAS Port-Type |
NASPort UnicodeString | [NAS] NAS Port |
ClientName UnicodeString | [RADIUS Client] Client Friendly Name |
ClientIPAddress UnicodeString | [RADIUS Client] Client IP Address |
ProxyPolicyName UnicodeString | [Authentication Details] Connection Request Policy Name |
NetworkPolicyName UnicodeString | [Authentication Details] Network Policy Name |
AuthenticationProvider UnicodeString | [Authentication Details] Authentication Provider |
AuthenticationServer UnicodeString | [Authentication Details] Authentication Server |
AuthenticationType UnicodeString | [Authentication Details] Authentication Type |
EAPType UnicodeString | [Authentication Details] EAP Type |
AccountSessionIdentifier UnicodeString | [Authentication Details] Account Session Identifier |
ReasonCode UnicodeString | [Authentication Details] Reason Code |
Reason UnicodeString | [Authentication Details] Reason |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server
Event ID 6276: Network Policy Server quarantined a user.
Description #
Network Policy Server quarantined a user.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [User] Security ID |
SubjectUserName UnicodeString | [User] Account Name |
SubjectDomainName UnicodeString | [User] Account Domain |
FullyQualifiedSubjectUserName UnicodeString | [User] Fully Qualified Account Name |
SubjectMachineSID SID | [Client Machine] Security ID |
SubjectMachineName UnicodeString | [Client Machine] Account Name |
FullyQualifiedSubjectMachineName UnicodeString | [Client Machine] Fully Qualified Account Name |
MachineInventory UnicodeString | [Client Machine] OS-Version |
CalledStationID UnicodeString | [Client Machine] Called Station Identifier |
CallingStationID UnicodeString | [Client Machine] Calling Station Identifier |
NASIPv4Address UnicodeString | [NAS] NAS IPv4 Address |
NASIPv6Address UnicodeString | [NAS] NAS IPv6 Address |
NASIdentifier UnicodeString | [NAS] NAS Identifier |
NASPortType UnicodeString | [NAS] NAS Port-Type |
NASPort UnicodeString | [NAS] NAS Port |
ClientName UnicodeString | [RADIUS Client] Client Friendly Name |
ClientIPAddress UnicodeString | [RADIUS Client] Client IP Address |
ProxyPolicyName UnicodeString | [Authentication Details] Connection Request Policy Name |
NetworkPolicyName UnicodeString | [Authentication Details] Network Policy Name |
AuthenticationProvider UnicodeString | [Authentication Details] Authentication Provider |
AuthenticationServer UnicodeString | [Authentication Details] Authentication Server |
AuthenticationType UnicodeString | [Authentication Details] Authentication Type |
EAPType UnicodeString | [Authentication Details] EAP Type |
AccountSessionIdentifier UnicodeString | [Authentication Details] Account Session Identifier |
QuarantineState UnicodeString | [Quarantine Information] Result |
ExtendedQuarantineState UnicodeString | [Quarantine Information] Extended-Result |
QuarantineSessionID UnicodeString | [Quarantine Information] Session Identifier |
QuarantineHelpURL UnicodeString | [Quarantine Information] Help URL |
QuarantineSystemHealthResult UnicodeString | [Quarantine Information] System Health Validator Result(s) |
References #
Event ID 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
Description #
Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [User] Security ID |
SubjectUserName UnicodeString | [User] Account Name |
SubjectDomainName UnicodeString | [User] Account Domain |
FullyQualifiedSubjectUserName UnicodeString | [User] Fully Qualified Account Name |
SubjectMachineSID SID | [Client Machine] Security ID |
SubjectMachineName UnicodeString | [Client Machine] Account Name |
FullyQualifiedSubjectMachineName UnicodeString | [Client Machine] Fully Qualified Account Name |
MachineInventory UnicodeString | [Client Machine] OS-Version |
CalledStationID UnicodeString | [Client Machine] Called Station Identifier |
CallingStationID UnicodeString | [Client Machine] Calling Station Identifier |
NASIPv4Address UnicodeString | [NAS] NAS IPv4 Address |
NASIPv6Address UnicodeString | [NAS] NAS IPv6 Address |
NASIdentifier UnicodeString | [NAS] NAS Identifier |
NASPortType UnicodeString | [NAS] NAS Port-Type |
NASPort UnicodeString | [NAS] NAS Port |
ClientName UnicodeString | [RADIUS Client] Client Friendly Name |
ClientIPAddress UnicodeString | [RADIUS Client] Client IP Address |
ProxyPolicyName UnicodeString | [Authentication Details] Connection Request Policy Name |
NetworkPolicyName UnicodeString | [Authentication Details] Network Policy Name |
AuthenticationProvider UnicodeString | [Authentication Details] Authentication Provider |
AuthenticationServer UnicodeString | [Authentication Details] Authentication Server |
AuthenticationType UnicodeString | [Authentication Details] Authentication Type |
EAPType UnicodeString | [Authentication Details] EAP Type |
AccountSessionIdentifier UnicodeString | [Authentication Details] Account Session Identifier |
QuarantineState UnicodeString | [Quarantine Information] Result |
ExtendedQuarantineState UnicodeString | [Quarantine Information] Extended-Result |
QuarantineSessionID UnicodeString | [Quarantine Information] Session Identifier |
QuarantineHelpURL UnicodeString | [Quarantine Information] Help URL |
QuarantineSystemHealthResult UnicodeString | [Quarantine Information] System Health Validator Result(s) |
QuarantineGraceTime UnicodeString | [Quarantine Information] Quarantine Grace Time |
References #
Event ID 6278: Network Policy Server granted full access to a user because the host met the defined health policy.
Description #
Network Policy Server granted full access to a user because the host met the defined health policy.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [User] Security ID |
SubjectUserName UnicodeString | [User] Account Name |
SubjectDomainName UnicodeString | [User] Account Domain |
FullyQualifiedSubjectUserName UnicodeString | [User] Fully Qualified Account Name |
SubjectMachineSID SID | [Client Machine] Security ID |
SubjectMachineName UnicodeString | [Client Machine] Account Name |
FullyQualifiedSubjectMachineName UnicodeString | [Client Machine] Fully Qualified Account Name |
MachineInventory UnicodeString | [Client Machine] OS-Version |
CalledStationID UnicodeString | [Client Machine] Called Station Identifier |
CallingStationID UnicodeString | [Client Machine] Calling Station Identifier |
NASIPv4Address UnicodeString | [NAS] NAS IPv4 Address |
NASIPv6Address UnicodeString | [NAS] NAS IPv6 Address |
NASIdentifier UnicodeString | [NAS] NAS Identifier |
NASPortType UnicodeString | [NAS] NAS Port-Type |
NASPort UnicodeString | [NAS] NAS Port |
ClientName UnicodeString | [RADIUS Client] Client Friendly Name |
ClientIPAddress UnicodeString | [RADIUS Client] Client IP Address |
ProxyPolicyName UnicodeString | [Authentication Details] Connection Request Policy Name |
NetworkPolicyName UnicodeString | [Authentication Details] Network Policy Name |
AuthenticationProvider UnicodeString | [Authentication Details] Authentication Provider |
AuthenticationServer UnicodeString | [Authentication Details] Authentication Server |
AuthenticationType UnicodeString | [Authentication Details] Authentication Type |
EAPType UnicodeString | [Authentication Details] EAP Type |
AccountSessionIdentifier UnicodeString | [Authentication Details] Account Session Identifier |
QuarantineState UnicodeString | [Quarantine Information] Result |
ExtendedQuarantineState UnicodeString | [Quarantine Information] Extended-Result |
QuarantineSessionID UnicodeString | [Quarantine Information] Session Identifier |
QuarantineHelpURL UnicodeString | [Quarantine Information] Help URL |
QuarantineSystemHealthResult UnicodeString | [Quarantine Information] System Health Validator Result(s) |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server
Event ID 6279: Network Policy Server locked the user account due to repeated failed authentication attempts.
Description #
Network Policy Server locked the user account due to repeated failed authentication attempts.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [User] Security ID |
SubjectUserName UnicodeString | [User] Account Name |
SubjectDomainName UnicodeString | [User] Account Domain |
FullyQualifiedSubjectUserName UnicodeString | [User] Fully Qualified Account Name |
References #
Event ID 6280: Network Policy Server unlocked the user account.
Description #
Network Policy Server unlocked the user account.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [User] Security ID |
SubjectUserName UnicodeString | [User] Account Name |
SubjectDomainName UnicodeString | [User] Account Domain |
FullyQualifiedSubjectUserName UnicodeString | [User] Fully Qualified Account Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server
Event ID 6281: Code Integrity determined that the page hashes of an image file are not valid.
Description #
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. File Name: param1
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | File Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"event_id": 6281,
"level": 0,
"task": 12290,
"opcode": 0,
"time_created": "2026-05-27T16:20:14.3413842+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Security"
},
"event_data": {
"param1": "\\Device\\HarddiskVolume4\\Windows\\System32\\fcon.dll"
}
}
Detection Patterns #
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
Event ID 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.
Event ID 6401: BranchCache: Received invalid data from a peer.
Description #
BranchCache: Received invalid data from a peer. Data discarded.
Message #
Fields #
| Name | Description |
|---|---|
ClientIPAddress UnicodeString | IP address of the client that sent this data |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
Description #
BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
Message #
Fields #
| Name | Description |
|---|---|
ClientIPAddress UnicodeString | IP address of the client that sent this message |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.
Event ID 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
Event ID 6405: BranchCache: Count instance(s) of event id EventId occurred.
Event ID 6406: ProductName registered to Windows Firewall to control filtering for the following.
Event ID 6407: Firewall category unregistered: Message
Event ID 6408: Registered product ProductName failed and Windows Firewall is now controlling the filtering for Categories.
Description #
Registered product ProductName failed and Windows Firewall is now controlling the filtering for Categories.
Message #
Fields #
| Name | Description |
|---|---|
ProductName UnicodeString | Registered product |
Categories UnicodeString | Firewall categories whose filtering Windows Firewall now controls after the registered product failed. |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 6409: BranchCache: A service connection point object could not be parsed.
Description #
BranchCache: A service connection point object could not be parsed.
Message #
Fields #
| Name | Description |
|---|---|
GUID UnicodeString | SCP object GUID |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 6410: Code integrity determined that a file does not meet the security requirements to load into a process.
Description #
Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | File Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
Event ID 6416: A new external device was recognized by the system.
Description #
This event generates every time a new external device is recognized by a system.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
SubjectUserSid SID | SID of account that registered the new device. | |
SubjectUserName UnicodeString | The name of the account that registered the new device. | |
SubjectDomainName UnicodeString | Subject's domain or computer name. | |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." | |
DeviceId UnicodeString | "Device instance path" attribute of device. | |
DeviceDescription UnicodeString | "Device description" attribute of device. | 4 |
ClassId GUID | "Class Guid" attribute of device. | |
ClassName UnicodeString | Class Name. | 1 |
VendorIds UnicodeString | "Hardware Ids" attribute of device. | |
CompatibleIds UnicodeString | "Compatible Ids" attribute of device. | |
LocationInformation UnicodeString | "Location information" attribute of device. | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 6416,
"version": 1,
"level": 0,
"task": 13316,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-29T16:33:58.4662298+00:00",
"event_record_id": 1724262,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 1936
},
"channel": "Security",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "TELEMETRY-DC-A$",
"SubjectDomainName": "cell-a",
"SubjectLogonId": "0x3e7",
"DeviceId": "SWD\\PRINTENUM\\{F1CCC35B-6BA0-41BE-B88E-DA82067D6391}",
"DeviceDescription": "Microsoft Print to PDF",
"ClassId": "{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}",
"ClassName": "PrintQueue",
"VendorIds": "\n\t\tPRINTENUM\\{084f01fa-e634-4d77-83ee-074817c03581}\n\t\tPRINTENUM\\LocalPrintQueue\n\t\t{084f01fa-e634-4d77-83ee-074817c03581}\n\t\t\n\t\t",
"CompatibleIds": "\n\t\tGenPrintQueue\n\t\tSWD\\GenericRaw\n\t\tSWD\\Generic\n\t\t\n\t\t",
"LocationInformation": "-"
},
"message": "A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tSWD\\PRINTENUM\\{F1CCC35B-6BA0-41BE-B88E-DA82067D6391}\r\n\r\nDevice Name:\tMicrosoft Print to PDF\r\n\r\nClass ID:\t\t{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}\r\n\r\nClass Name:\tPrintQueue\r\n\r\nVendor IDs:\t\r\n\t\tPRINTENUM\\{084f01fa-e634-4d77-83ee-074817c03581}\r\n\t\tPRINTENUM\\LocalPrintQueue\r\n\t\t{084f01fa-e634-4d77-83ee-074817c03581}\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t\r\n\t\tGenPrintQueue\r\n\t\tSWD\\GenericRaw\r\n\t\tSWD\\Generic\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t-"
}
Detection Rules #
Sigma #
- External Disk Drive Or USB Storage Device Was Recognized By The System source low: Detects external disk drives or plugged-in USB devices.
- SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) source high: Detects scenarios where an attacker exploits the PrintNightmare vulnerability by abusing the Windows print spooler using the service exposed by Gentilkiwi
Splunk #
- Removable Media Detected (Windows Event Log) source: Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of…
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6416
- OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-6416_v1.yml
Event ID 6417: The FIPS mode crypto selftests succeeded.
Description #
The FIPS mode crypto selftests succeeded.
Message #
Fields #
| Name | Description |
|---|---|
ProcessId Pointer | Process ID |
ProcessName UnicodeString | Process Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"event_id": 6417,
"level": 0,
"task": 12290,
"opcode": 0,
"time_created": "2026-05-27T19:31:54.4018912+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Security"
},
"event_data": {
"ProcessName": "C:\\Windows\\System32\\lsass.exe",
"ProcessId": "0x3b0"
}
}
Event ID 6418: The FIPS mode crypto selftests failed.
Event ID 6419: A request was made to disable a device.
Description #
This event generates every time someone makes a request to disable a device.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that made the request. |
SubjectUserName UnicodeString | The name of the account that made the request. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
DeviceId UnicodeString | "Device instance path" attribute of device. |
DeviceDescription UnicodeString | "Device description" attribute of device. |
ClassId GUID | "Class Guid" attribute of device. |
ClassName UnicodeString | Class Name. |
HardwareIds UnicodeString | "Hardware Ids" attribute of device. |
CompatibleIds UnicodeString | "Compatible Ids" attribute of device. |
LocationInformation UnicodeString | "Location information" attribute of device. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 6419,
"version": 0,
"level": 0,
"task": 13316,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:18:51.247229+00:00",
"event_record_id": 16259082,
"correlation": {},
"execution": {
"process_id": 6984,
"thread_id": 9864
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"DeviceId": "PCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00\\3&267A616A&0&90",
"DeviceDescription": "Red Hat VirtIO Ethernet Adapter",
"ClassId": "4D36E972-E325-11CE-BFC1-08002BE10318",
"ClassName": "Net",
"HardwareIds": "\r\n\t\tPCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00\r\n\t\tPCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4\r\n\t\tPCI\\VEN_1AF4&DEV_1000&CC_020000\r\n\t\tPCI\\VEN_1AF4&DEV_1000&CC_0200\r\n\t\t\r\n\t\t",
"CompatibleIds": "\r\n\t\tPCI\\VEN_1AF4&DEV_1000&REV_00\r\n\t\tPCI\\VEN_1AF4&DEV_1000\r\n\t\tPCI\\VEN_1AF4&CC_020000\r\n\t\tPCI\\VEN_1AF4&CC_0200\r\n\t\tPCI\\VEN_1AF4\r\n\t\tPCI\\CC_020000\r\n\t\tPCI\\CC_0200\r\n\t\t\r\n\t\t",
"LocationInformation": "-"
},
"message": ""
}
References #
Event ID 6420: A device was disabled.
Description #
This event generates every time a specific device is disabled.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that disabled the device. |
SubjectUserName UnicodeString | The name of the account that disabled the device. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
DeviceId UnicodeString | "Device instance path" attribute of device. |
DeviceDescription UnicodeString | "Device description" attribute of device. |
ClassId GUID | "Class Guid" attribute of device. |
ClassName UnicodeString | Class Name. |
HardwareIds UnicodeString | "Hardware Ids" attribute of device. |
CompatibleIds UnicodeString | "Compatible Ids" attribute of device. |
LocationInformation UnicodeString | "Location information" attribute of device. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 6420,
"version": 0,
"level": 0,
"task": 13316,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-11T06:32:01.859671+00:00",
"event_record_id": 2461244,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 356
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "LAB-WIN11$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"DeviceId": "ROOT\\VMS_VSMP\\0000",
"DeviceDescription": "Hyper-V Virtual Switch Extension Adapter",
"ClassId": "4D36E972-E325-11CE-BFC1-08002BE10318",
"ClassName": "Net",
"HardwareIds": "\r\n\t\tvms_vsmp\r\n\t\t\r\n\t\t",
"CompatibleIds": "-",
"LocationInformation": "-"
},
"message": ""
}
References #
Event ID 6421: A request was made to enable a device.
Description #
This event generates every time someone makes a request to enable a device.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | SID of account that made the request. |
SubjectUserName UnicodeString | The name of the account that made the request. |
SubjectDomainName UnicodeString | Subject's domain or computer name. |
SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
DeviceId UnicodeString | "Device instance path" attribute of device. |
DeviceDescription UnicodeString | "Device description" attribute of device. |
ClassId GUID | "Class Guid" attribute of device. |
ClassName UnicodeString | Class Name. |
HardwareIds UnicodeString | "Hardware Ids" attribute of device. |
CompatibleIds UnicodeString | "Compatible Ids" attribute of device. |
LocationInformation UnicodeString | "Location information" attribute of device. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 6421,
"version": 0,
"level": 0,
"task": 13316,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:18:54.348192+00:00",
"event_record_id": 16267789,
"correlation": {},
"execution": {
"process_id": 6984,
"thread_id": 6948
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"DeviceId": "PCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00\\3&267A616A&0&90",
"DeviceDescription": "Red Hat VirtIO Ethernet Adapter",
"ClassId": "4D36E972-E325-11CE-BFC1-08002BE10318",
"ClassName": "Net",
"HardwareIds": "\r\n\t\tPCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00\r\n\t\tPCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4\r\n\t\tPCI\\VEN_1AF4&DEV_1000&CC_020000\r\n\t\tPCI\\VEN_1AF4&DEV_1000&CC_0200\r\n\t\t\r\n\t\t",
"CompatibleIds": "\r\n\t\tPCI\\VEN_1AF4&DEV_1000&REV_00\r\n\t\tPCI\\VEN_1AF4&DEV_1000\r\n\t\tPCI\\VEN_1AF4&CC_020000\r\n\t\tPCI\\VEN_1AF4&CC_0200\r\n\t\tPCI\\VEN_1AF4\r\n\t\tPCI\\CC_020000\r\n\t\tPCI\\CC_0200\r\n\t\t\r\n\t\t",
"LocationInformation": "-"
},
"message": ""
}
References #
Event ID 6422: A device was enabled.
Description #
This event generates every time a specific device is enabled.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | SID of account that enabled the device. |
| SubjectUserName UnicodeString | The name of the account that enabled the device. |
| SubjectDomainName UnicodeString | Subject's domain or computer name. |
| SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| DeviceId UnicodeString | "Device instance path" attribute of device. |
| DeviceDescription UnicodeString | "Device description" attribute of device. |
| ClassId GUID | "Class Guid" attribute of device. |
| ClassName UnicodeString | Class Name. |
| HardwareIds UnicodeString | "Hardware Ids" attribute of device. |
| CompatibleIds UnicodeString | "Compatible Ids" attribute of device. |
| LocationInformation UnicodeString | "Location information" attribute of device. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 6422,
"version": 0,
"level": 0,
"task": 13316,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-11T06:32:01.861463+00:00",
"event_record_id": 2461246,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 3728
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "LAB-WIN11$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"DeviceId": "ROOT\\VMS_VSMP\\0000",
"DeviceDescription": "Hyper-V Virtual Switch Extension Adapter",
"ClassId": "4D36E972-E325-11CE-BFC1-08002BE10318",
"ClassName": "Net",
"HardwareIds": "\r\n\t\tvms_vsmp\r\n\t\t\r\n\t\t",
"CompatibleIds": "-",
"LocationInformation": "-"
},
"message": ""
}
Community Notes #
May indicate removable storage or network adapters being enabled to stage tools or exfiltrate data.
References #
Event ID 6423: The installation of this device is forbidden by system policy.
Description #
The installation of this device is forbidden by system policy.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | SID of account that forbids the device installation. |
| SubjectUserName UnicodeString | The name of the account that forbids the device installation. |
| SubjectDomainName UnicodeString | Subject's domain or computer name. |
| SubjectLogonId HexInt64 | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on." |
| DeviceId UnicodeString | "Device instance path" attribute of device. |
| DeviceDescription UnicodeString | "Device description" attribute of device. |
| ClassId GUID | "Class Guid" attribute of device. |
| ClassName UnicodeString | Class Name. |
| HardwareIds UnicodeString | "Hardware Ids" attribute of device. |
| CompatibleIds UnicodeString | "Compatible Ids" attribute of device. |
| LocationInformation UnicodeString | "Location information" attribute of device. |
Detection Rules #
Sigma #
- Device Installation Blocked (level: medium): Detects an installation of a device that is forbidden by the system policy.
References #
Event ID 6424: The installation of this device was allowed, after having previously been forbidden by policy.
Description #
The installation of this device was allowed, after having previously been forbidden by policy.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | [Subject] Security ID |
| SubjectUserName UnicodeString | [Subject] Account Name |
| SubjectDomainName UnicodeString | [Subject] Account Domain |
| SubjectLogonId HexInt64 | [Subject] Logon ID |
| DeviceId UnicodeString | Device ID |
| DeviceDescription UnicodeString | Device Name |
| ClassId GUID | Class ID |
| ClassName UnicodeString | Class Name |
| HardwareIds UnicodeString | Hardware IDs |
| CompatibleIds UnicodeString | Compatible IDs |
| LocationInformation UnicodeString | Location Information |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity
Event ID 6425: A network client used a legacy RPC method to modify authentication information on a trusted domain object.
Description #
A network client used a legacy RPC method to modify authentication information on a trusted domain object. The authentication information was encrypted with a legacy encryption algorithm. Consider upgrading the client operating system or application to use the latest and more secure version of this method.

Trusted Domain:
- Domain Name: TrustedDomainName
- Domain ID: TrustedDomainId

Modified By:
- Security ID: SubjectUserSid
- Account Name: SubjectUserName
- Account Domain: SubjectDomainName
- Logon ID: SubjectLogonId

Client Network Address: ClientNetworkAddress
RPC Method Name: LegacyRPCMethodName

For more information please see https://go.microsoft.com/fwlink/?linkid=2161080.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | [Modified By] Security ID |
| SubjectUserName UnicodeString | [Modified By] Account Name |
| SubjectDomainName UnicodeString | [Modified By] Account Domain |
| SubjectLogonId HexInt64 | [Modified By] Logon ID |
| TrustedDomainName UnicodeString | [Trusted Domain] Domain Name |
| TrustedDomainId SID | [Trusted Domain] Domain ID |
| ClientNetworkAddress UnicodeString | Client Network Address |
| LegacyRPCMethodName UnicodeString | RPC Method Name |
Event ID 6426: The volatile system access rights assigned to an account were modified.
Description #
The volatile system access rights assigned to an account were modified.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | SID of the account that performed the operation. |
| SubjectUserName UnicodeString | Account name of the subject. |
| SubjectDomainName UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
| TargetSid SID | |
| OriginalAccessRightsMask HexInt32 | |
| OriginalAccessRights UnicodeString | |
| GrantedAccessRightsMask HexInt32 | |
| GrantedAccessRights UnicodeString | |
| RemovedAccessRightsMask HexInt32 | |
| RemovedAccessRights UnicodeString | |
| FinalAccessRightsMask HexInt32 | |
| FinalAccessRights UnicodeString | |
Event ID 6427: System access right details for a successful logon.
Description #
System access right details for a successful logon.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | SID of the account that performed the operation. |
| SubjectUserName UnicodeString | Account name of the subject. |
| SubjectDomainName UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
| TargetUserSid SID | SID of the target account. |
| TargetUserName UnicodeString | Account name of the target. |
| TargetDomainName UnicodeString | Domain or machine name of the target account. |
| TargetLogonId HexInt64 | Logon session identifier (LUID) for the target. |
| LogonType UInt32 | Logon type code (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive). |
| SystemAccessRightRequiredForLogon UnicodeString | |
| SystemAccessRightRequiredForLogonUlong HexInt32 | |
| EventIndex UInt32 | |
| EventCountTotal UInt32 | |
| SystemAccessRightSidList UnicodeString | |
| LocalSystemAccessRightSidList UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 6427,
"version": 0,
"level": 0,
"task": 12555,
"opcode": 0,
"keywords": -9214364837600034816,
"time_created": "2026-05-30T02:02:20.8629342+00:00",
"event_record_id": 22242617,
"correlation": {},
"execution": {
"process_id": 1000,
"thread_id": 660
},
"channel": "Security",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "JD-DC01-2022$",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0x3e7",
"TargetUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"TargetUserName": "domainadmin",
"TargetDomainName": "ludus",
"TargetLogonId": "0x4cd67e15",
"LogonType": "3",
"SystemAccessRightRequiredForLogon": "SeNetworkLogonRight",
"SystemAccessRightRequiredForLogonUlong": "0x2",
"EventIndex": "1",
"EventCountTotal": "1",
"SystemAccessRightSidList": "\n\t\t%{S-1-1-0}\n\t\t%{S-1-5-32-554}\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-11}",
"LocalSystemAccessRightSidList": "-"
},
"message": "System access right details for a successful logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tJD-DC01-2022$\r\n\tAccount Domain:\t\tludus\r\n\tLogon ID:\t\t0x3E7\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tludus\r\n\tLogon ID:\t\t0x4CD67E15\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAllow right:\t\t\tSeNetworkLogonRight (0x2)\r\n\r\nEvent in sequence:\t\t1 of 1\r\n\r\nPolicy assignments:\t\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-554}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-11}\r\n\r\nLocal assignments:\t-\r\n\r\nAdditional details about this logon attempt may be found in the correlated 4624 event.\r\n\r\nFor more information please see https://go.microsoft.com/fwlink/?linkid=2305011."
}
Event ID 6428: System access right details for a failed logon that was explicitly denied.
Description #
System access right details for a failed logon that was explicitly denied.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | SID of the account that performed the operation. |
| SubjectUserName UnicodeString | Account name of the subject. |
| SubjectDomainName UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
| TargetUserSid SID | SID of the target account. |
| TargetUserName UnicodeString | Account name of the target. |
| TargetDomainName UnicodeString | Domain or machine name of the target account. |
| LogonType UInt32 | Logon type code (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive). |
| DenySystemAccessRight UnicodeString | |
| DenySystemAccessRightUlong HexInt32 | |
| EventIndex UInt32 | |
| EventCountTotal UInt32 | |
| DenySystemAccessRightsSidList UnicodeString | |
| DenyLocalSystemAccessRightsSidList UnicodeString | |
Event ID 6429: System access right details for a failed logon that was implicitly denied.
Description #
System access right details for a failed logon that was implicitly denied.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | SID of the account that performed the operation. |
| SubjectUserName UnicodeString | Account name of the subject. |
| SubjectDomainName UnicodeString | Domain or machine name of the subject account. |
| SubjectLogonId HexInt64 | Logon session identifier (LUID) for the subject. Correlates with logon events (4624). |
| TargetUserSid SID | SID of the target account. |
| TargetUserName UnicodeString | Account name of the target. |
| TargetDomainName UnicodeString | Domain or machine name of the target account. |
| LogonType UInt32 | Logon type code (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive). |
| AllowSystemAccessRight UnicodeString | |
| AllowSystemAccessRightUlong HexInt32 | |
Event ID 6430: A Windows Firewall policy was imported.
Event ID 8191: Highest System-Defined Audit Message Value.
Description #
Highest System-Defined Audit Message Value.
Message #
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 54849625-5478-4994-a5ba-3e3b0328c30d
Defined in adtschema.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893 · schema read from the registered manifest · binary version 10.0.20348.4163 · captured 2026-06-02
- Win11-26200.6584 · schema read from the registered manifest · binary version 10.0.26100.4484 · captured 2026-06-02
Downloads
- Microsoft-Windows-Security-Auditing registered manifest XML (WS2022-20348.4893) manifest-xml
- Microsoft-Windows-Security-Auditing registered manifest XML (Win11-26200.6584) manifest-xml