EventPeeker

Windows Event Log Detection Guide

Security reference for analysts and threat hunters. Each guide covers what the event means, its MITRE ATT&CK mapping, investigation steps, and remediation.

Event ID 4625 — Failed Logon

Event ID 4625 is logged every time a Windows account fails to authenticate. A single failure is normal, but large volume

T1110

Event ID 4794 — DSRM Account Password Change

Event ID 4794 is logged when the Directory Services Restore Mode (DSRM) administrator password on a domain controller is

T1098

Event ID 1102 — Security Audit Log Cleared

Event ID 1102 is logged when the Windows Security event log is cleared. While administrators sometimes clear logs for ma

T1070

Event ID 4698 — Scheduled Task Created

Event ID 4698 is logged when a new scheduled task is created on a Windows system. Scheduled tasks are a common persisten

T1053

Event ID 7045 — New Service Installed

Event ID 7045 is logged when a new Windows service is installed on a system. While legitimate software installs services

T1543

Event ID 4104 — PowerShell Script Block Logging

Event ID 4104 captures the full content of PowerShell scripts as they execute, including de-obfuscated code. When script

T1059.001

Event ID 4740 — Account Lockout

Event ID 4740 is logged when a Windows user account is locked out after exceeding the failed logon threshold. Account lo

T1110

Event ID 4672 — Special Privileges Assigned to New Logon

Event ID 4672 is logged whenever an account logs on with sensitive or special privileges such as SeDebugPrivilege, SeImp

T1078

Event ID 4720 — User Account Created

Event ID 4720 is logged when a new user account is created in Active Directory or on a local Windows system. While routi

T1136

Event ID 4728 / 4732 — User Added to Privileged Group

Event ID 4728 is logged when a user is added to a global security group (such as Domain Admins). Event ID 4732 covers lo

T1098

PowerShell Abuse — Living Off the Land

PowerShell is one of the most abused tools in modern attacks. Because it is built into every Windows system and trusted

T1059.001

Failed Logon Spike — Brute Force and Password Spray

A failed logon spike is a large volume of authentication failures in a short window — the fingerprint of a brute-force o

T1110

Windows Defender Disabled or Tampered

Attackers routinely disable or tamper with Windows Defender before executing their main payload — disabling real-time pr

T1562.001

Lateral Movement — Spreading Across the Network

Lateral movement is how attackers spread from their initial foothold to other systems on the network — reaching domain c

T1021

Ransomware Indicators — Pre-Encryption Activity

Ransomware attacks follow a predictable pattern in Windows event logs — disabling defenses, establishing persistence, sp

T1486

Privilege Escalation — Gaining Admin and Domain Access

Privilege escalation is the step between gaining an initial foothold and gaining full control. Attackers add accounts to

T1078

WMI Persistence — Event Subscription Backdoors

Windows Management Instrumentation (WMI) event subscriptions allow code to execute automatically in response to system e

T1546.003

Credential Dumping

Credential dumping is the extraction of account credentials — password hashes, plaintext passwords, or Kerberos tickets

T1003

DCSync Attack Detection — Mimikatz Replication & AD Credential Dumping

A DCSync attack abuses Active Directory replication rights to impersonate a domain controller and pull password hashes f

T1003.006

Detect Mimikatz — LSASS Dumping, DCSync & Credential Theft Indicators

Mimikatz is the most widely used credential theft tool in post-exploitation. It can extract plaintext passwords and NTLM

T1003

Detect Pass-the-Hash — NTLM Lateral Movement & Suspicious Network Logons

Pass-the-Hash (PtH) is a lateral movement technique where an attacker uses a stolen NTLM password hash to authenticate a

T1550.002

Living-Off-the-Land Binary Abuse (LOLBins)

Living-off-the-land (LOLBin) attacks abuse legitimate Windows binaries — certutil, bitsadmin, regsvr32, mshta, and other

T1218

Kerberos Attacks (Kerberoasting, AS-REP Roasting)

Kerberos attacks exploit the Windows authentication protocol to extract and crack service account credentials offline, o

T1558.003

Detect Golden Ticket Attacks — Forged Kerberos TGT & krbtgt Hash Abuse

A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT) created using the krbtgt account's NTLM hash. Because

T1558.001

Pass-the-Ticket — Stolen Kerberos Ticket Lateral Movement

Pass-the-Ticket (PtT) steals a valid Kerberos ticket from a user's LSASS memory and injects it into a different session,

T1550.003

AS-REP Roasting — Kerberos Pre-Authentication Disabled Account Attack

AS-REP Roasting exploits accounts with Kerberos pre-authentication disabled. Without pre-authentication, the Domain Cont

T1558.004

Skeleton Key Attack — In-Memory LSASS Patch for Universal DC Authentication

A Skeleton Key attack patches LSASS on a domain controller in memory, inserting a secondary 'skeleton' password that wor

T1556.001

Suspicious Process Creation — Abnormal Parent-Child Relationships

Event ID 4688 logs every process creation on Windows when process auditing is enabled. Attackers abuse this by launching

T1059

UAC Bypass Detection — Privilege Escalation Without a Prompt

UAC bypass techniques allow attackers to silently elevate a process from a standard or medium-integrity context to high

T1548.002

PsExec & Remote Execution — Lateral Movement via Admin Shares

PsExec is a Sysinternals tool that executes commands on remote systems over SMB using admin shares (ADMIN$, C$). It is w

T1021.002

Scheduled Task Abuse — Persistence and Lateral Execution

Windows Scheduled Tasks are a primary persistence mechanism abused by malware, ransomware, and post-exploitation framewo

T1053.005

Account Persistence — Backdoor Accounts and Unauthorized Group Changes

Attackers who gain domain admin privileges frequently create backdoor accounts or add existing accounts to privileged gr

T1136

Malicious Service Installation — Persistence via Windows Services

Windows services run continuously in the background, start automatically at boot, and often execute under SYSTEM or Loca

T1543.003

Registry Run Key Persistence — Autostart via HKCU/HKLM Run Keys

Registry Run keys are one of the oldest and most common Windows persistence mechanisms. Entries written to HKCU\Software

T1547.001