more event ids

gurkenhabicht 2026-04-07 16:50:43 +02:00
parent e8c3e42f94
commit 2a561ac73f
1 changed files with 18 additions and 6 deletions

@ -55,34 +55,46 @@ The `subject` is the account doing an action on an `object`.
their password their password
* **4724**: Attempt to reset the account password. The user attempts to reset * **4724**: Attempt to reset the account password. The user attempts to reset
the password of another account the password of another account
* **4725**: Account disable * **4725**: Account disabled
* **4726**: Account removed from systemved from system * **4726**: Account removed from systemved from system
* **4728**: Attempt to add an account to a global security group * **4728**: Attempt to add an account to a global security group (logged domain wide)
* **4729**: Attempt to remove an account from a global security group * **4729**: Attempt to remove an account from a global security group
* **4732**: User was added to a security group (like Administrators) * **4732**: User was added to a security group (like Administrators, logged on local or DC)
* **4733**: User was removed from a security group (like Administrators) * **4733**: User was removed from a security group (like Administrators)
* **4738**: User account properties were changed * **4738**: User account properties were changed
* **4740**: User account was locked after repeated attempt of access * **4740**: User account was locked after repeated attempt of access
* **4756**: Attempt to add an account to a universal security group * **4756**: Attempt to add an account to a universal security group (logged on entire ad forest)
* **4757**: Attempt to remove an account from a universal security group * **4757**: Attempt to remove an account from a universal security group
* **4768**: Kerberos TGT request * **4768**: Kerberos TGT request
* **4769**: Kerberos TGS request * **4769**: Kerberos TGS request
* **4771**: Kerberos pre-auth failure * **4771**: Kerberos pre-auth failure
* **4776**: Validate NTLM credentials at DC. This happens when the resource is
accessed via IP address, for legacy applications without Kerberos support or
auth between untrusted DC domains
### Account Logon ### Account Logon
These can be found via `Event Viewer` under `Windows Logs` -> `Security`. These can be found via `Event Viewer` under `Windows Logs` -> `Security`.
The `Logon ID` is the session identifier. The `Logon ID` is the session identifier.
* **4624**: Successful logon/login * **4624**: Successful logon/login, Session created on target resource
* **4625**: Failed logon/login * **4625**: Failed logon/login
* **4634** and **4647**: Logoff * **4634** and **4647**: Logoff
* **4779**: Session disconnect * **4779**: Session disconnect
### Active Directory Objects
* **5136**: Attribute-level modification on AD object (e.g. Group Policy Objects)
* **5140**: Object Access
### Logon Types ### Logon Types
* **10**: RDP * **2**: Interactive
* **3**: Network * **3**: Network
* **4**: Batch
* **5**: Service
* **7**: Unlock
* **10**: RDP
### Scheduled Tasks ### Scheduled Tasks
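Review bot: In the new `### Active Directory Objects` section, **5140** is described only as "Object Access", but 5140 is the network file share event ("A network share object was accessed"), not a directory object change like 5136; move it under a file share or object access heading and describe it as share access so analysts do not read it as an AD modification. The **4726** line still reads "Account removed from systemved from system" on both sides of the diff and could be cleaned up in the same pass. In the new 4756 text, "ad forest" should be "AD forest" to match "DC" and "AD object" elsewhere, and the 4732 note "logged on local or DC" would be clearer if the entry itself said "local security group", parallel to the "global" and "universal" wording on 4728 and 4756.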