Detection Guides
Windows Event Log reference for security analysts and threat hunters.
What is Event ID 4625?
Failed logon attempts — detecting brute force and credential attacks
What is Event ID 4794?
DSRM password change — a critical domain controller backdoor technique
What is Event ID 1102?
Audit log cleared — a strong indicator of active attack or cover-up
What is Event ID 4698?
Scheduled task creation — a common attacker persistence method
What is Event ID 7045?
New service installed — used by malware to establish persistence
What is Event ID 4104?
PowerShell script block logging — detecting malicious scripts
Full guides coming soon.