Windows Event Logs are a goldmine for security investigations. Knowing which Event IDs to monitor, and which fields tie them together, is essential for threat detection.
Critical Event IDs
| Event ID | Log | Description |
|---|---|---|
| 4624 | Security | Successful logon (Logon Type and Logon ID are the key fields) |
| 4625 | Security | Failed logon (Status/SubStatus give the reason) |
| 4648 | Security | Logon attempted with explicit credentials (runas, alternate credentials) |
| 4672 | Security | Special privileges assigned to a new logon (admin-equivalent session) |
| 4688 | Security | New process created (command line only if command-line auditing is enabled) |
| 4698 | Security | Scheduled task created |
| 4720 | Security | User account created |
| 4732 | Security | Member added to a security-enabled local group (e.g. Administrators) |
| 7045 | System | Service installed |
Logon Types
| Logon Type | Meaning |
|---|---|
| Type 2 | Interactive (local console) |
| Type 3 | Network (SMB, file shares, WinRM, PsExec) |
| Type 4 | Batch (scheduled task) |
| Type 5 | Service (started by the Service Control Manager) |
| Type 7 | Unlock (workstation unlock) |
| Type 10 | RemoteInteractive (RDP / Terminal Services) |
Sysmon Critical Events
- Event 1: Process creation (with full command line and parent process)
- Event 3: Network connection
- Event 7: Image loaded (DLLs and other modules)
- Event 11: File created
- Event 22: DNS query (Sysmon 10 and later)
Investigation Tips
- Correlate 4624 with 4672 on the Logon ID (TargetLogonId in 4624 equals SubjectLogonId in 4672) to find logons that received admin privileges; the user name alone is not a reliable join key
- Look for 4648 where TargetServerName is a host the subject does not normally reach, or where the target user differs from the subject (lateral movement with alternate credentials)
- Monitor 4698 (task created) and 4699 (task deleted) for persistence via scheduled tasks; a task created and deleted within minutes can indicate one-shot execution
- Enable PowerShell Script Block Logging; the blocks land as Event 4104 in the Microsoft-Windows-PowerShell/Operational log, not in Security
- Check the audit policy before relying on these IDs: 4688 needs Audit Process Creation (plus "Include command line in process creation events"), and 4698/4699 need Audit Other Object Access Events
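The correlations in the tips above, implemented over event XML, as an added example that is not code from the original page. The sample events are constructed to mimic the XML that `Get-WinEvent` returns from `$_.ToXml()` for the Security log; the host names, user names, Logon IDs and the "expected targets" baseline are made up.

```python
"""Correlation logic for the investigation tips above.

Added example, not code from the original page. The events below are
constructed to mimic the EVTX XML that Get-WinEvent ... ToXml() returns;
host names, user names and Logon IDs are made up.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_event(event_id, data):
    """Build a minimal Security-log event in EVTX XML form (constructed sample)."""
    body = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Channel>Security</Channel></System><EventData>{body}</EventData></Event>')


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_XML = [
    # Interactive logon that also received admin rights: the 4672 carries the
    # same Logon ID (SubjectLogonId) as the 4624's TargetLogonId.
    make_event(4624, {"TargetUserName": "alice", "TargetLogonId": "0x3e7a1",
                      "LogonType": "2", "IpAddress": "-", "WorkstationName": "WS01"}),
    make_event(4672, {"SubjectUserName": "alice", "SubjectLogonId": "0x3e7a1",
                      "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege SeRestorePrivilege"}),
    # Plain network logon by a service account with no matching 4672: not privileged.
    make_event(4624, {"TargetUserName": "svc_backup", "TargetLogonId": "0x4b220",
                      "LogonType": "3", "IpAddress": "10.0.0.15", "WorkstationName": "BK01"}),
    # Explicit credentials used against a remote file server from PowerShell.
    make_event(4648, {"SubjectUserName": "alice", "TargetUserName": "administrator",
                      "TargetServerName": "FS02.corp.local", "ProcessName": PS, "IpAddress": "-"}),
    # Explicit credentials on the local machine (a run-as): expected, not flagged.
    make_event(4648, {"SubjectUserName": "alice", "TargetUserName": "alice",
                      "TargetServerName": "localhost", "ProcessName": r"C:\Windows\explorer.exe",
                      "IpAddress": "-"}),
    # Scheduled task created and then deleted.
    make_event(4698, {"SubjectUserName": "alice", "TaskName": r"\Updater"}),
    make_event(4699, {"SubjectUserName": "alice", "TaskName": r"\Updater"}),
]


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) for one event's XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def admin_logons(events):
    """Tip 1: join 4624 to 4672 on the Logon ID. The Logon ID is unique per
    session, so it is a real join key; the user name is not."""
    privileged = {d["SubjectLogonId"]: d["PrivilegeList"] for eid, d in events if eid == 4672}
    return [{"user": d["TargetUserName"], "logon_id": d["TargetLogonId"],
             "logon_type": int(d["LogonType"]), "source": d["IpAddress"],
             "privileges": privileged[d["TargetLogonId"]].split()}
            for eid, d in events if eid == 4624 and d["TargetLogonId"] in privileged]


def unusual_explicit_logons(events, expected_targets):
    """Tip 2: 4648 whose TargetServerName is outside the set of hosts this
    account is expected to reach (expected_targets is an assumed baseline)."""
    return [{"subject": d["SubjectUserName"], "as_user": d["TargetUserName"],
             "target": d["TargetServerName"], "process": d["ProcessName"]}
            for eid, d in events
            if eid == 4648 and d["TargetServerName"].lower() not in expected_targets]


def scheduled_task_changes(events):
    """Tip 3: 4698 (created) and 4699 (deleted) in log order, so a task that
    exists only briefly still shows up as a create/delete pair."""
    actions = {4698: "created", 4699: "deleted"}
    return [(actions[eid], d["TaskName"], d["SubjectUserName"])
            for eid, d in events if eid in actions]


if __name__ == "__main__":
    evts = [parse_event(x) for x in SAMPLE_XML]
    for hit in admin_logons(evts):
        print("admin logon:", hit)
    for hit in unusual_explicit_logons(evts, {"localhost", "ws01"}):
        print("explicit creds to unusual host:", hit)
    for change in scheduled_task_changes(evts):
        print("scheduled task", *change)
```

To run this against a real host, export the events with `Get-WinEvent -LogName Security -MaxEvents 5000 | ForEach-Object { $_.ToXml() }` and feed each XML string to `parse_event`. On a live log the 4672 PrivilegeList is separated by whitespace and newlines, which `split()` handles, and the `expected_targets` baseline should come from the account's normal access pattern rather than the constant used in the demo.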
December 2024