Microsoft-Windows-Security-Auditing
426 events across 1 channel
Event ID 412 — AD FS authentication failure.
Description
AD FS auditing event emitted on the federation server when an authentication attempt fails. Logged under the Security provider via AD FS audit policy; referenced by Sentinel ADFS rules.
Detection Patterns #
- Collection: Data from Local System: 1 rule (Kusto Query Language)
Event ID 501 — AD FS proxy authentication request.
Description
AD FS auditing event emitted when the federation proxy forwards an authentication request. Logged under the Security provider via AD FS audit policy; referenced by Sentinel ADFS rules.
Detection Patterns #
- Collection: Data from Local System: 1 rule (Kusto Query Language)
Event ID 675 — Pre-authentication failed (legacy Windows 2003 Kerberos event; superseded by 4771).
Description
Legacy Kerberos pre-authentication failure event from Windows 2003. Superseded by EventID 4771 in Vista+.
Event ID 4608 — Windows is starting up.
Description #
Windows is starting up.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4608,
"version": 0,
"level": 0,
"task": 12288,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:27.349587+00:00",
"event_record_id": 2754,
"correlation": {},
"execution": {
"process_id": 808,
"thread_id": 812
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4608
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4608
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4609 — Windows is shutting down.
Description
Windows is shutting down.
Message #
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4609
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4609
Event ID 4610 — An authentication package has been loaded by the Local Security Authority.
Description #
An authentication package has been loaded by the Local Security Authority.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| AuthenticationPackageName | UnicodeString | Authentication Package Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4610,
"version": 0,
"level": 0,
"task": 12289,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-04T13:11:13.483248+00:00",
"event_record_id": 25342,
"correlation": {
"ActivityID": "7377737E-4825-0000-C974-77732548D801"
},
"execution": {
"process_id": 612,
"thread_id": 616
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"AuthenticationPackageName": "C:\\Windows\\system32\\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4610
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4610
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4611 — A trusted logon process has been registered with the Local Security Authority.
Description #
A trusted logon process has been registered with the Local Security Authority.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| LogonProcessName | UnicodeString | [Subject] Logon Process Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4611,
"version": 0,
"level": 0,
"task": 12289,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-04T13:50:33.878854+00:00",
"event_record_id": 31791,
"correlation": {
"ActivityID": "7377737E-4825-0000-C974-77732548D801"
},
"execution": {
"process_id": 612,
"thread_id": 3232
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WIN-TKC15D7KHUR$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"LogonProcessName": "UserManager"
},
"message": ""
}
Community Notes #
May be seen when a process injects into LSASS.
Detection Rules #
Sigma #
- Register new Logon Process by Rubeus (high): Detects potential use of Rubeus via registered new trusted logon process
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4611
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4611
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4612 — Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
Description
Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| AuditsDiscarded | UInt32 | Number of audit messages discarded |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4612
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4612
Event ID 4614 — A notification package has been loaded by the Security Account Manager.
Description #
A notification package has been loaded by the Security Account Manager.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| NotificationPackageName | UnicodeString | Notification Package Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4614,
"version": 0,
"level": 0,
"task": 12289,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-04T13:11:13.532261+00:00",
"event_record_id": 25349,
"correlation": {
"ActivityID": "7377737E-4825-0000-C974-77732548D801"
},
"execution": {
"process_id": 612,
"thread_id": 616
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"NotificationPackageName": "scecli"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4614
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4614
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4615 — Invalid use of LPC port.
Description
Invalid use of LPC port.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Invalid_Use | UnicodeString | [Process Information] Invalid Use. |
| LPC_Server_Port_Name | UnicodeString | [Process Information] LPC Server Port Name. |
| PID | Pointer | [Process Information] PID. |
| Name | UnicodeString | [Process Information] Name. |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| InvalidCallName | UnicodeString | Invalid Use |
| ServerPortName | UnicodeString | LPC Server Port Name |
| ProcessId | Pointer | [Process Information] PID |
| ProcessName | UnicodeString | [Process Information] Name |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4615
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4615
Event ID 4616 — The system time was changed.
Description #
The system time was changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| PreviousTime | FILETIME | Previous Time |
| NewTime | FILETIME | New Time |
| ProcessId | Pointer | [Process Information] Process ID. |
| ProcessName | UnicodeString | [Process Information] Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4616,
"version": 1,
"level": 0,
"task": 12288,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-05T22:32:22.236565+00:00",
"event_record_id": 3458,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 52
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"PreviousTime": "2023-11-05T22:32:20.942615Z",
"NewTime": "2023-11-05T22:32:22.232000Z",
"ProcessId": "0xcec",
"ProcessName": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"
},
"message": ""
}
Detection Rules #
Sigma #
- Unauthorized System Time Modification (low): Detect scenarios where a potentially unauthorized application or user is modifying the system time.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4616
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4618 — A monitored security event pattern has occurred.
Description
A monitored security event pattern has occurred.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| EventId | UInt32 | [Alert Information] Event ID |
| ComputerName | UnicodeString | [Alert Information] Computer |
| TargetUserSid | SID | [Subject] Security ID |
| TargetUserName | UnicodeString | [Subject] Account Name |
| TargetUserDomain | UnicodeString | [Subject] Account Domain |
| TargetLogonId | HexInt64 | [Subject] Logon ID |
| EventCount | UInt32 | [Alert Information] Number of Events |
| Duration | UnicodeString | [Alert Information] Duration |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4618
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4618
Event ID 4621 — Administrator recovered system from CrashOnAuditFail.
Description
Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| CrashOnAuditFailValue | UnicodeString | Value of CrashOnAuditFail |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4621
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4621
Event ID 4622 — A security package has been loaded by the Local Security Authority.
Description #
A security package has been loaded by the Local Security Authority.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SecurityPackageName | UnicodeString | Security Package Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4622,
"version": 0,
"level": 0,
"task": 12289,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-04T13:11:13.482782+00:00",
"event_record_id": 25341,
"correlation": {
"ActivityID": "7377737E-4825-0000-C974-77732548D801"
},
"execution": {
"process_id": 612,
"thread_id": 616
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"SecurityPackageName": "C:\\Windows\\system32\\schannel.DLL : Microsoft Unified Security Protocol Provider"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4622
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4622
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4624 — An account was successfully logged on.
Description #
An account was successfully logged on.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. Indicates the account on the local system which requested the logon. |
| SubjectUserName | UnicodeString | [Subject] Account Name. Indicates the account on the local system which requested the logon. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. Indicates the account on the local system which requested the logon. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. Indicates the account on the local system which requested the logon. |
| TargetUserSid | SID | [New Logon] Security ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
| TargetUserName | UnicodeString | [New Logon] Account Name. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
| TargetDomainName | UnicodeString | [New Logon] Account Domain. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
| TargetLogonId | HexInt64 | [New Logon] Logon ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
| LogonType | UInt32 | [Logon Information] Logon Type. Indicates the kind of logon that occurred. Logon type reference |
| LogonProcessName | UnicodeString | [Detailed Authentication Information] Logon Process. Provides detailed information about this specific logon request. |
| AuthenticationPackageName | UnicodeString | [Detailed Authentication Information] Authentication Package. Provides detailed information about this specific logon request. |
| WorkstationName | UnicodeString | [Network Information] Workstation Name. Indicates where a remote logon request originated. |
| LogonGuid | GUID | [New Logon] Logon GUID. Is a unique identifier that can be used to correlate this event with a KDC event. |
| TransmittedServices | UnicodeString | [Detailed Authentication Information] Transited Services. Indicate which intermediate services have participated in this logon request. |
| LmPackageName | UnicodeString | [Detailed Authentication Information] Package Name (NTLM only). Indicates which sub-protocol was used among the NTLM protocols. |
| KeyLength | UInt32 | [Detailed Authentication Information] Key Length. Indicates the length of the generated session key. This will be 0 if no session key was requested. |
| ProcessId | Pointer | [Process Information] Process ID. |
| ProcessName | UnicodeString | [Process Information] Process Name. |
| IpAddress | UnicodeString | [Network Information] Source Network Address. Indicates where a remote logon request originated. |
| IpPort | UnicodeString | [Network Information] Source Port. Indicates where a remote logon request originated. |
| ImpersonationLevel | UnicodeString | [Logon Information] Impersonation Level. Indicates the extent to which a process in the logon session can impersonate. Known values |
| RestrictedAdminMode | UnicodeString | [Logon Information] Restricted Admin Mode. Known values |
| RemoteCredentialGuard | UnicodeString | [Logon Information] Remote Credential Guard. Known values |
| TargetOutboundUserName | UnicodeString | [New Logon] Network Account Name. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
| TargetOutboundDomainName | UnicodeString | [New Logon] Network Account Domain. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
| VirtualAccount | UnicodeString | [Logon Information] Virtual Account. Known values |
| TargetLinkedLogonId | HexInt64 | [New Logon] Linked Logon ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
| ElevatedToken | UnicodeString | [Logon Information] Elevated Token. Known values |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4624,
"version": 3,
"level": 0,
"task": 12544,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:52.440978+00:00",
"event_record_id": 2948,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 856
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"TargetUserSid": "S-1-5-18",
"TargetUserName": "SYSTEM",
"TargetDomainName": "NT AUTHORITY",
"TargetLogonId": "0x3e7",
"LogonType": 5,
"LogonProcessName": "Advapi ",
"AuthenticationPackageName": "Negotiate",
"WorkstationName": "-",
"LogonGuid": "00000000-0000-0000-0000-000000000000",
"TransmittedServices": "-",
"LmPackageName": "-",
"KeyLength": 0,
"ProcessId": "0x30c",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"IpAddress": "-",
"IpPort": "-",
"ImpersonationLevel": "%%1833",
"RestrictedAdminMode": "-",
"RemoteCredentialGuard": "-",
"TargetOutboundUserName": "-",
"TargetOutboundDomainName": "-",
"VirtualAccount": "%%1843",
"TargetLinkedLogonId": "0x0",
"ElevatedToken": "%%1842"
},
"message": ""
}
Detection Patterns #
- 11 rules: Splunk, Kusto Query Language
- 9 rules: Splunk, Kusto Query Language
- Credential Access: Brute Force: 8 rules (Splunk, Kusto Query Language, and others)
- Credential Access: LLMNR/NBT-NS Poisoning and SMB Relay: 8 rules (Elastic, Splunk, Kusto Query Language, and others)
- Credential Access: Password Spraying: 7 rules (Splunk, Kusto Query Language, and others)
- Relay Attack Against / Uses Authentication Normalization: 2 rules
- Uses Authentication Normalization: 1 rule
- Initial Access: Exploit Public-Facing Application: 1 rule
- Defense Evasion: Disable or Modify Tools: 1 rule (Kusto Query Language)
- Credential Access: DCSync: 1 rule (Kusto Query Language)
- Lateral Movement: Exploitation of Remote Services: 1 rule (Kusto Query Language)
Community Notes #
See the Logon Type Reference for a full breakdown of LogonType values and detection guidance.
Detection Rules #
Sigma #
- Potential Access Token Abuse (medium): Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".
- Admin User Remote Logon (low): Detect remote login by Administrator user (depending on internal pattern).
- DiagTrackEoP Default Login Username (critical): Detects the default "UserName" used by the DiagTrackEoP POC
- Successful Overpass the Hash Attempt (high): Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g. Mimikatz's sekurlsa::pth module.
- Pass the Hash Activity 2 (medium): Detects the attack technique pass the hash which is used to move laterally inside the network
- RDP Login from Localhost (high): RDP login with localhost source address may be a tunnelled login
- External Remote RDP Logon from Public IP (medium): Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
- External Remote SMB Logon from Public IP (high): Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
- Outgoing Logon with New Credentials (low): Detects logon events that specify new credentials
- Potential Privilege Escalation via Local Kerberos Relay over LDAP (high): Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
- RottenPotato Like Attack Pattern (high): Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
- Successful Account Login Via WMI (low): Detects successful logon attempts performed with WMI
Elastic #
- Potential Pass-the-Hash (PtH) Attempt (medium): Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.
- Potential Account Takeover - Mixed Logon Types (medium): Identifies a user account (often a service account) that normally logs in with high volume using one logon type suddenly showing successful logons using a different logon type with low count. This pattern may indicate account takeover or use of stolen credentials from a new context (e.g. interactive or network logon where only batch/service was expected).
- Process Creation via Secondary Logon (medium): Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.
- Potential Account Takeover - Logon from New Source IP (medium): Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover or use of stolen credentials from a new location.
Splunk #
- Unusual Number of Remote Endpoint Authentication Events: The following analytic identifies an unusual number of remote authentication attempts from a single source by leveraging Windows Event ID 4624, which logs successful account logons. It uses statistical analysis, specifically the 3-sigma rule, to detect deviations from normal behavior. This activity is significant for a SOC as it may indicate lateral movement, malware staging, or reconnaissance. If confirmed malicious, this behavior could allow an attacker to move laterally within the network, escalate privileges, or gather information for further attacks.
- Windows AD Replication Request Initiated by User Account: The following analytic detects a user account initiating an Active Directory replication request, indicative of a DCSync attack. It leverages EventCode 4662 from the Windows Security Event Log, focusing on specific object types and replication permissions. This activity is significant because it can allow an attacker with sufficient privileges to request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of the entire domain. Also matches Event ID 4662: An operation was performed on an object.
- Windows AD Replication Request Initiated from Unsanctioned Location: The following analytic identifies unauthorized Active Directory replication requests initiated from non-domain controller locations. It leverages EventCode 4662 to detect when a computer account with replication permissions creates a handle to domainDNS, filtering out known domain controller IP addresses. This activity is significant as it may indicate a DCSync attack, where an attacker with privileged access can request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access to sensitive information and potential full domain compromise. Also matches Event ID 4662: An operation was performed on an object.
- Windows AD Short Lived Domain Controller SPN Attribute: The following analytic detects the temporary addition of a global catalog SPN or a DRS RPC SPN to an Active Directory computer object, indicative of a potential DCShadow attack. This detection leverages EventCode 5136 from the `wineventlog_security` data source, focusing on specific SPN attribute changes. This activity is significant as DCShadow attacks allow attackers with privileged access to register rogue Domain Controllers, enabling unauthorized changes to the AD infrastructure. If confirmed malicious, this could lead to unauthorized replication of changes, including credentials and keys, compromising the entire domain's security. Also matches Event ID 5136: A directory service object was modified.
- Windows Kerberos Local Successful Logon: The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. It detects EventCode 4624 with LogonType 3 and source address 127.0.0.1, indicating a login to the built-in local Administrator account. This activity is significant as it may suggest a Kerberos relay attack, a method attackers use to escalate privileges. If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive systems, execute arbitrary code, or create new accounts in Active Directory, leading to potential system compromise.
- Windows Rapid Authentication On Multiple Hosts: The following analytic detects a source computer authenticating to 30 or more remote endpoints within a 5-minute timespan using Event ID 4624. This behavior is identified by analyzing Windows Event Logs for LogonType 3 events and counting unique target computers. Such activity is significant as it may indicate lateral movement or network share enumeration by an adversary. If confirmed malicious, this could lead to unauthorized access to multiple systems, potentially compromising sensitive data and escalating privileges within the network.
- Windows RDP Login Session Was Established: The following analytic detects instances where a successful Remote Desktop Protocol (RDP) login session was established, as indicated by Windows Security Event ID 4624 with Logon Type 10. This event confirms that a user has not only provided valid credentials but has also initiated a full interactive RDP session. It is a key indicator of successful remote access to a Windows system. When correlated with Event ID 1149, which logs RDP authentication success, this analytic helps distinguish between mere credential acceptance and actual session establishment, which is critical for effective monitoring and threat detection.
Kusto Query Language #
- Multiple RDP connections from Single System (low): 'Identifies when an RDP connection is made to multiple systems and above the normal connection count for the previous 7 days. Connections from the same system with the same account within the same day. RDP connections are indicated by the EventID 4624 with LogonType = 10'
- Rare RDP Connections (medium): 'Identifies when an RDP connection is new or rare related to any logon type by a given account today compared with the previous 14 days. RDP connections are indicated by the EventID 4624 with LogonType = 10'
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/evtx-4624-successful-logon.md
Event ID 4625 — An account failed to log on.
Description #
An account failed to log on.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Security_ID | | [Subject] Security ID. Indicates the account on the local system which requested the logon. |
| Account_Name | | [Subject] Account Name. Indicates the account on the local system which requested the logon. |
| Account_Domain | | [Subject] Account Domain. Indicates the account on the local system which requested the logon. |
| Logon_ID | | [Subject] Logon ID. Indicates the account on the local system which requested the logon. |
| Security_ID | | [Account For Which Logon Failed] Security ID. |
| Account_Name | | [Account For Which Logon Failed] Account Name. |
| Account_Domain | | [Account For Which Logon Failed] Account Domain. |
| Status | HexInt32 | [Failure Information] Status. NTSTATUS reference |
| Failure_Reason | | [Failure Information] Failure Reason. Known values |
| Sub_Status | | [Failure Information] Sub Status. NTSTATUS reference |
| Logon_Type | | [Subject] Logon Type. Indicates the account on the local system which requested the logon. Logon type reference |
| Logon_Process | | [Detailed Authentication Information] Logon Process. Provides detailed information about this specific logon request. |
| Authentication_Package | | [Detailed Authentication Information] Authentication Package. Provides detailed information about this specific logon request. |
| Workstation_Name | | [Network Information] Workstation Name. Indicates where a remote logon request originated. |
| Transited_Services | | [Detailed Authentication Information] Transited Services. Indicate which intermediate services have participated in this logon request. |
| Package_Name_NTLM_only | | [Detailed Authentication Information] Package Name (NTLM only). Indicates which sub-protocol was used among the NTLM protocols. |
| Key_Length | | [Detailed Authentication Information] Key Length. Indicates the length of the generated session key. This will be 0 if no session key was requested. |
| Caller_Process_ID | | [Process Information] Caller Process ID. Indicates which account and process on the system requested the logon. |
| Caller_Process_Name | | [Process Information] Caller Process Name. Indicates which account and process on the system requested the logon. |
| Source_Network_Address | | [Network Information] Source Network Address. Indicates where a remote logon request originated. |
| Source_Port | | [Network Information] Source Port. Indicates where a remote logon request originated. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4625,
"version": 0,
"level": 0,
"task": 12544,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2016-09-19T16:50:06.477878Z",
"event_record_id": 2455,
"correlation": {
"#attributes": {
"ActivityID": "B864D168-0B7B-0000-89D1-64B87B0BD201"
}
},
"execution": {
"process_id": 752,
"thread_id": 4068
},
"channel": "Security",
"computer": "DESKTOP-M5SN04R",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-0-0",
"SubjectUserName": "-",
"SubjectDomainName": "-",
"SubjectLogonId": "0x0",
"TargetUserSid": "S-1-0-0",
"TargetUserName": "JcDfcZTc",
"TargetDomainName": ".",
"Status": "0xc000006d",
"FailureReason": "%%2313",
"SubStatus": "0xc0000064",
"LogonType": 3,
"LogonProcessName": "NtLmSsp ",
"AuthenticationPackageName": "NTLM",
"WorkstationName": "6hgtmVlrrFuWtO65",
"TransmittedServices": "-",
"LmPackageName": "-",
"KeyLength": 0,
"ProcessId": "0x0",
"ProcessName": "-",
"IpAddress": "192.168.198.149",
"IpPort": "50249"
}
}
Detection Patterns #
- 11 rules: Splunk, Kusto Query Language
- 9 rules: Splunk, Kusto Query Language
- Credential Access: Brute Force (8 rules): Splunk, Kusto Query Language, and 1 more (4 total)
- Credential Access: LLMNR/NBT-NS Poisoning and SMB Relay (8 rules): Elastic, Splunk, Kusto Query Language, and 1 more (4 total)
- Credential Access: Password Spraying (7 rules): Splunk, Kusto Query Language, and 1 more (4 total)
- Relay Attack Against
- Uses Authentication Normalization (2 rules)
- Initial Access: Exploit Public-Facing Application (1 rule)
Community Notes #
The Status field indicates the top-level failure reason; SubStatus provides additional detail. When Status is 0xC000006D (generic logon failure), check SubStatus for the specific cause.
Kerberos result codes (Status, when authentication uses Kerberos):
| Code | Description |
|---|---|
| 0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN — invalid/non-existent user account |
| 0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN — requested server not found |
| 0xC | KDC_ERR_POLICY — policy restriction prohibited logon |
| 0x12 | KDC_ERR_CLIENT_REVOKED — account locked, disabled, or expired |
| 0x17 | KDC_ERR_KEY_EXPIRED — expired password |
| 0x18 | KDC_ERR_PREAUTH_FAILED — invalid password |
| 0x25 | KRB_AP_ERR_SKEW — clock skew too great between client and server |
NTSTATUS codes (Status and SubStatus):
| Code | Name | Description |
|---|---|---|
| 0xC000006D | STATUS_LOGON_FAILURE | Generic logon failure — check SubStatus for detail |
| 0xC0000064 | STATUS_NO_SUCH_USER | Non-existent account username |
| 0xC000006A | STATUS_WRONG_PASSWORD | Incorrect password (username correct) |
| 0xC000006E | STATUS_ACCOUNT_RESTRICTION | Account restriction prevented logon |
| 0xC000006C | STATUS_PASSWORD_RESTRICTION | Password does not meet policy requirements |
| 0xC000006F | STATUS_INVALID_LOGON_HOURS | Account not allowed to log on at this time |
| 0xC0000070 | STATUS_INVALID_WORKSTATION | Account not allowed to log on from this computer |
| 0xC0000071 | STATUS_PASSWORD_EXPIRED | Expired password |
| 0xC0000072 | STATUS_ACCOUNT_DISABLED | Disabled account |
| 0xC000005E | STATUS_NO_LOGON_SERVERS | No logon servers available |
| 0xC0000133 | STATUS_TIME_DIFFERENCE_AT_DC | Clock skew between client and DC too great |
| 0xC000015B | STATUS_LOGON_TYPE_NOT_GRANTED | Logon type not granted to this account |
| 0xC000018D | STATUS_TRUSTED_RELATIONSHIP_FAILURE | Trust relationship between domain and trusted domain failed |
| 0xC0000192 | STATUS_NETLOGON_NOT_STARTED | Netlogon service not started |
| 0xC0000193 | STATUS_ACCOUNT_EXPIRED | Expired account |
| 0xC0000224 | STATUS_PASSWORD_MUST_CHANGE | Password must change at next logon |
| 0xC0000234 | STATUS_ACCOUNT_LOCKED_OUT | Account locked out |
| 0xC0000388 | STATUS_DOWNGRADE_DETECTED | Kerberos/NTLM downgrade detected |
| 0xC0000413 | STATUS_AUTHENTICATION_FIREWALL_FAILED | Blocked by authentication policy/silo |
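A worked example of applying the two tables above when triaging 4625 events. This is an added example, not code from the page or from any of the referenced rule sources: it decodes `Status`/`SubStatus` with the NTSTATUS table from the notes (preferring `SubStatus` when `Status` is the generic `0xC000006D`), then aggregates failures per source address to surface the "many distinct accounts from one source" shape that the Splunk password-spraying rules referenced on this page look for. The function names (`explain_failure`, `spray_candidates`, `failure_profile`, `make_4625`) and the sample events are constructed for this illustration; the sample records copy only the JSON field layout of the example event above, and the threshold of 5 distinct users is a sample value (the Splunk rules use 30 over a time window).

```python
"""Triage Windows Security event 4625 (failed logon).

Added example (not from the page's sources): decodes Status/SubStatus with
the NTSTATUS table from the community notes and aggregates failures per
source address.  Sample events are constructed, modelled on the example
event's field layout.
"""
from __future__ import annotations

from collections import Counter, defaultdict

# NTSTATUS codes (name, description) as listed in the community notes.
NTSTATUS = {
    0xC000006D: ("STATUS_LOGON_FAILURE", "Generic logon failure - check SubStatus for detail"),
    0xC0000064: ("STATUS_NO_SUCH_USER", "Non-existent account username"),
    0xC000006A: ("STATUS_WRONG_PASSWORD", "Incorrect password (username correct)"),
    0xC000006E: ("STATUS_ACCOUNT_RESTRICTION", "Account restriction prevented logon"),
    0xC000006C: ("STATUS_PASSWORD_RESTRICTION", "Password does not meet policy requirements"),
    0xC000006F: ("STATUS_INVALID_LOGON_HOURS", "Account not allowed to log on at this time"),
    0xC0000070: ("STATUS_INVALID_WORKSTATION", "Account not allowed to log on from this computer"),
    0xC0000071: ("STATUS_PASSWORD_EXPIRED", "Expired password"),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", "Disabled account"),
    0xC000005E: ("STATUS_NO_LOGON_SERVERS", "No logon servers available"),
    0xC0000133: ("STATUS_TIME_DIFFERENCE_AT_DC", "Clock skew between client and DC too great"),
    0xC000015B: ("STATUS_LOGON_TYPE_NOT_GRANTED", "Logon type not granted to this account"),
    0xC000018D: ("STATUS_TRUSTED_RELATIONSHIP_FAILURE", "Trust relationship failed"),
    0xC0000192: ("STATUS_NETLOGON_NOT_STARTED", "Netlogon service not started"),
    0xC0000193: ("STATUS_ACCOUNT_EXPIRED", "Expired account"),
    0xC0000224: ("STATUS_PASSWORD_MUST_CHANGE", "Password must change at next logon"),
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", "Account locked out"),
    0xC0000388: ("STATUS_DOWNGRADE_DETECTED", "Kerberos/NTLM downgrade detected"),
    0xC0000413: ("STATUS_AUTHENTICATION_FIREWALL_FAILED", "Blocked by authentication policy/silo"),
}


def explain_failure(status: str, substatus: str) -> tuple:
    """Map the hex Status/SubStatus strings found in event_data to (name, description).

    STATUS_LOGON_FAILURE (0xC000006D) is generic: when it appears, SubStatus
    carries the actual cause and is preferred.  Unmapped codes are reported
    as UNKNOWN rather than guessed.
    """
    code, sub = int(status, 16), int(substatus, 16)
    if code == 0xC000006D and sub in NTSTATUS:
        return NTSTATUS[sub]
    return NTSTATUS.get(code, ("UNKNOWN", f"unmapped status {status} / substatus {substatus}"))


def make_4625(user: str, ip: str, status: str, substatus: str, logon_type: int = 3) -> dict:
    """Build a minimal 4625 record in the JSON shape used on this page (constructed sample)."""
    return {
        "system": {"event_id": 4625, "channel": "Security"},
        "event_data": {
            "TargetUserName": user, "Status": status, "SubStatus": substatus,
            "LogonType": logon_type, "IpAddress": ip, "LogonProcessName": "NtLmSsp ",
        },
    }


# Constructed sample: one source cycles through many accounts (a spray
# signature); another source is a single user mistyping a password until lockout.
SAMPLE_EVENTS = [
    make_4625("JcDfcZTc", "192.168.198.149", "0xc000006d", "0xc0000064"),
    make_4625("admin", "192.168.198.149", "0xc000006d", "0xc000006a"),
    make_4625("backup", "192.168.198.149", "0xc000006d", "0xc000006a"),
    make_4625("svc_sql", "192.168.198.149", "0xc000006d", "0xc000006a"),
    make_4625("jsmith", "192.168.198.149", "0xc000006d", "0xc000006a"),
    make_4625("test", "192.168.198.149", "0xc000006d", "0xc0000064"),
    make_4625("alice", "10.0.0.5", "0xc000006d", "0xc000006a"),
    make_4625("alice", "10.0.0.5", "0xc000006d", "0xc000006a"),
    make_4625("alice", "10.0.0.5", "0xc0000234", "0x0"),
]


def spray_candidates(events, min_users: int = 5) -> dict:
    """Sources that failed against at least `min_users` distinct accounts.

    Same shape as the Splunk "multiple users failed to authenticate" rules
    referenced on this page (they use 30 within a time window; 5 here for the
    sample).  Logon Type is not filtered, so local (2) and network (3) sprays both count.
    """
    users_by_src = defaultdict(set)
    for ev in events:
        if ev["system"]["event_id"] != 4625:
            continue
        d = ev["event_data"]
        users_by_src[d["IpAddress"]].add(d["TargetUserName"].lower())
    return {src: sorted(users) for src, users in users_by_src.items() if len(users) >= min_users}


def failure_profile(events, ip: str) -> Counter:
    """Count decoded failure reasons for one source.

    Mostly STATUS_NO_SUCH_USER means username guessing; mostly
    STATUS_WRONG_PASSWORD means real accounts are being hit.
    """
    profile = Counter()
    for ev in events:
        d = ev["event_data"]
        if ev["system"]["event_id"] == 4625 and d["IpAddress"] == ip:
            profile[explain_failure(d["Status"], d["SubStatus"])[0]] += 1
    return profile


if __name__ == "__main__":
    for src, users in spray_candidates(SAMPLE_EVENTS).items():
        print(f"{src}: {len(users)} distinct accounts -> {dict(failure_profile(SAMPLE_EVENTS, src))}")
```

On the sample, only `192.168.198.149` crosses the threshold, and its profile (two `STATUS_NO_SUCH_USER`, four `STATUS_WRONG_PASSWORD`) shows that most of the guessed names are real accounts, which is the case worth escalating; `10.0.0.5` decodes to one user reaching `STATUS_ACCOUNT_LOCKED_OUT`, the typical help-desk case.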
Detection Rules #
Sigma #
- Failed Logon From Public IP (medium): Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
Elastic #
- Privileged Accounts Brute Force (medium): Identifies multiple consecutive logon failures targeting more than one Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.
- Multiple Logon Failure from the same Source Address (medium): Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.
Splunk #
- Detect Password Spray Attempts: This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts from a single source. A password spray attack is a type of brute force attack where an attacker tries a few common passwords across many different accounts to avoid detection and account lockouts. By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing comprehensive coverage and enhancing security against these attacks.
- Windows Multiple Users Failed To Authenticate From Process: The following analytic detects a source process failing to authenticate with 30 unique users, indicating a potential Password Spraying attack. It leverages Windows Event 4625 with Logon Type 2, collected from domain controllers, member servers, and workstations. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or further compromise of the network, posing a severe security risk.
- Windows Multiple Users Remotely Failed To Authenticate From Host: The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. It leverages Windows Event 4625 with Logon Type 3, indicating remote authentication attempts. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges in an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information. This detection is crucial for real-time security monitoring and threat hunting.
- Windows Unusual Count Of Users Failed To Authenticate From Process: The following analytic identifies a source process failing to authenticate multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625, which logs failed logon attempts, and uses statistical analysis to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access, data exfiltration, or further lateral movement within the network.
- Windows Unusual Count Of Users Remotely Failed To Auth From Host: The following analytic identifies a source host failing to authenticate against a remote host with multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625 (failed logon attempts) and Logon Type 3 (remote authentication) to detect this behavior. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the network.
Kusto Query Language #
- Failed logon attempts by valid accounts within 10 mins (low): Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from a valid account.
- Excessive Windows Logon Failures (low): This query identifies user accounts which have over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/evtx-4625-failed-logon.md
Event ID 4626 — User / Device claims information.
Description
User / Device claims information.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| TargetUserSid | SID | [New Logon] Security ID |
| TargetUserName | UnicodeString | [New Logon] Account Name |
| TargetDomainName | UnicodeString | [New Logon] Account Domain |
| TargetLogonId | HexInt64 | [New Logon] Logon ID |
| LogonType | UInt32 | Logon Type. Logon type reference |
| EventIdx | UInt32 | Event in sequence (this event's index) |
| EventCountTotal | UInt32 | Total number of events in the sequence |
| UserClaims | UnicodeString | User Claims |
| DeviceClaims | UnicodeString | Device Claims |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4626
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-device-claims
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4626
Event ID 4627 — Group membership information.
Description
Group membership information.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. Indicates the account on the local system which requested the logon. |
| SubjectUserName | UnicodeString | [Subject] Account Name. Indicates the account on the local system which requested the logon. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. Indicates the account on the local system which requested the logon. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. Indicates the account on the local system which requested the logon. |
| TargetUserSid | SID | [New Logon] Security ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
| TargetUserName | UnicodeString | [New Logon] Account Name. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
| TargetDomainName | UnicodeString | [New Logon] Account Domain. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
| TargetLogonId | HexInt64 | [New Logon] Logon ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
| LogonType | UInt32 | [Subject] Logon Type. Indicates the account on the local system which requested the logon. Logon type reference |
| EventIdx | UInt32 | [New Logon] Event in sequence (this event's index). Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
| EventCountTotal | UInt32 | Total number of events in the sequence |
| GroupMembership | UnicodeString | [New Logon] Group Membership. Indicates the account for whom the new logon was created, i.e. the account that was logged on. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4627,
"version": 0,
"level": 0,
"task": 12554,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T02:00:32.200180+00:00",
"event_record_id": 310791,
"correlation": {
"ActivityID": "E4DB489E-1037-0001-0C49-DBE43710DA01"
},
"execution": {
"process_id": 808,
"thread_id": 16720
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"TargetUserSid": "S-1-5-18",
"TargetUserName": "SYSTEM",
"TargetDomainName": "NT AUTHORITY",
"TargetLogonId": "0x3e7",
"LogonType": 5,
"EventIdx": 1,
"EventCountTotal": 1,
"GroupMembership": "\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-16-16384}"
},
"message": ""
}
Community Notes #
Shows the full AD group list for every successful logon (useful to detect changes in privileges).
Detection Rules #
Splunk #
- Windows Domain Admin Impersonation Indicator: The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which logs account logon events. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. It's crucial to note that the accuracy and effectiveness of this detection heavily rely on the user's diligence in populating and regularly updating this lookup table. Any discrepancies between the event's GroupMembership and the lookup indicate potential ticket forging. Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges.
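The community note and the Splunk rule above both hinge on reading the `GroupMembership` field and comparing it against what the directory says. The following is an added example (not code from the page, Splunk, or Microsoft) that implements that comparison in Python: it parses the `%{SID}` entries exactly as they appear in the example event above, recognises the well-known privileged identifiers (BUILTIN\Administrators `S-1-5-32-544`, and the Domain Admins / Enterprise Admins RIDs 512 and 519 on a domain SID), and reports privileged SIDs that the lookup does not list for that account. The function names, the `EXPECTED_MEMBERSHIP` lookup, the `CORP` domain SID prefix and the second event are constructed for the illustration; the first event reuses the SIDs from the page's example.

```python
"""Compare event 4627 GroupMembership with an expected-membership lookup.

Added example, not part of the page or its referenced sources.  Parsing
follows the format visible in the example event ("%{SID}" entries separated
by CRLF and tabs).  The lookup, the CORP domain SID and the second event are
constructed for illustration.
"""
from __future__ import annotations

import re

# One "%{S-1-...}" entry per group in the token; keep only the SID.
SID_RE = re.compile(r"%\{(S-1-[\d-]+)\}")

# Well-known privileged identifiers (assumption: these are the groups the
# lookup is expected to track; extend per environment).
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
PRIVILEGED_DOMAIN_RIDS = {"512", "519"}  # Domain Admins, Enterprise Admins

# Constructed domain SID prefix for the sample (not a real domain).
CORP_DOMAIN_SID = "S-1-5-21-1000000000-2000000000-3000000000"

# Constructed lookup: account -> SIDs the directory actually lists for it.
EXPECTED_MEMBERSHIP = {
    "nt authority\\system": {"S-1-5-32-544", "S-1-1-0", "S-1-5-11", "S-1-16-16384"},
    "corp\\jdoe": {CORP_DOMAIN_SID + "-513", "S-1-1-0", "S-1-5-11"},  # Domain Users only
}

# Event 1 mirrors the page's example (SYSTEM logon, LogonType 5).
SAMPLE_SYSTEM_EVENT = {
    "system": {"event_id": 4627},
    "event_data": {
        "TargetUserName": "SYSTEM", "TargetDomainName": "NT AUTHORITY", "LogonType": 5,
        "GroupMembership": "\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-16-16384}",
    },
}

# Event 2 is constructed: the token carries Domain Admins (RID 512) although
# the lookup says jdoe is only a Domain User.
SAMPLE_JDOE_EVENT = {
    "system": {"event_id": 4627},
    "event_data": {
        "TargetUserName": "jdoe", "TargetDomainName": "CORP", "LogonType": 3,
        "GroupMembership": (
            "\r\n\t\t%{" + CORP_DOMAIN_SID + "-513}"
            "\r\n\t\t%{" + CORP_DOMAIN_SID + "-512}"
            "\r\n\t\t%{S-1-1-0}"
        ),
    },
}


def parse_group_membership(raw: str) -> list:
    """Extract the SIDs from a 4627 GroupMembership value, in logged order."""
    return SID_RE.findall(raw)


def is_privileged(sid: str) -> bool:
    """True for BUILTIN\\Administrators or a domain SID ending in a tracked RID."""
    if sid == BUILTIN_ADMINISTRATORS:
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in PRIVILEGED_DOMAIN_RIDS


def unexpected_privileged_groups(event: dict, expected: dict) -> list:
    """Privileged SIDs in the logged token that the lookup does not list.

    An account missing from the lookup entirely gets an empty expected set,
    so every privileged SID it carries is reported: a stale lookup shows up
    as noise rather than silence, which is the failure mode the rule text warns about.
    """
    d = event["event_data"]
    account = f"{d['TargetDomainName']}\\{d['TargetUserName']}".lower()
    known = expected.get(account, set())
    return [sid for sid in parse_group_membership(d["GroupMembership"])
            if is_privileged(sid) and sid not in known]


if __name__ == "__main__":
    for ev in (SAMPLE_SYSTEM_EVENT, SAMPLE_JDOE_EVENT):
        hits = unexpected_privileged_groups(ev, EXPECTED_MEMBERSHIP)
        print(ev["event_data"]["TargetUserName"], "->", hits or "ok")
```

Matching on domain prefix plus RID rather than on a fixed string lets the check work for any domain once `CORP_DOMAIN_SID` is replaced with the real one; group names are deliberately not used, since `GroupMembership` logs SIDs, not names.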
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4627
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-group-membership
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4627
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4634 — An account was logged off.
Description
An account was logged off.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserSid | SID | [Subject] Security ID. |
| TargetUserName | UnicodeString | [Subject] Account Name. |
| TargetDomainName | UnicodeString | [Subject] Account Domain. |
| TargetLogonId | HexInt64 | [Subject] Logon ID. |
| LogonType | UInt32 | [Subject] Logon Type. Logon type reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4634,
"version": 0,
"level": 0,
"task": 12545,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-10-25T22:56:14.242850+00:00",
"event_record_id": 2692,
"correlation": {},
"execution": {
"process_id": 824,
"thread_id": 880
},
"channel": "Security",
"computer": "WinDevEval",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserSid": "S-1-5-111-3847866527-469524349-687026318-516638107-1125189541-4560",
"TargetUserName": "sshd_4560",
"TargetDomainName": "VIRTUAL USERS",
"TargetLogonId": "0x41a49",
"LogonType": 5
},
"message": ""
}
Detection Patterns #
- 11 rules: Splunk, Kusto Query Language
- Uses Authentication Normalization
- Impact: Account Access Removal (1 rule)
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logoff
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4634
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4646 — notification
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| notification | UnicodeString | — |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4646
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4646
Event ID 4647 — User initiated logoff.
Description
User initiated logoff.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserSid | SID | [Subject] Security ID. |
| TargetUserName | UnicodeString | [Subject] Account Name. |
| TargetDomainName | UnicodeString | [Subject] Account Domain. |
| TargetLogonId | HexInt64 | [Subject] Logon ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4647,
"version": 0,
"level": 0,
"task": 12545,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-05T22:31:33.526113+00:00",
"event_record_id": 3363,
"correlation": {
"ActivityID": "59A0D65F-1037-0001-A7D6-A0593710DA01"
},
"execution": {
"process_id": 808,
"thread_id": 8392
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"TargetUserName": "User",
"TargetDomainName": "WINDEV2310EVAL",
"TargetLogonId": "0x580c6"
},
"message": ""
}
Detection Patterns #
- Uses Authentication Normalization
- Impact: Account Access Removal (1 rule)
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logoff
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4647
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4648 — A logon was attempted using explicit credentials.
Description
A logon was attempted using explicit credentials.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| LogonGuid | GUID | [Subject] Logon GUID. |
| TargetUserName | UnicodeString | [Account Whose Credentials Were Used] Account Name. |
| TargetDomainName | UnicodeString | [Account Whose Credentials Were Used] Account Domain. |
| TargetLogonGuid | GUID | [Account Whose Credentials Were Used] Logon GUID. |
| TargetServerName | UnicodeString | [Target Server] Target Server Name. |
| TargetInfo | UnicodeString | [Target Server] Additional Information. |
| ProcessId | Pointer | [Process Information] Process ID. |
| ProcessName | UnicodeString | [Process Information] Process Name. |
| IpAddress | UnicodeString | [Network Information] Network Address. |
| IpPort | UnicodeString | [Network Information] Port. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4648,
"version": 0,
"level": 0,
"task": 12544,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:29.161457+00:00",
"event_record_id": 2767,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 856
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"LogonGuid": "00000000-0000-0000-0000-000000000000",
"TargetUserName": "DWM-1",
"TargetDomainName": "Window Manager",
"TargetLogonGuid": "00000000-0000-0000-0000-000000000000",
"TargetServerName": "localhost",
"TargetInfo": "localhost",
"ProcessId": "0x2e0",
"ProcessName": "C:\\Windows\\System32\\winlogon.exe",
"IpAddress": "-",
"IpPort": "-"
},
"message": ""
}
Detection Patterns #
- Uses Authentication Normalization
- Initial Access: Exploit Public-Facing Application (1 rule)
Community Notes #
Logon with explicit credentials (RunAs, SchTasks, Pass-the-Hash, WinRM, SMB). May appear when an NTLM relayed session is used to create a service/task. Useful with 4624 (successful logon)/4634 (logoff completed) for reconstructing interactive or service logons.
Detection Rules #
Sigma #
- Suspicious Remote Logon with Explicit Credentials (medium): Detects suspicious processes logging on with explicit credentials
Splunk #
- Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials: The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. It leverages Windows Event 4648, which is generated when a process attempts an account logon by explicitly specifying account credentials. This detection is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.
- Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials: The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. It leverages Windows Event Code 4648 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4648
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/evtx-4648-explicit-credentials.md
Event ID 4649 — A replay attack was detected.
Description
A replay attack was detected.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Account_Name | UnicodeString | [Credentials Which Were Replayed] Account Name. |
| Account_Domain | UnicodeString | [Credentials Which Were Replayed] Account Domain. |
| Request_Type | UnicodeString | [Detailed Authentication Information] Request Type. |
| Logon_Process | UnicodeString | [Detailed Authentication Information] Logon Process. |
| Authentication_Package | UnicodeString | [Detailed Authentication Information] Authentication Package. |
| Workstation_Name | UnicodeString | [Network Information] Workstation Name. |
| Transited_Services | UnicodeString | [Detailed Authentication Information] Transited Services. |
| Process_ID | Pointer | [Process Information] Process ID. |
| Process_Name | UnicodeString | [Process Information] Process Name. |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| TargetUserName | UnicodeString | [Credentials Which Were Replayed] Account Name |
| TargetDomainName | UnicodeString | [Credentials Which Were Replayed] Account Domain |
| RequestType | UnicodeString | [Detailed Authentication Information] Request Type |
| LogonProcessName | UnicodeString | [Detailed Authentication Information] Logon Process |
| AuthenticationPackage | UnicodeString | [Detailed Authentication Information] Authentication Package |
| WorkstationName | UnicodeString | [Network Information] Workstation Name |
| TransmittedServices | UnicodeString | [Detailed Authentication Information] Transited Services |
| ProcessId | Pointer | [Process Information] Process ID |
| ProcessName | UnicodeString | [Process Information] Process Name |
Community Notes #
Alerts when a copied ticket is reused.
Detection Rules #
Sigma #
- Replay Attack Detected (high): Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4649
Event ID 4650 — An IPsec main mode security association was established.
Description
An IPsec main mode security association was established. Extended mode was not enabled. Certificate authentication was not used.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Principal_Name | UnicodeString | [Local Endpoint] Principal Name. |
| Principal_Name | UnicodeString | [Remote Endpoint] Principal Name. |
| Network_Address | UnicodeString | [Local Endpoint] Network Address. |
| Keying_Module_Port | UInt32 | [Local Endpoint] Keying Module Port. |
| Network_Address | UnicodeString | [Remote Endpoint] Network Address. |
| Keying_Module_Port | UInt32 | [Remote Endpoint] Keying Module Port. |
| Keying_Module_Name | UnicodeString | [Additional Information] Keying Module Name. |
| Authentication_Method | UnicodeString | [Additional Information] Authentication Method. |
| Cipher_Algorithm | UnicodeString | [Cryptographic Information] Cipher Algorithm. |
| Integrity_Algorithm | UnicodeString | [Cryptographic Information] Integrity Algorithm. |
| DiffieHellman_Group | UnicodeString | [Cryptographic Information] Diffie-Hellman Group. |
| Lifetime_minutes | UInt32 | [Security Association Information] Lifetime (minutes). |
| Quick_Mode_Limit | UInt32 | [Security Association Information] Quick Mode Limit. |
| Role | UnicodeString | [Additional Information] Role. |
| Impersonation_State | UnicodeString | [Additional Information] Impersonation State. |
| Main_Mode_Filter_ID | UInt64 | [Additional Information] Main Mode Filter ID. |
| Main_Mode_SA_ID | UInt64 | [Security Association Information] Main Mode SA ID. |
| LocalMMPrincipalName | UnicodeString | [Local Endpoint] Principal Name |
| RemoteMMPrincipalName | UnicodeString | [Remote Endpoint] Principal Name |
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalKeyModPort | UInt32 | [Local Endpoint] Keying Module Port |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteKeyModPort | UInt32 | [Remote Endpoint] Keying Module Port |
| KeyModName | UnicodeString | [Additional Information] Keying Module Name |
| MMAuthMethod | UnicodeString | [Additional Information] Authentication Method |
| MMCipherAlg | UnicodeString | [Cryptographic Information] Cipher Algorithm |
| MMIntegrityAlg | UnicodeString | [Cryptographic Information] Integrity Algorithm |
| DHGroup | UnicodeString | [Cryptographic Information] Diffie-Hellman Group |
| MMLifetime | UInt32 | [Security Association Information] Lifetime (minutes) |
| QMLimit | UInt32 | [Security Association Information] Quick Mode Limit |
| MMImpersonationState | UnicodeString | [Additional Information] Impersonation State |
| MMFilterID | UInt64 | [Additional Information] Main Mode Filter ID |
| MMSAID | UInt64 | [Security Association Information] Main Mode SA ID |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4650
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4650
Event ID 4651 — An IPsec main mode security association was established.
Description
An IPsec main mode security association was established. Extended mode was not enabled. A certificate was used for authentication.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Principal_Name | UnicodeString | [Local Endpoint] Principal Name. |
| SHA_Thumbprint | UnicodeString | [Local Certificate] SHA Thumbprint. |
| Issuing_CA | UnicodeString | [Local Certificate] Issuing CA. |
| Root_CA | UnicodeString | [Local Certificate] Root CA. |
| Principal_Name | UnicodeString | [Remote Endpoint] Principal Name. |
| SHA_thumbprint | UnicodeString | [Remote Certificate] SHA thumbprint. |
| Issuing_CA | UnicodeString | [Remote Certificate] Issuing CA. |
| Root_CA | UnicodeString | [Remote Certificate] Root CA. |
| Network_Address | UnicodeString | [Local Endpoint] Network Address. |
| Keying_Module_Port | UInt32 | [Local Endpoint] Keying Module Port. |
| Network_Address | UnicodeString | [Remote Endpoint] Network Address. |
| Keying_Module_Port | UInt32 | [Remote Endpoint] Keying Module Port. |
| Keying_Module_Name | UnicodeString | [Additional Information] Keying Module Name. |
| Authentication_Method | UnicodeString | [Additional Information] Authentication Method. |
| Cipher_Algorithm | UnicodeString | [Cryptographic Information] Cipher Algorithm. |
| Integrity_Algorithm | UnicodeString | [Cryptographic Information] Integrity Algorithm. |
| DiffieHellman_Group | UnicodeString | [Cryptographic Information] Diffie-Hellman Group. |
| Lifetime_minutes | UInt32 | [Security Association Information] Lifetime (minutes). |
| Quick_Mode_Limit | UInt32 | [Security Association Information] Quick Mode Limit. |
| Role | UnicodeString | [Additional Information] Role. |
| Impersonation_State | UnicodeString | [Additional Information] Impersonation State. |
| Main_Mode_Filter_ID | UInt64 | [Additional Information] Main Mode Filter ID. |
| Main_Mode_SA_ID | UInt64 | [Security Association Information] Main Mode SA ID. |
| LocalMMPrincipalName | UnicodeString | [Local Endpoint] Principal Name |
| LocalMMCertHash | UnicodeString | [Local Certificate] SHA Thumbprint |
| LocalMMIssuingCA | UnicodeString | [Local Certificate] Issuing CA |
| LocalMMRootCA | UnicodeString | [Local Certificate] Root CA |
| RemoteMMPrincipalName | UnicodeString | [Remote Endpoint] Principal Name |
| RemoteMMCertHash | UnicodeString | [Remote Certificate] SHA thumbprint |
| RemoteMMIssuingCA | UnicodeString | [Remote Certificate] Issuing CA |
| RemoteMMRootCA | UnicodeString | [Remote Certificate] Root CA |
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalKeyModPort | UInt32 | [Local Endpoint] Keying Module Port |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteKeyModPort | UInt32 | [Remote Endpoint] Keying Module Port |
| KeyModName | UnicodeString | [Additional Information] Keying Module Name |
| MMAuthMethod | UnicodeString | [Additional Information] Authentication Method |
| MMCipherAlg | UnicodeString | [Cryptographic Information] Cipher Algorithm |
| MMIntegrityAlg | UnicodeString | [Cryptographic Information] Integrity Algorithm |
| DHGroup | UnicodeString | [Cryptographic Information] Diffie-Hellman Group |
| MMLifetime | UInt32 | [Security Association Information] Lifetime (minutes) |
| QMLimit | UInt32 | [Security Association Information] Quick Mode Limit |
| MMImpersonationState | UnicodeString | [Additional Information] Impersonation State |
| MMFilterID | UInt64 | [Additional Information] Main Mode Filter ID |
| MMSAID | UInt64 | [Security Association Information] Main Mode SA ID |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4651
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4651
Event ID 4652 — An IPsec main mode negotiation failed.
Description
An IPsec main mode negotiation failed. This variant carries the local and remote certificate fields (SHA thumbprint, issuing CA, root CA), so it is the form logged when certificate authentication was in use; 4653 is the form without certificate information.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Principal_Name | UnicodeString | [Local Endpoint] Principal Name. |
| SHA_Thumbprint | UnicodeString | [Local Certificate] SHA Thumbprint. |
| Issuing_CA | UnicodeString | [Local Certificate] Issuing CA. |
| Root_CA | UnicodeString | [Local Certificate] Root CA. |
| Principal_Name | UnicodeString | [Remote Endpoint] Principal Name. |
| SHA_thumbprint | UnicodeString | [Remote Certificate] SHA thumbprint. |
| Issuing_CA | UnicodeString | [Remote Certificate] Issuing CA. |
| Root_CA | UnicodeString | [Remote Certificate] Root CA. |
| Network_Address | UnicodeString | [Local Endpoint] Network Address. |
| Keying_Module_Port | UInt32 | [Local Endpoint] Keying Module Port. |
| Network_Address | UnicodeString | [Remote Endpoint] Network Address. |
| Keying_Module_Port | UInt32 | [Remote Endpoint] Keying Module Port. |
| Keying_Module_Name | UnicodeString | [Additional Information] Keying Module Name. |
| Failure_Point | UnicodeString | [Failure Information] Failure Point. |
| Failure_Reason | UnicodeString | [Failure Information] Failure Reason. Known values |
| Authentication_Method | UnicodeString | [Additional Information] Authentication Method. |
| State | UnicodeString | [Failure Information] State. |
| Role | UnicodeString | [Additional Information] Role. |
| Impersonation_State | UnicodeString | [Additional Information] Impersonation State. |
| Main_Mode_Filter_ID | UInt64 | [Additional Information] Main Mode Filter ID. |
| Initiator_Cookie | UnicodeString | [Failure Information] Initiator Cookie. |
| Responder_Cookie | UnicodeString | [Failure Information] Responder Cookie. |
| LocalMMPrincipalName | UnicodeString | [Local Endpoint] Principal Name |
| LocalMMCertHash | UnicodeString | [Local Certificate] SHA Thumbprint |
| LocalMMIssuingCA | UnicodeString | [Local Certificate] Issuing CA |
| LocalMMRootCA | UnicodeString | [Local Certificate] Root CA |
| RemoteMMPrincipalName | UnicodeString | [Remote Endpoint] Principal Name |
| RemoteMMCertHash | UnicodeString | [Remote Certificate] SHA thumbprint |
| RemoteMMIssuingCA | UnicodeString | [Remote Certificate] Issuing CA |
| RemoteMMRootCA | UnicodeString | [Remote Certificate] Root CA |
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalKeyModPort | UInt32 | [Local Endpoint] Keying Module Port |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteKeyModPort | UInt32 | [Remote Endpoint] Keying Module Port |
| KeyModName | UnicodeString | [Additional Information] Keying Module Name |
| FailurePoint | UnicodeString | [Failure Information] Failure Point |
| FailureReason | UnicodeString | [Failure Information] Failure Reason. Known values |
| MMAuthMethod | UnicodeString | [Additional Information] Authentication Method |
| MMImpersonationState | UnicodeString | [Additional Information] Impersonation State |
| MMFilterID | UInt64 | [Additional Information] Main Mode Filter ID |
| InitiatorCookie | UnicodeString | [Failure Information] Initiator Cookie |
| ResponderCookie | UnicodeString | [Failure Information] Responder Cookie |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4652
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4652
Event ID 4653 — An IPsec main mode negotiation failed.
Description
An IPsec main mode negotiation failed. Unlike 4652, this variant carries no certificate fields; Failure Point and Failure Reason say where and why the negotiation stopped (in the example below, a policy change invalidated security associations formed under the old policy).
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalMMPrincipalName | UnicodeString | [Local Endpoint] Local Principal Name |
| RemoteMMPrincipalName | UnicodeString | [Remote Endpoint] Principal Name |
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalKeyModPort | UInt32 | [Local Endpoint] Keying Module Port |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteKeyModPort | UInt32 | [Remote Endpoint] Keying Module Port |
| KeyModName | UnicodeString | [Additional Information] Keying Module Name |
| FailurePoint | UnicodeString | [Failure Information] Failure Point |
| FailureReason | UnicodeString | [Failure Information] Failure Reason. Known values |
| MMAuthMethod | UnicodeString | [Additional Information] Authentication Method |
| State | UnicodeString | [Failure Information] State. |
| Role | UnicodeString | [Additional Information] Role. |
| MMImpersonationState | UnicodeString | [Additional Information] Impersonation State |
| MMFilterID | UInt64 | [Additional Information] Main Mode Filter ID |
| InitiatorCookie | UnicodeString | [Failure Information] Initiator Cookie |
| ResponderCookie | UnicodeString | [Failure Information] Responder Cookie |
| Local_Principal_Name | UnicodeString | [Local Endpoint] Local Principal Name. |
| Principal_Name | UnicodeString | [Remote Endpoint] Principal Name. |
| Network_Address | UnicodeString | [Local Endpoint] Network Address. |
| Keying_Module_Port | UInt32 | [Local Endpoint] Keying Module Port. |
| Keying_Module_Name | UnicodeString | [Additional Information] Keying Module Name. |
| Failure_Point | UnicodeString | [Failure Information] Failure Point. |
| Failure_Reason | UnicodeString | [Failure Information] Failure Reason. Known values |
| Authentication_Method | UnicodeString | [Additional Information] Authentication Method. |
| Impersonation_State | UnicodeString | [Additional Information] Impersonation State. |
| Main_Mode_Filter_ID | UInt64 | [Additional Information] Main Mode Filter ID. |
| Initiator_Cookie | UnicodeString | [Failure Information] Initiator Cookie. |
| Responder_Cookie | UnicodeString | [Failure Information] Responder Cookie. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4653,
"version": 0,
"level": 0,
"task": 12547,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2026-03-13T23:09:45.572614+00:00",
"event_record_id": 16633999,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 13940
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"LocalMMPrincipalName": "-",
"RemoteMMPrincipalName": "-",
"LocalAddress": "10.2.10.11",
"LocalKeyModPort": 500,
"RemoteAddress": "10.2.20.41",
"RemoteKeyModPort": 500,
"KeyModName": "%%8223",
"FailurePoint": "%%8199",
"FailureReason": "New policy invalidated SAs formed with old policy\r\n",
"MMAuthMethod": "%%8194",
"State": "%%8202",
"Role": "%%8205",
"MMImpersonationState": "%%8217",
"MMFilterID": 72917,
"InitiatorCookie": "abd97649c27753ac",
"ResponderCookie": "0000000000000000"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4653
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4653
Event ID 4654 — An IPsec quick mode negotiation failed.
Description
An IPsec quick mode negotiation failed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Network_Address | UnicodeString | [Local Endpoint] Network Address. |
| Network_Address_mask | UnicodeString | [Local Endpoint] Network Address mask. |
| Port | UInt32 | [Local Endpoint] Port. |
| Tunnel_Endpoint | UnicodeString | [Local Endpoint] Tunnel Endpoint. |
| Network_Address | UnicodeString | [Remote Endpoint] Network Address. |
| Address_Mask | UnicodeString | [Remote Endpoint] Address Mask. |
| Port | UInt32 | [Remote Endpoint] Port. |
| Tunnel_Endpoint | UnicodeString | [Remote Endpoint] Tunnel Endpoint. |
| Protocol | UInt32 | [Additional Information] Protocol. Known values |
| Private_Address | UnicodeString | [Remote Endpoint] Private Address. |
| Keying_Module_Name | UnicodeString | [Additional Information] Keying Module Name. |
| Failure_Point | UnicodeString | [Failure Information] Failure Point. |
| Failure_Reason | UnicodeString | [Failure Information] Failure Reason. Known values |
| Mode | UnicodeString | [Additional Information] Mode. |
| State | UnicodeString | [Failure Information] State. |
| Role | UnicodeString | [Additional Information] Role. |
| Message_ID | UInt32 | [Failure Information] Message ID. |
| Quick_Mode_Filter_ID | UInt64 | [Additional Information] Quick Mode Filter ID. |
| Main_Mode_SA_ID | UInt64 | [Additional Information] Main Mode SA ID. |
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalAddressMask | UnicodeString | [Local Endpoint] Network Address mask |
| LocalPort | UInt32 | [Local Endpoint] Port |
| LocalTunnelEndpoint | UnicodeString | [Local Endpoint] Tunnel Endpoint |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteAddressMask | UnicodeString | [Remote Endpoint] Address Mask |
| RemotePort | UInt32 | [Remote Endpoint] Port |
| RemoteTunnelEndpoint | UnicodeString | [Remote Endpoint] Tunnel Endpoint |
| RemotePrivateAddress | UnicodeString | [Remote Endpoint] Private Address |
| KeyModName | UnicodeString | [Additional Information] Keying Module Name |
| FailurePoint | UnicodeString | [Failure Information] Failure Point |
| FailureReason | UnicodeString | [Failure Information] Failure Reason. Known values |
| MessageID | UInt32 | [Failure Information] Message ID |
| QMFilterID | UInt64 | [Additional Information] Quick Mode Filter ID |
| MMSAID | UInt64 | [Additional Information] Main Mode SA ID |
| TunnelId | UInt64 | [Additional Information] Virtual Interface Tunnel ID |
| TrafficSelectorId | UInt64 | [Additional Information] Traffic Selector ID |
References #
Event ID 4655 — An IPsec main mode security association ended.
Description
An IPsec main mode security association ended.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Local_Network_Address | UnicodeString | Local Network Address |
| Remote_Network_Address | UnicodeString | Remote Network Address |
| Keying_Module_Name | UnicodeString | Keying Module Name |
| Main_Mode_SA_ID | UInt64 | Main Mode SA ID |
| LocalAddress | UnicodeString | Local Network Address |
| RemoteAddress | UnicodeString | Remote Network Address |
| KeyModName | UnicodeString | Keying Module Name |
| MMSAID | UInt64 | Main Mode SA ID |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4655
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4655
Event ID 4656 — A handle to an object was requested.
Description
A handle to an object was requested.
Message #
Fields #
| Name | Description |
|---|---|
| Security_ID | [Subject] Security ID. |
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
| Object_Server | [Object] Object Server. |
| Object_Type | [Object] Object Type. |
| Object_Name | [Object] Object Name. |
| Handle_ID | [Object] Handle ID. |
| Resource_Attributes | [Object] Resource Attributes (ResourceAttributes in the version 1 event XML, as in the example below). |
| Transaction_ID | [Access Request Information] Transaction ID. |
| Accesses | [Access Request Information] Accesses. |
| Access_Reasons | [Access Request Information] Access Reasons (AccessReason in the event XML). |
| Access_Mask | [Access Request Information] Access Mask. Access mask reference |
| PrivilegesUsedForAccessCheck | [Access Request Information] Privileges Used for Access Check. Privilege constants reference |
| Restricted_SID_Count | [Access Request Information] Restricted SID Count. |
| Process_ID | [Process Information] Process ID. |
| Process_Name | [Process Information] Process Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4656,
"version": 1,
"level": 0,
"task": 12802,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2020-03-08T22:11:34.340479Z",
"event_record_id": 314461,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 160
},
"channel": "Security",
"computer": "MSEDGEWIN10",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-3461203602-4096304019-2269080069-1000",
"SubjectUserName": "IEUser",
"SubjectDomainName": "MSEDGEWIN10",
"SubjectLogonId": "0x33392",
"ObjectServer": "Security",
"ObjectType": "Process",
"ObjectName": "\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe",
"HandleId": "0x558",
"TransactionId": "00000000-0000-0000-0000-000000000000",
"AccessList": "%%1537\r\n\t\t\t\t%%1538\r\n\t\t\t\t%%1539\r\n\t\t\t\t%%1540\r\n\t\t\t\t%%1541\r\n\t\t\t\t%%4480\r\n\t\t\t\t%%4481\r\n\t\t\t\t%%4482\r\n\t\t\t\t%%4483\r\n\t\t\t\t%%4484\r\n\t\t\t\t%%4485\r\n\t\t\t\t%%4486\r\n\t\t\t\t%%4487\r\n\t\t\t\t%%4488\r\n\t\t\t\t%%4489\r\n\t\t\t\t%%4490\r\n\t\t\t\t%%4491\r\n\t\t\t\t%%4492\r\n\t\t\t\t%%4493\r\n\t\t\t\t",
"AccessReason": "-",
"AccessMask": "0x1f3fff",
"PrivilegeList": "-",
"RestrictedSidCount": 0,
"ProcessId": "0x1688",
"ProcessName": "C:\\Windows\\System32\\cscript.exe",
"ResourceAttributes": "-"
}
}
Detection Patterns #
Registry Keys Access
10 rules
Sigma
1 rule
Defense Evasion: Disable or Modify Tools
1 rule
Kusto Query Language
Community Notes #
Combined with 4663 (which records the access actually exercised on the handle), this event can reveal bulk reads of sensitive shares before data exfiltration.
The bit names below assume File access rights (the most common context). The object-specific low bits (0x0001–0xFFFF) of AccessMask mean different things depending on the ObjectType string of the event (File, Key, Process, Service, ...), so a rule that looks for PROCESS_VM_READ must also test ObjectType. Common alternatives:
| Bit | File | Key (registry) | Process | Service |
|---|---|---|---|---|
| 0x01 | ReadData / ListDirectory | KEY_QUERY_VALUE | PROCESS_TERMINATE | SERVICE_QUERY_CONFIG |
| 0x02 | WriteData / AddFile | KEY_SET_VALUE | PROCESS_CREATE_THREAD | SERVICE_CHANGE_CONFIG |
| 0x04 | AppendData / AddSubDir | KEY_CREATE_SUB_KEY | PROCESS_SET_SESSIONID | SERVICE_QUERY_STATUS |
| 0x08 | ReadEA | KEY_ENUMERATE_SUB_KEYS | PROCESS_VM_OPERATION | SERVICE_ENUMERATE_DEPENDENTS |
| 0x10 | WriteEA | KEY_NOTIFY | PROCESS_VM_READ | SERVICE_START |
| 0x20 | Execute / Traverse | KEY_CREATE_LINK | PROCESS_VM_WRITE | SERVICE_STOP |
Standard rights are shared across all types: DELETE (0x10000), READ_CONTROL (0x20000), WRITE_DAC (0x40000), WRITE_OWNER (0x80000), SYNCHRONIZE (0x100000).
Detection Rules #
Sigma #
- SAM Registry Hive Handle Request (level: high): Detects handles requested to SAM registry hive
- SCM Database Handle Failure (level: medium): Detects non-system users failing to get a handle of the SCM database.
- Password Dumper Activity on LSASS (level: high): Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
Elastic #
- LSASS Memory Dump Handle Access (level: medium): Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4656
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4657 — A registry value was modified.
Description
A registry value was modified.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| ObjectName | UnicodeString | [Object] Object Name. |
| ObjectValueName | UnicodeString | [Object] Object Value Name. |
| HandleId | Pointer | [Object] Handle ID. |
| OperationType | UnicodeString | [Object] Operation Type. Known values: %%1904 new registry value created, %%1905 existing registry value modified, %%1906 registry value deleted. |
| OldValueType | UnicodeString | [Change Information] Old Value Type. Known values (registry value types; %%1875 in the example is REG_BINARY) |
| OldValue | UnicodeString | [Change Information] Old Value. |
| NewValueType | UnicodeString | [Change Information] New Value Type. Known values |
| NewValue | UnicodeString | [Change Information] New Value. |
| ProcessId | Pointer | [Process Information] Process ID. |
| ProcessName | UnicodeString | [Process Information] Process Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4657,
"version": 0,
"level": 0,
"task": 12801,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T01:45:45.086232+00:00",
"event_record_id": 292511,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 12116
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E",
"ObjectValueName": "Blob",
"HandleId": "0x1994",
"OperationType": "%%1905",
"OldValueType": "%%1875",
"OldValue": "%%1800",
"NewValueType": "%%1875",
"NewValue": "%%1800",
"ProcessId": "0x328",
"ProcessName": "C:\\Windows\\System32\\lsass.exe"
},
"message": ""
}
Detection Patterns #
Uac Bypass
5 rules
Kusto Query Language
Privilege Escalation: Bypass User Account Control
1 rule
Kusto Query Language
Defense Evasion: Modify Registry
1 rule
Defense Evasion: Impair Defenses
1 rule
Kusto Query Language
Community Notes #
Requires the Audit Registry subcategory (Object Access) to be enabled and a SACL on the key that audits Set Value for the relevant principals; without both, no 4657 is written, however many values change.
Detection Rules #
Sigma #
- ETW Logging Disabled In .NET Processes - Registry (level: high): Potential adversaries stopping ETW providers recording loaded .NET assemblies.
- NetNTLM Downgrade Attack (level: high): Detects NetNTLM downgrade attack
- Windows Defender Exclusion List Modified (level: medium): Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
Kusto Query Language #
- Scheduled Task Hide (level: high): This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler. The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree registry hive as well as audit policy for registry auditing to be turned on. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/
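As an added example (not the Sigma or KQL rule authors' code, and not from this page), the following is the logic of two of the 4657 patterns above run over constructed event_data records: the Tarrask-style deletion of a task's SD value under TaskCache\Tree, and a value created under the Windows Defender Exclusions key. The OperationType codes are the ones documented for 4657; the two key paths, the sample records and the label names are assumptions of this example.

```python
"""Classify 4657 registry-value changes against two patterns described on this page.

Added example for this page (not Microsoft's or the Sigma/KQL rule authors' code).
OperationType codes follow Microsoft's 4657 documentation; the registry paths and
sample records are assumptions for this example.
"""

# OperationType string identifiers as documented for event 4657.
OPERATION_TYPES = {
    "%%1904": "created",    # New registry value created
    "%%1905": "modified",   # Existing registry value modified
    "%%1906": "deleted",    # Registry value deleted
}

# Lower-cased prefixes; registry paths are case-insensitive, so comparisons are too.
TASK_TREE = "\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\schedule\\taskcache\\tree\\"
DEFENDER_EXCLUSIONS = "\\registry\\machine\\software\\microsoft\\windows defender\\exclusions\\"


def classify_4657(event_data):
    """Return a finding label for one 4657 event_data, or None if it matches nothing."""
    operation = OPERATION_TYPES.get(event_data.get("OperationType"), "unknown")
    key = event_data.get("ObjectName", "").lower()
    value = event_data.get("ObjectValueName", "")
    # Tarrask technique: only *deleting* SD hides the task from schtasks /query.
    if key.startswith(TASK_TREE) and value.upper() == "SD" and operation == "deleted":
        return "scheduled-task-hidden"
    # A new or rewritten value under Exclusions\Paths|Processes|Extensions adds an exclusion.
    if key.startswith(DEFENDER_EXCLUSIONS) and operation in ("created", "modified"):
        return "defender-exclusion-added"
    return None


def findings(events):
    """Return (label, ObjectName, ProcessName) for every event_data that matched a pattern."""
    return [(label, e["ObjectName"], e.get("ProcessName"))
            for e in events for label in [classify_4657(e)] if label]


# Constructed sample event_data records; the first is the benign example shown on this page.
SAMPLE_EVENTS = [
    {"ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E",
     "ObjectValueName": "Blob", "OperationType": "%%1905",
     "ProcessName": "C:\\Windows\\System32\\lsass.exe"},
    {"ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\Maintenance\\Updater",
     "ObjectValueName": "SD", "OperationType": "%%1906",
     "ProcessName": "C:\\Windows\\System32\\reg.exe"},
    {"ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths",
     "ObjectValueName": "C:\\Tools", "OperationType": "%%1904",
     "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    # Rewriting a task's SD is not hiding it; only the deletion pattern should fire.
    {"ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "ObjectValueName": "SD", "OperationType": "%%1905",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for label, key, proc in findings(SAMPLE_EVENTS):
        print(label, proc, key, sep="\n  ")
```

Both patterns only fire if the keys carry a Set Value SACL, as the community note says; the Tarrask check deliberately ignores %%1905 because the SD value is legitimately rewritten whenever a task's security descriptor changes.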
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4657
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4657
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4658 — The handle to an object was closed.
Description
The handle to an object was closed.
Message #
Fields #
| Name | Description |
|---|---|
| Security_ID | [Subject] Security ID. |
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
| Object_Server | [Object] Object Server. |
| Handle_ID | [Object] Handle ID. |
| Process_ID | [Process Information] Process ID. |
| Process_Name | [Process Information] Process Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4658,
"version": 0,
"level": 0,
"task": 12804,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2017-06-12T23:39:43.512986Z",
"event_record_id": 8076,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 252
},
"channel": "Security",
"computer": "2012r2srv.maincorp.local",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-2634088540-571122920-1382659128-500",
"SubjectUserName": "Administrator",
"SubjectDomainName": "MAINCORP",
"SubjectLogonId": "0x432c8",
"ObjectServer": "Security Account Manager",
"HandleId": "0xc9774b43b0",
"ProcessId": "0x1f0",
"ProcessName": "C:\\Windows\\System32\\lsass.exe"
}
}
Detection Patterns #
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4658
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4658
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4659 — A handle to an object was requested with intent to delete.
Description
A handle to an object was requested with intent to delete.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ObjectServer | UnicodeString | [Object] Object Server |
| ObjectType | UnicodeString | [Object] Object Type |
| ObjectName | UnicodeString | [Object] Object Name |
| HandleId | Pointer | [Object] Handle ID |
| TransactionId | GUID | [Access Request Information] Transaction ID |
| AccessList | UnicodeString | [Access Request Information] Accesses |
| AccessMask | HexInt32 | [Access Request Information] Access Mask. Access mask reference |
| PrivilegeList | UnicodeString | [Access Request Information] Privileges Used for Access Check. Privilege constants reference |
| ProcessId | Pointer | [Process Information] Process ID |
References #
Event ID 4660 — An object was deleted.
Description
An object was deleted.
Message #
Fields #
| Name | Description |
|---|---|
| Security_ID | [Subject] Security ID. |
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
| Object_Server | [Object] Object Server. |
| Handle_ID | [Object] Handle ID. |
| Process_ID | [Process Information] Process ID. |
| Process_Name | [Process Information] Process Name. |
| Transaction_ID | [Process Information] Transaction ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4660,
"version": 0,
"level": 0,
"task": 12804,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-01-24T17:03:25.009874Z",
"event_record_id": 1934527,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 4488
},
"channel": "Security",
"computer": "fs03vuln.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"SubjectUserName": "admmig",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x14f509e2",
"ObjectServer": "Security Account Manager",
"HandleId": "0xe9a9292e70",
"ProcessId": "0x1e0",
"ProcessName": "C:\\Windows\\System32\\lsass.exe",
"TransactionId": "00000000-0000-0000-0000-000000000000"
}
}
Detection Patterns #
Uac Bypass
5 rules
Kusto Query Language
Community Notes #
The object can be a file system, kernel or registry object (or a SAM object, as in the example above). 4660 carries no object name: recover it from the 4656 or 4663 with the same Handle ID in the same process, and expect a 4658 when the handle is closed. Unlike a 4663 that merely reports DELETE access, 4660 is generated only when the object was actually deleted.
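As an added example (not part of this page or of Microsoft's documentation), the join below recovers the object name for 4660 and 4658 records from the 4656 or 4661 that opened the same handle. It is keyed on (ProcessId, HandleId) and the entry is dropped on 4658, so a handle value that is later reused is not misattributed. The event stream is constructed for the example; in a real pipeline the computer name belongs in the key as well.

```python
"""Recover the object name behind a 4660 (deleted) or 4658 (handle closed) event.

Added example for this page (not Microsoft code). Both events carry only a HandleId,
so the name is taken from the 4656 (or 4661 for SAM objects) that opened that handle.
A HandleId is unique only within one process and only while the handle is open, so the
join key is (ProcessId, HandleId) and the entry is dropped on 4658.
"""

# Constructed sample stream in log order, (event_id, event_data); not captured from a real host.
SAMPLE_EVENTS = [
    (4656, {"SubjectUserName": "admmig", "ProcessId": "0x1e0", "HandleId": "0xe9a9292e70",
            "ObjectType": "File", "ObjectName": "C:\\Shares\\Finance\\payroll.xlsx",
            "AccessMask": "0x10080"}),                       # DELETE | ReadAttributes
    (4660, {"SubjectUserName": "admmig", "ProcessId": "0x1e0", "HandleId": "0xe9a9292e70"}),
    (4658, {"SubjectUserName": "admmig", "ProcessId": "0x1e0", "HandleId": "0xe9a9292e70"}),
    # A delete whose opening 4656 predates the log window: the name cannot be recovered.
    (4660, {"SubjectUserName": "svc_backup", "ProcessId": "0x7c4", "HandleId": "0x3a8"}),
    # The same HandleId value reused by another process must not inherit payroll.xlsx.
    (4656, {"SubjectUserName": "SYSTEM", "ProcessId": "0x4", "HandleId": "0xe9a9292e70",
            "ObjectType": "File", "ObjectName": "C:\\Windows\\Temp\\update.tmp",
            "AccessMask": "0x120089"}),
    (4658, {"SubjectUserName": "SYSTEM", "ProcessId": "0x4", "HandleId": "0xe9a9292e70"}),
]


def correlate_handles(events):
    """Return [(action, object_name_or_None, event_data)] for every 4660 and 4658 seen."""
    open_handles = {}   # (ProcessId, HandleId) -> event_data of the opening 4656/4661
    results = []
    for event_id, data in events:
        key = (data.get("ProcessId"), data.get("HandleId"))
        if event_id in (4656, 4661):
            open_handles[key] = data
        elif event_id == 4660:
            opener = open_handles.get(key)
            results.append(("deleted", opener["ObjectName"] if opener else None, data))
        elif event_id == 4658:
            opener = open_handles.pop(key, None)   # closed: the ID may now be reused
            results.append(("closed", opener["ObjectName"] if opener else None, data))
    return results


def deleted_object_names(events):
    """Names of objects actually deleted (4660) whose opening handle request was logged."""
    return [name for action, name, _ in correlate_handles(events)
            if action == "deleted" and name is not None]


if __name__ == "__main__":
    for action, name, data in correlate_handles(SAMPLE_EVENTS):
        print(f"{action:8} {data['SubjectUserName']:12} {name}")
```

The orphan 4660 in the sample shows why a 4660-only alert is weak on its own: without the opening event in the retention window there is nothing to name, so the detection should key on the 4656/4663 side and use 4660 as confirmation that the delete completed.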
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4660
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4660
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4661 — A handle to an object was requested.
Description
A handle to an object was requested.
Message #
Fields #
| Name | Description |
|---|---|
| Security_ID | [Subject] Security ID. |
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
| Object_Server | [Object] Object Server. |
| Object_Type | [Object] Object Type. |
| Object_Name | [Object] Object Name. |
| Handle_ID | [Object] Handle ID. |
| Transaction_ID | [Access Request Information] Transaction ID. |
| Accesses | [Access Request Information] Accesses. |
| Access_Mask | [Access Request Information] Access Mask. Bitmask flags |
| PrivilegesUsedForAccessCheck | [Access Request Information] Privileges Used for Access Check. Privilege constants reference |
| Properties (UnicodeString) | [Access Request Information] Properties. |
| Restricted_SID_Count | [Access Request Information] Restricted SID Count. |
| Process_ID | [Process Information] Process ID. |
| Process_Name | [Process Information] Process Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4661,
"version": 0,
"level": 0,
"task": 12803,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2019-03-18T23:23:52.522462Z",
"event_record_id": 565602,
"correlation": {},
"execution": {
"process_id": 452,
"thread_id": 460
},
"channel": "Security",
"computer": "WIN-77LTAPHIQ1R.example.corp",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1587066498-1489273250-1035260531-1106",
"SubjectUserName": "user01",
"SubjectDomainName": "EXAMPLE",
"SubjectLogonId": "0x15e1a7",
"ObjectServer": "Security Account Manager",
"ObjectType": "SAM_DOMAIN",
"ObjectName": "DC=example,DC=corp",
"HandleId": "0x14c7b1f20",
"TransactionId": "00000000-0000-0000-0000-000000000000",
"AccessList": "%%1538\r\n\t\t\t\t%%5394\r\n\t\t\t\t%%5396\r\n\t\t\t\t%%5399\r\n\t\t\t\t",
"AccessMask": "0x2d",
"PrivilegeList": "\u0002-",
"Properties": "---\r\n\t{19195a5a-6da0-11d0-afd3-00c04fd930c9}\r\n%%1538\r\n%%5394\r\n%%5396\r\n%%5399\r\n\t\t{c7407360-20bf-11d0-a768-00aa006e0529}\r\n\t\t\t{bf9679a4-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679a5-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679a6-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679bb-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679c2-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679c3-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a09-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a0b-0de6-11d0-a285-00aa003049e2}\r\n\t\t{b8119fd0-04f6-4762-ab7a-4986c76b3f9a}\r\n\t\t\t{bf967a34-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a33-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679c5-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a61-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967977-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf96795e-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679ea-0de6-11d0-a285-00aa003049e2}\r\n\t\t{ab721a52-1e2f-11d0-9819-00aa0040529b}\r\n",
"RestrictedSidCount": 0,
"ProcessId": "0x1c4",
"ProcessName": "C:\\Windows\\System32\\lsass.exe"
}
}
Community Notes #
4661 is generated for handle requests on SAM objects (Audit SAM subcategory), so it surfaces SAMR-based reconnaissance such as BloodHound-style enumeration of users, groups and the domain password policy (the SAM_DOMAIN read in the example above), rather than LDAP reads.
The meaning of the object-specific bits (0x01–0x0400) of AccessMask depends on the SAM object subtype in ObjectType; SAM_DOMAIN is the most commonly audited. The low bits for each subtype:
| Bit | SAM_SERVER | SAM_DOMAIN | SAM_GROUP | SAM_ALIAS | SAM_USER |
|---|---|---|---|---|---|
| 0x01 | ConnectToServer | ReadPasswordParameters | ReadInformation | AddMember | ReadGeneralInformation |
| 0x02 | ShutdownServer | WritePasswordParameters | WriteAccount | RemoveMember | ReadPreferences |
| 0x04 | InitializeServer | ReadOtherParameters | AddMember | ListMembers | WritePreferences |
| 0x08 | CreateDomain | WriteOtherParameters | RemoveMember | ReadInformation | ReadLogon |
| 0x10 | EnumerateDomains | CreateUser | ListMembers | WriteAccount | ReadAccount |
| 0x20 | LookupDomain | CreateGlobalGroup | — | — | WriteAccount |
Standard rights are shared: DELETE (0x10000), READ_CONTROL (0x20000), WRITE_DAC (0x40000), WRITE_OWNER (0x80000).
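As an added worked example (not code from this page, from Microsoft, or from any rule author), the decoder below turns the AccessMask of a 4656 or 4661 event into right names according to its ObjectType, using the 4656 and 4661 tables above for bits 0x01–0x20; the names for the higher object-specific bits follow the Windows SDK constants (PROCESS_*, FILE_*, DOMAIN_*), which this page does not list. It runs over the 4656 example (cscript.exe opening lsass.exe with 0x1f3fff) and the 4661 example (SAM_DOMAIN, 0x2d) shown above, and includes an LSASS handle check built on the masks quoted in the Elastic rule under 4656; the function, table and constant names are this example's own.

```python
"""Decode the AccessMask of a 4656 or 4661 event according to its ObjectType.

Added example for this page (not Microsoft code). The low 16 bits are object-specific,
so the same mask means different things for a Process, a registry Key or a SAM_DOMAIN;
the standard rights above 0xFFFF are shared by every object type.
"""

# Object-specific rights in bit order (index 0 = 0x0001, index 1 = 0x0002, ...).
# Bits 0x01-0x20 follow the tables on this page; higher bits follow the Windows SDK
# constants (PROCESS_*, FILE_*, DOMAIN_*). 4656 reports registry keys as "Key".
SPECIFIC_RIGHTS = {
    "Process": [
        "PROCESS_TERMINATE", "PROCESS_CREATE_THREAD", "PROCESS_SET_SESSIONID",
        "PROCESS_VM_OPERATION", "PROCESS_VM_READ", "PROCESS_VM_WRITE",
        "PROCESS_DUP_HANDLE", "PROCESS_CREATE_PROCESS", "PROCESS_SET_QUOTA",
        "PROCESS_SET_INFORMATION", "PROCESS_QUERY_INFORMATION",
        "PROCESS_SUSPEND_RESUME", "PROCESS_QUERY_LIMITED_INFORMATION",
        "PROCESS_SET_LIMITED_INFORMATION",
    ],
    "File": [
        "ReadData/ListDirectory", "WriteData/AddFile", "AppendData/AddSubdirectory",
        "ReadEA", "WriteEA", "Execute/Traverse", "DeleteChild",
        "ReadAttributes", "WriteAttributes",
    ],
    "Key": [
        "KEY_QUERY_VALUE", "KEY_SET_VALUE", "KEY_CREATE_SUB_KEY",
        "KEY_ENUMERATE_SUB_KEYS", "KEY_NOTIFY", "KEY_CREATE_LINK",
    ],
    "SAM_DOMAIN": [
        "ReadPasswordParameters", "WritePasswordParameters", "ReadOtherParameters",
        "WriteOtherParameters", "CreateUser", "CreateGlobalGroup", "CreateLocalGroup",
        "GetLocalGroupMembership", "ListAccounts", "LookupIDs", "AdministerServer",
    ],
    "SAM_USER": [
        "ReadGeneralInformation", "ReadPreferences", "WritePreferences",
        "ReadLogon", "ReadAccount", "WriteAccount",
    ],
}

# Standard and generic rights: identical for every ObjectType.
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

# Access masks the Elastic rule quoted on this page associates with LSASS dump tooling.
LSASS_DUMP_MASKS = {0x1FFFFF, 0x1010, 0x120089}


def decode_access_mask(object_type, mask):
    """Return the right names set in `mask` (int or '0x..' string) for `object_type`.

    Unknown object types or undocumented bits are reported as raw hex so nothing is lost.
    """
    if isinstance(mask, str):
        mask = int(mask, 16)
    specific = SPECIFIC_RIGHTS.get(object_type, [])
    names = []
    for bit in range(16):
        if mask & (1 << bit):
            names.append(specific[bit] if bit < len(specific) else f"0x{1 << bit:04x}")
    for value, name in STANDARD_RIGHTS.items():
        if mask & value:
            names.append(name)
    return names


def lsass_handle_alert(event_data):
    """Return a reason if a 4656 event_data is a memory-read handle on lsass.exe, else None.

    The ObjectType check comes first: a File or Key handle with the same numeric mask
    does not carry PROCESS_VM_READ even though bit 0x10 is set.
    """
    if event_data.get("ObjectType") != "Process":
        return None
    if not event_data.get("ObjectName", "").lower().endswith("\\lsass.exe"):
        return None
    mask = int(event_data["AccessMask"], 16)
    rights = decode_access_mask("Process", mask)
    if mask in LSASS_DUMP_MASKS or "PROCESS_VM_READ" in rights:
        return f"{event_data.get('ProcessName')} requested {', '.join(rights)} on lsass.exe"
    return None


# event_data of the 4656 example shown on this page (cscript.exe opening lsass.exe).
PAGE_4656_EXAMPLE = {
    "ObjectType": "Process",
    "ObjectName": "\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe",
    "AccessMask": "0x1f3fff",
    "ProcessName": "C:\\Windows\\System32\\cscript.exe",
}

if __name__ == "__main__":
    print(decode_access_mask("SAM_DOMAIN", "0x2d"))   # the 4661 example above
    print(lsass_handle_alert(PAGE_4656_EXAMPLE))
```

For the page's 4656 example the decoder yields all fourteen process-specific rights plus the five standard ones, matching the nineteen %%-strings in its AccessList; the 4661 example's 0x2d decodes to ReadPasswordParameters, ReadOtherParameters, WriteOtherParameters and CreateGlobalGroup, which is the shape the "Password Policy Enumerated" rule below keys on.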
Detection Rules #
Sigma #
- AD Privileged Users or Groups Reconnaissance (level: high): Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
- Password Policy Enumerated (level: medium): Detects when the password policy is enumerated.
- Reconnaissance Activity (level: high): Detects activity as "net user administrator /domain" and "net group domain admins /domain"
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sam
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4661
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4662 — An operation was performed on an object.
Description
An operation was performed on an object.
Message #
Fields #
| Name | Description |
|---|---|
| Security_ID | [Subject] Security ID. |
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
| Object_Server | [Object] Object Server. |
| Object_Type | [Object] Object Type. |
| Object_Name | [Object] Object Name. |
| Operation_Type | [Operation] Operation Type. Known values |
| Handle_ID | [Object] Handle ID. |
| Accesses | [Operation] Accesses. |
| Access_Mask | [Operation] Access Mask. Bitmask flags |
| Properties (UnicodeString) | [Operation] Properties. |
| Parameter_1 | [Additional Information] Parameter 1 (AdditionalInfo in the event XML). |
| Parameter_2 | [Additional Information] Parameter 2 (AdditionalInfo2 in the event XML). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4662,
"version": 0,
"level": 0,
"task": 14080,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2019-03-25T10:05:30.695604Z",
"event_record_id": 198238041,
"correlation": {},
"execution": {
"process_id": 444,
"thread_id": 4200
},
"channel": "Security",
"computer": "DC1.insecurebank.local",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "DC1$",
"SubjectDomainName": "insecurebank",
"SubjectLogonId": "0xb3ac2",
"ObjectServer": "DS",
"ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
"ObjectName": "%{c6faf700-bfe4-452a-a766-424f84c29583}",
"OperationType": "Object Access",
"HandleId": "0x0",
"AccessList": "%%7688\r\n\t\t\t\t",
"AccessMask": "0x100",
"Properties": "%%7688\r\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n",
"AdditionalInfo": "-",
"AdditionalInfo2": ""
}
}
Detection Patterns #
Kerberos Coercion Via DNS
Potential Kerberos Coercion
Credential Access: DCSync
1 rule
Kusto Query Language
Community Notes #
Operation on an Active Directory object (ObjectServer DS) or an LSA object. Generated only when Audit Directory Service Access is enabled and the object's SACL audits the requested access, and then at very high volume, so filter on ObjectType, AccessMask and the GUIDs in Properties rather than on the event alone. Typical uses: enumeration of trusts, OUs, SPNs and ACLs; and DCSync, which shows up as AccessMask 0x100 (Control Access) with the replication extended-right GUIDs in Properties (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 DS-Replication-Get-Changes, 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 DS-Replication-Get-Changes-All, 89e95b76-444d-4c62-991a-0facbeda640c DS-Replication-Get-Changes-In-Filtered-Set) against the domainDNS object (class GUID 19195a5b-6da0-11d0-afd3-00c04fd930c9). The example event above is exactly that pattern, benign because the subject is LocalSystem (S-1-5-18, DC1$) on the DC itself; the same request from a user account or an unknown machine account is the DCSync signal. Also logged when mimikatz or similar extracts the DPAPI domain backup key, which appears as AccessMask 0x2 on an LSA SecretObject whose ObjectName contains BCKUPKEY.
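Added example, not code from the page or from any of the rule sources it cites: a small triage routine that applies the DCSync pattern described above to 4662 events. It assumes events arrive as dicts shaped like the sample event, uses the well-known replication and domainDNS GUIDs, and takes a hypothetical allow-list of DC computer names; the sample events below are constructed (the first mirrors the page's own example).

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Assumptions (not from the page): events are dicts shaped like the sample event above;
the GUIDs are the well-known Active Directory values; the DC allow-list passed to
classify() is a hypothetical placeholder."""
import re
from typing import Dict, FrozenSet, List, Optional

# Extended rights that grant directory replication (well-known AD control-access GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # domainDNS schema class GUID
CONTROL_ACCESS = 0x100  # 4662 AccessMask bit for "Control Access" (%%7688 in AccessList)
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def guids(field: Optional[str]) -> List[str]:
    """Every GUID in a 4662 ObjectType/Properties string, lower-cased, in order."""
    return [g.lower() for g in GUID_RE.findall(field or "")]


def classify(event: Dict, known_dcs: FrozenSet[str] = frozenset()) -> Optional[Dict]:
    """Return a finding if the event is a replication request, else None."""
    d = event["event_data"]
    if int(d.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
        return None
    rights = [REPLICATION_RIGHTS[g] for g in guids(d.get("Properties")) if g in REPLICATION_RIGHTS]
    if not rights:
        return None
    subject = d["SubjectUserName"]
    is_machine = subject.endswith("$")
    if d["SubjectUserSid"] == "S-1-5-18" or (is_machine and subject[:-1].upper() in known_dcs):
        severity = "info"       # a DC replicating as LocalSystem / its own account: normal
    elif is_machine:
        severity = "high"       # machine account that is not a known DC
    else:
        severity = "critical"   # user account pulling replication data: DCSync pattern
    return {
        "severity": severity,
        "subject": subject,
        "rights": rights,
        "object_is_domain": DOMAIN_DNS_CLASS in guids(d.get("ObjectType")),
    }


def triage(events: List[Dict], known_dcs: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Run classify() over a batch and keep only the findings."""
    return [f for f in (classify(e, known_dcs) for e in events) if f is not None]


# Constructed sample events (event_data only). The first mirrors the page's sample event;
# the other two are made up to exercise the user-account and benign-read paths.
SAMPLE_EVENTS = [
    {"event_data": {
        "SubjectUserSid": "S-1-5-18", "SubjectUserName": "DC1$",
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
        "AccessMask": "0x100",
        "Properties": "%%7688\r\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n"}},
    {"event_data": {
        "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105", "SubjectUserName": "jdoe",
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
        "AccessMask": "0x100",
        "Properties": "%%7688\r\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n"}},
    {"event_data": {  # ordinary property read on the domain object, not replication
        "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105", "SubjectUserName": "jdoe",
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
        "AccessMask": "0x10",
        "Properties": "%%7684\r\n\t\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n"}},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, frozenset({"DC1"})):
        print(finding)
```

The severity split is the point: the same Control Access request is routine from a DC and an incident from anything else, so the subject, not the operation, decides.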
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- AD Object WriteDAC Access source critical: Detects WRITE_DAC access to a domain object
- Active Directory Replication from Non Machine Account source critical: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
- Potential AD User Enumeration From Non-Machine Account source medium: Detects read access to a domain user from a non-machine account
Show 3 more (6 total)
- Mimikatz DC Sync source high: Detects Mimikatz DC sync security events
- DPAPI Domain Backup Key Extraction source high: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
- WMI Persistence - Security source medium: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
Elastic # view in reference
- FirstTime Seen Account Performing DCSync source high: This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.
- Potential Credential Access via DCSync source medium: This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.
- Access to a Sensitive LDAP Attribute source medium: Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
Show 1 more (4 total)
- Suspicious Access to LDAP Attributes source low: Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.
Splunk # view in reference
- Windows AD Abnormal Object Access Activity source: The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, comparing them against historical averages to detect anomalies. This activity is significant for a SOC because abnormal access to AD objects can be an early indicator of reconnaissance efforts by an attacker. If confirmed malicious, this behavior could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.
- Windows AD Privileged Object Access Activity source: The following analytic detects access attempts to privileged Active Directory objects, such as Domain Admins or Enterprise Admins. It leverages Windows Security Event Code 4662 to identify when these sensitive objects are accessed. This activity is significant because such objects should rarely be accessed by normal users or processes, and unauthorized access attempts may indicate attacker enumeration or lateral movement within the domain. If confirmed malicious, this activity could allow attackers to escalate privileges, persist in the environment, or gain control over critical domain resources.
- Windows AD Replication Request Initiated by User Account source: The following analytic detects a user account initiating an Active Directory replication request, indicative of a DCSync attack. It leverages EventCode 4662 from the Windows Security Event Log, focusing on specific object types and replication permissions. This activity is significant because it can allow an attacker with sufficient privileges to request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of the entire domain.↳ also matches:Event ID 4624: An account was successfully logged on.
Show 1 more (4 total)
- Windows AD Replication Request Initiated from Unsanctioned Location source: The following analytic identifies unauthorized Active Directory replication requests initiated from non-domain controller locations. It leverages EventCode 4662 to detect when a computer account with replication permissions creates a handle to domainDNS, filtering out known domain controller IP addresses. This activity is significant as it may indicate a DCSync attack, where an attacker with privileged access can request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access to sensitive information and potential full domain compromise.↳ also matches:Event ID 4624: An account was successfully logged on.
Kusto Query Language # view in reference
- ADFS DKM Master Key Export source medium: 'Identifies an export of the ADFS DKM Master Key from Active Directory. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://cloud.google.com/blog/topics/threat-intelligence/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor To understand further the details behind this detection, please review the details in the original PR and subsequent PR update to this: https://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469 https://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339 '
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-access
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4662
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4663 — An attempt was made to access an object.
#Description
An attempt was made to access an object.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID. |
SubjectUserName UnicodeString | [Subject] Account Name. |
SubjectDomainName UnicodeString | [Subject] Account Domain. |
SubjectLogonId HexInt64 | [Subject] Logon ID. |
ObjectServer UnicodeString | [Object] Object Server. |
ObjectType UnicodeString | [Object] Object Type. |
ObjectName UnicodeString | [Object] Object Name. |
HandleId Pointer | [Object] Handle ID. |
AccessList UnicodeString | [Access Request Information] Accesses. |
AccessMask HexInt32 | [Access Request Information] Access Mask. Access mask reference |
ProcessId Pointer | [Process Information] Process ID. |
ProcessName UnicodeString | [Process Information] Process Name. |
ResourceAttributes UnicodeString | [Object] Resource Attributes. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4663,
"version": 1,
"level": 0,
"task": 12802,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T01:55:26.055947+00:00",
"event_record_id": 304894,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 15220
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"ObjectServer": "Security",
"ObjectType": "Process",
"ObjectName": "\\Device\\HarddiskVolume4\\Windows\\System32\\lsass.exe",
"HandleId": "0x1978",
"AccessList": "%%4484\r\n\t\t\t\t",
"AccessMask": "0x10",
"ProcessId": "0x4a28",
"ProcessName": "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe",
"ResourceAttributes": "-"
},
"message": ""
}
Detection Patterns #
Registry Keys Access
10 rules
Sigma
Uac Bypass
5 rules
Kusto Query Language
Sunburst And Supernova Backdoor
2 rules
Kusto Query Language
1 rule
Execution: User Execution
1 rule
Kusto Query Language
Defense Evasion: Modify Registry
1 rule
Lateral Movement: Lateral Tool Transfer
1 rule
Kusto Query Language
Community Notes #
An attempt was made to access an object, and the access was actually exercised (4656 records the handle request, 4663 the use). Generated only for objects whose SACL audits the requested access and only when the matching subcategory (File System, Registry, Kernel Object, ...) is enabled. Useful for catching mass permission changes, tampering and renaming, but noisy: correlate on HandleId with 4656 (handle requested), 4658 (handle closed) and 4660 (object deleted), which carry the same handle for the same access.
The Access mask reference linked in the field table decodes bits as File rights, the most common case. The meaning of the object-specific low bits (0x01 and up) depends on ObjectType at runtime; the example event above shows 0x10 against lsass.exe, a Process object, so it is PROCESS_VM_READ, not WriteEA. Common alternatives:
| Bit | File | Registry | Process | Service |
|---|---|---|---|---|
| 0x01 | ReadData / ListDirectory | KEY_QUERY_VALUE | PROCESS_TERMINATE | SERVICE_QUERY_CONFIG |
| 0x02 | WriteData / AddFile | KEY_SET_VALUE | PROCESS_CREATE_THREAD | SERVICE_CHANGE_CONFIG |
| 0x04 | AppendData / AddSubDir | KEY_CREATE_SUB_KEY | PROCESS_SET_SESSIONID | SERVICE_QUERY_STATUS |
| 0x08 | ReadEA | KEY_ENUMERATE_SUB_KEYS | PROCESS_VM_OPERATION | SERVICE_ENUMERATE_DEPENDENTS |
| 0x10 | WriteEA | KEY_NOTIFY | PROCESS_VM_READ | SERVICE_START |
| 0x20 | Execute / Traverse | KEY_CREATE_LINK | PROCESS_VM_WRITE | SERVICE_STOP |
Standard rights are shared across all types: DELETE (0x10000), READ_CONTROL (0x20000), WRITE_DAC (0x40000), WRITE_OWNER (0x80000).
Binary Defense post Windows Defender ACL Blocking: A Silent Technique With Serious Impact — attackers can modify DACLs on the Windows Defender directory to block the antimalware service from reading its own binaries, silently disabling protection without triggering tamper alerts. Look for WRITE_DAC (0x40000) access to Defender paths paired with 4670 ACL changes.
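Added example, not code from the page or from Binary Defense: a decoder that applies the table above to a 4663 AccessMask according to ObjectType, followed by the two checks the notes describe (a process outside an allow-list reading lsass.exe memory, and WRITE_DAC on a Windows Defender path). It assumes events are dicts shaped like the sample event, that "File", "Key" and "Process" are the ObjectType strings Windows writes, keeps the page's "Service" column under that name, and treats the allow-list and the Defender path fragments as hypothetical placeholders; the sample events are constructed, the first mirroring the page's own example.

```python
"""Decode 4663 AccessMask by ObjectType and apply two checks from the notes above.

Assumptions (not from the page): events are dicts shaped like the sample event;
ObjectType strings "File", "Key", "Process" are the values Windows writes; the
allow-list and Defender path fragments are hypothetical placeholders."""
from typing import Dict, FrozenSet, List

# Object-specific low bits (0x01-0x20), by ObjectType, as in the table above.
SPECIFIC_RIGHTS = {
    "File": ["ReadData/ListDirectory", "WriteData/AddFile", "AppendData/AddSubdirectory",
             "ReadEA", "WriteEA", "Execute/Traverse"],
    "Key": ["KEY_QUERY_VALUE", "KEY_SET_VALUE", "KEY_CREATE_SUB_KEY",
            "KEY_ENUMERATE_SUB_KEYS", "KEY_NOTIFY", "KEY_CREATE_LINK"],
    "Process": ["PROCESS_TERMINATE", "PROCESS_CREATE_THREAD", "PROCESS_SET_SESSIONID",
                "PROCESS_VM_OPERATION", "PROCESS_VM_READ", "PROCESS_VM_WRITE"],
    "Service": ["SERVICE_QUERY_CONFIG", "SERVICE_CHANGE_CONFIG", "SERVICE_QUERY_STATUS",
                "SERVICE_ENUMERATE_DEPENDENTS", "SERVICE_START", "SERVICE_STOP"],
}
# Standard and generic rights are the same for every object type. SYNCHRONIZE,
# ACCESS_SYSTEM_SECURITY and GENERIC_* are not in the table above but are the
# standard Win32 ACCESS_MASK values.
SHARED_RIGHTS = {
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE", 0x1000000: "ACCESS_SYSTEM_SECURITY",
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}
# Hypothetical: where Defender lives, matched as a lower-cased substring of ObjectName,
# which 4663 usually reports as a \Device\HarddiskVolumeN\... path.
DEFENDER_PATH_FRAGMENTS = ("\\programdata\\microsoft\\windows defender\\",
                           "\\program files\\windows defender\\")


def decode_mask(mask: int, object_type: str) -> List[str]:
    """Names of the set bits, lowest first; bits with no known name are kept as hex."""
    specific = SPECIFIC_RIGHTS.get(object_type, [])
    names = []
    for bit in range(32):
        value = 1 << bit
        if not mask & value:
            continue
        if bit < len(specific):
            names.append(specific[bit])
        else:
            names.append(SHARED_RIGHTS.get(value, hex(value)))
    return names


def check(event: Dict, lsass_readers: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Apply both checks to one event; lsass_readers holds lower-cased full image paths."""
    d = event["event_data"]
    object_type = d.get("ObjectType", "")
    name = d.get("ObjectName", "").lower()
    process = d.get("ProcessName", "").lower()
    rights = decode_mask(int(d.get("AccessMask", "0x0"), 16), object_type)
    findings = []
    if (object_type == "Process" and name.endswith("\\lsass.exe")
            and "PROCESS_VM_READ" in rights and process not in lsass_readers):
        findings.append({"rule": "lsass memory read", "process": process, "rights": rights})
    if (object_type == "File" and "WRITE_DAC" in rights
            and any(frag in name for frag in DEFENDER_PATH_FRAGMENTS)):
        findings.append({"rule": "WRITE_DAC on Defender path", "process": process, "rights": rights})
    return findings


# Hypothetical allow-list; the page's sample event comes from this AV service.
ALLOWED_LSASS_READERS = frozenset({"c:\\program files\\malwarebytes\\anti-malware\\mbamservice.exe"})

# Constructed sample events (event_data only); the first mirrors the page's sample event.
SAMPLE_EVENTS = [
    {"event_data": {"ObjectType": "Process", "AccessMask": "0x10",
                    "ObjectName": "\\Device\\HarddiskVolume4\\Windows\\System32\\lsass.exe",
                    "ProcessName": "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"}},
    {"event_data": {"ObjectType": "Process", "AccessMask": "0x1410",
                    "ObjectName": "\\Device\\HarddiskVolume4\\Windows\\System32\\lsass.exe",
                    "ProcessName": "C:\\Users\\Public\\tool.exe"}},
    {"event_data": {"ObjectType": "File", "AccessMask": "0x40000",
                    "ObjectName": "\\Device\\HarddiskVolume4\\ProgramData\\Microsoft\\Windows Defender\\Platform",
                    "ProcessName": "C:\\Windows\\System32\\icacls.exe"}},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(check(e, ALLOWED_LSASS_READERS))
```

Unknown bits are kept as hex on purpose: the second sample's 0x1410 decodes to PROCESS_VM_READ plus two bits outside the table, which is the honest answer when a mask carries rights the table does not cover.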
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- ISO Image Mounted source medium: Detects the mount of an ISO image on an endpoint
- Service Registry Key Read Access Request source low: Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
- File Access Of Signal Desktop Sensitive Data source medium: Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json. The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data. Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials. Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
Show 1 more (4 total)
- Suspicious Teams Application Related ObjectAcess Event source high: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
Splunk # view in reference
- ConnectWise ScreenConnect Path Traversal Windows SACL source: The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability using Windows SACL EventCode 4663. It identifies path traversal attacks by monitoring file system events related to the ScreenConnect service. This activity is significant as it allows unauthorized access to sensitive files and directories, potentially leading to data exfiltration or arbitrary code execution. If confirmed malicious, attackers could gain unauthorized access to critical data or execute harmful code, compromising the integrity and security of the affected system. Immediate remediation by updating to version 23.9.8 or above is recommended.
- Non Chrome Process Accessing Chrome Default Dir source: The following analytic detects a non-Chrome process accessing files in the Chrome user default folder. It leverages Windows Security Event logs, specifically event code 4663, to identify unauthorized access attempts. This activity is significant because the Chrome default folder contains sensitive user data such as login credentials, browsing history, and cookies. If confirmed malicious, this behavior could indicate an attempt to exfiltrate sensitive information, often associated with RATs, trojans, and advanced persistent threats like FIN7. Such access could lead to data theft and further compromise of the affected system.
- Non Firefox Process Access Firefox Profile Dir source: The following analytic detects non-Firefox processes accessing the Firefox profile directory, which contains sensitive user data such as login credentials, browsing history, and cookies. It leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant because it may indicate attempts by malware, such as RATs or trojans, to harvest user information. If confirmed malicious, this behavior could lead to data exfiltration, unauthorized access to user accounts, and further compromise of the affected system.
Show 14 more (17 total)
- SAM Database File Access Attempt source: The following analytic detects attempts to access the SAM, SYSTEM, or SECURITY database files within the `windows\system32\config` directory using Windows Security EventCode 4663. This detection leverages Windows Security Event logs to identify unauthorized access attempts. Monitoring this activity is crucial as it indicates potential credential access attempts, possibly exploiting vulnerabilities like CVE-2021-36934. If confirmed malicious, an attacker could extract user passwords, leading to unauthorized access, privilege escalation, and further compromise of the system.
- Windows Credential Access From Browser Password Store source: The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles.
- Windows Credentials from Password Stores Chrome Extension Access source: The following analytic detects non-Chrome processes attempting to access the Chrome extensions file. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because adversaries may exploit this file to extract sensitive information from the Chrome browser, posing a security risk. If confirmed malicious, this could lead to unauthorized access to stored credentials and other sensitive data, potentially compromising the security of the affected system and broader network.
- Windows Credentials from Password Stores Chrome LocalState Access source: The following analytic detects non-Chrome processes accessing the Chrome "Local State" file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because threat actors can exploit this file to extract the encrypted master key used for decrypting saved passwords in Chrome. If confirmed malicious, this could lead to unauthorized access to sensitive information, posing a severe security risk. Monitoring this anomaly helps identify potential threats and safeguard browser-stored data.
- Windows Credentials from Password Stores Chrome Login Data Access source: The following analytic identifies non-Chrome processes accessing the Chrome user data file "login data." This file is an SQLite database containing sensitive information, including saved passwords. The detection leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant as it may indicate attempts by threat actors to extract and decrypt stored passwords, posing a risk to user credentials. If confirmed malicious, attackers could gain unauthorized access to sensitive accounts and escalate their privileges within the environment.
- Windows Hosts File Access source: This Analytic detects the execution of a process attempting to access the hosts file. The hosts file is a critical file for network configuration and DNS resolution. If an attacker gains access to it, they can redirect traffic to malicious websites, serve fake content or block legitimate security websites.
- Windows Increase in Group or Object Modification Activity source: This analytic detects an increase in modifications to AD groups or objects. Frequent changes to AD groups or objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. By monitoring AD logs for unusual modification patterns, this detection helps identify suspicious behavior that could compromise the integrity and security of the AD environment.↳ also matches:Event ID 4670: Permissions on an object were changed., Event ID 4727: A security-enabled global group was created., Event ID 4731: A security-enabled local group was created., Event ID 4734: A security-enabled local group was deleted., Event ID 4735: A security-enabled local group was changed., Event ID 4764: A group’s type was changed.
- Windows Non Discord App Access Discord LevelDB source: The following analytic detects non-Discord applications accessing the Discord LevelDB database. It leverages Windows Security Event logs, specifically event code 4663, to identify file access attempts to the LevelDB directory by processes other than Discord. This activity is significant as it may indicate attempts to steal Discord credentials or access sensitive user data. If confirmed malicious, this could lead to unauthorized access to user profiles, messages, and other critical information, potentially compromising the security and privacy of the affected users.
- Windows Product Key Registry Query source: This Analytic detects the execution of a process attempting to access the registry for product key recovery purposes. This behavior could be significant as it might indicate potential malware activity or attempts to bypass security measures or data exfiltration.
- Windows Query Registry Browser List Application source: The following analytic detects a suspicious process accessing the registry entries for default internet browsers. It leverages Windows Security Event logs, specifically event code 4663, to identify access attempts to these registry paths. This activity is significant because adversaries can exploit this registry key to gather information about installed browsers and their settings, potentially leading to the theft of sensitive data such as login credentials and browsing history. If confirmed malicious, this behavior could enable attackers to exfiltrate sensitive information and compromise user accounts.
- Windows Query Registry UnInstall Program List source: The following analytic detects an access request on the uninstall registry key. It leverages Windows Security Event logs, specifically event code 4663. This activity is significant because adversaries or malware can exploit this key to gather information about installed applications, aiding in further attacks. If confirmed malicious, this behavior could allow attackers to map out installed software, potentially identifying vulnerabilities or software to exploit, leading to further system compromise.
- Windows Unsecured Outlook Credentials Access In Registry source: The following analytic detects unauthorized access to Outlook credentials stored in the Windows registry. It leverages Windows Security Event logs, specifically EventCode 4663, to identify access attempts to registry paths associated with Outlook profiles. This activity is significant as it may indicate attempts to steal sensitive email credentials, which could lead to unauthorized access to email accounts. If confirmed malicious, this could allow attackers to exfiltrate sensitive information, impersonate users, or execute further unauthorized actions within Outlook, posing a significant security risk.
- Windows Unusual FileZilla XML Config Access source: The following analytic identifies processes accessing FileZilla XML config files such as recentservers.xml and sitemanager.xml. It leverages Windows Security Event logs, specifically monitoring EventCode 4663, which tracks object access events. This activity is significant because it can indicate unauthorized access or manipulation of sensitive configuration files used by FileZilla, a popular FTP client. If confirmed malicious, this could lead to data exfiltration, credential theft, or further compromise of the system.
- Windows Unusual Intelliform Storage Registry Access source: The following analytic identifies processes accessing Intelliform Storage Registry keys used by Internet Explorer. It leverages Windows Security Event logs, specifically monitoring EventCode 4663, which tracks object access events. This activity is significant because it can indicate unauthorized access or manipulation of sensitive registry keys used for storing form data in Internet Explorer. If confirmed malicious, this could lead to data exfiltration, credential theft, or further compromise of the system.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4663
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4664 — An attempt was made to create a hard link.
#Description
An attempt was made to create a hard link.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID. |
SubjectUserName UnicodeString | [Subject] Account Name. |
SubjectDomainName UnicodeString | [Subject] Account Domain. |
SubjectLogonId HexInt64 | [Subject] Logon ID. |
FileName UnicodeString | [Link Information] File Name. |
LinkName UnicodeString | [Link Information] Link Name. |
TransactionId GUID | [Link Information] Transaction ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4664,
"version": 0,
"level": 0,
"task": 12800,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T01:40:05.111192+00:00",
"event_record_id": 275147,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 8800
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"FileName": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x64__8wekyb3d8bbwe\\zh-TW\\Microsoft.UI.Xaml.Phone.dll.mui",
"LinkName": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x86__8wekyb3d8bbwe\\zh-TW\\Microsoft.UI.Xaml.Phone.dll.mui",
"TransactionId": "00000000-0000-0000-0000-000000000000"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4664
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4664
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4665 — An attempt was made to create an application client context.
Description
An attempt was made to create an application client context.
Message #
Fields #
| Name | Description |
|---|---|
Application_Name UnicodeString | [Application Information] Application Name. |
Application_Instance_ID UInt64 | [Application Information] Application Instance ID. |
Client_Name UnicodeString | [Subject] Client Name. |
Client_Domain UnicodeString | [Subject] Client Domain. |
Client_Context_ID UInt64 | [Subject] Client Context ID. |
Status UInt32 | [Application Information] Status. NTSTATUS reference |
AppName UnicodeString | [Application Information] Application Name |
AppInstance UInt64 | [Application Information] Application Instance ID |
ClientName UnicodeString | [Subject] Client Name |
ClientDomain UnicodeString | [Subject] Client Domain |
ClientLogonId UInt64 | [Subject] Client Context ID |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4665
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4665
Event ID 4666 — An application attempted an operation.
Description
An application attempted an operation.
Message #
Fields #
| Name | Description |
|---|---|
Application_Name | [Application Information] Application Name. |
Application_Instance_ID | [Application Information] Application Instance ID. |
Object_Name | [Object] Object Name. |
Scope_Names | [Object] Scope Names. |
Client_Name | [Subject] Client Name. |
Client_Domain | [Subject] Client Domain. |
Client_Context_ID | [Subject] Client Context ID. |
Role UnicodeString | [Access Request Information] Role. |
Groups | [Access Request Information] Groups. |
Operation_Name | [Access Request Information] Operation Name. |
AppName UnicodeString | [Application Information] Application Name |
AppInstance UInt64 | [Application Information] Application Instance ID |
ObjectName UnicodeString | [Object] Object Name |
ScopeName UnicodeString | [Object] Scope Names |
ClientName UnicodeString | [Subject] Client Name |
ClientDomain UnicodeString | [Subject] Client Domain |
ClientLogonId UInt64 | [Subject] Client Context ID |
Group UnicodeString | [Access Request Information] Groups |
OperationName UnicodeString | [Access Request Information] Operation Name |
OperationId UInt32 | [Access Request Information] Operation ID. |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4666
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4666
Event ID 4667 — An application client context was deleted.
Description
An application client context was deleted.
Message #
Fields #
| Name | Description |
|---|---|
Application_Name UnicodeString | [Application Information] Application Name. |
Application_Instance_ID UInt64 | [Application Information] Application Instance ID. |
Client_Name UnicodeString | [Subject] Client Name. |
Client_Domain UnicodeString | [Subject] Client Domain. |
Client_Context_ID UInt64 | [Subject] Client Context ID. |
AppName UnicodeString | [Application Information] Application Name |
AppInstance UInt64 | [Application Information] Application Instance ID |
ClientName UnicodeString | [Subject] Client Name |
ClientDomain UnicodeString | [Subject] Client Domain |
ClientLogonId UInt64 | [Subject] Client Context ID |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4667
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4667
Event ID 4668 — An application was initialized.
Description
An application was initialized.
Message #
Fields #
| Name | Description |
|---|---|
Application_Name UnicodeString | [Application Information] Application Name. |
Application_Instance_ID UInt64 | [Application Information] Application Instance ID. |
Client_Name UnicodeString | [Subject] Client Name. |
Client_Domain UnicodeString | [Subject] Client Domain. |
Client_ID UInt64 | [Subject] Client ID. |
Policy_Store_URL UnicodeString | [Additional Information] Policy Store URL. |
AppName UnicodeString | [Application Information] Application Name |
AppInstance UInt64 | [Application Information] Application Instance ID |
ClientName UnicodeString | [Subject] Client Name |
ClientDomain UnicodeString | [Subject] Client Domain |
ClientLogonId UInt64 | [Subject] Client ID |
StoreUrl UnicodeString | [Additional Information] Policy Store URL |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4668
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4668
Event ID 4670 — Permissions on an object were changed.
#Description
Permissions on an object were changed.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID. |
SubjectUserName UnicodeString | [Subject] Account Name. |
SubjectDomainName UnicodeString | [Subject] Account Domain. |
SubjectLogonId HexInt64 | [Subject] Logon ID. |
ObjectServer UnicodeString | [Object] Object Server. |
ObjectType UnicodeString | [Object] Object Type. |
ObjectName UnicodeString | [Object] Object Name. |
HandleId Pointer | [Object] Handle ID. |
OldSd UnicodeString | [Permissions Change] Original Security Descriptor. |
NewSd UnicodeString | [Permissions Change] New Security Descriptor. |
ProcessId Pointer | [Process] Process ID. |
ProcessName UnicodeString | [Process] Process Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4670,
"version": 0,
"level": 0,
"task": 13570,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T02:03:41.603666+00:00",
"event_record_id": 314599,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 21268
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"ObjectServer": "Security",
"ObjectType": "Token",
"ObjectName": "-",
"HandleId": "0xddc",
"OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)",
"NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)",
"ProcessId": "0x30c",
"ProcessName": "C:\\Windows\\System32\\services.exe"
},
"message": ""
}
Detection Patterns #
Defense Evasion: Impair Defenses
1 rule
Kusto Query Language
Community Notes #
Permissions on an object were changed; may detect ACL edits on files, registry keys, or tokens that grant elevated rights.
Binary Defense post Windows Defender ACL Blocking: A Silent Technique With Serious Impact — attackers can modify DACLs on the Windows Defender directory to block the antimalware service from reading its own binaries, silently disabling protection without triggering tamper alerts. Look for ACL changes targeting Defender paths (e.g. C:\ProgramData\Microsoft\Windows Defender\) paired with 4663 WRITE_DAC access.
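Comparing the OldSd/NewSd pair of a 4670 event the way the notes above describe, as an added example that is not part of this page or of any referenced rule set. It parses the DACL of each SDDL string, lists the ACEs added and removed, and flags broad grants to principals outside an assumed baseline, dropped allow ACEs, and objects under the Defender data directory; the sample events, the baseline SID set and the path prefix are constructed here, and Python 3.9+ is assumed.

```python
import re
from dataclasses import dataclass

# Constructed sample shaped like the 4670 example event on this page
# (OldSd/NewSd copied from that event; ObjectName is "-" because the object is a token).
TOKEN_EVENT = {
    "ObjectType": "Token",
    "ObjectName": "-",
    "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)",
    "NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)",
    "ProcessName": "C:\\Windows\\System32\\services.exe",
}

# Constructed sample of a file-object 4670 under the Defender directory named in the
# community note: the SYSTEM allow ACE disappears from the DACL. Process name is a placeholder.
DEFENDER_EVENT = {
    "ObjectType": "File",
    "ObjectName": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform",
    "OldSd": "D:PAI(A;;FA;;;SY)(A;;FA;;;BA)",
    "NewSd": "D:PAI(A;;FA;;;BA)",
    "ProcessName": "C:\\placeholder\\unknown.exe",
}

# Rights codes that amount to full control or to control over the ACL itself.
BROAD_RIGHTS = {"GA", "GW", "FA", "KA", "WD", "WO"}
# Assumed baseline of principals expected to hold broad rights; tune per estate.
BASELINE_SIDS = {"SY", "BA", "OW"}
DEFENDER_PATH_PREFIXES = ("c:\\programdata\\microsoft\\windows defender",)

ACE_RE = re.compile(r"\(([^()]*)\)")
DACL_RE = re.compile(r"D:(?:P|AR|AI)*((?:\([^()]*\))*)")


@dataclass(frozen=True)
class Ace:
    ace_type: str   # A = allow, D = deny, AU = audit, ...
    flags: str      # inheritance flags, e.g. OICI
    rights: str     # two-letter codes concatenated, or a hex mask
    object_guid: str
    inherit_guid: str
    sid: str        # well-known alias (SY, BA, NS) or a full S-1-... SID


def parse_dacl(sddl: str) -> list[Ace]:
    """Return the ACEs of the D: component of an SDDL string, in order."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        parts = body.split(";")
        if len(parts) < 6:
            continue  # skip malformed entries; conditional ACEs are not parsed here
        aces.append(Ace(*parts[:6]))
    return aces


def rights_tokens(rights: str) -> set[str]:
    """Split an SDDL rights string such as 'GARC' into {'GA', 'RC'}; hex masks stay whole."""
    if rights.lower().startswith("0x"):
        return {rights}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def dacl_diff(old_sd: str, new_sd: str) -> tuple[list[Ace], list[Ace]]:
    """ACEs present only in the new descriptor, and ACEs present only in the old one."""
    old, new = parse_dacl(old_sd), parse_dacl(new_sd)
    return [a for a in new if a not in old], [a for a in old if a not in new]


def assess_4670(event_data: dict) -> dict:
    """Flag broad grants to non-baseline principals, dropped allow ACEs and Defender paths."""
    added, removed = dacl_diff(event_data["OldSd"], event_data["NewSd"])
    findings = []
    for ace in added:
        if ace.ace_type == "A" and ace.sid not in BASELINE_SIDS \
                and rights_tokens(ace.rights) & BROAD_RIGHTS:
            findings.append(f"new allow ACE grants {ace.rights} to {ace.sid}")
    for ace in removed:
        if ace.ace_type == "A":
            findings.append(f"allow ACE for {ace.sid} ({ace.rights}) removed")
    on_defender_path = event_data.get("ObjectName", "").lower().startswith(DEFENDER_PATH_PREFIXES)
    if on_defender_path:
        findings.append("object is under the Defender data directory; correlate with 4663 WRITE_DAC")
    return {"added": added, "removed": removed, "findings": findings,
            "defender_path": on_defender_path}


if __name__ == "__main__":
    for name, evt in (("token", TOKEN_EVENT), ("defender", DEFENDER_EVENT)):
        result = assess_4670(evt)
        print(name, evt["ProcessName"])
        for finding in result["findings"]:
            print("  -", finding)
```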
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4670
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4670
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4671 — An application attempted to access a blocked ordinal through the TBS.
Description
An application attempted to access a blocked ordinal through the TBS.
Message #
Fields #
| Name | Description |
|---|---|
| Security_ID SID | [Subject] Security ID. |
| Account_Name UnicodeString | [Subject] Account Name. |
| Account_Domain UnicodeString | [Subject] Account Domain. |
| Logon_ID HexInt64 | [Subject] Logon ID. |
| Ordinal UInt32 | [Subject] Ordinal. |
| CallerUserSid SID | [Subject] Security ID |
| CallerUserName UnicodeString | [Subject] Account Name |
| CallerDomainName UnicodeString | [Subject] Account Domain |
| CallerLogonId HexInt64 | [Subject] Logon ID |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4671
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4671
Event ID 4672 — Special privileges assigned to new logon.
Description #
Special privileges assigned to new logon.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | [Subject] Security ID. |
| SubjectUserName UnicodeString | [Subject] Account Name. |
| SubjectDomainName UnicodeString | [Subject] Account Domain. |
| SubjectLogonId HexInt64 | [Subject] Logon ID. |
| PrivilegeList UnicodeString | [Subject] Privileges. Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4672,
"version": 0,
"level": 0,
"task": 12548,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:52.440990+00:00",
"event_record_id": 2949,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 856
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "SYSTEM",
"SubjectDomainName": "NT AUTHORITY",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege\r\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"
},
"message": ""
}
Detection Patterns #
Community Notes #
Detects Administrator or SYSTEM-equivalent sessions at logon time.
Detection Rules #
Splunk #
- Windows Special Privileged Logon On Multiple Hosts source: The following analytic detects a user authenticating with special privileges on 30 or more remote endpoints within a 5-minute window. It leverages Event ID 4672 from Windows Security logs to identify this behavior. This activity is significant as it may indicate lateral movement or remote code execution by an adversary. If confirmed malicious, the attacker could gain extensive control over the network, potentially leading to privilege escalation, data exfiltration, or further compromise of the environment. Security teams should adjust detection thresholds based on their specific environment.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-special-logon
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4672
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4673 — A privileged service was called.
Description #
A privileged service was called.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | [Subject] Security ID. |
| SubjectUserName UnicodeString | [Subject] Account Name. |
| SubjectDomainName UnicodeString | [Subject] Account Domain. |
| SubjectLogonId HexInt64 | [Subject] Logon ID. |
| ObjectServer UnicodeString | [Service] Server. |
| Service UnicodeString | [Service] Service Name. |
| PrivilegeList UnicodeString | [Service Request Information] Privileges. Privilege constants reference |
| ProcessId Pointer | [Process] Process ID. |
| ProcessName UnicodeString | [Process] Process Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4673,
"version": 0,
"level": 0,
"task": 13056,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2023-11-06T02:04:44.872475+00:00",
"event_record_id": 315408,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 9496
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"SubjectUserName": "User",
"SubjectDomainName": "WINDEV2310EVAL",
"SubjectLogonId": "0x27844",
"ObjectServer": "Security",
"Service": "-",
"PrivilegeList": "SeProfileSingleProcessPrivilege",
"ProcessId": "0x33f0",
"ProcessName": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
},
"message": ""
}
Community Notes #
Logs use of SeDebugPrivilege (often precedes memory scraping) and SeTcbPrivilege.
Detection Rules #
Sigma #
- User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' source high: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
- Potential Privileged System Service Operation - SeLoadDriverPrivilege source medium: Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sensitive-privilege-use
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4673
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4674 — An operation was attempted on a privileged object.
Description #
An operation was attempted on a privileged object.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | [Subject] Security ID. |
| SubjectUserName UnicodeString | [Subject] Account Name. |
| SubjectDomainName UnicodeString | [Subject] Account Domain. |
| SubjectLogonId HexInt64 | [Subject] Logon ID. |
| ObjectServer UnicodeString | [Object] Object Server. |
| ObjectType UnicodeString | [Object] Object Type. |
| ObjectName UnicodeString | [Object] Object Name. |
| HandleId Pointer | [Object] Object Handle. |
| AccessMask UnicodeString | [Requested Operation] Desired Access. Access mask reference |
| PrivilegeList UnicodeString | [Requested Operation] Privileges. Privilege constants reference |
| ProcessId Pointer | [Process Information] Process ID. |
| ProcessName UnicodeString | [Process Information] Process Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4674,
"version": 0,
"level": 0,
"task": 13056,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T01:39:25.936087+00:00",
"event_record_id": 273230,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 17676
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"SubjectUserName": "User",
"SubjectDomainName": "WINDEV2310EVAL",
"SubjectLogonId": "0x277c6",
"ObjectServer": "Security",
"ObjectType": "-",
"ObjectName": "-",
"HandleId": "0xfffffffffffffffc",
"AccessMask": "1024",
"PrivilegeList": "SeIncreaseBasePriorityPrivilege",
"ProcessId": "0x39dc",
"ProcessName": "C:\\Program Files\\WindowsApps\\Microsoft.SysinternalsSuite_2023.10.0.0_x64__8wekyb3d8bbwe\\Tools\\Procmon.exe"
},
"message": ""
}
Community Notes #
Logs direct interaction with objects that require SeSecurity/SeTakeOwnership, e.g. SAM hives.
Detection Rules #
Sigma #
- SCM Database Privileged Operation source medium: Detects non-system users performing privileged operations on the SCM database
Elastic #
- Suspicious SeIncreaseBasePriorityPrivilege Use source high: Identifies attempts to use the SeIncreaseBasePriorityPrivilege privilege by an unusual process. This could be related to hijacking the execution flow of a process via thread priority manipulation.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4674
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sensitive-privilege-use
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4674
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4675 — SIDs were filtered.
Description #
SIDs were filtered.
Message #
Fields #
| Name | Description |
|---|---|
| Security_ID SID | [Target Account] Security ID. |
| Account_Name UnicodeString | [Target Account] Account Name. |
| Account_Domain UnicodeString | [Target Account] Account Domain. |
| Trust_Direction UInt32 | [Trust Information] Trust Direction. |
| Trust_Attributes UInt32 | [Trust Information] Trust Attributes. |
| Trust_Type UInt32 | [Trust Information] Trust Type. |
| TDO_Domain_SID SID | [Trust Information] TDO Domain SID. |
| Filtered_SIDs UnicodeString | [Trust Information] Filtered SIDs. |
| TargetUserSid SID | [Target Account] Security ID |
| TargetUserName UnicodeString | [Target Account] Account Name |
| TargetDomainName UnicodeString | [Target Account] Account Domain |
| TdoDirection UInt32 | [Trust Information] Trust Direction |
| TdoAttributes UInt32 | [Trust Information] Trust Attributes |
| TdoType UInt32 | [Trust Information] Trust Type |
| TdoSid SID | [Trust Information] TDO Domain SID |
| SidList UnicodeString | [Trust Information] Filtered SIDs |
Detection Patterns #
Uses Authentication Normalization
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4675
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4675
Event ID 4688 — A new process has been created.
Description #
A new process has been created.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | [Creator Subject] Security ID. |
| SubjectUserName UnicodeString | [Creator Subject] Account Name. |
| SubjectDomainName UnicodeString | [Creator Subject] Account Domain. |
| SubjectLogonId HexInt64 | [Creator Subject] Logon ID. |
| NewProcessId Pointer | [Process Information] New Process ID. |
| NewProcessName UnicodeString | [Process Information] New Process Name. |
| TokenElevationType UnicodeString | [Process Information] Token Elevation Type. Known values |
| ProcessId Pointer | [Process Information] Creator Process ID. |
| CommandLine UnicodeString | [Process Information] Process Command Line. |
| TargetUserSid SID | [Target Subject] Security ID. |
| TargetUserName UnicodeString | [Target Subject] Account Name. |
| TargetDomainName UnicodeString | [Target Subject] Account Domain. |
| TargetLogonId HexInt64 | [Target Subject] Logon ID. |
| ParentProcessName UnicodeString | [Process Information] Creator Process Name. |
| MandatoryLabel SID | [Process Information] Mandatory Label. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4688,
"version": 2,
"level": 0,
"task": 13312,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:27.153945+00:00",
"event_record_id": 2753,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 336
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "-",
"SubjectDomainName": "-",
"SubjectLogonId": "0x3e7",
"NewProcessId": "0x328",
"NewProcessName": "C:\\Windows\\System32\\lsass.exe",
"TokenElevationType": "%%1936",
"ProcessId": "0x27c",
"CommandLine": "",
"TargetUserSid": "S-1-0-0",
"TargetUserName": "-",
"TargetDomainName": "-",
"TargetLogonId": "0x0",
"ParentProcessName": "C:\\Windows\\System32\\wininit.exe",
"MandatoryLabel": "S-1-16-16384"
},
"message": ""
}
Detection Patterns #
429 rules
Sigma
Splunk
Kusto Query Language
26 rules
Kusto Query Language
14 rules
Kusto Query Language
Normalized Process Events
7 rules
Kusto Query Language
7 rules
Kusto Query Language
7 rules
Splunk
Normalized Process Events
Asim Version
2 rules
Privilege Escalation: Bypass User Account Control
1 rule
Kusto Query Language
Defense Evasion: Impair Defenses
1 rule
Kusto Query Language
Lateral Movement: Exploitation of Remote Services
1 rule
Kusto Query Language
Lateral Movement: Exploitation of Remote Services
1 rule
Detection Rules #
Sigma #
- Chromium Browser Headless Execution To Mockbin Like Site source high: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
- NtdllPipe Like Activity Execution source high: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
- Potentially Suspicious Child Process Of ClickOnce Application source medium: Detects potentially suspicious child processes of a ClickOnce deployment application
- Potential Discovery Activity Via Dnscmd.EXE source medium: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.
- Uncommon FileSystem Load Attempt By Format.com source high: Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
- Potentially Suspicious GoogleUpdate Child Process source high: Detects potentially suspicious child processes of "GoogleUpdate.exe"
- Arbitrary Binary Execution Using GUP Utility source medium: Detects execution of the Notepad++ updater (gup) to launch other commands or executables
- HackTool - LaZagne Execution source medium: Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
- HackTool - Wmiexec Default Powershell Command source high: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
- ImagingDevices Unusual Parent/Child Processes source high: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
- Suspicious Execution of InstallUtil Without Log source medium: Uses the .NET InstallUtil.exe application in order to execute image without log
- Suspicious Shells Spawn by Java Utility Keytool source high: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
- Suspicious Processes Spawned by Java.EXE source high: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
- Shell Process Spawned by Java.EXE source medium: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
- Potentially Suspicious Execution Of PDQDeployRunner source medium: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines
- Suspicious Obfuscated PowerShell Code source high: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
- Email Exifiltration Via Powershell source high: Detects email exfiltration via powershell cmdlets
- Potential Suspicious Windows Feature Enabled - ProcCreation source medium: Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
- Suspicious PowerShell Invocations - Specific - ProcessCreation source medium: Detects suspicious PowerShell invocation command parameters
- Suspicious PowerShell Mailbox Export to Share source critical: Detects usage of the PowerShell New-MailboxExportRequest Cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations
Elastic #
- Potential LSASS Clone Creation via PssCaptureSnapShot source high: Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
Kusto Query Language #
- SUNBURST suspicious SolarWinds child processes source medium: Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
- Unusual identity creation using exchange powershell source high: The query below identifies creation of unusual identity by the Europium actor to mimic Microsoft Exchange Health Manager Service account using Exchange PowerShell commands Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/
- Identify Mango Sandstorm powershell commands source high: The query below identifies powershell commands used by the threat actor Mango Sandstorm. Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
- Midnight Blizzard - suspicious rundll32.exe execution of vbscript source medium: This query identifies when rundll32.exe executes a specific set of inline VBScript commands References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- Midnight Blizzard - Script payload stored in Registry source medium: This query identifies when a process execution command-line indicates that a registry value is written to allow for later execution of a malicious script References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- Silk Typhoon New UM Service Child Process source medium: This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- Powershell Empire Cmdlets Executed in Command Line source medium: This query identifies use of PowerShell Empire's cmdlets within the command line data of the PowerShell process, indicating potential use of the post-exploitation tool.
- DEV-0270 New User Creation source high: The following query tries to detect creation of a new user using a known DEV-0270 username/password schema
- Dev-0270 Malicious Powershell usage source high: DEV-0270 heavily uses powershell to achieve their objective at various stages of their attack. To locate powershell related activity tied to the actor, Microsoft Sentinel customers can run the following query.
- Dev-0270 Registry IOC - September 2022 source high: The query below identifies modification of registry by Dev-0270 actor to disable security feature as well as to add ransom notes
- Dev-0270 WMIC Discovery source high: The query below identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the environment.
- Windows Binaries Executed from Non-Default Directory source medium: The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\Windows\, C:\Windows\System32 etc.). Ref: https://lolbas-project.github.io/
- Caramel Tsunami Actor IOC - July 2021 source high: Identifies a match across IOC's related to an actor tracked by Microsoft as Caramel Tsunami
- Chia_Crypto_Mining IOC - June 2021 source low: Identifies a match across IOC's related to Chia cryptocurrency farming/plotting activity
- NRT Base64 Encoded Windows Process Command-lines source medium: This detection identifies instances of a base64 encoded PE file header seen in the process command line parameter.
- NRT Process executed from binary hidden in Base64 encoded file source medium: Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. The third one is looking for Ruby decoding base64.
- New EXE deployed via Default Domain or Default Domain Controller Policies source high: This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files. A threat actor may use these policies to deploy files or scripts to all hosts in a domain.
- Potential re-named sdelete usage source low: This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive. A threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.
- Sdelete deployed via GPO and run recursively source medium: This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple hosts and delete data on them.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4688
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/evtx-4688-process-created.md
Event ID 4689 — A process has exited.
Description #
A process has exited.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | [Subject] Security ID. |
| SubjectUserName UnicodeString | [Subject] Account Name. |
| SubjectDomainName UnicodeString | [Subject] Account Domain. |
| SubjectLogonId HexInt64 | [Subject] Logon ID. |
| Status HexInt32 | [Process Information] Exit Status. NTSTATUS reference |
| ProcessId Pointer | [Process Information] Process ID. |
| ProcessName UnicodeString | [Process Information] Process Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4689,
"version": 0,
"level": 0,
"task": 13313,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T02:04:26.563982+00:00",
"event_record_id": 315178,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 20768
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"Status": "0x0",
"ProcessId": "0x3f24",
"ProcessName": "C:\\Windows\\System32\\svchost.exe"
},
"message": ""
}
Detection Patterns #
Normalized Process Events
7 rules
Kusto Query Language
Normalized Process Events
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4689
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-termination
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4689
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4690 — An attempt was made to duplicate a handle to an object.
Description #
An attempt was made to duplicate a handle to an object.
Message #
Fields #
| Name | Description |
|---|---|
| Security_ID | [Subject] Security ID. |
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
| Source_Handle_ID | [Source Handle Information] Source Handle ID. |
| Source_Process_ID | [Source Handle Information] Source Process ID. |
| Target_Handle_ID | [New Handle Information] Target Handle ID. |
| Target_Process_ID | [New Handle Information] Target Process ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4690,
"version": 0,
"level": 0,
"task": 12807,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2021-04-26T08:26:03.063863Z",
"event_record_id": 463066,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 6080
},
"channel": "Security",
"computer": "srvdefender01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "SRVDEFENDER01$",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x3e7",
"SourceHandleId": "0x2a4",
"SourceProcessId": "0xc8c",
"TargetHandleId": "0x11ac",
"TargetProcessId": "0x4"
}
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4690
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-handle-manipulation
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4690
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4691 — Indirect access to an object was requested.
Description
Indirect access to an object was requested.
Message #
Fields #
| Name | Description |
|---|---|
| Security_ID SID | [Subject] Security ID. |
| Account_Name UnicodeString | [Subject] Account Name. |
| Account_Domain UnicodeString | [Subject] Account Domain. |
| Logon_ID HexInt64 | [Subject] Logon ID. |
| Object_Type UnicodeString | [Object] Object Type. |
| Object_Name UnicodeString | [Object] Object Name. |
| Accesses UnicodeString | [Access Request Information] Accesses. |
| Access_Mask HexInt32 | [Access Request Information] Access Mask. Access mask reference |
| Process_ID Pointer | [Process Information] Process ID. |
| SubjectUserSid SID | [Subject] Security ID |
| SubjectUserName UnicodeString | [Subject] Account Name |
| SubjectDomainName UnicodeString | [Subject] Account Domain |
| SubjectLogonId HexInt64 | [Subject] Logon ID |
| ObjectType UnicodeString | [Object] Object Type |
| ObjectName UnicodeString | [Object] Object Name |
| AccessList UnicodeString | [Access Request Information] Accesses |
| AccessMask HexInt32 | [Access Request Information] Access Mask. Access mask reference |
| ProcessId Pointer | [Process Information] Process ID |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4691
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4691
Event ID 4692 — Backup of data protection master key was attempted.
Description #
Backup of data protection master key was attempted.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | [Subject] Security ID |
| SubjectUserName UnicodeString | [Subject] Account Name |
| SubjectDomainName UnicodeString | [Subject] Account Domain |
| SubjectLogonId HexInt64 | [Subject] Logon ID |
| MasterKeyId UnicodeString | [Key Information] Key Identifier |
| RecoveryServer UnicodeString | [Key Information] Recovery Server |
| RecoveryKeyId UnicodeString | [Key Information] Recovery Key ID |
| FailureReason HexInt32 | [Status Information] Status Code. Known values |
| Security_ID SID | [Subject] Security ID. |
| Account_Name UnicodeString | [Subject] Account Name. |
| Account_Domain UnicodeString | [Subject] Account Domain. |
| Logon_ID HexInt64 | [Subject] Logon ID. |
| Key_Identifier UnicodeString | [Key Information] Key Identifier. |
| Recovery_Server UnicodeString | [Key Information] Recovery Server. |
| Recovery_Key_ID UnicodeString | [Key Information] Recovery Key ID. |
| Status_Code HexInt32 | [Status Information] Status Code. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4692,
"version": 0,
"level": 0,
"task": 13314,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-14T16:30:04.309269+00:00",
"event_record_id": 2554242,
"correlation": {
"ActivityID": "0375AF68-73B8-434A-AE18-9AF03149A7A2"
},
"execution": {
"process_id": 1092,
"thread_id": 4244
},
"channel": "Security",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0x1470e85",
"MasterKeyId": "0bb6fb5d-7c2d-44b7-8df0-e4526299350b",
"RecoveryServer": "",
"RecoveryKeyId": "fed516d7-c48c-48e4-8eb3-77f6590ccb36",
"FailureReason": "0x0"
},
"message": ""
}
Community Notes #
Backup of a user/computer master key to the DC, rarely seen after first logon. Several events may indicate key theft or mass profile creation.
Detection Rules #
Sigma #
- DPAPI Domain Master Key Backup Attempt source medium: Detects anyone attempting a backup for the DPAPI Master Key. This event gets generated at the source and not the Domain Controller.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4692
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4692
Event ID 4693 — Recovery of data protection master key was attempted.
Description #
Recovery of data protection master key was attempted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Key_Identifier | UnicodeString | [Key Information] Key Identifier. |
| Recovery_Server | HexInt32 | [Key Information] Recovery Server. |
| Recovery_Reason | UnicodeString | [Key Information] Recovery Reason. |
| Recovery_Key_ID | UnicodeString | [Key Information] Recovery Key ID. |
| Status_Code | HexInt32 | [Status Information] Status Code. |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| MasterKeyId | UnicodeString | [Key Information] Key Identifier |
| RecoveryReason | HexInt32 | [Key Information] Recovery Server |
| RecoveryServer | UnicodeString | [Key Information] Recovery Reason |
| RecoveryKeyId | UnicodeString | [Key Information] Recovery Key ID |
| FailureId | HexInt32 | [Status Information] Status Code |
Community Notes #
May appear when an attacker re-uses offline profiles or moves tokens between hosts. Correlate with LogonType 7/9 in 4624. See also: Detecting Credential Stealing Attacks Through Active In-Network Defense.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4693
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4693
Event ID 4694 — Protection of auditable protected data was attempted.
Description #
Protection of auditable protected data was attempted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| DataDescription | UnicodeString | [Protected Data] Key Identifier. |
| MasterKeyId | UnicodeString | [Protected Data] Data Description. |
| ProtectedDataFlags | HexInt32 | [Protected Data] Protected Data Flags. |
| CryptoAlgorithms | UnicodeString | [Protected Data] Protection Algorithms. |
| FailureReason | HexInt32 | [Status Information] Status Code. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4694,
"version": 0,
"level": 0,
"task": 13314,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T01:44:39.871358+00:00",
"event_record_id": 290370,
"correlation": {
"ActivityID": "E4DB489E-1037-0001-0C49-DBE43710DA01"
},
"execution": {
"process_id": 808,
"thread_id": 844
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"SubjectUserName": "User",
"SubjectDomainName": "WINDEV2310EVAL",
"SubjectLogonId": "0x27844",
"DataDescription": "ecf918da-9b78-4ed5-bd64-9ff40e3484a1",
"MasterKeyId": "Chromium",
"ProtectedDataFlags": "0x10",
"CryptoAlgorithms": "AES-256 , SHA2-512 ",
"FailureReason": "0x0"
},
"message": ""
}
Community Notes #
When seen outside of software installation it may indicate payload staging hidden in DPAPI.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4694
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4694
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4695 — Unprotection of auditable protected data was attempted.
Description #
Unprotection of auditable protected data was attempted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| DataDescription | UnicodeString | [Protected Data] Key Identifier. |
| MasterKeyId | UnicodeString | [Protected Data] Data Description. |
| ProtectedDataFlags | HexInt32 | [Protected Data] Protected Data Flags. |
| CryptoAlgorithms | UnicodeString | [Protected Data] Protection Algorithms. |
| FailureReason | HexInt32 | [Status Information] Status Code. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4695,
"version": 0,
"level": 0,
"task": 13314,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T01:47:40.735119+00:00",
"event_record_id": 293247,
"correlation": {
"ActivityID": "E4DB489E-1037-0001-0C49-DBE43710DA01"
},
"execution": {
"process_id": 808,
"thread_id": 15768
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"SubjectUserName": "User",
"SubjectDomainName": "WINDEV2310EVAL",
"SubjectLogonId": "0x27844",
"DataDescription": "ecf918da-9b78-4ed5-bd64-9ff40e3484a1",
"MasterKeyId": "Google Chrome",
"ProtectedDataFlags": "0x0",
"CryptoAlgorithms": "AES-256 , SHA2-512 ",
"FailureReason": "0x0"
},
"message": ""
}
Community Notes #
Pair with 4694 to identify which user accessed encrypted blobs.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4695
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4695
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4696 — A primary token was assigned to process.
Description #
A primary token was assigned to process.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| TargetUserSid | SID | [New Token Information] Security ID. |
| TargetUserName | UnicodeString | [New Token Information] Account Name. |
| TargetDomainName | UnicodeString | [New Token Information] Account Domain. |
| TargetLogonId | HexInt64 | [New Token Information] Logon ID. |
| TargetProcessId | Pointer | [Target Process] Target Process ID. |
| TargetProcessName | UnicodeString | [Target Process] Target Process Name. |
| ProcessId | Pointer | [Process Information] Process ID. |
| ProcessName | UnicodeString | [Process Information] Process Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4696,
"version": 0,
"level": 0,
"task": 13312,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:19.637636+00:00",
"event_record_id": 2742,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 96
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "-",
"SubjectDomainName": "-",
"SubjectLogonId": "0x3e7",
"TargetUserSid": "S-1-0-0",
"TargetUserName": "-",
"TargetDomainName": "-",
"TargetLogonId": "0x3e7",
"TargetProcessId": "0x64",
"TargetProcessName": "Registry",
"ProcessId": "0x4",
"ProcessName": ""
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4696
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4696
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4697 — A service was installed in the system.
Description #
A service was installed in the system.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| ServiceName | UnicodeString | [Service Information] Service Name. |
| ServiceFileName | UnicodeString | [Service Information] Service File Name. |
| ServiceType | HexInt32 | [Service Information] Service Type. |
| ServiceStartType | UInt32 | [Service Information] Service Start Type. |
| ServiceAccount | UnicodeString | [Service Information] Service Account. |
| ClientProcessStartKey | UInt64 | — |
| ClientProcessId | UInt32 | — |
| ParentProcessId | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4697,
"version": 1,
"level": 0,
"task": 12289,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-04T14:08:37.173232+00:00",
"event_record_id": 34393,
"correlation": {
"ActivityID": "7377737E-4825-0000-C974-77732548D801"
},
"execution": {
"process_id": 612,
"thread_id": 3964
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WIN-TKC15D7KHUR$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"ServiceName": "MpKsl6680716f",
"ServiceFileName": "C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{94297FD4-6E63-4B60-B47B-85D76376014D}\\MpKslDrv.sys",
"ServiceType": "0x1",
"ServiceStartType": 3,
"ServiceAccount": "LocalSystem",
"ClientProcessStartKey": 1407374883553325,
"ClientProcessId": 1796,
"ParentProcessId": 604
},
"message": ""
}
Detection Patterns #
Persistence: Windows Service
1 rule
Lateral Movement: Exploitation of Remote Services
1 rule
Detection Rules #
Sigma #
- CobaltStrike Service Installations - Security source high: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
- HybridConnectionManager Service Installation source high: Rule to detect the Hybrid Connection Manager service installation.
- Invoke-Obfuscation CLIP+ Launcher - Security source high: Detects Obfuscated use of Clip.exe to execute PowerShell
- Invoke-Obfuscation Obfuscated IEX Invocation - Security source high: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
- Invoke-Obfuscation STDIN+ Launcher - Security source high: Detects Obfuscated use of stdin to execute PowerShell
- Invoke-Obfuscation VAR+ Launcher - Security source high: Detects Obfuscated use of Environment Variables to execute PowerShell
- Invoke-Obfuscation COMPRESS OBFUSCATION - Security source medium: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
- Invoke-Obfuscation RUNDLL LAUNCHER - Security source medium: Detects Obfuscated Powershell via RUNDLL LAUNCHER
- Invoke-Obfuscation Via Stdin - Security source high: Detects Obfuscated Powershell via Stdin in Scripts
- Invoke-Obfuscation Via Use Clip - Security source high: Detects Obfuscated Powershell via use Clip.exe in Scripts
- Invoke-Obfuscation Via Use MSHTA - Security source high: Detects Obfuscated Powershell via use MSHTA in Scripts
- Invoke-Obfuscation Via Use Rundll32 - Security source high: Detects Obfuscated Powershell via use Rundll32 in Scripts
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security source high: Detects Obfuscated Powershell via VAR++ LAUNCHER
- Credential Dumping Tools Service Execution - Security source high: Detects well-known credential dumping tools execution via service execution events
- Metasploit Or Impacket Service Installation Via SMB PsExec source high: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
- Meterpreter or Cobalt Strike Getsystem Service Installation - Security source high: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
- Windows Pcap Drivers source medium: Detects Windows Pcap driver installation based on a list of associated .sys files.
- PowerShell Scripts Installed as Services - Security source high: Detects powershell script installed as a Service
- Remote Access Tool Services Have Been Installed - Security source medium: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
- Service Installed By Unusual Client - Security source high: Detects a service installed by a client which has PID 0 or whose parent has PID 0
Elastic #
- Windows Service Installed via an Unusual Client source high: Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4697
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4698 — A scheduled task was created.
Description #
A scheduled task was created.
Message #
Fields #
| Name | Description |
|---|---|
| Security_ID | [Subject] Security ID. |
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
| Task_Name | [Task Information] Task Name. |
| Task_Content | [Task Information] Task Content. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4698,
"version": 0,
"level": 0,
"task": 12804,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2019-03-19T00:02:04.319945Z",
"event_record_id": 566836,
"correlation": {},
"execution": {
"process_id": 452,
"thread_id": 2836
},
"channel": "Security",
"computer": "WIN-77LTAPHIQ1R.example.corp",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1587066498-1489273250-1035260531-500",
"SubjectUserName": "Administrator",
"SubjectDomainName": "EXAMPLE",
"SubjectLogonId": "0x17e2d2",
"TaskName": "\\CYAlyNSS",
"TaskContent": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <Triggers>\r\n <CalendarTrigger>\r\n <StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>\r\n <Enabled>true</Enabled>\r\n <ScheduleByDay>\r\n <DaysInterval>1</DaysInterval>\r\n </ScheduleByDay>\r\n </CalendarTrigger>\r\n </Triggers>\r\n <Principals>\r\n <Principal id=\"LocalSystem\">\r\n <UserId>S-1-5-18</UserId>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n <LogonType>InteractiveToken</LogonType>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>true</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>true</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>P3D</ExecutionTimeLimit>\r\n <Priority>7</Priority>\r\n </Settings>\r\n <Actions Context=\"LocalSystem\">\r\n <Exec>\r\n <Command>cmd.exe</Command>\r\n <Arguments>/C tasklist > %windir%\\Temp\\CYAlyNSS.tmp 2>&1</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task>"
}
}
Detection Patterns #
Scheduled Task
2 rules
Scheduled Task With Suspicious
Lateral Movement: Exploitation of Remote Services
1 rule
Community Notes #
May also indicate remote creation via relayed SMB/WinRM session, PS cmdlets, DCOM over RPC, WMI, others.
Detection Rules #
Sigma #
- Suspicious Scheduled Task Creation source high: Detects suspicious scheduled task creation events. Based on attributes such as paths, command line flags, etc.
Elastic #
- Remote Scheduled Task Creation via RPC source medium: Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.
- A scheduled task was created source low: Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.
Splunk #
- Randomly Generated Scheduled Task Name source: The following analytic detects the creation of a Scheduled Task with a high entropy, randomly generated name, leveraging Event ID 4698. It uses the `ut_shannon` function from the URL ToolBox Splunk application to measure the entropy of the Task Name. This activity is significant as adversaries often use randomly named Scheduled Tasks for lateral movement and remote code execution, employing tools like Impacket or CrackMapExec. If confirmed malicious, this could allow attackers to execute arbitrary code remotely, potentially leading to further compromise and persistence within the network.
- Schedule Task with HTTP Command Arguments source: The following analytic detects the creation of scheduled tasks on Windows systems that include HTTP command arguments, using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService with HTTP in their command arguments. This behavior is significant as it often indicates malware activity or the use of Living off the Land binaries (lolbins) to download additional payloads. If confirmed malicious, this activity could lead to data exfiltration, malware propagation, or unauthorized access to sensitive information, necessitating immediate investigation and mitigation.
- Schedule Task with Rundll32 Command Trigger source: The following analytic detects the creation of scheduled tasks in Windows that use the rundll32 command. It leverages Windows Security EventCode 4698, which logs the creation of scheduled tasks, and filters for tasks executed via rundll32. This activity is significant as it is a common technique used by malware, such as TrickBot, to persist in an environment or deliver additional payloads. If confirmed malicious, this could lead to data theft, ransomware deployment, or other damaging outcomes. Immediate investigation and mitigation are crucial to prevent further compromise.
- Windows Hidden Schedule Task Settings source: The following analytic detects the creation of hidden scheduled tasks on Windows systems, which are not visible in the UI. It leverages Windows Security EventCode 4698 to identify tasks where the 'Hidden' setting is enabled. This behavior is significant as it may indicate malware activity, such as Industroyer2, or the use of living-off-the-land binaries (LOLBINs) to download additional payloads. If confirmed malicious, this activity could allow attackers to execute code stealthily, maintain persistence, or further compromise the system by downloading additional malicious payloads.
- Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr source: The following analytic detects the creation or modification of Windows Scheduled Tasks related to CompMgmtLauncher or Eventvwr. These legitimate system utilities, used for launching the Computer Management Console and Event Viewer, can be abused by attackers to execute malicious payloads under the guise of normal system processes. By leveraging these tasks, adversaries can establish persistence or elevate privileges without raising suspicion. This detection helps security analysts identify unusual or unauthorized scheduled tasks involving these executables, allowing for timely investigation and remediation of potential threats.
- WinEvent Scheduled Task Created to Spawn Shell source: The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript. It leverages Windows Security EventCode 4698 to identify when such tasks are registered. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.
- WinEvent Scheduled Task Created Within Public Path source: The following analytic detects the creation of scheduled tasks within user-writable paths using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService that execute commands from directories like Public, ProgramData, Temp, and AppData. This behavior is significant as it may indicate an attempt to establish persistence or execute unauthorized commands. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, or execute arbitrary code, posing a severe threat to system integrity and security.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4698
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4699 — A scheduled task was deleted.
Description #
A scheduled task was deleted.
Message #
Fields #
| Name | Description |
|---|---|
| Security_ID | [Subject] Security ID. |
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
| Task_Name | [Task Information] Task Name. |
| Task_Content | [Task Information] Task Content. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4699,
"version": 0,
"level": 0,
"task": 12804,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2019-03-19T00:02:04.351252Z",
"event_record_id": 566840,
"correlation": {},
"execution": {
"process_id": 452,
"thread_id": 2836
},
"channel": "Security",
"computer": "WIN-77LTAPHIQ1R.example.corp",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1587066498-1489273250-1035260531-500",
"SubjectUserName": "Administrator",
"SubjectDomainName": "EXAMPLE",
"SubjectLogonId": "0x17e2d2",
"TaskName": "\\CYAlyNSS",
"TaskContent": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <Triggers>\r\n <CalendarTrigger>\r\n <StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>\r\n <Enabled>true</Enabled>\r\n <ScheduleByDay>\r\n <DaysInterval>1</DaysInterval>\r\n </ScheduleByDay>\r\n </CalendarTrigger>\r\n </Triggers>\r\n <Principals>\r\n <Principal id=\"LocalSystem\">\r\n <UserId>S-1-5-18</UserId>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n <LogonType>InteractiveToken</LogonType>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>true</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>true</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>P3D</ExecutionTimeLimit>\r\n <Priority>7</Priority>\r\n </Settings>\r\n <Actions Context=\"LocalSystem\">\r\n <Exec>\r\n <Command>cmd.exe</Command>\r\n <Arguments>/C tasklist > %windir%\\Temp\\CYAlyNSS.tmp 2>&1</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task>"
}
}
Detection Patterns #
Scheduled Task
2 rules
Execution: Scheduled Task
1 rule
Lateral Movement: Exploitation of Remote Services
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4699
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4700 — A scheduled task was enabled.
Description #
A scheduled task was enabled.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| TaskName | UnicodeString | [Task Information] Task Name |
| TaskContent | UnicodeString | [Task Information] Task Content |
| ClientProcessStartKey | UInt64 | [Other Information] ProcessCreationTime |
| ClientProcessId | UInt32 | [Other Information] ClientProcessId |
| ParentProcessId | UInt32 | [Other Information] ParentProcessId |
| RpcCallClientLocality | UInt32 | [Other Information] FQDN |
| FQDN | UnicodeString | — |
| Security_ID | | [Subject] Security ID. |
| Account_Name | | [Subject] Account Name. |
| Account_Domain | | [Subject] Account Domain. |
| Logon_ID | | [Subject] Logon ID. |
| Task_Name | | [Task Information] Task Name. |
| Task_Content | | [Task Information] Task Content. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4700,
"version": 1,
"level": 0,
"task": 12804,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-08T23:13:42.036906+00:00",
"event_record_id": 1552683,
"correlation": {
"ActivityID": "0973643C-548D-4680-AA95-124DB4FF8472"
},
"execution": {
"process_id": 780,
"thread_id": 2440
},
"channel": "Security",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-20",
"SubjectUserName": "LAB-WIN11$",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0x3e4",
"TaskName": "\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTaskLogon",
"TaskContent": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <Version>1.0</Version>\r\n <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFW;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-4)</SecurityDescriptor>\r\n <Source>$(@%systemroot%\\system32\\sppc.dll,-200)</Source>\r\n <Author>$(@%systemroot%\\system32\\sppc.dll,-200)</Author>\r\n <Description>$(@%systemroot%\\system32\\sppc.dll,-202)</Description>\r\n <URI>\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTaskLogon</URI>\r\n </RegistrationInfo>\r\n <Principals>\r\n <Principal id=\"InteractiveUser\">\r\n <GroupId>S-1-5-4</GroupId>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <AllowHardTerminate>false</AllowHardTerminate>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Hidden>true</Hidden>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n <RestartOnFailure>\r\n <Count>3</Count>\r\n <Interval>PT1M</Interval>\r\n </RestartOnFailure>\r\n <IdleSettings>\r\n <StopOnIdleEnd>true</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\r\n </Settings>\r\n <Triggers>\r\n <LogonTrigger />\r\n </Triggers>\r\n <Actions Context=\"InteractiveUser\">\r\n <ComHandler>\r\n <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>\r\n <Data><![CDATA[logon]]></Data>\r\n </ComHandler>\r\n </Actions>\r\n</Task>",
"ClientProcessStartKey": 1970324836977758,
"ClientProcessId": 5592,
"ParentProcessId": 204,
"RpcCallClientLocality": 0,
"FQDN": "LAB-WIN11.ludus.domain"
},
"message": ""
}
Detection Patterns #
Scheduled Task With Suspicious
Lateral Movement: Exploitation of Remote Services
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4700
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4700
Event ID 4701 — A scheduled task was disabled.
Description #
A scheduled task was disabled.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid (SID) | [Subject] Security ID; rendered label Security_ID |
| SubjectUserName (UnicodeString) | [Subject] Account Name; rendered label Account_Name |
| SubjectDomainName (UnicodeString) | [Subject] Account Domain; rendered label Account_Domain |
| SubjectLogonId (HexInt64) | [Subject] Logon ID; rendered label Logon_ID |
| TaskName (UnicodeString) | [Task Information] Task Name; rendered label Task_Name |
| TaskContent (UnicodeString) | [Task Information] Task Content; rendered label Task_Content. Full Task Scheduler XML of the task at the moment it was disabled |
| ClientProcessStartKey (UInt64) | [Other Information] Process Creation Time (the field carries the start key of the client process that disabled the task; present in event version 1 as in the example below, absent from the version 0 template) |
| ClientProcessId (UInt32) | [Other Information] Process ID of the client process that disabled the task |
| ParentProcessId (UInt32) | [Other Information] Parent Process ID of that client process |
| RpcCallClientLocality (UInt32) | Not rendered in the message text; 0 in the example |
| FQDN (UnicodeString) | [Other Information] FQDN of the computer that logged the event |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4701,
"version": 1,
"level": 0,
"task": 12804,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-09T18:21:07.550543+00:00",
"event_record_id": 1753741,
"correlation": {
"ActivityID": "B6034439-245E-4C44-9C16-887F1090313D"
},
"execution": {
"process_id": 8,
"thread_id": 6100
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "LAB-WIN11$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"TaskName": "\\Microsoft\\Windows\\EnterpriseMgmt\\69C01DBD-8068-44F9-9507-8A9DF76C127A\\Wsc Startup event listener created by enrollment client",
"TaskContent": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.4\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <SecurityDescriptor>D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;LS)</SecurityDescriptor>\r\n <Author>Microsoft Corporation</Author>\r\n <URI>\\Microsoft\\Windows\\EnterpriseMgmt\\69C01DBD-8068-44F9-9507-8A9DF76C127A\\Wsc Startup event listener created by enrollment client</URI>\r\n </RegistrationInfo>\r\n <Principals>\r\n <Principal id=\"LocalSystem\">\r\n <UserId>S-1-5-18</UserId>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <Enabled>false</Enabled>\r\n <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>\r\n <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>\r\n <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\r\n </Settings>\r\n <Triggers>\r\n <WnfStateChangeTrigger>\r\n <StateName>7510BCA33A1D8541</StateName>\r\n </WnfStateChangeTrigger>\r\n </Triggers>\r\n <Actions Context=\"LocalSystem\">\r\n <Exec>\r\n <Command>%windir%\\system32\\deviceenroller.exe</Command>\r\n <Arguments>/s \"69C01DBD-8068-44F9-9507-8A9DF76C127A\" /c /WscStartupAlert</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task>",
"ClientProcessStartKey": 3940649673950061,
"ClientProcessId": 9152,
"ParentProcessId": 840,
"RpcCallClientLocality": 0,
"FQDN": "LAB-WIN11"
},
"message": ""
}
Detection Patterns #
Execution: Scheduled Task
1 rule
Lateral Movement: Exploitation of Remote Services
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4701
Event ID 4702 — A scheduled task was updated.
Description #
A scheduled task was updated.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid (SID) | [Subject] Security ID; rendered label Security_ID |
| SubjectUserName (UnicodeString) | [Subject] Account Name; rendered label Account_Name |
| SubjectDomainName (UnicodeString) | [Subject] Account Domain; rendered label Account_Domain |
| SubjectLogonId (HexInt64) | [Subject] Logon ID; rendered label Logon_ID |
| TaskName (UnicodeString) | [Task Information] Task Name; rendered label Task_Name |
| TaskContentNew (UnicodeString) | [Task Information] Task New Content; rendered label Task_New_Content. Full Task Scheduler XML of the task after the update; the previous definition is not included |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4702,
"version": 0,
"level": 0,
"task": 12804,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2019-03-25T11:22:45.080609Z",
"event_record_id": 198238563,
"correlation": {},
"execution": {
"process_id": 444,
"thread_id": 2260
},
"channel": "Security",
"computer": "DC1.insecurebank.local",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-20",
"SubjectUserName": "DC1$",
"SubjectDomainName": "insecurebank",
"SubjectLogonId": "0x3e4",
"TaskName": "\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask",
"TaskContentNew": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.4\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <Source>$(@%systemroot%\\system32\\sppc.dll,-200)</Source>\r\n <Author>$(@%systemroot%\\system32\\sppc.dll,-200)</Author>\r\n <Version>1.0</Version>\r\n <Description>$(@%systemroot%\\system32\\sppc.dll,-201)</Description>\r\n <URI>\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask</URI>\r\n <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor>\r\n </RegistrationInfo>\r\n <Triggers>\r\n <CalendarTrigger>\r\n <StartBoundary>2019-03-26T11:21:44Z</StartBoundary>\r\n <Enabled>true</Enabled>\r\n <ScheduleByDay>\r\n <DaysInterval>1</DaysInterval>\r\n </ScheduleByDay>\r\n </CalendarTrigger>\r\n </Triggers>\r\n <Principals>\r\n <Principal id=\"NetworkService\">\r\n <UserId>S-1-5-20</UserId>\r\n <RunLevel>LeastPrivilege</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>false</AllowHardTerminate>\r\n <StartWhenAvailable>true</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>true</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>true</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>\r\n <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>7</Priority>\r\n <RestartOnFailure>\r\n <Interval>PT1M</Interval>\r\n <Count>3</Count>\r\n </RestartOnFailure>\r\n </Settings>\r\n <Actions Context=\"NetworkService\">\r\n <ComHandler>\r\n <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>\r\n <Data><![CDATA[timer]]></Data>\r\n </ComHandler>\r\n </Actions>\r\n</Task>"
}
}
Detection Patterns #
Scheduled Task With Suspicious
Lateral Movement: Exploitation of Remote Services
1 rule
Community Notes #
Logged when an existing task definition is rewritten. The event carries only the new XML (TaskContentNew), so compare it with the earlier 4698 or 4702 for the same TaskName to see whether the action command or arguments, the principal, the run level or the triggers changed. Replacing the action of a task that already exists avoids the new task name and the 4698 that creating one would produce.
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- Suspicious Scheduled Task Update source high: Detects update to a scheduled task event that contain suspicious keywords.
Elastic # view in reference
- Unusual Scheduled Task Update source low: Identifies first-time modifications to scheduled tasks by user accounts, excluding system activity and machine accounts.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4702
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
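Added example (my own code, not part of this catalog or of any vendor rule): a parser for the TaskContent / TaskContentNew XML carried by 4698, 4700, 4701 and 4702, followed by the kind of keyword check on the action command line that the Sigma rule above describes. The indicator list, the "hidden SYSTEM task outside \Microsoft\" heuristic, the JSON shape of the sample records and the two sample tasks (one trimmed from the 4701 example above, one constructed to look like a malicious update) are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Illustrative indicators for the action command line: my own short list, not the
# exact keyword set of the Sigma rule referenced above; tune it to your environment.
SUSPICIOUS_PATTERNS = [
    r"\bpowershell(\.exe)?\b.*(-enc\b|-e\s|-ec\s|frombase64string|downloadstring|\biex\b)",
    r"\b(cmd(\.exe)?\s*/c|mshta|regsvr32|rundll32|certutil|wscript|cscript|bitsadmin)\b",
    r"\\(appdata|temp|users\\public|programdata)\\",  # payload in a user-writable directory
    r"\\\\[^\\]+\\.*\.(exe|dll|ps1|bat|vbs|js)\b",    # payload fetched from a UNC share
]


def parse_task(task_xml: str) -> dict:
    """Pull the triage-relevant fields out of a Task Scheduler XML document.

    The event carries the XML as text although its declaration claims UTF-16,
    so the declaration is stripped before parsing.
    """
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml))

    def text(path: str) -> str:
        el = root.find(path, TASK_NS)
        return (el.text or "").strip() if el is not None else ""

    actions = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        actions.append({"type": "Exec",
                        "command": (ex.findtext("t:Command", "", TASK_NS) or "").strip(),
                        "arguments": (ex.findtext("t:Arguments", "", TASK_NS) or "").strip()})
    for ch in root.findall("t:Actions/t:ComHandler", TASK_NS):  # the SvcRestartTask examples use this
        actions.append({"type": "ComHandler",
                        "command": (ch.findtext("t:ClassId", "", TASK_NS) or "").strip(),
                        "arguments": (ch.findtext("t:Data", "", TASK_NS) or "").strip()})
    return {
        "uri": text("t:RegistrationInfo/t:URI"),
        "author": text("t:RegistrationInfo/t:Author"),
        # A principal is either a UserId (account SID) or a GroupId such as S-1-5-4 (INTERACTIVE).
        "principal": text("t:Principals/t:Principal/t:UserId") or text("t:Principals/t:Principal/t:GroupId"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden").lower() == "true",
        "enabled": text("t:Settings/t:Enabled").lower() != "false",
        "triggers": [t.tag.split("}")[-1] for t in root.findall("t:Triggers/*", TASK_NS)],
        "actions": actions,
    }


def assess_task_event(event: dict) -> dict:
    """Parse one 4698/4700/4701/4702 record and attach a list of findings."""
    data = event["event_data"]
    task = parse_task(data.get("TaskContentNew") or data.get("TaskContent") or "<Task/>")
    cmdline = " ".join(f"{a['command']} {a['arguments']}" for a in task["actions"]).lower()
    findings = [f"action matches {p!r}" for p in SUSPICIOUS_PATTERNS if re.search(p, cmdline)]
    if task["hidden"] and task["principal"] == "S-1-5-18" and not task["uri"].lower().startswith("\\microsoft\\"):
        findings.append("hidden task running as SYSTEM outside the \\Microsoft\\ folder")
    return {"event_id": event["system"]["event_id"],
            "task_name": data.get("TaskName") or task["uri"],
            "subject": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
            "task": task, "findings": findings}


def make_event(event_id: int, task_name: str, task_xml: str,
               user: str = "LAB-WIN11$", sid: str = "S-1-5-18") -> dict:
    """Constructed record in this catalog's JSON shape, carrying only the fields the checks read."""
    field = "TaskContentNew" if event_id == 4702 else "TaskContent"
    return {"system": {"event_id": event_id, "computer": "LAB-WIN11"},
            "event_data": {"SubjectUserSid": sid, "SubjectUserName": user,
                           "SubjectDomainName": "ludus", "TaskName": task_name, field: task_xml}}


# Trimmed from the 4701 example above: Microsoft's enrollment-client task.
BENIGN_TASK_XML = (
    '<?xml version="1.0" encoding="UTF-16"?>\r\n'
    '<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    '<RegistrationInfo><Author>Microsoft Corporation</Author>'
    '<URI>\\Microsoft\\Windows\\EnterpriseMgmt\\69C01DBD-8068-44F9-9507-8A9DF76C127A\\Wsc Startup event listener created by enrollment client</URI>'
    '</RegistrationInfo><Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId>'
    '<RunLevel>HighestAvailable</RunLevel></Principal></Principals>'
    '<Settings><Enabled>false</Enabled></Settings>'
    '<Triggers><WnfStateChangeTrigger><StateName>7510BCA33A1D8541</StateName></WnfStateChangeTrigger></Triggers>'
    '<Actions Context="LocalSystem"><Exec><Command>%windir%\\system32\\deviceenroller.exe</Command>'
    '<Arguments>/s "69C01DBD-8068-44F9-9507-8A9DF76C127A" /c /WscStartupAlert</Arguments></Exec></Actions></Task>'
)
# Constructed: a task rewritten to run an encoded PowerShell stager as SYSTEM at every logon.
MALICIOUS_TASK_XML = (
    '<?xml version="1.0" encoding="UTF-16"?>'
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    '<RegistrationInfo><Author>ludus\\jdoe</Author><URI>\\Updater</URI></RegistrationInfo>'
    '<Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>'
    '<Settings><Hidden>true</Hidden><Enabled>true</Enabled></Settings>'
    '<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>'
    '<Actions Context="Author"><Exec><Command>powershell.exe</Command>'
    '<Arguments>-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Arguments></Exec></Actions></Task>'
)
BENIGN_EVENT = make_event(4701, "\\Microsoft\\Windows\\EnterpriseMgmt\\69C01DBD-8068-44F9-9507-8A9DF76C127A\\Wsc Startup event listener created by enrollment client", BENIGN_TASK_XML)
MALICIOUS_EVENT = make_event(4702, "\\Updater", MALICIOUS_TASK_XML, user="jdoe", sid="S-1-5-21-1111-2222-3333-1105")

if __name__ == "__main__":
    for ev in (BENIGN_EVENT, MALICIOUS_EVENT):
        result = assess_task_event(ev)
        print(result["event_id"], result["task_name"], result["findings"] or "clean")
```

The parser works on the 4702 example's ComHandler action as well as on Exec actions; for a real pipeline, keep the previous 4698/4702 XML per TaskName so that an update can be diffed rather than judged on its new content alone.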
Event ID 4703 — A user right was adjusted.
Description #
A user right was adjusted: one or more privileges in an access token were enabled or disabled. Despite the wording, this is a per-token change audited under Token Right Adjusted, not a change to the user rights assignment policy (that is 4704/4705).
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid (SID) | [Subject] Security ID |
| SubjectUserName (UnicodeString) | [Subject] Account Name |
| SubjectDomainName (UnicodeString) | [Subject] Account Domain |
| SubjectLogonId (HexInt64) | [Subject] Logon ID |
| TargetUserSid (SID) | [Target Account] Security ID of the account whose token was adjusted |
| TargetUserName (UnicodeString) | [Target Account] Account Name |
| TargetDomainName (UnicodeString) | [Target Account] Account Domain |
| TargetLogonId (HexInt64) | [Target Account] Logon ID |
| ProcessName (UnicodeString) | [Process Information] Process Name: full path of the process that adjusted the token |
| ProcessId (Pointer) | [Process Information] Process ID (hexadecimal) |
| EnabledPrivilegeList (UnicodeString) | [Enabled Privileges] privilege constants enabled in the token, separated by CRLF and tabs in the raw data (see the example); "-" if none. Privilege constants reference |
| DisabledPrivilegeList (UnicodeString) | [Disabled Privileges] privilege constants disabled in the token, same format; "-" if none. Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4703,
"version": 0,
"level": 0,
"task": 13317,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T02:04:44.861115+00:00",
"event_record_id": 315382,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 9496
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"TargetUserSid": "S-1-5-18",
"TargetUserName": "WINDEV2310EVAL$",
"TargetDomainName": "WORKGROUP",
"TargetLogonId": "0x3e7",
"ProcessName": "C:\\Windows\\System32\\svchost.exe",
"ProcessId": "0xd0c",
"EnabledPrivilegeList": "SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeIncreaseQuotaPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeSystemtimePrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeShutdownPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeUndockPrivilege\r\n\t\t\tSeManageVolumePrivilege",
"DisabledPrivilegeList": "-"
},
"message": ""
}
Community Notes #
Generated when privileges in a token are enabled or disabled (SeDebugPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege and the like). The subcategory is very high-volume because services running as SYSTEM toggle privileges continuously (the example is one svchost enabling twelve at once), so filter on a TargetUserSid outside S-1-5-18/19/20 and on the specific privilege before alerting, as the rules below do.
Detection Rules #
View all rules referencing this event →
Elastic # view in reference
- SeDebugPrivilege Enabled by a Suspicious Process source medium: Identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege. Adversaries may enable this privilege to debug and modify other processes, typically reserved for system-level tasks, to escalate privileges and bypass access controls.
Splunk # view in reference
- Windows Access Token Manipulation SeDebugPrivilege source: The following analytic detects a process enabling the "SeDebugPrivilege" privilege token. It leverages Windows Security Event Logs with EventCode 4703, filtering out common legitimate processes. This activity is significant because SeDebugPrivilege allows a process to inspect and modify the memory of other processes, potentially leading to credential dumping or code injection. If confirmed malicious, an attacker could gain extensive control over system processes, enabling them to escalate privileges, persist in the environment, or access sensitive information.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-token-right-adjusted
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4703
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4704 — A user right was assigned.
Description #
A user right was assigned.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid (SID) | [Subject] Security ID |
| SubjectUserName (UnicodeString) | [Subject] Account Name |
| SubjectDomainName (UnicodeString) | [Subject] Account Domain |
| SubjectLogonId (HexInt64) | [Subject] Logon ID |
| TargetSid (SID) | [Target Account] Account Name: labelled Account Name in the message, but the value is the SID of the account that received the right (S-1-5-83-0 in the example is NT VIRTUAL MACHINE\Virtual Machines) |
| PrivilegeList (UnicodeString) | [New Right] User Right: the privilege constant that was assigned. Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4704,
"version": 0,
"level": 0,
"task": 13570,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-05T23:16:25.782413+00:00",
"event_record_id": 71899,
"correlation": {
"ActivityID": "E4DB489E-1037-0001-0C49-DBE43710DA01"
},
"execution": {
"process_id": 808,
"thread_id": 844
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"TargetSid": "S-1-5-83-0",
"PrivilegeList": "SeCreateSymbolicLinkPrivilege"
},
"message": ""
}
Community Notes #
Logged when a user right (privilege) is added to an account in the local security policy, whether through Local Security Policy, secedit, Group Policy User Rights Assignment or LsaAddAccountRights. This is a policy change, not the per-token toggling reported by 4703; the matching removal is 4705, and logon rights such as SeServiceLogonRight are reported by 4717/4718 instead.
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- Enabled User Right in AD to Control User Objects source high: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
Elastic # view in reference
- Sensitive Privilege SeEnableDelegationPrivilege assigned to a User source high: Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4704
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4704
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4705 — A user right was removed.
Description #
A user right was removed.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid (SID) | [Subject] Security ID; rendered label Security_ID |
| SubjectUserName (UnicodeString) | [Subject] Account Name; rendered label Account_Name |
| SubjectDomainName (UnicodeString) | [Subject] Account Domain; rendered label Account_Domain |
| SubjectLogonId (HexInt64) | [Subject] Logon ID; rendered label Logon_ID |
| TargetSid (SID) | [Target Account] Account Name: labelled Account Name in the message, but the value is the SID of the account the right was removed from |
| PrivilegeList (UnicodeString) | [Removed Right] User Right: the privilege constant that was removed |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4705,
"version": 0,
"level": 0,
"task": 13570,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2020-07-12T20:23:39.973927Z",
"event_record_id": 1239002,
"correlation": {},
"execution": {
"process_id": 464,
"thread_id": 2980
},
"channel": "Security",
"computer": "fs02.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"SubjectUserName": "admmig",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x202dac8",
"TargetSid": "S-1-5-21-4230534742-2542757381-3142984815-1158",
"PrivilegeList": "SeCreateTokenPrivilege"
}
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4705
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4705
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
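Added example (my own code, not the catalog's and not the Elastic, Splunk or Sigma rule logic verbatim) covering 4703, 4704 and 4705 together: it splits the CRLF/tab-separated EnabledPrivilegeList of 4703 and the single-name PrivilegeList of 4704/4705, then applies the two checks the rules above describe: a sensitive privilege enabled in a non-service token by a process outside an allow-list, and a sensitive right assigned to an account. The privilege list, the allow-list, the severities and the constructed records are my assumptions; three of the sample records are reduced from the 4703, 4704 and 4705 examples on this page.

```python
import re

# SYSTEM, LOCAL SERVICE, NETWORK SERVICE: their tokens enable privileges constantly (see the 4703 example).
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# Privileges worth attention when enabled in a token (4703) or granted as a right (4704).
# The selection and the one-line rationale are mine; extend it for your environment.
SENSITIVE_PRIVILEGES = {
    "SeDebugPrivilege": "read and write any process memory (credential dumping, injection)",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeEnableDelegationPrivilege": "mark accounts as trusted for delegation (AD account takeover)",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeRestorePrivilege": "write any file or registry key regardless of its ACL",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeCreateTokenPrivilege": "create arbitrary primary tokens",
    "SeAssignPrimaryTokenPrivilege": "assign the primary token of a process",
    "SeImpersonatePrivilege": "impersonate clients after authentication",
}

# Binaries that enable these privileges as part of normal operation in this lab baseline.
# Constructed allow-list for the example; build yours from your own 4703 volume.
KNOWN_PRIVILEGE_ENABLERS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\taskmgr.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}


def split_privileges(value) -> list:
    """4703 separates names with CRLF and tabs, 4704/4705 carry one name, and '-' means none."""
    return [p for p in re.split(r"\s+", (value or "").strip()) if p and p != "-"]


def triage_privilege_event(event: dict) -> list:
    """Return [{'severity', 'privilege', 'reason'}, ...] for one 4703, 4704 or 4705 record."""
    eid = event["system"]["event_id"]
    d = event["event_data"]
    subject = f"{d.get('SubjectDomainName', '')}\\{d.get('SubjectUserName', '')}"
    alerts = []
    if eid == 4703:
        proc = d.get("ProcessName", "").lower()
        target_sid = d.get("TargetUserSid", "")
        for priv in split_privileges(d.get("EnabledPrivilegeList")):
            if priv not in SENSITIVE_PRIVILEGES:
                continue
            if target_sid in SERVICE_SIDS or proc in KNOWN_PRIVILEGE_ENABLERS:
                continue  # the 4703 example above: SYSTEM's svchost enabling a dozen privileges
            alerts.append({"severity": "high", "privilege": priv,
                           "reason": f"{priv} enabled in the token of {d.get('TargetUserName')} by {proc} "
                                     f"({SENSITIVE_PRIVILEGES[priv]})"})
    elif eid in (4704, 4705):
        verb = "assigned to" if eid == 4704 else "removed from"
        for priv in split_privileges(d.get("PrivilegeList")):
            if priv in SENSITIVE_PRIVILEGES:
                alerts.append({"severity": "high" if eid == 4704 else "info", "privilege": priv,
                               "reason": f"{priv} {verb} {d.get('TargetSid')} by {subject} "
                                         f"({SENSITIVE_PRIVILEGES[priv]})"})
    return alerts


def make_event(eid: int, **data) -> dict:
    """Constructed record in the catalog's JSON shape, holding only the fields the triage reads."""
    return {"system": {"event_id": eid}, "event_data": data}


SAMPLES = [
    # Reduced from the 4703 example above: SYSTEM's svchost enabling its usual privileges.
    make_event(4703, SubjectUserName="WINDEV2310EVAL$", SubjectDomainName="WORKGROUP",
               TargetUserSid="S-1-5-18", TargetUserName="WINDEV2310EVAL$",
               ProcessName=r"C:\Windows\System32\svchost.exe",
               EnabledPrivilegeList="SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeLoadDriverPrivilege",
               DisabledPrivilegeList="-"),
    # Constructed: a binary in a user's Temp folder enabling SeDebugPrivilege (the Elastic/Splunk pattern).
    make_event(4703, SubjectUserName="jdoe", SubjectDomainName="LUDUS",
               TargetUserSid="S-1-5-21-1111-2222-3333-1105", TargetUserName="jdoe",
               ProcessName=r"C:\Users\jdoe\AppData\Local\Temp\procdump64.exe",
               EnabledPrivilegeList="SeDebugPrivilege", DisabledPrivilegeList="-"),
    # Reduced from the 4704 example above: SeCreateSymbolicLinkPrivilege to the Virtual Machines group.
    make_event(4704, SubjectUserName="WINDEV2310EVAL$", SubjectDomainName="WORKGROUP",
               TargetSid="S-1-5-83-0", PrivilegeList="SeCreateSymbolicLinkPrivilege"),
    # Constructed: the Sigma/Elastic case of SeEnableDelegationPrivilege assigned to a user.
    make_event(4704, SubjectUserName="Administrator", SubjectDomainName="LUDUS",
               TargetSid="S-1-5-21-1111-2222-3333-1105", PrivilegeList="SeEnableDelegationPrivilege"),
    # Reduced from the 4705 example above: SeCreateTokenPrivilege removed from a domain user by admmig.
    make_event(4705, SubjectUserName="admmig", SubjectDomainName="OFFSEC",
               TargetSid="S-1-5-21-4230534742-2542757381-3142984815-1158", PrivilegeList="SeCreateTokenPrivilege"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for alert in triage_privilege_event(sample):
            print(sample["system"]["event_id"], alert["severity"], alert["reason"])
```

Removals (4705) are reported at info level only so that a bulk hardening run stays visible in the timeline without paging anyone; raise it if a removal hits an account you rely on for backups or delegation.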
Event ID 4706 — A new trust was created to a domain.
Description #
A new trust was created to a domain.
Message #
Fields #
| Name | Description |
|---|---|
| DomainName (UnicodeString) | [Trusted Domain] Domain Name; rendered label Domain_Name |
| DomainSid (SID) | [Trusted Domain] Domain ID; rendered label Domain_ID |
| SubjectUserSid (SID) | [Subject] Security ID; rendered label Security_ID |
| SubjectUserName (UnicodeString) | [Subject] Account Name; rendered label Account_Name |
| SubjectDomainName (UnicodeString) | [Subject] Account Domain; rendered label Account_Domain |
| SubjectLogonId (HexInt64) | [Subject] Logon ID; rendered label Logon_ID |
| TdoType (UInt32) | [Trust Information] Trust Type: 1 = downlevel (Windows NT 4.0), 2 = uplevel (Active Directory), 3 = MIT Kerberos realm, 4 = DCE; rendered label Trust_Type |
| TdoDirection (UInt32) | [Trust Information] Trust Direction: 0 = disabled, 1 = inbound, 2 = outbound, 3 = bidirectional; rendered label Trust_Direction |
| TdoAttributes (UInt32) | [Trust Information] Trust Attributes bitmask (0x1 non-transitive, 0x2 uplevel-only, 0x4 quarantined/SID-filtered external trust, 0x8 forest-transitive, 0x10 cross-organization, 0x20 within-forest, 0x40 treat-as-external); the example's 8 is a forest trust. Rendered label Trust_Attributes |
| SidFilteringEnabled (UnicodeString) | [Trust Information] SID Filtering, stored as a resource-string reference (%%1796 in the example) that the message table renders; rendered label SID_Filtering |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4706,
"version": 0,
"level": 0,
"task": 13569,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2024-06-22T14:02:41.639162Z",
"event_record_id": 3175612,
"correlation": {},
"execution": {
"process_id": 596,
"thread_id": 11064
},
"channel": "Security",
"computer": "CDCWTRDC01.mypartner.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"DomainName": "rootblue.lan",
"DomainSid": "S-1-5-21-392370121-190461309-2151315433",
"SubjectUserSid": "S-1-5-21-1407145384-2259788832-4099636412-500",
"SubjectUserName": "Administrator",
"SubjectDomainName": "MYPARTNER",
"SubjectLogonId": "0xffad8559",
"TdoType": 2,
"TdoDirection": 3,
"TdoAttributes": 8,
"SidFilteringEnabled": "%%1796"
}
}
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- A New Trust Was Created To A Domain source medium: Addition of domains is seldom and should be verified for legitimacy.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4706
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4707 — A trust to a domain was removed.
Description
A trust to a domain was removed.
Message #
Fields #
| Name | Description |
|---|---|
| DomainName (UnicodeString) | [Domain Information] Domain Name; rendered label Domain_Name |
| DomainSid (SID) | [Domain Information] Domain ID; rendered label Domain_ID |
| SubjectUserSid (SID) | [Subject] Security ID; rendered label Security_ID |
| SubjectUserName (UnicodeString) | [Subject] Account Name; rendered label Account_Name |
| SubjectDomainName (UnicodeString) | [Subject] Account Domain; rendered label Account_Domain |
| SubjectLogonId (HexInt64) | [Subject] Logon ID; rendered label Logon_ID |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4707
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4707
Event ID 4709 — The IPsec Policy Agent service was started.
Description
The IPsec Policy Agent service was started.
Message #
Fields #
| Name | Description |
|---|---|
| param1 (UnicodeString) | — |
| param2 (UnicodeString) | Policy Source |
| param3 (UnicodeString) | — |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4709
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4709
Event ID 4710 — The IPsec Policy Agent service was disabled.
Description
The IPsec Policy Agent service was disabled.
Message #
Fields #
| Name | Description |
|---|---|
| param1 (UnicodeString) | — |
| param2 (UnicodeString) | — |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4710
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4710
Event ID 4711 — IPsec Policy Agent status message (the rendered message text is the param1 string itself, which is why the title shows as "param1").
Message #
Fields #
| Name | Description |
|---|---|
| param1 (UnicodeString) | The complete message text |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4711
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4711
Event ID 4712 — IPsec Policy Agent encountered a potentially serious failure.
Description
IPsec Policy Agent encountered a potentially serious failure.
Message #
Fields #
| Name | Description |
|---|---|
| param1 (UnicodeString) | — |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4712
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4712
Event ID 4713 — Kerberos policy was changed.
Description #
Kerberos policy was changed.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid (SID) | [Subject] Security ID; rendered label Security_ID |
| SubjectUserName (UnicodeString) | [Subject] Account Name; rendered label Account_Name |
| SubjectDomainName (UnicodeString) | [Subject] Account Domain; rendered label Account_Domain |
| SubjectLogonId (HexInt64) | [Subject] Logon ID; rendered label Logon_ID |
| KerberosPolicyChange (UnicodeString) | [Changes Made] semicolon-separated list of changed settings, each as Name: new value (old value). Lifetimes are in 100-nanosecond units: KerMaxT 0x430e234000 (0x53d1ac1000) in the example is the maximum ticket lifetime lowered from 10 hours to 8 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4713,
"version": 0,
"level": 0,
"task": 13569,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:28:27.466929+00:00",
"event_record_id": 16696941,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 11540
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "LAB-DC01$",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0x3e7",
"KerberosPolicyChange": "KerMaxT: 0x430e234000 (0x53d1ac1000); KerLogoff: 0x7ffdce8d4d08 (0x1); "
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4713
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4713
Event ID 4714 — Data Recovery Agent group policy for Encrypting File System (EFS) has changed.
Description #
Data Recovery Agent group policy for Encrypting File System (EFS) has changed. The new changes have been applied.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid (SID) | [Subject] Security ID |
| SubjectUserName (UnicodeString) | [Subject] Account Name |
| SubjectDomainName (UnicodeString) | [Subject] Account Domain |
| SubjectLogonId (HexInt64) | [Subject] Logon ID |
| EfsPolicyChange (UnicodeString) | Details of the recovery-agent policy change (the example below carries no event data at all) |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"event_source_name": "",
"event_id": 4714,
"version": 0,
"level": 0,
"task": 13573,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:18:12.649403+00:00",
"event_record_id": 16250501,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 7468
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4714
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4714
Event ID 4715 — The audit policy (SACL) on an object was changed.
Description
The audit policy (SACL) on an object was changed.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid (SID) | [Subject] Security ID; rendered label Security_ID |
| SubjectUserName (UnicodeString) | [Subject] Account Name; rendered label Account_Name |
| SubjectDomainName (UnicodeString) | [Subject] Account Domain; rendered label Account_Domain |
| SubjectLogonId (HexInt64) | [Subject] Logon ID; rendered label Logon_ID |
| OldSd (UnicodeString) | [Audit Policy Change] Original Security Descriptor, in SDDL; rendered label Original_Security_Descriptor |
| NewSd (UnicodeString) | [Audit Policy Change] New Security Descriptor, in SDDL; rendered label New_Security_Descriptor |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4715
Event ID 4716 — Trusted domain information was modified.
Description
Trusted domain information was modified.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid (SID) | [Subject] Security ID; rendered label Security_ID |
| SubjectUserName (UnicodeString) | [Subject] Account Name; rendered label Account_Name |
| SubjectDomainName (UnicodeString) | [Subject] Account Domain; rendered label Account_Domain |
| SubjectLogonId (HexInt64) | [Subject] Logon ID; rendered label Logon_ID |
| DomainName (UnicodeString) | [Trusted Domain] Domain Name; rendered label Domain_Name |
| DomainSid (SID) | [Trusted Domain] Domain ID; rendered label Domain_ID |
| TdoType (UInt32) | [New Trust Information] Trust Type (1 downlevel, 2 uplevel, 3 MIT, 4 DCE); rendered label Trust_Type |
| TdoDirection (UInt32) | [New Trust Information] Trust Direction (0 disabled, 1 inbound, 2 outbound, 3 bidirectional); rendered label Trust_Direction |
| TdoAttributes (UInt32) | [New Trust Information] Trust Attributes bitmask, same flags as in 4706; rendered label Trust_Attributes |
| SidFilteringEnabled (UnicodeString) | [New Trust Information] SID Filtering, as a resource-string reference; rendered label SID_Filtering |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4716
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4716
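Added example (my own code, not part of this catalog) for the numeric trust fields that 4706 and 4716 share: it renders TdoType, TdoDirection and the TdoAttributes bitmask with the trustType, trustDirection and trustAttributes values defined for the trusted-domain object, and flags the combinations an intruder cares about, an outbound external trust without the quarantine bit and a forest trust with TREAT_AS_EXTERNAL. The severities, the interpretation of direction from the logging domain's side and the constructed 4716 records are my assumptions; the first record is reduced from the 4706 example above, and SidFilteringEnabled is passed through unrendered because its %% reference needs the provider's message table.

```python
TRUST_TYPE = {1: "DOWNLEVEL (Windows NT 4.0 domain)", 2: "UPLEVEL (Active Directory domain)",
              3: "MIT (Kerberos realm)", 4: "DCE"}
TRUST_DIRECTION = {0: "DISABLED", 1: "INBOUND", 2: "OUTBOUND", 3: "BIDIRECTIONAL"}
# trustAttributes bits of the trusted-domain object (MS-ADTS); the subset I am certain of.
TRUST_ATTRIBUTES = {
    0x1: "NON_TRANSITIVE",
    0x2: "UPLEVEL_ONLY",
    0x4: "QUARANTINED_DOMAIN",   # SID filtering quarantine on an external trust
    0x8: "FOREST_TRANSITIVE",
    0x10: "CROSS_ORGANIZATION",  # selective authentication
    0x20: "WITHIN_FOREST",
    0x40: "TREAT_AS_EXTERNAL",   # forest trust filtered only as strictly as an external one
    0x80: "USES_RC4_ENCRYPTION",
    0x400: "PIM_TRUST",
}


def decode_trust_event(event: dict) -> dict:
    """Render the numeric trust fields of a 4706/4716 record and flag risky combinations."""
    d = event["event_data"]
    ttype, tdir, attrs = int(d["TdoType"]), int(d["TdoDirection"]), int(d["TdoAttributes"])
    names = [name for bit, name in TRUST_ATTRIBUTES.items() if attrs & bit]
    leftover = attrs & ~sum(TRUST_ATTRIBUTES)
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")

    findings = []
    # Direction is stated from the logging domain's side (MS-ADTS trustDirection): OUTBOUND means this
    # domain trusts DomainName, so DomainName's principals, and their SID history, are honoured here.
    if tdir & 0x2:
        if attrs & 0x8:
            findings.append(("medium", f"forest trust: every domain in the {d['DomainName']} forest can "
                                       f"authenticate here; verify SID filtering "
                                       f"(raw SidFilteringEnabled={d.get('SidFilteringEnabled')})"))
        elif not attrs & (0x4 | 0x20):
            findings.append(("high", f"external trust to {d['DomainName']} without QUARANTINED_DOMAIN: "
                                     "SID history from that domain is not filtered"))
        if attrs & 0x40:
            findings.append(("high", "TREAT_AS_EXTERNAL relaxes forest-trust SID filtering to external-trust rules"))
    return {
        "domain": d["DomainName"],
        "domain_sid": d["DomainSid"],
        "by": f"{d.get('SubjectDomainName', '')}\\{d.get('SubjectUserName', '')}",
        "trust_type": TRUST_TYPE.get(ttype, f"UNKNOWN({ttype})"),
        "direction": TRUST_DIRECTION.get(tdir, f"UNKNOWN({tdir})"),
        "attributes": names,
        "findings": findings,
    }


# Reduced from the 4706 example above: a bidirectional forest trust to rootblue.lan.
EXAMPLE_4706 = {"system": {"event_id": 4706}, "event_data": {
    "DomainName": "rootblue.lan", "DomainSid": "S-1-5-21-392370121-190461309-2151315433",
    "SubjectUserName": "Administrator", "SubjectDomainName": "MYPARTNER",
    "TdoType": 2, "TdoDirection": 3, "TdoAttributes": 8, "SidFilteringEnabled": "%%1796"}}
# Constructed 4716: an external trust modified to outbound with every attribute bit cleared.
CONSTRUCTED_4716 = {"system": {"event_id": 4716}, "event_data": {
    "DomainName": "legacy.lan", "DomainSid": "S-1-5-21-4444-5555-6666",
    "SubjectUserName": "svc_migrate", "SubjectDomainName": "MYPARTNER",
    "TdoType": 2, "TdoDirection": 2, "TdoAttributes": 0, "SidFilteringEnabled": "%%1796"}}

if __name__ == "__main__":
    for ev in (EXAMPLE_4706, CONSTRUCTED_4716):
        r = decode_trust_event(ev)
        print(ev["system"]["event_id"], r["domain"], r["trust_type"], r["direction"], r["attributes"])
        for severity, text in r["findings"]:
            print("  ", severity, text)
```

The bitmask decoding is the part worth keeping: a 4716 that clears 0x4 on an external trust, or sets 0x40 on a forest trust, is how SID filtering gets switched off, and neither change is obvious from the raw integer.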
Event ID 4717 — System security access was granted to an account.
Description #
System security access was granted to an account.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid (SID) | [Subject] Security ID |
| SubjectUserName (UnicodeString) | [Subject] Account Name |
| SubjectDomainName (UnicodeString) | [Subject] Account Domain |
| SubjectLogonId (HexInt64) | [Subject] Logon ID |
| TargetSid (SID) | [Account Modified] Account Name: labelled Account Name in the message, but carries the SID of the account that received the logon right (S-1-5-83-0 in the example is NT VIRTUAL MACHINE\Virtual Machines) |
| AccessGranted (UnicodeString) | [Access Granted] Access Right: a logon right such as SeServiceLogonRight, SeInteractiveLogonRight or SeNetworkLogonRight (privileges are reported by 4704 instead) |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4717,
"version": 0,
"level": 0,
"task": 13569,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-05T23:16:25.814727+00:00",
"event_record_id": 71900,
"correlation": {
"ActivityID": "E4DB489E-1037-0001-0C49-DBE43710DA01"
},
"execution": {
"process_id": 808,
"thread_id": 844
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"TargetSid": "S-1-5-83-0",
"AccessGranted": "SeServiceLogonRight"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4717
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4717
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4718 — System security access was removed from an account.
Description #
System security access was removed from an account.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid (SID) | [Subject] Security ID |
| SubjectUserName (UnicodeString) | [Subject] Account Name |
| SubjectDomainName (UnicodeString) | [Subject] Account Domain |
| SubjectLogonId (HexInt64) | [Subject] Logon ID |
| TargetSid (SID) | [Account Modified] Account Name: labelled Account Name in the message, but carries the SID of the account that lost the logon right (S-1-5-90-0 in the example is Window Manager\Window Manager Group) |
| AccessRemoved (UnicodeString) | [Access Removed] Access Right: a logon right such as SeInteractiveLogonRight or SeServiceLogonRight (privileges are reported by 4705 instead) |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4718,
"version": 0,
"level": 0,
"task": 13569,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-07T16:44:47.045997+00:00",
"event_record_id": 89,
"correlation": {
"ActivityID": "C1DC836A-4A9E-0000-8485-DCC19E4AD801"
},
"execution": {
"process_id": 648,
"thread_id": 700
},
"channel": "Security",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "MINWINPC$",
"SubjectDomainName": "",
"SubjectLogonId": "0x3e7",
"TargetSid": "S-1-5-90-0",
"AccessRemoved": "SeInteractiveLogonRight"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4718
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4718
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4719 — System audit policy was changed.
Description #
System audit policy was changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| CategoryId | UnicodeString | [Audit Policy Change] Category. Known values. |
| SubcategoryId | UnicodeString | [Audit Policy Change] Subcategory. Known values. |
| SubcategoryGuid | GUID | [Audit Policy Change] Subcategory GUID. Known values. |
| AuditPolicyChanges | UnicodeString | [Audit Policy Change] Changes. Known values. |
| ClientProcessId | UInt32 | — |
| ClientProcessStartKey | UInt64 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4719,
"version": 1,
"level": 0,
"task": 13568,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-05T23:49:58.098445+00:00",
"event_record_id": 112372,
"correlation": {
"ActivityID": "E4DB489E-1037-0001-0C49-DBE43710DA01"
},
"execution": {
"process_id": 808,
"thread_id": 8228
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"CategoryId": "%%8279",
"SubcategoryId": "%%14080",
"SubcategoryGuid": "0CCE923B-69AE-11D9-BED3-505054503030",
"AuditPolicyChanges": "%%8449, %%8451",
"ClientProcessId": 8540,
"ClientProcessStartKey": 3659174697239635
},
"message": ""
}
Community Notes #
System audit policy changed. Attackers often disable auditing to reduce detection.
Detection Rules #
Sigma #
- Windows Event Auditing Disabled (low): Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one-off specific GPO modifications; however, it is recommended to perform these modifications in Active Directory anyway.
- Important Windows Event Auditing Disabled (high): Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
Elastic #
- Sensitive Audit Policy Sub-Category Disabled (medium): Identifies attempts to disable auditing for some security sensitive audit policy sub-categories. This is often done by attackers in an attempt to evade detection and forensics on a system.
Splunk #
- Windows AD Domain Controller Audit Policy Disabled: The following analytic detects the disabling of audit policies on a domain controller. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is significant as it suggests an attacker may have gained access to the domain controller and is attempting to evade detection by tampering with audit policies. If confirmed malicious, this could lead to severe consequences, including data theft, privilege escalation, and full network compromise. Immediate investigation is required to determine the source and intent of the change.
- Windows Important Audit Policy Disabled: The following analytic detects the disabling of important audit policies. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is significant as it suggests an attacker may have gained access to the domain controller and is attempting to evade detection by tampering with audit policies. If confirmed malicious, this could lead to severe consequences, including data theft, privilege escalation, and full network compromise. Immediate investigation is required to determine the source and intent of the change.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4719
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4720 — A user account was created.
Description #
A user account was created.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | [New Account] Account Name. |
| TargetDomainName | UnicodeString | [New Account] Account Domain. |
| TargetSid | SID | [New Account] Security ID. |
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| PrivilegeList | UnicodeString | [Additional Information] Privileges. Privilege constants reference. |
| SamAccountName | UnicodeString | [Attributes] SAM Account Name. |
| DisplayName | UnicodeString | [Attributes] Display Name. |
| UserPrincipalName | UnicodeString | [Attributes] User Principal Name. |
| HomeDirectory | UnicodeString | [Attributes] Home Directory. |
| HomePath | UnicodeString | [Attributes] Home Drive. |
| ScriptPath | UnicodeString | [Attributes] Script Path. |
| ProfilePath | UnicodeString | [Attributes] Profile Path. |
| UserWorkstations | UnicodeString | [Attributes] User Workstations. |
| PasswordLastSet | UnicodeString | [Attributes] Password Last Set. |
| AccountExpires | UnicodeString | [Attributes] Account Expires. |
| PrimaryGroupId | UnicodeString | [Attributes] Primary Group ID. |
| AllowedToDelegateTo | UnicodeString | [Attributes] Allowed To Delegate To. |
| OldUacValue | UnicodeString | [Attributes] Old UAC Value. UAC flags reference. |
| NewUacValue | UnicodeString | [Attributes] New UAC Value. UAC flags reference. |
| UserAccountControl | UnicodeString | [Attributes] User Account Control. |
| UserParameters | UnicodeString | [Attributes] User Parameters. |
| SidHistory | UnicodeString | [Attributes] SID History. |
| LogonHours | UnicodeString | [Attributes] Logon Hours. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4720,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:34.963101+00:00",
"event_record_id": 2779,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 896
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "User",
"TargetDomainName": "WINDEV2310EVAL",
"TargetSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-",
"SamAccountName": "User",
"DisplayName": "%%1793",
"UserPrincipalName": "-",
"HomeDirectory": "%%1793",
"HomePath": "%%1793",
"ScriptPath": "%%1793",
"ProfilePath": "%%1793",
"UserWorkstations": "%%1793",
"PasswordLastSet": "%%1794",
"AccountExpires": "%%1794",
"PrimaryGroupId": "513",
"AllowedToDelegateTo": "-",
"OldUacValue": "0x0",
"NewUacValue": "0x15",
"UserAccountControl": "\r\n\t\t%%2080\r\n\t\t%%2082\r\n\t\t%%2084",
"UserParameters": "%%1793",
"SidHistory": "-",
"LogonHours": "%%1797"
},
"message": ""
}
Detection Patterns #
- User Account (6 rules)
- Persistence: Local Account (1 rule)
- Defense Evasion: Masquerading
Detection Rules #
Sigma #
- Hidden Local User Creation (high): Detects the creation of a local hidden user account, which should not happen for event ID 4720.
- Suspicious Windows ANONYMOUS LOGON Local Account Created (high): Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
- Local User Creation (low): Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
Splunk #
- Windows Create Local Account: The following analytic detects the creation of a new local user account on a Windows system. It leverages Windows Security Audit logs, specifically event ID 4720, to identify this activity. Monitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network. If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data.
Kusto Query Language #
- Fake computer account created (medium): This query detects domain user account creation (event ID 4720) where the username ends with $. Accounts that end with $ are normally domain computer accounts, and when they are created the event ID 4741 is generated instead.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/evtx-4720-account-created.md
Event ID 4722 — A user account was enabled.
Description #
A user account was enabled.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | [Target Account] Account Name. |
| TargetDomainName | UnicodeString | [Target Account] Account Domain. |
| TargetSid | SID | [Target Account] Security ID. |
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4722,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:34.966226+00:00",
"event_record_id": 2780,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 896
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "User",
"TargetDomainName": "WINDEV2310EVAL",
"TargetSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7"
},
"message": ""
}
Detection Patterns #
- User Account (6 rules)
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4722
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4723 — An attempt was made to change an account's password.
Description #
An attempt was made to change an account's password.
Message #
Fields #
| Name | Description |
|---|---|
| Account_Name | [Target Account] Account Name. |
| Account_Domain | [Target Account] Account Domain. |
| Security_ID | [Target Account] Security ID. |
| Security_ID | [Subject] Security ID. |
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4723,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2021-12-04T22:47:47.872773Z",
"event_record_id": 233289145,
"correlation": {
"#attributes": {
"ActivityID": "D96638DA-E4F9-0001-F038-66D9F9E4D701"
}
},
"execution": {
"process_id": 596,
"thread_id": 3492
},
"channel": "Security",
"computer": "rootdc1.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "hacker2",
"TargetDomainName": "OFFSEC",
"TargetSid": "S-1-5-21-4230534742-2542757381-3142984815-1242",
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"SubjectUserName": "admmig",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x10e7c4430",
"PrivilegeList": "-"
}
}
Detection Patterns #
- User Account (6 rules)
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4723
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4723
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4724 — An attempt was made to reset an account's password.
Description #
An attempt was made to reset an account's password.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | [Target Account] Account Name. |
| TargetDomainName | UnicodeString | [Target Account] Account Domain. |
| TargetSid | SID | [Target Account] Security ID. |
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4724,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:35.054380+00:00",
"event_record_id": 2787,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 896
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "User",
"TargetDomainName": "WINDEV2310EVAL",
"TargetSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7"
},
"message": ""
}
Detection Patterns #
- User Account (6 rules)
Detection Rules #
Splunk #
- Windows Multiple Account Passwords Changed: The following analytic detects instances where more than five unique Windows account passwords are changed within a 10-minute interval. It leverages Event Code 4724 from the Windows Security Event Log, using the wineventlog_security dataset to monitor and count distinct TargetUserName values. This behavior is significant as rapid password changes across multiple accounts are unusual and may indicate unauthorized access or internal compromise. If confirmed malicious, this activity could lead to widespread account compromise, unauthorized access to sensitive information, and potential disruption of services.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4724
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4725 — A user account was disabled.
Description #
A user account was disabled.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | [Target Account] Account Name. |
| TargetDomainName | UnicodeString | [Target Account] Account Domain. |
| TargetSid | SID | [Target Account] Security ID. |
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4725,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-10-25T22:53:19.612560+00:00",
"event_record_id": 2634,
"correlation": {
"ActivityID": "D5BBEBF4-0795-0001-A8EC-BBD59507DA01"
},
"execution": {
"process_id": 824,
"thread_id": 880
},
"channel": "Security",
"computer": "WinDevEval",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "Administrator",
"TargetDomainName": "WINDEVEVAL",
"TargetSid": "S-1-5-21-2533829718-189860685-2477588761-500",
"SubjectUserSid": "S-1-5-21-2533829718-189860685-2477588761-500",
"SubjectUserName": "Administrator",
"SubjectDomainName": "WINDEVEVAL",
"SubjectLogonId": "0x42eea"
},
"message": ""
}
Detection Patterns #
- User Account (6 rules)
Detection Rules #
Splunk #
- Windows Multiple Accounts Disabled: The following analytic identifies instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. It leverages the wineventlog_security dataset, grouping data into 10-minute segments and tracking the count and distinct count of TargetUserName. This behavior is significant as it may indicate internal policy breaches or an external attacker's attempt to disrupt operations. If confirmed malicious, this activity could lead to widespread account lockouts, hindering user access and potentially disrupting business operations.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4725
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4725
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4726 — A user account was deleted.
Description #
A user account was deleted.
Message #
Fields #
| Name | Description |
|---|---|
| Account_Name | [Target Account] Account Name. |
| Account_Domain | [Target Account] Account Domain. |
| Security_ID | [Target Account] Security ID. |
| Security_ID | [Subject] Security ID. |
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4726,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-01-24T17:03:25.009874Z",
"event_record_id": 1934526,
"correlation": {},
"execution": {
"process_id": 480,
"thread_id": 1496
},
"channel": "Security",
"computer": "fs03vuln.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "3teamssixf$",
"TargetDomainName": "FS03VULN",
"TargetSid": "S-1-5-21-2721507831-1374043488-2540227515-1008",
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"SubjectUserName": "admmig",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x14f509e2",
"PrivilegeList": "-"
}
}
Detection Patterns #
- User Account (6 rules)
Detection Rules #
Splunk #
- Windows Multiple Accounts Deleted: The following analytic detects the deletion of more than five unique Windows accounts within a 10-minute period, using Event Code 4726 from the Windows Security Event Log. It leverages the `wineventlog_security` dataset, segmenting data into 10-minute intervals to identify suspicious account deletions. This activity is significant as it may indicate an attacker attempting to erase traces of their actions. If confirmed malicious, this could lead to unauthorized access removal, hindering incident response and forensic investigations.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4726
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4727 — A security-enabled global group was created.
Description #
A security-enabled global group was created.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | [New Group] Group Name. |
| TargetDomainName | UnicodeString | [New Group] Group Domain. |
| TargetSid | SID | [New Group] Security ID. |
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| PrivilegeList | UnicodeString | [Additional Information] Privileges. Privilege constants reference. |
| SamAccountName | UnicodeString | [Attributes] SAM Account Name. |
| SidHistory | UnicodeString | [Attributes] SID History. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4727,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-07T16:44:41.241410+00:00",
"event_record_id": 51,
"correlation": {
"ActivityID": "C1DC836A-4A9E-0000-8485-DCC19E4AD801"
},
"execution": {
"process_id": 648,
"thread_id": 652
},
"channel": "Security",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "Storage Replica Administrators",
"TargetDomainName": "Builtin",
"TargetSid": "S-1-5-32-582",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "MINWINPC$",
"SubjectDomainName": "",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-",
"SamAccountName": "Storage Replica Administrators",
"SidHistory": "-"
},
"message": ""
}
Detection Patterns #
- Persistence: Domain Account (1 rule)
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4727
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4727
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4728 — A member was added to a security-enabled global group.
Description #
A member was added to a security-enabled global group.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| MemberName | UnicodeString | [Member] Account Name. |
| MemberSid | SID | [Member] Security ID. |
| TargetUserName | UnicodeString | [Group] Group Name. |
| TargetDomainName | UnicodeString | [Group] Group Domain. |
| TargetSid | SID | [Group] Security ID. |
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| PrivilegeList | UnicodeString | [Additional Information] Privileges. Privilege constants reference. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4728,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:34.961043+00:00",
"event_record_id": 2778,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 896
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"MemberName": "-",
"MemberSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"TargetUserName": "None",
"TargetDomainName": "WINDEV2310EVAL",
"TargetSid": "S-1-5-21-1992711665-1655669231-58201500-513",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-"
},
"message": ""
}
Detection Patterns #
- User Account (6 rules)
- Persistence: Account Manipulation
Community Notes #
Member added to security-enabled global group. May indicate domain-level privilege escalation, i.e. membership in Domain Admins.
Detection Rules #
Elastic #
- Active Directory Group Modification by SYSTEM (medium): Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.
Splunk #
- Windows AD add Self to Group: This analytic detects instances where a user adds themselves to an Active Directory (AD) group. This activity is a common indicator of privilege escalation, where a user attempts to gain unauthorized access to higher privileges or sensitive resources. By monitoring AD logs, this detection identifies such suspicious behavior, which could be part of a larger attack strategy aimed at compromising critical systems and data.
- Windows AD Privileged Group Modification: This detection identifies when users are added to privileged Active Directory groups by leveraging the Windows Security Event Code 4728 along with a lookup of privileged AD groups provided by Splunk Enterprise Security. Attackers often add user accounts to privileged AD groups to escalate privileges or maintain persistence within an Active Directory environment. Monitoring for modifications to privileged groups can help identify potential security breaches and unauthorized access attempts.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4728
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4729 — A member was removed from a security-enabled global group.
Description #
A member was removed from a security-enabled global group.
Message #
Fields #
| Name | Description |
|---|---|
| Account_Name | [Member] Account Name. |
| Security_ID | [Member] Security ID. |
| Group_Name | [Group] Group Name. |
| Group_Domain | [Group] Group Domain. |
| Security_ID | [Group] Security ID. |
| Security_ID | [Subject] Security ID. |
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
| Privileges | [Additional Information] Privileges. Privilege constants reference. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4729,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-01-24T17:03:25.009874Z",
"event_record_id": 1934525,
"correlation": {},
"execution": {
"process_id": 480,
"thread_id": 1496
},
"channel": "Security",
"computer": "fs03vuln.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"MemberName": "-",
"MemberSid": "S-1-5-21-2721507831-1374043488-2540227515-1008",
"TargetUserName": "None",
"TargetDomainName": "FS03VULN",
"TargetSid": "S-1-5-21-2721507831-1374043488-2540227515-513",
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"SubjectUserName": "admmig",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x14f509e2",
"PrivilegeList": "-"
}
}
Detection Patterns #
- Persistence: Account Manipulation
Community Notes #
A member was removed from a security-enabled global group; this may be an effort to slow IR or to clean up after escalation. A security-enabled local group change indicates changes to local Administrators or Remote Desktop Users.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4729
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4729
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4730 — A security-enabled global group was deleted.
Description #
A security-enabled global group was deleted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | [Deleted Group] Group Name. |
| TargetDomainName | UnicodeString | [Deleted Group] Group Domain. |
| TargetSid | SID | [Deleted Group] Security ID. |
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| PrivilegeList | UnicodeString | [Additional Information] Privileges. Privilege constants reference. |
| Group_Name | UnicodeString | [Deleted Group] Group Name. |
| Group_Domain | UnicodeString | [Deleted Group] Group Domain. |
| Security_ID | SID | [Deleted Group] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Privileges | UnicodeString | [Additional Information] Privileges. Privilege constants reference. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4730,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:16:14.140561+00:00",
"event_record_id": 16240240,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 6288
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "evtgen_global",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1118",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"PrivilegeList": "-"
},
"message": ""
}
Detection Patterns #
Persistence: Domain Account
1 rule
Persistence: Account Manipulation
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4730
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4730
Event ID 4731 — A security-enabled local group was created.
#Description
A security-enabled local group was created.
Message #
Fields #
| Name | Description |
|---|---|
| TargetUserName UnicodeString | [New Group] Group Name. |
| TargetDomainName UnicodeString | [New Group] Group Domain. |
| TargetSid SID | [New Group] Security ID. |
| SubjectUserSid SID | [Subject] Security ID. |
| SubjectUserName UnicodeString | [Subject] Account Name. |
| SubjectDomainName UnicodeString | [Subject] Account Domain. |
| SubjectLogonId HexInt64 | [Subject] Logon ID. |
| PrivilegeList UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| SamAccountName UnicodeString | [Attributes] SAM Account Name. |
| SidHistory UnicodeString | [Attributes] SID History. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4731,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-07T16:44:41.241162+00:00",
"event_record_id": 49,
"correlation": {
"ActivityID": "C1DC836A-4A9E-0000-8485-DCC19E4AD801"
},
"execution": {
"process_id": 648,
"thread_id": 652
},
"channel": "Security",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "Remote Management Users",
"TargetDomainName": "Builtin",
"TargetSid": "S-1-5-32-580",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "MINWINPC$",
"SubjectDomainName": "",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-",
"SamAccountName": "Remote Management Users",
"SidHistory": "-"
},
"message": ""
}
Detection Patterns #
Persistence: Domain Account
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4731
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4731
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4732 — A member was added to a security-enabled local group.
#Description
A member was added to a security-enabled local group.
Message #
Fields #
| Name | Description |
|---|---|
| MemberName UnicodeString | [Member] Account Name. |
| MemberSid SID | [Member] Security ID. |
| TargetUserName UnicodeString | [Group] Group Name. |
| TargetDomainName UnicodeString | [Group] Group Domain. |
| TargetSid SID | [Group] Security ID. |
| SubjectUserSid SID | [Subject] Security ID. |
| SubjectUserName UnicodeString | [Subject] Account Name. |
| SubjectDomainName UnicodeString | [Subject] Account Domain. |
| SubjectLogonId HexInt64 | [Subject] Logon ID. |
| PrivilegeList UnicodeString | [Additional Information] Privileges. Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4732,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:35.063652+00:00",
"event_record_id": 2788,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 896
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"MemberName": "-",
"MemberSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"TargetUserName": "Administrators",
"TargetDomainName": "Builtin",
"TargetSid": "S-1-5-32-544",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-"
},
"message": ""
}
Detection Patterns #
User Account
6 rules
3 rules
Kusto Query Language
2 rules
Kusto Query Language
Persistence: Account Manipulation
1 rule
Kusto Query Language
Persistence: Local Account
1 rule
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- User Added to Local Administrator Group source medium: Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity
Splunk # view in reference
- Windows DnsAdmins New Member Added source: The following analytic detects the addition of a new member to the DnsAdmins group in Active Directory by leveraging Event ID 4732. This detection uses security event logs to identify changes to this high-privilege group. Monitoring this activity is crucial because members of the DnsAdmins group can manage the DNS service, often running on Domain Controllers, and potentially execute malicious code with SYSTEM privileges. If confirmed malicious, this activity could allow an attacker to escalate privileges and gain control over critical domain services, posing a significant security risk.
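The Sigma and Splunk rules above both reduce to the same check: a membership change on a group that confers privilege. The following is an added example (not code from this page or from those rule sources) that runs that check over records in the JSON shape shown in the Example Event sections. It generalizes from 4732 to the global and universal variants (4728/4729, 4756/4757), matches groups by well-known SID rather than by name where a SID exists, falls back to the raw MemberSid when MemberName is "-" (as in the sample above), and downgrades rather than suppresses changes made by SYSTEM. The sample records, DnsAdmins SID and account names are constructed.

```python
"""Privileged-group membership changes from 4728/4729/4732/4733/4756/4757 events.

Added example, not code from this page or from the Sigma/Splunk rules it lists.
Input is the JSON shape used by the Example Event sections on this page.
"""
from dataclasses import dataclass

# Add/remove events for global (4728/4729), local (4732/4733) and universal
# (4756/4757) security-enabled groups share the same EventData field names.
ADD_EVENTS = {4728, 4732, 4756}
REMOVE_EVENTS = {4729, 4733, 4757}

# Match on TargetSid rather than TargetUserName: names are localized and renamable.
BUILTIN_PRIVILEGED = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-555": "Remote Desktop Users",
    "S-1-5-32-580": "Remote Management Users",
}
# Domain groups are identified by the RID that ends a domain SID (S-1-5-21-...-RID).
DOMAIN_PRIVILEGED_RIDS = {"512": "Domain Admins", "518": "Schema Admins", "519": "Enterprise Admins"}
# DnsAdmins has no well-known RID, so it is matched by name, as the Splunk rule does.
PRIVILEGED_NAMES = {"dnsadmins"}


def privileged_group(sid: str, name: str):
    """Return a canonical label when the group is privileged, otherwise None."""
    if sid in BUILTIN_PRIVILEGED:
        return BUILTIN_PRIVILEGED[sid]
    rid = sid.rsplit("-", 1)[-1]
    if sid.startswith("S-1-5-21-") and rid in DOMAIN_PRIVILEGED_RIDS:
        return DOMAIN_PRIVILEGED_RIDS[rid]
    if name.lower() in PRIVILEGED_NAMES:
        return name
    return None


@dataclass
class Finding:
    record_id: int
    action: str    # "added" or "removed"
    group: str
    member: str    # MemberName, or the raw MemberSid when the name is "-"
    subject: str   # DOMAIN\account that made the change
    severity: str


def analyze(events):
    findings = []
    for ev in events:
        eid = ev["system"]["event_id"]
        if eid in ADD_EVENTS:
            action = "added"
        elif eid in REMOVE_EVENTS:
            action = "removed"
        else:
            continue
        d = ev["event_data"]
        group = privileged_group(d.get("TargetSid", ""), d.get("TargetUserName", ""))
        if group is None:
            continue
        # MemberName is "-" when the SID was not resolvable at audit time (the 4732
        # sample on this page is one such case), so fall back to the SID itself.
        member = d.get("MemberName", "-")
        if member == "-":
            member = d.get("MemberSid", "?")
        subject = f"{d.get('SubjectDomainName', '')}\\{d.get('SubjectUserName', '')}"
        # Logon ID 0x3e7 is SYSTEM. It seeds BUILTIN groups during OS setup, but an
        # attacker running as SYSTEM (PsExec, a service) looks the same, so the
        # finding is downgraded rather than suppressed.
        if action == "added":
            severity = "medium" if d.get("SubjectLogonId") == "0x3e7" else "high"
        else:
            severity = "medium"  # removals may be clean-up after escalation (see 4729)
        findings.append(Finding(ev["system"]["event_record_id"], action, group,
                                member, subject, severity))
    return findings


def _ev(eid, rid, **data):
    """Build a minimal event in this page's JSON shape (constructed test input)."""
    return {"system": {"event_id": eid, "event_record_id": rid}, "event_data": data}


# Constructed sample set; the first record mirrors the 4732 Example Event above.
SAMPLE_EVENTS = [
    _ev(4732, 2788, MemberName="-", MemberSid="S-1-5-21-1992711665-1655669231-58201500-1000",
        TargetUserName="Administrators", TargetDomainName="Builtin", TargetSid="S-1-5-32-544",
        SubjectUserName="WINDEV2310EVAL$", SubjectDomainName="WORKGROUP", SubjectLogonId="0x3e7"),
    _ev(4728, 9001, MemberName="CN=svc-backup,CN=Users,DC=ludus,DC=domain",
        MemberSid="S-1-5-21-1006758700-2167138679-1475694448-1301",
        TargetUserName="Domain Admins", TargetDomainName="ludus",
        TargetSid="S-1-5-21-1006758700-2167138679-1475694448-512",
        SubjectUserName="domainadmin", SubjectDomainName="ludus", SubjectLogonId="0xa981e"),
    _ev(4732, 9002, MemberName="-", MemberSid="S-1-5-21-1006758700-2167138679-1475694448-1302",
        TargetUserName="DnsAdmins", TargetDomainName="ludus",
        TargetSid="S-1-5-21-1006758700-2167138679-1475694448-1102",
        SubjectUserName="domainadmin", SubjectDomainName="ludus", SubjectLogonId="0xa981e"),
    _ev(4733, 9003, MemberName="-", MemberSid="S-1-5-21-3463664321-2923530833-3546627382-1000",
        TargetUserName="Users", TargetDomainName="Builtin", TargetSid="S-1-5-32-545",
        SubjectUserName="WIN-QALA5Q3KJ43$", SubjectDomainName="WORKGROUP", SubjectLogonId="0x3e7"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

Run as a script it prints three findings: the SYSTEM-made addition to Administrators at medium, the Domain Admins addition at high, and the DnsAdmins addition at high; the removal from Users produces nothing because Users is not privileged. In production the allowlist of builtin SIDs should be extended to whatever your environment treats as tier-0 (for example, the group that holds LAPS readers).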
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4733 — A member was removed from a security-enabled local group.
#Description
A member was removed from a security-enabled local group.
Message #
Fields #
| Name | Description |
|---|---|
| Account_Name | [Member] Account Name. |
| Security_ID | [Member] Security ID. |
| Group_Name | [Group] Group Name. |
| Group_Domain | [Group] Group Domain. |
| Security_ID | [Group] Security ID. |
| Security_ID | [Subject] Security ID. |
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
| Privileges | [Additional Information] Privileges. Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4733,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2013-10-23T16:22:40.036000Z",
"event_record_id": 117,
"correlation": {},
"execution": {
"process_id": 508,
"thread_id": 1032
},
"channel": "Security",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {
"MemberName": "-",
"MemberSid": "S-1-5-21-3463664321-2923530833-3546627382-1000",
"TargetUserName": "Users",
"TargetDomainName": "Builtin",
"TargetSid": "S-1-5-32-545",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WIN-QALA5Q3KJ43$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-"
}
}
Detection Patterns #
User Account
6 rules
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4733
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4733
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4734 — A security-enabled local group was deleted.
#Description
A security-enabled local group was deleted.
Message #
Fields #
| Name | Description |
|---|---|
| TargetUserName UnicodeString | [Group] Group Name |
| TargetDomainName UnicodeString | [Group] Group Domain |
| TargetSid SID | [Group] Security ID |
| SubjectUserSid SID | [Subject] Security ID |
| SubjectUserName UnicodeString | [Subject] Account Name |
| SubjectDomainName UnicodeString | [Subject] Account Domain |
| SubjectLogonId HexInt64 | [Subject] Logon ID |
| PrivilegeList UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| Group_Name UnicodeString | [Group] Group Name. |
| Group_Domain UnicodeString | [Group] Group Domain. |
| Security_ID SID | [Group] Security ID. |
| Account_Name UnicodeString | [Subject] Account Name. |
| Account_Domain UnicodeString | [Subject] Account Domain. |
| Logon_ID HexInt64 | [Subject] Logon ID. |
| Privileges UnicodeString | [Additional Information] Privileges. Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4734,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:16:14.168517+00:00",
"event_record_id": 16240246,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 1756
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "evtgen_domlocal",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1119",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"PrivilegeList": "-"
},
"message": ""
}
Detection Patterns #
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4734
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4734
Event ID 4735 — A security-enabled local group was changed.
#Description
A security-enabled local group was changed.
Message #
Fields #
| Name | Description |
|---|---|
| TargetUserName UnicodeString | [Group] Group Name. |
| TargetDomainName UnicodeString | [Group] Group Domain. |
| TargetSid SID | [Group] Security ID. |
| SubjectUserSid SID | [Subject] Security ID. |
| SubjectUserName UnicodeString | [Subject] Account Name. |
| SubjectDomainName UnicodeString | [Subject] Account Domain. |
| SubjectLogonId HexInt64 | [Subject] Logon ID. |
| PrivilegeList UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| SamAccountName UnicodeString | [Changed Attributes] SAM Account Name. |
| SidHistory UnicodeString | [Changed Attributes] SID History. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4735,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:37.334332+00:00",
"event_record_id": 2847,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 856
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "Device Owners",
"TargetDomainName": "Builtin",
"TargetSid": "S-1-5-32-583",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-",
"SamAccountName": "Device Owners",
"SidHistory": "-"
},
"message": ""
}
Detection Patterns #
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4735
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4735
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4737 — A security-enabled global group was changed.
#Description
A security-enabled global group was changed.
Message #
Fields #
| Name | Description |
|---|---|
| TargetUserName UnicodeString | [Group] Group Name. |
| TargetDomainName UnicodeString | [Group] Group Domain. |
| TargetSid SID | [Group] Security ID. |
| SubjectUserSid SID | [Subject] Security ID. |
| SubjectUserName UnicodeString | [Subject] Account Name. |
| SubjectDomainName UnicodeString | [Subject] Account Domain. |
| SubjectLogonId HexInt64 | [Subject] Logon ID. |
| PrivilegeList UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| SamAccountName UnicodeString | [Changed Attributes] SAM Account Name. |
| SidHistory UnicodeString | [Changed Attributes] SID History. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4737,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:37.340456+00:00",
"event_record_id": 2858,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 856
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "None",
"TargetDomainName": "WINDEV2310EVAL",
"TargetSid": "S-1-5-21-1992711665-1655669231-58201500-513",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-",
"SamAccountName": "None",
"SidHistory": "-"
},
"message": ""
}
Detection Patterns #
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4737
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4737
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4738 — A user account was changed.
#Description
A user account was changed.
Message #
Fields #
| Name | Description |
|---|---|
| Dummy UnicodeString | — |
| TargetUserName UnicodeString | [Target Account] Account Name. |
| TargetDomainName UnicodeString | [Target Account] Account Domain. |
| TargetSid SID | [Target Account] Security ID. |
| SubjectUserSid SID | [Subject] Security ID. |
| SubjectUserName UnicodeString | [Subject] Account Name. |
| SubjectDomainName UnicodeString | [Subject] Account Domain. |
| SubjectLogonId HexInt64 | [Subject] Logon ID. |
| PrivilegeList UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| SamAccountName UnicodeString | [Changed Attributes] SAM Account Name. |
| DisplayName UnicodeString | [Changed Attributes] Display Name. |
| UserPrincipalName UnicodeString | [Changed Attributes] User Principal Name. |
| HomeDirectory UnicodeString | [Changed Attributes] Home Directory. |
| HomePath UnicodeString | [Changed Attributes] Home Drive. |
| ScriptPath UnicodeString | [Changed Attributes] Script Path. |
| ProfilePath UnicodeString | [Changed Attributes] Profile Path. |
| UserWorkstations UnicodeString | [Changed Attributes] User Workstations. |
| PasswordLastSet UnicodeString | [Changed Attributes] Password Last Set. |
| AccountExpires UnicodeString | [Changed Attributes] Account Expires. |
| PrimaryGroupId UnicodeString | [Changed Attributes] Primary Group ID. |
| AllowedToDelegateTo UnicodeString | [Changed Attributes] AllowedToDelegateTo. |
| OldUacValue UnicodeString | [Changed Attributes] Old UAC Value. UAC flags reference |
| NewUacValue UnicodeString | [Changed Attributes] New UAC Value. UAC flags reference |
| UserAccountControl UnicodeString | [Changed Attributes] User Account Control. |
| UserParameters UnicodeString | [Changed Attributes] User Parameters. |
| SidHistory UnicodeString | [Changed Attributes] SID History. |
| LogonHours UnicodeString | [Changed Attributes] Logon Hours. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4738,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:37.339747+00:00",
"event_record_id": 2855,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 856
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Dummy": "-",
"TargetUserName": "WDAGUtilityAccount",
"TargetDomainName": "WINDEV2310EVAL",
"TargetSid": "S-1-5-21-1992711665-1655669231-58201500-504",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-",
"SamAccountName": "WDAGUtilityAccount",
"DisplayName": "%%1793",
"UserPrincipalName": "-",
"HomeDirectory": "%%1793",
"HomePath": "%%1793",
"ScriptPath": "%%1793",
"ProfilePath": "%%1793",
"UserWorkstations": "%%1793",
"PasswordLastSet": "10/25/2023 8:16:53 PM",
"AccountExpires": "%%1794",
"PrimaryGroupId": "513",
"AllowedToDelegateTo": "-",
"OldUacValue": "0x11",
"NewUacValue": "0x11",
"UserAccountControl": "-",
"UserParameters": "%%1793",
"SidHistory": "-",
"LogonHours": "%%1797"
},
"message": ""
}
Detection Patterns #
User Account
6 rules
Domain Sid History Addition
Persistence: Account Manipulation
Community Notes #
A user account was changed. Compare OldUacValue with NewUacValue (and the %%-coded UserAccountControl list) to see which account-control flags flipped; the event captures privilege-relevant changes such as disabling Kerberos pre-authentication, enabling delegation, or clearing the account-disabled bit, as well as password resets (PasswordLastSet) and other attribute edits. Attributes that did not change are reported as "-".
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- Weak Encryption Enabled and Kerberoast source high: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
Elastic # view in reference
- Kerberos Pre-authentication Disabled for User source medium: Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.
- KRBTGT Delegation Backdoor source high: Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.
Splunk # view in reference
- Kerberos Pre-Authentication Flag Disabled in UserAccountControl source: The following analytic detects when the Kerberos Pre-Authentication flag is disabled in a user account, using Windows Security Event 4738. This event indicates a change in the UserAccountControl property of a domain user object. Disabling this flag allows adversaries to perform offline brute force attacks on the user's password using the AS-REP Roasting technique. This activity is significant as it can be used by attackers with existing privileges to escalate their access or maintain persistence. If confirmed malicious, this could lead to unauthorized access and potential compromise of sensitive information.
Kusto Query Language # view in reference
- AD account with Don't Expire Password source low: 'Identifies whenever a user account has the setting "Password Never Expires" in the user account properties selected. This is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089. %%2089 resolves to "Don't Expire Password - Enabled".'
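Every rule above keys on a single bit of the UAC value or on one %%-code in the UserAccountControl list. The following is an added example (not code from this page or from those rules) that decodes OldUacValue and NewUacValue, reports which flags were turned on or off, predicts the %%-codes the event lists for the changed bits, and raises an alert for the transitions those rules care about. The bit layout is the SAM USER_ACCOUNT flag set from MS-SAMR 2.2.1.12, which is what these events carry: the 4738 sample above shows 0x11 for a disabled normal account and the 4741 sample further down shows 0x80 for a workstation trust account. The %%-code mapping (2080 + bit for a flag turned on, 2048 + bit for a flag turned off) is an assumption that agrees with %%2087 and %%2089 as they appear on this page. The sample records after the first are constructed.

```python
"""Decode OldUacValue/NewUacValue in 4738 (also 4720, 4741, 4742) and flag risky flips.

Added example, not code from this page or from the rules listed above. The bit layout
is the SAM USER_ACCOUNT flag set (MS-SAMR 2.2.1.12). The %%20xx message codes are
assumed to be 2080 + bit for a flag turned on and 2048 + bit for a flag turned off,
which matches %%2087 and %%2089 as they appear on this page.
"""
UAC_FLAGS = [  # (bit, name) in MS-SAMR USER_ACCOUNT order
    (0, "ACCOUNT_DISABLED"), (1, "HOME_DIRECTORY_REQUIRED"), (2, "PASSWORD_NOT_REQUIRED"),
    (3, "TEMP_DUPLICATE_ACCOUNT"), (4, "NORMAL_ACCOUNT"), (5, "MNS_LOGON_ACCOUNT"),
    (6, "INTERDOMAIN_TRUST_ACCOUNT"), (7, "WORKSTATION_TRUST_ACCOUNT"),
    (8, "SERVER_TRUST_ACCOUNT"), (9, "DONT_EXPIRE_PASSWORD"), (10, "ACCOUNT_AUTO_LOCKED"),
    (11, "ENCRYPTED_TEXT_PASSWORD_ALLOWED"), (12, "SMARTCARD_REQUIRED"),
    (13, "TRUSTED_FOR_DELEGATION"), (14, "NOT_DELEGATED"), (15, "USE_DES_KEY_ONLY"),
    (16, "DONT_REQUIRE_PREAUTH"), (17, "PASSWORD_EXPIRED"),
    (18, "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION"), (19, "NO_AUTH_DATA_REQUIRED"),
    (20, "PARTIAL_SECRETS_ACCOUNT"), (21, "USE_AES_KEYS"),
]

# Flag transitions worth alerting on, with the attack each one enables.
RISKY_ON = {
    "DONT_REQUIRE_PREAUTH": "AS-REP roasting (Elastic/Splunk rules above)",
    "USE_DES_KEY_ONLY": "DES Kerberos keys, cheap offline cracking (Sigma rule above)",
    "DONT_EXPIRE_PASSWORD": "password never expires (KQL rule above)",
    "PASSWORD_NOT_REQUIRED": "blank password permitted",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation",
    "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": "protocol transition (S4U2Self)",
}
RISKY_OFF = {
    "ACCOUNT_DISABLED": "disabled account re-enabled",
    "SMARTCARD_REQUIRED": "smart-card requirement removed",
}


def decode(value: str) -> set:
    """Flag names set in a hex UAC value such as '0x11'."""
    v = int(value, 16)
    return {name for bit, name in UAC_FLAGS if v & (1 << bit)}


def message_codes(old: str, new: str) -> list:
    """%%codes the event's UserAccountControl field lists for the bits that changed."""
    o, n = int(old, 16), int(new, 16)
    return [f"%%{(2080 if n & (1 << bit) else 2048) + bit}"
            for bit, _ in UAC_FLAGS if (o ^ n) & (1 << bit)]


def diff_uac(event_data: dict) -> dict:
    """Summarise one 4738-style record: which flags flipped and which flips are risky."""
    old_raw, new_raw = event_data["OldUacValue"], event_data["NewUacValue"]
    old, new = decode(old_raw), decode(new_raw)
    turned_on, turned_off = sorted(new - old), sorted(old - new)
    alerts = [f"{f} enabled: {RISKY_ON[f]}" for f in turned_on if f in RISKY_ON]
    alerts += [f"{f} cleared: {RISKY_OFF[f]}" for f in turned_off if f in RISKY_OFF]
    return {"account": event_data["TargetUserName"], "on": turned_on, "off": turned_off,
            "codes": message_codes(old_raw, new_raw), "alerts": alerts}


# Constructed samples: the first mirrors the 4738 Example Event above (no UAC change),
# the second is a service account made AS-REP-roastable, the third a re-enabled account.
SAMPLES = [
    {"TargetUserName": "WDAGUtilityAccount", "OldUacValue": "0x11", "NewUacValue": "0x11"},
    {"TargetUserName": "svc-legacy", "OldUacValue": "0x10", "NewUacValue": "0x10210"},
    {"TargetUserName": "j.former", "OldUacValue": "0x11", "NewUacValue": "0x10"},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(diff_uac(s))
```

Note that these are not the LDAP userAccountControl values (where ACCOUNTDISABLE is 0x2 and DONT_REQ_PREAUTH is 0x400000); a rule that compares the event's hex values against LDAP constants will silently match nothing. The same decoder applies to 4720 (new users, where OldUacValue is always 0x0) and to 4741/4742 for computer accounts.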
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4738
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4739 — Domain Policy was changed.
#Description
Domain Policy was changed.
Message #
Fields #
| Name | Description |
|---|---|
| DomainPolicyChanged UnicodeString | Change Type. |
| DomainName UnicodeString | [Domain] Domain Name. |
| DomainSid SID | [Domain] Domain ID. |
| SubjectUserSid SID | [Subject] Security ID. |
| SubjectUserName UnicodeString | [Subject] Account Name. |
| SubjectDomainName UnicodeString | [Subject] Account Domain. |
| SubjectLogonId HexInt64 | [Subject] Logon ID. |
| PrivilegeList UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| MinPasswordAge UnicodeString | [Changed Attributes] Min. Password Age. |
| MaxPasswordAge UnicodeString | [Changed Attributes] Max. Password Age. |
| ForceLogoff UnicodeString | [Changed Attributes] Force Logoff. |
| LockoutThreshold UnicodeString | [Changed Attributes] Lockout Threshold. |
| LockoutObservationWindow UnicodeString | [Changed Attributes] Lockout Observation Window. |
| LockoutDuration UnicodeString | [Changed Attributes] Lockout Duration. |
| PasswordProperties UnicodeString | [Changed Attributes] Password Properties. |
| MinPasswordLength UnicodeString | [Changed Attributes] Min. Password Length. |
| PasswordHistoryLength UnicodeString | [Changed Attributes] Password History Length. |
| MachineAccountQuota UnicodeString | [Changed Attributes] Machine Account Quota. |
| MixedDomainMode UnicodeString | [Changed Attributes] Mixed Domain Mode. |
| DomainBehaviorVersion UnicodeString | [Changed Attributes] Domain Behavior Version. |
| OemInformation UnicodeString | [Changed Attributes] OEM Information. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4739,
"version": 0,
"level": 0,
"task": 13569,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:34.991613+00:00",
"event_record_id": 2783,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 896
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"DomainPolicyChanged": "Password Policy",
"DomainName": "WINDEV2310EVAL",
"DomainSid": "S-1-5-21-1992711665-1655669231-58201500",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-",
"MinPasswordAge": "ퟏ~",
"MaxPasswordAge": "ퟏ~",
"ForceLogoff": "-",
"LockoutThreshold": "-",
"LockoutObservationWindow": "-",
"LockoutDuration": "-",
"PasswordProperties": "8",
"MinPasswordLength": "0",
"PasswordHistoryLength": "0",
"MachineAccountQuota": "-",
"MixedDomainMode": "-",
"DomainBehaviorVersion": "-",
"OemInformation": "-"
},
"message": ""
}
Community Notes #
Attackers holding Domain Admin rights may weaken the password or lockout policy (lower MinPasswordLength, set LockoutThreshold to 0, shorten LockoutObservationWindow) to make password spraying and brute forcing cheaper and quieter. Only the attributes that changed are populated; "-" means unchanged. Correlate with the 4768/4771 Kerberos failures and 4625 failed logons that follow, and treat any 4739 outside a change window as suspicious, since the same privilege level enables directory-level attacks such as DCShadow.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4739
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4739
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4740 — A user account was locked out.
#Description
A user account was locked out.
Message #
Fields #
| Name | Description |
|---|---|
| TargetUserName UnicodeString | [Account That Was Locked Out] Account Name |
| TargetDomainName UnicodeString | [Additional Information] Caller Computer Name |
| TargetSid SID | [Account That Was Locked Out] Security ID |
| SubjectUserSid SID | [Subject] Security ID |
| SubjectUserName UnicodeString | [Subject] Account Name |
| SubjectDomainName UnicodeString | [Subject] Account Domain |
| SubjectLogonId HexInt64 | [Subject] Logon ID |
| Account_Name UnicodeString | [Account That Was Locked Out] Account Name. |
| Caller_Computer_Name UnicodeString | [Additional Information] Caller Computer Name. |
| Security_ID SID | [Account That Was Locked Out] Security ID. |
| Account_Domain UnicodeString | [Subject] Account Domain. |
| Logon_ID HexInt64 | [Subject] Logon ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4740,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:03:33.513406+00:00",
"event_record_id": 16594636,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 10928
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "KrbTestLockout",
"TargetDomainName": "LAB-DC01",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1268",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "LAB-DC01$",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0x3e7"
},
"message": ""
}
Community Notes #
Lockouts are processed by the PDC emulator, so collect 4740 from that domain controller. Caller Computer Name (carried in the TargetDomainName field, as the sample above shows) identifies the machine that submitted the bad passwords; pivot to 4625 and 4771 on that host and on the DCs for source IPs, and to 4776 for NTLM validation failures. Caller Computer Name can be blank when the failed attempts arrived through a source that supplies no workstation name. Many distinct accounts locked out from one caller in a short window points to password spraying rather than a forgotten password.
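One way to turn the note above into a check, as an added example that is not code from this page: group 4740 records by Caller Computer Name and look for one caller locking out several distinct accounts inside a short sliding window, which is the spray signature, while a single account locking repeatedly from one machine (a stale cached credential) stays below threshold. Input is the JSON shape of the Example Event above; the lab record is taken from it and the remaining records, hostnames and user names are constructed.

```python
"""Cluster 4740 lockouts by caller computer to surface password spraying.

Added example, not code from this page. Input is the JSON shape of the Example Event
above; for 4740 the TargetDomainName field carries the Caller Computer Name.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(s: str) -> datetime:
    # Samples on this page use both "+00:00" and a trailing "Z".
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def lockout_bursts(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {caller: sorted accounts} for callers that locked out at least
    `min_accounts` distinct accounts inside any `window`-long span."""
    by_caller = defaultdict(list)
    for ev in events:
        if ev["system"]["event_id"] != 4740:
            continue
        d = ev["event_data"]
        # Caller Computer Name can be blank when the bad passwords arrived through a
        # source that supplies no workstation name; keep those together, not dropped.
        caller = d.get("TargetDomainName") or "<no caller name>"
        by_caller[caller].append((parse_ts(ev["system"]["time_created"]), d["TargetUserName"]))
    bursts = {}
    for caller, hits in by_caller.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):          # sliding window over sorted timestamps
            while hits[end][0] - hits[start][0] > window:
                start += 1
            accounts = {name for _, name in hits[start:end + 1]}
            if len(accounts) >= min_accounts:
                bursts[caller] = sorted(accounts | set(bursts.get(caller, [])))
    return bursts


def _lockout(rid, ts, account, caller):
    """Minimal 4740 record in this page's JSON shape (constructed input)."""
    return {"system": {"event_id": 4740, "event_record_id": rid, "time_created": ts},
            "event_data": {"TargetUserName": account, "TargetDomainName": caller,
                           "SubjectUserSid": "S-1-5-18", "SubjectUserName": "LAB-DC01$",
                           "SubjectDomainName": "ludus", "SubjectLogonId": "0x3e7"}}


# Constructed sample: the lab lockout from this page, a helpdesk-style repeat for a
# single account hours apart, and a spray from one workstation against four accounts.
SAMPLE_EVENTS = [
    _lockout(16594636, "2026-03-13T23:03:33.513406+00:00", "KrbTestLockout", "LAB-DC01"),
    _lockout(16594700, "2026-03-13T23:10:00.000000+00:00", "h.porter", "WS-HR02"),
    _lockout(16594950, "2026-03-14T01:15:00.000000Z", "h.porter", "WS-HR02"),
    _lockout(16595001, "2026-03-14T02:00:05.000000+00:00", "a.lee", "WS-FINANCE07"),
    _lockout(16595002, "2026-03-14T02:00:41.000000+00:00", "b.ortiz", "WS-FINANCE07"),
    _lockout(16595003, "2026-03-14T02:01:17.000000+00:00", "c.nair", "WS-FINANCE07"),
    _lockout(16595004, "2026-03-14T02:01:58.000000+00:00", "d.kim", "WS-FINANCE07"),
]

if __name__ == "__main__":
    for caller, accounts in lockout_bursts(SAMPLE_EVENTS).items():
        print(f"{caller}: {len(accounts)} accounts locked -> {accounts}")
```

With the defaults only WS-FINANCE07 is reported. Tune `window` to your lockout observation window (4739 tells you when it changes) and `min_accounts` to what a single user can plausibly trip on one machine.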
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4740
Event ID 4741 — A computer account was created.
#Description
A computer account was created.
Message #
Fields #
| Name | Description |
|---|---|
| Account_Name | [New Computer Account] Account Name. |
| Account_Domain | [New Computer Account] Account Domain. |
| Security_ID | [New Computer Account] Security ID. |
| Security_ID | [Subject] Security ID. |
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
| Privileges | [Additional Information] Privileges. Privilege constants reference |
| SAM_Account_Name | [Attributes] SAM Account Name. |
| Display_Name | [Attributes] Display Name. |
| User_Principal_Name | [Attributes] User Principal Name. |
| Home_Directory | [Attributes] Home Directory. |
| Home_Drive | [Attributes] Home Drive. |
| Script_Path | [Attributes] Script Path. |
| Profile_Path | [Attributes] Profile Path. |
| User_Workstations | [Attributes] User Workstations. |
| Password_Last_Set | [Attributes] Password Last Set. |
| Account_Expires | [Attributes] Account Expires. |
| Primary_Group_ID | [Attributes] Primary Group ID. |
| AllowedToDelegateTo UnicodeString | [Attributes] AllowedToDelegateTo. |
| Old_UAC_Value | [Attributes] Old UAC Value. UAC flags reference |
| New_UAC_Value | [Attributes] New UAC Value. UAC flags reference |
| User_Account_Control | [Attributes] User Account Control. |
| User_Parameters | [Attributes] User Parameters. |
| SID_History | [Attributes] SID History. |
| Logon_Hours | [Attributes] Logon Hours. |
| DNS_Host_Name | [Attributes] DNS Host Name. |
| Service_Principal_Names | [Attributes] Service Principal Names. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4741,
"version": 0,
"level": 0,
"task": 13825,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2021-12-12T17:57:52.313673Z",
"event_record_id": 2982085,
"correlation": {},
"execution": {
"process_id": 624,
"thread_id": 3652
},
"channel": "Security",
"computer": "01566s-win16-ir.threebeesco.com",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "DC012$",
"TargetDomainName": "3B",
"TargetSid": "S-1-5-21-308926384-506822093-3341789130-220105",
"SubjectUserSid": "S-1-5-21-308926384-506822093-3341789130-101606",
"SubjectUserName": "labuser",
"SubjectDomainName": "3B",
"SubjectLogonId": "0x738ae4",
"PrivilegeList": "-",
"SamAccountName": "DC012$",
"DisplayName": "-",
"UserPrincipalName": "-",
"HomeDirectory": "-",
"HomePath": "-",
"ScriptPath": "-",
"ProfilePath": "-",
"UserWorkstations": "-",
"PasswordLastSet": "12/12/2021 9:57:52 AM",
"AccountExpires": "%%1794",
"PrimaryGroupId": "515",
"AllowedToDelegateTo": "-",
"OldUacValue": "0x0",
"NewUacValue": "0x80",
"UserAccountControl": "\r\n\t\t%%2087",
"UserParameters": "-",
"SidHistory": "-",
"LogonHours": "%%1793",
"DnsHostName": "DC012.threebeesco.com",
"ServicePrincipalNames": "\r\n\t\tHOST/DC012.threebeesco.com\r\n\t\tRestrictedKrbHost/DC012.threebeesco.com\r\n\t\tHOST/DC012\r\n\t\tRestrictedKrbHost/DC012"
}
}
Detection Patterns #
Defense Evasion: Rogue Domain Controller
1 rule
Community Notes #
Useful for catching machine-account abuse. By default any authenticated user can create up to ms-DS-MachineAccountQuota (10) computer objects, which attackers use for resource-based constrained delegation and KrbRelayUp, and a new computer object whose primary group is Domain Controllers or whose UAC value carries SERVER_TRUST_ACCOUNT is the footprint of a rogue DC (DCShadow). Review the Subject: creation by a non-provisioning user, or by another computer account (Subject Account Name ending in $), is suspicious. The HOST/ and RestrictedKrbHost/ SPNs appear on every legitimately joined machine too, so they are context rather than a signal on their own.
Detection Rules #
View all rules referencing this event →
Splunk # view in reference
- Windows Computer Account Created by Computer Account source: The following analytic identifies a computer account creating a new computer account with a specific Service Principal Name (SPN) "RestrictedKrbHost". This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify such activities. This behavior is significant as it may indicate an attempt to establish unauthorized Kerberos authentication channels, potentially leading to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to impersonate services, access sensitive information, or maintain persistence within the network.
- Windows Computer Account With SPN source: The following analytic detects the addition of Service Principal Names (SPNs) HOST and RestrictedKrbHost to a computer account, indicative of KrbRelayUp behavior. This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify changes in SPNs. This activity is significant as it is commonly associated with Kerberos-based attacks, which can be used to escalate privileges or perform lateral movement within a network. If confirmed malicious, this behavior could allow an attacker to impersonate services, potentially leading to unauthorized access to sensitive resources.
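The two Splunk rules above key on who created the object and on its SPNs. The following is an added example (not code from this page or from those rules) that scores a 4741 record on those signals plus two that distinguish a rogue DC from an ordinary join: a PrimaryGroupId other than 515 (Domain Computers; 516 and 521 are Domain Controllers and RODCs) and the SERVER_TRUST_ACCOUNT bit (0x100 in the SAM flag layout these events use) in NewUacValue. It parses the CRLF-and-tab separated ServicePrincipalNames blob exactly as it appears in the sample above. `trusted_creators` is an assumed allowlist of join or provisioning accounts; the first sample is the page's DC012$ record and the other two are constructed.

```python
"""Score 4741 computer-account creations for machine-account abuse.

Added example, not code from this page or from the Splunk rules listed above. Input is
the event_data object of a 4741 record; `trusted_creators` is an assumed allowlist of
the accounts (join service accounts, SCCM/Intune) that normally create computers.
"""
SERVER_TRUST_ACCOUNT = 0x100   # SAM UAC bit: the object is a domain controller
DOMAIN_COMPUTERS_RID = "515"   # PrimaryGroupId of an ordinary member; 516/521 are DCs/RODCs


def parse_spns(raw: str) -> list:
    """ServicePrincipalNames is a CRLF+tab separated list, as in the sample above."""
    return [s.strip() for s in raw.replace("\r\n", "\n").split("\n") if s.strip()]


def assess_4741(d: dict, trusted_creators=frozenset(), dns_suffix=None) -> dict:
    """Return {'account', 'score', 'reasons'}; a higher score is more worth a look."""
    reasons, score = [], 0
    subject = d["SubjectUserName"]
    if subject.endswith("$"):
        # A computer creating a computer is the KrbRelayUp pattern (first Splunk rule).
        reasons.append(f"created by computer account {subject}")
        score += 3
    elif subject.lower() not in {t.lower() for t in trusted_creators}:
        # Any authenticated user may add up to ms-DS-MachineAccountQuota computers.
        reasons.append(f"created by non-provisioning user {subject}")
        score += 2
    if d.get("PrimaryGroupId", DOMAIN_COMPUTERS_RID) != DOMAIN_COMPUTERS_RID:
        reasons.append(f"primary group RID {d['PrimaryGroupId']} is not Domain Computers")
        score += 3
    if int(d.get("NewUacValue", "0x0"), 16) & SERVER_TRUST_ACCOUNT:
        reasons.append("SERVER_TRUST_ACCOUNT set: object is registered as a DC")
        score += 3
    host = d.get("DnsHostName", "-")
    if dns_suffix and host != "-" and not host.lower().endswith("." + dns_suffix.lower()):
        reasons.append(f"DnsHostName {host} is outside {dns_suffix}")
        score += 1
    if any(s.upper().startswith("RESTRICTEDKRBHOST/")
           for s in parse_spns(d.get("ServicePrincipalNames", ""))):
        # Every normally joined computer carries HOST/ and RestrictedKrbHost/ SPNs, so
        # this is context for the analyst rather than a score on its own.
        reasons.append("RestrictedKrbHost SPN present (normal for joined machines)")
    return {"account": d["TargetUserName"], "score": score, "reasons": reasons}


SPN_BLOB = ("\r\n\t\tHOST/DC012.threebeesco.com\r\n\t\tRestrictedKrbHost/DC012.threebeesco.com"
            "\r\n\t\tHOST/DC012\r\n\t\tRestrictedKrbHost/DC012")

SAMPLES = [
    # mirrors the 4741 Example Event above: a lab user creating DC012$ as an ordinary member
    {"TargetUserName": "DC012$", "SubjectUserName": "labuser", "PrimaryGroupId": "515",
     "NewUacValue": "0x80", "DnsHostName": "DC012.threebeesco.com",
     "ServicePrincipalNames": SPN_BLOB},
    # constructed: a workstation's machine account creating another computer (KrbRelayUp)
    {"TargetUserName": "EVIL$", "SubjectUserName": "WS01$", "PrimaryGroupId": "515",
     "NewUacValue": "0x80", "DnsHostName": "evil.threebeesco.com",
     "ServicePrincipalNames": "\r\n\t\tHOST/evil.threebeesco.com"
                              "\r\n\t\tRestrictedKrbHost/evil.threebeesco.com"},
    # constructed: a trusted provisioning account registering an object that claims to be a DC
    {"TargetUserName": "DC99$", "SubjectUserName": "svc-join", "PrimaryGroupId": "516",
     "NewUacValue": "0x100", "DnsHostName": "dc99.attacker.test", "ServicePrincipalNames": "-"},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(assess_4741(s, frozenset({"svc-join"}), "threebeesco.com"))
```

The page's own sample scores 2 (an ordinary user created it), the KrbRelayUp-style record 3, and the rogue-DC record 7 even though a trusted account made it; put the threshold where a plain user-initiated join is triaged and anything that touches the DC signals pages someone.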
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-computer-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4741
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4742 — A computer account was changed.
#Description
A computer account was changed.
Message #
Fields #
| Name | Description |
|---|---|
| ComputerAccountChange UnicodeString | — |
| Account_Name | [Computer Account That Was Changed] Account Name. |
| Account_Domain | [Computer Account That Was Changed] Account Domain. |
| Security_ID | [Computer Account That Was Changed] Security ID. |
| Security_ID | [Subject] Security ID. |
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
| Privileges | [Additional Information] Privileges. Privilege constants reference |
| SAM_Account_Name | [Changed Attributes] SAM Account Name. |
| Display_Name | [Changed Attributes] Display Name. |
| User_Principal_Name | [Changed Attributes] User Principal Name. |
| Home_Directory | [Changed Attributes] Home Directory. |
| Home_Drive | [Changed Attributes] Home Drive. |
| Script_Path | [Changed Attributes] Script Path. |
| Profile_Path | [Changed Attributes] Profile Path. |
| User_Workstations | [Changed Attributes] User Workstations. |
| Password_Last_Set | [Changed Attributes] Password Last Set. |
| Account_Expires | [Changed Attributes] Account Expires. |
| Primary_Group_ID | [Changed Attributes] Primary Group ID. |
| AllowedToDelegateTo UnicodeString | [Changed Attributes] AllowedToDelegateTo. |
| Old_UAC_Value | [Changed Attributes] Old UAC Value. UAC flags reference |
| New_UAC_Value | [Changed Attributes] New UAC Value. UAC flags reference |
| User_Account_Control | [Changed Attributes] User Account Control. |
| User_Parameters | [Changed Attributes] User Parameters. |
| SID_History | [Changed Attributes] SID History. |
| Logon_Hours | [Changed Attributes] Logon Hours. |
| DNS_Host_Name | [Changed Attributes] DNS Host Name. |
| Service_Principal_Names | [Changed Attributes] Service Principal Names. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4742,
"version": 0,
"level": 0,
"task": 13825,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2019-03-25T13:01:41.935605Z",
"event_record_id": 198239294,
"correlation": {},
"execution": {
"process_id": 444,
"thread_id": 3948
},
"channel": "Security",
"computer": "DC1.insecurebank.local",
"security": {
"user_id": ""
}
},
"event_data": {
"ComputerAccountChange": "-",
"TargetUserName": "CLIENT01$",
"TargetDomainName": "insecurebank",
"TargetSid": "S-1-5-21-738609754-2819869699-4189121830-1120",
"SubjectUserSid": "S-1-5-21-738609754-2819869699-4189121830-1108",
"SubjectUserName": "bob",
"SubjectDomainName": "insecurebank",
"SubjectLogonId": "0x3d8e8db",
"PrivilegeList": "-",
"SamAccountName": "-",
"DisplayName": "-",
"UserPrincipalName": "-",
"HomeDirectory": "-",
"HomePath": "-",
"ScriptPath": "-",
"ProfilePath": "-",
"UserWorkstations": "-",
"PasswordLastSet": "-",
"AccountExpires": "-",
"PrimaryGroupId": "-",
"AllowedToDelegateTo": "-",
"OldUacValue": "-",
"NewUacValue": "-",
"UserAccountControl": "-",
"UserParameters": "-",
"SidHistory": "-",
"LogonHours": "-",
"DnsHostName": "-",
"ServicePrincipalNames": "-"
}
}
Detection Patterns #
Domain Sid History Addition
Defense Evasion: Rogue Domain Controller
1 rule
Detection Rules #
Elastic #
- Remote Computer Account DnsHostName Update source high: Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.
Splunk #
- Detect Computer Changed with Anonymous Account source: The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Code 4742 (Computer Change) with a SubjectUserName value of "ANONYMOUS LOGON". This activity can be significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network.
- Windows AD Domain Controller Promotion source: The following analytic identifies a genuine Domain Controller (DC) promotion event by detecting when a computer assigns itself the necessary Service Principal Names (SPNs) to function as a domain controller. It leverages Windows Security Event Code 4742 to monitor existing domain controllers for these changes. This activity is significant as it can help identify rogue DCs added to the network, which could indicate a DCShadow attack. If confirmed malicious, this could allow an attacker to manipulate Active Directory, leading to potential privilege escalation and persistent access within the environment.
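Two of the 4742 detection ideas above (the anonymous-logon subject and a DnsHostName rewritten to a domain controller's name), applied to records in the same JSON shape as the page's example event. This is an added example, not the page's or any vendor's rule code; the DC inventory, the placeholder SIDs and the sample records are constructed assumptions.

```python
"""Triage Event ID 4742 (computer account changed) records.
Added example (not the page's or any vendor's rule code): reads events in the
page's system/event_data JSON shape and applies two detection ideas above.
"""
import json

# Attributes from the [Changed Attributes] part of a 4742 event. The value
# "-" means the attribute was NOT modified by this change.
CHANGED_ATTRIBUTE_KEYS = (
    "SamAccountName", "DisplayName", "UserPrincipalName", "HomeDirectory",
    "HomePath", "ScriptPath", "ProfilePath", "UserWorkstations",
    "PasswordLastSet", "AccountExpires", "PrimaryGroupId",
    "AllowedToDelegateTo", "OldUacValue", "NewUacValue", "UserAccountControl",
    "UserParameters", "SidHistory", "LogonHours", "DnsHostName",
    "ServicePrincipalNames",
)

# Assumed DC inventory (hypothetical): DNS host names and account names.
KNOWN_DC_HOSTNAMES = {"dc1.insecurebank.local"}
KNOWN_DC_ACCOUNTS = {"DC1$"}


def load_ndjson(text):
    """Parse one JSON event record per line (blank lines ignored)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def changed_attributes(event):
    """Return only the attributes the event reports as actually changed."""
    data = event["event_data"]
    return {k: data[k] for k in CHANGED_ATTRIBUTE_KEYS
            if k in data and data[k] != "-"}


def is_anonymous_computer_change(event):
    """Splunk idea above: a 4742 whose subject is ANONYMOUS LOGON."""
    if event["system"]["event_id"] != 4742:
        return False
    subject = event["event_data"].get("SubjectUserName", "")
    return subject.upper() == "ANONYMOUS LOGON"


def is_dc_hostname_takeover(event, dc_hostnames=KNOWN_DC_HOSTNAMES,
                            dc_accounts=KNOWN_DC_ACCOUNTS):
    """Elastic idea above: DnsHostName rewritten to a real DC's DNS name on
    a computer account that is not itself a DC (CVE-2022-26923 preparation)."""
    if event["system"]["event_id"] != 4742:
        return False
    new_dns = changed_attributes(event).get("DnsHostName")
    if new_dns is None:  # "-" in the event: DnsHostName was not touched
        return False
    target = event["event_data"].get("TargetUserName", "")
    return (new_dns.lower() in {h.lower() for h in dc_hostnames}
            and target.upper() not in {a.upper() for a in dc_accounts})


def triage(events):
    """Return (event_record_id, finding) pairs for events that trip a rule."""
    findings = []
    for ev in events:
        rid = ev["system"]["event_record_id"]
        if is_anonymous_computer_change(ev):
            findings.append((rid, "computer account changed by ANONYMOUS LOGON"))
        if is_dc_hostname_takeover(ev):
            findings.append((rid, "DnsHostName set to a DC name on a non-DC account"))
    return findings


def make_4742(record_id, subject, target, **changed):
    """Constructed 4742 record in the page's JSON shape (placeholder SIDs)."""
    data = {"ComputerAccountChange": "-", "TargetUserName": target,
            "TargetDomainName": "insecurebank", "TargetSid": "S-1-5-21-0-0-0-1120",
            "SubjectUserSid": "S-1-5-21-0-0-0-1108", "SubjectUserName": subject,
            "SubjectDomainName": "insecurebank", "SubjectLogonId": "0x3d8e8db",
            "PrivilegeList": "-"}
    data.update({k: "-" for k in CHANGED_ATTRIBUTE_KEYS})  # default: unchanged
    data.update(changed)
    return {"system": {"provider": "Microsoft-Windows-Security-Auditing",
                       "event_id": 4742, "event_record_id": record_id,
                       "channel": "Security",
                       "computer": "DC1.insecurebank.local"},
            "event_data": data}


# Constructed sample records for this example.
SAMPLE_EVENTS = [
    make_4742(1, "bob", "CLIENT01$"),  # nothing changed, like the page's event
    make_4742(2, "ANONYMOUS LOGON", "CLIENT01$",
              PasswordLastSet="3/25/2019 1:01:41 PM"),
    make_4742(3, "CLIENT02$", "CLIENT02$",
              DnsHostName="DC1.insecurebank.local"),  # non-DC claims a DC name
    make_4742(4, "domainadmin", "DC1$",
              DnsHostName="dc1.insecurebank.local"),  # a real DC: not flagged
]
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for rid, finding in triage(load_ndjson(SAMPLE_NDJSON)):
        print(f"record {rid}: {finding}")
```

Because every [Changed Attributes] field reports "-" when untouched, `changed_attributes` is what separates a real DnsHostName rewrite from the routine 4742 noise a domain produces.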
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4742
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-computer-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4742
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4743 — A computer account was deleted.
Description
A computer account was deleted.
Message #
Fields #
| Name | Description |
|---|---|
Account_Name | [Target Computer] Account Name. |
Account_Domain | [Target Computer] Account Domain. |
Security_ID | [Target Computer] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4743,
"version": 0,
"level": 0,
"task": 13825,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2020-07-12T19:36:44.227880Z",
"event_record_id": 16334944,
"correlation": {},
"execution": {
"process_id": 528,
"thread_id": 3156
},
"channel": "Security",
"computer": "rootdc1.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "YOURPC$",
"TargetDomainName": "OFFSEC",
"TargetSid": "S-1-5-21-4230534742-2542757381-3142984815-1167",
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1158",
"SubjectUserName": "lambda-user",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x87e482b",
"PrivilegeList": "-"
}
}
Detection Patterns #
User Account
6 rules
Defense Evasion: Rogue Domain Controller
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-computer-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4743
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4744 — A security-disabled local group was created.
Description
A security-disabled local group was created.
Message #
Fields #
| Name | Description |
|---|---|
Group_Name UnicodeString | [New Group] Group Name. |
Group_Domain UnicodeString | [New Group] Group Domain. |
Security_ID SID | [New Group] Security ID. |
Security_ID SID | [Subject] Security ID. |
Account_Name UnicodeString | [Subject] Account Name. |
Account_Domain UnicodeString | [Subject] Account Domain. |
Logon_ID HexInt64 | [Subject] Logon ID. |
Privileges UnicodeString | [Additional Information] Privileges. Privilege constants reference |
SAM_Account_Name UnicodeString | [Attributes] SAM Account Name. |
SID_History UnicodeString | [Attributes] SID History. |
TargetUserName UnicodeString | [New Group] Group Name |
TargetDomainName UnicodeString | [New Group] Group Domain |
TargetSid SID | [New Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
SamAccountName UnicodeString | [Attributes] SAM Account Name |
SidHistory UnicodeString | [Attributes] SID History |
Detection Patterns #
Persistence: Domain Account
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4744
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4744
Event ID 4745 — A security-disabled local group was changed.
Description
A security-disabled local group was changed.
Message #
Fields #
| Name | Description |
|---|---|
Group_Name UnicodeString | [Group] Group Name. |
Group_Domain UnicodeString | [Group] Group Domain. |
Security_ID SID | [Group] Security ID. |
Security_ID SID | [Subject] Security ID. |
Account_Name UnicodeString | [Subject] Account Name. |
Account_Domain UnicodeString | [Subject] Account Domain. |
Logon_ID HexInt64 | [Subject] Logon ID. |
Privileges UnicodeString | [Additional Information] Privileges. Privilege constants reference |
SAM_Account_Name UnicodeString | [Changed Attributes] SAM Account Name. |
SID_History UnicodeString | [Changed Attributes] SID History. |
TargetUserName UnicodeString | [Group] Group Name |
TargetDomainName UnicodeString | [Group] Group Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
SamAccountName UnicodeString | [Changed Attributes] SAM Account Name |
SidHistory UnicodeString | [Changed Attributes] SID History |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4745
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4745
Event ID 4746 — A member was added to a security-disabled local group.
Description
A member was added to a security-disabled local group.
Message #
Fields #
| Name | Description |
|---|---|
Account_Name | [Member] Account Name. |
Security_ID | [Member] Security ID. |
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Security_ID | [Group] Security ID. |
Security_ID | [Subject] Security ID. |
Account_Name | [Subject] Account Name. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. Privilege constants reference |
MemberName UnicodeString | [Member] Account Name |
MemberSid SID | [Member] Security ID |
TargetUserName UnicodeString | [Group] Group Name |
TargetDomainName UnicodeString | [Group] Group Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
MembershipExpirationTime FILETIME | Expiration time |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4746
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4746
Event ID 4747 — A member was removed from a security-disabled local group.
Description
A member was removed from a security-disabled local group.
Message #
Fields #
| Name | Description |
|---|---|
Account_Name UnicodeString | [Member] Account Name. |
Security_ID SID | [Member] Security ID. |
Group_Name UnicodeString | [Group] Group Name. |
Group_Domain UnicodeString | [Group] Group Domain. |
Security_ID SID | [Group] Security ID. |
Security_ID SID | [Subject] Security ID. |
Account_Name UnicodeString | [Subject] Account Name. |
Account_Domain UnicodeString | [Subject] Account Domain. |
Logon_ID HexInt64 | [Subject] Logon ID. |
Privileges UnicodeString | [Additional Information] Privileges. Privilege constants reference |
MemberName UnicodeString | [Member] Account Name |
MemberSid SID | [Member] Security ID |
TargetUserName UnicodeString | [Group] Group Name |
TargetDomainName UnicodeString | [Group] Group Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4747
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4747
Event ID 4748 — A security-disabled local group was deleted.
Description
A security-disabled local group was deleted.
Message #
Fields #
| Name | Description |
|---|---|
Group_Name UnicodeString | [Group] Group Name. |
Group_Domain UnicodeString | [Group] Group Domain. |
Security_ID SID | [Group] Security ID. |
Security_ID SID | [Subject] Security ID. |
Account_Name UnicodeString | [Subject] Account Name. |
Account_Domain UnicodeString | [Subject] Account Domain. |
Logon_ID HexInt64 | [Subject] Logon ID. |
Privileges UnicodeString | [Additional Information] Privileges. Privilege constants reference |
TargetUserName UnicodeString | [Group] Group Name |
TargetDomainName UnicodeString | [Group] Group Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4748
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4748
Event ID 4749 — A security-disabled global group was created.
Description
A security-disabled global group was created.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | [Group] Group Name |
TargetDomainName UnicodeString | [Group] Group Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
SamAccountName UnicodeString | [Attributes] SAM Account Name |
SidHistory UnicodeString | [Attributes] SID History |
Group_Name UnicodeString | [Group] Group Name. |
Group_Domain UnicodeString | [Group] Group Domain. |
Security_ID SID | [Group] Security ID. |
Account_Name UnicodeString | [Subject] Account Name. |
Account_Domain UnicodeString | [Subject] Account Domain. |
Logon_ID HexInt64 | [Subject] Logon ID. |
Privileges UnicodeString | [Additional Information] Privileges. Privilege constants reference |
SAM_Account_Name UnicodeString | [Attributes] SAM Account Name. |
SID_History UnicodeString | [Attributes] SID History. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4749,
"version": 0,
"level": 0,
"task": 13827,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:16:04.301935+00:00",
"event_record_id": 16239926,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 6292
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "evtgen_distro",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1121",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"PrivilegeList": "-",
"SamAccountName": "evtgen_distro",
"SidHistory": "-"
},
"message": ""
}
Detection Patterns #
Persistence: Domain Account
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4749
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4749
Event ID 4750 — A security-disabled global group was changed.
Description
A security-disabled global group was changed.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | [Group] Group Name |
TargetDomainName UnicodeString | [Group] Group Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
SamAccountName UnicodeString | [Changed Attributes] SAM Account Name |
SidHistory UnicodeString | [Changed Attributes] SID History |
Group_Name UnicodeString | [Group] Group Name. |
Group_Domain UnicodeString | [Group] Group Domain. |
Security_ID SID | [Group] Security ID. |
Account_Name UnicodeString | [Subject] Account Name. |
Account_Domain UnicodeString | [Subject] Account Domain. |
Logon_ID HexInt64 | [Subject] Logon ID. |
Privileges UnicodeString | [Additional Information] Privileges. Privilege constants reference |
SAM_Account_Name UnicodeString | [Changed Attributes] SAM Account Name. |
SID_History UnicodeString | [Changed Attributes] SID History. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4750,
"version": 0,
"level": 0,
"task": 13827,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:06:45.668811+00:00",
"event_record_id": 16619490,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 7768
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "TestAuditGroup_Distribution",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1287",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec",
"PrivilegeList": "-",
"SamAccountName": "-",
"SidHistory": "-"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4750
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4750
Event ID 4751 — A member was added to a security-disabled global group.
Description
A member was added to a security-disabled global group.
Message #
Fields #
| Name | Description |
|---|---|
MemberName UnicodeString | [Member] Account Name |
MemberSid SID | [Member] Security ID |
TargetUserName UnicodeString | [Group] Group Name |
TargetDomainName UnicodeString | [Group] Group Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
Account_Name | [Member] Account Name. |
Security_ID | [Member] Security ID. |
Group_Name | [Group] Group Name. |
Group_Domain | [Group] Group Domain. |
Account_Domain | [Subject] Account Domain. |
Logon_ID | [Subject] Logon ID. |
Privileges | [Additional Information] Privileges. Privilege constants reference |
MembershipExpirationTime FILETIME | Expiration time |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4751,
"version": 0,
"level": 0,
"task": 13827,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:06:45.668821+00:00",
"event_record_id": 16619491,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 7768
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"MemberName": "CN=testaudit1,CN=Users,DC=ludus,DC=domain",
"MemberSid": "S-1-5-21-1006758700-2167138679-1475694448-1290",
"TargetUserName": "TestAuditGroup_Distribution",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1287",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec",
"PrivilegeList": "-"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4751
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4751
Event ID 4752 — A member was removed from a security-disabled global group.
Description
A member was removed from a security-disabled global group.
Message #
Fields #
| Name | Description |
|---|---|
MemberName UnicodeString | [Member] Account Name |
MemberSid SID | [Member] Security ID |
TargetUserName UnicodeString | [Group] Group Name |
TargetDomainName UnicodeString | [Group] Group Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
Account_Name UnicodeString | [Member] Account Name. |
Security_ID SID | [Member] Security ID. |
Group_Name UnicodeString | [Group] Group Name. |
Group_Domain UnicodeString | [Group] Group Domain. |
Account_Domain UnicodeString | [Subject] Account Domain. |
Logon_ID HexInt64 | [Subject] Logon ID. |
Privileges UnicodeString | [Additional Information] Privileges. Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4752,
"version": 0,
"level": 0,
"task": 13827,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:06:46.319360+00:00",
"event_record_id": 16619502,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 3104
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"MemberName": "CN=testaudit1,CN=Users,DC=ludus,DC=domain",
"MemberSid": "S-1-5-21-1006758700-2167138679-1475694448-1290",
"TargetUserName": "TestAuditGroup_Distribution",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1287",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec",
"PrivilegeList": "-"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4752
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4752
Event ID 4753 — A security-disabled global group was deleted.
Description
A security-disabled global group was deleted.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | [Group] Group Name |
TargetDomainName UnicodeString | [Group] Group Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
Group_Name UnicodeString | [Group] Group Name. |
Group_Domain UnicodeString | [Group] Group Domain. |
Security_ID SID | [Group] Security ID. |
Account_Name UnicodeString | [Subject] Account Name. |
Account_Domain UnicodeString | [Subject] Account Domain. |
Logon_ID HexInt64 | [Subject] Logon ID. |
Privileges UnicodeString | [Additional Information] Privileges. Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4753,
"version": 0,
"level": 0,
"task": 13827,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:24:00.966756+00:00",
"event_record_id": 16290238,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 7132
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "TestDistGroup",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1132",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"PrivilegeList": "-"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4753
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4753
Event ID 4754 — A security-enabled universal group was created.
Description
A security-enabled universal group was created.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | [Group] Group Name |
TargetDomainName UnicodeString | [Group] Group Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
SamAccountName UnicodeString | [Attributes] SAM Account Name |
SidHistory UnicodeString | [Attributes] SID History |
Group_Name UnicodeString | [Group] Group Name. |
Group_Domain UnicodeString | [Group] Group Domain. |
Security_ID SID | [Group] Security ID. |
Account_Name UnicodeString | [Subject] Account Name. |
Account_Domain UnicodeString | [Subject] Account Domain. |
Logon_ID HexInt64 | [Subject] Logon ID. |
Privileges UnicodeString | [Additional Information] Privileges. Privilege constants reference |
SAM_Account_Name UnicodeString | [Attributes] SAM Account Name. |
SID_History UnicodeString | [Attributes] SID History. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4754,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:16:04.236865+00:00",
"event_record_id": 16239922,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 1756
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "evtgen_universal",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1120",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"PrivilegeList": "-",
"SamAccountName": "evtgen_universal",
"SidHistory": "-"
},
"message": ""
}
Detection Patterns #
Persistence: Domain Account
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4754
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4754
Event ID 4755 — A security-enabled universal group was changed.
Description
A security-enabled universal group was changed.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserName UnicodeString | [Group] Group Name |
TargetDomainName UnicodeString | [Group] Group Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
SamAccountName UnicodeString | [Changed Attributes] SAM Account Name |
SidHistory UnicodeString | [Changed Attributes] SID History |
Group_Name UnicodeString | [Group] Group Name. |
Group_Domain UnicodeString | [Group] Group Domain. |
Security_ID SID | [Group] Security ID. |
Account_Name UnicodeString | [Subject] Account Name. |
Account_Domain UnicodeString | [Subject] Account Domain. |
Logon_ID HexInt64 | [Subject] Logon ID. |
Privileges UnicodeString | [Additional Information] Privileges. Privilege constants reference |
SAM_Account_Name UnicodeString | [Changed Attributes] SAM Account Name. |
SID_History UnicodeString | [Changed Attributes] SID History. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4755,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:16:04.432295+00:00",
"event_record_id": 16239937,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 6292
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "evtgen_universal",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1120",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"PrivilegeList": "-",
"SamAccountName": "-",
"SidHistory": "-"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4755
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4755
Event ID 4756 — A member was added to a security-enabled universal group.
Description
A member was added to a security-enabled universal group.
Message #
Fields #
| Field (EventData) | Type | Message label | Description |
|---|---|---|---|
| MemberName | UnicodeString | Account_Name | [Member] Account Name (distinguished name of the added member) |
| MemberSid | SID | Security_ID | [Member] Security ID |
| TargetUserName | UnicodeString | Group_Name | [Group] Group Name |
| TargetDomainName | UnicodeString | Group_Domain | [Group] Group Domain |
| TargetSid | SID | Security_ID | [Group] Security ID |
| SubjectUserSid | SID | Security_ID | [Subject] Security ID |
| SubjectUserName | UnicodeString | Account_Name | [Subject] Account Name |
| SubjectDomainName | UnicodeString | Account_Domain | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | Logon_ID | [Subject] Logon ID |
| PrivilegeList | UnicodeString | Privileges | [Additional Information] Privileges (see the privilege constants reference) |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4756,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2020-07-12T06:01:13.765572Z",
"event_record_id": 16088267,
"correlation": {},
"execution": {
"process_id": 528,
"thread_id": 3156
},
"channel": "Security",
"computer": "rootdc1.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"MemberName": "CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan",
"MemberSid": "S-1-5-21-4230534742-2542757381-3142984815-1159",
"TargetUserName": "Enterprise Admins",
"TargetDomainName": "OFFSEC",
"TargetSid": "S-1-5-21-4230534742-2542757381-3142984815-519",
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1158",
"SubjectUserName": "lambda-user",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x80e25b9",
"PrivilegeList": "-"
}
}
Detection Patterns #
3 rules
Kusto Query Language
Persistence: Domain Account
1 rule
Community Notes #
Universal groups are forest-wide, so a 4756 for a built-in privileged group (the example above shows Enterprise Admins, RID 519) can capture privilege escalation across domains in a multi-domain forest or across forest trusts. Key on the RID of TargetSid rather than the group name, which can be renamed or localized, and note that MemberName is a distinguished name, not a SAM account name.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4756
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4756
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4757 — A member was removed from a security-enabled universal group.
Description
A member was removed from a security-enabled universal group.
Message #
Fields #
| Field (EventData) | Type | Message label | Description |
|---|---|---|---|
| MemberName | UnicodeString | Account_Name | [Member] Account Name (distinguished name of the removed member) |
| MemberSid | SID | Security_ID | [Member] Security ID |
| TargetUserName | UnicodeString | Group_Name | [Group] Group Name |
| TargetDomainName | UnicodeString | Group_Domain | [Group] Group Domain |
| TargetSid | SID | Security_ID | [Group] Security ID |
| SubjectUserSid | SID | Security_ID | [Subject] Security ID |
| SubjectUserName | UnicodeString | Account_Name | [Subject] Account Name |
| SubjectDomainName | UnicodeString | Account_Domain | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | Logon_ID | [Subject] Logon ID |
| PrivilegeList | UnicodeString | Privileges | [Additional Information] Privileges (see the privilege constants reference) |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4757
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4757
Event ID 4758 — A security-enabled universal group was deleted.
Description
A security-enabled universal group was deleted.
Message #
Fields #
| Field (EventData) | Type | Message label | Description |
|---|---|---|---|
| TargetUserName | UnicodeString | Group_Name | [Group] Group Name |
| TargetDomainName | UnicodeString | Group_Domain | [Group] Group Domain |
| TargetSid | SID | Security_ID | [Group] Security ID |
| SubjectUserSid | SID | Security_ID | [Subject] Security ID |
| SubjectUserName | UnicodeString | Account_Name | [Subject] Account Name |
| SubjectDomainName | UnicodeString | Account_Domain | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | Logon_ID | [Subject] Logon ID |
| PrivilegeList | UnicodeString | Privileges | [Additional Information] Privileges (see the privilege constants reference) |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4758,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:16:14.194447+00:00",
"event_record_id": 16240252,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 6288
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "evtgen_universal",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1120",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"PrivilegeList": "-"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4758
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4758
Event ID 4759 — A security-disabled universal group was created.
Description
A security-disabled universal group was created.
Message #
Fields #
| Field (EventData) | Type | Message label | Description |
|---|---|---|---|
| TargetUserName | UnicodeString | Group_Name | [Group] Group Name |
| TargetDomainName | UnicodeString | Group_Domain | [Group] Group Domain |
| TargetSid | SID | Security_ID | [Group] Security ID |
| SubjectUserSid | SID | Security_ID | [Subject] Security ID |
| SubjectUserName | UnicodeString | Account_Name | [Subject] Account Name |
| SubjectDomainName | UnicodeString | Account_Domain | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | Logon_ID | [Subject] Logon ID |
| PrivilegeList | UnicodeString | Privileges | [Additional Information] Privileges (see the privilege constants reference) |
| SamAccountName | UnicodeString | SAM_Account_Name | [Attributes] SAM Account Name |
| SidHistory | UnicodeString | SID_History | [Attributes] SID History |
Detection Patterns #
Persistence: Domain Account
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4759
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4759
Event ID 4760 — A security-disabled universal group was changed.
Description
A security-disabled universal group was changed.
Message #
Fields #
| Field (EventData) | Type | Message label | Description |
|---|---|---|---|
| TargetUserName | UnicodeString | Group_Name | [Group] Group Name |
| TargetDomainName | UnicodeString | Group_Domain | [Group] Group Domain |
| TargetSid | SID | Security_ID | [Group] Security ID |
| SubjectUserSid | SID | Security_ID | [Subject] Security ID |
| SubjectUserName | UnicodeString | Account_Name | [Subject] Account Name |
| SubjectDomainName | UnicodeString | Account_Domain | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | Logon_ID | [Subject] Logon ID |
| PrivilegeList | UnicodeString | Privileges | [Additional Information] Privileges (see the privilege constants reference) |
| SamAccountName | UnicodeString | SAM_Account_Name | [Changed Attributes] SAM Account Name |
| SidHistory | UnicodeString | SID_History | [Changed Attributes] SID History |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4760
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4760
Event ID 4761 — A member was added to a security-disabled universal group.
Description
A member was added to a security-disabled universal group.
Message #
Fields #
| Field (EventData) | Type | Message label | Description |
|---|---|---|---|
| MemberName | UnicodeString | Account_Name | [Member] Account Name (distinguished name of the added member) |
| MemberSid | SID | Security_ID | [Member] Security ID |
| TargetUserName | UnicodeString | Group_Name | [Group] Group Name |
| TargetDomainName | UnicodeString | Group_Domain | [Group] Group Domain |
| TargetSid | SID | Security_ID | [Group] Security ID |
| SubjectUserSid | SID | Security_ID | [Subject] Security ID |
| SubjectUserName | UnicodeString | Account_Name | [Subject] Account Name |
| SubjectDomainName | UnicodeString | Account_Domain | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | Logon_ID | [Subject] Logon ID |
| PrivilegeList | UnicodeString | Privileges | [Additional Information] Privileges (see the privilege constants reference) |
| MembershipExpirationTime | FILETIME | (none) | Expiration time of a time-bound membership |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4761
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4761
Event ID 4762 — A member was removed from a security-disabled universal group.
Description
A member was removed from a security-disabled universal group.
Message #
Fields #
| Field (EventData) | Type | Message label | Description |
|---|---|---|---|
| MemberName | UnicodeString | Account_Name | [Member] Account Name (distinguished name of the removed member) |
| MemberSid | SID | Security_ID | [Member] Security ID |
| TargetUserName | UnicodeString | Group_Name | [Group] Group Name |
| TargetDomainName | UnicodeString | Group_Domain | [Group] Group Domain |
| TargetSid | SID | Security_ID | [Group] Security ID |
| SubjectUserSid | SID | Security_ID | [Subject] Security ID |
| SubjectUserName | UnicodeString | Account_Name | [Subject] Account Name |
| SubjectDomainName | UnicodeString | Account_Domain | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | Logon_ID | [Subject] Logon ID |
| PrivilegeList | UnicodeString | Privileges | [Additional Information] Privileges (see the privilege constants reference) |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4762
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4762
Event ID 4763 — A security-disabled universal group was deleted.
Description
A security-disabled universal group was deleted.
Message #
Fields #
| Field (EventData) | Type | Message label | Description |
|---|---|---|---|
| TargetUserName | UnicodeString | Group_Name | [Group] Group Name |
| TargetDomainName | UnicodeString | Group_Domain | [Group] Group Domain |
| TargetSid | SID | Security_ID | [Group] Security ID |
| SubjectUserSid | SID | Security_ID | [Subject] Security ID |
| SubjectUserName | UnicodeString | Account_Name | [Subject] Account Name |
| SubjectDomainName | UnicodeString | Account_Domain | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | Logon_ID | [Subject] Logon ID |
| PrivilegeList | UnicodeString | Privileges | [Additional Information] Privileges (see the privilege constants reference) |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4763
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4763
Event ID 4764 — A group’s type was changed.
Description
A group's type was changed (for example from a security-disabled distribution group to a security-enabled group, or between global, universal and local scope).
Message #
Fields #
| Field (EventData) | Type | Message label | Description |
|---|---|---|---|
| GroupTypeChange | UnicodeString | Change_Type | Change Type, as text of the form "<old group type> Changed to <new group type>." |
| TargetUserName | UnicodeString | Group_Name | [Group] Group Name |
| TargetDomainName | UnicodeString | Group_Domain | [Group] Group Domain |
| TargetSid | SID | Security_ID | [Group] Security ID |
| SubjectUserSid | SID | Security_ID | [Subject] Security ID |
| SubjectUserName | UnicodeString | Account_Name | [Subject] Account Name |
| SubjectDomainName | UnicodeString | Account_Domain | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | Logon_ID | [Subject] Logon ID |
| PrivilegeList | UnicodeString | Privileges | [Additional Information] Privileges (see the privilege constants reference) |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4764,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:16:10.897820+00:00",
"event_record_id": 16240135,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 6288
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"GroupTypeChange": "Security Disabled Global Group Changed to Security Enabled Global Group.",
"TargetUserName": "evtgen_distro",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1121",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"PrivilegeList": "-"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4764
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4764
Event ID 4765 — SID History was added to an account.
Description
SID History was added to an account.
Message #
Fields #
| Field (EventData) | Message label | Description |
|---|---|---|
| SourceUserName | Account_Name | [Source Account] Account Name |
| SourceSid | Security_ID | [Source Account] Security ID |
| TargetUserName | Account_Name | [Target Account] Account Name |
| TargetDomainName | Account_Domain | [Target Account] Account Domain |
| TargetSid | Security_ID | [Target Account] Security ID |
| SubjectUserSid | Security_ID | [Subject] Security ID |
| SubjectUserName | Account_Name | [Subject] Account Name |
| SubjectDomainName | Account_Domain | [Subject] Account Domain |
| SubjectLogonId | Logon_ID | [Subject] Logon ID |
| PrivilegeList | Privileges | [Additional Information] Privileges (see the privilege constants reference) |
| SidList | SID_List | [Additional Information] SID List |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4765,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2017-06-12T23:39:43.512986Z",
"event_record_id": 8075,
"correlation": {},
"execution": {
"process_id": 496,
"thread_id": 1696
},
"channel": "Security",
"computer": "2012r2srv.maincorp.local",
"security": {
"user_id": ""
}
},
"event_data": {
"SourceUserName": "maincorp.local\\Domain Admins",
"SourceSid": "S-1-5-21-2634088540-571122920-1382659128-512",
"TargetUserName": "labuser",
"TargetDomainName": "MAINCORP",
"TargetSid": "S-1-5-21-2634088540-571122920-1382659128-1104",
"SubjectUserSid": "S-1-5-21-2634088540-571122920-1382659128-500",
"SubjectUserName": "Administrator",
"SubjectDomainName": "MAINCORP",
"SubjectLogonId": "0x432c8",
"PrivilegeList": "-",
"SidList": "-"
}
}
Detection Patterns #
Community Notes #
sIDHistory is legitimately written only during a domain migration (for example with ADMT), where the Subject is the migration account and the source SID belongs to the trusted source domain. Outside that, a 4765 is a strong indicator of SID-History injection for persistence or privilege escalation (MITRE ATT&CK T1134.005); the example above adds the Domain Admins SID (RID 512) to the ordinary user labuser. Changes pushed through DCShadow replicate in as directory updates and are generally not logged as 4765 on the receiving DC, so the absence of this event does not rule out injection.
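The triage logic for the group-management events above (4756 member added to a privileged universal group, 4764 distribution group converted to a security group, 4765 SID History added) in one place, as an added example that is not code from this page or from Microsoft. It consumes EventData dicts shaped like the example events on this page; the sample records are constructed from those examples, and the PRIVILEGED_RIDS table and the MIGRATION_ACCOUNTS allow-list are assumptions to tune per environment.

```python
"""Triage of group-management and SID-History events (added example, not from the page).

Takes EventData dicts for 4756, 4764 and 4765 and returns a finding where the
change confers or hides privilege. Sample records are constructed from the
examples on this page; PRIVILEGED_RIDS and MIGRATION_ACCOUNTS are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known RIDs of domain groups that confer domain- or forest-wide control.
# Keying on the RID of TargetSid is robust to renamed or localized group names.
PRIVILEGED_RIDS = {512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}
# Assumption: the only account expected to write sIDHistory is a migration service account.
MIGRATION_ACCOUNTS = {"admt-svc"}


def rid(sid: str) -> Optional[int]:
    """Relative ID (last sub-authority) of a domain SID; None for S-1-0-0, builtin SIDs, etc."""
    parts = sid.split("-")
    if len(parts) < 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None
    return int(parts[-1])


@dataclass
class Finding:
    event_id: int
    severity: str
    summary: str


def triage(event_id: int, d: Dict[str, str]) -> Optional[Finding]:
    subject = f"{d.get('SubjectDomainName', '?')}\\{d.get('SubjectUserName', '?')}"
    if event_id == 4756:
        r = rid(d["TargetSid"])
        if r in PRIVILEGED_RIDS:
            return Finding(event_id, "high",
                           f"{subject} added {d['MemberName']} to {PRIVILEGED_RIDS[r]} (RID {r})")
        return None
    if event_id == 4764:
        # GroupTypeChange reads "<old type> Changed to <new type>."; a distribution group
        # that becomes security-enabled can suddenly grant access through existing ACLs.
        old, _, new = d.get("GroupTypeChange", "").partition(" Changed to ")
        if "Security Disabled" in old and "Security Enabled" in new:
            return Finding(event_id, "medium",
                           f"{subject} made {d['TargetUserName']} security-enabled: {old} -> {new.rstrip('.')}")
        return None
    if event_id == 4765:
        if d.get("SubjectUserName", "").lower() in MIGRATION_ACCOUNTS:
            return None  # planned migration: log it, do not alert
        return Finding(event_id, "high",
                       f"{subject} added SID History {d['SourceSid']} ({d['SourceUserName']}) to {d['TargetUserName']}")
    return None


# Constructed sample records modelled on the 4756, 4764 and 4765 examples on this page.
SAMPLE_EVENTS: List[Tuple[int, Dict[str, str]]] = [
    (4756, {"MemberName": "CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan",
            "MemberSid": "S-1-5-21-4230534742-2542757381-3142984815-1159",
            "TargetUserName": "Enterprise Admins", "TargetDomainName": "OFFSEC",
            "TargetSid": "S-1-5-21-4230534742-2542757381-3142984815-519",
            "SubjectUserName": "lambda-user", "SubjectDomainName": "OFFSEC"}),
    (4764, {"GroupTypeChange": "Security Disabled Global Group Changed to Security Enabled Global Group.",
            "TargetUserName": "evtgen_distro", "TargetDomainName": "ludus",
            "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1121",
            "SubjectUserName": "domainadmin", "SubjectDomainName": "ludus"}),
    (4765, {"SourceUserName": "maincorp.local\\Domain Admins",
            "SourceSid": "S-1-5-21-2634088540-571122920-1382659128-512",
            "TargetUserName": "labuser", "TargetDomainName": "MAINCORP",
            "TargetSid": "S-1-5-21-2634088540-571122920-1382659128-1104",
            "SubjectUserName": "Administrator", "SubjectDomainName": "MAINCORP"}),
    # Benign: an ordinary universal group (RID 1120), so no finding.
    (4756, {"MemberName": "CN=bob,DC=ludus,DC=domain",
            "MemberSid": "S-1-5-21-1006758700-2167138679-1475694448-1130",
            "TargetUserName": "evtgen_universal", "TargetDomainName": "ludus",
            "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1120",
            "SubjectUserName": "domainadmin", "SubjectDomainName": "ludus"}),
]


def run(events: List[Tuple[int, Dict[str, str]]] = SAMPLE_EVENTS) -> List[Finding]:
    return [f for eid, d in events if (f := triage(eid, d)) is not None]


if __name__ == "__main__":
    for f in run():
        print(f.event_id, f.severity, f.summary)
```

The RID check deliberately ignores the group name: a 4756 whose TargetSid ends in -519 is Enterprise Admins whatever it has been renamed to, while builtin groups (S-1-5-32-...) and the S-1-0-0 placeholder fall through as None and are left to a separate rule.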
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4765
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4765
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4766 — An attempt to add SID History to an account failed.
Description
An attempt to add SID History to an account failed.
Message #
Fields #
| Field (EventData) | Message label | Description |
|---|---|---|
| SourceUserName | Account_Name | [Source Account] Account Name |
| TargetUserName | Account_Name | [Target Account] Account Name |
| TargetDomainName | Account_Domain | [Target Account] Account Domain |
| TargetSid | Security_ID | [Target Account] Security ID |
| SubjectUserName | Account_Name | [Subject] Account Name |
| SubjectDomainName | Account_Domain | [Subject] Account Domain |
| SubjectLogonId | Logon_ID | [Subject] Logon ID |
| PrivilegeList | Privileges | [Additional Information] Privileges (see the privilege constants reference) |
Detection Patterns #
Community Notes #
Treat like 4765: outside a planned domain migration, even a failed attempt to write sIDHistory is worth investigating as attempted SID-History injection (MITRE ATT&CK T1134.005). As with 4765, changes pushed through DCShadow arrive via replication and are generally not logged this way on the receiving DC.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4766
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4766
Event ID 4767 — A user account was unlocked.
Description
A user account was unlocked.
Message #
Fields #
| Field (EventData) | Type | Message label | Description |
|---|---|---|---|
| TargetUserName | UnicodeString | Account_Name | [Target Account] Account Name |
| TargetDomainName | UnicodeString | Account_Domain | [Target Account] Account Domain |
| TargetSid | SID | Security_ID | [Target Account] Security ID |
| SubjectUserSid | SID | Security_ID | [Subject] Security ID |
| SubjectUserName | UnicodeString | Account_Name | [Subject] Account Name |
| SubjectDomainName | UnicodeString | Account_Domain | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | Logon_ID | [Subject] Logon ID |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4767,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:16:10.398421+00:00",
"event_record_id": 16240087,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 1756
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "evtgen_user3",
"TargetDomainName": "ludus",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1115",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4767
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767
Event ID 4768 — A Kerberos authentication ticket (TGT) was requested.
Description
A Kerberos authentication ticket (TGT) was requested.
Message #
Fields #
| Field (EventData) | Message label | Description |
|---|---|---|
| TargetUserName | Account_Name | [Account Information] Account Name |
| TargetDomainName | Supplied_Realm_Name | [Account Information] Supplied Realm Name |
| TargetSid | User_ID | [Account Information] User ID (S-1-0-0 when the request failed) |
| ServiceName | Service_Name | [Service Information] Service Name (krbtgt/REALM for a TGT request) |
| ServiceSid | Service_ID | [Service Information] Service ID |
| TicketOptions | Ticket_Options | [Additional Information] Ticket Options (KDC options bitmask) |
| Status | Result_Code | [Additional Information] Result Code: 0x0 on success, otherwise the Kerberos error code (0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN, 0x12 KDC_ERR_CLIENT_REVOKED, and so on) |
| TicketEncryptionType | Ticket_Encryption_Type | [Additional Information] Ticket Encryption Type (0x12 AES256, 0x11 AES128, 0x17 RC4-HMAC; 0xffffffff when no ticket was issued) |
| PreAuthType | PreAuthentication_Type | [Additional Information] Pre-Authentication Type (2 = PA-ENC-TIMESTAMP, 16 = PA-PK-AS-REQ certificate, 0 = no pre-authentication; "-" in the failed example above) |
| IpAddress | Client_Address | [Network Information] Client Address |
| IpPort | Client_Port | [Network Information] Client Port |
| CertIssuerName | Certificate_Issuer_Name | [Certificate Information] Certificate Issuer Name |
| CertSerialNumber | Certificate_Serial_Number | [Certificate Information] Certificate Serial Number |
| CertThumbprint | Certificate_Thumbprint | [Certificate Information] Certificate Thumbprint |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4768,
"version": 0,
"level": 0,
"task": 14339,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2020-07-22T20:29:36.414827Z",
"event_record_id": 887107,
"correlation": {},
"execution": {
"process_id": 568,
"thread_id": 2476
},
"channel": "Security",
"computer": "01566s-win16-ir.threebeesco.com",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "HD01",
"TargetDomainName": "CONTOSO.COM",
"TargetSid": "S-1-0-0",
"ServiceName": "krbtgt/CONTOSO.COM",
"ServiceSid": "S-1-0-0",
"TicketOptions": "0x10",
"Status": "0x6",
"TicketEncryptionType": "0xffffffff",
"PreAuthType": "-",
"IpAddress": "172.16.66.1",
"IpPort": "55961",
"CertIssuerName": "",
"CertSerialNumber": "",
"CertThumbprint": ""
}
}
Detection Patterns #
Defense Evasion: Domain Accounts
1 rule
Community Notes #
Golden-ticket and Pass-the-Ticket attacks inject a forged or stolen TGT directly into a logon session, so they send no AS-REQ and produce no 4768 on the KDC; what shows up is 4769 service-ticket requests (and logons) for an account and client address with no preceding 4768. Correlating each 4769 back to a 4768 for the same account and Client Address is therefore the useful check. In the example above, Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) with User ID S-1-0-0, encryption type 0xffffffff and keywords 9227875636482146304 (0x8010000000000000, Audit Failure) is a failed request for a non-existent principal; many of these from one Client Address is the user-enumeration pattern the rules below describe.
Detection Rules #
Sigma #
- Potential AS-REP Roasting via Kerberos TGT Requests (level: medium): Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type 0x17, i.e. RC4-HMAC. This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.
- PetitPotam Suspicious Kerberos TGT Request (level: high): Detect suspicious Kerberos TGT requests. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning; we recommend filtering Account_Name to the Domain Controller computer accounts.
Splunk #
- Kerberos TGT Request Using RC4 Encryption: The following analytic detects a Kerberos Ticket Granting Ticket (TGT) request using RC4-HMAC encryption (type 0x17) by leveraging Event 4768. This encryption type is outdated and its presence may indicate an OverPass The Hash attack. Monitoring this activity is crucial as it can signify credential theft, allowing adversaries to authenticate to the Kerberos Distribution Center (KDC) using a stolen NTLM hash. If confirmed malicious, this could enable unauthorized access to systems and resources, potentially leading to lateral movement and further compromise within the network.
- Kerberos User Enumeration: The following analytic detects an unusual number of Kerberos Ticket Granting Ticket (TGT) requests for non-existing users from a single source endpoint. It leverages Event ID 4768 and identifies anomalies using the 3-sigma statistical rule. This behavior is significant as it may indicate an adversary performing a user enumeration attack against Active Directory. If confirmed malicious, the attacker could validate a list of usernames, potentially leading to further attacks such as brute force or credential stuffing, compromising the security of the environment.
- PetitPotam Suspicious Kerberos TGT Request: The following analytic detects a suspicious Kerberos Ticket Granting Ticket (TGT) request, identified by Event Code 4768. This detection leverages Windows Security Event Logs to identify TGT requests with unusual fields, which may indicate the use of tools like Rubeus following the exploitation of CVE-2021-36942 (PetitPotam). This activity is significant as it can signal an attacker leveraging a compromised certificate to request Kerberos tickets, potentially leading to unauthorized access. If confirmed malicious, this could allow attackers to escalate privileges and persist within the environment, posing a severe security risk.
- Windows Computer Account Requesting Kerberos Ticket: The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to identify instances where the TargetUserName ends with a dollar sign ($), indicating a computer account. This activity is significant because it may indicate the use of tools like KrbUpRelay or other Kerberos-based attacks. If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network.
- Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos: The following analytic detects a single source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. It leverages Windows Security Event 4768, focusing on failure code `0x12`, indicating revoked credentials. This activity is significant as it may indicate a Password Spraying attack targeting disabled accounts, a tactic used by adversaries to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a severe security risk.
- Windows Multiple Invalid Users Fail To Authenticate Using Kerberos: The following analytic identifies a source endpoint failing to authenticate with 30 unique invalid domain users using the Kerberos protocol. This detection leverages EventCode 4768, specifically looking for failure code 0x6, indicating the user is not found in the Kerberos database. This activity is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access or privilege escalation within the Active Directory environment, posing a significant security risk.
- Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos: The following analytic identifies a source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. It leverages EventCode 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT) and detects failure code `0x12` (credentials revoked). This behavior is significant as it may indicate a Password Spraying attack targeting disabled accounts, potentially leading to initial access or privilege escalation. If confirmed malicious, attackers could gain unauthorized access or elevate privileges within the Active Directory environment.
- Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos: The following analytic identifies a source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. It leverages Event ID 4768, which is generated when the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT) and detects failure code 0x6, indicating the user is not found in the Kerberos database. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access and potential privilege escalation within the Active Directory environment.
Kusto Query Language #
- Certified Pre-Owned - TGTs requested with certificate authentication (level: medium): This query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).
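The indicators the Sigma, Splunk and KQL rules above describe, run as one piece of detection logic over 4768 EventData records, as an added example that is not code from this page or from any of those rule sets. It flags AS-REP roasting candidates (pre-authentication type 0 with RC4), RC4 TGTs, certificate (PKINIT) authentication, computer-account TGT requests, and per-client bursts of 0x6 or 0x12 failures. The records are constructed here and modelled on the example event above; the 30-account spray threshold and the field values of the synthetic records are assumptions.

```python
"""Triage of 4768 (Kerberos TGT request) EventData (added example, not from the page).

Sample records are constructed; the spray threshold is an assumption.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

KRB_STATUS = {  # Kerberos error codes as they appear in the Status field
    "0x0": "success",
    "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN (user not found)",
    "0x12": "KDC_ERR_CLIENT_REVOKED (disabled, expired or locked out)",
    "0x18": "KDC_ERR_PREAUTH_FAILED (bad password)",
}
ETYPE = {"0x11": "AES128", "0x12": "AES256", "0x17": "RC4-HMAC", "0xffffffff": "n/a (failed request)"}
SPRAY_THRESHOLD = 30  # distinct account names from one client address (the Splunk rules use 30)


def classify(d: Dict[str, str]) -> List[str]:
    """Indicator tags for a single 4768 record."""
    tags: List[str] = []
    status = d.get("Status", "0x0")
    if status != "0x0":
        return ["failure:" + KRB_STATUS.get(status, status)]
    etype = d.get("TicketEncryptionType", "")
    if d.get("PreAuthType") == "0" and etype == "0x17":
        tags.append("asrep-roast-candidate")   # Sigma: pre-auth disabled + RC4
    elif etype == "0x17":
        tags.append("rc4-tgt")                 # Splunk: RC4 TGT, possible overpass-the-hash
    if d.get("CertThumbprint"):
        tags.append("certificate-auth")        # KQL: TGT obtained with a certificate (PKINIT)
    if d.get("TargetUserName", "").endswith("$"):
        tags.append("computer-account-tgt")    # noisy alone: machine accounts request TGTs routinely
    return tags


def spray_summary(events: List[Dict[str, str]], threshold: int = SPRAY_THRESHOLD) -> Dict[Tuple[str, str], int]:
    """(client address, status) -> distinct accounts, for 0x6/0x12 bursts at or above threshold."""
    seen: Dict[Tuple[str, str], set] = defaultdict(set)
    for d in events:
        if d.get("Status") in ("0x6", "0x12"):
            seen[(d["IpAddress"], d["Status"])].add(d["TargetUserName"].lower())
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}


def build_samples() -> List[Dict[str, str]]:
    """Constructed records modelled on the example event above (not real telemetry)."""
    base = {"TargetDomainName": "CONTOSO.COM", "ServiceName": "krbtgt/CONTOSO.COM",
            "TicketOptions": "0x40810010", "PreAuthType": "2", "IpPort": "55961",
            "CertIssuerName": "", "CertSerialNumber": "", "CertThumbprint": ""}
    ev = [
        # ordinary AES256 TGT with timestamp pre-authentication
        {**base, "TargetUserName": "alice", "Status": "0x0", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
        # account without pre-authentication, RC4 ticket: AS-REP roasting target
        {**base, "TargetUserName": "svc-legacy", "Status": "0x0", "TicketEncryptionType": "0x17",
         "PreAuthType": "0", "IpAddress": "10.0.0.77"},
        # RC4 TGT with pre-authentication: overpass-the-hash style
        {**base, "TargetUserName": "bob", "Status": "0x0", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.78"},
        # machine account authenticating with a certificate (PKINIT)
        {**base, "TargetUserName": "DC01$", "Status": "0x0", "TicketEncryptionType": "0x12", "PreAuthType": "16",
         "IpAddress": "10.0.0.90", "CertIssuerName": "contoso-CA", "CertSerialNumber": "1a2b", "CertThumbprint": "0f9c"},
    ]
    # enumeration burst: 31 non-existent users from one client, as in the 0x6 example above
    for i in range(31):
        ev.append({**base, "TargetUserName": f"guess{i}", "Status": "0x6", "TicketEncryptionType": "0xffffffff",
                   "PreAuthType": "-", "IpAddress": "172.16.66.1"})
    return ev


if __name__ == "__main__":
    records = build_samples()
    for r in records[:5]:
        print(r["TargetUserName"], r["IpAddress"], classify(r))
    print(spray_summary(records))
```

The failure branch returns early because a failed request carries no ticket (encryption type 0xffffffff, User ID S-1-0-0), so the encryption and pre-authentication checks only make sense on Status 0x0; the burst counter keys on distinct account names per client and status so that one user retrying does not trip it.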
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4769 — A Kerberos service ticket was requested.
Description #
A Kerberos service ticket was requested.
Message #
Fields #
| Name | Description |
|---|---|
| Account_Name | [Account Information] Account Name. |
| Account_Domain | [Account Information] Account Domain. |
| Service_Name | [Service Information] Service Name. Indicates the resource to which access was requested. |
| Service_ID | [Service Information] Service ID. |
| Ticket_Options | [Additional Information] Ticket Options. Bitmask flags |
| Ticket_Encryption_Type | [Additional Information] Ticket Encryption Type. Known values |
| Client_Address | [Network Information] Client Address. |
| Client_Port | [Network Information] Client Port. |
| Failure_Code | [Additional Information] Failure Code. NTSTATUS reference |
| Logon_GUID | [Account Information] Logon GUID. |
| Transited_Services | [Additional Information] Transited Services. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4769,
"version": 0,
"level": 0,
"task": 14337,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2021-12-12T17:57:52.277095Z",
"event_record_id": 2982083,
"correlation": {},
"execution": {
"process_id": 624,
"thread_id": 3652
},
"channel": "Security",
"computer": "01566s-win16-ir.threebeesco.com",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "labuser@CONTOSO.COM",
"TargetDomainName": "CONTOSO.COM",
"ServiceName": "01566S-WIN16-IR$",
"ServiceSid": "S-1-5-21-308926384-506822093-3341789130-35103",
"TicketOptions": "0x40810000",
"TicketEncryptionType": "0x12",
"IpAddress": "::ffff:172.16.66.19",
"IpPort": "50612",
"Status": "0x0",
"LogonGuid": "58ADC6C7-668E-A999-C52A-384B1CB8E553",
"TransmittedServices": "-"
}
}
Community Notes #
Tickets for hosts that a user has not previously accessed may indicate Pass-the-Ticket or RDP/WMI pivoting. Confirm that the target server is also the host that is actually contacted, and look for unusual or weak encryption types such as RC4 (which may indicate S4U2Proxy). Check for movement between services or SPNs, and for unusual service names.
Detection Rules #
Sigma #
- Kerberoasting Activity - Initial Query source medium: This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
- Suspicious Kerberos RC4 Ticket Encryption source medium: Detects service ticket requests using RC4 encryption type
Splunk #
- Kerberoasting spn request with RC4 encryption source: The following analytic detects potential Kerberoasting attacks by identifying Kerberos service ticket requests with RC4 encryption through Event ID 4769. It leverages specific Ticket_Options values commonly used by Kerberoasting tools. This activity is significant as Kerberoasting allows attackers to request service tickets for domain accounts, typically service accounts, and crack them offline to gain privileged access. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the Active Directory environment.
- Kerberos Service Ticket Request Using RC4 Encryption source: The following analytic detects Kerberos service ticket requests using RC4 encryption, leveraging Kerberos Event 4769. This method identifies potential Golden Ticket attacks, where adversaries forge Kerberos Granting Tickets (TGT) using the Krbtgt account NTLM password hash to gain unrestricted access to an Active Directory environment. Monitoring for RC4 encryption usage is significant as it is rare in modern networks, indicating possible malicious activity. If confirmed malicious, attackers could move laterally and execute code on remote systems, compromising the entire network. Note: This detection may be bypassed if attackers use the AES key instead of the NTLM hash.
- Suspicious Kerberos Service Ticket Request source: The following analytic detects suspicious Kerberos Service Ticket (TGS) requests where the requesting account name matches the service name, potentially indicating an exploitation attempt of CVE-2021-42278 and CVE-2021-42287. This detection leverages Event ID 4769 from Domain Controller and Kerberos events. Such activity is significant as it may represent an adversary attempting to escalate privileges by impersonating a domain controller. If confirmed malicious, this could allow an attacker to take control of the domain controller, leading to complete domain compromise and unauthorized access to sensitive information.
- Unusual Number of Computer Service Tickets Requested source: The following analytic identifies an unusual number of computer service ticket requests from a single source, leveraging Event ID 4769, "A Kerberos service ticket was requested." It uses statistical analysis, including standard deviation and the 3-sigma rule, to detect anomalies in service ticket requests. This activity is significant as it may indicate malicious behavior such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, facilitating further compromise and potential data exfiltration.
- Unusual Number of Kerberos Service Tickets Requested source: The following analytic identifies an unusual number of Kerberos service ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos Event 4769 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This activity is significant as kerberoasting allows adversaries to request service tickets and crack them offline, potentially gaining privileged access to the domain. If confirmed malicious, this could lead to unauthorized access to sensitive accounts and escalation of privileges within the Active Directory environment.
- Windows Large Number of Computer Service Tickets Requested source: The following analytic detects a high volume of Kerberos service ticket requests, specifically more than 30, from a single source within a 5-minute window. It leverages Event ID 4769, which logs when a Kerberos service ticket is requested, focusing on requests with computer names as the Service Name. This behavior is significant as it may indicate malicious activities such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, potentially compromising the entire network.
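The rules above share three observable indicators in a 4769 record: an RC4 (0x17) ticket for a non-computer service, a requesting account whose name equals the service name, and a burst of more than 30 computer-account tickets from one source in five minutes. The following is an added example, not code from this page or from any of the vendors cited; it applies those three checks to constructed events in the JSON layout shown above (field names as in the example event, thresholds as stated in the rule descriptions).

```python
"""Added example: triage 4769 records using the indicators described in the
detection rules above. Input events are constructed; only the fields the
checks need are populated."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Kerberos etype values as logged in TicketEncryptionType (RFC 3961 / MS-KILE).
ETYPE_NAMES = {"0x11": "AES128", "0x12": "AES256", "0x17": "RC4-HMAC", "0x3": "DES-CBC-MD5"}
RC4 = "0x17"
COMPUTER_TICKET_THRESHOLD = 30   # "more than 30 ... within a 5-minute window"
WINDOW = timedelta(minutes=5)


def parse_time(ts: str) -> datetime:
    """time_created as written in the sample events (either 'Z' or '+00:00')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_computer_account(name: str) -> bool:
    # Computer accounts end with '$', e.g. "01566S-WIN16-IR$" in the example event.
    return name.split("@")[0].rstrip().endswith("$")


def triage_4769(event: dict) -> list[str]:
    """Return indicator tags for one 4769 event (empty list = nothing notable)."""
    d = event["event_data"]
    tags = []
    if d.get("Status", "0x0") != "0x0":
        return tags                        # failed requests are logged as 4773
    if d["TicketEncryptionType"] == RC4 and not is_computer_account(d["ServiceName"]):
        tags.append("rc4_service_ticket")  # Kerberoasting-style request
    user = d["TargetUserName"].split("@")[0].lower()
    if user == d["ServiceName"].lower():
        tags.append("account_equals_service")  # CVE-2021-42278/42287 indicator
    return tags


def computer_ticket_bursts(events: list[dict]) -> dict[str, int]:
    """Per source IP, the largest number of computer-account service tickets
    requested inside any sliding 5-minute window; only sources above the
    threshold are returned."""
    per_src = defaultdict(list)
    for ev in events:
        d = ev["event_data"]
        if ev["system"]["event_id"] == 4769 and is_computer_account(d["ServiceName"]):
            per_src[d["IpAddress"]].append(parse_time(ev["system"]["time_created"]))
    result = {}
    for src, times in per_src.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > WINDOW:
                lo += 1
            best = max(best, hi - lo + 1)
        if best > COMPUTER_TICKET_THRESHOLD:
            result[src] = best
    return result


def make_event(ts, user, service, etype, ip, status="0x0"):
    """Constructed 4769 record in the page's JSON layout (only fields used here)."""
    return {"system": {"event_id": 4769, "time_created": ts},
            "event_data": {"TargetUserName": user, "ServiceName": service,
                           "TicketEncryptionType": etype, "IpAddress": ip,
                           "Status": status}}


# Constructed sample: one benign AES request, one RC4 request for a user SPN,
# one name collision, and a burst of 31 computer tickets from a single host.
SAMPLE = [
    make_event("2021-12-12T17:57:52Z", "labuser@CONTOSO.COM", "01566S-WIN16-IR$", "0x12", "::ffff:172.16.66.19"),
    make_event("2021-12-12T17:58:01Z", "labuser@CONTOSO.COM", "svc_sql", "0x17", "::ffff:172.16.66.19"),
    make_event("2021-12-12T17:58:05Z", "DC01@CONTOSO.COM", "dc01", "0x12", "::ffff:172.16.66.44"),
] + [
    make_event((datetime(2021, 12, 12, 18, 0, tzinfo=timezone.utc) + timedelta(seconds=5 * i)).isoformat(),
               "scanner@CONTOSO.COM", f"WS{i:03d}$", "0x12", "::ffff:172.16.66.77")
    for i in range(31)
]

if __name__ == "__main__":
    for ev in SAMPLE[:3]:
        print(ev["event_data"]["ServiceName"], triage_4769(ev))
    print(computer_ticket_bursts(SAMPLE))
```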
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4769
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4770 — A Kerberos service ticket was renewed.
Description #
A Kerberos service ticket was renewed.
Message #
Fields #
| Name | Description |
|---|---|
| TargetUserName UnicodeString | [Account Information] Account Name |
| TargetDomainName UnicodeString | [Account Information] Account Domain |
| ServiceName UnicodeString | [Service Information] Service Name |
| ServiceSid SID | [Service Information] Service ID |
| TicketOptions HexInt32 | [Additional Information] Ticket Options. Bitmask flags |
| TicketEncryptionType HexInt32 | [Additional Information] Ticket Encryption Type. Known values |
| IpAddress UnicodeString | [Network Information] Client Address |
| IpPort UnicodeString | [Network Information] Client Port |
| Account_Name UnicodeString | [Account Information] Account Name. |
| Account_Domain UnicodeString | [Account Information] Account Domain. |
| Service_Name UnicodeString | [Service Information] Service Name. |
| Service_ID SID | [Service Information] Service ID. |
| Ticket_Options HexInt32 | [Additional Information] Ticket Options. Bitmask flags |
| Ticket_Encryption_Type HexInt32 | [Additional Information] Ticket Encryption Type. Known values |
| Client_Address UnicodeString | [Network Information] Client Address. |
| Client_Port UnicodeString | [Network Information] Client Port. |
| RequestTicketHash UnicodeString | — |
| ResponseTicketHash UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4770,
"version": 0,
"level": 0,
"task": 14337,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-07T02:29:17.564406+00:00",
"event_record_id": 13430760,
"correlation": {},
"execution": {
"process_id": 916,
"thread_id": 2888
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "LAB-DC01$@LUDUS.DOMAIN",
"TargetDomainName": "LUDUS.DOMAIN",
"ServiceName": "krbtgt",
"ServiceSid": "S-1-5-21-1006758700-2167138679-1475694448-502",
"TicketOptions": "0x10002",
"TicketEncryptionType": "0x12",
"IpAddress": "::1",
"IpPort": "0"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4770
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4770
Event ID 4771 — Kerberos pre-authentication failed.
Description #
Kerberos pre-authentication failed.
Message #
Fields #
| Name | Description |
|---|---|
| Account_Name | [Account Information] Account Name. |
| Security_ID | [Account Information] Security ID. |
| Service_Name | [Service Information] Service Name. |
| Ticket_Options | [Additional Information] Ticket Options. If the request was malformed or damaged during transit and could not be decrypted, many fields in this event might not be present. Bitmask flags |
| Failure_Code | [Additional Information] Failure Code. NTSTATUS reference |
| PreAuthentication_Type | [Additional Information] Pre-Authentication Type. Known values |
| Client_Address | [Network Information] Client Address. |
| Client_Port | [Network Information] Client Port. |
| Certificate_Issuer_Name | [Certificate Information] Certificate Issuer Name. |
| Certificate_Serial_Number | [Certificate Information] Certificate Serial Number. |
| Certificate_Thumbprint | [Certificate Information] Certificate Thumbprint. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4771,
"version": 0,
"level": 0,
"task": 14339,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2020-07-22T20:29:36.425365Z",
"event_record_id": 887114,
"correlation": {},
"execution": {
"process_id": 568,
"thread_id": 2356
},
"channel": "Security",
"computer": "01566s-win16-ir.threebeesco.com",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "Administrator",
"TargetSid": "S-1-5-21-308926384-506822093-3341789130-500",
"ServiceName": "krbtgt/CONTOSO.COM",
"TicketOptions": "0x10",
"Status": "0x18",
"PreAuthType": "2",
"IpAddress": "172.16.66.1",
"IpPort": "55967",
"CertIssuerName": "",
"CertSerialNumber": "",
"CertThumbprint": ""
}
}
Community Notes #
May indicate password spraying. Pivot on ClientAddress.
Detection Rules #
Splunk #
- Windows Multiple Users Failed To Authenticate Using Kerberos source: The following analytic identifies a single source endpoint failing to authenticate with 30 unique users using the Kerberos protocol. It leverages EventCode 4771 with Status 0x18, indicating wrong password attempts, and aggregates these events over a 5-minute window. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges in an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.
- Windows Unusual Count Of Users Failed To Auth Using Kerberos source: The following analytic identifies a source endpoint failing to authenticate multiple valid users using the Kerberos protocol, potentially indicating a Password Spraying attack. It leverages Event 4771, which is generated when the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT) due to a wrong password (failure code 0x18). This detection uses statistical analysis, specifically the 3-sigma rule, to identify unusual authentication failures. If confirmed malicious, this activity could allow an attacker to gain initial access or elevate privileges within an Active Directory environment.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4772 — A Kerberos authentication ticket request failed.
Description #
A Kerberos authentication ticket request failed.
Message #
Fields #
| Name | Description |
|---|---|
| Account_Name UnicodeString | [Account Information] Account Name. |
| Supplied_Realm_Name UnicodeString | [Account Information] Supplied Realm Name. |
| Service_Name UnicodeString | [Service Information] Service Name. |
| Ticket_Options UnicodeString | [Additional Information] Ticket Options. Bitmask flags |
| Failure_Code UnicodeString | [Additional Information] Failure Code. NTSTATUS reference |
| Client_Address UnicodeString | [Network Information] Client Address. |
| Client_Port UnicodeString | [Network Information] Client Port. |
| TargetUserName UnicodeString | [Account Information] Account Name |
| TargetDomainName UnicodeString | [Account Information] Supplied Realm Name |
| ServiceName UnicodeString | [Service Information] Service Name |
| TicketOptions UnicodeString | [Additional Information] Ticket Options. Bitmask flags |
| FailureCode UnicodeString | [Additional Information] Failure Code. NTSTATUS reference |
| IpAddress UnicodeString | [Network Information] Client Address |
| IpPort UnicodeString | [Network Information] Client Port |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4772
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4772
Event ID 4773 — A Kerberos service ticket request failed.
Description #
A Kerberos service ticket request failed.
Message #
Fields #
| Name | Description |
|---|---|
| Account_Name UnicodeString | [Account Information] Account Name. |
| Account_Domain UnicodeString | [Account Information] Account Domain. |
| Service_Name UnicodeString | [Service Information] Service Name. |
| Ticket_Options UnicodeString | [Additional Information] Ticket Options. Bitmask flags |
| Failure_Code UnicodeString | [Additional Information] Failure Code. NTSTATUS reference |
| Client_Address UnicodeString | [Network Information] Client Address. |
| Client_Port UnicodeString | [Network Information] Client Port. |
| TargetUserName UnicodeString | [Account Information] Account Name |
| TargetDomainName UnicodeString | [Account Information] Account Domain |
| ServiceName UnicodeString | [Service Information] Service Name |
| TicketOptions UnicodeString | [Additional Information] Ticket Options. Bitmask flags |
| FailureCode UnicodeString | [Additional Information] Failure Code. NTSTATUS reference |
| IpAddress UnicodeString | [Network Information] Client Address |
| IpPort UnicodeString | [Network Information] Client Port |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4773
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4773
Event ID 4774 — An account was mapped for logon.
Description #
An account was mapped for logon.
Message #
Fields #
| Name | Description |
|---|---|
| Authentication_Package UnicodeString | — |
| Account_UPN UnicodeString | — |
| Mapped_Name UnicodeString | — |
| MappingBy UnicodeString | Authentication Package |
| ClientUserName UnicodeString | Account UPN |
| MappedName UnicodeString | Mapped Name |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4774
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4774
Event ID 4775 — An account could not be mapped for logon.
Description #
An account could not be mapped for logon.
Message #
Fields #
| Name | Description |
|---|---|
| Authentication_Package UnicodeString | — |
| Account_Name UnicodeString | — |
| ClientUserName UnicodeString | Authentication Package |
| MappingBy UnicodeString | Account Name |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4775
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4775
Event ID 4776 — The domain controller attempted to validate the credentials for an account.
Description #
The computer attempted to validate the credentials for an account.
Message #
Fields #
| Name | Description |
|---|---|
| PackageName UnicodeString | Authentication Package. |
| TargetUserName UnicodeString | Logon Account. |
| Workstation UnicodeString | Source Workstation. |
| Status HexInt32 | Error Code. NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4776,
"version": 0,
"level": 0,
"task": 14336,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-07T16:48:22.599068+00:00",
"event_record_id": 388,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0000-E519-7BDD9E4AD801"
},
"execution": {
"process_id": 648,
"thread_id": 3868
},
"channel": "Security",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": ""
}
},
"event_data": {
"PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
"TargetUserName": "Administrator",
"Workstation": "WIN-FPV0DSIC9O6",
"Status": "0x0"
},
"message": ""
}
Community Notes #
This may capture fallback NTLM use. Check the Workstation field: does it name the client? If not, this may be NTLM coercion.
The Status field is an NTSTATUS code indicating the credential validation result:
| Code | Name | Description |
|---|---|---|
| 0x00000000 | STATUS_SUCCESS | Credentials validated successfully |
| 0xC000006D | STATUS_LOGON_FAILURE | Generic failure (bad username or password) |
| 0xC0000064 | STATUS_NO_SUCH_USER | Non-existent account |
| 0xC000006A | STATUS_WRONG_PASSWORD | Incorrect password |
| 0xC0000234 | STATUS_ACCOUNT_LOCKED_OUT | Account locked out |
| 0xC0000072 | STATUS_ACCOUNT_DISABLED | Account disabled |
| 0xC0000193 | STATUS_ACCOUNT_EXPIRED | Account expired |
| 0xC0000071 | STATUS_PASSWORD_EXPIRED | Password expired |
| 0xC000006F | STATUS_INVALID_LOGON_HOURS | Outside allowed logon hours |
| 0xC0000070 | STATUS_INVALID_WORKSTATION | Not allowed from this workstation |
| 0xC0000224 | STATUS_PASSWORD_MUST_CHANGE | Password must change at next logon |
| 0xC000005E | STATUS_NO_LOGON_SERVERS | No logon servers available |
| 0xC00002DB | STATUS_NTLM_BLOCKED | NTLM blocked by policy |
Detection Rules #
Splunk #
- Windows Multiple Invalid Users Failed To Authenticate Using NTLM source: The following analytic detects a single source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC0000064, which indicates non-existent usernames. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the Active Directory environment.
- Windows Multiple Users Failed To Authenticate From Host Using NTLM source: The following analytic identifies a single source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC000006A, which indicates a bad password. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access to sensitive information or further compromise of the Active Directory environment.
- Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM source: The following analytic identifies a source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access or privilege escalation, posing a significant threat to the Active Directory environment. This detection is focused on domain controllers.
- Windows Unusual Count Of Users Failed To Authenticate Using NTLM source: The following analytic identifies a source endpoint failing to authenticate multiple valid users using the NTLM protocol, potentially indicating a Password Spraying attack. It leverages Event 4776 from Domain Controllers, calculating the standard deviation for each host and applying the 3-sigma rule to detect anomalies. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, the attacker could compromise multiple accounts, leading to unauthorized access and potential lateral movement within the network.
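The 4776 rules above all reduce to decoding the Status field with the NTSTATUS table in the community notes and counting distinct logon accounts per source workstation inside a 5-minute bucket. This is an added example, not code from this page or from Splunk; it implements that decoding and the two fixed-threshold rules (30 unique users with 0xC0000064 or 0xC000006A) over constructed events in the page's JSON layout, and treats a blank Workstation as its own pivot, as the community note suggests.

```python
"""Added example: decode 4776 Status codes and flag NTLM password-spray
candidates. Events are constructed in the JSON layout used on this page."""
from collections import defaultdict
from datetime import datetime

# NTSTATUS values for 4776/4777 Status, as listed in the table above.
NTSTATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC00002DB: "STATUS_NTLM_BLOCKED",
}
SPRAY_CODES = ("STATUS_NO_SUCH_USER", "STATUS_WRONG_PASSWORD")
SPRAY_THRESHOLD = 30      # "30 unique ... users" in the rule descriptions above
BUCKET_SECONDS = 300      # 5-minute tumbling window, like `bin _time span=5m`


def decode_status(status: str) -> str:
    """'0xC0000064' -> 'STATUS_NO_SUCH_USER'; unknown codes are returned unchanged."""
    return NTSTATUS.get(int(status, 16), status)


def source_of(event: dict) -> str:
    """4776 carries no IP address; the Workstation name is the only source pivot.
    A blank value is kept as a distinct key so it can be reviewed on its own."""
    return event["event_data"].get("Workstation", "") or "<blank-workstation>"


def spray_candidates(events: list[dict]) -> dict[tuple[str, str], int]:
    """(source, status name) -> distinct user count for the busiest 5-minute
    bucket in which that source hit SPRAY_THRESHOLD or more different users
    with a non-existent-user or wrong-password result."""
    seen = defaultdict(set)   # (source, bucket, status name) -> set of users
    for ev in events:
        if ev["system"]["event_id"] != 4776:
            continue
        name = decode_status(ev["event_data"]["Status"])
        if name not in SPRAY_CODES:
            continue
        ts = datetime.fromisoformat(ev["system"]["time_created"].replace("Z", "+00:00"))
        bucket = int(ts.timestamp()) // BUCKET_SECONDS
        seen[(source_of(ev), bucket, name)].add(ev["event_data"]["TargetUserName"].lower())
    hits = {}
    for (src, _bucket, name), users in seen.items():
        if len(users) >= SPRAY_THRESHOLD:
            hits[(src, name)] = max(hits.get((src, name), 0), len(users))
    return hits


def make_4776(ts, user, workstation, status):
    """Constructed 4776 record in the page's JSON layout (only fields used here)."""
    return {"system": {"event_id": 4776, "time_created": ts},
            "event_data": {"PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
                           "TargetUserName": user, "Workstation": workstation,
                           "Status": status}}


# Constructed sample: a success, a lockout, one blank-workstation failure, and
# 32 wrong-password failures for different users from one host within 5 minutes.
SAMPLE = [
    make_4776("2022-04-07T16:48:22+00:00", "Administrator", "WIN-FPV0DSIC9O6", "0x0"),
    make_4776("2022-04-07T16:48:30+00:00", "jdoe", "WS-ACCT-07", "0xC0000234"),
    make_4776("2022-04-07T16:49:00+00:00", "svc_backup", "", "0xC000006A"),
] + [
    make_4776(f"2022-04-07T16:50:{i:02d}+00:00", f"user{i:02d}", "WS-SPRAY-01", "0xC000006A")
    for i in range(32)
]

if __name__ == "__main__":
    for ev in SAMPLE[:3]:
        print(source_of(ev), ev["event_data"]["TargetUserName"],
              decode_status(ev["event_data"]["Status"]))
    print(spray_candidates(SAMPLE))
```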
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4777 — The domain controller failed to validate the credentials for an account.
Description #
The domain controller failed to validate the credentials for an account.
Message #
Fields #
| Name | Description |
|---|---|
| Authentication_Package UnicodeString | — |
| Logon_Account UnicodeString | — |
| Source_Workstation UnicodeString | — |
| Error_Code UnicodeString | — |
| ClientUserName UnicodeString | Authentication Package |
| TargetUserName UnicodeString | Logon Account |
| Workstation UnicodeString | Source Workstation |
| Status UnicodeString | Error Code. NTSTATUS reference |
Community Notes #
Logged when NTLM credential validation fails. Pair with 4776 (which logs both successes and failures).
The Status field is an NTSTATUS code — see Event 4776 for the full code table.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4777
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4777
Event ID 4778 — A session was reconnected to a Window Station.
Description #
A session was reconnected to a Window Station.
Message #
Fields #
| Name | Description |
|---|---|
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
| Session_Name | [Session] Session Name. |
| Client_Name | [Additional Information] Client Name. |
| Client_Address | [Additional Information] Client Address. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4778,
"version": 0,
"level": 0,
"task": 12551,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2021-05-14T21:01:05.831748Z",
"event_record_id": 1829819,
"correlation": {
"#attributes": {
"ActivityID": "A67BE420-4636-0001-36E4-7BA63646D701"
}
},
"execution": {
"process_id": 576,
"thread_id": 4904
},
"channel": "Security",
"computer": "fs01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"AccountName": "admmarsid",
"AccountDomain": "OFFSEC",
"LogonID": "0x6a423",
"SessionName": "RDP-Tcp#8",
"ClientName": "JUMP01",
"ClientAddress": "10.23.23.9"
}
}
Community Notes #
Useful for tracing session re-use.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4778
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4778
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-4778-session-reconnected.md
Event ID 4779 — A session was disconnected from a Window Station.
Description #
A session was disconnected from a Window Station.
Message #
Fields #
| Name | Description |
|---|---|
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
| Session_Name | [Session] Session Name. |
| Client_Name | [Additional Information] Client Name. |
| Client_Address | [Additional Information] Client Address. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4779,
"version": 0,
"level": 0,
"task": 12551,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2021-05-14T21:01:05.370030Z",
"event_record_id": 1829816,
"correlation": {
"#attributes": {
"ActivityID": "A67BE420-4636-0001-36E4-7BA63646D701"
}
},
"execution": {
"process_id": 576,
"thread_id": 628
},
"channel": "Security",
"computer": "fs01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"AccountName": "admmig",
"AccountDomain": "OFFSEC",
"LogonID": "0x13b5e1e",
"SessionName": "RDP-Tcp#8",
"ClientName": "JUMP01",
"ClientAddress": "10.23.23.9"
}
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4779
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4779
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4780 — The ACL was set on accounts which are members of administrators groups.
Description #
The ACL was set on accounts which are members of administrators groups.
Message #
Fields #
| Name | Description |
|---|---|
| TargetUserName UnicodeString | [Target Account] Account Name |
| TargetDomainName UnicodeString | [Target Account] Account Domain |
| TargetSid SID | [Target Account] Security ID |
| SubjectUserSid SID | [Subject] Security ID |
| SubjectUserName UnicodeString | [Subject] Account Name |
| SubjectDomainName UnicodeString | [Subject] Account Domain |
| SubjectLogonId HexInt64 | [Subject] Logon ID |
| PrivilegeList UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| Account_Name UnicodeString | [Target Account] Account Name. |
| Account_Domain UnicodeString | [Target Account] Account Domain. |
| Security_ID SID | [Target Account] Security ID. |
| Logon_ID HexInt64 | [Subject] Logon ID. |
| Privileges UnicodeString | [Additional Information] Privileges. Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4780,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-14T00:17:46.607238+00:00",
"event_record_id": 16777470,
"correlation": {},
"execution": {
"process_id": 940,
"thread_id": 1056
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "Domain Admins",
"TargetDomainName": "DC=ludus,DC=domain",
"TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-512",
"SubjectUserSid": "S-1-5-7",
"SubjectUserName": "ANONYMOUS LOGON",
"SubjectDomainName": "NT AUTHORITY",
"SubjectLogonId": "0x3e6",
"PrivilegeList": "-"
},
"message": ""
}
Detection Patterns #
User Account
6 rules
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4780
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4780
Event ID 4781 — The name of an account was changed.
Description #
The name of an account was changed.
Message #
Fields #
| Name | Description |
|---|---|
| OldTargetUserName UnicodeString | [Target Account] Old Account Name. |
| NewTargetUserName UnicodeString | [Target Account] New Account Name. |
| TargetDomainName UnicodeString | [Target Account] Account Domain. |
| TargetSid SID | [Target Account] Security ID. |
| SubjectUserSid SID | [Subject] Security ID. |
| SubjectUserName UnicodeString | [Subject] Account Name. |
| SubjectDomainName UnicodeString | [Subject] Account Domain. |
| SubjectLogonId HexInt64 | [Subject] Logon ID. |
| PrivilegeList UnicodeString | [Additional Information] Privileges. Privilege constants reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4781,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:37.340432+00:00",
"event_record_id": 2857,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 856
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"OldTargetUserName": "None",
"NewTargetUserName": "None",
"TargetDomainName": "WINDEV2310EVAL",
"TargetSid": "S-1-5-21-1992711665-1655669231-58201500-513",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"PrivilegeList": "-"
},
"message": ""
}
Detection Patterns #
Defense Evasion: Masquerading
Defense Evasion: Domain Accounts
1 rule
Community Notes #
Attackers may rename an existing, highly privileged account to blend in.
Detection Rules #
Elastic #
- Potential Privileged Escalation via SamAccountName Spoofing (severity: high): Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.
Splunk #
- Suspicious Computer Account Name Change: The following analytic detects a suspicious computer account name change in Active Directory. It leverages Event ID 4781, which logs account name changes, to identify instances where a computer account name is changed to one that does not end with a `$`. This behavior is significant as it may indicate an attempt to exploit CVE-2021-42278 and CVE-2021-42287, which can lead to domain controller impersonation and privilege escalation. If confirmed malicious, this activity could allow an attacker to gain elevated privileges and potentially control the domain.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4781
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4781
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4782 — The password hash of an account was accessed.
Description #
The password hash of an account was accessed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Account_Name | UnicodeString | [Target Account] Account Name. |
| Account_Domain | UnicodeString | [Target Account] Account Domain. |
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| TargetUserName | UnicodeString | [Target Account] Account Name |
| TargetDomainName | UnicodeString | [Target Account] Account Domain |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
Community Notes #
May indicate Pass-the-Hash. Legitimate use occurs during AD password migration operations under SYSTEM or a dedicated migration account.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4782
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-account-management-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4782
Event ID 4783 — A basic application group was created.
Description #
A basic application group was created.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Account_Name | UnicodeString | [Group] Account Name. |
| Account_Domain | UnicodeString | [Group] Account Domain. |
| Security_ID | SID | [Group] Security ID. |
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Privileges | UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| SAM_Account_Name | UnicodeString | [Attributes] SAM Account Name. |
| SID_History | UnicodeString | [Attributes] SID History. |
| TargetUserName | UnicodeString | [Group] Account Name |
| TargetDomainName | UnicodeString | [Group] Account Domain |
| TargetSid | SID | [Group] Security ID |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| PrivilegeList | UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| SamAccountName | UnicodeString | [Attributes] SAM Account Name |
| SidHistory | UnicodeString | [Attributes] SID History |
Detection Patterns #
Persistence: Domain Account
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4783
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4783
Event ID 4784 — A basic application group was changed.
Description
A basic application group was changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Account_Name | UnicodeString | [Group] Account Name. |
| Account_Domain | UnicodeString | [Group] Account Domain. |
| Security_ID | SID | [Group] Security ID. |
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Privileges | UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| SAM_Account_Name | UnicodeString | [Attributes] SAM Account Name. |
| SID_History | UnicodeString | [Attributes] SID History. |
| TargetUserName | UnicodeString | [Group] Account Name |
| TargetDomainName | UnicodeString | [Group] Account Domain |
| TargetSid | SID | [Group] Security ID |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| PrivilegeList | UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| SamAccountName | UnicodeString | [Attributes] SAM Account Name |
| SidHistory | UnicodeString | [Attributes] SID History |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4784
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4784
Event ID 4785 — A member was added to a basic application group.
Description
A member was added to a basic application group.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Account_Name | | [Member] Account Name. |
| Security_ID | | [Member] Security ID. |
| Group_Name | | [Group] Group Name. |
| Group_Domain | | [Group] Group Domain. |
| Security_ID | | [Group] Security ID. |
| Security_ID | | [Subject] Security ID. |
| Account_Name | | [Subject] Account Name. |
| Account_Domain | | [Subject] Account Domain. |
| Logon_ID | | [Subject] Logon ID. |
| Privileges | | [Additional Information] Privileges. Privilege constants reference |
| MemberName | UnicodeString | [Member] Account Name |
| MemberSid | SID | [Member] Security ID |
| TargetUserName | UnicodeString | [Group] Group Name |
| TargetDomainName | UnicodeString | [Group] Group Domain |
| TargetSid | SID | [Group] Security ID |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| PrivilegeList | UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| MembershipExpirationTime | FILETIME | Expiration time |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4785
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4785
Event ID 4786 — A member was removed from a basic application group.
Description
A member was removed from a basic application group.
Message #
Fields #
| Name | Description |
|---|---|
Account_Name UnicodeString | [Member] Account Name. |
Security_ID SID | [Member] Security ID. |
Group_Name UnicodeString | [Group] Group Name. |
Group_Domain UnicodeString | [Group] Group Domain. |
Security_ID SID | [Group] Security ID. |
Security_ID SID | [Subject] Security ID. |
Account_Name UnicodeString | [Subject] Account Name. |
Account_Domain UnicodeString | [Subject] Account Domain. |
Logon_ID HexInt64 | [Subject] Logon ID. |
Privileges UnicodeString | [Additional Information] Privileges. Privilege constants reference |
MemberName UnicodeString | [Member] Account Name |
MemberSid SID | [Member] Security ID |
TargetUserName UnicodeString | [Group] Group Name |
TargetDomainName UnicodeString | [Group] Group Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4786
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4786
Event ID 4787 — A non-member was added to a basic application group.
Description
A non-member was added to a basic application group.
Message #
Fields #
| Name | Description |
|---|---|
Account_Name UnicodeString | [Member] Account Name. |
Security_ID SID | [Member] Security ID. |
Account_Name UnicodeString | [Group] Account Name. |
Account_Domain UnicodeString | [Group] Account Domain. |
Security_ID SID | [Group] Security ID. |
Security_ID SID | [Subject] Security ID. |
Account_Name UnicodeString | [Subject] Account Name. Is specified as a member of the application group, either explicitly or through nested group membership, the account will not be treated as a group member if it is listed as a non-member. |
Account_Domain UnicodeString | [Subject] Account Domain. |
Logon_ID HexInt64 | [Subject] Logon ID. |
Privileges UnicodeString | [Additional Information] Privileges. Privilege constants reference |
MemberName UnicodeString | [Member] Account Name |
MemberSid SID | [Member] Security ID |
TargetUserName UnicodeString | [Group] Account Name |
TargetDomainName UnicodeString | [Group] Account Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4787
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4787
Event ID 4788 — A non-member was removed from a basic application group.
Description
A non-member was removed from a basic application group.
Message #
Fields #
| Name | Description |
|---|---|
Account_Name UnicodeString | [Member] Account Name. |
Security_ID SID | [Member] Security ID. |
Account_Name UnicodeString | [Group] Account Name. |
Account_Domain UnicodeString | [Group] Account Domain. |
Security_ID SID | [Group] Security ID. |
Security_ID SID | [Subject] Security ID. |
Account_Name UnicodeString | [Subject] Account Name. Is specified as a member of the application group, either explicitly or through nested group membership, the account will not be treated as a group member if it is listed as a non-member. |
Account_Domain UnicodeString | [Subject] Account Domain. |
Logon_ID HexInt64 | [Subject] Logon ID. |
Privileges UnicodeString | [Additional Information] Privileges. Privilege constants reference |
MemberName UnicodeString | [Member] Account Name |
MemberSid SID | [Member] Security ID |
TargetUserName UnicodeString | [Group] Account Name |
TargetDomainName UnicodeString | [Group] Account Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4788
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4788
Event ID 4789 — A basic application group was deleted.
Description
A basic application group was deleted.
Message #
Fields #
| Name | Description |
|---|---|
Account_Name UnicodeString | [Group] Account Name. |
Account_Domain UnicodeString | [Group] Account Domain. |
Security_ID SID | [Group] Security ID. |
Security_ID SID | [Subject] Security ID. |
Account_Name UnicodeString | [Subject] Account Name. |
Account_Domain UnicodeString | [Subject] Account Domain. |
Logon_ID HexInt64 | [Subject] Logon ID. |
Privileges UnicodeString | [Additional Information] Privileges. Privilege constants reference |
TargetUserName UnicodeString | [Group] Account Name |
TargetDomainName UnicodeString | [Group] Account Domain |
TargetSid SID | [Group] Security ID |
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
PrivilegeList UnicodeString | [Additional Information] Privileges Privilege constants reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4789
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4789
Event ID 4790 — An LDAP query group was created.
Description #
An LDAP query group was created.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Account_Name | UnicodeString | [Group] Account Name. |
| Account_Domain | UnicodeString | [Group] Account Domain. |
| Security_ID | SID | [Group] Security ID. |
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Privileges | UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| SAM_Account_Name | UnicodeString | [Attributes] SAM Account Name. |
| SID_History | UnicodeString | [Attributes] SID History. |
| TargetUserName | UnicodeString | [Group] Account Name |
| TargetDomainName | UnicodeString | [Group] Account Domain |
| TargetSid | SID | [Group] Security ID |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| PrivilegeList | UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| SamAccountName | UnicodeString | [Attributes] SAM Account Name |
| SidHistory | UnicodeString | [Attributes] SID History |
Detection Patterns #
Persistence: Domain Account
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4790
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4790
Event ID 4791 — A basic application group was changed.
Description
A basic application group was changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Account_Name | UnicodeString | [Group] Account Name. |
| Account_Domain | UnicodeString | [Group] Account Domain. |
| Security_ID | SID | [Group] Security ID. |
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Privileges | UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| SAM_Account_Name | UnicodeString | [Attributes] SAM Account Name. |
| SID_History | UnicodeString | [Attributes] SID History. |
| TargetUserName | UnicodeString | [Group] Account Name |
| TargetDomainName | UnicodeString | [Group] Account Domain |
| TargetSid | SID | [Group] Security ID |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| PrivilegeList | UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| SamAccountName | UnicodeString | [Attributes] SAM Account Name |
| SidHistory | UnicodeString | [Attributes] SID History |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4791
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4791
Event ID 4792 — An LDAP query group was deleted.
Description
An LDAP query group was deleted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Account_Name | UnicodeString | [Group] Account Name. |
| Account_Domain | UnicodeString | [Group] Account Domain. |
| Security_ID | SID | [Group] Security ID. |
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Privileges | UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| TargetUserName | UnicodeString | [Group] Account Name |
| TargetDomainName | UnicodeString | [Group] Account Domain |
| TargetSid | SID | [Group] Security ID |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| PrivilegeList | UnicodeString | [Additional Information] Privileges. Privilege constants reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4792
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4792
Event ID 4793 — The Password Policy Checking API was called.
Description
The Password Policy Checking API was called.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Caller_Workstation | UnicodeString | [Additional Information] Caller Workstation. |
| Provided_Account_Name_unauthenticated | UnicodeString | [Additional Information] Provided Account Name (unauthenticated). |
| Status_Code | HexInt32 | [Additional Information] Status Code. |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| Workstation | UnicodeString | [Additional Information] Caller Workstation |
| TargetUserName | UnicodeString | [Additional Information] Provided Account Name (unauthenticated) |
| Status | HexInt32 | [Additional Information] Status Code. NTSTATUS reference |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4793
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-account-management-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4793
Event ID 4794 — An attempt was made to set the Directory Services Restore Mode administrator password.
Description #
An attempt was made to set the Directory Services Restore Mode administrator password.
Message #
Fields #
| Name | Description |
|---|---|
| Security_ID | [Subject] Security ID. |
| Account_Name | [Subject] Account Name. |
| Account_Domain | [Subject] Account Domain. |
| Logon_ID | [Subject] Logon ID. |
| Caller_Workstation | [Additional Information] Caller Workstation. |
| Status_Code | [Additional Information] Status Code. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4794,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2017-06-09T19:21:26.968669Z",
"event_record_id": 3139859,
"correlation": {
"#attributes": {
"ActivityID": "3B48C871-DFE6-0000-A5C8-483BE6DFD201"
}
},
"execution": {
"process_id": 792,
"thread_id": 1648
},
"channel": "Security",
"computer": "2016dc.hqcorp.local",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1913345275-1711810662-261465553-500",
"SubjectUserName": "administrator",
"SubjectDomainName": "HQCORP",
"SubjectLogonId": "0x2f336f",
"Workstation": "2016DC",
"Status": "0x0"
}
}
Detection Rules #
Sigma #
- Password Change on Directory Service Restore Mode (DSRM) Account (severity: high): Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.
Splunk #
- Windows AD DSRM Password Reset: The following analytic detects attempts to reset the Directory Services Restore Mode (DSRM) administrator password on a Domain Controller. It leverages event code 4794 from the Windows Security Event Log, specifically looking for events where the DSRM password reset is attempted. This activity is significant because the DSRM account can be used similarly to a local administrator account, providing potential persistence for an attacker. If confirmed malicious, this could allow an attacker to maintain administrative access to the Domain Controller, posing a severe risk to the domain's security.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4794
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4794
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4797 — An attempt was made to query the existence of a blank password for an account.
Description #
An attempt was made to query the existence of a blank password for an account.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| Workstation | UnicodeString | [Additional Information] Caller Workstation. |
| TargetUserName | UnicodeString | [Additional Information] Target Account Name. |
| TargetDomainName | UnicodeString | [Additional Information] Target Account Domain. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4797,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T00:43:39.992357+00:00",
"event_record_id": 184918,
"correlation": {
"ActivityID": "E4DB489E-1037-0001-0C49-DBE43710DA01"
},
"execution": {
"process_id": 808,
"thread_id": 1928
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"SubjectUserName": "User",
"SubjectDomainName": "WINDEV2310EVAL",
"SubjectLogonId": "0x27844",
"Workstation": "WINDEV2310EVAL",
"TargetUserName": "WDAGUtilityAccount",
"TargetDomainName": "WINDEV2310EVAL"
},
"message": ""
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4797
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4798 — A user's local group membership was enumerated.
Description #
A user's local group membership was enumerated.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | [User] Account Name. |
| TargetDomainName | UnicodeString | [User] Account Domain. |
| TargetSid | SID | [User] Security ID. |
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| CallerProcessId | Pointer | [Process Information] Process ID. |
| CallerProcessName | UnicodeString | [Process Information] Process Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4798,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:35.014146+00:00",
"event_record_id": 2785,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 896
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "User",
"TargetDomainName": "WINDEV2310EVAL",
"TargetSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"CallerProcessId": "0x57c",
"CallerProcessName": "C:\\Windows\\System32\\rundll32.exe"
},
"message": ""
}
Detection Rules #
Splunk #
- Enumerate Users Local Group Using Telegram: The following analytic detects a Telegram process enumerating all network users in a local group. It leverages EventCode 4798, which is generated when a process enumerates a user's security-enabled local groups on a computer or device. This activity is significant as it may indicate an attempt to gather information on user accounts, a common precursor to further malicious actions. If confirmed malicious, this behavior could allow an attacker to map out user accounts, potentially leading to privilege escalation or lateral movement within the network.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4798
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4799 — A security-enabled local group membership was enumerated.
Description #
A security-enabled local group membership was enumerated.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserName | UnicodeString | [Group] Group Name. |
| TargetDomainName | UnicodeString | [Group] Group Domain. |
| TargetSid | SID | [Group] Security ID. |
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| CallerProcessId | Pointer | [Process Information] Process ID. |
| CallerProcessName | UnicodeString | [Process Information] Process Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4799,
"version": 0,
"level": 0,
"task": 13826,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:50.749994+00:00",
"event_record_id": 2946,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 896
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserName": "Backup Operators",
"TargetDomainName": "Builtin",
"TargetSid": "S-1-5-32-551",
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"CallerProcessId": "0x138c",
"CallerProcessName": "C:\\Windows\\System32\\SearchIndexer.exe"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4799
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4800 — The workstation was locked.
Description #
The workstation was locked.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserSid | SID | [Subject] Security ID |
| TargetUserName | UnicodeString | [Subject] Account Name |
| TargetDomainName | UnicodeString | [Subject] Account Domain |
| TargetLogonId | HexInt64 | [Subject] Logon ID |
| SessionId | UInt32 | [Subject] Session ID |
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Session_ID | UInt32 | [Subject] Session ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4800,
"version": 0,
"level": 0,
"task": 12551,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-11T23:16:10.990860+00:00",
"event_record_id": 2684980,
"correlation": {
"ActivityID": "FA744C8F-80A0-4DBD-B165-8D96568C15CC"
},
"execution": {
"process_id": 720,
"thread_id": 3756
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserSid": "S-1-5-21-3407486967-1585450050-1838039599-1000",
"TargetUserName": "localuser",
"TargetDomainName": "LAB-WIN11",
"TargetLogonId": "0x1b1557",
"SessionId": 2
},
"message": ""
}
Detection Rules #
Sigma #
- Locked Workstation source informational: Detects locked workstation session events that occur automatically after a standard period of inactivity.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4800
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4800
Event ID 4801 — The workstation was unlocked.
Description
The workstation was unlocked.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TargetUserSid | SID | [Subject] Security ID |
| TargetUserName | UnicodeString | [Subject] Account Name |
| TargetDomainName | UnicodeString | [Subject] Account Domain |
| TargetLogonId | HexInt64 | [Subject] Logon ID |
| SessionId | UInt32 | [Subject] Session ID |
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Session_ID | UInt32 | [Subject] Session ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4801,
"version": 0,
"level": 0,
"task": 12551,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-12T02:56:05.225999+00:00",
"event_record_id": 2752626,
"correlation": {
"ActivityID": "A84A27DD-91F0-42B5-B4DA-0B267CDC42CF"
},
"execution": {
"process_id": 720,
"thread_id": 4416
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetUserSid": "S-1-5-21-3407486967-1585450050-1838039599-1000",
"TargetUserName": "localuser",
"TargetDomainName": "LAB-WIN11",
"TargetLogonId": "0x1b1557",
"SessionId": 2
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4801
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4801
Event ID 4802 — The screen saver was invoked.
Description
The screen saver was invoked.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Session_ID | UInt32 | [Subject] Session ID. |
| TargetUserSid | SID | [Subject] Security ID |
| TargetUserName | UnicodeString | [Subject] Account Name |
| TargetDomainName | UnicodeString | [Subject] Account Domain |
| TargetLogonId | HexInt64 | [Subject] Logon ID |
| SessionId | UInt32 | [Subject] Session ID |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4802
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4802
Event ID 4803 — The screen saver was dismissed.
Description
The screen saver was dismissed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Session_ID | UInt32 | [Subject] Session ID. |
| TargetUserSid | SID | [Subject] Security ID |
| TargetUserName | UnicodeString | [Subject] Account Name |
| TargetDomainName | UnicodeString | [Subject] Account Domain |
| TargetLogonId | HexInt64 | [Subject] Logon ID |
| SessionId | UInt32 | [Subject] Session ID |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4803
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4803
Event ID 4816 — RPC detected an integrity violation while decrypting an incoming message.
Description
RPC detected an integrity violation while decrypting an incoming message.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Peer_Name | UnicodeString | — |
| Protocol_Sequence | UnicodeString | — |
| Security_Error | UInt32 | — |
| PeerName | UnicodeString | Peer Name |
| ProtocolSequence | UnicodeString | Protocol Sequence |
| SecurityError | UInt32 | Security Error |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4816
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4816
Event ID 4817 — Auditing settings on object were changed.
Description
Auditing settings on object were changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Object_Server | UnicodeString | [Object] Object Server. |
| Object_Type | UnicodeString | [Object] Object Type. |
| Object_Name | UnicodeString | [Object] Object Name. |
| Original_Security_Descriptor | UnicodeString | [Auditing Settings] Original Security Descriptor. |
| New_Security_Descriptor | UnicodeString | [Auditing Settings] New Security Descriptor. |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ObjectServer | UnicodeString | [Object] Object Server |
| ObjectType | UnicodeString | [Object] Object Type |
| ObjectName | UnicodeString | [Object] Object Name |
| OldSd | UnicodeString | [Auditing Settings] Original Security Descriptor |
| NewSd | UnicodeString | [Auditing Settings] New Security Descriptor |
Community Notes #
An attacker who wants to suppress object-access logging can clear or replace the global SACL; this event records that change, with the original and new security descriptors in OldSd and NewSd.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4817
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4817
Event ID 4818 — Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
Description
Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Object_Server | UnicodeString | [Object] Object Server. |
| Object_Type | UnicodeString | [Object] Object Type. |
| Object_Name | UnicodeString | [Object] Object Name. |
| Handle_ID | Pointer | [Object] Handle ID. |
| Process_ID | Pointer | [Process Information] Process ID. |
| Process_Name | UnicodeString | [Process Information] Process Name. |
| Access_Reasons | UnicodeString | [Current Central Access Policy results] Access Reasons. |
| Access_Reasons | UnicodeString | [Proposed Central Access Policy results that differ from the current Central Access Policy results] Access Reasons. |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ObjectServer | UnicodeString | [Object] Object Server |
| ObjectType | UnicodeString | [Object] Object Type |
| ObjectName | UnicodeString | [Object] Object Name |
| HandleId | Pointer | [Object] Handle ID |
| ProcessId | Pointer | [Process Information] Process ID |
| ProcessName | UnicodeString | [Process Information] Process Name |
| AccessReason | UnicodeString | [Current Central Access Policy results] Access Reasons. Known values |
| StagingReason | UnicodeString | [Proposed Central Access Policy results that differ from the current Central Access Policy results] Access Reasons |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4818
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-central-access-policy-staging
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4818
Event ID 4819 — Central Access Policies on the machine have been changed.
Description
Central Access Policies on the machine have been changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Object_Server | UnicodeString | [Object] Object Server. |
| Object_Type | UnicodeString | [Object] Object Type. |
| CAPs_Added | UnicodeString | [Object] CAPs Added. |
| CAPs_Deleted | UnicodeString | [Object] CAPs Deleted. |
| CAPs_Modified | UnicodeString | [Object] CAPs Modified. |
| CAPs_AsIs | UnicodeString | [Object] CAPs As-Is. |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ObjectServer | UnicodeString | [Object] Object Server |
| ObjectType | UnicodeString | [Object] Object Type |
| AddedCAPs | UnicodeString | CAPs Added |
| DeletedCAPs | UnicodeString | CAPs Deleted |
| ModifiedCAPs | UnicodeString | CAPs Modified |
| AsIsCAPs | UnicodeString | CAPs As-Is |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4819
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4819
Event ID 4820 — A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.
Description
A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Account_Name | UnicodeString | [Account Information] Account Name. |
| Supplied_Realm_Name | UnicodeString | [Account Information] Supplied Realm Name. |
| User_ID | SID | [Account Information] User ID. |
| Device_Name | UnicodeString | [Device Information] Device Name. |
| Service_Name | UnicodeString | [Service Information] Service Name. |
| Service_ID | SID | [Service Information] Service ID. |
| Ticket_Options | HexInt32 | [Additional Information] Ticket Options. Bitmask flags |
| Result_Code | HexInt32 | [Additional Information] Result Code. Known values |
| Ticket_Encryption_Type | HexInt32 | [Additional Information] Ticket Encryption Type. Known values |
| PreAuthentication_Type | UnicodeString | [Additional Information] Pre-Authentication Type. Known values |
| Client_Address | UnicodeString | [Network Information] Client Address. |
| Client_Port | UnicodeString | [Network Information] Client Port. |
| Certificate_Issuer_Name | UnicodeString | [Certificate Information] Certificate Issuer Name. |
| Certificate_Serial_Number | UnicodeString | [Certificate Information] Certificate Serial Number. |
| Certificate_Thumbprint | UnicodeString | [Certificate Information] Certificate Thumbprint. |
| Silo_Name | UnicodeString | [Authentication Policy Information] Silo Name. |
| Policy_Name | UnicodeString | [Authentication Policy Information] Policy Name. |
| TGT_Lifetime | UInt32 | [Authentication Policy Information] TGT Lifetime. |
| TargetUserName | UnicodeString | [Account Information] Account Name |
| TargetDomainName | UnicodeString | [Account Information] Supplied Realm Name |
| TargetSid | SID | [Account Information] User ID |
| DeviceName | UnicodeString | [Device Information] Device Name |
| ServiceName | UnicodeString | [Service Information] Service Name |
| ServiceSid | SID | [Service Information] Service ID |
| TicketOptions | HexInt32 | [Additional Information] Ticket Options. Bitmask flags |
| Status | HexInt32 | [Additional Information] Result Code. NTSTATUS reference |
| TicketEncryptionType | HexInt32 | [Additional Information] Ticket Encryption Type. Known values |
| PreAuthType | UnicodeString | [Additional Information] Pre-Authentication Type. Known values |
| IpAddress | UnicodeString | [Network Information] Client Address |
| IpPort | UnicodeString | [Network Information] Client Port |
| CertIssuerName | UnicodeString | [Certificate Information] Certificate Issuer Name |
| CertSerialNumber | UnicodeString | [Certificate Information] Certificate Serial Number |
| CertThumbprint | UnicodeString | [Certificate Information] Certificate Thumbprint |
| SiloName | UnicodeString | [Authentication Policy Information] Silo Name |
| PolicyName | UnicodeString | [Authentication Policy Information] Policy Name |
| TGTLifetime | UInt32 | [Authentication Policy Information] TGT Lifetime |
References #
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4820
Event ID 4821 — A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.
Description
A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Account_Name | UnicodeString | [Account Information] Account Name. |
| Account_Domain | UnicodeString | [Account Information] Account Domain. |
| Device_Name | UnicodeString | [Device Information] Device Name. |
| Service_Name | UnicodeString | [Service Information] Service Name. Indicates the resource to which access was requested. |
| Service_ID | SID | [Service Information] Service ID. |
| Ticket_Options | HexInt32 | [Additional Information] Ticket Options. Bitmask flags |
| Ticket_Encryption_Type | HexInt32 | [Additional Information] Ticket Encryption Type. Known values |
| Client_Address | UnicodeString | [Network Information] Client Address. |
| Client_Port | UnicodeString | [Network Information] Client Port. |
| Failure_Code | HexInt32 | [Additional Information] Failure Code. NTSTATUS reference |
| Logon_GUID | GUID | [Account Information] Logon GUID. |
| Transited_Services | UnicodeString | [Additional Information] Transited Services. |
| Silo_Name | UnicodeString | [Authentication Policy Information] Silo Name. |
| Policy_Name | UnicodeString | [Authentication Policy Information] Policy Name. |
| TargetUserName | UnicodeString | [Account Information] Account Name |
| TargetDomainName | UnicodeString | [Account Information] Account Domain |
| DeviceName | UnicodeString | [Device Information] Device Name |
| ServiceName | UnicodeString | [Service Information] Service Name |
| ServiceSid | SID | [Service Information] Service ID |
| TicketOptions | HexInt32 | [Additional Information] Ticket Options. Bitmask flags |
| TicketEncryptionType | HexInt32 | [Additional Information] Ticket Encryption Type. Known values |
| IpAddress | UnicodeString | [Network Information] Client Address |
| IpPort | UnicodeString | [Network Information] Client Port |
| Status | HexInt32 | [Additional Information] Failure Code. NTSTATUS reference |
| LogonGuid | GUID | [Account Information] Logon GUID |
| TransitedServices | UnicodeString | [Additional Information] Transited Services |
| SiloName | UnicodeString | [Authentication Policy Information] Silo Name |
| PolicyName | UnicodeString | [Authentication Policy Information] Policy Name |
References #
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4821
Event ID 4822 — NTLM authentication failed because the account was a member of the Protected User group.
Description
NTLM authentication failed because the account was a member of the Protected User group.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Account_Name | UnicodeString | — |
| Device_Name | UnicodeString | — |
| Error_Code | HexInt32 | — |
| AccountName | UnicodeString | Account Name |
| DeviceName | UnicodeString | Device Name |
| Status | HexInt32 | Error Code. NTSTATUS reference |
Community Notes #
NTLM authentication was blocked because the account is a member of the Protected Users group. Protected Users cannot authenticate via NTLM.
The Status field is an NTSTATUS code:
| Code | Name | Description |
|---|---|---|
| 0xC000006D | STATUS_LOGON_FAILURE | Generic failure |
| 0xC000006E | STATUS_ACCOUNT_RESTRICTION | Protected User restriction prevented NTLM |
References #
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4822
Event ID 4823 — NTLM authentication failed because access control restrictions are required.
Description
NTLM authentication failed because access control restrictions are required.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Account_Name | UnicodeString | — |
| Device_Name | UnicodeString | — |
| Error_Code | HexInt32 | — |
| Silo_Name | UnicodeString | [Authentication Policy Information] Silo Name. |
| PolicyName | UnicodeString | [Authentication Policy Information] PolicyName. |
| AccountName | UnicodeString | Account Name |
| DeviceName | UnicodeString | Device Name |
| Status | HexInt32 | Error Code. NTSTATUS reference |
| SiloName | UnicodeString | [Authentication Policy Information] Silo Name |
Community Notes #
NTLM authentication was blocked by access control restrictions (authentication policy or silo).
The Status field is an NTSTATUS code:
| Code | Name | Description |
|---|---|---|
| 0xC000006D | STATUS_LOGON_FAILURE | Generic failure |
| 0xC0000413 | STATUS_AUTHENTICATION_FIREWALL_FAILED | Blocked by authentication policy/silo |
References #
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4823
Event ID 4824 — Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.
Description
Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Account_Name | UnicodeString | [Account Information] Account Name. |
| Security_ID | SID | [Account Information] Security ID. |
| Service_Name | UnicodeString | [Service Information] Service Name. |
| Ticket_Options | HexInt32 | [Additional Information] Ticket Options. If the ticket was malformed or damaged during transit and could not be decrypted, many fields in this event might not be present. Bitmask flags |
| Failure_Code | HexInt32 | [Additional Information] Failure Code. NTSTATUS reference |
| PreAuthentication_Type | UnicodeString | [Additional Information] Pre-Authentication Type. Known values |
| Client_Address | UnicodeString | [Network Information] Client Address. |
| Client_Port | UnicodeString | [Network Information] Client Port. |
| Certificate_Issuer_Name | UnicodeString | [Certificate Information] Certificate Issuer Name. |
| Certificate_Serial_Number | UnicodeString | [Certificate Information] Certificate Serial Number. |
| Certificate_Thumbprint | UnicodeString | [Certificate Information] Certificate Thumbprint. |
| TargetUserName | UnicodeString | [Account Information] Account Name |
| TargetSid | SID | [Account Information] Security ID |
| ServiceName | UnicodeString | [Service Information] Service Name |
| TicketOptions | HexInt32 | [Additional Information] Ticket Options. Bitmask flags |
| Status | HexInt32 | [Additional Information] Failure Code. NTSTATUS reference |
| PreAuthType | UnicodeString | [Additional Information] Pre-Authentication Type. Known values |
| IpAddress | UnicodeString | [Network Information] Client Address |
| IpPort | UnicodeString | [Network Information] Client Port |
| CertIssuerName | UnicodeString | [Certificate Information] Certificate Issuer Name |
| CertSerialNumber | UnicodeString | [Certificate Information] Certificate Serial Number |
| CertThumbprint | UnicodeString | [Certificate Information] Certificate Thumbprint |
References #
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4824
Event ID 4825 — A user was denied the access to Remote Desktop.
Description
A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.
Message #
Fields #
| Name | Description |
|---|---|
| User_Name | [Subject] User Name. |
| Domain | [Subject] Domain. |
| Logon_ID | [Subject] Logon ID. |
| Client_Address | [Additional Information] Client Address. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4825,
"version": 0,
"level": 0,
"task": 12551,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2020-07-12T05:27:05.579704Z",
"event_record_id": 1231498,
"correlation": {},
"execution": {
"process_id": 464,
"thread_id": 992
},
"channel": "Security",
"computer": "fs02.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"AccountName": "svc6test1",
"AccountDomain": "OFFSEC",
"LogonID": "0x3457272",
"ClientAddress": "10.23.23.9"
}
}
Detection Rules #
Sigma #
- Denied Access To Remote Desktop source medium: This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available Windows servers in the network.
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4826 — Boot Configuration Data loaded.
Description
Boot Configuration Data loaded.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| LoadOptions | UnicodeString | [General Settings] Load Options. |
| AdvancedOptions | UnicodeString | [General Settings] Advanced Options. |
| ConfigAccessPolicy | UnicodeString | [General Settings] Configuration Access Policy. |
| RemoteEventLogging | UnicodeString | [General Settings] System Event Logging. |
| KernelDebug | UnicodeString | [General Settings] Kernel Debugging. |
| VsmLaunchType | UnicodeString | [General Settings] VSM Launch Type. |
| TestSigning | UnicodeString | [Signature Settings] Test Signing. |
| FlightSigning | UnicodeString | [Signature Settings] Flight Signing. |
| DisableIntegrityChecks | UnicodeString | [Signature Settings] Disable Integrity Checks. |
| HypervisorLoadOptions | UnicodeString | [HyperVisor Settings] HyperVisor Load Options. |
| HypervisorLaunchType | UnicodeString | [HyperVisor Settings] HyperVisor Launch Type. |
| HypervisorDebug | UnicodeString | [HyperVisor Settings] HyperVisor Debugging. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4826,
"version": 0,
"level": 0,
"task": 13573,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:19.637649+00:00",
"event_record_id": 2743,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 96
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "-",
"SubjectDomainName": "-",
"SubjectLogonId": "0x3e7",
"LoadOptions": "-",
"AdvancedOptions": "%%1843",
"ConfigAccessPolicy": "%%1846",
"RemoteEventLogging": "%%1843",
"KernelDebug": "%%1843",
"VsmLaunchType": "%%1849",
"TestSigning": "%%1843",
"FlightSigning": "%%1843",
"DisableIntegrityChecks": "%%1843",
"HypervisorLoadOptions": "-",
"HypervisorLaunchType": "%%1849",
"HypervisorDebug": "%%1843"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4826
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4826
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4830 — SID History was removed from an account.
Description
SID History was removed from an account.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Account_Name | | [Target Account] Account Name. |
| Account_Domain | | [Target Account] Account Domain. |
| Security_ID | | [Target Account] Security ID. |
| Security_ID | | [Subject] Security ID. |
| Account_Name | | [Subject] Account Name. |
| Account_Domain | | [Subject] Account Domain. |
| Logon_ID | | [Subject] Logon ID. |
| Privileges | | [Additional Information] Privileges. Privilege constants reference |
| SID_List | | [Additional Information] SID List. |
| SourceUserName | UnicodeString | — |
| SourceSid | SID | — |
| TargetUserName | UnicodeString | [Target Account] Account Name |
| TargetDomainName | UnicodeString | [Target Account] Account Domain |
| TargetSid | SID | [Target Account] Security ID |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| PrivilegeList | UnicodeString | [Additional Information] Privileges. Privilege constants reference |
| SidList | UnicodeString | [Additional Information] SID List |
References #
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4830
Event ID 4864 — A namespace collision was detected.
Description
A namespace collision was detected.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Target_Type | UInt32 | — |
| Target_Name | UnicodeString | — |
| Forest_Root | UnicodeString | — |
| Top_Level_Name | UnicodeString | — |
| DNS_Name | UnicodeString | — |
| NetBIOS_Name | UnicodeString | — |
| Security_ID | SID | — |
| New_Flags | UInt32 | — |
| CollisionTargetType | UInt32 | Target Type |
| CollisionTargetName | UnicodeString | Target Name |
| ForestRoot | UnicodeString | Forest Root |
| TopLevelName | UnicodeString | Top Level Name |
| DnsName | UnicodeString | DNS Name |
| NetbiosName | UnicodeString | NetBIOS Name |
| DomainSid | SID | Security ID |
| Flags | UInt32 | New Flags |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4864
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4864
Event ID 4865 — A trusted forest information entry was added.
Description
A trusted forest information entry was added.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Forest_Root | | [Trust Information] Forest Root. |
| Forest_Root_SID | | [Trust Information] Forest Root SID. |
| Operation_ID | | [Trust Information] Operation ID. |
| Entry_Type | | [Trust Information] Entry Type. |
| Flags | UInt32 | [Trust Information] Flags. |
| Top_Level_Name | | [Trust Information] Top Level Name. |
| DNS_Name | | [Trust Information] DNS Name. |
| NetBIOS_Name | | [Trust Information] NetBIOS Name. |
| Domain_SID | | [Trust Information] Domain SID. |
| Security_ID | | [Subject] Security ID. |
| Account_Name | | [Subject] Account Name. |
| Account_Domain | | [Subject] Account Domain. |
| Logon_ID | | [Subject] Logon ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4865,
"version": 0,
"level": 0,
"task": 13569,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2024-06-22T14:02:41.749935Z",
"event_record_id": 3175613,
"correlation": {},
"execution": {
"process_id": 596,
"thread_id": 3360
},
"channel": "Security",
"computer": "CDCWTRDC01.mypartner.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"ForestRoot": "rootblue.lan",
"ForestRootSid": "S-1-5-21-392370121-190461309-2151315433",
"OperationId": "0xffadf358",
"EntryType": 0,
"Flags": 0,
"TopLevelName": "rootblue.lan",
"DnsName": "-",
"NetbiosName": "-",
"DomainSid": "S-1-0-0",
"SubjectUserSid": "S-1-5-21-1407145384-2259788832-4099636412-500",
"SubjectUserName": "Administrator",
"SubjectDomainName": "MYPARTNER",
"SubjectLogonId": "0xffad8559"
}
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4865
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4865
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4866 — A trusted forest information entry was removed.
Description
A trusted forest information entry was removed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Forest_Root | UnicodeString | [Trust Information] Forest Root. |
| Forest_Root_SID | SID | [Trust Information] Forest Root SID. |
| Operation_ID | HexInt64 | [Trust Information] Operation ID. |
| Entry_Type | UInt32 | [Trust Information] Entry Type. |
| Flags | UInt32 | [Trust Information] Flags. |
| Top_Level_Name | UnicodeString | [Trust Information] Top Level Name. |
| DNS_Name | UnicodeString | [Trust Information] DNS Name. |
| NetBIOS_Name | UnicodeString | [Trust Information] NetBIOS Name. |
| Domain_SID | SID | [Trust Information] Domain SID. |
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| ForestRoot | UnicodeString | [Trust Information] Forest Root |
| ForestRootSid | SID | [Trust Information] Forest Root SID |
| OperationId | HexInt64 | [Trust Information] Operation ID |
| EntryType | UInt32 | [Trust Information] Entry Type |
| TopLevelName | UnicodeString | [Trust Information] Top Level Name |
| DnsName | UnicodeString | [Trust Information] DNS Name |
| NetbiosName | UnicodeString | [Trust Information] NetBIOS Name |
| DomainSid | SID | [Trust Information] Domain SID |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4866
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4866
Event ID 4867 — A trusted forest information entry was modified.
Description
A trusted forest information entry was modified.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Forest_Root | UnicodeString | [Trust Information] Forest Root. |
| Forest_Root_SID | SID | [Trust Information] Forest Root SID. |
| Operation_ID | HexInt64 | [Trust Information] Operation ID. |
| Entry_Type | UInt32 | [Trust Information] Entry Type. |
| Flags | UInt32 | [Trust Information] Flags. |
| Top_Level_Name | UnicodeString | [Trust Information] Top Level Name. |
| DNS_Name | UnicodeString | [Trust Information] DNS Name. |
| NetBIOS_Name | UnicodeString | [Trust Information] NetBIOS Name. |
| Domain_SID | SID | [Trust Information] Domain SID. |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ForestRoot | UnicodeString | [Trust Information] Forest Root |
| ForestRootSid | SID | [Trust Information] Forest Root SID |
| OperationId | HexInt64 | [Trust Information] Operation ID |
| EntryType | UInt32 | [Trust Information] Entry Type |
| TopLevelName | UnicodeString | [Trust Information] Top Level Name |
| DnsName | UnicodeString | [Trust Information] DNS Name |
| NetbiosName | UnicodeString | [Trust Information] NetBIOS Name |
| DomainSid | SID | [Trust Information] Domain SID |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4867
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4867
Event ID 4868 — The certificate manager denied a pending certificate request.
Description
The certificate manager denied a pending certificate request.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RequestId | UnicodeString | Request ID |
| SubjectUserSid | SID | — |
| SubjectUserName | UnicodeString | — |
| SubjectDomainName | UnicodeString | — |
| SubjectLogonId | HexInt64 | — |
| Request_ID | | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4868,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:08:24.594746+00:00",
"event_record_id": 16623084,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 7996
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RequestId": "25",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4868
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4868
Event ID 4869 — Certificate Services received a resubmitted certificate request.
Description
Certificate Services received a resubmitted certificate request.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RequestId | UnicodeString | Request ID |
| SubjectUserSid | SID | — |
| SubjectUserName | UnicodeString | — |
| SubjectDomainName | UnicodeString | — |
| SubjectLogonId | HexInt64 | — |
| Request_ID | | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4869,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:08:24.180321+00:00",
"event_record_id": 16623046,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 7996
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RequestId": "24",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4869
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4869
Event ID 4870 — Certificate Services revoked a certificate.
Description
Certificate Services revoked a certificate.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| CertificateSerialNumber | UnicodeString | Serial Number |
| RevocationReason | UnicodeString | Reason |
| SubjectUserSid | SID | — |
| SubjectUserName | UnicodeString | — |
| SubjectDomainName | UnicodeString | — |
| SubjectLogonId | HexInt64 | — |
| Serial_Number | | — |
| Reason | | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4870,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:33:19.492410+00:00",
"event_record_id": 16716905,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 10484
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"CertificateSerialNumber": "610000002bdea5d59e7a0734f300000000002b",
"RevocationReason": "1",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4870
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4870
Event ID 4871 — Certificate Services received a request to publish the certificate revocation list (CRL).
Description
Certificate Services received a request to publish the certificate revocation list (CRL).
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| NextUpdate | UnicodeString | Next Update |
| NextPublishForBaseCRL | UnicodeString | Publish Base |
| NextPublishForDeltaCRL | UnicodeString | Publish Delta |
| SubjectUserSid | SID | — |
| SubjectUserName | UnicodeString | — |
| SubjectDomainName | UnicodeString | — |
| SubjectLogonId | HexInt64 | — |
| Next_Update | | — |
| Publish_Base | | — |
| Publish_Delta | | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4871,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:06:22.125599+00:00",
"event_record_id": 16618007,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 10928
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"NextUpdate": "0",
"NextPublishForBaseCRL": "Yes",
"NextPublishForDeltaCRL": "No",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4871
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4871
Event ID 4872 — Certificate Services published the certificate revocation list (CRL).
Description
Certificate Services published the certificate revocation list (CRL).
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| IsBaseCRL | UnicodeString | Base CRL |
| CRLNumber | UnicodeString | CRL Number |
| KeyContainer | UnicodeString | Key Container |
| NextPublish | UnicodeString | Next Publish |
| PublishURLs | UnicodeString | Publish URLs |
| Base_CRL | UnicodeString | — |
| CRL_Number | UnicodeString | — |
| Key_Container | UnicodeString | — |
| Next_Publish | UnicodeString | — |
| Publish_URLs | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4872,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:06:22.155871+00:00",
"event_record_id": 16618025,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 11144
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"IsBaseCRL": "Yes",
"CRLNumber": "12",
"KeyContainer": "EvtGen-Root-CA",
"NextPublish": "3/20/2026 11:06 PM 22.125s",
"PublishURLs": "C:\\Windows\\system32\\CertSrv\\CertEnroll\\EvtGen-Root-CA.crl; ldap:///CN=EvtGen-Root-CA,CN=LAB-DC01,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ludus,DC=domain; http://crl.ludus.domain/crldist/EvtGen-Root-CA.crl; "
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4872
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4872
Event ID 4873 — A certificate request extension changed.
Description
A certificate request extension changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RequestId | UnicodeString | Request ID |
| ExtensionName | UnicodeString | Name |
| ExtensionDataType | UnicodeString | Type |
| ExtensionPolicyFlags | UnicodeString | Flags |
| ExtensionData | UnicodeString | Data |
| SubjectUserSid | SID | — |
| SubjectUserName | UnicodeString | — |
| SubjectDomainName | UnicodeString | — |
| SubjectLogonId | HexInt64 | — |
| Request_ID | | — |
| Name | | — |
| Type | | — |
| Flags | | — |
| Data | | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4873,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:33:40.140844+00:00",
"event_record_id": 16717578,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 13880
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RequestId": "44",
"ExtensionName": "2.5.29.17",
"ExtensionDataType": "4",
"ExtensionPolicyFlags": "0",
"ExtensionData": "MwAwADIAMAA4ADIAMQAyADYAZAA2AGYANgA0ADYAOQA2ADYANgA5ADYANQA2ADQA\r\nMgBlADYAYwA3ADUANgA0ADcANQA3ADMAMgBlADYANAA2AGYANgBkADYAMQA2ADkA\r\nNgBlAAAA\r\n",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4873
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4873
Event ID 4874 — One or more certificate request attributes changed.
Description
One or more certificate request attributes changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RequestId | UnicodeString | Request ID |
| Attributes | UnicodeString | Attributes |
| SubjectUserSid | SID | — |
| SubjectUserName | UnicodeString | — |
| SubjectDomainName | UnicodeString | — |
| SubjectLogonId | HexInt64 | — |
| Request_ID | | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4874,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:33:40.086555+00:00",
"event_record_id": 16717575,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 13880
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RequestId": "44",
"Attributes": "CertificateTemplate:WebServer\nSAN:dns=modified.ludus.domain",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4874
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4874
Event ID 4875 — Certificate Services received a request to shut down.
Description
Certificate Services received a request to shut down.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | — |
| SubjectUserName | UnicodeString | — |
| SubjectDomainName | UnicodeString | — |
| SubjectLogonId | HexInt64 | — |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4875
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4875
Event ID 4876 — Certificate Services backup started.
Description
Certificate Services backup started.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Backup_Type | | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4876,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2024-09-03T10:41:30.959534Z",
"event_record_id": 376329,
"correlation": {
"#attributes": {
"ActivityID": "D702B00C-FB0E-0000-8CB1-02D70EFBDA01"
}
},
"execution": {
"process_id": 640,
"thread_id": 4156
},
"channel": "Security",
"computer": "CDCWPKI01.rootblue.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"BackupType": "1",
"SubjectUserSid": "S-1-5-21-392370121-190461309-2151315433-1108",
"SubjectUserName": "domadm",
"SubjectDomainName": "ROOTBLUE",
"SubjectLogonId": "0x91861a6"
}
}
Detection Rules #
Splunk #
- Windows Steal Authentication Certificates CS Backup: The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB command. Monitoring this activity is crucial as unauthorized backups can indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, this activity could allow an attacker to impersonate users, escalate privileges, or access sensitive information, severely compromising the security of the environment.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4876
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4876
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4877 — Certificate Services backup completed.
Description
Certificate Services backup completed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | — |
| SubjectUserName | UnicodeString | — |
| SubjectDomainName | UnicodeString | — |
| SubjectLogonId | HexInt64 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4877,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2024-09-03T10:41:31.145540Z",
"event_record_id": 376330,
"correlation": {
"#attributes": {
"ActivityID": "D702B00C-FB0E-0000-8CB1-02D70EFBDA01"
}
},
"execution": {
"process_id": 640,
"thread_id": 4156
},
"channel": "Security",
"computer": "CDCWPKI01.rootblue.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-392370121-190461309-2151315433-1108",
"SubjectUserName": "domadm",
"SubjectDomainName": "ROOTBLUE",
"SubjectLogonId": "0x91861a6"
}
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4877
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4877
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4878 — Certificate Services restore started.
Description
Certificate Services restore started.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4878,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:07:16.319460+00:00",
"event_record_id": 16620403,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 7996
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4878
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4878
Event ID 4879 — Certificate Services restore completed.
Description
Certificate Services restore completed.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4879,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:07:16.488901+00:00",
"event_record_id": 16620407,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 10556
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4879
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4879
Event ID 4880 — Certificate Services started.
Description
Certificate Services started.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| CertificateDatabaseHash | UnicodeString | Certificate Database Hash |
| PrivateKeyUsageCount | UnicodeString | Private Key Usage Count |
| CACertificateHash | UnicodeString | CA Certificate Hash |
| CAPublicKeyHash | UnicodeString | CA Public Key Hash |
| Certificate_Database_Hash | UnicodeString | — |
| Private_Key_Usage_Count | UnicodeString | — |
| CA_Certificate_Hash | UnicodeString | — |
| CA_Public_Key_Hash | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4880,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:06:16.234546+00:00",
"event_record_id": 16617450,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 11176
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"CertificateDatabaseHash": "39 e5 71 24 c8 5b 7c 70 eb b5 fe f2 ad a7 5a 6e 86 f3 07 b7 31 99 8a b1 58 99 bd e2 05 c3 cf d8",
"PrivateKeyUsageCount": "0",
"CACertificateHash": "8e ae 36 d1 31 a0 5b f0 26 c6 a5 88 f9 49 6a 8a 61 7a f2 47",
"CAPublicKeyHash": "10 fd 42 f3 9a b3 ca e2 96 a8 46 58 af 42 91 9d 14 c5 0f 27"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4880
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4880
Event ID 4881 — Certificate Services stopped.
Description
Certificate Services stopped.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| CertificateDatabaseHash | UnicodeString | Certificate Database Hash |
| PrivateKeyUsageCount | UnicodeString | Private Key Usage Count |
| CACertificateHash | UnicodeString | CA Certificate Hash |
| CAPublicKeyHash | UnicodeString | CA Public Key Hash |
| Certificate_Database_Hash | UnicodeString | — |
| Private_Key_Usage_Count | UnicodeString | — |
| CA_Certificate_Hash | UnicodeString | — |
| CA_Public_Key_Hash | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4881,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:06:22.990852+00:00",
"event_record_id": 16618219,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 7996
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"CertificateDatabaseHash": "a0 ab 10 37 23 dd ba cf 3c 7d 38 4e dd 3a 27 c3 10 39 c7 cb 54 17 10 36 45 3a 7c 3d 63 42 83 55",
"PrivateKeyUsageCount": "0",
"CACertificateHash": "8e ae 36 d1 31 a0 5b f0 26 c6 a5 88 f9 49 6a 8a 61 7a f2 47",
"CAPublicKeyHash": "10 fd 42 f3 9a b3 ca e2 96 a8 46 58 af 42 91 9d 14 c5 0f 27"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4881
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4881
Event ID 4882 — The security permissions for Certificate Services changed.
Description
The security permissions for Certificate Services changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SecuritySettings | UnicodeString | — |
| SubjectUserSid | SID | — |
| SubjectUserName | UnicodeString | — |
| SubjectDomainName | UnicodeString | — |
| SubjectLogonId | HexInt64 | — |
Community Notes #
Records changes to a CA ACL; may indicate privilege escalation via addition of rogue accounts. Critical for detecting AD CS abuse.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4882
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4882
Event ID 4883 — Certificate Services retrieved an archived key.
Description
Certificate Services retrieved an archived key.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Request_ID | | — |
| RequestId | UnicodeString | Request ID |
| SubjectUserSid | SID | — |
| SubjectUserName | UnicodeString | — |
| SubjectDomainName | UnicodeString | — |
| SubjectLogonId | HexInt64 | — |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4883
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4883
Event ID 4884 — Certificate Services imported a certificate into its database.
Description
Certificate Services imported a certificate into its database.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Certificate | UnicodeString | Certificate |
| Request_ID | | — |
| RequestId | UnicodeString | Request ID |
| SubjectUserSid | SID | — |
| SubjectUserName | UnicodeString | — |
| SubjectDomainName | UnicodeString | — |
| SubjectLogonId | HexInt64 | — |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4884
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4884
Event ID 4885 — The audit filter for Certificate Services changed.
Description
The audit filter for Certificate Services changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Filter | | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4885,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2024-09-03T10:42:09.373562Z",
"event_record_id": 376331,
"correlation": {
"#attributes": {
"ActivityID": "D702B00C-FB0E-0000-8CB1-02D70EFBDA01"
}
},
"execution": {
"process_id": 640,
"thread_id": 4156
},
"channel": "Security",
"computer": "CDCWPKI01.rootblue.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"AuditFilter": "111",
"SubjectUserSid": "S-1-5-21-392370121-190461309-2151315433-1108",
"SubjectUserName": "domadm",
"SubjectDomainName": "ROOTBLUE",
"SubjectLogonId": "0x91861a6"
}
}
Community Notes #
May be a prelude to AD CS abuse, i.e. ESC1/ESC5.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4885
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4885
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4886 — Certificate Services received a certificate request.
Description
Certificate Services received a certificate request.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RequestId | UnicodeString | Request ID |
| Requester | UnicodeString | Requester |
| Attributes | UnicodeString | Attributes |
| Request_ID | UnicodeString | — |
| Subject | UnicodeString | — |
| SubjectAlternativeName | UnicodeString | — |
| CertificateTemplate | UnicodeString | — |
| RequestOSVersion | UnicodeString | — |
| RequestCSPProvider | UnicodeString | — |
| RequestClientInfo | UnicodeString | — |
| AuthenticationService | UnicodeString | — |
| AuthenticationLevel | UnicodeString | — |
| DCOMorRPC | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4886,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:08:24.051496+00:00",
"event_record_id": 16623040,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 10928
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RequestId": "24",
"Requester": "ludus\\domainadmin",
"Attributes": "\nccm:LAB-DC01.ludus.domain"
},
"message": ""
}
Detection Patterns #
Credential Access: Steal or Forge Authentication Certificates
Detection Rules #
Splunk #
- Windows Steal Authentication Certificates Certificate Request: The following analytic detects when a new certificate is requested from Certificate Services - AD CS. It leverages Event ID 4886, which indicates that a certificate request has been received. This activity is significant because unauthorized certificate requests can be part of credential theft or lateral movement tactics. If confirmed malicious, an attacker could use the certificate to impersonate users, gain unauthorized access to resources, or establish persistent access within the environment. Monitoring and correlating this event with other suspicious activities is crucial for identifying potential security incidents.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4886
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4886
Event ID 4887 — Certificate Services approved a certificate request and issued a certificate.
Description
Certificate Services approved a certificate request and issued a certificate.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RequestId | UnicodeString | Request ID |
| Requester | UnicodeString | Requester |
| Attributes | UnicodeString | Attributes |
| Disposition | UnicodeString | Disposition |
| SubjectKeyIdentifier | UnicodeString | SKI |
| Subject | UnicodeString | Subject |
| Request_ID | UnicodeString | — |
| SKI | UnicodeString | — |
| SubjectAlternativeName | UnicodeString | — |
| CertificateTemplate | UnicodeString | — |
| SerialNumber | UnicodeString | — |
| AuthenticationService | UnicodeString | — |
| AuthenticationLevel | UnicodeString | — |
| DCOMorRPC | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4887,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:08:24.177448+00:00",
"event_record_id": 16623045,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 7996
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RequestId": "24",
"Requester": "ludus\\domainadmin",
"Attributes": "",
"Disposition": "3",
"SubjectKeyIdentifier": "9d 2a 4f df 25 5d c3 a7 d9 77 60 94 ce 67 60 01 e3 b3 d2 5a",
"Subject": "CN=pending-test.ludus.domain"
},
"message": ""
}
Detection Patterns #
Credential Access: Steal or Forge Authentication Certificates
Detection Rules #
Splunk #
- Windows Steal Authentication Certificates Certificate Issued: The following analytic identifies the issuance of a new certificate by Certificate Services - AD CS, detected via Event ID 4887. This event logs the requester user context, DNS hostname of the requesting machine, and the request time. Monitoring this activity is crucial as it can indicate potential misuse of authentication certificates. If confirmed malicious, an attacker could use the issued certificate to impersonate users, escalate privileges, or maintain persistence within the environment. This detection helps in identifying and correlating suspicious certificate-related activities for further investigation.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4887
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4887
Event ID 4888 — Certificate Services denied a certificate request.
Description
Certificate Services denied a certificate request.
Message #
Fields #
| Name | Description |
|---|---|
| RequestId UnicodeString | Request ID |
| Requester UnicodeString | Requester |
| Attributes UnicodeString | Attributes |
| Disposition UnicodeString | Disposition |
| SubjectKeyIdentifier UnicodeString | SKI |
| Subject UnicodeString | Subject |
| Request_ID UnicodeString | — |
| SKI UnicodeString | — |
| AuthenticationService UnicodeString | — |
| AuthenticationLevel UnicodeString | — |
| DCOMorRPC UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4888,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2026-03-13T23:08:24.592652+00:00",
"event_record_id": 16623083,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 7996
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RequestId": "25",
"Requester": "ludus\\domainadmin",
"Attributes": "",
"Disposition": "2",
"SubjectKeyIdentifier": "4b ac 66 32 5d 08 03 7f ab f7 57 ef c3 3d 27 1f 3b e0 3b 01",
"Subject": ""
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4888
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4888
Event ID 4889 — Certificate Services set the status of a certificate request to pending.
Description
Certificate Services set the status of a certificate request to pending.
Message #
Fields #
| Name | Description |
|---|---|
| RequestId UnicodeString | Request ID |
| Requester UnicodeString | Requester |
| Attributes UnicodeString | Attributes |
| Disposition UnicodeString | Disposition |
| SubjectKeyIdentifier UnicodeString | SKI |
| Subject UnicodeString | Subject |
| Request_ID UnicodeString | — |
| SKI UnicodeString | — |
| AuthenticationService UnicodeString | — |
| AuthenticationLevel UnicodeString | — |
| DCOMorRPC UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4889,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:08:24.070591+00:00",
"event_record_id": 16623042,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 7996
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RequestId": "24",
"Requester": "ludus\\domainadmin",
"Attributes": "\nccm:LAB-DC01.ludus.domain",
"Disposition": "5",
"SubjectKeyIdentifier": "9d 2a 4f df 25 5d c3 a7 d9 77 60 94 ce 67 60 01 e3 b3 d2 5a",
"Subject": ""
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4889
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4889
Event ID 4890 — The certificate manager settings for Certificate Services changed.
Description
The certificate manager settings for Certificate Services changed.
Message #
Fields #
| Name | Description |
|---|---|
| Enable | — |
| EnableRestrictedPermissions UnicodeString | Enable |
| RestrictedPermissions UnicodeString | — |
| SubjectUserSid SID | — |
| SubjectUserName UnicodeString | — |
| SubjectDomainName UnicodeString | — |
| SubjectLogonId HexInt64 | — |
Community Notes #
May indicate tampering with the CA's certificate manager permissions, with the aim of issuing trusted certificates and impersonating any domain principal. Can detect AD CS abuse techniques such as ESC1. Any Subject SID that is not NT AUTHORITY\SYSTEM or an approved service identity indicates unauthorized privilege abuse.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4890
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4890
Event ID 4891 — A configuration entry changed in Certificate Services.
Description
A configuration entry changed in Certificate Services.
Message #
Fields #
| Name | Description |
|---|---|
| Node UnicodeString | Node |
| Entry UnicodeString | Entry |
| Value UnicodeString | Value |
| SubjectUserSid SID | — |
| SubjectUserName UnicodeString | — |
| SubjectDomainName UnicodeString | — |
| SubjectLogonId HexInt64 | — |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4891
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4891
Event ID 4892 — A property of Certificate Services changed.
Description
A property of Certificate Services changed.
Message #
Fields #
| Name | Description |
|---|---|
| PropertyName UnicodeString | Property |
| PropertyIndex UnicodeString | Index |
| PropertyType UnicodeString | Type |
| PropertyValue UnicodeString | Value |
| SubjectUserSid SID | — |
| SubjectUserName UnicodeString | — |
| SubjectDomainName UnicodeString | — |
| SubjectLogonId HexInt64 | — |
| Property | — |
| Index | — |
| Type | — |
| Value | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4892,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:17:14.657793+00:00",
"event_record_id": 16671442,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 13940
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"PropertyName": "29",
"PropertyIndex": "0",
"PropertyType": "4",
"PropertyValue": "EvtGen-CustomWebServer\n1.3.6.1.4.1.311.21.8.1810730.5534\nEvtGen-CustomUser\n1.3.6.1.4.1.311.21.8.7512348.7121\nDirectoryEmailReplication\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.29\nDomainControllerAuthentication\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.28\nKerberosAuthentication\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.33\nEFSRecovery\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.8\nEFS\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.6\nDomainController\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.15\nWebServer\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.16\nMachine\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.14\nUser\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.1\nSubCA\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.18\nAdministrator\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.7\nCodeSigning\n\n",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4892
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4892
Event ID 4893 — Certificate Services archived a key.
Description
Certificate Services archived a key.
Message #
Fields #
| Name | Description |
|---|---|
| Request_ID UnicodeString | — |
| Requester UnicodeString | Requester |
| KRA_Hashes UnicodeString | — |
| RequestId UnicodeString | Request ID |
| KRAHashes UnicodeString | KRA Hashes |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4893
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4893
Event ID 4894 — Certificate Services imported and archived a key.
Description
Certificate Services imported and archived a key.
Message #
Fields #
| Name | Description |
|---|---|
| Request_ID | — |
| RequestId UnicodeString | Request ID |
| SubjectUserSid SID | — |
| SubjectUserName UnicodeString | — |
| SubjectDomainName UnicodeString | — |
| SubjectLogonId HexInt64 | — |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4894
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4894
Event ID 4895 — Certificate Services published the CA certificate to Active Directory Domain Services.
Description
Certificate Services published the CA certificate to Active Directory Domain Services.
Message #
Fields #
| Name | Description |
|---|---|
| Certificate_Hash UnicodeString | — |
| Valid_From UnicodeString | — |
| Valid_To UnicodeString | — |
| CertificateHash UnicodeString | Certificate Hash |
| ValidFrom UnicodeString | Valid From |
| ValidTo UnicodeString | Valid To |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4895
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4895
Event ID 4896 — One or more rows have been deleted from the certificate database.
Description
One or more rows have been deleted from the certificate database.
Message #
Fields #
| Name | Description |
|---|---|
| TableId UnicodeString | Table ID |
| Filter UnicodeString | Filter |
| RowsDeleted UnicodeString | Rows Deleted |
| SubjectUserSid SID | — |
| SubjectUserName UnicodeString | — |
| SubjectDomainName UnicodeString | — |
| SubjectLogonId HexInt64 | — |
| Table_ID | — |
| Rows_Deleted | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4896,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:33:29.866256+00:00",
"event_record_id": 16717272,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 11540
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TableId": "0",
"Filter": "2",
"RowsDeleted": "1",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4896
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4896
Event ID 4897 — Role separation enabled: RoleSeparationEnabled.
Description
Role separation enabled: RoleSeparationEnabled.
Message #
Fields #
| Name | Description |
|---|---|
| RoleSeparationEnabled UnicodeString | Role separation enabled |
| Role_separation_enabled UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4897,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:06:16.234615+00:00",
"event_record_id": 16617451,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 11176
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"RoleSeparationEnabled": "No"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4897
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4897
Event ID 4898 — Certificate Services loaded a template.
Description
Certificate Services loaded a template.
Message #
Fields #
| Name | Description |
|---|---|
| TemplateInternalName UnicodeString | — |
| TemplateVersion UnicodeString | v |
| TemplateSchemaVersion UnicodeString | (Schema V |
| TemplateOID UnicodeString | — |
| TemplateDSObjectFQDN UnicodeString | — |
| DCDNSName UnicodeString | [Additional Information] Domain Controller |
| TemplateContent UnicodeString | [Template Information] Template Content |
| SecurityDescriptor UnicodeString | [Template Information] Security Descriptor |
| Domain_Controller | — |
| Template_Content | — |
| Security_Descriptor | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4898,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:08:24.061177+00:00",
"event_record_id": 16623041,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 10928
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"TemplateInternalName": "WebServer",
"TemplateVersion": "4.1",
"TemplateSchemaVersion": "1",
"TemplateOID": " ",
"TemplateDSObjectFQDN": "CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ludus,DC=domain",
"DCDNSName": "LAB-DC01.ludus.domain",
"TemplateContent": "\nflags = 0x10241 (66113)\n CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 0x1\n CT_FLAG_MACHINE_TYPE -- 0x40 (64)\n CT_FLAG_ADD_TEMPLATE_NAME -- 0x200 (512)\n CT_FLAG_IS_DEFAULT -- 0x10000 (65536)\n\nmsPKI-Private-Key-Flag = 0x0 (0)\n CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0x0\n TEMPLATE_SERVER_VER_NONE<<CTPRIVATEKEY_FLAG_SERVERVERSION_SHIFT -- 0x0\n TEMPLATE_CLIENT_VER_NONE<<CTPRIVATEKEY_FLAG_CLIENTVERSION_SHIFT -- 0x0\n\nmsPKI-Certificate-Name-Flag = 0x1 (1)\n CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 0x1\n\nmsPKI-Enrollment-Flag = 0x0 (0)\n\nmsPKI-Template-Schema-Version = 1\n\nrevision = 4\n\nmsPKI-Template-Minor-Revision = 1\n\npKIDefaultKeySpec = 1\n\npKIExpirationPeriod = 2 Years\n\npKIOverlapPeriod = 6 Weeks\n\ncn = WebServer\n\ndistinguishedName = WebServer\n\npKIKeyUsage = a0\n\ndisplayName = Web Server\n\ntemplateDescription = Computer\n\npKIExtendedKeyUsage =\n 1.3.6.1.5.5.7.3.1 Server Authentication\n\npKIDefaultCSPs =\n Microsoft RSA SChannel Cryptographic Provider\n Microsoft DH SChannel Cryptographic Provider\n\nmsPKI-Supersede-Templates =\n\nmsPKI-RA-Policies =\n\nmsPKI-RA-Application-Policies =\n\nmsPKI-Certificate-Policy =\n\nmsPKI-Certificate-Application-Policy =\n\npKICriticalExtensions =\n 2.5.29.15 Key Usage\n",
"SecurityDescriptor": "O:S-1-5-21-1006758700-2167138679-1475694448-519G:S-1-5-21-1006758700-2167138679-1475694448-519D:PAI(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DA)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1006758700-2167138679-1475694448-519)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-1006758700-2167138679-1475694448-519)(A;;LCRPLORC;;;AU)\n\nAllow\tludus\\Domain Admins\n\tEnroll\nAllow\tludus\\Enterprise Admins\n\tEnroll\nAllow(0x000f00ff)\tludus\\Domain Admins\n\tFull Control\nAllow(0x000f00ff)\tludus\\Enterprise Admins\n\tFull Control\nAllow(0x00020094)\tNT AUTHORITY\\Authenticated Users\n\tRead\n"
},
"message": ""
}
Detection Rules #
Sigma #
- ADCS Certificate Template Configuration Vulnerability (level: low): Detects certificate creation with template allowing risk permission subject. Also matches Event ID 4899: A Certificate Services template was updated.
- ADCS Certificate Template Configuration Vulnerability with Risky EKU (level: high): Detects certificate creation with template allowing risk permission subject and risky EKU. Also matches Event ID 4899: A Certificate Services template was updated.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4898
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4898
Event ID 4899 — A Certificate Services template was updated.
Description
A Certificate Services template was updated.
Message #
Fields #
| Name | Description |
|---|---|
| Domain_Controller | — |
| New_Template_Content | — |
| Old_Template_Content | — |
| TemplateInternalName UnicodeString | — |
| TemplateVersion UnicodeString | v |
| TemplateSchemaVersion UnicodeString | (Schema V |
| TemplateOID UnicodeString | — |
| TemplateDSObjectFQDN UnicodeString | — |
| DCDNSName UnicodeString | [Additional Information] Domain Controller |
| NewTemplateContent UnicodeString | [Template Change Information] New Template Content |
| OldTemplateContent UnicodeString | [Template Change Information] Old Template Content |
Detection Rules #
Sigma #
- ADCS Certificate Template Configuration Vulnerability (level: low): Detects certificate creation with template allowing risk permission subject. Also matches Event ID 4898: Certificate Services loaded a template.
- ADCS Certificate Template Configuration Vulnerability with Risky EKU (level: high): Detects certificate creation with template allowing risk permission subject and risky EKU. Also matches Event ID 4898: Certificate Services loaded a template.
Event ID 4900 — Certificate Services template security was updated.
Description
Certificate Services template security was updated.
Message #
Fields #
| Name | Description |
|---|---|
| Domain_Controller | — |
| New_Template_Content | — |
| New_Security_Descriptor | — |
| Old_Template_Content | — |
| Old_Security_Descriptor | — |
| TemplateInternalName UnicodeString | — |
| TemplateVersion UnicodeString | v |
| TemplateSchemaVersion UnicodeString | (Schema V |
| TemplateOID UnicodeString | — |
| TemplateDSObjectFQDN UnicodeString | — |
| DCDNSName UnicodeString | [Additional Information] Domain Controller |
| NewTemplateContent UnicodeString | [Template Change Information] New Template Content |
| NewSecurityDescriptor UnicodeString | [Template Change Information] New Security Descriptor |
| OldTemplateContent UnicodeString | [Template Change Information] Old Template Content |
| OldSecurityDescriptor UnicodeString | [Template Change Information] Old Security Descriptor |
Event ID 4902 — The Per-user audit policy table was created.
Description
The Per-user audit policy table was created.
Message #
Fields #
| Name | Description |
|---|---|
| PuaCount UInt32 | Number of Elements. |
| PuaPolicyId HexInt64 | Policy ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4902,
"version": 0,
"level": 0,
"task": 13568,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:28.032941+00:00",
"event_record_id": 2756,
"correlation": {},
"execution": {
"process_id": 808,
"thread_id": 860
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"PuaCount": 0,
"PuaPolicyId": "0xa128"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4902
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4902
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4904 — An attempt was made to register a security event source.
Description
An attempt was made to register a security event source.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | [Subject] Security ID. |
| SubjectUserName UnicodeString | [Subject] Account Name. |
| SubjectDomainName UnicodeString | [Subject] Account Domain. |
| SubjectLogonId HexInt64 | [Subject] Logon ID. |
| AuditSourceName UnicodeString | [Event Source] Source Name. |
| EventSourceId HexInt64 | [Event Source] Event Source ID. |
| ProcessId Pointer | [Process] Process ID. |
| ProcessName UnicodeString | [Process] Process Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4904,
"version": 0,
"level": 0,
"task": 13568,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-04T13:11:19.368595+00:00",
"event_record_id": 25620,
"correlation": {
"ActivityID": "7377737E-4825-0000-C974-77732548D801"
},
"execution": {
"process_id": 612,
"thread_id": 664
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WIN-TKC15D7KHUR$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"AuditSourceName": "IIS-METABASE",
"EventSourceId": "0x21062",
"ProcessId": "0x648",
"ProcessName": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe"
},
"message": ""
}
Detection Patterns #
Credential Access: Security Account Manager
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4904
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4904
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4905 — An attempt was made to unregister a security event source.
Description
An attempt was made to unregister a security event source.
Message #
Fields #
| Name | Description |
|---|---|
| Security_ID | — |
| Account_Name | — |
| Account_Domain | — |
| Logon_ID | — |
| Source_Name | [Event Source] Source Name. |
| Event_Source_ID | [Event Source] Event Source ID. |
| Process_ID | [Process] Process ID. |
| Process_Name | [Process] Process Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4905,
"version": 0,
"level": 0,
"task": 13568,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2013-10-23T16:26:16.473750Z",
"event_record_id": 135,
"correlation": {},
"execution": {
"process_id": 508,
"thread_id": 1032
},
"channel": "Security",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WIN-QALA5Q3KJ43$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"AuditSourceName": "VSSAudit",
"EventSourceId": "0xe5eb0",
"ProcessId": "0x9fc",
"ProcessName": "C:\\Windows\\System32\\VSSVC.exe"
}
}
Detection Patterns #
Credential Access: Security Account Manager
1 rule
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4905
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4905
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4906 — The CrashOnAuditFail value has changed.
Description
The CrashOnAuditFail value has changed.
Message #
Fields #
| Name | Description |
|---|---|
| CrashOnAuditFailValue UInt32 | New Value of CrashOnAuditFail |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4906
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4906
Event ID 4907 — Auditing settings on object were changed.
Description
Auditing settings on object were changed.
Message #
Fields #
| Name | Description |
|---|---|
| SubjectUserSid SID | [Subject] Security ID. |
| SubjectUserName UnicodeString | [Subject] Account Name. |
| SubjectDomainName UnicodeString | [Subject] Account Domain. |
| SubjectLogonId HexInt64 | [Subject] Logon ID. |
| ObjectServer UnicodeString | [Object] Object Server. |
| ObjectType UnicodeString | [Object] Object Type. |
| ObjectName UnicodeString | [Object] Object Name. |
| HandleId Pointer | [Object] Handle ID. |
| OldSd UnicodeString | [Auditing Settings] Original Security Descriptor. |
| NewSd UnicodeString | [Auditing Settings] New Security Descriptor. |
| ProcessId Pointer | [Process Information] Process ID. |
| ProcessName UnicodeString | [Process Information] Process Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4907,
"version": 0,
"level": 0,
"task": 13568,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:39.659624+00:00",
"event_record_id": 2879,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 228
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"ObjectServer": "Security",
"ObjectType": "File",
"ObjectName": "C:\\Windows\\Temp\\winre\\ExtractedFromWim",
"HandleId": "0x5e0",
"OldSd": "",
"NewSd": "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)",
"ProcessId": "0x590",
"ProcessName": "C:\\Windows\\System32\\oobe\\msoobe.exe"
},
"message": ""
}
Community Notes #
Captures changes to the SACL (the auditing entries of a security descriptor) on files, registry keys, and services.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4907
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4907
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4908 — Special Groups Logon table modified.
Description
Special Groups Logon table modified.
Message #
Fields #
| Name | Description |
|---|---|
| Special_Groups | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4908,
"version": 0,
"level": 0,
"task": 13568,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2020-07-12T06:01:51.798027Z",
"event_record_id": 16088364,
"correlation": {},
"execution": {
"process_id": 528,
"thread_id": 548
},
"channel": "Security",
"computer": "rootdc1.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"SidList": "-"
}
}
Community Notes #
Removing privileged SIDs from the Special Groups list will prevent Event ID 4964 (special groups assigned to a new logon) from firing for those SIDs. The event also appears at every reboot, so incident responders can compare the boot-time record against later changes.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4908
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4908
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4909 — The local policy settings for the TBS were changed.
Description
The local policy settings for the TBS were changed.
Message #
Fields #
| Name | Description |
|---|---|
| Old_Blocked_Ordinals UnicodeString | — |
| New_Blocked_Ordinals UnicodeString | — |
| OldBlockedOrdinals UnicodeString | Old Blocked Ordinals |
| NewBlockedOrdinals UnicodeString | New Blocked Ordinals |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4909
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4909
Event ID 4910 — The group policy settings for the TBS were changed.
Description
The group policy settings for the TBS were changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Old_Value | UInt32 | — |
| New_Value | UInt32 | — |
| Old_Value | UInt32 | — |
| New_Value | UInt32 | — |
| Old_Blocked_Ordinals | UnicodeString | — |
| New_Blocked_Ordinals | UnicodeString | — |
| OldIgnoreDefaultSettings | UInt32 | Old Value |
| NewIgnoreDefaultSettings | UInt32 | New Value |
| OldIgnoreLocalSettings | UInt32 | Old Value |
| NewIgnoreLocalSettings | UInt32 | New Value |
| OldBlockedOrdinals | UnicodeString | Old Blocked Ordinals |
| NewBlockedOrdinals | UnicodeString | New Blocked Ordinals |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4910
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4910
Event ID 4911 — Resource attributes of the object were changed.
Description
Resource attributes of the object were changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| ObjectServer | UnicodeString | [Object] Object Server. |
| ObjectType | UnicodeString | [Object] Object Type. |
| ObjectName | UnicodeString | [Object] Object Name. |
| HandleId | Pointer | [Object] Handle ID. |
| OldSd | UnicodeString | [Resource Attributes] Original Security Descriptor. |
| NewSd | UnicodeString | [Resource Attributes] New Security Descriptor. |
| ProcessId | Pointer | [Process Information] Process ID. |
| ProcessName | UnicodeString | [Process Information] Process Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4911,
"version": 0,
"level": 0,
"task": 13570,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T01:51:41.950925+00:00",
"event_record_id": 300251,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 5816
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"SubjectUserName": "User",
"SubjectDomainName": "WINDEV2310EVAL",
"SubjectLogonId": "0x27844",
"ObjectServer": "Security",
"ObjectType": "File",
"ObjectName": "C:\\Users\\User\\AppData\\Local\\Temp\\763cba47-20ad-4480-91e6-3dc02233f103.tmp",
"HandleId": "0x1d6c",
"OldSd": "",
"NewSd": "S:ARAI(RA;;;;;WD;(\"IMAGELOAD\",TU,0x0,1))",
"ProcessId": "0x33f0",
"ProcessName": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4911
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4911
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4912 — Per User Audit Policy was changed.
Description
Per User Audit Policy was changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Security_ID | SID | [Policy For Account] Security ID. |
| Category | UnicodeString | [Policy Change Details] Category. |
| Subcategory | UnicodeString | [Policy Change Details] Subcategory. |
| Subcategory_GUID | GUID | [Policy Change Details] Subcategory GUID. |
| Changes | UnicodeString | [Policy Change Details] Changes. |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| TargetUserSid | SID | [Policy For Account] Security ID |
| CategoryId | UnicodeString | [Policy Change Details] Category |
| SubcategoryId | UnicodeString | [Policy Change Details] Subcategory |
| SubcategoryGuid | GUID | [Policy Change Details] Subcategory GUID |
| AuditPolicyChanges | UnicodeString | [Policy Change Details] Changes |
Community Notes #
If Changes is set to None, or the change removes Failure auditing, this may be an attempt to hide activity. Pair with 4719, 4902, and 4624 to reconstruct a timeline.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4912
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4912
Event ID 4913 — Central Access Policy on the object was changed.
Description
Central Access Policy on the object was changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Object_Server | UnicodeString | [Object] Object Server. |
| Object_Type | UnicodeString | [Object] Object Type. |
| Object_Name | UnicodeString | [Object] Object Name. |
| Handle_ID | Pointer | [Object] Handle ID. |
| Original_Security_Descriptor | UnicodeString | [Central Policy ID] Original Security Descriptor. |
| New_Security_Descriptor | UnicodeString | [Central Policy ID] New Security Descriptor. |
| Process_ID | Pointer | [Process Information] Process ID. |
| Process_Name | UnicodeString | [Process Information] Process Name. |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ObjectServer | UnicodeString | [Object] Object Server |
| ObjectType | UnicodeString | [Object] Object Type |
| ObjectName | UnicodeString | [Object] Object Name |
| HandleId | Pointer | [Object] Handle ID |
| OldSd | UnicodeString | [Central Policy ID] Original Security Descriptor |
| NewSd | UnicodeString | [Central Policy ID] New Security Descriptor |
| ProcessId | Pointer | [Process Information] Process ID |
| ProcessName | UnicodeString | [Process Information] Process Name |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4913
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4913
Event ID 4928 — An Active Directory replica source naming context was established.
Description
An Active Directory replica source naming context was established.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Destination_DRA | UnicodeString | — |
| Source_DRA | UnicodeString | — |
| Source_Address | UnicodeString | — |
| Naming_Context | UnicodeString | — |
| Options | UInt64 | Options |
| Status_Code | UInt32 | — |
| DestinationDRA | UnicodeString | Destination DRA |
| SourceDRA | UnicodeString | Source DRA |
| SourceAddr | UnicodeString | Source Address |
| NamingContext | UnicodeString | Naming Context |
| StatusCode | UInt32 | Status Code |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4928
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4928
Event ID 4929 — An Active Directory replica source naming context was removed.
Description
An Active Directory replica source naming context was removed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Destination_DRA | | — |
| Source_DRA | | — |
| Source_Address | | — |
| Naming_Context | | — |
| Options | UInt64 | Options |
| Status_Code | | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4929,
"version": 1,
"level": 0,
"task": 14083,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2021-04-27T11:04:45.557748Z",
"event_record_id": 138520244,
"correlation": {
"#attributes": {
"ActivityID": "9816F041-2BBE-0000-53F0-1698BE2BD701"
}
},
"execution": {
"process_id": 548,
"thread_id": 5276
},
"channel": "Security",
"computer": "rootdc1.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"DestinationDRA": "CN=NTDS Settings,CN=ROOTDC1,CN=Servers,CN=OFFSEC-PREMISE,CN=Sites,CN=Configuration,DC=offsec,DC=lan",
"SourceDRA": "-",
"SourceAddr": "jump01.offsec.lan",
"NamingContext": "DC=offsec,DC=lan",
"Options": 16,
"StatusCode": 8452
}
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4929
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4929
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4930 — An Active Directory replica source naming context was modified.
Description
An Active Directory replica source naming context was modified.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Destination_DRA | UnicodeString | — |
| Source_DRA | UnicodeString | — |
| Source_Address | UnicodeString | — |
| Naming_Context | UnicodeString | — |
| Options | UInt64 | Options |
| Status_Code | UInt32 | — |
| DestinationDRA | UnicodeString | Destination DRA |
| SourceDRA | UnicodeString | Source DRA |
| SourceAddr | UnicodeString | Source Address |
| NamingContext | UnicodeString | Naming Context |
| StatusCode | UInt32 | Status Code |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4930
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4930
Event ID 4931 — An Active Directory replica destination naming context was modified.
Description
An Active Directory replica destination naming context was modified.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Destination_DRA | UnicodeString | — |
| Source_DRA | UnicodeString | — |
| Destination_Address | UnicodeString | — |
| Naming_Context | UnicodeString | — |
| Options | UInt64 | Options |
| Status_Code | UInt32 | — |
| DestinationDRA | UnicodeString | Destination DRA |
| SourceDRA | UnicodeString | Source DRA |
| SourceAddr | UnicodeString | Destination Address |
| NamingContext | UnicodeString | Naming Context |
| StatusCode | UInt32 | Status Code |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4931
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4931
Event ID 4932 — Synchronization of a replica of an Active Directory naming context has begun.
Description
Synchronization of a replica of an Active Directory naming context has begun.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Destination_DRA | UnicodeString | — |
| Source_DRA | UnicodeString | — |
| Naming_Context | UnicodeString | — |
| Options | UInt64 | Options |
| Session_ID | UInt32 | — |
| Start_USN | UnicodeString | — |
| DestinationDRA | UnicodeString | Destination DRA |
| SourceDRA | UnicodeString | Source DRA |
| NamingContext | UnicodeString | Naming Context |
| SessionID | UInt32 | Session ID |
| StartUSN | UnicodeString | Start USN |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4932
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4932
Event ID 4933 — Synchronization of a replica of an Active Directory naming context has ended.
Description
Synchronization of a replica of an Active Directory naming context has ended.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Destination_DRA | UnicodeString | — |
| Source_DRA | UnicodeString | — |
| Naming_Context | UnicodeString | — |
| Options | UInt64 | Options |
| Session_ID | UInt32 | — |
| End_USN | UnicodeString | — |
| Status_Code | UInt32 | — |
| DestinationDRA | UnicodeString | Destination DRA |
| SourceDRA | UnicodeString | Source DRA |
| NamingContext | UnicodeString | Naming Context |
| SessionID | UInt32 | Session ID |
| EndUSN | UnicodeString | End USN |
| StatusCode | UInt32 | Status Code |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4933
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4933
Event ID 4934 — Attributes of an Active Directory object were replicated.
Description
Attributes of an Active Directory object were replicated.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SessionID | UInt32 | Session ID |
| Object | UnicodeString | Object |
| Attribute | UnicodeString | Attribute |
| TypeOfChange | UInt32 | Type of change |
| NewValue | UnicodeString | New Value |
| USN | UnicodeString | USN |
| StatusCode | UInt32 | Status Code |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4934
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4934
Event ID 4935 — Replication failure begins.
Description
Replication failure begins.
Message #
Fields #
| Name | Description |
|---|---|
| Replication_Event | — |
| Audit_Status_Code | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4935,
"version": 0,
"level": 0,
"task": 14083,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2021-04-27T11:04:03.510255Z",
"event_record_id": 138520219,
"correlation": {
"#attributes": {
"ActivityID": "9816F041-2BBE-0000-53F0-1698BE2BD701"
}
},
"execution": {
"process_id": 548,
"thread_id": 5276
},
"channel": "Security",
"computer": "rootdc1.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"ReplicationEvent": 1,
"AuditStatusCode": 8419
}
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4935
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4935
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4936 — Replication failure ends.
Description
Replication failure ends.
Message #
Fields #
| Name | Description |
|---|---|
| Replication_Event | — |
| Audit_Status_Code | — |
| Replication_Status_Code | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4936,
"version": 0,
"level": 0,
"task": 14083,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2021-04-27T11:04:45.556800Z",
"event_record_id": 138520242,
"correlation": {
"#attributes": {
"ActivityID": "9816F041-2BBE-0000-53F0-1698BE2BD701"
}
},
"execution": {
"process_id": 548,
"thread_id": 5276
},
"channel": "Security",
"computer": "rootdc1.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"ReplicationEvent": 1,
"AuditStatusCode": 8419,
"ReplicationStatusCode": 1722
}
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4936
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4936
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4937 — A lingering object was removed from a replica.
Description
A lingering object was removed from a replica.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Destination_DRA | UnicodeString | — |
| Source_DRA | UnicodeString | — |
| Object | UnicodeString | Object |
| Options | UInt64 | Options |
| Status_Code | UInt32 | — |
| DestinationDRA | UnicodeString | Destination DRA |
| SourceDRA | UnicodeString | Source DRA |
| StatusCode | UInt32 | Status Code |
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4937
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4937
Event ID 4944 — The following policy was active when the Windows Firewall started.
Description
The following policy was active when the Windows Firewall started.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| GroupPolicyApplied | UnicodeString | Group Policy Applied |
| Profile | UnicodeString | Profile Used |
| OperationMode | UnicodeString | Operational mode |
| RemoteAdminEnabled | UnicodeString | Allow Remote Administration |
| MulticastFlowsEnabled | UnicodeString | Allow Unicast Responses to Multicast/Broadcast Traffic |
| LogDroppedPacketsEnabled | UnicodeString | [Security Logging] Log Dropped Packets |
| LogSuccessfulConnectionsEnabled | UnicodeString | [Security Logging] Log Successful Connections |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4944,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-04T13:11:21.036853+00:00",
"event_record_id": 26014,
"correlation": {
"ActivityID": "7377737E-4825-0000-C974-77732548D801"
},
"execution": {
"process_id": 612,
"thread_id": 664
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"GroupPolicyApplied": "No",
"Profile": "(null)",
"OperationMode": "On",
"RemoteAdminEnabled": "Disabled",
"MulticastFlowsEnabled": "Enabled",
"LogDroppedPacketsEnabled": "Disabled",
"LogSuccessfulConnectionsEnabled": "Disabled"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4944
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4944
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4945 — A rule was listed when the Windows Firewall started.
Description
A rule was listed when the Windows Firewall started.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProfileUsed | UnicodeString | Profile used |
| RuleId | UnicodeString | [Rule] Rule ID |
| RuleName | UnicodeString | [Rule] Rule Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4945,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-04T13:11:21.045018+00:00",
"event_record_id": 26315,
"correlation": {
"ActivityID": "7377737E-4825-0000-C974-77732548D801"
},
"execution": {
"process_id": 612,
"thread_id": 664
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileUsed": "(null)",
"RuleId": "IIS-WebServerRole-FTP-Passive-In-TCP",
"RuleName": "FTP Server Passive (FTP Passive Traffic-In)"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4945
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4945
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4946 — A change has been made to Windows Firewall exception list. A rule was added.
Description
A change was made to the Windows Firewall exception list. A rule was added.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProfileChanged | UnicodeString | Profile Changed |
| RuleId | UnicodeString | [Added Rule] Rule ID |
| RuleName | UnicodeString | [Added Rule] Rule Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4946,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-11T19:32:55.589972+00:00",
"event_record_id": 2601879,
"correlation": {
"ActivityID": "83C0A038-97BF-4A37-B9EE-DBA4C42967DF"
},
"execution": {
"process_id": 720,
"thread_id": 1048
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileChanged": "(null),(null)",
"RuleId": "{DC92C56C-4138-4D46-B25D-97D3C349B695}",
"RuleName": "@{Microsoft.DesktopAppInstaller_1.28.220.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resources/appDisplayName}"
},
"message": ""
}
Community Notes #
Logs rules that open ports or disable filtering. Attackers may add rules to enable implants to communicate with external servers.
Detection Rules #
Splunk #
- Windows Firewall Rule Added: This detection identifies instances where a Windows Firewall rule is added by monitoring Event ID 4946 in the Windows Security Event Log. Firewall rule modifications can indicate legitimate administrative actions, but they may also signal unauthorized changes, misconfigurations, or malicious activity such as attackers allowing traffic for backdoors or persistence mechanisms. By analyzing fields like RuleName, RuleId, Computer, and ProfileChanged, security teams can determine whether the change aligns with expected behavior. Correlating with user activity and process execution can help distinguish false positives from real threats, ensuring better visibility into potential security risks.
References #
Event ID 4947 — A change has been made to Windows Firewall exception list. A rule was modified.
Description
A change was made to the Windows Firewall exception list. A rule was modified.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProfileChanged | UnicodeString | Profile Changed |
| RuleId | UnicodeString | [Modified Rule] Rule ID |
| RuleName | UnicodeString | [Modified Rule] Rule Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4947,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-11T06:32:02.846637+00:00",
"event_record_id": 2461332,
"correlation": {
"ActivityID": "25EC58BA-8E8B-49D4-8250-F380547FF3D0"
},
"execution": {
"process_id": 720,
"thread_id": 1048
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileChanged": "All",
"RuleId": "WSLCore-SharedAccess-Allow-Rule",
"RuleName": "WSLCore SharedAccess Allow Rule"
},
"message": ""
}
Detection Rules #
Splunk #
- Windows Firewall Rule Modification: This detection identifies instances where a Windows Firewall rule has been modified, which may indicate an attempt to alter security policies. Unauthorized modifications can weaken firewall protections, allowing malicious traffic or preventing legitimate communications. The event logs details such as the modified rule name, protocol, ports, application path, and the user responsible for the change. Security teams should monitor unexpected modifications, correlate them with related events, and investigate anomalies to prevent unauthorized access and maintain network security integrity.
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
Event ID 4948 — A change has been made to Windows Firewall exception list. A rule was deleted.
Description
A change was made to the Windows Firewall exception list. A rule was deleted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProfileChanged | UnicodeString | Profile Changed |
| RuleId | UnicodeString | [Deleted Rule] Rule ID |
| RuleName | UnicodeString | [Deleted Rule] Rule Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4948,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-11T19:32:55.554379+00:00",
"event_record_id": 2601866,
"correlation": {
"ActivityID": "426D61B7-B34A-40F7-B81E-D2D13DCDAEDA"
},
"execution": {
"process_id": 720,
"thread_id": 1048
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileChanged": "(null),(null),(null)",
"RuleId": "{760971F9-D380-483D-AEA7-31795C69819A}",
"RuleName": "@{Microsoft.DesktopAppInstaller_1.27.470.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resources/appDisplayName}"
},
"message": ""
}
Detection Rules #
Splunk #
- Windows Firewall Rule Deletion: This detection identifies instances where a Windows Firewall rule has been deleted, potentially exposing the system to security risks. Unauthorized removal of firewall rules can indicate an attacker attempting to bypass security controls or malware disabling protections for persistence and command-and-control communication. The event logs details such as the deleted rule name, protocol, port, and the user responsible for the action. Security teams should monitor for unexpected deletions, correlate with related events, and investigate anomalies to prevent unauthorized access and maintain network security posture.
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
Event ID 4949 — Windows Firewall settings were restored to the default values.
Description
Windows Firewall settings were restored to the default values.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4949,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:28:37.812998+00:00",
"event_record_id": 16710980,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 10484
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
Event ID 4950 — A Windows Firewall setting has changed.
Description
A Windows Firewall setting was changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProfileChanged | UnicodeString | Changed Profile |
| SettingType | UnicodeString | [New Setting] Type |
| SettingValue | UnicodeString | [New Setting] Value |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"event_source_name": "",
"event_id": 4950,
"version": "0",
"level": "0",
"task": "13571",
"opcode": "0",
"keywords": 9232379236109516800,
"time_created": "2021-06-03T19:39:52.893115500Z",
"event_record_id": "1974770",
"correlation": {
"#attributes": {
"ActivityID": "{38068009-512D-0000-1D80-06382D51D701}"
}
},
"execution": {
"process_id": "556",
"thread_id": "2532"
},
"channel": "Security",
"computer": "fs01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileChanged": "Domain",
"SettingType": "Enable Windows Firewall",
"SettingValue": "Yes"
}
}
Community Notes #
Tracks changes to core settings such as disabling a profile (domain, private, public), or default block/allow behavior.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4950
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4951 — A rule has been ignored because its major version number was not recognized by Windows Firewall.
Event ID 4952 — Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall.
Description
Windows Firewall ignored parts of a rule because its minor version number is not recognized. Other parts of the rule will be enforced.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Profile | UnicodeString | Profile |
| RuleId | UnicodeString | [Partially Ignored Rule] ID |
| RuleName | UnicodeString | [Partially Ignored Rule] Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
Event ID 4953 — A rule has been ignored by Windows Firewall because it could not parse the rule.
Description
Windows Firewall ignored a rule because it could not be parsed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Profile | UnicodeString | Profile |
| ReasonForRejection | UnicodeString | Reason for Rejection |
| RuleId | UnicodeString | [Rule] ID |
| RuleName | UnicodeString | [Rule] Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4953,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2022-04-04T13:11:19.737706+00:00",
"event_record_id": 25625,
"correlation": {
"ActivityID": "7377737E-4825-0000-C974-77732548D801"
},
"execution": {
"process_id": 612,
"thread_id": 668
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"Profile": "All",
"ReasonForRejection": "An error occurred.",
"RuleId": "MDEServer-1",
"RuleName": "-"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4953
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4953
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4954 — Windows Firewall Group Policy settings has changed.
#Description
Group Policy settings for Windows Firewall were changed, and the new settings were applied.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4954,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-09T00:56:52.595949+00:00",
"event_record_id": 1628305,
"correlation": {
"ActivityID": "96A9D96E-AF5F-0001-F1D9-A9965FAFDC01"
},
"execution": {
"process_id": 828,
"thread_id": 844
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
Event ID 4956 — Windows Firewall has changed the active profile.
#Description
Windows Firewall changed the active profile.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ActiveProfile | UnicodeString | New Active Profile |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4956,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-11T06:27:32.278889+00:00",
"event_record_id": 2454199,
"correlation": {
"ActivityID": "164E10E5-B120-0003-FC10-4E1620B1DC01"
},
"execution": {
"process_id": 720,
"thread_id": 6464
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"ActiveProfile": "(null)"
},
"message": ""
}
References #
Event ID 4957 — Windows Firewall did not apply the following rule.
#Description
Windows Firewall did not apply the following rule.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RuleId | UnicodeString | [Rule Information] ID |
| RuleName | UnicodeString | [Rule Information] Name |
| RuleAttr | UnicodeString | [Error Information] Reason |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4957,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2022-04-04T13:13:38.719617+00:00",
"event_record_id": 29324,
"correlation": {
"ActivityID": "7377737E-4825-0000-C974-77732548D801"
},
"execution": {
"process_id": 612,
"thread_id": 664
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"RuleId": "CoreNet-IPHTTPS-In",
"RuleName": "Core Networking - IPHTTPS (TCP-In)",
"RuleAttr": "Local Port"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4957
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4957
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4958 — Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
Description
Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RuleId | UnicodeString | [Rule Information] ID |
| RuleName | UnicodeString | [Rule Information] Name |
| Error | UnicodeString | [Error Information] Error |
| Reason | UnicodeString | [Error Information] Reason |
References #
Event ID 4960 — IPsec dropped an inbound packet that failed an integrity check.
Event ID 4961 — IPsec dropped an inbound packet that failed a replay check.
Description
IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RemoteAddress | UnicodeString | Remote Network Address |
| SPI | UInt32 | Inbound SA SPI |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
Event ID 4962 — IPsec dropped an inbound packet that failed a replay check.
Description
IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RemoteAddress | UnicodeString | Remote Network Address |
| SPI | UInt32 | Inbound SA SPI |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
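Both 4961 and 4962 say that a persistent run of replay-check drops, not a single one, is what may indicate a replay attack. The sliding-window detector below, added as a worked example and not code from the original page, groups drops by the (RemoteAddress, SPI) pair from the field tables above and alerts once a threshold is crossed inside a time window. The threshold, window, peer addresses, SPI values and sample events are all constructed for the demo; timestamps follow the time_created format of the Example Event blocks.

```python
"""Burst detection for IPsec replay-check drops (events 4961 and 4962).

Added example; not code from the original page. One dropped packet is normal
reordering, but the descriptions above say a persistent stream may be a replay
attack, so drops are grouped by (RemoteAddress, SPI) and an alert is raised
once THRESHOLD of them fall inside WINDOW seconds. Field names follow the
tables above and timestamps follow the time_created format of the Example
Event blocks. The threshold, window and sample events are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

REPLAY_EVENTS = {4961, 4962}
THRESHOLD = 5      # drops per (remote, SPI) before alerting; tune per link quality
WINDOW = 60.0      # seconds

Key = Tuple[str, int]


def parse_ts(value: str) -> datetime:
    """Parse the page's time_created format (ISO 8601 with an offset or a trailing Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def replay_bursts(events: List[dict], threshold: int = THRESHOLD,
                  window: float = WINDOW) -> Dict[Key, datetime]:
    """Return {(RemoteAddress, SPI): time of first alert} for keys that exceed the threshold."""
    recent: Dict[Key, deque] = defaultdict(deque)
    alerts: Dict[Key, datetime] = {}
    ordered = sorted(events, key=lambda e: parse_ts(e["system"]["time_created"]))
    for ev in ordered:
        if ev["system"]["event_id"] not in REPLAY_EVENTS:
            continue
        ts = parse_ts(ev["system"]["time_created"])
        data = ev["event_data"]
        key = (data["RemoteAddress"], int(data["SPI"]))
        window_q = recent[key]
        window_q.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while (ts - window_q[0]).total_seconds() > window:
            window_q.popleft()
        if len(window_q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts


def _event(eid: int, when: datetime, remote: str, spi: int) -> dict:
    """Build a minimal event in the page's JSON shape (constructed sample)."""
    return {
        "system": {"provider": "Microsoft-Windows-Security-Auditing", "event_id": eid,
                   "channel": "Security", "computer": "fs01.offsec.lan",
                   "time_created": when.isoformat()},
        "event_data": {"RemoteAddress": remote, "SPI": spi},
    }


_T0 = datetime(2026, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
# Constructed sample: six drops in 25 s from one peer (alert), two from another (noise).
SAMPLE_EVENTS = (
    [_event(4961, _T0 + timedelta(seconds=5 * i), "10.0.0.9", 6699) for i in range(6)]
    + [_event(4962, _T0 + timedelta(seconds=40 * i), "10.0.0.20", 7001) for i in range(2)]
)

if __name__ == "__main__":
    for (remote, spi), first in replay_bursts(SAMPLE_EVENTS).items():
        print(f"replay burst from {remote} SPI {spi:#x} at {first.isoformat()}")
```

Keying on the SPI as well as the address matters: a single SA that is genuinely being replayed produces drops on one SPI, whereas a lossy link spreads them across every SA to that peer, so the two patterns separate cleanly even before tuning the threshold.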
Event ID 4963 — IPsec dropped an inbound clear text packet that should have been secured.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RemoteAddress | UnicodeString | Remote Network Address |
| SPI | UInt32 | Inbound SA SPI |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
Event ID 4964 — Special groups have been assigned to a new logon.
#Description
Special groups have been assigned to a new logon.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| LogonGuid | GUID | [Subject] Logon GUID |
| TargetUserSid | SID | [New Logon] Security ID |
| TargetUserName | UnicodeString | [New Logon] Account Name |
| TargetDomainName | UnicodeString | [New Logon] Account Domain |
| TargetLogonId | HexInt64 | [New Logon] Logon ID |
| TargetLogonGuid | GUID | [New Logon] Logon GUID |
| SidList | UnicodeString | [New Logon] Special Groups Assigned |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4964,
"version": 0,
"level": 0,
"task": 12548,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2021-04-22T08:51:04.686763Z",
"event_record_id": 435111,
"correlation": {},
"execution": {
"process_id": 480,
"thread_id": 2416
},
"channel": "Security",
"computer": "fs03vuln.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "FS03VULN$",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x3e7",
"LogonGuid": "00000000-0000-0000-0000-000000000000",
"TargetUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"TargetUserName": "admmig",
"TargetDomainName": "OFFSEC",
"TargetLogonId": "0x74872",
"TargetLogonGuid": "00000000-0000-0000-0000-000000000000",
"SidList": "\r\n\t\t%{S-1-5-21-4230534742-2542757381-3142984815-1613}"
}
}
Community Notes #
Generated only when the new logon's token contains a SID listed in the Special Groups value (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\SpecialGroups, semicolon-separated SIDs) and the Audit Special Logon subcategory is enabled. Populate that list with Domain Admins and other high-value group SIDs, then alert on 4964 from non-DC hosts; SidList carries the matched SIDs as %{SID} tokens, as in the example above.
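The detection described above, written out as an added example (not code from the original page): parse the %{SID} tokens out of SidList exactly as the example event formats them, resolve them against a group-name map, and report any 4964 raised on a host that is not a domain controller. The SID-to-name map, the DC host list, the workstation names and the two extra sample events are constructed; the page's own example event is reproduced as the first sample.

```python
"""Flag special-group logons (event 4964) to hosts that are not domain controllers.

Added example; not code from the original page. SidList arrives as whitespace
plus "%{SID}" tokens, exactly as the example above shows, so it is parsed with
a regex rather than split on newlines. The SID-to-name map, the DC host list
and the extra sample events are constructed for the demo; the -1613 group name
in particular is made up.
"""
import re
from typing import Dict, List, Set, Tuple

SID_TOKEN = re.compile(r"%\{(S-1-[0-9-]+)\}")

# Constructed lookup. Well-known RIDs 512/519 are Domain/Enterprise Admins;
# the -1613 entry is the custom group from the example event. Resolve from AD in practice.
SID_NAMES: Dict[str, str] = {
    "S-1-5-21-4230534742-2542757381-3142984815-512": "Domain Admins",
    "S-1-5-21-4230534742-2542757381-3142984815-519": "Enterprise Admins",
    "S-1-5-21-4230534742-2542757381-3142984815-1613": "Tier0-Operators (constructed name)",
}
DOMAIN_CONTROLLERS: Set[str] = {"dc01.offsec.lan", "dc02.offsec.lan"}

Finding = Tuple[str, str, List[str]]   # (host, DOMAIN\\account, group names)


def parse_sid_list(raw: str) -> List[str]:
    """Return the SIDs inside a 4964 SidList value, in order, ignoring the CR/LF/tab padding."""
    return SID_TOKEN.findall(raw)


def special_logons(events: List[dict], dc_hosts: Set[str] = DOMAIN_CONTROLLERS) -> List[Finding]:
    """Return one finding per 4964 event raised on a non-DC host."""
    findings: List[Finding] = []
    for ev in events:
        if ev["system"]["event_id"] != 4964:
            continue
        host = ev["system"]["computer"].lower()
        if host in dc_hosts:
            continue          # privileged logons to DCs are expected; tune to taste
        data = ev["event_data"]
        account = f"{data['TargetDomainName']}\\{data['TargetUserName']}"
        sids = parse_sid_list(data.get("SidList", ""))
        findings.append((host, account, [SID_NAMES.get(s, s) for s in sids]))
    return findings


def _event(computer: str, user: str, sid_list: str) -> dict:
    """Minimal 4964 in the page's JSON shape (constructed sample)."""
    return {
        "system": {"provider": "Microsoft-Windows-Security-Auditing", "event_id": 4964,
                   "channel": "Security", "computer": computer},
        "event_data": {"TargetUserName": user, "TargetDomainName": "OFFSEC", "SidList": sid_list},
    }


_DOM = "S-1-5-21-4230534742-2542757381-3142984815"
SAMPLE_EVENTS = [
    # The page's own example: admmig on fs03vuln with the custom -1613 group.
    _event("fs03vuln.offsec.lan", "admmig", f"\r\n\t\t%{{{_DOM}-1613}}"),
    # Constructed: Domain Admin on a DC, which is expected and filtered out.
    _event("dc01.offsec.lan", "da-backup", f"\r\n\t\t%{{{_DOM}-512}}"),
    # Constructed: two privileged groups on a workstation.
    _event("ws05.offsec.lan", "jsmith", f"\r\n\t\t%{{{_DOM}-512}}\r\n\t\t%{{{_DOM}-519}}"),
]

if __name__ == "__main__":
    for host, account, groups in special_logons(SAMPLE_EVENTS):
        print(f"{account} logged on to {host} with: {', '.join(groups)}")
```

Unknown SIDs are reported as-is rather than dropped, so a newly created group that was added to the Special Groups list but not yet to the name map still surfaces.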
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4964
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-special-logon
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4965 — IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI).
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RemoteAddress | UnicodeString | Remote Network Address |
| SPI | UInt32 | Inbound SA SPI |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
Event ID 4976 — During Main Mode negotiation, IPsec received an invalid negotiation packet.
Description
During main mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalAddress | UnicodeString | Local Network Address |
| RemoteAddress | UnicodeString | Remote Network Address |
| KeyModName | UnicodeString | Keying Module Name |
References #
Event ID 4977 — During Quick Mode negotiation, IPsec received an invalid negotiation packet.
Description
During quick mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalAddress | UnicodeString | Local Network Address |
| RemoteAddress | UnicodeString | Remote Network Address |
| KeyModName | UnicodeString | Keying Module Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-quick-mode
Event ID 4978 — During Extended Mode negotiation, IPsec received an invalid negotiation packet.
Description
During extended mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalAddress | UnicodeString | Local Network Address |
| RemoteAddress | UnicodeString | Remote Network Address |
| KeyModName | UnicodeString | Keying Module Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode
Event ID 4979 — IPsec Main Mode and Extended Mode security associations were established.
Description
IPsec main mode and extended mode security associations were established.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalMMPrincipalName | UnicodeString | [Main Mode Local Endpoint] Principal Name |
| RemoteMMPrincipalName | UnicodeString | [Main Mode Remote Endpoint] Principal Name |
| LocalAddress | UnicodeString | [Main Mode Local Endpoint] Network Address |
| LocalKeyModPort | UInt32 | [Main Mode Local Endpoint] Keying Module Port |
| RemoteAddress | UnicodeString | [Main Mode Remote Endpoint] Network Address |
| RemoteKeyModPort | UInt32 | [Main Mode Remote Endpoint] Keying Module Port |
| MMAuthMethod | UnicodeString | [Main Mode Additional Information] Authentication Method |
| MMCipherAlg | UnicodeString | [Main Mode Cryptographic Information] Cipher Algorithm |
| MMIntegrityAlg | UnicodeString | [Main Mode Cryptographic Information] Integrity Algorithm |
| DHGroup | UnicodeString | [Main Mode Cryptographic Information] Diffie-Hellman Group |
| MMLifetime | UInt32 | [Main Mode Security Association] Lifetime (minutes) |
| QMLimit | UInt32 | [Main Mode Security Association] Quick Mode Limit |
| Role | UnicodeString | [Main Mode Additional Information] Role |
| MMImpersonationState | UnicodeString | [Main Mode Additional Information] Impersonation State |
| MMFilterID | UInt64 | [Main Mode Additional Information] Main Mode Filter ID |
| MMSAID | UInt64 | [Main Mode Security Association] Main Mode SA ID |
| LocalEMPrincipalName | UnicodeString | [Extended Mode Information] Local Principal Name |
| RemoteEMPrincipalName | UnicodeString | [Extended Mode Information] Remote Principal Name |
| EMAuthMethod | UnicodeString | [Extended Mode Information] Authentication Method |
| EMImpersonationState | UnicodeString | [Extended Mode Information] Impersonation State |
| QMFilterID | UInt64 | [Extended Mode Information] Quick Mode Filter ID |
References #
Event ID 4980 — IPsec Main Mode and Extended Mode security associations were established.
Description
IPsec main mode and extended mode security associations were established.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalMMPrincipalName | UnicodeString | [Main Mode Local Endpoint] Principal Name |
| RemoteMMPrincipalName | UnicodeString | [Main Mode Remote Endpoint] Principal Name |
| LocalAddress | UnicodeString | [Main Mode Local Endpoint] Network Address |
| LocalKeyModPort | UInt32 | [Main Mode Local Endpoint] Keying Module Port |
| RemoteAddress | UnicodeString | [Main Mode Remote Endpoint] Network Address |
| RemoteKeyModPort | UInt32 | [Main Mode Remote Endpoint] Keying Module Port |
| MMAuthMethod | UnicodeString | [Main Mode Additional Information] Authentication Method |
| MMCipherAlg | UnicodeString | [Main Mode Cryptographic Information] Cipher Algorithm |
| MMIntegrityAlg | UnicodeString | [Main Mode Cryptographic Information] Integrity Algorithm |
| DHGroup | UnicodeString | [Main Mode Cryptographic Information] Diffie-Hellman Group |
| MMLifetime | UInt32 | [Main Mode Security Association] Lifetime (minutes) |
| QMLimit | UInt32 | [Main Mode Security Association] Quick Mode Limit |
| Role | UnicodeString | [Main Mode Additional Information] Role |
| MMImpersonationState | UnicodeString | [Main Mode Additional Information] Impersonation State |
| MMFilterID | UInt64 | [Main Mode Additional Information] Main Mode Filter ID |
| MMSAID | UInt64 | [Main Mode Security Association] Main Mode SA ID |
| LocalEMPrincipalName | UnicodeString | [Extended Mode Local Endpoint] Principal Name |
| LocalEMCertHash | UnicodeString | [Extended Mode Local Endpoint] Certificate SHA Thumbprint |
| LocalEMIssuingCA | UnicodeString | [Extended Mode Local Endpoint] Certificate Issuing CA |
| LocalEMRootCA | UnicodeString | [Extended Mode Local Endpoint] Certificate Root CA |
| RemoteEMPrincipalName | UnicodeString | [Extended Mode Remote Endpoint] Principal Name |
| RemoteEMCertHash | UnicodeString | [Extended Mode Remote Endpoint] Certificate SHA Thumbprint |
| RemoteEMIssuingCA | UnicodeString | [Extended Mode Remote Endpoint] Certificate Issuing CA |
| RemoteEMRootCA | UnicodeString | [Extended Mode Remote Endpoint] Certificate Root CA |
| EMImpersonationState | UnicodeString | [Extended Mode Additional Information] Impersonation State |
| QMFilterID | UInt64 | [Extended Mode Additional Information] Quick Mode Filter ID |
References #
Event ID 4981 — IPsec Main Mode and Extended Mode security associations were established.
Description
IPsec main mode and extended mode security associations were established.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalMMPrincipalName | UnicodeString | [Local Endpoint] Principal Name |
| LocalMMCertHash | UnicodeString | [Local Certificate] SHA Thumbprint |
| LocalMMIssuingCA | UnicodeString | [Local Certificate] Issuing CA |
| LocalMMRootCA | UnicodeString | [Local Certificate] Root CA |
| RemoteMMPrincipalName | UnicodeString | [Remote Endpoint] Principal Name |
| RemoteMMCertHash | UnicodeString | [Remote Certificate] SHA Thumbprint |
| RemoteMMIssuingCA | UnicodeString | [Remote Certificate] Issuing CA |
| RemoteMMRootCA | UnicodeString | [Remote Certificate] Root CA |
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalKeyModPort | UInt32 | [Local Endpoint] Keying Module Port |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteKeyModPort | UInt32 | [Remote Endpoint] Keying Module Port |
| MMCipherAlg | UnicodeString | [Cryptographic Information] Cipher Algorithm |
| MMIntegrityAlg | UnicodeString | [Cryptographic Information] Integrity Algorithm |
| DHGroup | UnicodeString | [Cryptographic Information] Diffie-Hellman Group |
| MMLifetime | UInt32 | [Security Association Information] Lifetime (minutes) |
| QMLimit | UInt32 | [Security Association Information] Quick Mode Limit |
| Role | UnicodeString | [Additional Information] Role |
| MMImpersonationState | UnicodeString | [Additional Information] Impersonation State |
| MMFilterID | UInt64 | [Additional Information] Main Mode Filter ID |
| MMSAID | UInt64 | [Security Association Information] Main Mode SA ID |
| LocalEMPrincipalName | UnicodeString | [Extended Mode Information] Local Principal Name |
| RemoteEMPrincipalName | UnicodeString | [Extended Mode Information] Remote Principal Name |
| EMAuthMethod | UnicodeString | [Extended Mode Information] Authentication Method |
| EMImpersonationState | UnicodeString | [Extended Mode Information] Impersonation State |
| QMFilterID | UInt64 | [Extended Mode Information] Quick Mode Filter ID |
References #
Event ID 4982 — IPsec Main Mode and Extended Mode security associations were established.
Description
IPsec main mode and extended mode security associations were established.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalMMPrincipalName | UnicodeString | [Local Endpoint] Principal Name |
| LocalMMCertHash | UnicodeString | [Local Certificate] SHA Thumbprint |
| LocalMMIssuingCA | UnicodeString | [Local Certificate] Issuing CA |
| LocalMMRootCA | UnicodeString | [Local Certificate] Root CA |
| RemoteMMPrincipalName | UnicodeString | [Remote Endpoint] Principal Name |
| RemoteMMCertHash | UnicodeString | [Remote Certificate] SHA Thumbprint |
| RemoteMMIssuingCA | UnicodeString | [Remote Certificate] Issuing CA |
| RemoteMMRootCA | UnicodeString | [Remote Certificate] Root CA |
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalKeyModPort | UInt32 | [Local Endpoint] Keying Module Port |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteKeyModPort | UInt32 | [Remote Endpoint] Keying Module Port |
| MMCipherAlg | UnicodeString | [Cryptographic Information] Cipher Algorithm |
| MMIntegrityAlg | UnicodeString | [Cryptographic Information] Integrity Algorithm |
| DHGroup | UnicodeString | [Cryptographic Information] Diffie-Hellman Group |
| MMLifetime | UInt32 | [Security Association Information] Lifetime (minutes) |
| QMLimit | UInt32 | [Security Association Information] Quick Mode Limit |
| Role | UnicodeString | [Additional Information] Role |
| MMImpersonationState | UnicodeString | [Additional Information] Impersonation State |
| MMFilterID | UInt64 | [Additional Information] Main Mode Filter ID |
| MMSAID | UInt64 | [Security Association Information] Main Mode SA ID |
| LocalEMPrincipalName | UnicodeString | [Extended Mode Local Endpoint] Principal Name |
| LocalEMCertHash | UnicodeString | [Extended Mode Local Endpoint] Certificate SHA Thumbprint |
| LocalEMIssuingCA | UnicodeString | [Extended Mode Local Endpoint] Certificate Issuing CA |
| LocalEMRootCA | UnicodeString | [Extended Mode Local Endpoint] Certificate Root CA |
| RemoteEMPrincipalName | UnicodeString | [Extended Mode Remote Endpoint] Principal Name |
| RemoteEMCertHash | UnicodeString | [Extended Mode Remote Endpoint] Certificate SHA Thumbprint |
| RemoteEMIssuingCA | UnicodeString | [Extended Mode Remote Endpoint] Certificate Issuing CA |
| RemoteEMRootCA | UnicodeString | [Extended Mode Remote Endpoint] Certificate Root CA |
| EMImpersonationState | UnicodeString | [Extended Mode Additional Information] Impersonation State |
| QMFilterID | UInt64 | [Extended Mode Additional Information] Quick Mode Filter ID |
References #
Event ID 4983 — An IPsec Extended Mode negotiation failed.
Description
An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalEMPrincipalName | UnicodeString | [Local Endpoint] Principal Name |
| LocalEMCertHash | UnicodeString | [Local Certificate] SHA Thumbprint |
| LocalEMIssuingCA | UnicodeString | [Local Certificate] Issuing CA |
| LocalEMRootCA | UnicodeString | [Local Certificate] Root CA |
| RemoteEMPrincipalName | UnicodeString | [Remote Endpoint] Principal Name |
| RemoteEMCertHash | UnicodeString | [Remote Certificate] SHA Thumbprint |
| RemoteEMIssuingCA | UnicodeString | [Remote Certificate] Issuing CA |
| RemoteEMRootCA | UnicodeString | [Remote Certificate] Root CA |
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalKeyModPort | UInt32 | [Local Endpoint] Keying Module Port |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteKeyModPort | UInt32 | [Remote Endpoint] Keying Module Port |
| FailurePoint | UnicodeString | [Failure Information] Failure Point |
| FailureReason | UnicodeString | [Failure Information] Failure Reason |
| State | UnicodeString | [Failure Information] State |
| Role | UnicodeString | [Additional Information] Role |
| EMImpersonationState | UnicodeString | [Additional Information] Impersonation State |
| QMFilterID | UInt64 | [Additional Information] Quick Mode Filter ID |
References #
Event ID 4984 — An IPsec Extended Mode negotiation failed.
Description
An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalEMPrincipalName | UnicodeString | [Local Endpoint] Principal Name |
| RemoteEMPrincipalName | UnicodeString | [Remote Endpoint] Principal Name |
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalKeyModPort | UInt32 | [Local Endpoint] Keying Module Port |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteKeyModPort | UInt32 | [Remote Endpoint] Keying Module Port |
| FailurePoint | UnicodeString | [Failure Information] Failure Point |
| FailureReason | UnicodeString | [Failure Information] Failure Reason |
| EMAuthMethod | UnicodeString | [Additional Information] Authentication Method |
| State | UnicodeString | [Failure Information] State |
| Role | UnicodeString | [Additional Information] Role |
| EMImpersonationState | UnicodeString | [Additional Information] Impersonation State |
| QMFilterID | UInt64 | [Additional Information] Quick Mode Filter ID |
References #
Event ID 4985 — The state of a transaction has changed.
#Description
The state of a transaction has changed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| TransactionId | GUID | [Transaction Information] RM Transaction ID |
| NewState | UInt32 | [Transaction Information] New State |
| ResourceManager | GUID | [Transaction Information] Resource Manager |
| ProcessId | Pointer | [Process Information] Process ID |
| ProcessName | UnicodeString | [Process Information] Process Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4985,
"version": 0,
"level": 0,
"task": 12800,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-04T14:08:17.810656+00:00",
"event_record_id": 34392,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 3104
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1958040314-2592322477-2606035944-500",
"SubjectUserName": "Administrator",
"SubjectDomainName": "WIN-TKC15D7KHUR",
"SubjectLogonId": "0x33bf51",
"TransactionId": "B1B0A54B-B418-11EC-8F27-080027EAB5C7",
"NewState": 52,
"ResourceManager": "64ED659C-9BDD-11EC-AFD4-9083472C0AE8",
"ProcessId": "0x12c8",
"ProcessName": "C:\\Windows\\System32\\inetsrv\\InetMgr.exe"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4985
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4985
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5024 — The Windows Firewall Service has started successfully.
#Description
The Windows Firewall service started successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5024,
"version": 0,
"level": 0,
"task": 12292,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:51.345615+00:00",
"event_record_id": 2947,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 896
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5024
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5024
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5025 — The Windows Firewall Service has been stopped.
Description
The Windows Firewall service was stopped.
Message #
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 5027 — The Windows Firewall Service was unable to retrieve the security policy from the local storage.
Event ID 5028 — The Windows Firewall Service was unable to parse the new security policy.
Description
Windows Firewall was unable to parse the new security policy. Windows Firewall will continue to enforce the current policy.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ErrorCode | UInt32 | Error Code |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 5029 — The Windows Firewall Service failed to initialize the driver.
Description
The Windows Firewall service failed to initialize the driver. Windows Firewall will continue to enforce the current policy.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ErrorCode | UInt32 | Error Code |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 5030 — The Windows Firewall Service failed to start.
Description
The Windows Firewall service failed to start.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ErrorCode | UInt32 | Error Code |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 5031 — The Windows Firewall Service blocked an application from accepting incoming connections on the network.
#Description
Windows Firewall blocked an application from accepting incoming connections on the network.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Profiles | UnicodeString | Profiles (bitmask flags) |
| Application | UnicodeString | Application |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5031,
"version": 0,
"level": 0,
"task": 12810,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2026-03-13T22:02:00.253205+00:00",
"event_record_id": 16477825,
"correlation": {
"ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
},
"execution": {
"process_id": 936,
"thread_id": 5688
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Profiles": "(null)",
"Application": "C:\\windows\\system32\\wbem\\wmiprvse.exe"
},
"message": ""
}
References #
Event ID 5032 — Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
Description
Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ErrorCode | UInt32 | Error Code |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 5033 — The Windows Firewall Driver has started successfully.
#Description
The Windows Firewall Driver started successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5033,
"version": 0,
"level": 0,
"task": 12292,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:42.319074+00:00",
"event_record_id": 2907,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 224
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5033
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5033
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5034 — The Windows Firewall Driver has been stopped.
Description
The Windows Firewall Driver was stopped.
Message #
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 5035 — The Windows Firewall Driver failed to start.
Description
The Windows Firewall Driver failed to start.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ErrorCode | UInt32 | Error Code |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 5037 — The Windows Firewall Driver detected critical runtime error.
Description
The Windows Firewall Driver detected a critical runtime error, terminating.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ErrorCode | UInt32 | Error Code |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 5038 — Code integrity determined that the image hash of a file is not valid.
#Description
Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | File Name. The rendered message labels this FileName, but the raw EventData field is param1 (see the example below), so parsers and queries must key on param1. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5038,
"version": 0,
"level": 0,
"task": 12290,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2026-03-08T23:22:33.111223+00:00",
"event_record_id": 1559738,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 4964
},
"channel": "Security",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\145.0.3800.97\\prefs_enclave_x64.dll"
},
"message": ""
}
Community Notes #
Can indicate an attempt to load a tampered or unsigned driver or system file, but it also fires for plain disk corruption and for signed third-party software caught mid-update (the example above is an Edge WebView component). Triage on the path, the file's current signature and the count per file rather than on a single event.
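A triage helper for 5038 along the lines of the note above, added here as an example and not code from the original page. It converts the NT device path in param1 to a drive-letter path, ranks each rejected image by where it lives, and counts repeats so a burst of hits on one file stands out from a lone event. The volume-to-drive map, the severity policy, the host name and the driver file sample.sys are constructed for the demo; the Edge WebView path is the one from the example event.

```python
"""Triage event 5038 (code integrity: invalid image hash) by path and frequency.

Added example; not code from the original page. The file path arrives in the
raw EventData field param1 as an NT device path (\\Device\\HarddiskVolumeN\\...),
as the example above shows. The volume-to-drive map, the sample events and the
severity policy are constructed for the demo; the driver path sample.sys is made up.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

DEVICE_PATH = re.compile(r"^\\Device\\HarddiskVolume(\d+)\\(.*)$", re.IGNORECASE)

# Constructed: on a real host take this from `mountvol` / fsutil volume output.
VOLUME_MAP: Dict[str, str] = {"4": "C:"}


def to_win32_path(nt_path: str, volume_map: Dict[str, str] = VOLUME_MAP) -> str:
    """Rewrite \\Device\\HarddiskVolumeN\\x as <drive>\\x; unknown volumes are returned unchanged."""
    match = DEVICE_PATH.match(nt_path)
    if not match:
        return nt_path
    drive = volume_map.get(match.group(1))
    return f"{drive}\\{match.group(2)}" if drive else nt_path


def severity(win_path: str) -> str:
    """Rank a 5038 by where the rejected image lives (one reasonable policy, not Microsoft guidance)."""
    lowered = win_path.lower()
    if "\\windows\\system32\\drivers\\" in lowered or lowered.endswith(".sys"):
        return "high"      # kernel-mode code failing its hash check
    if "\\windows\\" in lowered:
        return "medium"    # OS binaries outside the driver directory
    return "low"           # third-party user-mode code, e.g. an in-place product update


def triage(events: List[dict]) -> Dict[str, Tuple[int, str]]:
    """Return {win32 path: (occurrences, severity)} for the 5038 events in the batch."""
    counts: Counter = Counter()
    for ev in events:
        if ev["system"]["event_id"] != 5038:
            continue
        counts[to_win32_path(ev["event_data"]["param1"])] += 1
    return {path: (n, severity(path)) for path, n in counts.items()}


def _event(computer: str, nt_path: str) -> dict:
    """Minimal 5038 in the page's JSON shape (constructed sample)."""
    return {
        "system": {"provider": "Microsoft-Windows-Security-Auditing", "event_id": 5038,
                   "channel": "Security", "computer": computer},
        "event_data": {"param1": nt_path},
    }


# The page's own example path (Edge WebView update) repeated, plus a constructed driver.
EDGE_NT = ("\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\EdgeWebView"
           "\\Application\\145.0.3800.97\\prefs_enclave_x64.dll")
DRIVER_NT = "\\Device\\HarddiskVolume4\\Windows\\System32\\drivers\\sample.sys"
SAMPLE_EVENTS = [_event("LAB-WIN11.ludus.domain", EDGE_NT)] * 3 + [_event("LAB-WIN11.ludus.domain", DRIVER_NT)]

if __name__ == "__main__":
    for path, (n, sev) in triage(SAMPLE_EVENTS).items():
        print(f"[{sev}] x{n} {path}")
```

Unmapped volumes are passed through untouched so that removable media and VHD mounts still show up, with their raw NT path, instead of silently collapsing into one bucket.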
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
Event ID 5039 — A registry key was virtualized.
Description
A registry key was virtualized.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ObjectPath | UnicodeString | [Object] Key Name |
| ObjectVirtualPath | UnicodeString | [Object] Virtual Key Name |
| ProcessId | Pointer | [Process Information] Process ID |
| ProcessName | UnicodeString | [Process Information] Process Name |
References #
Event ID 5040 — A change has been made to IPsec settings. An Authentication Set was added.
Description
A change was made to IPsec settings. An authentication set was added.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProfileChanged | UnicodeString | Profile Changed (Known values) |
| AuthenticationSetId | UnicodeString | [Added Authentication Set] ID |
| AuthenticationSetName | UnicodeString | [Added Authentication Set] Name |
References #
Event ID 5041 — A change has been made to IPsec settings. An Authentication Set was modified.
Description
A change was made to IPsec settings. An authentication set was modified.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProfileChanged | UnicodeString | Profile Changed (Known values) |
| AuthenticationSetId | UnicodeString | [Modified Authentication Set] ID |
| AuthenticationSetName | UnicodeString | [Modified Authentication Set] Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5042 — A change has been made to IPsec settings. An Authentication Set was deleted.
Description
A change was made to IPsec settings. An authentication set was deleted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProfileChanged | UnicodeString | Profile Changed (Known values) |
| AuthenticationSetId | UnicodeString | [Deleted Authentication Set] ID |
| AuthenticationSetName | UnicodeString | [Deleted Authentication Set] Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5043 — A change has been made to IPsec settings. A Connection Security Rule was added.
Description
A change was made to IPsec settings. A connection security rule was added.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProfileChanged | UnicodeString | Profile Changed (Known values) |
| ConnectionSecurityRuleId | UnicodeString | [Added Connection Security Rule] ID |
| ConnectionSecurityRuleName | UnicodeString | [Added Connection Security Rule] Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5043,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:18:50.849068+00:00",
"event_record_id": 16258903,
"correlation": {
"ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
},
"execution": {
"process_id": 968,
"thread_id": 8880
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileChanged": "All",
"ConnectionSecurityRuleId": "{381d54cc-2531-403f-a16e-a1703049dcb4}",
"ConnectionSecurityRuleName": "EvtGen-IPsec-Test"
},
"message": ""
}
References #
Event ID 5044 — A change has been made to IPsec settings. A Connection Security Rule was modified.
Description
A change was made to IPsec settings. A connection security rule was modified.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProfileChanged | UnicodeString | Profile Changed (Known values) |
| ConnectionSecurityRuleId | UnicodeString | [Modified Connection Security Rule] ID |
| ConnectionSecurityRuleName | UnicodeString | [Modified Connection Security Rule] Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5045 — A change has been made to IPsec settings. A Connection Security Rule was deleted.
Description
A change was made to IPsec settings. A connection security rule was deleted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProfileChanged | UnicodeString | Profile Changed (Known values) |
| ConnectionSecurityRuleId | UnicodeString | [Deleted Connection Security Rule] ID |
| ConnectionSecurityRuleName | UnicodeString | [Deleted Connection Security Rule] Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5045,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:19:58.877712+00:00",
"event_record_id": 16285930,
"correlation": {
"ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
},
"execution": {
"process_id": 968,
"thread_id": 1100
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileChanged": "All",
"ConnectionSecurityRuleId": "{381d54cc-2531-403f-a16e-a1703049dcb4}",
"ConnectionSecurityRuleName": "EvtGen-IPsec-Test"
},
"message": ""
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5046 — A change has been made to IPsec settings. A Crypto Set was added.
Description
A change was made to IPsec settings. A crypto set was added.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProfileChanged | UnicodeString | Profile Changed (Known values) |
| CryptographicSetId | UnicodeString | [Added Crypto Set] ID |
| CryptographicSetName | UnicodeString | [Added Crypto Set] Name |
References #
Event ID 5047 — A change has been made to IPsec settings. A Crypto Set was modified.
Description
A change was made to IPsec settings. A crypto set was modified.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProfileChanged | UnicodeString | Profile Changed (Known values) |
| CryptographicSetId | UnicodeString | [Modified Crypto Set] ID |
| CryptographicSetName | UnicodeString | [Modified Crypto Set] Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5048 — A change has been made to IPsec settings. A Crypto Set was deleted.
Description
A change was made to IPsec settings. A crypto set was deleted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProfileChanged | UnicodeString | Profile Changed (Known values) |
| CryptographicSetId | UnicodeString | [Deleted Crypto Set] ID |
| CryptographicSetName | UnicodeString | [Deleted Crypto Set] Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5049 — An IPsec Security Association was deleted.
Description
An IPsec security association was deleted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProfileChanged | UnicodeString | Profile Changed (Known values) |
| IpSecSecurityAssociationId | UnicodeString | [Deleted SA] ID |
| IpSecSecurityAssociationName | UnicodeString | [Deleted SA] Name |
References #
Event ID 5050 — An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE) interface was rejected.
Event ID 5051 — A file was virtualized.
Description
A file was virtualized.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| FileName | UnicodeString | [Object] File Name |
| VirtualFileName | UnicodeString | [Object] Virtual File Name |
| ProcessId | Pointer | [Process Information] Process ID |
| ProcessName | UnicodeString | [Process Information] Process Name |
References #
Event ID 5056 — A cryptographic self test was performed.
Description
A cryptographic self test was performed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| Module | UnicodeString | Module |
| ReturnCode | HexInt32 | Return Code |
References #
Event ID 5057 — A cryptographic primitive operation failed.
Description
A cryptographic primitive operation failed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ProviderName | UnicodeString | [Cryptographic Parameters] Provider Name |
| AlgorithmName | UnicodeString | [Cryptographic Parameters] Algorithm Name |
| Reason | UnicodeString | [Failure Information] Reason |
| ReturnCode | HexInt32 | [Failure Information] Return Code |
References #
Event ID 5058 — Key file operation.
Description
Key file operation.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ClientProcessId | UInt32 | [Process Information] Process ID |
| ClientCreationTime | FILETIME | [Process Information] Process Creation Time |
| ProviderName | UnicodeString | [Cryptographic Parameters] Provider Name |
| AlgorithmName | UnicodeString | [Cryptographic Parameters] Algorithm Name |
| KeyName | UnicodeString | [Cryptographic Parameters] Key Name |
| KeyType | UnicodeString | [Cryptographic Parameters] Key Type (Known values) |
| KeyFilePath | UnicodeString | [Key File Operation Information] File Path |
| Operation | UnicodeString | [Key File Operation Information] Operation (Known values) |
| ReturnCode | HexInt32 | [Key File Operation Information] Return Code |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5058,
"version": 1,
"level": 0,
"task": 12292,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:39.883187+00:00",
"event_record_id": 2882,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 856
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"ClientProcessId": 1612,
"ClientCreationTime": "2023-11-06T06:25:38.635483Z",
"ProviderName": "Microsoft Software Key Storage Provider",
"AlgorithmName": "UNKNOWN",
"KeyName": "b87f845a-3278-6909-ee85-d3025f077fea",
"KeyType": "%%2500",
"KeyFilePath": "C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\fb28f36d176f9b9a964a506f1b386c99_31383106-803d-411b-9763-a28cdc0f0c3f",
"Operation": "%%2458",
"ReturnCode": "0x0"
},
"message": ""
}
Detection Rules #
Kusto Query Language #
- Certified Pre-Owned - backup of CA private key - rule 1 (medium): This query identifies someone who performs a read operation of the CA key from the file.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5058
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5058
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5059 — Key migration operation.
Description
Key migration operation.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ClientProcessId | UInt32 | [Process Information] Process ID |
| ClientCreationTime | FILETIME | [Process Information] Process Creation Time |
| ProviderName | UnicodeString | [Cryptographic Parameters] Provider Name |
| AlgorithmName | UnicodeString | [Cryptographic Parameters] Algorithm Name |
| KeyName | UnicodeString | [Cryptographic Parameters] Key Name |
| KeyType | UnicodeString | [Cryptographic Parameters] Key Type (Known values) |
| Operation | UnicodeString | [Additional Information] Operation (Known values) |
| ReturnCode | HexInt32 | [Additional Information] Return Code |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5059,
"version": 1,
"level": 0,
"task": 12292,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:39.884224+00:00",
"event_record_id": 2884,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 856
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"ClientProcessId": 1612,
"ClientCreationTime": "2023-11-06T06:25:38.635483Z",
"ProviderName": "Microsoft Software Key Storage Provider",
"AlgorithmName": "RSA",
"KeyName": "b87f845a-3278-6909-ee85-d3025f077fea",
"KeyType": "%%2500",
"Operation": "%%2464",
"ReturnCode": "0x0"
},
"message": ""
}
Detection Rules #
Kusto Query Language #
- Certified Pre-Owned - backup of CA private key - rule 2 (medium): This query identifies someone who performs a backup of the CA key.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5059
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5059
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5060 — Verification operation failed.
Description
Verification operation failed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ProviderName | UnicodeString | [Cryptographic Parameters] Provider Name |
| AlgorithmName | UnicodeString | [Cryptographic Parameters] Algorithm Name |
| KeyName | UnicodeString | [Cryptographic Parameters] Key Name |
| KeyType | UnicodeString | [Cryptographic Parameters] Key Type (Known values) |
| Reason | UnicodeString | [Failure Information] Reason |
| ReturnCode | HexInt32 | [Failure Information] Return Code |
References #
Event ID 5061 — Cryptographic operation.
Description
Cryptographic operation.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ProviderName | UnicodeString | [Cryptographic Parameters] Provider Name |
| AlgorithmName | UnicodeString | [Cryptographic Parameters] Algorithm Name |
| KeyName | UnicodeString | [Cryptographic Parameters] Key Name |
| KeyType | UnicodeString | [Cryptographic Parameters] Key Type (Known values) |
| Operation | UnicodeString | [Cryptographic Operation] Operation (Known values) |
| ReturnCode | HexInt32 | [Cryptographic Operation] Return Code |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5061,
"version": 0,
"level": 0,
"task": 12290,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:39.884031+00:00",
"event_record_id": 2883,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 856
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"ProviderName": "Microsoft Software Key Storage Provider",
"AlgorithmName": "RSA",
"KeyName": "b87f845a-3278-6909-ee85-d3025f077fea",
"KeyType": "%%2500",
"Operation": "%%2480",
"ReturnCode": "0x0"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5061
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5061
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5062 — A kernel-mode cryptographic self test was performed.
Event ID 5063 — A cryptographic provider operation was attempted.
Description
A cryptographic provider operation was attempted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | UInt64 | [Subject] Logon ID |
| ProviderName | UnicodeString | [Cryptographic Provider] Name |
| ModuleName | UnicodeString | [Cryptographic Provider] Module |
| Operation | UnicodeString | Operation (Known values) |
| ReturnCode | UInt32 | Return Code |
References #
Event ID 5064 — A cryptographic context operation was attempted.
Description
A cryptographic context operation was attempted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | UInt64 | [Subject] Logon ID |
| Scope | UnicodeString | [Configuration Parameters] Scope |
| ContextName | UnicodeString | [Configuration Parameters] Context |
| Operation | UnicodeString | Operation (Known values) |
| ReturnCode | UInt32 | Return Code |
References #
Event ID 5065 — A cryptographic context modification was attempted.
Description
A cryptographic context modification was attempted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | UInt64 | [Subject] Logon ID |
| Scope | UnicodeString | [Configuration Parameters] Scope |
| ContextName | UnicodeString | [Configuration Parameters] Context |
| OldValue | UInt32 | [Change Information] Old Value |
| NewValue | UInt32 | [Change Information] New Value |
| ReturnCode | UInt32 | Return Code |
References #
Event ID 5066 — A cryptographic function operation was attempted.
Description
A cryptographic function operation was attempted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | UInt64 | [Subject] Logon ID |
| Scope | UnicodeString | [Configuration Parameters] Scope |
| ContextName | UnicodeString | [Configuration Parameters] Context |
| InterfaceId | UnicodeString | [Configuration Parameters] Interface |
| FunctionName | UnicodeString | [Configuration Parameters] Function |
| Position | UInt32 | [Configuration Parameters] Position |
| Operation | UnicodeString | Operation (Known values) |
| ReturnCode | UInt32 | Return Code |
References #
Event ID 5067 — A cryptographic function modification was attempted.
Description
A cryptographic function modification was attempted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | UInt64 | [Subject] Logon ID |
| Scope | UnicodeString | [Configuration Parameters] Scope |
| ContextName | UnicodeString | [Configuration Parameters] Context |
| InterfaceId | UnicodeString | [Configuration Parameters] Interface |
| FunctionName | UnicodeString | [Configuration Parameters] Function |
| OldValue | UInt32 | [Change Information] Old Value |
| NewValue | UInt32 | [Change Information] New Value |
| ReturnCode | UInt32 | Return Code |
References #
Event ID 5068 — A cryptographic function provider operation was attempted.
Description
A cryptographic function provider operation was attempted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | UInt64 | [Subject] Logon ID |
| Scope | UnicodeString | [Configuration Parameters] Scope |
| ContextName | UnicodeString | [Configuration Parameters] Context |
| InterfaceId | UnicodeString | [Configuration Parameters] Interface |
| FunctionName | UnicodeString | [Configuration Parameters] Function |
| ProviderName | UnicodeString | [Configuration Parameters] Provider |
| Position | UInt32 | [Configuration Parameters] Position |
| Operation | UnicodeString | Operation (Known values) |
| ReturnCode | UInt32 | Return Code |
References #
Event ID 5069 — A cryptographic function property operation was attempted.
Description
A cryptographic function property operation was attempted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | UInt64 | [Subject] Logon ID |
| Scope | UnicodeString | [Configuration Parameters] Scope |
| ContextName | UnicodeString | [Configuration Parameters] Context |
| InterfaceId | UnicodeString | [Configuration Parameters] Interface |
| FunctionName | UnicodeString | [Configuration Parameters] Function |
| PropertyName | UnicodeString | [Configuration Parameters] Property |
| Operation | UnicodeString | Operation (Known values) |
| Value | UnicodeString | Value |
| ReturnCode | UInt32 | Return Code |
References #
Event ID 5070 — A cryptographic function property modification was attempted.
Description
A cryptographic function property modification was attempted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | UInt64 | [Subject] Logon ID |
| Scope | UnicodeString | [Configuration Parameters] Scope |
| ContextName | UnicodeString | [Configuration Parameters] Context |
| InterfaceId | UnicodeString | [Configuration Parameters] Interface |
| FunctionName | UnicodeString | [Configuration Parameters] Function |
| PropertyName | UnicodeString | [Configuration Parameters] Property |
| OldValue | UnicodeString | [Change Information] Old Value |
| NewValue | UnicodeString | [Change Information] New Value |
| ReturnCode | UInt32 | Return Code |
References #
Event ID 5071 — Key access denied by Microsoft key distribution service.
Description
Key access denied by Microsoft key distribution service.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| SecurityDescriptor | UnicodeString | Security Descriptor |
Event ID 5120 — OCSP Responder Service Started.
Description
OCSP Responder Service Started.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5120,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2020-07-11T09:20:46.158376Z",
"event_record_id": 1207920,
"correlation": {
"#attributes": {
"ActivityID": "2FEE2C3A-4F79-0001-502C-EE2F794FD601"
}
},
"execution": {
"process_id": 576,
"thread_id": 3212
},
"channel": "Security",
"computer": "pki01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {}
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5121 — OCSP Responder Service Stopped.
Description
OCSP Responder Service Stopped.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5121,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2020-07-11T09:20:43.401378Z",
"event_record_id": 1207901,
"correlation": {
"#attributes": {
"ActivityID": "2FEE2C3A-4F79-0001-502C-EE2F794FD601"
}
},
"execution": {
"process_id": 576,
"thread_id": 3212
},
"channel": "Security",
"computer": "pki01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {}
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5122 — A Configuration entry changed in the OCSP Responder Service.
Description
A Configuration entry changed in the OCSP Responder Service.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| CAConfigurationId | UnicodeString | CA Configuration ID |
| NewValue | UnicodeString | New Value |
| SubjectUserSid | SID | — |
| SubjectUserName | UnicodeString | — |
| SubjectDomainName | UnicodeString | — |
| SubjectLogonId | HexInt64 | — |
References #
Event ID 5123 — A configuration entry changed in the OCSP Responder Service.
Description
A configuration entry changed in the OCSP Responder Service.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| PropertyName | UnicodeString | Property Name |
| NewValue | UnicodeString | New Value |
| SubjectUserSid | SID | — |
| SubjectUserName | UnicodeString | — |
| SubjectDomainName | UnicodeString | — |
| SubjectLogonId | HexInt64 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5123,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2020-07-11T09:21:24.702958Z",
"event_record_id": 1207931,
"correlation": {
"#attributes": {
"ActivityID": "2FEE2C3A-4F79-0001-502C-EE2F794FD601"
}
},
"execution": {
"process_id": 576,
"thread_id": 3544
},
"channel": "Security",
"computer": "pki01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"PropertyName": "MaxNumOfCacheEntries",
"NewValue": "5000",
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"SubjectUserName": "admmig",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x477ac56"
}
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5123
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5124 — A security setting was updated on OCSP Responder Service.
Description
A security setting was updated on OCSP Responder Service.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| NewSecuritySettings | UnicodeString | New Value |
| SubjectUserSid | SID | — |
| SubjectUserName | UnicodeString | — |
| SubjectDomainName | UnicodeString | — |
| SubjectLogonId | HexInt64 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5124,
"version": 0,
"level": 0,
"task": 12805,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2020-07-11T09:21:50.109681Z",
"event_record_id": 1207947,
"correlation": {
"#attributes": {
"ActivityID": "2FEE2C3A-4F79-0001-502C-EE2F794FD601"
}
},
"execution": {
"process_id": 576,
"thread_id": 3544
},
"channel": "Security",
"computer": "pki01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"NewSecuritySettings": "\nAllow(0x00000101)\tBUILTIN\\Administrators\n\tOCSP Administrator\n\tRead\nAllow(0x00000300)\tIIS APPPOOL\\OCSPISAPIAppPool\n\tRead\n\tOCSP Requestor\n",
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"SubjectUserName": "admmig",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x477ac56"
}
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5124
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5125 — A request was submitted to OCSP Responder Service.
Description
A request was submitted to OCSP Responder Service.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SerialNumber | UnicodeString | Certificate Serial Number |
| CAName | UnicodeString | Issuer CA Name |
| Status | UnicodeString | Revocation Status (NTSTATUS reference) |
| SubjectUserSid | SID | — |
| SubjectUserName | UnicodeString | — |
| SubjectDomainName | UnicodeString | — |
| SubjectLogonId | HexInt64 | — |
Event ID 5126 — Signing Certificate was automatically updated by the OCSP Responder Service.
Event ID 5127 — The OCSP Revocation Provider successfully updated the revocation information.
Description
The OCSP Revocation Provider successfully updated the revocation information.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| CAConfigurationId | UnicodeString | CA Configuration ID |
| BaseCRLNumber | UnicodeString | Base CRL Number |
| BaseCRLThisUpdate | UnicodeString | Base CRL This Update |
| BaseCRLHash | UnicodeString | Base CRL Hash |
| DeltaCRLNumber | UnicodeString | Delta CRL Number |
| DeltaCRLIndicator | UnicodeString | Delta CRL Indicator |
| DeltaCRLThisUpdate | UnicodeString | Delta CRL This Update |
| DeltaCRLHash | UnicodeString | Delta CRL Hash |
References #
Event ID 5136 — A directory service object was modified.
Description
A directory service object was modified.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| OpCorrelationID | GUID | [Operation] Correlation ID |
| AppCorrelationID | UnicodeString | [Operation] Application Correlation ID |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| DSName | UnicodeString | [Directory Service] Name |
| DSType | UnicodeString | [Directory Service] Type (Known values) |
| ObjectDN | UnicodeString | [Object] DN |
| ObjectGUID | GUID | [Object] GUID |
| ObjectClass | UnicodeString | [Object] Class |
| AttributeLDAPDisplayName | UnicodeString | [Attribute] LDAP Display Name |
| AttributeSyntaxOID | UnicodeString | [Attribute] Syntax (OID) |
| AttributeValue | UnicodeString | [Attribute] Value |
| OperationType | UnicodeString | [Operation] Type (Known values) |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5136,
"version": 0,
"level": 0,
"task": 14081,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2019-03-25T10:33:56.457629Z",
"event_record_id": 198238043,
"correlation": {},
"execution": {
"process_id": 444,
"thread_id": 3488
},
"channel": "Security",
"computer": "DC1.insecurebank.local",
"security": {
"user_id": ""
}
},
"event_data": {
"OpCorrelationID": "780EA6E1-6307-48D6-8B0D-8C45CC7534AE",
"AppCorrelationID": "-",
"SubjectUserSid": "S-1-5-21-738609754-2819869699-4189121830-1108",
"SubjectUserName": "bob",
"SubjectDomainName": "insecurebank",
"SubjectLogonId": "0x8d7099",
"DSName": "insecurebank.local",
"DSType": "%%14676",
"ObjectDN": "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=INSECUREBANK,DC=LOCAL",
"ObjectGUID": "6CDECDB5-7515-4511-8141-C34A7C3D4A0A",
"ObjectClass": "groupPolicyContainer",
"AttributeLDAPDisplayName": "versionNumber",
"AttributeSyntaxOID": "2.5.5.9",
"AttributeValue": "5",
"OperationType": "%%14675"
}
}
Detection Patterns #
- Startup Logon Script Added
- Kerberos Coercion Via DNS
- Persistence: Account Manipulation
- Potential Kerberos Coercion
- Defense Evasion: Rogue Domain Controller
Community Notes #
May indicate high-impact changes in AD, like adding SID history or malicious GPOs. Attribute change to msDS-AllowedToActOnBehalfOfOtherIdentity is usually suspicious and indicates a Kerberos relay attack.
Detection Rules #
Sigma #
- Powerview Add-DomainObjectAcl DCSync AD Extend Right (high): Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
- Windows Default Domain GPO Modification (medium): Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
- Group Policy Abuse for Privilege Addition (medium): Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
- Suspicious LDAP-Attributes Used (high): Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
- Possible Shadow Credentials Added (high): Detects possible addition of shadow credentials to an active directory object.
Elastic #
- Potential Active Directory Replication Account Backdoor (medium): Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer.
- Potential Shadow Credentials added to AD Object (high): Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.
- User account exposed to Kerberoasting (medium): Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principal Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.
- AdminSDHolder Backdoor (high): Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.
- AdminSDHolder SDProp Exclusion Added (high): Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.
- Delegated Managed Service Account Modification by an Unusual User (high): Detects modifications in the msDS-ManagedAccountPrecededByLink attribute of a delegated managed service account by an unusual subject account. Attackers can abuse this attribute to take over the permission of a target account and inherit its permissions allowing them to further elevate privileges.
- Modification of the msPKIAccountCredentials (medium): Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.
Splunk #
- Windows AD AdminSDHolder ACL Modified: The following analytic detects modifications to the Access Control List (ACL) of the AdminSDHolder object in a Windows domain, specifically the addition of new rules. It leverages EventCode 5136 from the Security Event Log, focusing on changes to the nTSecurityDescriptor attribute. This activity is significant because the AdminSDHolder object secures privileged group members, and unauthorized changes can allow attackers to establish persistence and escalate privileges. If confirmed malicious, this could enable an attacker to control domain-level permissions, compromising the entire Active Directory environment.
- Windows AD Dangerous Deny ACL Modification: This detection identifies an Active Directory access-control list (ACL) modification event, which applies permissions that deny the ability to enumerate permissions of the object.
- Windows AD Dangerous Group ACL Modification: This detection monitors the addition of the following ACLs to an Active Directory group object: "Full control", "All extended rights", "All validated writes", "Create all child objects", "Delete all child objects", "Delete subtree", "Delete", "Modify permissions", "Modify owner", and "Write all properties". Such modifications can indicate potential privilege escalation or malicious activity. Immediate investigation is recommended upon alert.
- Windows AD Dangerous User ACL Modification: This detection monitors the addition of the following ACLs to an Active Directory user object: "Full control", "All extended rights", "All validated writes", "Create all child objects", "Delete all child objects", "Delete subtree", "Delete", "Modify permissions", "Modify owner", "Write all properties". Such modifications can indicate potential privilege escalation or malicious activity. Immediate investigation is recommended upon alert.
- Windows AD DCShadow Privileges ACL Addition: This detection identifies an Active Directory access-control list (ACL) modification event, which applies the minimum required extended rights to perform the DCShadow attack.
- Windows AD Domain Replication ACL Addition: The following analytic detects the addition of permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set. It leverages EventCode 5136 from the Windows Security Event Log to identify when these permissions are granted. This activity is significant because it indicates potential preparation for a DCSync attack, which can be used to replicate AD objects and exfiltrate sensitive data. If confirmed malicious, an attacker could gain extensive access to Active Directory, leading to severe data breaches and privilege escalation.
- Windows AD Domain Root ACL Deletion: ACL deletion performed on the domain root object, significant AD change with high impact. Following MS guidance all changes at this level should be reviewed. Drill into the logonID within EventCode 4624 for information on the source device during triage.
- Windows AD Domain Root ACL Modification: ACL modification performed on the domain root object, significant AD change with high impact. Following MS guidance all changes at this level should be reviewed. Drill into the logonID within EventCode 4624 for information on the source device during triage.
- Windows AD GPO Deleted: This detection identifies when an Active Directory Group Policy is deleted using the Group Policy Management Console.
- Windows AD GPO Disabled: This detection identifies when an Active Directory Group Policy is disabled using the Group Policy Management Console.
- Windows AD GPO New CSE Addition: This detection identifies when a new client side extension is added to an Active Directory Group Policy using the Group Policy Management Console.
- Windows AD Hidden OU Creation: This analytic is looking for when an ACL is applied to an OU which denies listing the objects residing in the OU. This activity combined with modifying the owner of the OU will hide AD objects even from domain administrators.
- Windows AD Object Owner Updated: AD Object Owner Updated. The owner provides Full control level privileges over the target AD Object. This event has significant impact alone and is also a precursor activity for hiding an AD object.
- Windows AD Self DACL Assignment: Detect when a user creates a new DACL in AD for their own AD object.
- Windows AD ServicePrincipalName Added To Domain Account: The following analytic detects the addition of a Service Principal Name (SPN) to a domain account. It leverages Windows Event Code 5136 and monitors changes to the servicePrincipalName attribute. This activity is significant because it may indicate an attempt to perform Kerberoasting, a technique where attackers extract and crack service account passwords offline. If confirmed malicious, this could allow an attacker to obtain cleartext passwords, leading to unauthorized access and potential lateral movement within the domain environment.
- Windows AD Short Lived Domain Account ServicePrincipalName: The following analytic identifies the addition and quick deletion of a Service Principal Name (SPN) to a domain account within 5 minutes. This detection leverages EventCode 5136 from the Windows Security Event Log, focusing on changes to the servicePrincipalName attribute. This activity is significant as it may indicate an attempt to perform Kerberoasting, a technique used to crack the cleartext password of a domain account offline. If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive information or escalate privileges within the domain environment.
- Windows AD Short Lived Domain Controller SPN Attribute: The following analytic detects the temporary addition of a global catalog SPN or a DRS RPC SPN to an Active Directory computer object, indicative of a potential DCShadow attack. This detection leverages EventCode 5136 from the `wineventlog_security` data source, focusing on specific SPN attribute changes. This activity is significant as DCShadow attacks allow attackers with privileged access to register rogue Domain Controllers, enabling unauthorized changes to the AD infrastructure. If confirmed malicious, this could lead to unauthorized replication of changes, including credentials and keys, compromising the entire domain's security. (Also matches Event ID 4624: An account was successfully logged on.)
- Windows AD SID History Attribute Modified: The following analytic detects modifications to the SID History attribute in Active Directory by leveraging event code 5136. This detection uses logs from the `wineventlog_security` data source to identify changes to the sIDHistory attribute. Monitoring this activity is crucial as the SID History attribute can be exploited by adversaries to inherit permissions from other accounts, potentially granting unauthorized access. If confirmed malicious, this activity could allow attackers to maintain persistent access and escalate privileges within the domain, posing a significant security risk.
- Windows AD Suspicious Attribute Modification: This detection monitors changes to the following Active Directory attributes: "msDS-AllowedToDelegateTo", "msDS-AllowedToActOnBehalfOfOtherIdentity", "msDS-KeyCredentialLink", "scriptPath", and "msTSInitialProgram". Modifications to these attributes can indicate potential malicious activity or privilege escalation attempts. Immediate investigation is recommended upon alert.
- Windows Default Group Policy Object Modified: The following analytic detects modifications to default Group Policy Objects (GPOs) using Event ID 5136. It monitors changes to the `Default Domain Controllers Policy` and `Default Domain Policy`, which are critical for enforcing security settings across domain controllers and all users/computers, respectively. This activity is significant because unauthorized changes to these GPOs can indicate an adversary with privileged access attempting to deploy persistence mechanisms or execute malware across the network. If confirmed malicious, such modifications could lead to widespread compromise, allowing attackers to maintain control and execute arbitrary code on numerous hosts.
Kusto Query Language #
- AdminSDHolder Modifications (high): This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. AdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory. This query searches for the event id 5136 where the Object DN is AdminSDHolder. Ref: https://netwrix.com/en/cybersecurity-glossary/cyber-security-attacks/adminsdholder-attack/
- Possible Resource-Based Constrained Delegation Abuse (medium): This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. This query checks for event id 5136 that the Object Class field is "computer" and the LDAP Display Name is "msDS-AllowedToActOnBehalfOfOtherIdentity" which is an indicator of Resource-based constrained delegation. Ref: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
- Service Principal Name (SPN) Assigned to User Account (medium): This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. This query checks for event id 5136, that the Object Class field is "user" and the LDAP Display Name is "servicePrincipalName". Ref: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
- Exchange OAB Virtual Directory Attribute Containing Potential Webshell (high): This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065. This query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services where the new objects contain potential webshell objects.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5136
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5137 — A directory service object was created.
Description
A directory service object was created.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| OpCorrelationID | GUID | [Operation] Correlation ID |
| AppCorrelationID | UnicodeString | [Operation] Application Correlation ID |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| DSName | UnicodeString | [Directory Service] Name |
| DSType | UnicodeString | [Directory Service] Type |
| ObjectDN | UnicodeString | [Object] DN |
| ObjectGUID | GUID | [Object] GUID |
| ObjectClass | UnicodeString | [Object] Class |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5137,
"version": 0,
"level": 0,
"task": 14081,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2021-04-27T11:04:13.291038Z",
"event_record_id": 138520223,
"correlation": {
"#attributes": {
"ActivityID": "9816F041-2BBE-0000-53F0-1698BE2BD701"
}
},
"execution": {
"process_id": 548,
"thread_id": 4324
},
"channel": "Security",
"computer": "rootdc1.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"OpCorrelationID": "B960A203-A3DF-4586-A2ED-740024D6C42A",
"AppCorrelationID": "-",
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"SubjectUserName": "admmig",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x31a24611",
"DSName": "offsec.lan",
"DSType": "%%14676",
"ObjectDN": "CN=JUMP01,CN=Servers,CN=OFFSEC-PREMISE,CN=Sites,CN=Configuration,DC=offsec,DC=lan",
"ObjectGUID": "590B1EF4-6143-4C18-B554-1EE0A59BB7F8",
"ObjectClass": "server"
}
}
Detection Patterns #
- Kerberos Coercion Via DNS
- Potential Kerberos Coercion
- Defense Evasion: Rogue Domain Controller
Community Notes #
May indicate high-impact changes in AD.
Detection Rules #
Elastic #
- Potential ADIDNS Poisoning via Wildcard Record Creation (high): Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.
- Potential WPAD Spoofing via DNS Record Creation (medium): Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the Global Query Block List (GQBL) and create a "wpad" record to exploit hosts running WPAD with default settings for privilege escalation and lateral movement.
- Creation of a DNS-Named Record (low): Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target systems that are requested from multiple systems. They can also create specific records to target specific services, such as wpad, for spoofing attacks.
- dMSA Account Creation by an Unusual User (high): Detects the creation of a delegated Managed Service Account by an unusual subject account. Attackers can abuse the dMSA account migration feature to elevate privileges abusing weak permission allowing users child objects rights or msDS-DelegatedManagedServiceAccount rights.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5137
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5138 — A directory service object was undeleted.
Description
A directory service object was undeleted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| OpCorrelationID | GUID | [Operation] Correlation ID |
| AppCorrelationID | UnicodeString | [Operation] Application Correlation ID |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| DSName | UnicodeString | [Directory Service] Name |
| DSType | UnicodeString | [Directory Service] Type |
| OldObjectDN | UnicodeString | [Object] Old DN |
| NewObjectDN | UnicodeString | [Object] New DN |
| ObjectGUID | GUID | [Object] GUID |
| ObjectClass | UnicodeString | [Object] Class |
References #
Event ID 5139 — A directory service object was moved.
Description
A directory service object was moved.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| OpCorrelationID | GUID | [Operation] Correlation ID |
| AppCorrelationID | UnicodeString | [Operation] Application Correlation ID |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| DSName | UnicodeString | [Directory Service] Name |
| DSType | UnicodeString | [Directory Service] Type |
| OldObjectDN | UnicodeString | [Object] Old DN |
| NewObjectDN | UnicodeString | [Object] New DN |
| ObjectGUID | GUID | [Object] GUID |
| ObjectClass | UnicodeString | [Object] Class |
Community Notes #
May indicate high-impact changes in AD.
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes
Event ID 5140 — A network share object was accessed.
Description
A network share object was accessed.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ObjectType | UnicodeString | [Network Information] Object Type |
| IpAddress | UnicodeString | [Network Information] Source Address |
| IpPort | UnicodeString | [Network Information] Source Port |
| ShareName | UnicodeString | [Share Information] Share Name |
| ShareLocalPath | UnicodeString | [Share Information] Share Path |
| AccessMask | HexInt32 | [Access Request Information] Access Mask |
| AccessList | UnicodeString | [Access Request Information] Accesses |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5140,
"version": 1,
"level": 0,
"task": 12808,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T01:51:58.721534+00:00",
"event_record_id": 300935,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 17692
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"SubjectUserName": "User",
"SubjectDomainName": "WINDEV2310EVAL",
"SubjectLogonId": "0x27844",
"ObjectType": "File",
"IpAddress": "::1",
"IpPort": "62726",
"ShareName": "\\\\*\\C$",
"ShareLocalPath": "\\??\\C:\\",
"AccessMask": "0x1",
"AccessList": "%%4416\r\n\t\t\t\t"
},
"message": ""
}
Detection Patterns #
Community Notes #
Tracks who is accessing shared folders on the network. Very noisy.
Detection Rules #
Sigma #
- Access To ADMIN$ Network Share (low): Detects access to ADMIN$ network share
Splunk #
- Network Share Discovery Via Dir Command: The following analytic detects access to Windows administrative SMB shares (Admin$, IPC$, C$) using the 'dir' command. It leverages Windows Security Event Logs with EventCode 5140 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed by adversaries for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to propagate malware, such as IcedID, across the network, leading to widespread infection and potential data breaches.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5140
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5141 — A directory service object was deleted.
Description
A directory service object was deleted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| OpCorrelationID | GUID | [Operation] Correlation ID |
| AppCorrelationID | UnicodeString | [Operation] Application Correlation ID |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| DSName | UnicodeString | [Directory Service] Name |
| DSType | UnicodeString | [Directory Service] Type |
| ObjectDN | UnicodeString | [Object] DN |
| ObjectGUID | GUID | [Object] GUID |
| ObjectClass | UnicodeString | [Object] Class |
| TreeDelete | UnicodeString | [Operation] Tree Delete |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5141,
"version": 0,
"level": 0,
"task": 14081,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T23:09:16.430494+00:00",
"event_record_id": 16632112,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 724
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"OpCorrelationID": "B2C1C1B5-B65D-4E48-B5C7-AD55815CDF5D",
"AppCorrelationID": "-",
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xbefec",
"DSName": "ludus.domain",
"DSType": "%%14676",
"ObjectDN": "CN=testaudit2,CN=Users,DC=ludus,DC=domain",
"ObjectGUID": "E352E021-AD2D-40D3-B617-37AEF7687FFD",
"ObjectClass": "user",
"TreeDelete": "%%14679"
},
"message": ""
}
Detection Patterns #
- Defense Evasion: Rogue Domain Controller
References #
Event ID 5142 — A network share object was added.
Description
A network share object was added.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ShareName | UnicodeString | [Share Information] Share Name |
| ShareLocalPath | UnicodeString | [Share Information] Share Path |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5142,
"version": 0,
"level": 0,
"task": 12808,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2019-03-17T19:30:30.324836Z",
"event_record_id": 6273,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 64
},
"channel": "Security",
"computer": "PC04.example.corp",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-3583694148-1414552638-2922671848-1000",
"SubjectUserName": "IEUser",
"SubjectDomainName": "PC04",
"SubjectLogonId": "0x128a9",
"ShareName": "\\\\*\\PRINT",
"ShareLocalPath": "c:\\windows\\system32"
}
}
Community Notes #
May be a prelude to data exfiltration. Includes named pipes and IPC$ (confirm if the client address is external/unexpected). May indicate share enumeration and directory walking prior to exfiltration. The RelativeTargetName field may show the original file name and path on the attacker's machine.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5142
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5143 — A network share object was modified.
Description
A network share object was modified.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ObjectType | UnicodeString | [Share Information] Object Type |
| ShareName | UnicodeString | [Share Information] Share Name |
| ShareLocalPath | UnicodeString | [Share Information] Share Path |
| OldRemark | UnicodeString | [Share Information] Old Remark |
| NewRemark | UnicodeString | [Share Information] New Remark |
| OldMaxUsers | HexInt32 | [Share Information] Old MaxUsers |
| NewMaxUsers | HexInt32 | [Share Information] New MaxUsers |
| OldShareFlags | HexInt32 | [Share Information] Old ShareFlags |
| NewShareFlags | HexInt32 | [Share Information] New ShareFlags |
| OldSD | UnicodeString | [Share Information] Old SD |
| NewSD | UnicodeString | [Share Information] New SD |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5143,
"version": 0,
"level": 0,
"task": 12808,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2020-07-11T17:17:32.128132Z",
"event_record_id": 1228290,
"correlation": {},
"execution": {
"process_id": 464,
"thread_id": 472
},
"channel": "Security",
"computer": "fs02.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
"SubjectUserName": "admmig",
"SubjectDomainName": "OFFSEC",
"SubjectLogonId": "0x202dac8",
"ObjectType": "Directory",
"ShareName": "\\\\*\\hidden-share$",
"ShareLocalPath": "C:\\TOOLS\\hidden-share$",
"OldRemark": "N/A",
"NewRemark": "N/A",
"OldMaxUsers": "0xffffffff",
"NewMaxUsers": "0xffffffff",
"OldShareFlags": "0x0",
"NewShareFlags": "0x0",
"OldSD": "O:BAG:DUD:(A;;0x1200a9;;;WD)",
"NewSD": "O:BAG:DUD:(A;;FA;;;S-1-5-21-4230534742-2542757381-3142984815-1107)(A;;0x1301bf;;;WD)"
}
}
Detection Rules #
Kusto Query Language #
- Excessive share permissions (medium): The query searches for event 5143, which is triggered when a share is created or changed and includes the share permissions. First it checks to see if this is a whitelisted share for the system (e.g. domaincontroller netlogon, printserver print$ etc.). The share permissions are then checked against 'allow' rule (A) for a number of well known overly permissive groups, like all users, guests, authenticated users etc. If these are found, an alert is raised so the share creation may be audited. Note: this rule only checks for changed permissions, to prevent repeat alerts if for example a comment is changed, but the permissions are not altered.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5143
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5144 — A network share object was deleted.
Description #
A network share object was deleted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ShareName | UnicodeString | [Share Information] Share Name |
| ShareLocalPath | UnicodeString | [Share Information] Share Path |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5144,
"version": 0,
"level": 0,
"task": 12808,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:18:20.582403+00:00",
"event_record_id": 16257540,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 2396
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"ShareName": "\\\\*\\EvtGenShare",
"ShareLocalPath": "C:\\EvtGenFileTest\\Shared"
},
"message": ""
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
Event ID 5145 — A network share object was checked to see whether client can be granted desired access.
Description #
A network share object was checked to see whether client can be granted desired access.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ObjectType | UnicodeString | [Network Information] Object Type |
| IpAddress | UnicodeString | [Network Information] Source Address |
| IpPort | UnicodeString | [Network Information] Source Port |
| ShareName | UnicodeString | [Share Information] Share Name |
| ShareLocalPath | UnicodeString | [Share Information] Share Path |
| RelativeTargetName | UnicodeString | [Share Information] Relative Target Name |
| AccessMask | HexInt32 | [Access Request Information] Access Mask (see the access mask reference) |
| AccessList | UnicodeString | [Access Request Information] Accesses (message-table IDs such as %%4416) |
| AccessReason | UnicodeString | [Access Check Results] Access Reason (known values) |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5145,
"version": 0,
"level": 0,
"task": 12811,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T01:51:58.765174+00:00",
"event_record_id": 300953,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 20724
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
"SubjectUserName": "User",
"SubjectDomainName": "WINDEV2310EVAL",
"SubjectLogonId": "0x27844",
"ObjectType": "File",
"IpAddress": "::1",
"IpPort": "62726",
"ShareName": "\\\\*\\C$",
"ShareLocalPath": "\\??\\C:\\",
"RelativeTargetName": "Users\\User\\Downloads",
"AccessMask": "0x100081",
"AccessList": "%%1541\r\n\t\t\t\t%%4416\r\n\t\t\t\t%%4423\r\n\t\t\t\t",
"AccessReason": "-"
},
"message": ""
}
Detection Patterns #
Named Pipe
13 rules
Sigma
Splunk
Startup Logon Script Added
Relay Attack Against
Discovery: Network Share Discovery
Lateral Movement: Exploitation of Remote Services
1 rule
Detection Rules #
Sigma #
- Remote Task Creation via ATSVC Named Pipe source medium: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
- DCERPC SMB Spoolss Named Pipe source medium: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
- DCOM InternetExplorer.Application Iertutil DLL Hijack - Security source high: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
- Impacket PsExec Execution source high: Detects execution of Impacket's psexec.py.
- Possible Impacket SecretDump Remote Activity source high: Detect AD credential dumping using impacket secretdump HKTL
- First Time Seen Remote Named Pipe source high: This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes.
- Windows Network Access Suspicious desktop.ini Action source medium: Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
- Possible PetitPotam Coerce Authentication Attempt source high: Detect PetitPotam coerced authentication activity.
- Protected Storage Service Access source high: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
- SMB Create Remote File Admin Share source high: Looks for non-system accounts SMB-accessing a file with write (0x2) access mask via an administrative share (i.e. C$).
- Suspicious PsExec Execution source high: Detects execution of psexec or paexec with a renamed service name; this rule helps to filter out the noise if psexec is used for legitimate purposes or if an attacker uses a different psexec client than the Sysinternals one.
- Suspicious Access to Sensitive File Extensions source medium: Detects known sensitive file extensions accessed on a network share
- Remote Service Activity via SVCCTL Named Pipe source medium: Detects remote service activity via remote access to the svcctl named pipe
- Transferring Files with Credential Data via Network Shares source medium: Transferring files with well-known filenames (sensitive files with credential data) using network shares
- T1047 Wmiprvse Wbemcomn DLL Hijack source high: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
Elastic #
- Potential Machine Account Relay Attack via SMB source high: Identifies potential relay attacks against a machine account by identifying network share access events coming from a remote source.ip but using the target server computer account. This may indicate a successful SMB relay attack.
Splunk #
- Executable File Written in Administrative SMB Share source: The following analytic detects executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). It leverages Windows Security Event Logs with EventCode 5145 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed for lateral movement and remote code execution. If confirmed malicious, this activity could allow an attacker to execute arbitrary code remotely, potentially compromising additional systems within the network.
- High Frequency Copy Of Files In Network Share source: The following analytic detects a high frequency of file copying or moving within network shares, which may indicate potential data sabotage or exfiltration attempts. It leverages Windows Security Event Logs (EventCode 5145) to monitor access to specific file types and network shares. This activity is significant as it can reveal insider threats attempting to transfer classified or internal files, potentially leading to data breaches or evidence tampering. If confirmed malicious, this behavior could result in unauthorized data access, data loss, or compromised sensitive information.
- PetitPotam Network Share Access Request source: The following analytic detects network share access requests indicative of the PetitPotam attack (CVE-2021-36942). It leverages Windows Event Code 5145, which logs attempts to access network share objects. This detection is significant as PetitPotam can coerce authentication from domain controllers, potentially leading to unauthorized access. If confirmed malicious, this activity could allow attackers to escalate privileges or move laterally within the network, posing a severe security risk. Ensure Event Code 5145 is enabled via Group Policy to utilize this analytic effectively.
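Decoding the AccessMask and AccessList fields is the first step in nearly every 5145 rule listed above. The following is an added example in Python, not code from this page or from the Sigma/Splunk projects: it names the bits in AccessMask, resolves the %%nnnn message-table tokens in AccessList, and applies two of the checks described above (write access to an administrative share by a non-SYSTEM account, and an executable written there). The bit names and message-table IDs are the standard ones Windows uses for file access audits; the second sample event is constructed, the first is the page's own.

```python
"""Added example (not from this page or the rules it lists): decode 5145 access
fields and flag writes of executables into administrative shares."""
import re

# File object access rights (winnt.h), low 16 bits plus standard/generic rights.
FILE_RIGHTS = {
    0x00000001: "ReadData/ListDirectory", 0x00000002: "WriteData/AddFile",
    0x00000004: "AppendData/AddSubdirectory", 0x00000008: "ReadEA",
    0x00000010: "WriteEA", 0x00000020: "Execute/Traverse",
    0x00000040: "DeleteChild", 0x00000080: "ReadAttributes",
    0x00000100: "WriteAttributes", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY", 0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE", 0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
# Message-table IDs that appear in AccessList for the rights above.
ACCESS_LIST_IDS = {
    "%%1537": "DELETE", "%%1538": "READ_CONTROL", "%%1539": "WRITE_DAC",
    "%%1540": "WRITE_OWNER", "%%1541": "SYNCHRONIZE",
    "%%4416": "ReadData/ListDirectory", "%%4417": "WriteData/AddFile",
    "%%4418": "AppendData/AddSubdirectory", "%%4419": "ReadEA",
    "%%4420": "WriteEA", "%%4421": "Execute/Traverse", "%%4422": "DeleteChild",
    "%%4423": "ReadAttributes", "%%4424": "WriteAttributes",
}
WRITE_MASK = 0x2 | 0x4 | 0x40000000 | 0x10000000       # write, append, generic write/all
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(?:[A-Za-z]\$|ADMIN\$|IPC\$)$", re.IGNORECASE)
EXECUTABLE_RE = re.compile(r"\.(?:exe|dll)$", re.IGNORECASE)
LOCAL_SYSTEM = "S-1-5-18"


def decode_access_mask(mask):
    """Names for every bit set in a 5145 AccessMask (hex string or int)."""
    value = int(mask, 16) if isinstance(mask, str) else mask
    return [name for bit, name in sorted(FILE_RIGHTS.items()) if value & bit]


def decode_access_list(access_list):
    """Resolve the whitespace-separated %%nnnn tokens of AccessList to names."""
    return [ACCESS_LIST_IDS.get(tok, tok) for tok in access_list.split()]


def classify_5145(event):
    """Tags for one 5145 event: admin_share, write_access, executable_written.

    write_access on an admin share by a non-SYSTEM account is the 'SMB Create
    Remote File Admin Share' condition; executable_written adds the .exe/.dll
    test of 'Executable File Written in Administrative SMB Share'."""
    d = event["event_data"]
    mask = int(d["AccessMask"], 16)
    tags = set()
    if ADMIN_SHARE_RE.match(d["ShareName"]):
        tags.add("admin_share")
        if mask & WRITE_MASK and d["SubjectUserSid"] != LOCAL_SYSTEM:
            tags.add("write_access")
            if EXECUTABLE_RE.search(d["RelativeTargetName"]):
                tags.add("executable_written")
    return tags


# The page's example: a loopback read of a user's Downloads folder through C$.
PAGE_5145 = {"event_data": {
    "SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "SubjectUserName": "User", "IpAddress": "::1", "IpPort": "62726",
    "ShareName": r"\\*\C$", "ShareLocalPath": "\\??\\C:\\",
    "RelativeTargetName": r"Users\User\Downloads",
    "AccessMask": "0x100081",
    "AccessList": "%%1541\r\n\t\t\t\t%%4416\r\n\t\t\t\t%%4423\r\n\t\t\t\t",
}}
# Constructed: a domain user writing a service binary into ADMIN$ from a remote
# host, the PsExec-style staging pattern the Splunk rule above describes.
STAGED_BINARY_5145 = {"event_data": {
    "SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1105",
    "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25", "IpPort": "49812",
    "ShareName": r"\\*\ADMIN$", "ShareLocalPath": "\\??\\C:\\Windows",
    "RelativeTargetName": "PSEXESVC.exe",
    "AccessMask": "0x12019f",
    "AccessList": "%%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 %%1538 %%1541",
}}

if __name__ == "__main__":
    for ev in (PAGE_5145, STAGED_BINARY_5145):
        d = ev["event_data"]
        print(d["ShareName"], d["RelativeTargetName"],
              decode_access_mask(d["AccessMask"]), sorted(classify_5145(ev)))
```

Note that 5145 is emitted per access check, so a single file copy produces several events with different masks; key the write test on the mask rather than on AccessList text, which is localized through the message table and padded with whitespace as the page's sample shows.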
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-file-share
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5146 — The Windows Filtering Platform has blocked a packet.
Description
The Windows Filtering Platform has blocked a packet.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Direction | UnicodeString | [Network Information] Direction (known values) |
| SourceAddress | UnicodeString | [Network Information] Source Address |
| DestAddress | UnicodeString | [Network Information] Destination Address |
| EtherType | HexInt32 | [Network Information] EtherType |
| VlanTag | HexInt32 | [Network Information] VlanTag |
| vSwitch ID | UnicodeString | — |
| SourcevSwitchPort | UInt32 | [Network Information] Source vSwitch Port |
| DestinationvSwitchPort | UInt32 | [Network Information] Destination vSwitch Port |
| FilterRTID | UInt64 | [Filter Information] Filter Run-Time ID |
| LayerName | UnicodeString | [Filter Information] Layer Name (known values) |
| LayerRTID | UInt64 | [Filter Information] Layer Run-Time ID |
| vSwitchID | UnicodeString | [Network Information] vSwitchId |
Event ID 5147 — A more restrictive Windows Filtering Platform filter has blocked a packet.
Description
A more restrictive Windows Filtering Platform filter has blocked a packet.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Direction | UnicodeString | [Network Information] Direction (known values) |
| SourceAddress | UnicodeString | [Network Information] Source Address |
| DestAddress | UnicodeString | [Network Information] Destination Address |
| EtherType | HexInt32 | [Network Information] EtherType |
| VlanTag | HexInt32 | [Network Information] VlanTag |
| vSwitch ID | UnicodeString | — |
| SourcevSwitchPort | UInt32 | [Network Information] Source vSwitch Port |
| DestinationvSwitchPort | UInt32 | [Network Information] Destination vSwitch Port |
| FilterRTID | UInt64 | [Filter Information] Filter Run-Time ID |
| LayerName | UnicodeString | [Filter Information] Layer Name (known values) |
| LayerRTID | UInt64 | [Filter Information] Layer Run-Time ID |
| vSwitchID | UnicodeString | [Network Information] vSwitchId |
Event ID 5148 — The Windows Filtering Platform has detected a DoS attack and entered a defensive mode.
Event ID 5149 — The DoS attack has subsided and normal processing is being resumed.
Event ID 5150 — The Windows Filtering Platform has blocked a packet.
Description
The Windows Filtering Platform has blocked a packet.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Direction | UnicodeString | [Network Information] Direction (known values) |
| SourceAddress | UnicodeString | [Network Information] Source Address |
| DestAddress | UnicodeString | [Network Information] Destination Address |
| EtherType | HexInt32 | [Network Information] EtherType |
| MediaType | UInt32 | [Network Information] MediaType |
| InterfaceType | UInt32 | [Network Information] InterfaceType |
| VlanTag | HexInt32 | [Network Information] VlanTag |
| FilterRTID | UInt64 | [Filter Information] Filter Run-Time ID |
| LayerName | UnicodeString | [Filter Information] Layer Name (known values) |
| LayerRTID | UInt64 | [Filter Information] Layer Run-Time ID |
Event ID 5151 — A more restrictive Windows Filtering Platform filter has blocked a packet.
Description
A more restrictive Windows Filtering Platform filter has blocked a packet.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Direction | UnicodeString | [Network Information] Direction (known values) |
| SourceAddress | UnicodeString | [Network Information] Source Address |
| DestAddress | UnicodeString | [Network Information] Destination Address |
| EtherType | HexInt32 | [Network Information] EtherType |
| MediaType | UInt32 | [Network Information] MediaType |
| InterfaceType | UInt32 | [Network Information] InterfaceType |
| VlanTag | HexInt32 | [Network Information] VlanTag |
| FilterRTID | UInt64 | [Filter Information] Filter Run-Time ID |
| LayerName | UnicodeString | [Filter Information] Layer Name (known values) |
| LayerRTID | UInt64 | [Filter Information] Layer Run-Time ID |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
Event ID 5152 — The Windows Filtering Platform blocked a packet.
Description #
The Windows Filtering Platform has blocked a packet.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProcessId | UInt64 | [Application Information] Process ID |
| Application | UnicodeString | [Application Information] Application Name |
| Direction | UnicodeString | [Network Information] Direction (known values) |
| SourceAddress | UnicodeString | [Network Information] Source Address |
| SourcePort | UnicodeString | [Network Information] Source Port |
| DestAddress | UnicodeString | [Network Information] Destination Address |
| DestPort | UnicodeString | [Network Information] Destination Port |
| Protocol | UInt32 | [Network Information] Protocol (known values) |
| FilterOrigin | UnicodeString | [Filter Information] Filter Origin |
| FilterRTID | UInt64 | [Filter Information] Filter Run-Time ID |
| LayerName | UnicodeString | [Filter Information] Layer Name (known values) |
| LayerRTID | UInt64 | [Filter Information] Layer Run-Time ID |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5152,
"version": 1,
"level": 0,
"task": 12809,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2026-03-13T20:18:50.483625+00:00",
"event_record_id": 16258577,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 3152
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessId": 0,
"Application": "-",
"Direction": "%%14592",
"SourceAddress": "10.2.10.21",
"SourcePort": "5355",
"DestAddress": "10.2.10.11",
"DestPort": "53173",
"Protocol": 17,
"FilterOrigin": "Stealth",
"FilterRTID": 70356,
"LayerName": "%%14597",
"LayerRTID": 13
},
"message": ""
}
Detection Patterns #
Asim Network Session Schema
5 rules
Kusto Query Language
Command & Control: Application Layer Protocol
2 rules
Defense Evasion: Disable or Modify System Firewall
1 rule
Community Notes #
5152 is emitted per dropped packet (Filtering Platform Packet Drop subcategory), so it is far noisier than 5157, which is emitted once per blocked connection (Filtering Platform Connection subcategory). Prefer 5157 when both are available and enable 5152 only for targeted troubleshooting.
Event ID 5153 — A more restrictive Windows Filtering Platform filter has blocked a packet.
Description
A more restrictive Windows Filtering Platform filter has blocked a packet.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProcessId | UInt64 | [Application Information] Process ID |
| Application | UnicodeString | [Application Information] Application Name |
| Direction | UnicodeString | [Network Information] Direction (known values) |
| SourceAddress | UnicodeString | [Network Information] Source Address |
| SourcePort | UnicodeString | [Network Information] Source Port |
| DestAddress | UnicodeString | [Network Information] Destination Address |
| DestPort | UnicodeString | [Network Information] Destination Port |
| Protocol | UInt32 | [Network Information] Protocol (known values) |
| FilterOrigin | UnicodeString | [Filter Information] Filter Origin |
| FilterRTID | UInt64 | [Filter Information] Filter Run-Time ID |
| LayerName | UnicodeString | [Filter Information] Layer Name (known values) |
| LayerRTID | UInt64 | [Filter Information] Layer Run-Time ID |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop
Event ID 5154 — The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Description #
The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProcessId | UInt64 | [Application Information] Process ID |
| Application | UnicodeString | [Application Information] Application Name |
| SourceAddress | UnicodeString | [Network Information] Source Address |
| SourcePort | UnicodeString | [Network Information] Source Port |
| Protocol | UInt32 | [Network Information] Protocol (known values) |
| FilterRTID | UInt64 | [Filter Information] Filter Run-Time ID |
| LayerName | UnicodeString | [Filter Information] Layer Name (known values) |
| LayerRTID | UInt64 | [Filter Information] Layer Run-Time ID |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5154,
"version": 0,
"level": 0,
"task": 12810,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-12T01:42:03.150814+00:00",
"event_record_id": 2727618,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 8992
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessId": 764,
"Application": "\\device\\harddiskvolume4\\users\\localuser\\appdata\\local\\microsoft\\onedrive\\26.026.0209.0004\\onedrive.sync.service.exe",
"SourceAddress": "::1",
"SourcePort": "42050",
"Protocol": 6,
"FilterRTID": 0,
"LayerName": "%%14609",
"LayerRTID": 42
},
"message": ""
}
Detection Patterns #
Asim Network Session Schema
5 rules
Kusto Query Language
Command & Control: Application Layer Protocol
2 rules
Community Notes #
Records which application was allowed to start listening on a port. A listener outside the host's expected service set (an unfamiliar binary, or a known one on an unusual port) is worth reviewing, since bind shells and relay listeners show up here first; correlate with 5158 (the preceding bind) and 5156 (the inbound connections that follow).
Event ID 5155 — The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Description #
The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProcessId | UInt64 | [Application Information] Process ID |
| Application | UnicodeString | [Application Information] Application Name |
| SourceAddress | UnicodeString | [Network Information] Source Address |
| SourcePort | UnicodeString | [Network Information] Source Port |
| Protocol | UInt32 | [Network Information] Protocol (known values) |
| FilterRTID | UInt64 | [Filter Information] Filter Run-Time ID |
| LayerName | UnicodeString | [Filter Information] Layer Name (known values) |
| LayerRTID | UInt64 | [Filter Information] Layer Run-Time ID |
Detection Patterns #
Asim Network Session Schema
5 rules
Kusto Query Language
Command & Control: Application Layer Protocol
2 rules
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
Event ID 5156 — The Windows Filtering Platform has permitted a connection.
Description #
The Windows Filtering Platform has permitted a connection.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt64 | [Application Information] Process ID |
| Application | UnicodeString | [Application Information] Application Name |
| Direction | UnicodeString | [Network Information] Direction (known values) |
| SourceAddress | UnicodeString | [Network Information] Source Address |
| SourcePort | UnicodeString | [Network Information] Source Port |
| DestAddress | UnicodeString | [Network Information] Destination Address |
| DestPort | UnicodeString | [Network Information] Destination Port |
| Protocol | UInt32 | [Network Information] Protocol (known values) |
| FilterRTID | UInt64 | [Filter Information] Filter Run-Time ID |
| LayerName | UnicodeString | [Filter Information] Layer Name (known values) |
| LayerRTID | UInt64 | [Filter Information] Layer Run-Time ID |
| RemoteUserID | SID | [Filter Information] Remote User ID |
| RemoteMachineID | SID | [Filter Information] Remote Machine ID |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5156,
"version": 1,
"level": 0,
"task": 12810,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2019-02-13T18:01:47.512340Z",
"event_record_id": 227694,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 56
},
"channel": "Security",
"computer": "PC01.example.corp",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": 820,
"Application": "\\device\\harddiskvolume1\\windows\\system32\\svchost.exe",
"Direction": "%%14593",
"SourceAddress": "fe80::80ac:4126:fa58:1b81",
"SourcePort": "546",
"DestAddress": "ff02::1:2",
"DestPort": "547",
"Protocol": 17,
"FilterRTID": 65865,
"LayerName": "%%14611",
"LayerRTID": 50,
"RemoteUserID": "S-1-0-0",
"RemoteMachineID": "S-1-0-0"
}
}
Detection Patterns #
Asim Network Session Schema
5 rules
Kusto Query Language
Command & Control: Application Layer Protocol
2 rules
1 rule
Kusto Query Language
Collection: Data from Local System
1 rule
Kusto Query Language
Community Notes #
Records the process (application path and PID) on the local machine and the remote address and port for every connection the firewall permitted, in both directions (see the Direction field: the example above is an outbound DHCPv6 solicit from svchost). Helpful for reviewing the connections made or accepted by a suspect process; note that Application uses the \device\harddiskvolumeN form rather than a drive letter.
Detection Rules #
Sigma #
- RDP over Reverse SSH Tunnel WFP source high: Detects svchost hosting RDP termsvcs communicating with the loopback address
- Remote PowerShell Sessions Network Connections (WinRM) source high: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
- Uncommon Outbound Kerberos Connection - Security source medium: Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
Kusto Query Language #
- Zinc Actor IOCs files - October 2022 source high: Identifies a match across filename and commandline IOCs related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5156
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-5156-wfp-permitted.md
Event ID 5157 — The Windows Filtering Platform has blocked a connection.
Description #
The Windows Filtering Platform has blocked a connection.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt64 | [Application Information] Process ID |
| Application | UnicodeString | [Application Information] Application Name |
| Direction | UnicodeString | [Network Information] Direction (known values) |
| SourceAddress | UnicodeString | [Network Information] Source Address |
| SourcePort | UnicodeString | [Network Information] Source Port |
| DestAddress | UnicodeString | [Network Information] Destination Address |
| DestPort | UnicodeString | [Network Information] Destination Port |
| Protocol | UInt32 | [Network Information] Protocol (known values) |
| InterfaceIndex | UInt32 | [Network Information] Interface Index |
| FilterOrigin | UnicodeString | [Filter Information] Filter Origin |
| FilterRTID | UInt64 | [Filter Information] Filter Run-Time ID |
| LayerName | UnicodeString | [Filter Information] Layer Name (known values) |
| LayerRTID | UInt64 | [Filter Information] Layer Run-Time ID |
| RemoteUserID | SID | [Filter Information] Remote User ID |
| RemoteMachineID | SID | [Filter Information] Remote Machine ID |
| OriginalProfile | UnicodeString | [Filter Information] Original Profile |
| CurrentProfile | UnicodeString | [Filter Information] Current Profile |
| IsLoopback | UnicodeString | [Filter Information] Is Loopback |
| HasRemoteDynamicKeywordAddress | UnicodeString | [Filter Information] Has Remote Dynamic Keyword Address |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5157,
"version": 3,
"level": 0,
"task": 12810,
"opcode": 0,
"keywords": 9227875636482146304,
"time_created": "2026-03-11T06:32:07.887002+00:00",
"event_record_id": 2461636,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 352
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": 6872,
"Application": "\\device\\harddiskvolume4\\windows\\system32\\svchost.exe",
"Direction": "%%14592",
"SourceAddress": "172.18.253.78",
"SourcePort": "37359",
"DestAddress": "172.18.240.1",
"DestPort": "53",
"Protocol": 17,
"InterfaceIndex": 12,
"FilterOrigin": "Quarantine Default",
"FilterRTID": 66241,
"LayerName": "%%14610",
"LayerRTID": 44,
"RemoteUserID": "S-1-0-0",
"RemoteMachineID": "S-1-0-0",
"OriginalProfile": "%%14643",
"CurrentProfile": "%%14643",
"IsLoopback": "%%1826",
"HasRemoteDynamicKeywordAddress": "%%1826"
},
"message": ""
}
Detection Patterns #
Asim Network Session Schema
5 rules
Kusto Query Language
Command & Control: Application Layer Protocol
2 rules
Defense Evasion: Disable or Modify System Firewall
1 rule
Detection Rules #
Sigma #
- Windows Filtering Platform Blocked Connection From EDR Agent Binary source high: Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.
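5156 and 5157 share one record shape (the 5157 record adds the filter origin and profile fields), so most detection work starts by flattening both into a single session record and then filtering on direction, port and process. The following added example in Python does that for the 5156 and 5157 events above and applies two of the Sigma checks listed for them: inbound WinRM connections (5156 to 5985/5986) and a blocked connection from an EDR agent (5157). It is not code from this page or from the Sigma project. The Direction, Protocol and layer-name mappings are the documented values for these events; the EDR binary set and the two non-page sample events are constructed for the example, the other two samples are the page's own.

```python
"""Added example (not from this page or the Sigma rules it lists): normalise
5156/5157 WFP connection events and run two of the listed checks over them."""
import ntpath

DIRECTION = {"%%14592": "Inbound", "%%14593": "Outbound"}
# ALE layer names used by 5154-5159.
LAYER = {"%%14608": "Resource Assignment", "%%14609": "Listen",
         "%%14610": "Receive/Accept", "%%14611": "Connect"}
PROTOCOL = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}
ACTION = {5156: "Allow", 5157: "Block"}
WINRM_PORTS = {5985, 5986}
# Constructed starting set of EDR agent binaries; the Sigma rule ships its own.
EDR_BINARIES = {"mssense.exe", "sensecncproxy.exe", "csfalconservice.exe",
                "sentinelagent.exe", "cbdefense.exe"}


def normalise_wfp(event):
    """Flatten a 5156/5157 record into an ASIM-style network-session dict."""
    d = event["event_data"]
    app = d.get("Application", "-")
    return {
        "host": event["system"]["computer"],
        "action": ACTION[event["system"]["event_id"]],
        "direction": DIRECTION.get(d["Direction"], d["Direction"]),
        "process": ntpath.basename(app).lower() if app != "-" else None,
        "process_path": app,
        "pid": d.get("ProcessID", d.get("ProcessId")),
        "proto": PROTOCOL.get(d["Protocol"], str(d["Protocol"])),
        "src": (d["SourceAddress"], int(d["SourcePort"])),
        "dst": (d["DestAddress"], int(d["DestPort"])),
        "layer": LAYER.get(d["LayerName"], d["LayerName"]),
        "filter_origin": d.get("FilterOrigin"),    # only 5157 carries this
    }


def winrm_inbound(sessions):
    """'Remote PowerShell Sessions Network Connections (WinRM)': permitted
    inbound TCP connections to 5985/5986."""
    return [s for s in sessions
            if s["action"] == "Allow" and s["direction"] == "Inbound"
            and s["proto"] == "TCP" and s["dst"][1] in WINRM_PORTS]


def edr_blocked(sessions):
    """'WFP Blocked Connection From EDR Agent Binary': a 5157 whose process is
    a known sensor, i.e. a WFP filter is muzzling the agent."""
    return [s for s in sessions
            if s["action"] == "Block" and s["process"] in EDR_BINARIES]


def _ev(event_id, computer, data):
    return {"system": {"event_id": event_id, "computer": computer},
            "event_data": data}


# The page's 5156 example: svchost sending a DHCPv6 solicit (UDP 546 -> 547).
PAGE_5156 = _ev(5156, "PC01.example.corp", {
    "ProcessID": 820,
    "Application": r"\device\harddiskvolume1\windows\system32\svchost.exe",
    "Direction": "%%14593", "SourceAddress": "fe80::80ac:4126:fa58:1b81",
    "SourcePort": "546", "DestAddress": "ff02::1:2", "DestPort": "547",
    "Protocol": 17, "FilterRTID": 65865, "LayerName": "%%14611", "LayerRTID": 50})
# The page's 5157 example: inbound DNS dropped by the quarantine default filter.
PAGE_5157 = _ev(5157, "LAB-WIN11", {
    "ProcessID": 6872,
    "Application": r"\device\harddiskvolume4\windows\system32\svchost.exe",
    "Direction": "%%14592", "SourceAddress": "172.18.253.78", "SourcePort": "37359",
    "DestAddress": "172.18.240.1", "DestPort": "53", "Protocol": 17,
    "FilterOrigin": "Quarantine Default", "FilterRTID": 66241,
    "LayerName": "%%14610", "LayerRTID": 44})
# Constructed: an inbound WinRM connection accepted by HTTP.sys (Application "System").
WINRM_5156 = _ev(5156, "LAB-DC01.ludus.domain", {
    "ProcessID": 4, "Application": "System", "Direction": "%%14592",
    "SourceAddress": "10.2.10.50", "SourcePort": "51234",
    "DestAddress": "10.2.10.11", "DestPort": "5985", "Protocol": 6,
    "FilterRTID": 0, "LayerName": "%%14610", "LayerRTID": 44})
# Constructed: the Defender for Endpoint sensor's outbound HTTPS blocked locally.
EDR_5157 = _ev(5157, "LAB-WIN11", {
    "ProcessID": 3120,
    "Application": r"\device\harddiskvolume4\program files\windows defender advanced threat protection\mssense.exe",
    "Direction": "%%14593", "SourceAddress": "172.18.253.80", "SourcePort": "50122",
    "DestAddress": "203.0.113.10", "DestPort": "443", "Protocol": 6,
    "FilterOrigin": "Firewall", "FilterRTID": 70001, "LayerName": "%%14611", "LayerRTID": 48})

SAMPLE_EVENTS = [PAGE_5156, PAGE_5157, WINRM_5156, EDR_5157]


def run_checks(events):
    sessions = [normalise_wfp(e) for e in events]
    return {"winrm_inbound": winrm_inbound(sessions),
            "edr_blocked": edr_blocked(sessions)}


if __name__ == "__main__":
    for name, hits in run_checks(SAMPLE_EVENTS).items():
        for s in hits:
            print(f'{name}: {s["host"]} {s["process"]} {s["src"]} -> {s["dst"]}')
```

Two practical points the samples illustrate: kernel-mode listeners such as HTTP.sys (WinRM) and the SMB server appear with Application set to `System`, so process-name filters must allow for that, and the FilterRTID in a 5157 is the key to look up with `netsh wfp show filters` when you need to know which filter, and therefore which policy or installed product, did the blocking.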
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
Event ID 5158 — The Windows Filtering Platform has permitted a bind to a local port.
Description #
The Windows Filtering Platform has permitted a bind to a local port.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProcessId | UInt64 | [Application Information] Process ID |
| Application | UnicodeString | [Application Information] Application Name |
| SourceAddress | UnicodeString | [Network Information] Source Address |
| SourcePort | UnicodeString | [Network Information] Source Port |
| Protocol | UInt32 | [Network Information] Protocol (known values) |
| FilterRTID | UInt64 | [Filter Information] Filter Run-Time ID |
| LayerName | UnicodeString | [Filter Information] Layer Name (known values) |
| LayerRTID | UInt64 | [Filter Information] Layer Run-Time ID |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5158,
"version": 0,
"level": 0,
"task": 12810,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2019-02-13T18:04:01.722250Z",
"event_record_id": 227731,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 56
},
"channel": "Security",
"computer": "PC01.example.corp",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessId": 1280,
"Application": "\\device\\harddiskvolume1\\windows\\system32\\svchost.exe",
"SourceAddress": "0.0.0.0",
"SourcePort": "55355",
"Protocol": 17,
"FilterRTID": 0,
"LayerName": "%%14608",
"LayerRTID": 36
}
}
Detection Patterns #
Asim Network Session Schema
5 rules
Kusto Query Language
Command & Control: Application Layer Protocol
2 rules
Community Notes #
Every socket, listener or outbound, starts with a bind, so an unfamiliar application binding a local port (especially a high, ephemeral-range port bound to 0.0.0.0 or ::) is worth reviewing; correlate with 5154 (listen permitted) and 5156 (connection permitted) to see whether a listener or an outbound transfer followed.
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5159 — The Windows Filtering Platform has blocked a bind to a local port.
Description #
The Windows Filtering Platform has blocked a bind to a local port.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProcessId | UInt64 | [Application Information] Process ID |
| Application | UnicodeString | [Application Information] Application Name |
| SourceAddress | UnicodeString | [Network Information] Source Address |
| SourcePort | UnicodeString | [Network Information] Source Port |
| Protocol | UInt32 | [Network Information] Protocol (known values) |
| FilterRTID | UInt64 | [Filter Information] Filter Run-Time ID |
| LayerName | UnicodeString | [Filter Information] Layer Name (known values) |
| LayerRTID | UInt64 | [Filter Information] Layer Run-Time ID |
Detection Patterns #
Asim Network Session Schema
5 rules
Kusto Query Language
Command & Control: Application Layer Protocol
2 rules
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
Event ID 5160 — The Windows Filtering Platform Audit Mode has allowed a connection or packet that would have been blocked.
Description
The Windows Filtering Platform Audit Mode has allowed a connection or packet that would have been blocked.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt64 | — |
| Application | UnicodeString | — |
| Direction | UnicodeString | — (known values) |
| SourceAddress | UnicodeString | — |
| SourcePort | UnicodeString | — |
| DestAddress | UnicodeString | — |
| DestPort | UnicodeString | — |
| Protocol | UInt32 | — (known values) |
| InterfaceIndex | UInt32 | — |
| FilterOrigin | UnicodeString | — |
| FilterRTID | UInt64 | — |
| LayerName | UnicodeString | — (known values) |
| LayerRTID | UInt64 | — |
| RemoteUserID | SID | — |
| RemoteMachineID | SID | — |
| OriginalProfile | UnicodeString | — |
| CurrentProfile | UnicodeString | — |
| IsLoopback | UnicodeString | — |
| HasRemoteDynamicKeywordAddress | UnicodeString | — |
| FirewallPolicyStore | UnicodeString | — |
| Modifiable | UnicodeString | — |
| CalloutInvolved | UnicodeString | — |
| CalloutID | UInt32 | — |
Event ID 5168 — SPN check for SMB/SMB2 fails.
Description
SPN check for SMB/SMB2 fails. Logged when the SPN an SMB client presented does not match any of the server's names, which is what the "Server SPN target name validation level" setting enforces; the event lists the names the client offered, the names the server is configured with, and the IP addresses involved.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| SpnName | UnicodeString | [SPN] SPN Name |
| ErrorCode | HexInt32 | [SPN] Error Code |
| ServerNames | UnicodeString | [Server Information] Server Names |
| ConfiguredNames | UnicodeString | [Server Information] Configured Names |
| IpAddresses | UnicodeString | [Server Information] IP Addresses |
Event ID 5169 — A directory service object was modified.
Description
A directory service object was modified.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| OpCorrelationID | GUID | [Operation] Correlation ID |
| AppCorrelationID | UnicodeString | [Operation] Application Correlation ID |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| DSName | UnicodeString | [Directory Service] Name |
| DSType | UnicodeString | [Directory Service] Type (known values) |
| ObjectDN | UnicodeString | [Object] DN |
| ObjectGUID | GUID | [Object] GUID |
| ObjectClass | UnicodeString | [Object] Class |
| AttributeLDAPDisplayName | UnicodeString | [Attribute] LDAP Display Name |
| AttributeSyntaxOID | UnicodeString | [Attribute] Syntax (OID) |
| AttributeValue | UnicodeString | [Attribute] Value |
| ExpirationTime | FILETIME | [Attribute] Expiration Time |
| OperationType | UnicodeString | [Operation] Type (known values) |
Event ID 5170 — A directory service object was modified during a background cleanup task.
Description #
A directory service object was modified during a background cleanup task.
Fields #
| Name | Type | Description |
|---|---|---|
| OpCorrelationID | GUID | [Operation] Correlation ID |
| AppCorrelationID | UnicodeString | [Operation] Application Correlation ID |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| DSName | UnicodeString | [Directory Service] Name |
| DSType | UnicodeString | [Directory Service] Type (known values) |
| ObjectDN | UnicodeString | [Object] DN |
| ObjectGUID | GUID | [Object] GUID |
| ObjectClass | UnicodeString | [Object] Class |
| AttributeLDAPDisplayName | UnicodeString | [Attribute] LDAP Display Name |
| AttributeSyntaxOID | UnicodeString | [Attribute] Syntax (OID) |
| AttributeValue | UnicodeString | [Attribute] Value |
| ExpirationTime | FILETIME | [Attribute] Expiration Time |
| OperationType | UnicodeString | [Operation] Type (known values) |
Event ID 5376 — Credential Manager credentials were backed up.
Description #
Credential Manager credentials were backed up.
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| BackupFileName | UnicodeString | [Subject] BackupFileName |
| ProcessCreationTime | FILETIME | — |
| ClientProcessId | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5376,
"version": 1,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-09-24T19:57:32.266266+00:00",
"event_record_id": 150002,
"correlation": {
"ActivityID": "B2946CF1-CF76-0001-5C6D-94B276CFD801"
},
"execution": {
"process_id": 804,
"thread_id": 5832
},
"channel": "Security",
"computer": "GUAPOS-PC",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-3960598978-2723104146-531989891-1001",
"SubjectUserName": "FOXTWO",
"SubjectDomainName": "GUAPOS-PC",
"SubjectLogonId": 894283,
"BackupFileName": "C:\\Windows\\TEMP\\CRD46C3.tmp",
"ProcessCreationTime": 1664049447.1706607,
"ClientProcessId": 5400
},
"message": "Credential Manager credentials were backed up.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3960598978-2723104146-531989891-1001\n\tAccount Name:\t\tFOXTWO\n\tAccount Domain:\t\tGUAPOS-PC\n\tLogon ID:\t\t894283\n\tBackupFileName:\t\tC:\\Windows\\TEMP\\CRD46C3.tmp\n\nThis event occurs when a user backs up their own Credential Manager credentials. A user (even an Administrator) cannot back up the credentials of an account other than his own."
}
Community Notes #
Backup of the Credential Manager vault; shows a user exporting stored passwords and keys. Often precedes lateral movement or exfiltration.
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5377 — Credential Manager credentials were restored from a backup.
Description #
Credential Manager credentials were restored from a backup.
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| BackupFileName | UnicodeString | [Subject] BackupFileName |
| ProcessCreationTime | FILETIME | — |
| ClientProcessId | UInt32 | — |
Community Notes #
Credential Manager credentials were restored from a backup; this may indicate import of stolen vaults from another host.
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Event ID 5378 — The requested credentials delegation was disallowed by policy.
Description #
The requested credentials delegation was disallowed by policy.
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| Package | UnicodeString | [Credential Delegation Information] Security Package |
| UserUPN | UnicodeString | [Credential Delegation Information] User's UPN |
| TargetServer | UnicodeString | [Credential Delegation Information] Target Server |
| CredType | UnicodeString | [Credential Delegation Information] Credential Type |
Event ID 5379 — Credential Manager credentials were read.
Description #
Credential Manager credentials were read.
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| TargetName | UnicodeString | — |
| Type | UInt32 | — |
| CountOfCredentialsReturned | UInt32 | — |
| ReadOperation | UnicodeString | [Subject] Read Operation (known values) |
| ReturnCode | UInt32 | — |
| ProcessCreationTime | FILETIME | — |
| ClientProcessId | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5379,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T06:25:40.049147+00:00",
"event_record_id": 2888,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 896
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"TargetName": "WindowsLive:target=virtualapp/didlogical",
"Type": 0,
"CountOfCredentialsReturned": 0,
"ReadOperation": "%%8100",
"ReturnCode": 3221226021,
"ProcessCreationTime": "2023-11-06T06:25:38.635483Z",
"ClientProcessId": 1612
},
"message": ""
}
Community Notes #
Credential Manager credentials were read. Large numbers of reads may indicate automated credential theft.
Detection Rules #
Sigma #
- Password Protected ZIP File Opened (medium): Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
- Password Protected ZIP File Opened (Suspicious Filenames) (high): Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
- Password Protected ZIP File Opened (Email Attachment) (high): Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5379
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5380 — Vault Find Credential.
Description #
Vault Find Credential.
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| SearchString | UnicodeString | — |
| SchemaFriendlyName | UnicodeString | — |
| Schema | GUID | — |
| CountOfCredentialsReturned | UInt32 | — |
| ProcessCreationTime | FILETIME | — |
| ClientProcessId | UInt32 | — |
Event ID 5381 — Vault credentials were read.
Description #
Vault credentials were read.
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| Flags | UInt32 | — |
| CountOfCredentialsReturned | UInt32 | — |
| ProcessCreationTime | FILETIME | — |
| ClientProcessId | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5381,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-09-24T20:05:50.571779+00:00",
"event_record_id": 150026,
"correlation": {},
"execution": {
"process_id": 804,
"thread_id": 5636
},
"channel": "Security",
"computer": "GUAPOS-PC",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-3960598978-2723104146-531989891-1001",
"SubjectUserName": "FOXTWO",
"SubjectDomainName": "GUAPOS-PC",
"SubjectLogonId": 894283,
"Flags": 0,
"CountOfCredentialsReturned": 1,
"ProcessCreationTime": 1664049942.3177185,
"ClientProcessId": 10620
},
"message": "Vault credentials were read.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3960598978-2723104146-531989891-1001\n\tAccount Name:\t\tFOXTWO\n\tAccount Domain:\t\tGUAPOS-PC\n\tLogon ID:\t\t894283\n\nThis event occurs when a user enumerates stored vault credentials."
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5382 — Vault credentials were read.
Description #
Vault credentials were read.
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| SchemaFriendlyName | UnicodeString | — |
| Schema | GUID | — |
| Resource | UnicodeString | — |
| Identity | UnicodeString | — |
| PackageSid | UnicodeString | — |
| Flags | UInt32 | — |
| ReturnCode | UInt32 | — |
| ProcessCreationTime | FILETIME | — |
| ClientProcessId | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5382,
"version": 0,
"level": 0,
"task": 13824,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-05T22:28:52.690626+00:00",
"event_record_id": 3184,
"correlation": {},
"execution": {
"process_id": 808,
"thread_id": 888
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WINDEV2310EVAL$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SchemaFriendlyName": "NGC Local Accoount Logon Vault Resource Schema",
"Schema": "1D4350A3-330D-4AF9-B3FF-A927A45998AC",
"Resource": "NGC Local Accoount Logon Vault Resource",
"Identity": "010500000000000515000000F15DC676EF81AF629C157803E8030000",
"PackageSid": "",
"Flags": 0,
"ReturnCode": 1168,
"ProcessCreationTime": "2023-11-05T22:28:52.050339Z",
"ClientProcessId": 4612
},
"message": ""
}
Detection Rules #
Elastic #
- Multiple Vault Web Credentials Read (medium): Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 5440 — The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
Description #
The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
Fields #
| Name | Type | Description |
|---|---|---|
| ProviderKey | GUID | [Provider Information] ID |
| ProviderName | UnicodeString | [Provider Information] Name |
| CalloutKey | GUID | [Callout Information] ID |
| CalloutName | UnicodeString | [Callout Information] Name |
| CalloutType | UnicodeString | [Callout Information] Type |
| CalloutId | UInt32 | [Callout Information] Run-Time ID |
| LayerKey | GUID | [Layer Information] ID |
| LayerName | UnicodeString | [Layer Information] Name (known values) |
| LayerId | UInt32 | [Layer Information] Run-Time ID |
Event ID 5441 — The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
Description #
The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
Fields #
| Name | Type | Description |
|---|---|---|
| ProviderKey | GUID | [Provider Information] ID |
| ProviderName | UnicodeString | [Provider Information] Name |
| FilterKey | GUID | [Filter Information] ID |
| FilterName | UnicodeString | [Filter Information] Name |
| FilterType | UnicodeString | [Filter Information] Type |
| FilterId | UInt64 | [Filter Information] Run-Time ID |
| LayerKey | GUID | [Layer Information] ID |
| LayerName | UnicodeString | [Layer Information] Name (known values) |
| LayerId | UInt32 | [Layer Information] Run-Time ID |
| Weight | UInt64 | [Layer Information] Weight |
| Conditions | UnicodeString | [Additional Information] Conditions |
| Action | UnicodeString | [Additional Information] Filter Action |
| CalloutKey | GUID | [Additional Information] Callout ID |
| CalloutName | UnicodeString | [Additional Information] Callout Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5441,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-04T13:11:16.631722+00:00",
"event_record_id": 25499,
"correlation": {
"ActivityID": "7377737E-4825-0000-C974-77732548D801"
},
"execution": {
"process_id": 612,
"thread_id": 668
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"ProviderKey": "DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62",
"ProviderName": "Microsoft Corporation",
"FilterKey": "B98B75DC-17C0-4E84-BD4E-2080527CA6A6",
"FilterName": "AppContainerBoottimeFilter",
"FilterType": "%%16387",
"FilterId": 67430,
"LayerKey": "A3B42C97-9F04-4672-B87E-CEE9C483257F",
"LayerName": "ALE Receive/Accept v6 Layer",
"LayerId": 46,
"Weight": 18446744073709551615,
"Conditions": "\n\tCondition ID:\t{632ce23b-5167-435c-86d7-e903684aa80c}\n\tMatch value:\tAll flags set\n\tCondition value:\t0x00400000\n",
"Action": "%%16390",
"CalloutKey": "00000000-0000-0000-0000-000000000000",
"CalloutName": "-"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5441
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5441
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5442 — The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
Description #
The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
Fields #
| Name | Type | Description |
|---|---|---|
| ProviderKey | GUID | Provider ID |
| ProviderName | UnicodeString | Provider Name |
| ProviderType | UnicodeString | Provider Type |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5442,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-04T13:11:16.631829+00:00",
"event_record_id": 25503,
"correlation": {
"ActivityID": "7377737E-4825-0000-C974-77732548D801"
},
"execution": {
"process_id": 612,
"thread_id": 668
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"ProviderKey": "1BEBC969-61A5-4732-A177-847A0817862A",
"ProviderName": "Microsoft Corporation",
"ProviderType": "%%16387"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5442
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5442
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5443 — The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
Description #
The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
Fields #
| Name | Type | Description |
|---|---|---|
| ProviderKey | GUID | Provider ID |
| ProviderName | UnicodeString | Provider Name |
| ProviderContextKey | GUID | Provider Context ID |
| ProviderContextName | UnicodeString | Provider Context Name |
| ProviderContextType | UnicodeString | Provider Context Type |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5443,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-04T13:11:16.631811+00:00",
"event_record_id": 25502,
"correlation": {
"ActivityID": "7377737E-4825-0000-C974-77732548D801"
},
"execution": {
"process_id": 612,
"thread_id": 668
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"ProviderKey": "DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62",
"ProviderName": "Microsoft Corporation",
"ProviderContextKey": "93132C36-6E06-4E6F-A10B-218787CD49CF",
"ProviderContextName": "MPSSVC",
"ProviderContextType": "%%16387"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5443
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5443
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5444 — The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
Description #
The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
Fields #
| Name | Type | Description |
|---|---|---|
| ProviderKey | GUID | Provider ID |
| ProviderName | UnicodeString | Provider Name |
| SubLayerKey | GUID | Sub-layer ID |
| SubLayerName | UnicodeString | Sub-layer Name |
| SubLayerType | UnicodeString | Sub-layer Type |
| Weight | UInt32 | Weight |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5444,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-04T13:11:16.631773+00:00",
"event_record_id": 25500,
"correlation": {
"ActivityID": "7377737E-4825-0000-C974-77732548D801"
},
"execution": {
"process_id": 612,
"thread_id": 668
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"ProviderKey": "1BEBC969-61A5-4732-A177-847A0817862A",
"ProviderName": "Microsoft Corporation",
"SubLayerKey": "9BA30013-C84E-47E5-AC6E-1E1AED72FA69",
"SubLayerName": "Microsoft Corporation",
"SubLayerType": "%%16387",
"Weight": 40961
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5444
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5444
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5446 — A Windows Filtering Platform callout has been changed.
Description #
A Windows Filtering Platform callout has been changed.
Fields #
| Name | Type | Description |
|---|---|---|
| ProcessId | UInt32 | [Process Information] Process ID |
| UserSid | SID | [Subject] Security ID |
| UserName | UnicodeString | [Subject] Account Name |
| ProviderKey | GUID | [Provider Information] ID |
| ProviderName | UnicodeString | [Provider Information] Name |
| ChangeType | UnicodeString | [Change Information] Change Type |
| CalloutKey | GUID | [Callout Information] ID |
| CalloutName | UnicodeString | [Callout Information] Name |
| CalloutType | UnicodeString | [Callout Information] Type |
| CalloutId | UInt32 | [Callout Information] Run-Time ID |
| LayerKey | GUID | [Layer Information] ID |
| LayerName | UnicodeString | [Layer Information] Name (known values) |
| LayerId | UInt32 | [Layer Information] Run-Time ID |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5446,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-04T13:12:54.760281+00:00",
"event_record_id": 29300,
"correlation": {
"ActivityID": "7377737E-4825-0000-C974-77732548D801"
},
"execution": {
"process_id": 612,
"thread_id": 664
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessId": 2088,
"UserSid": "S-1-5-19",
"UserName": "NT AUTHORITY\\LOCAL SERVICE",
"ProviderKey": "00000000-0000-0000-0000-000000000000",
"ProviderName": "-",
"ChangeType": "%%16384",
"CalloutKey": "31114833-2891-4EDD-A8EC-2FF8549AA491",
"CalloutName": "windefend_flow_established_v6",
"CalloutType": "%%16388",
"CalloutId": 289,
"LayerKey": "7021D2B3-DFA4-406E-AFEB-6AFAF7E70EFD",
"LayerName": "ALE Flow Established v6 Layer",
"LayerId": 54
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5446
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5446
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5447 — A Windows Filtering Platform filter has been changed.
Description #
A Windows Filtering Platform filter has been changed.
Fields #
| Name | Type | Description |
|---|---|---|
| ProcessId | UInt32 | [Process Information] Process ID |
| UserSid | SID | [Subject] Security ID |
| UserName | UnicodeString | [Subject] Account Name |
| ProviderKey | GUID | [Provider Information] ID |
| ProviderName | UnicodeString | [Provider Information] Name |
| ChangeType | UnicodeString | [Change Information] Change Type |
| FilterKey | GUID | [Filter Information] ID |
| FilterName | UnicodeString | [Filter Information] Name |
| FilterType | UnicodeString | [Filter Information] Type |
| FilterId | UInt64 | [Filter Information] Run-Time ID |
| LayerKey | GUID | [Layer Information] ID |
| LayerName | UnicodeString | [Layer Information] Name (known values) |
| LayerId | UInt32 | [Layer Information] Run-Time ID |
| Weight | UInt64 | [Additional Information] Weight |
| Conditions | UnicodeString | [Additional Information] Conditions |
| Action | UnicodeString | [Additional Information] Filter Action |
| CalloutKey | GUID | [Callout Information] ID |
| CalloutName | UnicodeString | [Callout Information] Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5447,
"version": 0,
"level": 0,
"task": 13573,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-06T01:44:15.910142+00:00",
"event_record_id": 289924,
"correlation": {
"ActivityID": "E4DB489E-1037-0001-0C49-DBE43710DA01"
},
"execution": {
"process_id": 808,
"thread_id": 12032
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessId": 2896,
"UserSid": "S-1-5-19",
"UserName": "NT AUTHORITY\\LOCAL SERVICE",
"ProviderKey": "DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62",
"ProviderName": "Microsoft Corporation",
"ChangeType": "%%16384",
"FilterKey": "E170DBAA-294E-40F7-A2BE-E0DEE7DF9E43",
"FilterName": "Microsoft Teams",
"FilterType": "%%16388",
"FilterId": 78819,
"LayerKey": "A3B42C97-9F04-4672-B87E-CEE9C483257F",
"LayerName": "ALE Receive/Accept v6 Layer",
"LayerId": 46,
"Weight": 10376504785133109248,
"Conditions": "\n\tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971}\n\tMatch value:\tEqual to\n\tCondition value:\t\n 00000000 5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00 \\.d.e.v.i.c.e.\\.\n 00000010 68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00 h.a.r.d.d.i.s.k.\n 00000020 76 00 6f 00 6c 00 75 00-6d 00 65 00 34 00 5c 00 v.o.l.u.m.e.4.\\.\n 00000030 70 00 72 00 6f 00 67 00-72 00 61 00 6d 00 20 00 p.r.o.g.r.a.m. .\n 00000040 66 00 69 00 6c 00 65 00-73 00 5c 00 77 00 69 00 f.i.l.e.s.\\.w.i.\n 00000050 6e 00 64 00 6f 00 77 00-73 00 61 00 70 00 70 00 n.d.o.w.s.a.p.p.\n 00000060 73 00 5c 00 6d 00 69 00-63 00 72 00 6f 00 73 00 s.\\.m.i.c.r.o.s.\n 00000070 6f 00 66 00 74 00 74 00-65 00 61 00 6d 00 73 00 o.f.t.t.e.a.m.s.\n 00000080 5f 00 32 00 33 00 32 00-37 00 35 00 2e 00 37 00 _.2.3.2.7.5...7.\n 00000090 30 00 32 00 2e 00 32 00-34 00 32 00 31 00 2e 00 0.2...2.4.2.1...\n 000000a0 32 00 34 00 30 00 36 00-5f 00 78 00 36 00 34 00 2.4.0.6._.x.6.4.\n 000000b0 5f 00 5f 00 38 00 77 00-65 00 6b 00 79 00 62 00 _._.8.w.e.k.y.b.\n 000000c0 33 00 64 00 38 00 62 00-62 00 77 00 65 00 5c 00 3.d.8.b.b.w.e.\\.\n 000000d0 6d 00 73 00 74 00 65 00-61 00 6d 00 73 00 2e 00 m.s.t.e.a.m.s...\n 000000e0 65 00 78 00 65 00 00 00 e.x.e...\n\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x11\n",
"Action": "%%16390",
"CalloutKey": "00000000-0000-0000-0000-000000000000",
"CalloutName": "-"
},
"message": ""
}
Detection Patterns #
- Defense Evasion: Token Impersonation/Theft (1 rule)
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5447
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5447
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5448 — A Windows Filtering Platform provider has been changed.
Description #
A Windows Filtering Platform provider has been changed.
Fields #
| Name | Type | Description |
|---|---|---|
| ProcessId | UInt32 | [Process Information] Process ID |
| UserSid | SID | [Subject] Security ID |
| UserName | UnicodeString | [Subject] Account Name |
| ChangeType | UnicodeString | [Change Information] Change Type |
| ProviderKey | GUID | [Provider Information] ID |
| ProviderName | UnicodeString | [Provider Information] Name |
| ProviderType | UnicodeString | [Provider Information] Type |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5448,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-11T06:27:26.268863+00:00",
"event_record_id": 2450415,
"correlation": {
"ActivityID": "164E10E5-B120-0003-FC10-4E1620B1DC01"
},
"execution": {
"process_id": 720,
"thread_id": 1044
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessId": 3624,
"UserSid": "S-1-5-18",
"UserName": "NT AUTHORITY\\SYSTEM",
"ChangeType": "%%16384",
"ProviderKey": "32B38E01-DDB2-45AB-A37A-189A2BCA5CFC",
"ProviderName": "Microsoft Corporation",
"ProviderType": "%%16388"
},
"message": ""
}
Event ID 5449 — A Windows Filtering Platform provider context has been changed.
Description #
A Windows Filtering Platform provider context has been changed.
Fields #
| Name | Type | Description |
|---|---|---|
| ProcessId | UInt32 | [Process Information] Process ID |
| UserSid | SID | [Subject] Security ID |
| UserName | UnicodeString | [Subject] Account Name |
| ProviderKey | GUID | [Provider Information] Provider ID |
| ProviderName | UnicodeString | [Provider Information] Provider Name |
| ChangeType | UnicodeString | [Change Information] Change Type |
| ProviderContextKey | GUID | [Provider Context] ID |
| ProviderContextName | UnicodeString | [Provider Context] Name |
| ProviderContextType | UnicodeString | [Provider Context] Type |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5449,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-04T13:13:39.336916+00:00",
"event_record_id": 29353,
"correlation": {
"ActivityID": "7377737E-4825-0000-C974-77732548D801"
},
"execution": {
"process_id": 612,
"thread_id": 664
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessId": 1192,
"UserSid": "S-1-5-19",
"UserName": "NT AUTHORITY\\LOCAL SERVICE",
"ProviderKey": "DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62",
"ProviderName": "Microsoft Corporation",
"ChangeType": "%%16385",
"ProviderContextKey": "E5AF5758-67DC-469F-9F77-8EAB0F229359",
"ProviderContextName": "MPSSVC",
"ProviderContextType": "%%16388"
},
"message": ""
}
Detection Patterns #
- Defense Evasion: Token Impersonation/Theft (1 rule)
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5449
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5449
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5450 — A Windows Filtering Platform sub-layer has been changed.
Description #
A Windows Filtering Platform sub-layer has been changed.
Fields #
| Name | Type | Description |
|---|---|---|
| ProcessId | UInt32 | [Process Information] Process ID |
| UserSid | SID | [Subject] Security ID |
| UserName | UnicodeString | [Subject] Account Name |
| ProviderKey | GUID | [Provider Information] Provider ID |
| ProviderName | UnicodeString | [Provider Information] Provider Name |
| ChangeType | UnicodeString | [Change Information] Change Type |
| SubLayerKey | GUID | [Sub-layer Information] Sub-layer ID |
| SubLayerName | UnicodeString | [Sub-layer Information] Sub-layer Name |
| SubLayerType | UnicodeString | [Sub-layer Information] Sub-layer Type |
| Weight | UInt32 | [Additional Information] Weight |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5450,
"version": 0,
"level": 0,
"task": 13572,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-04T13:12:54.760352+00:00",
"event_record_id": 29301,
"correlation": {
"ActivityID": "7377737E-4825-0000-C974-77732548D801"
},
"execution": {
"process_id": 612,
"thread_id": 664
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessId": 2088,
"UserSid": "S-1-5-19",
"UserName": "NT AUTHORITY\\LOCAL SERVICE",
"ProviderKey": "00000000-0000-0000-0000-000000000000",
"ProviderName": "-",
"ChangeType": "%%16384",
"SubLayerKey": "3C1CD879-1B8C-4AB4-8F83-5ED129176EF3",
"SubLayerName": "windefend",
"SubLayerType": "%%16388",
"Weight": 4096
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5450
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5450
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5451 — An IPsec quick mode security association was established.
Description
An IPsec quick mode security association was established.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalAddressMask | UnicodeString | [Local Endpoint] Network Address Mask |
| LocalPort | UInt32 | [Local Endpoint] Port |
| LocalTunnelEndpoint | UnicodeString | [Local Endpoint] Tunnel Endpoint |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteAddressMask | UnicodeString | [Remote Endpoint] Network Address Mask |
| RemotePort | UInt32 | [Remote Endpoint] Port |
| PeerPrivateAddress | UnicodeString | [Remote Endpoint] Private Address |
| RemoteTunnelEndpoint | UnicodeString | [Remote Endpoint] Tunnel Endpoint |
| IpProtocol | UInt32 | [Remote Endpoint] Protocol |
| KeyingModuleName | UnicodeString | [Remote Endpoint] Keying Module Name |
| AhAuthType | UnicodeString | [Cryptographic Information] Integrity Algorithm - AH |
| EspAuthType | UnicodeString | [Cryptographic Information] Integrity Algorithm - ESP |
| CipherType | UnicodeString | [Cryptographic Information] Encryption Algorithm |
| LifetimeSeconds | UInt32 | [Security Association Information] Lifetime - seconds |
| LifetimeKilobytes | UInt32 | [Security Association Information] Lifetime - data |
| LifetimePackets | UInt32 | [Security Association Information] Lifetime - packets |
| Mode | UnicodeString | [Security Association Information] Mode |
| Role | UnicodeString | [Security Association Information] Role |
| TransportFilterId | UInt64 | [Security Association Information] Quick Mode Filter ID |
| MainModeSaId | UInt64 | [Security Association Information] Main Mode SA ID |
| QuickModeSaId | UInt64 | [Security Association Information] Quick Mode SA ID |
| InboundSpi | UInt64 | [Additional Information] Inbound SPI |
| OutboundSpi | UInt64 | [Additional Information] Outbound SPI |
| TunnelId | UInt64 | [Additional Information] Virtual Interface Tunnel ID |
| TrafficSelectorId | UInt64 | [Additional Information] Traffic Selector ID |
References #
Event ID 5452 — An IPsec quick mode security association ended.
Description
An IPsec quick mode security association ended.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| LocalAddress | UnicodeString | [Local Endpoint] Network Address |
| LocalAddressMask | UnicodeString | [Local Endpoint] Network Address Mask |
| LocalPort | UInt32 | [Local Endpoint] Port |
| LocalTunnelEndpoint | UnicodeString | [Local Endpoint] Tunnel Endpoint |
| RemoteAddress | UnicodeString | [Remote Endpoint] Network Address |
| RemoteAddressMask | UnicodeString | [Remote Endpoint] Network Address Mask |
| RemotePort | UInt32 | [Remote Endpoint] Port |
| RemoteTunnelEndpoint | UnicodeString | [Remote Endpoint] Tunnel Endpoint |
| IpProtocol | UInt32 | [Additional Information] Protocol |
| QuickModeSaId | UInt64 | [Additional Information] Quick Mode SA ID |
| TunnelId | UInt64 | [Additional Information] Virtual Interface Tunnel ID |
| TrafficSelectorId | UInt64 | [Additional Information] Traffic Selector ID |
References #
Event ID 5453 — An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
Description
An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
Message #
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
Event ID 5456 — PAStore Engine applied Active Directory storage IPsec policy on the computer.
Event ID 5457 — PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
Event ID 5458 — PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
Description
IPsec Policy Agent applied locally cached copy of Active Directory storage IPsec policy on the computer.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5459 — PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
Description
IPsec Policy Agent failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
| Error | UnicodeString | Error Code |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5460 — PAStore Engine applied local registry storage IPsec policy on the computer.
Description
IPsec Policy Agent applied local registry storage IPsec policy on the computer.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5461 — PAStore Engine failed to apply local registry storage IPsec policy on the computer.
Description
IPsec Policy Agent failed to apply local registry storage IPsec policy on the computer.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
| Error | UnicodeString | Error Code |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5462 — PAStore Engine failed to apply some rules of the active IPsec policy on the computer.
Description
IPsec Policy Agent failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
| Error | UnicodeString | Error Code |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5463 — PAStore Engine polled for changes to the active IPsec policy and detected no changes.
Description
IPsec Policy Agent polled for changes to the active IPsec policy and detected no changes.
Message #
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5464 — PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
Description
IPsec Policy Agent polled for changes to the active IPsec policy, detected changes, and applied them.
Message #
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5465 — PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
Description
IPsec Policy Agent received a control for forced reloading of IPsec policy and processed the control successfully.
Message #
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5466 — PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead.
Message #
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5467 — PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy.
Message #
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5468 — PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes.
Message #
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5471 — PAStore Engine loaded local storage IPsec policy on the computer.
Description
IPsec Policy Agent loaded local storage IPsec policy on the computer.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5472 — PAStore Engine failed to load local storage IPsec policy on the computer.
Description
IPsec Policy Agent failed to load local storage IPsec policy on the computer.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
| Error | UnicodeString | Error Code |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5473 — PAStore Engine loaded directory storage IPsec policy on the computer.
Description
IPsec Policy Agent loaded directory storage IPsec policy on the computer.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5474 — PAStore Engine failed to load directory storage IPsec policy on the computer.
Description
IPsec Policy Agent failed to load directory storage IPsec policy on the computer.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Policy | UnicodeString | Policy |
| Error | UnicodeString | Error Code |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Event ID 5477 — PAStore Engine failed to add quick mode filter.
Event ID 5478 — IPsec Services has started successfully.
Description
The IPsec Policy Agent service was started.
Message #
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
Event ID 5479 — IPsec Services has been shut down successfully.
Description
The IPsec Policy Agent service was stopped. Stopping this service can put the computer at greater risk of network attack or expose the computer to potential security risks.
Message #
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
Event ID 5480 — IPsec Services failed to get the complete list of network interfaces on the computer.
Message #
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
Event ID 5483 — IPsec Services failed to initialize RPC server.
Event ID 5484 — IPsec Services has experienced a critical failure and has been shut down.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Error | UnicodeString | Error Code |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
Event ID 5485 — IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces.
Message #
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver
Event ID 5632 — A request was made to authenticate to a wireless network.
Description
A request was made to authenticate to a wireless network.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SSID | UnicodeString | [Network Information] Name (SSID) |
| Identity | UnicodeString | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| PeerMac | UnicodeString | [Network Information] Peer MAC Address |
| LocalMac | UnicodeString | [Network Information] Local MAC Address |
| IntfGuid | GUID | [Network Information] Interface GUID |
| ReasonCode | HexInt32 | [Additional Information] ( |
| ReasonText | UnicodeString | [Additional Information] Reason Code |
| ErrorCode | HexInt32 | [Additional Information] Error Code |
| EAPReasonCode | HexInt32 | [Additional Information] EAP Reason Code |
| EapRootCauseString | UnicodeString | [Additional Information] EAP Root Cause String |
| EAPErrorCode | HexInt32 | [Additional Information] EAP Error Code |
References #
Event ID 5633 — A request was made to authenticate to a wired network.
Description
A request was made to authenticate to a wired network.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| InterfaceName | UnicodeString | [Interface] Name |
| Identity | UnicodeString | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ReasonCode | HexInt32 | [Interface] ( |
| ReasonText | UnicodeString | [Interface] Reason Code |
| ErrorCode | HexInt32 | [Interface] Error Code |
References #
Event ID 5712 — A Remote Procedure Call (RPC) was attempted.
Description
A Remote Procedure Call (RPC) was attempted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] SID |
| SubjectUserName | UnicodeString | [Subject] Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | UInt64 | [Subject] LogonId |
| ProcessId | UInt32 | [Process Information] PID |
| ProcessName | UnicodeString | [Process Information] Name |
| RemoteIpAddress | UnicodeString | [Network Information] Remote IP Address |
| RemotePort | UnicodeString | [Network Information] Remote Port |
| InterfaceUuid | GUID | [RPC Attributes] Interface UUID |
| ProtocolSequence | UnicodeString | [RPC Attributes] Protocol Sequence |
| AuthenticationService | UInt32 | [RPC Attributes] Authentication Service |
| AuthenticationLevel | UInt32 | [RPC Attributes] Authentication Level |
| OpNum | UInt32 | — |
| Endpoint | UnicodeString | — |
| RemoteHost | UnicodeString | — |
References #
Event ID 5888 — An object in the COM+ Catalog was modified.
Description
An object in the COM+ Catalog was modified.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectUserDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | UInt64 | [Subject] Logon ID |
| ObjectCollectionName | UnicodeString | [Object] COM+ Catalog Collection |
| ObjectIdentifyingProperties | UnicodeString | [Object] Object Name |
| ModifiedObjectProperties | UnicodeString | [Object] Object Properties Modified |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5888,
"version": 0,
"level": 0,
"task": 12290,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:07:28.323865+00:00",
"event_record_id": 2042752,
"correlation": {
"ActivityID": "56E3EAD5-F269-44B1-8096-7C737168F10A"
},
"execution": {
"process_id": 984,
"thread_id": 1556
},
"channel": "Security",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "SYSTEM",
"SubjectUserDomainName": "NT AUTHORITY",
"SubjectLogonId": 999,
"ObjectCollectionName": "Components",
"ObjectIdentifyingProperties": "\r\n\t\tCLSID = {315FA593-3CF5-4310-887B-3977A578488A}\r\n\t\tBitness = 2\r\n\t\tApplicationID = {5268CA1B-44FF-4FE6-9D5F-9CF63F69C4E3}",
"ModifiedObjectProperties": "\r\n\t\tApplicationID = '<null>' -> '{5268CA1B-44FF-4FE6-9D5F-9CF63F69C4E3}'\r\n\t\tTransaction = '0' -> '1'\r\n\t\tSynchronization = '0' -> '3'\r\n\t\tJustInTimeActivation = '0' -> '1'\r\n\t\tEventTrackingEnabled = '0' -> '1'\r\n\t\tSavedProgId = '<null>' -> 'IISFtpHost.IISFtpHost.1'\r\n\t\tAllowInprocSubscribers = '0' -> '1'\r\n\t\tIsEnabled = '0' -> '1'\r\n\t\tTxIsolationLevel = '0' -> '4'"
},
"message": ""
}
References #
Event ID 5889 — An object was deleted from the COM+ Catalog.
Description
An object was deleted from the COM+ Catalog.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectUserDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | UInt64 | [Subject] Logon ID |
| ObjectCollectionName | UnicodeString | [Object] COM+ Catalog Collection |
| ObjectIdentifyingProperties | UnicodeString | [Object] Object Name |
| ObjectProperties | UnicodeString | [Object] Object Details |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5889,
"version": 0,
"level": 0,
"task": 12290,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-05T22:30:46.980255+00:00",
"event_record_id": 3332,
"correlation": {
"ActivityID": "59A0D65F-1037-0001-A7D6-A0593710DA01"
},
"execution": {
"process_id": 808,
"thread_id": 888
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "SYSTEM",
"SubjectUserDomainName": "NT AUTHORITY",
"SubjectLogonId": 999,
"ObjectCollectionName": "Applications",
"ObjectIdentifyingProperties": "\r\n\t\tID = {A14C837E-C9BC-4E79-B228-2A6CB72524A5}\r\n\t\tAppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}",
"ObjectProperties": "\r\n\t\tName = VMware Snapshot Provider\r\n\t\tApplicationProxyServerName = \r\n\t\tProcessType = 2\r\n\t\tCommandLine = \r\n\t\tServiceName = vmvss\r\n\t\tRunAsUserType = 1\r\n\t\tIdentity = LocalSystem\r\n\t\tDescription = VMware Snapshot Provider\r\n\t\tIsSystem = N\r\n\t\tAuthentication = 6\r\n\t\tShutdownAfter = 3\r\n\t\tRunForever = N\r\n\t\tPassword = ********\r\n\t\tActivation = Local\r\n\t\tChangeable = Y\r\n\t\tDeleteable = Y\r\n\t\tCreatedBy = \r\n\t\tAccessChecksLevel = 1\r\n\t\tApplicationAccessChecksEnabled = 0\r\n\t\tcCOL_SecurityDescriptor = <Opaque>\r\n\t\tImpersonationLevel = 2\r\n\t\tAuthenticationCapability = 2\r\n\t\tCRMEnabled = 0\r\n\t\t3GigSupportEnabled = 0\r\n\t\tQueuingEnabled = 0\r\n\t\tQueueListenerEnabled = N\r\n\t\tEventsEnabled = 1\r\n\t\tProcessFlags = 0\r\n\t\tThreadMax = 0\r\n\t\tApplicationProxy = 0\r\n\t\tCRMLogFile = \r\n\t\tDumpEnabled = 0\r\n\t\tDumpOnException = 0\r\n\t\tDumpOnFailfast = 0\r\n\t\tMaxDumpCount = 5\r\n\t\tDumpPath = %systemroot%\\system32\\com\\dmp\r\n\t\tIsEnabled = 1\r\n\t\tAppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}\r\n\t\tConcurrentApps = 1\r\n\t\tRecycleLifetimeLimit = 0\r\n\t\tRecycleCallLimit = 0\r\n\t\tRecycleActivationLimit = 0\r\n\t\tRecycleMemoryLimit = 0\r\n\t\tRecycleExpirationTimeout = 15\r\n\t\tQCListenerMaxThreads = 0\r\n\t\tQCAuthenticateMsgs = 0\r\n\t\tApplicationDirectory = \r\n\t\tSRPTrustLevel = 262144\r\n\t\tSRPEnabled = 0\r\n\t\tSoapActivated = 0\r\n\t\tSoapVRoot = \r\n\t\tSoapMailTo = \r\n\t\tSoapBaseUrl = \r\n\t\tReplicable = 1"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5889
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5889
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5890 — An object was added to the COM+ Catalog.
Description
An object was added to the COM+ Catalog.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectUserDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | UInt64 | [Subject] Logon ID |
| ObjectCollectionName | UnicodeString | [Object] COM+ Catalog Collection |
| ObjectIdentifyingProperties | UnicodeString | [Object] Object Name |
| ObjectProperties | UnicodeString | [Object] Object Details |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 5890,
"version": 0,
"level": 0,
"task": 12290,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2023-11-05T22:30:50.680307+00:00",
"event_record_id": 3348,
"correlation": {
"ActivityID": "59A0D65F-1037-0001-A7D6-A0593710DA01"
},
"execution": {
"process_id": 808,
"thread_id": 896
},
"channel": "Security",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "SYSTEM",
"SubjectUserDomainName": "NT AUTHORITY",
"SubjectLogonId": 999,
"ObjectCollectionName": "UsersInRole",
"ObjectIdentifyingProperties": "\r\n\t\tApplId = {B0C2D0B3-B19E-4769-B00B-A0D5996BAD73}\r\n\t\tName = Administrators\r\n\t\tUser = SYSTEM",
"ObjectProperties": "\r\n\t\t<null>"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5890
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5890
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 6144 — Security policy in the group policy objects has been applied successfully.
Event ID 6145 — One or more errors occurred while processing security policy in the group policy objects.
Description
One or more errors occurred while processing security policy in the group policy objects.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ErrorCode | UInt32 | Error Code |
| GPOList | UnicodeString | — |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
Event ID 6272 — Network Policy Server granted access to a user.
Description
Network Policy Server granted access to a user.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [User] Security ID |
| SubjectUserName | UnicodeString | [User] Account Name |
| SubjectDomainName | UnicodeString | [User] Account Domain |
| FullyQualifiedSubjectUserName | UnicodeString | [User] Fully Qualified Account Name |
| SubjectMachineSID | SID | [Client Machine] Security ID |
| SubjectMachineName | UnicodeString | [Client Machine] Account Name |
| FullyQualifiedSubjectMachineName | UnicodeString | [Client Machine] Fully Qualified Account Name |
| CalledStationID | UnicodeString | [Client Machine] Called Station Identifier |
| CallingStationID | UnicodeString | [Client Machine] Calling Station Identifier |
| NASIPv4Address | UnicodeString | [NAS] NAS IPv4 Address |
| NASIPv6Address | UnicodeString | [NAS] NAS IPv6 Address |
| NASIdentifier | UnicodeString | [NAS] NAS Identifier |
| NASPortType | UnicodeString | [NAS] NAS Port-Type |
| NASPort | UnicodeString | [NAS] NAS Port |
| ClientName | UnicodeString | [RADIUS Client] Client Friendly Name |
| ClientIPAddress | UnicodeString | [RADIUS Client] Client IP Address |
| ProxyPolicyName | UnicodeString | [Authentication Details] Connection Request Policy Name |
| NetworkPolicyName | UnicodeString | [Authentication Details] Network Policy Name |
| AuthenticationProvider | UnicodeString | [Authentication Details] Authentication Provider |
| AuthenticationServer | UnicodeString | [Authentication Details] Authentication Server |
| AuthenticationType | UnicodeString | [Authentication Details] Authentication Type |
| EAPType | UnicodeString | [Authentication Details] EAP Type |
| AccountSessionIdentifier | UnicodeString | [Authentication Details] Account Session Identifier |
| LoggingResult | UnicodeString | [Authentication Details] Logging Results |
References #
Event ID 6273 — Network Policy Server denied access to a user.
Description
Network Policy Server denied access to a user.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [User] Security ID |
| SubjectUserName | UnicodeString | [User] Account Name |
| SubjectDomainName | UnicodeString | [User] Account Domain |
| FullyQualifiedSubjectUserName | UnicodeString | [User] Fully Qualified Account Name |
| SubjectMachineSID | SID | [Client Machine] Security ID |
| SubjectMachineName | UnicodeString | [Client Machine] Account Name |
| FullyQualifiedSubjectMachineName | UnicodeString | [Client Machine] Fully Qualified Account Name |
| CalledStationID | UnicodeString | [Client Machine] Called Station Identifier |
| CallingStationID | UnicodeString | [Client Machine] Calling Station Identifier |
| NASIPv4Address | UnicodeString | [NAS] NAS IPv4 Address |
| NASIPv6Address | UnicodeString | [NAS] NAS IPv6 Address |
| NASIdentifier | UnicodeString | [NAS] NAS Identifier |
| NASPortType | UnicodeString | [NAS] NAS Port-Type |
| NASPort | UnicodeString | [NAS] NAS Port |
| ClientName | UnicodeString | [RADIUS Client] Client Friendly Name |
| ClientIPAddress | UnicodeString | [RADIUS Client] Client IP Address |
| ProxyPolicyName | UnicodeString | [Authentication Details] Connection Request Policy Name |
| NetworkPolicyName | UnicodeString | [Authentication Details] Network Policy Name |
| AuthenticationProvider | UnicodeString | [Authentication Details] Authentication Provider |
| AuthenticationServer | UnicodeString | [Authentication Details] Authentication Server |
| AuthenticationType | UnicodeString | [Authentication Details] Authentication Type |
| EAPType | UnicodeString | [Authentication Details] EAP Type |
| AccountSessionIdentifier | UnicodeString | [Authentication Details] Account Session Identifier |
| ReasonCode | UnicodeString | [Authentication Details] Reason Code |
| Reason | UnicodeString | [Authentication Details] Reason |
| LoggingResult | UnicodeString | [Authentication Details] Logging Results |
Community Notes #
Large numbers of denials with Reason Code 16 or 23 from the same IP or MAC address indicate brute-forcing of Wi-Fi, VPN or 802.1X portals. Repeated denials for privileged accounts should be investigated.
References #
Event ID 6274 — Network Policy Server discarded the request for a user.
Description
Network Policy Server discarded the request for a user.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [User] Security ID |
| SubjectUserName | UnicodeString | [User] Account Name |
| SubjectDomainName | UnicodeString | [User] Account Domain |
| FullyQualifiedSubjectUserName | UnicodeString | [User] Fully Qualified Account Name |
| SubjectMachineSID | SID | [Client Machine] Security ID |
| SubjectMachineName | UnicodeString | [Client Machine] Account Name |
| FullyQualifiedSubjectMachineName | UnicodeString | [Client Machine] Fully Qualified Account Name |
| CalledStationID | UnicodeString | [Client Machine] Called Station Identifier |
| CallingStationID | UnicodeString | [Client Machine] Calling Station Identifier |
| NASIPv4Address | UnicodeString | [NAS] NAS IPv4 Address |
| NASIPv6Address | UnicodeString | [NAS] NAS IPv6 Address |
| NASIdentifier | UnicodeString | [NAS] NAS Identifier |
| NASPortType | UnicodeString | [NAS] NAS Port-Type |
| NASPort | UnicodeString | [NAS] NAS Port |
| ClientName | UnicodeString | [RADIUS Client] Client Friendly Name |
| ClientIPAddress | UnicodeString | [RADIUS Client] Client IP Address |
| ProxyPolicyName | UnicodeString | [Authentication Details] Connection Request Policy Name |
| NetworkPolicyName | UnicodeString | [Authentication Details] Network Policy Name |
| AuthenticationProvider | UnicodeString | [Authentication Details] Authentication Provider |
| AuthenticationServer | UnicodeString | [Authentication Details] Authentication Server |
| AuthenticationType | UnicodeString | [Authentication Details] Authentication Type |
| EAPType | UnicodeString | [Authentication Details] EAP Type |
| AccountSessionIdentifier | UnicodeString | [Authentication Details] Account Session Identifier |
| ReasonCode | UnicodeString | [Authentication Details] Reason Code |
| Reason | UnicodeString | [Authentication Details] Reason |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server
Event ID 6275 — Network Policy Server discarded the accounting request for a user.
Description
Network Policy Server discarded the accounting request for a user.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [User] Security ID |
| SubjectUserName | UnicodeString | [User] Account Name |
| SubjectDomainName | UnicodeString | [User] Account Domain |
| FullyQualifiedSubjectUserName | UnicodeString | [User] Fully Qualified Account Name |
| SubjectMachineSID | SID | [Client Machine] Security ID |
| SubjectMachineName | UnicodeString | [Client Machine] Account Name |
| FullyQualifiedSubjectMachineName | UnicodeString | [Client Machine] Fully Qualified Account Name |
| CalledStationID | UnicodeString | [Client Machine] Called Station Identifier |
| CallingStationID | UnicodeString | [Client Machine] Calling Station Identifier |
| NASIPv4Address | UnicodeString | [NAS] NAS IPv4 Address |
| NASIPv6Address | UnicodeString | [NAS] NAS IPv6 Address |
| NASIdentifier | UnicodeString | [NAS] NAS Identifier |
| NASPortType | UnicodeString | [NAS] NAS Port-Type |
| NASPort | UnicodeString | [NAS] NAS Port |
| ClientName | UnicodeString | [RADIUS Client] Client Friendly Name |
| ClientIPAddress | UnicodeString | [RADIUS Client] Client IP Address |
| ProxyPolicyName | UnicodeString | [Authentication Details] Connection Request Policy Name |
| NetworkPolicyName | UnicodeString | [Authentication Details] Network Policy Name |
| AuthenticationProvider | UnicodeString | [Authentication Details] Authentication Provider |
| AuthenticationServer | UnicodeString | [Authentication Details] Authentication Server |
| AuthenticationType | UnicodeString | [Authentication Details] Authentication Type |
| EAPType | UnicodeString | [Authentication Details] EAP Type |
| AccountSessionIdentifier | UnicodeString | [Authentication Details] Account Session Identifier |
| ReasonCode | UnicodeString | [Authentication Details] Reason Code |
| Reason | UnicodeString | [Authentication Details] Reason |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server
Event ID 6276 — Network Policy Server quarantined a user.
Description
Network Policy Server quarantined a user. Events 6276 through 6278 are produced by Network Access Protection (NAP) health evaluation; NAP was deprecated in Windows Server 2012 R2 and removed in Windows Server 2016, so they are not expected from current servers.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [User] Security ID |
SubjectUserName UnicodeString | [User] Account Name |
SubjectDomainName UnicodeString | [User] Account Domain |
FullyQualifiedSubjectUserName UnicodeString | [User] Fully Qualified Account Name |
SubjectMachineSID SID | [Client Machine] Security ID |
SubjectMachineName UnicodeString | [Client Machine] Account Name |
FullyQualifiedSubjectMachineName UnicodeString | [Client Machine] Fully Qualified Account Name |
MachineInventory UnicodeString | [Client Machine] OS-Version |
CalledStationID UnicodeString | [Client Machine] Called Station Identifier |
CallingStationID UnicodeString | [Client Machine] Calling Station Identifier |
NASIPv4Address UnicodeString | [NAS] NAS IPv4 Address |
NASIPv6Address UnicodeString | [NAS] NAS IPv6 Address |
NASIdentifier UnicodeString | [NAS] NAS Identifier |
NASPortType UnicodeString | [NAS] NAS Port-Type |
NASPort UnicodeString | [NAS] NAS Port |
ClientName UnicodeString | [RADIUS Client] Client Friendly Name |
ClientIPAddress UnicodeString | [RADIUS Client] Client IP Address |
ProxyPolicyName UnicodeString | [Authentication Details] Connection Request Policy Name |
NetworkPolicyName UnicodeString | [Authentication Details] Network Policy Name |
AuthenticationProvider UnicodeString | [Authentication Details] Authentication Provider |
AuthenticationServer UnicodeString | [Authentication Details] Authentication Server |
AuthenticationType UnicodeString | [Authentication Details] Authentication Type |
EAPType UnicodeString | [Authentication Details] EAP Type |
AccountSessionIdentifier UnicodeString | [Authentication Details] Account Session Identifier |
QuarantineState UnicodeString | [Quarantine Information] Result |
ExtendedQuarantineState UnicodeString | [Quarantine Information] Extended-Result |
QuarantineSessionID UnicodeString | [Quarantine Information] Session Identifier |
QuarantineHelpURL UnicodeString | [Quarantine Information] Help URL |
QuarantineSystemHealthResult UnicodeString | [Quarantine Information] System Health Validator Result(s) |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server
Event ID 6277 — Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
Description
Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [User] Security ID |
SubjectUserName UnicodeString | [User] Account Name |
SubjectDomainName UnicodeString | [User] Account Domain |
FullyQualifiedSubjectUserName UnicodeString | [User] Fully Qualified Account Name |
SubjectMachineSID SID | [Client Machine] Security ID |
SubjectMachineName UnicodeString | [Client Machine] Account Name |
FullyQualifiedSubjectMachineName UnicodeString | [Client Machine] Fully Qualified Account Name |
MachineInventory UnicodeString | [Client Machine] OS-Version |
CalledStationID UnicodeString | [Client Machine] Called Station Identifier |
CallingStationID UnicodeString | [Client Machine] Calling Station Identifier |
NASIPv4Address UnicodeString | [NAS] NAS IPv4 Address |
NASIPv6Address UnicodeString | [NAS] NAS IPv6 Address |
NASIdentifier UnicodeString | [NAS] NAS Identifier |
NASPortType UnicodeString | [NAS] NAS Port-Type |
NASPort UnicodeString | [NAS] NAS Port |
ClientName UnicodeString | [RADIUS Client] Client Friendly Name |
ClientIPAddress UnicodeString | [RADIUS Client] Client IP Address |
ProxyPolicyName UnicodeString | [Authentication Details] Connection Request Policy Name |
NetworkPolicyName UnicodeString | [Authentication Details] Network Policy Name |
AuthenticationProvider UnicodeString | [Authentication Details] Authentication Provider |
AuthenticationServer UnicodeString | [Authentication Details] Authentication Server |
AuthenticationType UnicodeString | [Authentication Details] Authentication Type |
EAPType UnicodeString | [Authentication Details] EAP Type |
AccountSessionIdentifier UnicodeString | [Authentication Details] Account Session Identifier |
QuarantineState UnicodeString | [Quarantine Information] Result |
ExtendedQuarantineState UnicodeString | [Quarantine Information] Extended-Result |
QuarantineSessionID UnicodeString | [Quarantine Information] Session Identifier |
QuarantineHelpURL UnicodeString | [Quarantine Information] Help URL |
QuarantineSystemHealthResult UnicodeString | [Quarantine Information] System Health Validator Result(s) |
QuarantineGraceTime UnicodeString | [Quarantine Information] Quarantine Grace Time |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server
Event ID 6278 — Network Policy Server granted full access to a user because the host met the defined health policy.
Description
Network Policy Server granted full access to a user because the host met the defined health policy.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [User] Security ID |
SubjectUserName UnicodeString | [User] Account Name |
SubjectDomainName UnicodeString | [User] Account Domain |
FullyQualifiedSubjectUserName UnicodeString | [User] Fully Qualified Account Name |
SubjectMachineSID SID | [Client Machine] Security ID |
SubjectMachineName UnicodeString | [Client Machine] Account Name |
FullyQualifiedSubjectMachineName UnicodeString | [Client Machine] Fully Qualified Account Name |
MachineInventory UnicodeString | [Client Machine] OS-Version |
CalledStationID UnicodeString | [Client Machine] Called Station Identifier |
CallingStationID UnicodeString | [Client Machine] Calling Station Identifier |
NASIPv4Address UnicodeString | [NAS] NAS IPv4 Address |
NASIPv6Address UnicodeString | [NAS] NAS IPv6 Address |
NASIdentifier UnicodeString | [NAS] NAS Identifier |
NASPortType UnicodeString | [NAS] NAS Port-Type |
NASPort UnicodeString | [NAS] NAS Port |
ClientName UnicodeString | [RADIUS Client] Client Friendly Name |
ClientIPAddress UnicodeString | [RADIUS Client] Client IP Address |
ProxyPolicyName UnicodeString | [Authentication Details] Connection Request Policy Name |
NetworkPolicyName UnicodeString | [Authentication Details] Network Policy Name |
AuthenticationProvider UnicodeString | [Authentication Details] Authentication Provider |
AuthenticationServer UnicodeString | [Authentication Details] Authentication Server |
AuthenticationType UnicodeString | [Authentication Details] Authentication Type |
EAPType UnicodeString | [Authentication Details] EAP Type |
AccountSessionIdentifier UnicodeString | [Authentication Details] Account Session Identifier |
QuarantineState UnicodeString | [Quarantine Information] Result |
ExtendedQuarantineState UnicodeString | [Quarantine Information] Extended-Result |
QuarantineSessionID UnicodeString | [Quarantine Information] Session Identifier |
QuarantineHelpURL UnicodeString | [Quarantine Information] Help URL |
QuarantineSystemHealthResult UnicodeString | [Quarantine Information] System Health Validator Result(s) |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server
Event ID 6279 — Network Policy Server locked the user account due to repeated failed authentication attempts.
Description
Network Policy Server locked the user account due to repeated failed authentication attempts. This is the NPS remote access account lockout feature (configured under HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout), which blocks the account at NPS only: it does not lock the account in Active Directory and is independent of Event ID 4740.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [User] Security ID |
SubjectUserName UnicodeString | [User] Account Name |
SubjectDomainName UnicodeString | [User] Account Domain |
FullyQualifiedSubjectUserName UnicodeString | [User] Fully Qualified Account Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server
Event ID 6280 — Network Policy Server unlocked the user account.
Description
Network Policy Server unlocked the user account.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [User] Security ID |
SubjectUserName UnicodeString | [User] Account Name |
SubjectDomainName UnicodeString | [User] Account Domain |
FullyQualifiedSubjectUserName UnicodeString | [User] Fully Qualified Account Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server
Event ID 6281 — Code Integrity determined that the page hashes of an image file are not valid.
Description
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | File Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
Event ID 6400 — BranchCache: Received an incorrectly formatted response while discovering availability of content.
Event ID 6401 — BranchCache: Received invalid data from a peer.
Description
BranchCache: Received invalid data from a peer. Data discarded.
Message #
Fields #
| Name | Description |
|---|---|
ClientIPAddress UnicodeString | IP address of the client that sent this data |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 6402 — BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
Description
BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
Message #
Fields #
| Name | Description |
|---|---|
ClientIPAddress UnicodeString | IP address of the client that sent this message |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 6403 — BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.
Event ID 6404 — BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
Event ID 6405 — BranchCache: Count instance(s) of event id EventId occurred.
Event ID 6406 — ProductName registered to Windows Firewall to control filtering for the following.
Event ID 6407 — Firewall category unregistered: Message
Event ID 6408 — Registered product ProductName failed and Windows Firewall is now controlling the filtering for Categories.
Description
Registered product ProductName failed and Windows Firewall is now controlling the filtering for Categories.
Message #
Fields #
| Name | Description |
|---|---|
ProductName UnicodeString | Registered product |
Categories UnicodeString | Firewall categories whose filtering is now controlled by Windows Firewall |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 6409 — BranchCache: A service connection point object could not be parsed.
Description
BranchCache: A service connection point object could not be parsed.
Message #
Fields #
| Name | Description |
|---|---|
GUID UnicodeString | SCP object GUID |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Event ID 6410 — Code integrity determined that a file does not meet the security requirements to load into a process.
Description
Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues.
Message #
Fields #
| Name | Description |
|---|---|
param1 UnicodeString | File Name |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
Event ID 6416 — A new external device was recognized by the system.
Description
A new external device was recognized by the system.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
DeviceId UnicodeString | Device ID |
DeviceDescription UnicodeString | Device Name |
ClassId GUID | Class ID |
ClassName UnicodeString | Class Name |
VendorIds UnicodeString | Vendor IDs |
CompatibleIds UnicodeString | Compatible IDs |
LocationInformation UnicodeString | Location Information |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 6416,
"version": 1,
"level": 0,
"task": 13316,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2022-04-04T13:11:35.388890+00:00",
"event_record_id": 28470,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 340
},
"channel": "Security",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "WIN-TKC15D7KHUR$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"DeviceId": "SWD\\PRINTENUM\\{3AEC7D2D-F29E-48EB-A851-2E9DF0B72EDC}",
"DeviceDescription": "Microsoft Print to PDF",
"ClassId": "1ED2BBF9-11F0-4084-B21F-AD83A8E6DCDC",
"ClassName": "PrintQueue",
"VendorIds": "\r\n\t\tPRINTENUM\\{084f01fa-e634-4d77-83ee-074817c03581}\r\n\t\tPRINTENUM\\LocalPrintQueue\r\n\t\t{084f01fa-e634-4d77-83ee-074817c03581}\r\n\t\t\r\n\t\t",
"CompatibleIds": "\r\n\t\tGenPrintQueue\r\n\t\tSWD\\GenericRaw\r\n\t\tSWD\\Generic\r\n\t\t\r\n\t\t",
"LocationInformation": "-"
},
"message": ""
}
Detection Rules #
Sigma #
- External Disk Drive Or USB Storage Device Was Recognized By The System (level: low): Detects external disk drives or plugged-in USB devices.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6416
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
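The VendorIds and CompatibleIds values in the example above are single strings whose entries are joined with CRLF plus two tabs, and the example itself is a PrintQueue, which a naive "new device" alert would flag alongside real USB storage. The following is an added example, not code from the original page or from the Sigma rule listed above: it splits those lists, normalises a 6416 record (the same parser also accepts the HardwareIds field of 6419 through 6424), and applies a classification heuristic of its own (DiskDrive setup class or a USB/USBSTOR enumerator). The sample events are constructed; the first mirrors the page's example and the second is a hypothetical USB flash drive with invented IDs.

```python
from dataclasses import dataclass, field

# Entries inside VendorIds/HardwareIds/CompatibleIds are joined with CRLF + two
# tabs, exactly as in the example event above.
ID_SEPARATOR = "\r\n\t\t"
# Well-known setup class GUID for DiskDrive (fixed and removable disks).
DISKDRIVE_CLASS = "4D36E967-E325-11CE-BFC1-08002BE10318"
# Enumerators that only expose USB-attached devices.
USB_ENUMERATORS = {"USBSTOR", "USB"}


def split_id_list(raw):
    """Turn a multi-valued ID field into a clean list; '-' or empty means none."""
    if raw is None or raw.strip() in ("", "-"):
        return []
    return [p.strip() for p in raw.split(ID_SEPARATOR) if p.strip()]


def enumerator_of(device_id):
    """First element of a device instance path, e.g. SWD, PCI, USBSTOR."""
    return device_id.split("\\", 1)[0].upper()


@dataclass
class PnpDevice:
    device_id: str
    description: str
    class_name: str
    class_id: str
    subject: str
    hardware_ids: list = field(default_factory=list)
    compatible_ids: list = field(default_factory=list)

    @property
    def enumerator(self):
        return enumerator_of(self.device_id)


def parse_pnp_event(event):
    """Build a PnpDevice from a 6416 (VendorIds) or 6419-6424 (HardwareIds) record."""
    d = event["event_data"]
    ids = d.get("VendorIds", d.get("HardwareIds", "-"))
    return PnpDevice(
        device_id=d["DeviceId"],
        description=d.get("DeviceDescription", ""),
        class_name=d.get("ClassName", ""),
        class_id=d.get("ClassId", "").upper(),
        subject=d.get("SubjectDomainName", "") + "\\" + d.get("SubjectUserName", ""),
        hardware_ids=split_id_list(ids),
        compatible_ids=split_id_list(d.get("CompatibleIds", "-")),
    )


def is_removable_storage(dev):
    """Heuristic (this example's own): disk-class device, or anything enumerated via USB/USBSTOR."""
    if dev.class_id == DISKDRIVE_CLASS or dev.enumerator in USB_ENUMERATORS:
        return True
    return any(enumerator_of(h) in USB_ENUMERATORS for h in dev.hardware_ids)


def triage(events):
    """(subject, description, enumerator, flagged) for every 6416 record."""
    rows = []
    for ev in events:
        if ev["system"]["event_id"] != 6416:
            continue
        dev = parse_pnp_event(ev)
        rows.append((dev.subject, dev.description, dev.enumerator, is_removable_storage(dev)))
    return rows


# Constructed samples: the page's PrintQueue example, then a hypothetical USB disk.
SAMPLE_EVENTS = [
    {"system": {"event_id": 6416, "computer": "WIN-TKC15D7KHUR"},
     "event_data": {
         "SubjectUserName": "WIN-TKC15D7KHUR$", "SubjectDomainName": "WORKGROUP",
         "DeviceId": "SWD\\PRINTENUM\\{3AEC7D2D-F29E-48EB-A851-2E9DF0B72EDC}",
         "DeviceDescription": "Microsoft Print to PDF",
         "ClassId": "1ED2BBF9-11F0-4084-B21F-AD83A8E6DCDC", "ClassName": "PrintQueue",
         "VendorIds": "\r\n\t\tPRINTENUM\\{084f01fa-e634-4d77-83ee-074817c03581}"
                      "\r\n\t\tPRINTENUM\\LocalPrintQueue"
                      "\r\n\t\t{084f01fa-e634-4d77-83ee-074817c03581}\r\n\t\t\r\n\t\t",
         "CompatibleIds": "\r\n\t\tGenPrintQueue\r\n\t\tSWD\\GenericRaw\r\n\t\tSWD\\Generic\r\n\t\t\r\n\t\t"}},
    {"system": {"event_id": 6416, "computer": "LAB-WIN11"},
     "event_data": {
         "SubjectUserName": "LAB-WIN11$", "SubjectDomainName": "WORKGROUP",
         "DeviceId": "USBSTOR\\DISK&VEN_EXAMPLE&PROD_FLASH&REV_1.00\\0123456789&0",  # invented
         "DeviceDescription": "Example Flash USB Device",
         "ClassId": "4D36E967-E325-11CE-BFC1-08002BE10318", "ClassName": "DiskDrive",
         "VendorIds": "\r\n\t\tUSBSTOR\\DiskEXAMPLE_FLASH___1.00\r\n\t\tUSBSTOR\\DiskEXAMPLE_FLASH___\r\n\t\t\r\n\t\t",
         "CompatibleIds": "\r\n\t\tUSBSTOR\\Disk\r\n\t\tUSBSTOR\\RAW\r\n\t\tGenDisk\r\n\t\t\r\n\t\t"}},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Run as-is to see the PrintQueue record pass through unflagged and the USBSTOR record flagged; feed it real records exported as JSON (for instance from evtx-baseline-style tooling) by replacing SAMPLE_EVENTS. Tune USB_ENUMERATORS to taste: plain "USB" also catches keyboards and cameras, which may or may not be wanted.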
Event ID 6417 — The FIPS mode crypto selftests succeeded.
Event ID 6418 — The FIPS mode crypto selftests failed.
Event ID 6419 — A request was made to disable a device.
Description
A request was made to disable a device.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
DeviceId UnicodeString | Device ID |
DeviceDescription UnicodeString | Device Name |
ClassId GUID | Class ID |
ClassName UnicodeString | Class Name |
HardwareIds UnicodeString | Hardware IDs |
CompatibleIds UnicodeString | Compatible IDs |
LocationInformation UnicodeString | Location Information |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 6419,
"version": 0,
"level": 0,
"task": 13316,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:18:51.247229+00:00",
"event_record_id": 16259082,
"correlation": {},
"execution": {
"process_id": 6984,
"thread_id": 9864
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"DeviceId": "PCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00\\3&267A616A&0&90",
"DeviceDescription": "Red Hat VirtIO Ethernet Adapter",
"ClassId": "4D36E972-E325-11CE-BFC1-08002BE10318",
"ClassName": "Net",
"HardwareIds": "\r\n\t\tPCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00\r\n\t\tPCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4\r\n\t\tPCI\\VEN_1AF4&DEV_1000&CC_020000\r\n\t\tPCI\\VEN_1AF4&DEV_1000&CC_0200\r\n\t\t\r\n\t\t",
"CompatibleIds": "\r\n\t\tPCI\\VEN_1AF4&DEV_1000&REV_00\r\n\t\tPCI\\VEN_1AF4&DEV_1000\r\n\t\tPCI\\VEN_1AF4&CC_020000\r\n\t\tPCI\\VEN_1AF4&CC_0200\r\n\t\tPCI\\VEN_1AF4\r\n\t\tPCI\\CC_020000\r\n\t\tPCI\\CC_0200\r\n\t\t\r\n\t\t",
"LocationInformation": "-"
},
"message": ""
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity
Event ID 6420 — A device was disabled.
Description
A device was disabled.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
DeviceId UnicodeString | Device ID |
DeviceDescription UnicodeString | Device Name |
ClassId GUID | Class ID |
ClassName UnicodeString | Class Name |
HardwareIds UnicodeString | Hardware IDs |
CompatibleIds UnicodeString | Compatible IDs |
LocationInformation UnicodeString | Location Information |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 6420,
"version": 0,
"level": 0,
"task": 13316,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-11T06:32:01.859671+00:00",
"event_record_id": 2461244,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 356
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "LAB-WIN11$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"DeviceId": "ROOT\\VMS_VSMP\\0000",
"DeviceDescription": "Hyper-V Virtual Switch Extension Adapter",
"ClassId": "4D36E972-E325-11CE-BFC1-08002BE10318",
"ClassName": "Net",
"HardwareIds": "\r\n\t\tvms_vsmp\r\n\t\t\r\n\t\t",
"CompatibleIds": "-",
"LocationInformation": "-"
},
"message": ""
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity
Event ID 6421 — A request was made to enable a device.
Description
A request was made to enable a device.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
DeviceId UnicodeString | Device ID |
DeviceDescription UnicodeString | Device Name |
ClassId GUID | Class ID |
ClassName UnicodeString | Class Name |
HardwareIds UnicodeString | Hardware IDs |
CompatibleIds UnicodeString | Compatible IDs |
LocationInformation UnicodeString | Location Information |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 6421,
"version": 0,
"level": 0,
"task": 13316,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-13T20:18:54.348192+00:00",
"event_record_id": 16267789,
"correlation": {},
"execution": {
"process_id": 6984,
"thread_id": 6948
},
"channel": "Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"SubjectUserName": "domainadmin",
"SubjectDomainName": "ludus",
"SubjectLogonId": "0xa981e",
"DeviceId": "PCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00\\3&267A616A&0&90",
"DeviceDescription": "Red Hat VirtIO Ethernet Adapter",
"ClassId": "4D36E972-E325-11CE-BFC1-08002BE10318",
"ClassName": "Net",
"HardwareIds": "\r\n\t\tPCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00\r\n\t\tPCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4\r\n\t\tPCI\\VEN_1AF4&DEV_1000&CC_020000\r\n\t\tPCI\\VEN_1AF4&DEV_1000&CC_0200\r\n\t\t\r\n\t\t",
"CompatibleIds": "\r\n\t\tPCI\\VEN_1AF4&DEV_1000&REV_00\r\n\t\tPCI\\VEN_1AF4&DEV_1000\r\n\t\tPCI\\VEN_1AF4&CC_020000\r\n\t\tPCI\\VEN_1AF4&CC_0200\r\n\t\tPCI\\VEN_1AF4\r\n\t\tPCI\\CC_020000\r\n\t\tPCI\\CC_0200\r\n\t\t\r\n\t\t",
"LocationInformation": "-"
},
"message": ""
}
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity
Event ID 6422 — A device was enabled.
Description
A device was enabled.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
DeviceId UnicodeString | Device ID |
DeviceDescription UnicodeString | Device Name |
ClassId GUID | Class ID |
ClassName UnicodeString | Class Name |
HardwareIds UnicodeString | Hardware IDs |
CompatibleIds UnicodeString | Compatible IDs |
LocationInformation UnicodeString | Location Information |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 6422,
"version": 0,
"level": 0,
"task": 13316,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-11T06:32:01.861463+00:00",
"event_record_id": 2461246,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 3728
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"SubjectUserSid": "S-1-5-18",
"SubjectUserName": "LAB-WIN11$",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"DeviceId": "ROOT\\VMS_VSMP\\0000",
"DeviceDescription": "Hyper-V Virtual Switch Extension Adapter",
"ClassId": "4D36E972-E325-11CE-BFC1-08002BE10318",
"ClassName": "Net",
"HardwareIds": "\r\n\t\tvms_vsmp\r\n\t\t\r\n\t\t",
"CompatibleIds": "-",
"LocationInformation": "-"
},
"message": ""
}
Community Notes #
Enabling a previously disabled device, typically removable storage or a network adapter, can be a step towards staging tools or exfiltrating data. In the examples on this page the completion events (6420, 6422) are logged by the kernel (process ID 4) as the machine account, while the matching requests (6419, 6421) carry the interactive user's SID and Logon ID, so recover the actor from the request for the same DeviceId rather than from the completion event alone.
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity
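The four examples above show the pattern a detection has to cope with: 6419/6421 name the requesting user, while 6420/6422 arrive a moment later from process ID 4 as the machine account. The following is an added example, not code from the original page: it pairs each completion with the preceding request for the same DeviceId inside a short window, reports who asked and how long the change took, and surfaces the two cases worth a second look, a completion with no audited request and a request that never completed. The sample events are constructed, loosely modelled on the page's examples (the 6420 and 6422 timestamps and the two trailing events are invented).

```python
from datetime import datetime, timedelta

REQUEST_TO_COMPLETION = {6419: 6420, 6421: 6422}
ACTION_OF_COMPLETION = {6420: "disable", 6422: "enable"}


def event_time(ev):
    """time_created is ISO 8601 with a UTC offset, as in the page's examples."""
    return datetime.fromisoformat(ev["system"]["time_created"])


def subject_of(ev):
    d = ev["event_data"]
    return d["SubjectDomainName"] + "\\" + d["SubjectUserName"]


def _row(action, dev, req=None, completed=True, latency=None):
    return {"action": action, "device": dev, "completed": completed,
            "requested_by": subject_of(req) if req else None,
            "logon_id": req["event_data"]["SubjectLogonId"] if req else None,
            "latency_s": latency}


def correlate_pnp(events, window=timedelta(seconds=30)):
    """One dict per device action: who asked, whether it completed, how fast.

    requested_by is None when a completion had no request for the same
    DeviceId within `window`; completed is False for a request left dangling."""
    pending = {}  # (expected completion id, DeviceId) -> request event
    rows = []
    for ev in sorted(events, key=event_time):
        eid = ev["system"]["event_id"]
        dev = ev["event_data"]["DeviceId"]
        if eid in REQUEST_TO_COMPLETION:
            pending[(REQUEST_TO_COMPLETION[eid], dev)] = ev
            continue
        if eid not in ACTION_OF_COMPLETION:
            continue
        action = ACTION_OF_COMPLETION[eid]
        req = pending.pop((eid, dev), None)
        if req is not None and event_time(ev) - event_time(req) > window:
            rows.append(_row(action, dev, req, completed=False))  # too old to be this one
            req = None
        if req is None:
            rows.append(_row(action, dev))
        else:
            rows.append(_row(action, dev, req,
                             latency=(event_time(ev) - event_time(req)).total_seconds()))
    for (cid, dev), req in pending.items():
        rows.append(_row(ACTION_OF_COMPLETION[cid], dev, req, completed=False))
    return rows


def _ev(event_id, ts, user, domain, logon_id, device_id, pid):
    """Constructed minimal record in the page's JSON shape."""
    return {"system": {"event_id": event_id, "time_created": ts,
                       "computer": "LAB-DC01.ludus.domain",
                       "execution": {"process_id": pid}},
            "event_data": {"SubjectUserName": user, "SubjectDomainName": domain,
                           "SubjectLogonId": logon_id, "DeviceId": device_id}}


NIC = "PCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00\\3&267A616A&0&90"
VSWITCH = "ROOT\\VMS_VSMP\\0000"
SAMPLE_EVENTS = [
    _ev(6419, "2026-03-13T20:18:51.247229+00:00", "domainadmin", "ludus", "0xa981e", NIC, 6984),
    _ev(6420, "2026-03-13T20:18:51.901000+00:00", "LAB-DC01$", "ludus", "0x3e7", NIC, 4),
    _ev(6421, "2026-03-13T20:18:54.348192+00:00", "domainadmin", "ludus", "0xa981e", NIC, 6984),
    _ev(6422, "2026-03-13T20:18:55.002000+00:00", "LAB-DC01$", "ludus", "0x3e7", NIC, 4),
    # completion with no audited request on this host (invented)
    _ev(6422, "2026-03-13T20:25:00.000000+00:00", "LAB-DC01$", "ludus", "0x3e7", VSWITCH, 4),
    # request that never completed (invented)
    _ev(6419, "2026-03-13T20:30:00.000000+00:00", "domainadmin", "ludus", "0xa981e", VSWITCH, 6984),
]

if __name__ == "__main__":
    for row in correlate_pnp(SAMPLE_EVENTS):
        print(row)
```

The pairing key is DeviceId only, so run it per host (the examples are from one computer each); across hosts, add the `computer` field to the key. A disable of a network adapter attributed to an interactive user on a domain controller, as in the sample, is the kind of row to route to a reviewer.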
Event ID 6423 — The installation of this device is forbidden by system policy.
Description
The installation of this device is forbidden by system policy.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
DeviceId UnicodeString | Device ID |
DeviceDescription UnicodeString | Device Name |
ClassId GUID | Class ID |
ClassName UnicodeString | Class Name |
HardwareIds UnicodeString | Hardware IDs |
CompatibleIds UnicodeString | Compatible IDs |
LocationInformation UnicodeString | Location Information |
Detection Rules #
Sigma #
- Device Installation Blocked (level: medium): Detects an installation of a device that is forbidden by the system policy.
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity
Event ID 6424 — The installation of this device was allowed, after having previously been forbidden by policy.
Description
The installation of this device was allowed, after having previously been forbidden by policy.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Subject] Security ID |
SubjectUserName UnicodeString | [Subject] Account Name |
SubjectDomainName UnicodeString | [Subject] Account Domain |
SubjectLogonId HexInt64 | [Subject] Logon ID |
DeviceId UnicodeString | Device ID |
DeviceDescription UnicodeString | Device Name |
ClassId GUID | Class ID |
ClassName UnicodeString | Class Name |
HardwareIds UnicodeString | Hardware IDs |
CompatibleIds UnicodeString | Compatible IDs |
LocationInformation UnicodeString | Location Information |
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity
Event ID 6425 — A network client used a legacy RPC method to modify authentication information on a trusted domain object.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | [Modified By] Security ID |
SubjectUserName UnicodeString | [Modified By] Account Name |
SubjectDomainName UnicodeString | [Modified By] Account Domain |
SubjectLogonId HexInt64 | [Modified By] Logon ID |
TrustedDomainName UnicodeString | [Trusted Domain] Domain Name |
TrustedDomainId SID | [Trusted Domain] Domain ID |
ClientNetworkAddress UnicodeString | Client Network Address |
LegacyRPCMethodName UnicodeString | RPC Method Name |
Event ID 6426 — The volatile system access rights assigned to an account were modified.
Description
The volatile system access rights assigned to an account were modified.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | — |
SubjectUserName UnicodeString | — |
SubjectDomainName UnicodeString | — |
SubjectLogonId HexInt64 | — |
TargetSid SID | — |
OriginalAccessRightsMask HexInt32 | — |
OriginalAccessRights UnicodeString | — |
GrantedAccessRightsMask HexInt32 | — |
GrantedAccessRights UnicodeString | — |
RemovedAccessRightsMask HexInt32 | — |
RemovedAccessRights UnicodeString | — |
FinalAccessRightsMask HexInt32 | — |
FinalAccessRights UnicodeString | — |
Event ID 6427 — System access right details for a successful logon.
Description
System access right details for a successful logon.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | — |
SubjectUserName UnicodeString | — |
SubjectDomainName UnicodeString | — |
SubjectLogonId HexInt64 | — |
TargetUserSid SID | — |
TargetUserName UnicodeString | — |
TargetDomainName UnicodeString | — |
TargetLogonId HexInt64 | — |
LogonType UInt32 | Logon type (numeric code, same values as in 4624: 2 interactive, 3 network, 10 RemoteInteractive) |
SystemAccessRightRequiredForLogon UnicodeString | — |
SystemAccessRightRequiredForLogonUlong HexInt32 | — |
EventIndex UInt32 | — |
EventCountTotal UInt32 | — |
SystemAccessRightSidList UnicodeString | — |
LocalSystemAccessRightSidList UnicodeString | — |
Event ID 6428 — System access right details for a failed logon that was explicitly denied.
Description
System access right details for a failed logon that was explicitly denied.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | — |
SubjectUserName UnicodeString | — |
SubjectDomainName UnicodeString | — |
SubjectLogonId HexInt64 | — |
TargetUserSid SID | — |
TargetUserName UnicodeString | — |
TargetDomainName UnicodeString | — |
LogonType UInt32 | Logon type (numeric code, same values as in 4624: 2 interactive, 3 network, 10 RemoteInteractive) |
DenySystemAccessRight UnicodeString | — |
DenySystemAccessRightUlong HexInt32 | — |
EventIndex UInt32 | — |
EventCountTotal UInt32 | — |
DenySystemAccessRightsSidList UnicodeString | — |
DenyLocalSystemAccessRightsSidList UnicodeString | — |
Event ID 6429 — System access right details for a failed logon that was implicitly denied.
Description
System access right details for a failed logon that was implicitly denied.
Message #
Fields #
| Name | Description |
|---|---|
SubjectUserSid SID | — |
SubjectUserName UnicodeString | — |
SubjectDomainName UnicodeString | — |
SubjectLogonId HexInt64 | — |
TargetUserSid SID | — |
TargetUserName UnicodeString | — |
TargetDomainName UnicodeString | — |
LogonType UInt32 | Logon type (numeric code, same values as in 4624: 2 interactive, 3 network, 10 RemoteInteractive) |
AllowSystemAccessRight UnicodeString | — |
AllowSystemAccessRightUlong HexInt32 | — |
Event ID 6430 — A Windows Firewall policy was imported.
Event ID 8191 — Highest System-Defined Audit Message Value.
Description
Highest System-Defined Audit Message Value.