Event ID References

Direct References

Kerberoasting

  • 4768: A Kerberos authentication ticket (TGT) was requested
  • 4769: A Kerberos service ticket was requested
  • 4770: A Kerberos service ticket was renewed
  • 4773: A Kerberos service ticket request failed
  • 4771: Kerberos pre-authentication failed

Kerberos Authentication Detail

  • Service Name: Name of service in Kerberos Realm to which the TGT request was sent, such as "krbtgt"
  • Service ID: (SID) Security Identifier, such as "S-1-5-21-DOMAIN_IDENTIFIER-502." Will display resolved account name if possible.
  • NULL SID: Result of 4768 failures

Authentication Manipulation

  • 4624: An account was successfully logged on
  • 4625: An account failed to log on
  • 4627: Group membership information
  • 4648: A logon was attempted using explicit credentials
  • 4776: The computer attempted to validate the credentials for an account.
  • 4634: An account was logged off
  • 4647: User initiated logoff
  • 4964: Special groups have been assigned to a new login
  • 4672: Special privileges assigned to new logon
  • 4717: System security access was granted to an account (logon user right)
  • 4673: A privileged service was called
  • 4674: An operation was attempted on a privileged object
  • 4610: An authentication package has been loaded by the Local Security Authority.

Authentication Logon Types

  • 2: Interactive
  • 3: Network
  • 4: Batch
  • 5: Service
  • 7: Unlock
  • 8: NetworkCleartext (Typically IIS w/ Basic Auth)
  • 9: NewCredentials
  • 10: RemoteInteractive (RDP)
  • 11: CachedInteractive (Logon with DCC)

Authentication Impersonation Level

  • Anonymous
  • Default
  • Delegate
  • Identify
  • Impersonate

Process Manipulation

  • 4688: A new process has been created
  • 4689: A process has exited
  • 4696: A primary token was assigned to process
  • 4690: An attempt was made to duplicate a handle to an object
  • 4697: A service was installed on the system
  • Sysmon 25: ProcessTampering (Process image change)

PowerShell Operational/Audit/Transaction Logs

  • 4100: PS Error (Operational)
  • 4101: PS Activity (MS Windows PowerShell Event)
  • 4102: PS Error (Operational)
  • 4103: PS Event (MS Windows PowerShell Event)
  • 4104: PS Script Execution
  • 4105: PS Script Execution Start (Operational)
  • 4106: PS Script Execution End (Operational)
  • 40961: PS Console Starting
  • 40962: PS Console Ready
  • 53249: PS Scheduled Job Start (Scheduled Task)
  • 53250: PS Scheduled Job Completed (Scheduled Task)
  • 24577: PS ISE Running Script

Log Manipulation

  • 1102: The audit log was cleared
  • 1100: The event logging service has shut down

Sysmon Events

  • 1: Process creation
  • 2: A process changed a file creation time
  • 3: Network Connection
  • 4: Sysmon service state changed
  • 5: Process terminated
  • 6: Driver loaded
  • 7: Image loaded
  • 8: CreateRemoteThread
  • 9: RawAccessRead
  • 10: ProcessAccess
  • 11: FileCreate
  • 12: RegistryEvent (Object create and delete)
  • 13: RegistryEvent (Value Set)
  • 14: RegistryEvent (Key and Value Rename)
  • 15: FileCreateStreamHash
  • 16: ServiceConfigurationChange
  • 17: PipeEvent (Pipe Created)
  • 18: PipeEvent (Pipe Connected)
  • 19: WmiEvent (WmiEventFilter activity detected)
  • 20: WmiEvent (WmiEventFilter activity detected)
  • 21: WmiEvent (WmiEventConsumerToFilter activity detected)
  • 22: DNSEvent (DNS query)
  • 23: FileDelete (File Delete archived)
  • 24: ClipboardChange (New content in the clipboard)
  • 25: ProcessTampering (Process image change)
  • 26: FileDeleteDetected (File Delete logged)
  • 255: Error

Active Directory Object Manipulation

  • 4662: An operation was performed by an object
  • 4661: A handle to an object was requested
  • 5136: A directory service object was modified
  • 5137: A directory service object was created
  • 5138: A directory service object was undeleted
  • 5139: A directory service object was moved
  • 5141: A directory service object was deleted
  • 4670: Permissions on an object were changed
  • 4715: The audit policy on an object was changed

Active Directory (User) Account Management

  • 4720: A user account was created
  • 4722: A user account was enabled
  • 4723: An attempt was made to change an account's password
  • 4724: An attempt was made to reset an account's password
  • 4725: A user account was disabled
  • 4726: A user account was deleted
  • 4738: A user account was changed
  • 4740: A user account was locked out
  • 4767: A user account was unlocked
  • 4781: The name of an account was changed
  • 4780: The ACL was set on accounts which are members of administrator groups (ADMIN=1)
  • 4798: A user's local group membership was enumerated
  • 4782: The password hash on an account was accessed
  • 4670: Permissions on an object were changed
  • 4715: The audit policy on an object was changed
  • 4703: A user right was adjusted
  • 4704: A user right was assigned
  • 4705: A user right was removed

Active Directory (Computer) Account Management

  • 4741: A computer account was created
  • 4742: A computer account was changed
  • 4743: A computer account was deleted
  • 4670: Permissions on an object were changed

Active Directory Security Group Management

  • 4731: A security-enabled local group was created
  • 4732: A member was added to a security-enabled local group
  • 4733: A member was removed from a security-enabled local group
  • 4735: A security-enabled local group was changed
  • 4799: A security-enabled local group membership was enumerated
  • 4670: Permissions on an object were changed

Active Directory Services - Misc

  • 4706: A new trust was created to a domain
  • 4707: A trust to a domain was removed
  • 4716: Trusted domain information was modified
  • 4739: Domain Policy was changed
  • 6145: One or more errors occurred while processing security policy in the group policy objects
  • ADCS: Securing PKI Appendix

Audit File Share / System

  • 5145: A network share object was checked to see whether client can be granted desired access
  • 5140: A network share object was accessed
  • 5142: A network share object was added
  • 5143: A network share object was modified
  • 5144: A network share object was deleted
  • 5168: SPN check for SMB/SMB2 Failed
  • 4670: Permissions on an object were changed

Windows Firewall

  • 5157: The Windows Filtering Platform has blocked a connection
  • 5158: The Windows Filtering Platform has permitted a bind to a local port
  • 5159: The Windows Filtering Platform has blocked a bind to a local port
  • 5152: The Windows Filtering Platform has blocked a packet
  • 5447: A Windows Filtering Platform filter has been changed
  • 5025: The Windows Firewall Service has been stopped

Scheduled Tasks

  • 4698: A scheduled task was created
  • 4699: A scheduled task was deleted
  • 4700: A scheduled task was enabled
  • 4701: A scheduled task was disabled
  • 4702: A scheduled task was updated
  • 4717: System security access was granted to an account (logon user right)

Registry Management

  • 4663: An attempt was made to access an object
  • 4656: A handle to an object was requested
  • 4660: An object was deleted
  • 4657: A registry value was modified
  • 4670: Permissions on an object were changed
  • Sysmon 12: RegistryEvent (Object create and delete)
  • Sysmon 13: RegistryEvent (Value Set)
  • Sysmon 14: RegistryEvent (Key and Value Rename)

Audit Policy

  • 4719: System audit policy was changed
  • 4715: The audit policy on an object was changed
  • 4670: Permissions on an object were changed
  • 4817: Auditing settings on object were changed (Global)
  • 4907: Auditing settings on object were changed (Object)
  • 4908: Special Groups Logon Table modified

Copyright - All Rights Reserved, Defensive Origins LLC