Microsoft-Windows-Security-Auditing

Florian Roth (Nextron Systems)

Event ID 4608: Windows is starting up.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Security State Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Windows is starting up.

Message #

Windows is starting up.

This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4608,
    "version": 0,
    "level": 0,
    "task": 12288,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:32:50.4026945+00:00",
    "event_record_id": 1715910,
    "correlation": {},
    "execution": {
      "process_id": 812,
      "thread_id": 816
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": "Windows is starting up.\r\n\r\nThis event is logged when LSASS.EXE starts and the auditing subsystem is initialized."
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4608
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4608

Event ID 4609: Windows is shutting down.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Security State Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Windows is shutting down.

Message #

Windows is shutting down.
All logon sessions will be terminated by this shutdown.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4609
Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4609

Event ID 4610: An authentication package has been loaded by the Local Security Authority.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Security System Extension
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time Authentication Package has been loaded by the Local Security Authority (LSA). Each time the system starts, the LSA loads the Authentication Package DLLs from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages registry value and performs the initialization sequence for every package located in these DLLs.

Message #

An authentication package has been loaded by the Local Security Authority.
This authentication package will be used to authenticate logon attempts.

Authentication Package Name: %1

Fields #

Name	Description
`AuthenticationPackageName` UnicodeString	The name of loaded Authentication Package. The format is: DLL_PATH_AND_NAME: AUTHENTICATION_PACKAGE_NAME.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4610,
    "version": 0,
    "level": 0,
    "task": 12289,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:32:50.7528048+00:00",
    "event_record_id": 1715923,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 816
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AuthenticationPackageName": "C:\\Windows\\system32\\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
  },
  "message": "An authentication package has been loaded by the Local Security Authority.\r\nThis authentication package will be used to authenticate logon attempts.\r\n\r\nAuthentication Package Name:\tC:\\Windows\\system32\\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4610
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4610
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4610.yml

Event ID 4611: A trusted logon process has been registered with the Local Security Authority.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Security System Extension
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event indicates that a logon process has registered with the Local Security Authority (LSA). Also, logon requests will now be accepted from this source. At the technical level, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event generates. A logon process is a trusted part of the operating system that handles the overall logon function for different logon methods (network, interactive, etc.). You typically see these events during operating system startup or user logon and authentication actions

Message #

A trusted logon process has been registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Logon Process Name: %5

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that registered the trusted logon process.
`SubjectUserName` UnicodeString	The name of the account that registered the trusted logon process.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`LogonProcessName` UnicodeString	The name of registered logon process.	1 detection rule

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4611,
    "version": 0,
    "level": 0,
    "task": 12289,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:33:48.1527291+00:00",
    "event_record_id": 1724051,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 3340
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-A$",
    "SubjectDomainName": "cell-a",
    "SubjectLogonId": "0x3e7",
    "LogonProcessName": "UserManager"
  },
  "message": "A trusted logon process has been registered with the Local Security Authority.\r\nThis logon process will be trusted to submit logon requests.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nLogon Process Name:\t\tUserManager"
}

Community Notes #

May be seen when a process injects into LSASS.

Detection Rules #

Sigma # view in coverage

Register new Logon Process by Rubeus source high: Detects potential use of Rubeus via registered new trusted logon process

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4611
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4611
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4611.yml

Event ID 4612: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → System Integrity
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.

Message #

Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.

Number of audit messages discarded: %1

This event is generated when audit queues are filled and events must be discarded.  This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped.

Fields #

Name	Description
`AuditsDiscarded` UInt32	Number of audit messages discarded

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4612
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4612

Event ID 4614: A notification package has been loaded by the Security Account Manager.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Security System Extension
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time a Notification Package has been loaded by the Security Account Manager. In reality, starting with Windows Vista, a notification package should be interpreted as afs Password Filter. Password Filters are DLLs that are loaded or called when passwords are set or changed. Each time a system starts, it loads the notification package DLLs from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages registry value and performs the initialization sequence for every package.

Message #

A notification package has been loaded by the Security Account Manager.
This package will be notified of any account or password changes.

Notification Package Name: %1

Fields #

Name	Description
`NotificationPackageName` UnicodeString	The name of loaded Notification Package.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4614,
    "version": 0,
    "level": 0,
    "task": 12289,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:32:52.4233877+00:00",
    "event_record_id": 1715954,
    "correlation": {},
    "execution": {
      "process_id": 812,
      "thread_id": 816
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "NotificationPackageName": "scecli"
  },
  "message": "A notification package has been loaded by the Security Account Manager.\r\nThis package will be notified of any account or password changes.\r\n\r\nNotification Package Name:\tscecli"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4614
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4614
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4614.yml

Event ID 4615: Invalid use of LPC port.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → System Integrity
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Invalid use of LPC port.

Message #

Invalid use of LPC port.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Process Information:
	PID: %7
	Name: %8

Invalid Use: %5

LPC Server Port Name: %6

Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA's use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel.

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`InvalidCallName` UnicodeString	Invalid Use
`ServerPortName` UnicodeString	LPC Server Port Name
`ProcessId` Pointer	[Process Information] PID
`ProcessName` UnicodeString	[Process Information] Name

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4615
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4615

Event ID 4616: The system time was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Security State Change
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

This event generates every time system time was changed.

Message #

The system time was changed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Process Information:
	Process ID: %9
	Name: %10

Previous Time: %6 %5
New Time: %8 %7

This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that requested the "change system time" operation.	1 detection rule
`SubjectUserName` UnicodeString	The name of the account that requested the "change system time" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on".
`PreviousTime` FILETIME	Previous time in UTC time zone.
`NewTime` FILETIME	New time that was set in UTC time zone.
`ProcessId` Pointer	Hexadecimal Process ID of the process that changed the system time. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
`ProcessName` UnicodeString	Full path and the name of the executable for the process.	7 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4616,
    "version": 1,
    "level": 0,
    "task": 12288,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:39:30.8456189+00:00",
    "event_record_id": 1842818,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4312
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-19",
    "SubjectUserName": "LOCAL SERVICE",
    "SubjectDomainName": "NT AUTHORITY",
    "SubjectLogonId": "0x3e5",
    "PreviousTime": "2026-06-13T05:39:30.8442156Z",
    "NewTime": "2026-06-13T05:39:30.8452453Z",
    "ProcessId": "0x1434",
    "ProcessName": "C:\\Windows\\System32\\svchost.exe"
  },
  "message": "The system time was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tLOCAL SERVICE\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E5\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x1434\r\n\tName:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nPrevious Time:\t\t‎2026‎-‎06‎-‎13T05:39:30.844215600Z\r\nNew Time:\t\t‎2026‎-‎06‎-‎13T05:39:30.845245300Z\r\n\r\nThis event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer."
}

Detection Rules #

Sigma # view in coverage

Unauthorized System Time Modification source low: Detect scenarios where a potentially unauthorized application or user is modifying the system time.
System time changed source medium: Detects scenarios where an attacker attempts to change the system time to evade defense. Check also if NewTime is different from PreviousTime to reduce false positives.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4616
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4616_v1.yml

Event ID 4618: A monitored security event pattern has occurred.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → System Integrity
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event is generated when Windows is configured to generate alerts in accordance with the Common Criteria Security Audit Analysis requirements (FAU_SAA) and an auditable event pattern occurs.

Message #

A monitored security event pattern has occurred.

Subject:
	Security ID: %3
	Account Name: %4
	Account Domain: %5
	Logon ID: %6

Alert Information:
	Computer: %2
	Event ID: %1
	Number of Events: %7
	Duration: %8

This event is generated when Windows is configured to generate alerts in accordance with the Common Criteria Security Audit Analysis requirements (FAU_SAA) and an auditable event pattern occurs.

Fields #

Name	Description
`EventId` UInt32	[Alert Information] Event ID.
`ComputerName` UnicodeString	[Alert Information] Computer.
`TargetUserSid` SID	[Subject] Security ID.
`TargetUserName` UnicodeString	[Subject] Account Name.
`TargetUserDomain` UnicodeString	Subject's domain or computer name.
`TargetLogonId` HexInt64	[Subject] Logon ID.
`EventCount` UInt32	[Alert Information] Number of Events.
`Duration` UnicodeString	[Alert Information] Duration.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4618
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4618
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4618.yml

Event ID 4621: Administrator recovered system from CrashOnAuditFail.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Security State Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.

Message #

Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.

Value of CrashOnAuditFail: %1

This event is logged after a system reboots following CrashOnAuditFail.

Fields #

Name	Description
`CrashOnAuditFailValue` UnicodeString	Value of CrashOnAuditFail

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4621
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4621

Event ID 4622: A security package has been loaded by the Local Security Authority.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Security System Extension
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time Security Package has been loaded by the Local Security Authority (LSA). Security Package is the software implementation of a security protocol (Kerberos, NTLM, for example). Security packages are contained in security support provider DLLs or security support provider/authentication package DLLs. Each time the system starts, the LSA loads the Security Package DLLs from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages registry value and performs the initialization sequence for every package located in these DLLs. It is also possible to add security package dynamically using AddSecurityPackage function, not only during system startup process.

Message #

A security package has been loaded by the Local Security Authority.

Security Package Name: %1

Fields #

Name	Description	Rules
`SecurityPackageName` UnicodeString	The name of loaded Security Package. The format is: DLL_PATH_AND_NAME: SECURITY_PACKAGE_NAME.	9 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4622,
    "version": 0,
    "level": 0,
    "task": 12289,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:32:50.7526189+00:00",
    "event_record_id": 1715922,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 816
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SecurityPackageName": "C:\\Windows\\system32\\schannel.DLL : Microsoft Unified Security Protocol Provider"
  },
  "message": "A security package has been loaded by the Local Security Authority.\r\n\r\nSecurity Package Name:\tC:\\Windows\\system32\\schannel.DLL : Microsoft Unified Security Protocol Provider"
}

Detection Rules #

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4625: An account failed to log on.OREvent ID 4648: A logon was attempted using explicit credentials.

Sigma # view in coverage

Security package (SSP) loaded into LSA (native) source high: Detects scenarios where an attacker loads a malicious SSP (Security Support Provider) into the LSA process. Note that this rule will not work with "in memory" SSP injection (Mimikatz) as no event will be triggered.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4622
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4622
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4622.yml

Event ID 4624: An account was successfully logged on.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Logon
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates when a logon session is created (on destination machine). It generates on the computer that was accessed, where the session was created.

Message #

An account was successfully logged on.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Logon Type: %9

New Logon:
	Security ID: %5
	Account Name: %6
	Account Domain: %7
	Logon ID: %8
	Logon GUID: %13

Process Information:
	Process ID: %17
	Process Name: %18

Network Information:
	Workstation Name: %12
	Source Network Address: %19
	Source Port: %20

Detailed Authentication Information:
	Logon Process: %10
	Authentication Package: %11
	Transited Services: %14
	Package Name (NTLM only): %15
	Key Length: %16

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of the account on the local system that requested the logon.	12 detection rules
`SubjectUserName` UnicodeString	Name of the account on the local system that requested the logon.	5 detection rules
`SubjectDomainName` UnicodeString	Domain of the account that requested the logon.	4 detection rules
`SubjectLogonId` HexInt64	Hex logon session ID of the account that requested the logon.
`TargetUserSid` SID	SID of the account that was logged on.	9 detection rules
`TargetUserName` UnicodeString	Name of the account that was logged on.	20 detection rules
`TargetDomainName` UnicodeString	Domain of the account that was logged on.	3 detection rules
`TargetLogonId` HexInt64	Hex logon session ID for the new session. Correlates with Event ID 4634 (logoff).	1 detection rule
`LogonType` UInt32	Type of logon session created. Logon type reference Known values `0` System (used during system startup) `2` Interactive (local keyboard/KVM logon) `3` Network (e.g. SMB, mapped drive) `4` Batch (scheduled task) `5` Service (service startup) `6` Proxy `7` Unlock (workstation unlock) `8` NetworkCleartext (e.g. IIS basic auth) `9` NewCredentials (RunAs /netonly) `10` RemoteInteractive (RDP/Terminal Services) `11` CachedInteractive (cached domain credentials) `12` CachedRemoteInteractive (cached RDP credentials) `13` CachedUnlock (cached workstation unlock)	33 detection rules
`LogonProcessName` UnicodeString	Logon process that authenticated the request (e.g., User32, Advapi, NtLmSsp).	8 detection rules
`AuthenticationPackageName` UnicodeString	Authentication package used (e.g., Kerberos, NTLM, Negotiate).	13 detection rules
`WorkstationName` UnicodeString	Hostname of the machine that initiated the logon. "-" for local logons.	6 detection rules
`LogonGuid` GUID	GUID correlating this logon with a Kerberos TGS request (Event ID 4769) on the domain controller, and with Event ID 4648.
`TransmittedServices` UnicodeString	Kerberos services transmitted during S4U (Service For User) delegation. Empty for non-delegated logons.
`LmPackageName` UnicodeString	NTLM sub-protocol used (NTLM V1, NTLM V2, or LM). "-" for Kerberos logons.
`KeyLength` UInt32	NTLM session security key length in bits. 0 for Kerberos or when no session key was requested. Known values `0` No key (NTLM or pre-auth not required) `128` 128-bit (AES-128 or RC4) `256` 256-bit (AES-256)	1 detection rule
`ProcessId` Pointer	Process ID of the process that initiated the logon.
`ProcessName` UnicodeString	Full path of the process that initiated the logon.	6 detection rules
`IpAddress` UnicodeString	Source IP address of the remote logon. "-" for local logons.	24 detection rules
`IpPort` UnicodeString	Source port of the remote logon. "-" for local logons.	1 detection rule
`ImpersonationLevel` UnicodeString	Level of token impersonation permitted for this logon session. Known values `%%1831` Anonymous `%%1832` Identification `%%1833` Impersonation `%%1840` Delegation	1 detection rule
`RestrictedAdminMode` UnicodeString	For RemoteInteractive (RDP) logons, indicates credentials were passed in Restricted Admin mode (Win8.1+). "-" for other logon types. Known values `%%1842` Yes `%%1843` No
`TargetOutboundUserName` UnicodeString	Outbound network account name for pass-through authentication. Typically empty.	1 detection rule
`TargetOutboundDomainName` UnicodeString	Domain of the outbound network account. Typically empty.
`VirtualAccount` UnicodeString	Indicates the logged-on account is a Managed Service Account or Group Managed Service Account. Known values `%%1842` Yes `%%1843` No
`TargetLinkedLogonId` HexInt64	Logon ID of the linked token session. When UAC splits a logon into limited and elevated tokens, this links the two sessions. "0x0" if not linked.
`ElevatedToken` UnicodeString	Indicates this logon session carries an elevated (administrator) token. Known values `%%1842` Yes `%%1843` No
`RemoteCredentialGuard` UnicodeString	For RemoteInteractive logons, indicates Remote Credential Guard was used to redirect Kerberos requests to the originating device. Known values `%%1842` Yes `%%1843` No

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4624,
    "version": 2,
    "level": 0,
    "task": 12544,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:49.2402547+00:00",
    "event_record_id": 3213578,
    "correlation": {},
    "execution": {
      "process_id": 896,
      "thread_id": 4272
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-0-0",
    "SubjectUserName": "-",
    "SubjectDomainName": "-",
    "SubjectLogonId": "0x0",
    "TargetUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "TargetUserName": "domainadmin",
    "TargetDomainName": "cell-c",
    "TargetLogonId": "0x296120d",
    "LogonType": "3",
    "LogonProcessName": "NtLmSsp ",
    "AuthenticationPackageName": "NTLM",
    "WorkstationName": "LUDUS",
    "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
    "TransmittedServices": "-",
    "LmPackageName": "NTLM V2",
    "KeyLength": "128",
    "ProcessId": "0x0",
    "ProcessName": "-",
    "IpAddress": "-",
    "IpPort": "-",
    "ImpersonationLevel": "%%1833",
    "RestrictedAdminMode": "-",
    "TargetOutboundUserName": "-",
    "TargetOutboundDomainName": "-",
    "VirtualAccount": "%%1843",
    "TargetLinkedLogonId": "0x0",
    "ElevatedToken": "%%1842"
  },
  "message": "An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Information:\r\n\tLogon Type:\t\t3\r\n\tRestricted Admin Mode:\t-\r\n\tVirtual Account:\t\tNo\r\n\tElevated Token:\t\tYes\r\n\r\nImpersonation Level:\t\tImpersonation\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x296120D\r\n\tLinked Logon ID:\t\t0x0\r\n\tNetwork Account Name:\t-\r\n\tNetwork Account Domain:\t-\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tLUDUS\r\n\tSource Network Address:\t-\r\n\tSource Port:\t\t-\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\tNTLM V2\r\n\tKey Length:\t\t128\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
}

Detection Patterns #

13 rules

Sigma

Multiple Logon Failure Followed by Logon Success (source)

Florian Roth (Nextron Systems)

Elastic

Elastic

Splunk

Windows Identify PowerShell Web Access IIS Pool (source)

Michael Haag, Splunk

Detect Password Spray Attack Behavior From Source (source)

Steven Dick

Detect Password Spray Attack Behavior On User (source)

Steven Dick

User login from different countries within 3 hours (Uses Authentication Normalization) (source)

Kusto

Ofer Shezaf

Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) (source)

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4625: An account failed to log on.OREvent ID 4634: An account was logged off.

11 rules

Elastic

Multiple Logon Failure Followed by Logon Success (source)

Elastic

Splunk

Detect Password Spray Attack Behavior From Source (source)

Steven Dick

Detect Password Spray Attack Behavior On User (source)

Steven Dick

Windows Local Administrator Credential Stuffing (source)

Mauricio Velazco, Splunk

Kusto

Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) (source)

User login from different countries within 3 hours (Uses Authentication Normalization) (source)

Ofer Shezaf

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4625: An account failed to log on.

10 rules

Elastic

Multiple Logon Failure Followed by Logon Success (source)

Elastic

Potential Computer Account NTLM Relay Activity (source)

Elastic

Splunk

Detect Password Spray Attack Behavior From Source (source)

Steven Dick

Detect Password Spray Attack Behavior On User (source)

Steven Dick

Windows Local Administrator Credential Stuffing (source)

Mauricio Velazco, Splunk

Kusto

Brute force attack against user credentials (Uses Authentication Normalization) (source)

Ofer Shezaf

Potential Password Spray Attack (Uses Authentication Normalization) (source)

Ofer Shezaf

Security-Auditing Event ID 4625: An account failed to log on.→Event ID 4624: An account was successfully logged on.

Credential Access: Password Guessing

8 rules

Elastic

Multiple Logon Failure Followed by Logon Success (source)

Elastic

Splunk

Detect Password Spray Attack Behavior From Source (source)

Steven Dick

Detect Password Spray Attack Behavior On User (source)

Steven Dick

Windows Local Administrator Credential Stuffing (source)

Mauricio Velazco, Splunk

Kusto

Brute force attack against user credentials (Uses Authentication Normalization) (source)

Ofer Shezaf

Potential Password Spray Attack (Uses Authentication Normalization) (source)

Ofer Shezaf

Security-Auditing Event ID 4624: An account was successfully logged on.→Event ID 4625: An account failed to log on.

Credential Access: Brute Force

8 rules

Elastic

Multiple Logon Failure Followed by Logon Success (source)

Elastic

Splunk

Detect Password Spray Attack Behavior From Source (source)

Steven Dick

Detect Password Spray Attack Behavior On User (source)

Steven Dick

Windows Local Administrator Credential Stuffing (source)

Mauricio Velazco, Splunk

Kusto

Brute force attack against user credentials (Uses Authentication Normalization) (source)

Ofer Shezaf

Potential Password Spray Attack (Uses Authentication Normalization) (source)

Ofer Shezaf

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4625: An account failed to log on.OREvent ID 4776: The domain controller attempted to validate the credentials for an account.

Show All Detection Patterns

5 rules

Sigma

Detection of default a Windows host name in login attempts (source)

Florian Roth (Nextron Systems)

mdecrevoisier

Chakib Gzenayi (@Chak092), Hosni Mribah

Potential EternalBlue via Metasploit (Windows Event Log) (source)

Splunk

Computer Account

Security-Auditing Event ID 5145: A network share object was checked to see whether client can be granted desired access.→(Event ID 4624: An account was successfully logged on.OREvent ID 4625: An account failed to log on.)

5 rules

Sigma

Potential Kerberos Relay Attack against a Computer Account (source)

Florian Roth (Nextron Systems)

Elastic

Elastic

Potential NTLM Relay Attack against a Computer Account (source)

Elastic

Potential Computer Account NTLM Relay Activity (source)

Elastic

Splunk

Suspicious Spool Authentication (Windows Event Log) (source)

Event Log

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 5145: A network share object was checked to see whether client can be granted desired access.

3 rules

Sigma

SecretsDump Credential Harvest (Windows Event Log) (source)

mdecrevoisier

Splunk

Suspicious Spool Authentication (Windows Event Log) (source)

Uses Authentication Normalization

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4625: An account failed to log on.OREvent ID 4634: An account was logged off.OREvent ID 4647: User initiated logoff.OREvent ID 4648: A logon was attempted using explicit credentials.OREvent ID 4675: SIDs were filtered.

3 rules

Kusto

User login from different countries within 3 hours (Uses Authentication Normalization) (source)

Ofer Shezaf

Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) (source)

Security-Auditing Event ID 4624: An account was successfully logged on.ANDEvent ID 4662: An operation was performed on an object.

AD Replication Request Initiated

3 rules

Splunk

Windows AD Replication Request Initiated by User Account (source)

Dean Luxton

Windows AD Replication Request Initiated from Unsanctioned Location (source)

Dean Luxton

Kusto

Non Domain Controller Active Directory Replication (source)

Lateral Movement: Remote Services

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4625: An account failed to log on.OREvent ID 4768: A Kerberos authentication ticket (TGT) was requested.OREvent ID 4769: A Kerberos service ticket was requested.OREvent ID 4770: A Kerberos service ticket was renewed.OREvent ID 4771: Kerberos pre-authentication failed.OREvent ID 5140: A network share object was accessed.OREvent ID 5145: A network share object was checked to see whether client can be granted desired access.

3 rules

Sigma

Active Directory honeypot used for lateral movement (source)

Chakib Gzenayi (@Chak092), Hosni Mribah

mdecrevoisier

Splunk

Potential EternalBlue via Metasploit (Windows Event Log) (source)

Security-Auditing Event ID 4624: An account was successfully logged on.→Event ID 4697: A service was installed in the system.

2 rules

Elastic

Remote Windows Service Installed (source)

Elastic

Service Creation via Local Kerberos Authentication (source)

Elastic

Security-Auditing Event ID 4624: An account was successfully logged on.ANDEvent ID 5136: A directory service object was modified.

2 rules

Splunk

Windows AD Short Lived Domain Controller SPN Attribute (source)

Dean Luxton

Windows AD Suspicious Attribute Modification (source)

Dean Luxton

Security-Auditing Event ID 4624: An account was successfully logged on.→Event ID 4724: An attempt was made to reset an account's password.

2 rules

Sigma

User password change without previous password known - SetNTLM (Mimikatz) (source)

mdecrevoisier

Elastic

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4724: An attempt was made to reset an account's password.OREvent ID 5145: A network share object was checked to see whether client can be granted desired access.

Elastic

Persistence: Account Manipulation

2 rules

Sigma

User password change without previous password known - SetNTLM (Mimikatz) (source)

mdecrevoisier

Elastic

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4661: A handle to an object was requested.OREvent ID 5145: A network share object was checked to see whether client can be granted desired access.

Elastic

Credential Access: Security Account Manager

2 rules

Sigma

SecretsDump Credential Harvest (Windows Event Log) (source)

mdecrevoisier

Splunk

Initial Access: Exploit Public-Facing Application

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 5140: A network share object was accessed.OREvent ID 5145: A network share object was checked to see whether client can be granted desired access.

1 rule

Splunk

Potential SMB Activity from External IP - Windows (Windows Event Log) (source)

Stealth: Create Process with Token

Security-Auditing Event ID 4624: An account was successfully logged on.→(Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

1 rule

Elastic

Process Creation via Secondary Logon (source)

Elastic

Stealth: Token Impersonation/Theft

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4688: A new process has been created.

1 rule

Sigma

Anonymous login (RottenPotatoNG) (source)

mdecrevoisier

Stealth: Create Process with Token

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4648: A logon was attempted using explicit credentials.OREvent ID 4688: A new process has been created.

1 rule

Sigma

Privilege escalation via runas (command) (source)

mdecrevoisier

Stealth: Disable or Modify Tools

Security-Auditing Event ID 4624: An account was successfully logged on.ANDEvent ID 4656: A handle to an object was requested.

1 rule

Kusto

Starting or Stopping HealthService to Avoid Detection (source)

Defense Impairment: Rogue Domain Controller

Security-Auditing Event ID 4624: An account was successfully logged on.ANDEvent ID 4742: A computer account was changed.

1 rule

Splunk

Windows AD Domain Controller Promotion (source)

Dean Luxton

Lateral Movement: Exploitation of Remote Services

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4688: A new process has been created.ORSysmon Event ID 1: Process creationOREvent ID 19: WmiEventOREvent ID 20: WmiEventOREvent ID 21: WmiEvent

1 rule

Kusto

Gain Code Execution on ADFS Server via Remote WMI Execution (source)

Microsoft Security Research

Lateral Movement: Exploitation of Remote Services

Security-Auditing Event ID 4624: An account was successfully logged on.ANDEvent ID 4688: A new process has been created.ANDEvent ID 4697: A service was installed in the system.ANDEvent ID 4698: A scheduled task was created.ANDEvent ID 4699: A scheduled task was deleted.ANDEvent ID 4700: A scheduled task was enabled.ANDEvent ID 4701: A scheduled task was disabled.ANDEvent ID 4702: A scheduled task was updated.ANDEvent ID 5145: A network share object was checked to see whether client can be granted desired access.

1 rule

Kusto

Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task (source)

Lateral Movement: Use Alternate Authentication Material

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4625: An account failed to log on.OREvent ID 4648: A logon was attempted using explicit credentials.OREvent ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation

1 rule

Sigma

Florian Roth (Nextron Systems)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`LogonType`	eq	`Network`	33 rules	elastic, kusto, sigma, splunk
`LogonType`	eq	`RemoteInteractive`	8 rules	kusto, sigma, splunk
`LogonType`	eq	`NewCredentials`	7 rules	elastic, sigma
`AuthenticationPackageName`	eq	`NTLM`	9 rules	elastic, kusto, sigma, splunk
`AuthenticationPackageName`	eq	`Kerberos`	5 rules	elastic, sigma, splunk
`AuthenticationPackageName`	eq	`Negotiate`	4 rules	sigma
`EventType`	eq	`logged-in`	8 rules	elastic
`event.outcome`	eq	`success`	7 rules	elastic
`src_ip`	eq	`::1`	5 rules	elastic, sigma
`src_ip`	eq	`127.0.0.1`	4 rules	kusto, sigma
`src_ip`	is_not_null		7 rules	elastic, kusto, panther
`src_ip`	ne	`127.0.0.1`	7 rules	elastic, splunk
`src_ip`	ne	`::1`	6 rules	elastic, splunk
`LogonProcessName`	eq	`seclogo`	5 rules	elastic, sigma
`security_result.action`	eq	`ALLOW`	5 rules	chronicle

Community Notes #

See the Logon Type Reference for a full breakdown of LogonType values and detection guidance.

Detection Rules #

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4625: An account failed to log on.OREvent ID 4648: A logon was attempted using explicit credentials.

Sigma # view in coverage

Potential Access Token Abuse source medium: Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".
Admin User Remote Logon source low: Detect remote login by Administrator user (depending on internal pattern).
DiagTrackEoP Default Login Username source critical: Detects the default "UserName" used by the DiagTrackEoP POC

Show 17 more (21 total)

Successful Overpass the Hash Attempt source high: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
Pass the Hash Activity 2 source medium: Detects the attack technique pass the hash which is used to move laterally inside the network
RDP Login from Localhost source high: RDP login with localhost source address may be a tunnelled login
External Remote RDP Logon from Public IP source medium: Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
External Remote SMB Logon from Public IP source high: Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
Outgoing Logon with New Credentials source low: Detects logon events that specify new credentials
Potential Privilege Escalation via Local Kerberos Relay over LDAP source high: Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
RottenPotato Like Attack Pattern source high: Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
Successful Account Login Via WMI source low: Detects successful logon attempts performed with WMI
Administrator login impersonation with forged Golden ticket source high: Detects scenarios where an attacker used a forged Golden ticket to login on a remote host. Per default or if specified, the ticket will be forged using the builtin administrator account (SID *-500). However, and it frequent cases, a non suspicious user name will be specificied during the forge in order to evade security monitoring. The rule works based on this trick.
Azure Windows virtual machine login via serial console source high: Detects if an attacker logs on using the serial console.
Exchange server impersonation via PrivExchange relay attack source high: Detects scenarios where an attacker relays Exchange server authentication to abuse Exchange servers permissions and escalate privileges.
Success login attempt on a Windows OpenSSH server source medium: Detects scenarios where an attacker attempts to connect to a Windows host using the SSH protocol.
Mimikatz Pass-the-hash login source high: Detects scenarios where an attacker uses the Mimikatz Pass-the-hash feature to move laterally. Correlation with others event IDs can be done in the following way:| ID 4624 TargetLogonId + ID 4672 SubjectLogonId + ID 4688 TargetLogonId. Having those 3 elements together allows to bring in light what was exactly done.
Suspicious anonymous login (domain specified) source high: Detects scenarios where a suspicious anonymous login is performed during discovery phases.
Network login performed to multiple targets source high: Detects scenarios where an attacker would attempt to enumerate hosts resources and execute a payload with a compromised account. Vulnerability scanners, enumeration software or tool like SharepHound/CrackMapexec may generate such behavior.
Anonymous access performed to multiple targets source high: Detects scenarios where an attacker would attempt to enumerate hosts and collect relevant information using anonymous access. Vulnerability scanners, enumeration software or tool like CrackMapexec may generate such behavior.

Elastic # view in coverage

Potential Pass-the-Hash (PtH) Attempt source medium: Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.
Potential Account Takeover - Mixed Logon Types source medium: Identifies a user account (often a service account) that normally logs in with high volume using one logon type suddenly showing successful logons using a different logon type with low count. This pattern may indicate account takeover or use of stolen credentials from a new context (e.g. interactive or network logon where only batch/service was expected).
Potential Account Takeover - Logon from New Source IP source medium: Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover or use of stolen credentials from a new location.

Splunk # view in coverage

Unusual Number of Remote Endpoint Authentication Events source: The following analytic identifies an unusual number of remote authentication attempts from a single source by leveraging Windows Event ID 4624, which logs successful account logons. It uses statistical analysis, specifically the 3-sigma…
Windows Kerberos Local Successful Logon source: The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. It detects EventCode 4624 with LogonType 3 and source address 127.0.0.1, indicating a login to the built-in local…
Windows Rapid Authentication On Multiple Hosts source: The following analytic detects a source computer authenticating to 30 or more remote endpoints within a 5-minute timespan using Event ID 4624. This behavior is identified by analyzing Windows Event Logs for LogonType 3 events and counting…

Show 4 more (7 total)

Windows RDP Login Session Was Established source: The following analytic detects instances where a successful Remote Desktop Protocol (RDP) login session was established, as indicated by Windows Security Event ID 4624 with Logon Type 10. This event confirms that a user has not only…
Multiple Host logons (Windows Event Log) source: Use case looks for users who have logged into multiple hosts
Pass-the-Hash (Windows Event Log) source: Detect when pass-the-hash techniques are utilized with computer or user accounts as in the most notable ZeroLogon exploit scenario after a computer account password has been reset.
Potential Exposed SMB_RDP Port - Windows (Windows Event Log) source: Threat actors may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. This use case detects…

Kusto # view in coverage

Failed AzureAD logons but success logon to host source medium: Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Microsoft Entra ID. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.
Multiple RDP connections from Single System source low: Identifies when an RDP connection is made to multiple systems and above the normal connection count for the previous 7 days. Connections from the same system with the same account within the same day. RDP connections are indicated by the EventID 4624 with LogonType = 10
RDP Nesting source medium: Query detects potential lateral movement within a network by identifying when an RDP connection (EventID 4624, LogonType 10) is made to an initial system, followed by a subsequent RDP connection from that system to another, using the same account within a 60-minute window. To reduce false positives, it excludes scenarios where the same account has made 5 or more connections to the same set of computers in the previous 7 days. This approach focuses on highlighting unusual RDP behaviour that suggests lateral movement, which is often associated with attacker tactics during a network breach.

Show 9 more (12 total)

Rare RDP Connections source medium: Identifies when an RDP connection is new or rare related to any logon type by a given account today compared with the previous 14 days. RDP connections are indicated by the EventID 4624 with LogonType = 10
Service Accounts Performing Remote PS source high: Service Accounts Performing Remote PowerShell. The purpose behind this detection is for finding service accounts that are performing remote powershell sessions. There are two phases to the detection: Identify service accounts, Find remote PS cmdlets being ran by these accounts. To accomplish this, we utilize DeviceLogonEvents and DeviceEvents to find cmdlets ran that meet the criteria. One of the main advantages of this method is that only requires server telemetry, and not the attacking client. The first phase relies on the DeviceLogonEvents to determine whether an account is a service account or not, consider the following accounts with logons:. Random_user has DeviceLogonEvents with type 2, 3, 7, 10, 11 & 13. Random_service_account 'should' only have DeviceLogonEvents with type 3,4 or 5.
NTLM Relay Attack source: This query searches for successful NTLM network logins where the device name contained in the NTLM authentication message contains a device that is known to MDE, but the source IP address is different from the known source IP address for that specific device. This could indicate an attacker is relaying the NTLM authentication information. To remove false positives, this query also searches for an outgoing network connection from the initiator to the attacker.↳ also matches Event ID 5156: The Windows Filtering Platform has permitted a connection.
Password Spray source: Below queries detect password spray attacks using sliding window count plugin. Because of implementation of the sliding window, queries work better than the bin() usage, but may create duplicate alerts. Grouping can be used in such cases. Sentinel Query:↳ also matches Event ID 4625: An account failed to log on.
Potential NTLM Relay Attack to Domain Controller source: Below query detects NTLM authentication coming from Domain Controller machine accounts. This is not an expected behavior and it's an indication of NTLM relay attack.
If NTLM Relaying is done towards a Linux machine, this query won't detect that. The attacker must have access to a Linux device in that case though.↳ also matches Event ID 4625: An account failed to log on.
Potentially Relayed NTLM Authentication - Microsoft Sentinel source: The below query detects Kerberos logons of computer accounts where there isn't any ticket request in the last 12h (10h is the default ticket expiration) coming from the same IpAddress with the same TargetUserName. The query can be enriched further if needed.↳ also matches Event ID 4769: A Kerberos service ticket was requested.
Potentially Relayed NTLM Authentication - Microsoft Defender for Endpoint source: The below query detects NTLM logons where Network Address in the logon event doesn't match the Workstation Name's IP. This indicates potentially relayed NTLM authentication. It analyzes only the logons with domain accounts having admin privileges.
Potentially Relayed NTLM Authentication - Microsoft Sentinel source: The below query detects NTLM logons where Network Address in the logon event doesn't match the Workstation Name's IP. This indicates potentially relayed NTLM authentication. It analyzes only the logons with domain accounts having admin privileges.↳ also matches Event ID 4672: Special privileges assigned to new logon.
Detect service account login on new device source: This detection rule tries to flag suspicious logins on devices from service accounts, for which these service accounts did not login into those devices for the last 14 days. This might indicate that the service account is compromised and is being used for lateral movement into the environment. Most service accounts have a fairly static set of devices they authenticate to. Because of this, it is easier to flag deviations for service accounts compared to user accounts. However, some service accounts are known to dynamically log into devices based on observed events (susch as the MDI service accounts). Because of this some environment specific finetuning might be needed to reduce BP detections.

YARA-L # view in coverage

GeoIP User Login From Multiple States Or Countries source: Detect multiple user logins from multiple states or countries using Chronicle GeoIP enrichment.↳ also matches Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials.
Logins From Terminated Employees source: Allowed Logins from Terminated Employees↳ also matches Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials.
GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage source: Alerts when an authorization token originating from GKE activity is subsequently used within a command line on an endpoint system, suggesting potential credential exfiltration and reuse.↳ also matches Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials., Event ID 4688: A new process has been created.

Show 9 more (12 total)

ADFS DKM Key Access source: Detects access to the AD contact object to read the AD FS DKM (distributed key manager) master key value↳ also matches Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials., Event ID 4662: An operation was performed on an object.
MITRE ATT&CK T1110.003 RW Windows Password Spray source: Detect repeated authentication failure with multiple users indicative of a password spray attack.↳ also matches Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials.
MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One source: Detect Multiple Failed Login Attempts followed by Successful Login↳ also matches Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials.
MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity source: Detect Multiple Failed Login Attempts followed by Successful Login↳ also matches Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials.
Windows Short Term Account Use source: Detects the creation, login, and deletion of a user account over a predefined timeframe↳ also matches Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials., Event ID 4720: A user account was created., Event ID 4726: A user account was deleted.
sap break glass account login source: Alerts whenever a default SAP administrative account (e.g., SAP*, DDIC, TMSADM) logs into the system. These accounts should be locked and used only for emergency 'break-glass' scenarios↳ also matches Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials.
sap impossible travel source: Identifies two successful logons for the same User ID from two different geographic locations in a timeframe that is physically impossible to travel between, indicating credential sharing or theft.↳ also matches Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials.
sap multi terminal logon source: Identifies successful logons for the same User ID from multiple different terminal IDs or client hostnames in a short timeframe, indicating potential credential sharing or session theft.↳ also matches Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials.
Okta Multiple Failed Requests To Access Applications source: Detects multiple failed requests to access applications↳ also matches Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624
Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/evtx-4624-successful-logon.md
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4624_v2.yml

Event ID 4625: An account failed to log on.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Logon
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out.

Message #

An account failed to log on.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Logon Type: %11

Account For Which Logon Failed:
	Security ID: %5
	Account Name: %6
	Account Domain: %7

Failure Information:
	Failure Reason: %9
	Status: %8
	Sub Status: %10

Process Information:
	Caller Process ID: %18
	Caller Process Name: %19

Network Information:
	Workstation Name: %14
	Source Network Address: %20
	Source Port: %21

Detailed Authentication Information:
	Logon Process: %12
	Authentication Package: %13
	Transited Services: %15
	Package Name (NTLM only): %16
	Key Length: %17

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Fields #

Name	Description	Rules
`SubjectUserSid`	SID of account that reported information about logon failure.	1 detection rule
`SubjectUserName`	The name of the account that reported information about logon failure.
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Logon session ID of the account that reported the failure.
`TargetUserSid`	SID of the account that was specified in the logon attempt.
`TargetUserName`	The name of the account that was specified in the logon attempt.	1 detection rule
`TargetDomainName`	Domain of the account that was specified in the logon attempt.
`Status` HexInt32	NTSTATUS failure code. See SubStatus for additional detail. NTSTATUS reference	12 detection rules
`FailureReason`	Human-readable translation of the Status code.
`SubStatus`	Secondary NTSTATUS code with additional failure detail (e.g., the specific account restriction that blocked logon). NTSTATUS reference	29 detection rules
`LogonType`	Type of logon that was attempted. Known values `0` System (used during system startup) `2` Interactive (local keyboard/KVM logon) `3` Network (e.g. SMB, mapped drive) `4` Batch (scheduled task) `5` Service (service startup) `6` Proxy `7` Unlock (workstation unlock) `8` NetworkCleartext (e.g. IIS basic auth) `9` NewCredentials (RunAs /netonly) `10` RemoteInteractive (RDP/Terminal Services) `11` CachedInteractive (cached domain credentials) `12` CachedRemoteInteractive (cached RDP credentials) `13` CachedUnlock (cached workstation unlock)	8 detection rules
`LogonProcessName`	Logon process that handled the authentication attempt (e.g., NtLmSsp, Kerberos, User32).
`AuthenticationPackageName`	Authentication package used for the logon attempt (e.g., NTLM, Kerberos).
`WorkstationName`	Name of the workstation the logon attempt originated from.	1 detection rule
`TransmittedServices`	Kerberos services transmitted during S4U delegation. Empty for non-delegated logon attempts.
`LmPackageName`	NTLM sub-protocol used (NTLM V1, NTLM V2, or LM). Populated only when AuthenticationPackageName = NTLM.
`KeyLength`	NTLM session security key length in bits. 0 for Kerberos or when no session key was requested. Known values `0` No key (NTLM or pre-auth not required) `128` 128-bit (AES-128 or RC4) `256` 256-bit (AES-256)
`ProcessId`	Process ID of the process that attempted the logon.
`ProcessName`	Full path of the process that attempted the logon.	7 detection rules
`IpAddress`	Source IP address of the logon attempt. "-" for local attempts.	6 detection rules
`IpPort`	Source port of the remote logon attempt. 0 for interactive logons.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4625,
    "version": 0,
    "level": 0,
    "task": 12544,
    "opcode": 0,
    "keywords": -9218868437227405312,
    "time_created": "2026-06-13T05:23:33.3577893+00:00",
    "event_record_id": 2937535,
    "correlation": {},
    "execution": {
      "process_id": 896,
      "thread_id": 5864
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-0-0",
    "SubjectUserName": "-",
    "SubjectDomainName": "-",
    "SubjectLogonId": "0x0",
    "TargetUserSid": "S-1-0-0",
    "TargetUserName": "domainadmin",
    "TargetDomainName": "",
    "Status": "0xc000006d",
    "FailureReason": "%%2313",
    "SubStatus": "0xc0000064",
    "LogonType": "3",
    "LogonProcessName": "NtLmSsp ",
    "AuthenticationPackageName": "NTLM",
    "WorkstationName": "LUDUS",
    "TransmittedServices": "-",
    "LmPackageName": "-",
    "KeyLength": "0",
    "ProcessId": "0x0",
    "ProcessName": "-",
    "IpAddress": "-",
    "IpPort": "-"
  },
  "message": "An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC0000064\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tLUDUS\r\n\tSource Network Address:\t-\r\n\tSource Port:\t\t-\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
}

Detection Patterns #

13 rules

Sigma

Multiple Logon Failure Followed by Logon Success (source)

Florian Roth (Nextron Systems)

Elastic

Elastic

Splunk

Windows Identify PowerShell Web Access IIS Pool (source)

Michael Haag, Splunk

Detect Password Spray Attack Behavior From Source (source)

Steven Dick

Detect Password Spray Attack Behavior On User (source)

Steven Dick

User login from different countries within 3 hours (Uses Authentication Normalization) (source)

Kusto

Ofer Shezaf

Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) (source)

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4625: An account failed to log on.OREvent ID 4634: An account was logged off.

11 rules

Elastic

Multiple Logon Failure Followed by Logon Success (source)

Elastic

Splunk

Detect Password Spray Attack Behavior From Source (source)

Steven Dick

Detect Password Spray Attack Behavior On User (source)

Steven Dick

Windows Local Administrator Credential Stuffing (source)

Mauricio Velazco, Splunk

Kusto

Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) (source)

User login from different countries within 3 hours (Uses Authentication Normalization) (source)

Ofer Shezaf

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4625: An account failed to log on.

10 rules

Elastic

Multiple Logon Failure Followed by Logon Success (source)

Elastic

Potential Computer Account NTLM Relay Activity (source)

Elastic

Splunk

Detect Password Spray Attack Behavior From Source (source)

Steven Dick

Detect Password Spray Attack Behavior On User (source)

Steven Dick

Windows Local Administrator Credential Stuffing (source)

Mauricio Velazco, Splunk

Kusto

Brute force attack against user credentials (Uses Authentication Normalization) (source)

Ofer Shezaf

Potential Password Spray Attack (Uses Authentication Normalization) (source)

Ofer Shezaf

Security-Auditing Event ID 4625: An account failed to log on.→Event ID 4624: An account was successfully logged on.

Credential Access: Password Guessing

8 rules

Elastic

Multiple Logon Failure Followed by Logon Success (source)

Elastic

Splunk

Detect Password Spray Attack Behavior From Source (source)

Steven Dick

Detect Password Spray Attack Behavior On User (source)

Steven Dick

Windows Local Administrator Credential Stuffing (source)

Mauricio Velazco, Splunk

Kusto

Brute force attack against user credentials (Uses Authentication Normalization) (source)

Ofer Shezaf

Potential Password Spray Attack (Uses Authentication Normalization) (source)

Ofer Shezaf

Security-Auditing Event ID 4624: An account was successfully logged on.→Event ID 4625: An account failed to log on.

Credential Access: Brute Force

8 rules

Elastic

Multiple Logon Failure Followed by Logon Success (source)

Elastic

Splunk

Detect Password Spray Attack Behavior From Source (source)

Steven Dick

Detect Password Spray Attack Behavior On User (source)

Steven Dick

Windows Local Administrator Credential Stuffing (source)

Mauricio Velazco, Splunk

Kusto

Brute force attack against user credentials (Uses Authentication Normalization) (source)

Ofer Shezaf

Potential Password Spray Attack (Uses Authentication Normalization) (source)

Ofer Shezaf

Show All Detection Patterns

5 rules

Sigma

Detection of default a Windows host name in login attempts (source)

Florian Roth (Nextron Systems)

mdecrevoisier

Chakib Gzenayi (@Chak092), Hosni Mribah

Potential EternalBlue via Metasploit (Windows Event Log) (source)

Splunk

Relay Attack Against

4 rules

Sigma

Potential Kerberos Relay Attack against a Computer Account (source)

Florian Roth (Nextron Systems)

Elastic

Elastic

Potential NTLM Relay Attack against a Computer Account (source)

Elastic

Potential Computer Account NTLM Relay Activity (source)

Elastic

Uses Authentication Normalization

3 rules

Kusto

User login from different countries within 3 hours (Uses Authentication Normalization) (source)

Ofer Shezaf

Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) (source)

Lateral Movement: Remote Services

3 rules

Sigma

Active Directory honeypot used for lateral movement (source)

Chakib Gzenayi (@Chak092), Hosni Mribah

mdecrevoisier

Splunk

Potential EternalBlue via Metasploit (Windows Event Log) (source)

Security-Auditing Event ID 4625: An account failed to log on.OREvent ID 5140: A network share object was accessed.OREvent ID 5156: The Windows Filtering Platform has permitted a connection.

1 rule

Splunk

Meterpreter Reverse Shell (Windows Event Log) (source)

Security-Auditing Event ID 4625: An account failed to log on.OREvent ID 5156: The Windows Filtering Platform has permitted a connection.

1 rule

Splunk

RDP Brute-force Detection (Windows Event Log) (source)

Stealth: Valid Accounts

Security-Auditing Event ID 4625: An account failed to log on.OREvent ID 4776: The domain controller attempted to validate the credentials for an account.

1 rule

Sigma

Account Tampering - Suspicious Failed Logon Reasons (source)

Florian Roth (Nextron Systems)

Lateral Movement: Use Alternate Authentication Material

1 rule

Sigma

Florian Roth (Nextron Systems)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`LogonType`	eq	`Network`	13 rules	elastic, kusto, sigma, splunk
`src_ip`	is_not_null		6 rules	elastic, kusto, panther
`src_ip`	ne	`127.0.0.1`	4 rules	elastic, splunk
`src_ip`	ne	`::1`	4 rules	elastic, splunk
`security_result.action`	eq	`ALLOW`	5 rules	chronicle
`security_result.action`	eq	`BLOCK`	3 rules	chronicle
`AuthenticationPackageName`	eq	`NTLM`	4 rules	elastic, kusto, sigma, splunk
`isOutlier`	eq	`1`	4 rules	splunk
`user`	ends_with	`$`	4 rules	elastic, kusto
`AccountType`	eq	`User`	3 rules	kusto
`EventType`	eq	`logon-failed`	3 rules	elastic
`additional.fields["msg_1"]`	regex_match	`^AU1$\|^AU5$`	3 rules	chronicle
`metadata.log_type`	eq	`SAP_SECURITY_AUDIT`	3 rules	chronicle
`ElevatedToken`	eq	`Logon`	2 rules	kusto
`EventResult`	eq	`Failure`	2 rules	kusto

Community Notes #

The Status field indicates the top-level failure reason; SubStatus provides additional detail. When Status is 0xC000006D (generic logon failure), check SubStatus for the specific cause.

Kerberos result codes (Status, when authentication uses Kerberos):

Code	Description
0x6	KDC_ERR_C_PRINCIPAL_UNKNOWN — invalid/non-existent user account
0x7	KDC_ERR_S_PRINCIPAL_UNKNOWN — requested server not found
0xC	KDC_ERR_POLICY — policy restriction prohibited logon
0x12	KDC_ERR_CLIENT_REVOKED — account locked, disabled, or expired
0x17	KDC_ERR_KEY_EXPIRED — expired password
0x18	KDC_ERR_PREAUTH_FAILED — invalid password
0x25	KRB_AP_ERR_SKEW — clock skew too great between client and server

NTSTATUS codes (Status and SubStatus):

Code	Name	Description
0xC000006D	STATUS_LOGON_FAILURE	Generic logon failure — check SubStatus for detail
0xC0000064	STATUS_NO_SUCH_USER	Non-existent account username
0xC000006A	STATUS_WRONG_PASSWORD	Incorrect password (username correct)
0xC000006E	STATUS_ACCOUNT_RESTRICTION	Account restriction prevented logon
0xC000006C	STATUS_PASSWORD_RESTRICTION	Password does not meet policy requirements
0xC000006F	STATUS_INVALID_LOGON_HOURS	Account not allowed to log on at this time
0xC0000070	STATUS_INVALID_WORKSTATION	Account not allowed to log on from this computer
0xC0000071	STATUS_PASSWORD_EXPIRED	Expired password
0xC0000072	STATUS_ACCOUNT_DISABLED	Disabled account
0xC000005E	STATUS_NO_LOGON_SERVERS	No logon servers available
0xC0000133	STATUS_TIME_DIFFERENCE_AT_DC	Clock skew between client and DC too great
0xC000015B	STATUS_LOGON_TYPE_NOT_GRANTED	Logon type not granted to this account
0xC000018D	STATUS_TRUSTED_RELATIONSHIP_FAILURE	Trust relationship between domain and trusted domain failed
0xC0000192	STATUS_NETLOGON_NOT_STARTED	Netlogon service not started
0xC0000193	STATUS_ACCOUNT_EXPIRED	Expired account
0xC0000224	STATUS_PASSWORD_MUST_CHANGE	Password must change at next logon
0xC0000234	STATUS_ACCOUNT_LOCKED_OUT	Account locked out
0xC0000388	STATUS_DOWNGRADE_DETECTED	Kerberos/NTLM downgrade detected
0xC0000413	STATUS_AUTHENTICATION_FIREWALL_FAILED	Blocked by authentication policy/silo

Detection Rules #

Sigma # view in coverage

Failed Logon From Public IP source medium: Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
Brutforce enumeration on Windows OpenSSH server with non existing user source high: Detects scenarios where an attacker attempts to SSH brutforce a Windows OpenSSH server with non existing users.
Brutforce on Windows OpenSSH server with valid users source high: Detects scenarios where an attacker attempts to SSH brutforce a Windows OpenSSH server with a valid user.

Show 3 more (6 total)

Brutforce enumeration with non existing users (login) source high: Detects scenarios where an attacker attempts to enumerate potential existing users, resulting in failed logins with unexisting or invalid accounts.
Brutforce with denied access due to account restrictions policies source medium: Detects scenarios where an attacker attemps to use a comprimised account but failed to login due to account restrictions policies (permissions, time restrictions, workstation, logon type, ...)
Scanner PoC for CVE-2019-0708 RDP RCE Vuln source high: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

Elastic # view in coverage

Privileged Accounts Brute Force source medium: Identifies multiple consecutive logon failures targeting more than one Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.
Multiple Logon Failure from the same Source Address source medium: Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.

Splunk # view in coverage

Detect Password Spray Attempts source: This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts from a single source. A password spray attack is a type of brute force attack where an attacker tries a few common passwords across…
Windows Multiple Users Failed To Authenticate From Process source: The following analytic detects a source process failing to authenticate with 30 unique users, indicating a potential Password Spraying attack. It leverages Windows Event 4625 with Logon Type 2, collected from domain controllers, member…
Windows Multiple Users Remotely Failed To Authenticate From Host source: The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. It leverages Windows Event 4625 with Logon Type 3, indicating remote authentication attempts. This behavior is significant…

Show 5 more (8 total)

Windows Unusual Count Of Users Failed To Authenticate From Process source: The following analytic identifies a source process failing to authenticate multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625, which logs failed logon attempts, and uses statistical analysis…
Windows Unusual Count Of Users Remotely Failed To Auth From Host source: The following analytic identifies a source host failing to authenticate against a remote host with multiple users, potentially indicating a Password Spraying attack. It leverages Windows Event 4625 (failed logon attempts) and Logon Type 3…
Multiple Failed Network Logon Attempts from Host (Windows Event Log) source: This use case detects a single source host with failed network (remote) authentication attempts from multiple user accounts in a short time period (default 2 minutes). This can be an indication of a password spraying attack from a…
Password Spraying Windows (Windows Event Log) source: Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials↳ also matches Event ID 4688: A new process has been created.
Suspicious Login Failures (Windows Event Log) source: Adversaries may use a single or small list of commonly used passwords against the same account in order to acquire valid account credentials. This use case looks for multiple logon failures by user and host, which may indicate a brute…

Kusto # view in coverage

Failed host logons but success logon to AzureAD source medium: Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts. Uses that list to identify any successful logons to Microsoft Entra ID from these IPs within the same timeframe.
Failed logon attempts by valid accounts within 10 mins source low: Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.
Excessive Windows Logon Failures source low: This query identifies user accounts which has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.

Show 2 more (5 total)

Password Spray source: Below queries detect password spray attacks using sliding window count plugin. Because of implementation of the sliding window, queries work better than the bin() usage, but may create duplicate alerts. Grouping can be used in such cases. Sentinel Query:↳ also matches Event ID 4624: An account was successfully logged on.
Potential NTLM Relay Attack to Domain Controller source: Below query detects NTLM authentication coming from Domain Controller machine accounts. This is not an expected behavior and it's an indication of NTLM relay attack.
If NTLM Relaying is done towards a Linux machine, this query won't detect that. The attacker must have access to a Linux device in that case though.↳ also matches Event ID 4624: An account was successfully logged on.

YARA-L # view in coverage

GeoIP User Login From Multiple States Or Countries source: Detect multiple user logins from multiple states or countries using Chronicle GeoIP enrichment.↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4648: A logon was attempted using explicit credentials.
Logins From Terminated Employees source: Allowed Logins from Terminated Employees↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4648: A logon was attempted using explicit credentials.
GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage source: Alerts when an authorization token originating from GKE activity is subsequently used within a command line on an endpoint system, suggesting potential credential exfiltration and reuse.↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4648: A logon was attempted using explicit credentials., Event ID 4688: A new process has been created.

Show 9 more (12 total)

ADFS DKM Key Access source: Detects access to the AD contact object to read the AD FS DKM (distributed key manager) master key value↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4648: A logon was attempted using explicit credentials., Event ID 4662: An operation was performed on an object.
MITRE ATT&CK T1110.003 RW Windows Password Spray source: Detect repeated authentication failure with multiple users indicative of a password spray attack.↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4648: A logon was attempted using explicit credentials.
MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One source: Detect Multiple Failed Login Attempts followed by Successful Login↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4648: A logon was attempted using explicit credentials.
MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity source: Detect Multiple Failed Login Attempts followed by Successful Login↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4648: A logon was attempted using explicit credentials.
Windows Short Term Account Use source: Detects the creation, login, and deletion of a user account over a predefined timeframe↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4648: A logon was attempted using explicit credentials., Event ID 4720: A user account was created., Event ID 4726: A user account was deleted.
sap break glass account login source: Alerts whenever a default SAP administrative account (e.g., SAP*, DDIC, TMSADM) logs into the system. These accounts should be locked and used only for emergency 'break-glass' scenarios↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4648: A logon was attempted using explicit credentials.
sap impossible travel source: Identifies two successful logons for the same User ID from two different geographic locations in a timeframe that is physically impossible to travel between, indicating credential sharing or theft.↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4648: A logon was attempted using explicit credentials.
sap multi terminal logon source: Identifies successful logons for the same User ID from multiple different terminal IDs or client hostnames in a short timeframe, indicating potential credential sharing or session theft.↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4648: A logon was attempted using explicit credentials.
Okta Multiple Failed Requests To Access Applications source: Detects multiple failed requests to access applications↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4648: A logon was attempted using explicit credentials.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/evtx-4625-failed-logon.md
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4625.yml

Event ID 4626: User / Device claims information.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → User / Device Claims
Collection Priority: Recommended (Palantir)
Opcode: Info

Description

This event generates for new account logons and contains user/device claims which were associated with a new logon session.

Message #

User / Device claims information.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Logon Type: %9

New Logon:
	Security ID: %5
	Account Name: %6
	Account Domain: %7
	Logon ID: %8

Event in sequence: %10 of %11

User Claims: %12

Device Claims: %13

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

This event is generated when the Audit User/Device claims subcategory is configured and the user?s logon token contains user/device claims information. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that reported information about claims.
`SubjectUserName` UnicodeString	The name of the account that reported information about claims.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`TargetUserSid` SID	SID of account for which logon was performed.
`TargetUserName` UnicodeString	The name of the account for which logon was performed.
`TargetDomainName` UnicodeString	[New Logon] Account Domain.
`TargetLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`LogonType` UInt32	The type of logon which was performed. Logon type reference Known values `0` System (used during system startup) `2` Interactive (local keyboard/KVM logon) `3` Network (e.g. SMB, mapped drive) `4` Batch (scheduled task) `5` Service (service startup) `6` Proxy `7` Unlock (workstation unlock) `8` NetworkCleartext (e.g. IIS basic auth) `9` NewCredentials (RunAs /netonly) `10` RemoteInteractive (RDP/Terminal Services) `11` CachedInteractive (cached domain credentials) `12` CachedRemoteInteractive (cached RDP credentials) `13` CachedUnlock (cached workstation unlock)
`EventIdx` UInt32	If is there is not enough space in one event to put all claims, you will see "1 of N" in this field and additional events will be generated. Typically this field has "1 of 1" value.
`EventCountTotal` UInt32	The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig" registry key.
`UserClaims` UnicodeString	List of user claims for new logon session. This field contains user claims if user account was logged in and device claims if computer account was logged in.
`DeviceClaims` UnicodeString	List of device claims for new logon session.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4626
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-device-claims
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4626
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4626.yml

Event ID 4627: Group membership information.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Group Membership
Collection Priority: Recommended (ASD, others)
Opcode: Info

Description

This event generates with "4624(S): An account was successfully logged on" and shows the list of groups that the logged-on account belongs to.

Message #

Group membership information.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Logon Type: %9

New Logon:
	Security ID: %5
	Account Name: %6
	Account Domain: %7
	Logon ID: %8

Event in sequence: %10 of %11

Group Membership: %12

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

This event is generated when the Audit Group Membership subcategory is configured.  The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.

Fields #

Name	Description	Rules
`SubjectUserSid` SID	[Subject] Security ID. Indicates the account on the local system which requested the logon.
`SubjectUserName` UnicodeString	[Subject] Account Name. Indicates the account on the local system which requested the logon.
`SubjectDomainName` UnicodeString	[Subject] Account Domain. Indicates the account on the local system which requested the logon.
`SubjectLogonId` HexInt64	[Subject] Logon ID. Indicates the account on the local system which requested the logon.
`TargetUserSid` SID	[New Logon] Security ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on.
`TargetUserName` UnicodeString	[New Logon] Account Name. Indicates the account for whom the new logon was created, i.e. the account that was logged on.	7 detection rules
`TargetDomainName` UnicodeString	[New Logon] Account Domain. Indicates the account for whom the new logon was created, i.e. the account that was logged on.
`TargetLogonId` HexInt64	[New Logon] Logon ID. Indicates the account for whom the new logon was created, i.e. the account that was logged on.
`LogonType` UInt32	[Subject] Logon Type. Indicates the account on the local system which requested the logon. Logon type reference Known values `0` System (used during system startup) `2` Interactive (local keyboard/KVM logon) `3` Network (e.g. SMB, mapped drive) `4` Batch (scheduled task) `5` Service (service startup) `6` Proxy `7` Unlock (workstation unlock) `8` NetworkCleartext (e.g. IIS basic auth) `9` NewCredentials (RunAs /netonly) `10` RemoteInteractive (RDP/Terminal Services) `11` CachedInteractive (cached domain credentials) `12` CachedRemoteInteractive (cached RDP credentials) `13` CachedUnlock (cached workstation unlock)	2 detection rules
`EventIdx` UInt32	[New Logon] Event in sequence. Indicates the account for whom the new logon was created, i.e. the account that was logged on.
`EventCountTotal` UInt32	Total number of events in the sequence.
`GroupMembership` UnicodeString	The list of group SIDs which logged account belongs to (member of).	1 detection rule

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4627,
    "version": 0,
    "level": 0,
    "task": 12554,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:49.2402736+00:00",
    "event_record_id": 3213579,
    "correlation": {},
    "execution": {
      "process_id": 896,
      "thread_id": 4272
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-0-0",
    "SubjectUserName": "-",
    "SubjectDomainName": "-",
    "SubjectLogonId": "0x0",
    "TargetUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "TargetUserName": "domainadmin",
    "TargetDomainName": "cell-c",
    "TargetLogonId": "0x296120d",
    "LogonType": "3",
    "EventIdx": "1",
    "EventCountTotal": "1",
    "GroupMembership": "\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-513}\n\t\t%{S-1-1-0}\n\t\t%{S-1-5-32-555}\n\t\t%{S-1-5-32-545}\n\t\t%{S-1-5-32-554}\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-2}\n\t\t%{S-1-5-11}\n\t\t%{S-1-5-15}\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-520}\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-512}\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-519}\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-518}\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-572}\n\t\t%{S-1-5-64-10}\n\t\t%{S-1-16-12288}"
  },
  "message": "Group membership information.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x296120D\r\n\r\nEvent in sequence:\t\t1 of 1\r\n\r\nGroup Membership:\t\t\t\r\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-555}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-554}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-520}\r\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-512}\r\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-519}\r\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-518}\r\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-572}\r\n\t\t%{S-1-5-64-10}\r\n\t\t%{S-1-16-12288}\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThis event is generated when the Audit Group Membership subcategory is configured.  The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session."
}

Community Notes #

Shows the full AD group list for every successful logon (useful to detect changes in privileges).

Detection Rules #

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4625: An account failed to log on.OREvent ID 4634: An account was logged off.

Splunk # view in coverage

Windows Domain Admin Impersonation Indicator source: The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. This is detected when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4627
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-group-membership
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4627
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4627.yml

Event ID 4634: An account was logged off.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Logoff
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event shows that logon session was terminated and no longer exists.

Message #

An account was logged off.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Logon Type: %5

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

Fields #

Name	Description
`TargetUserSid` SID	SID of account that was logged off.
`TargetUserName` UnicodeString	The name of the account that was logged off.
`TargetDomainName` UnicodeString	Domain of the account that was logged off.
`TargetLogonId` HexInt64	Logon session ID of the session that ended. Correlates with Event ID 4624.
`LogonType` UInt32	Type of logon session that ended. Logon type reference Known values `0` System (used during system startup) `2` Interactive (local keyboard/KVM logon) `3` Network (e.g. SMB, mapped drive) `4` Batch (scheduled task) `5` Service (service startup) `6` Proxy `7` Unlock (workstation unlock) `8` NetworkCleartext (e.g. IIS basic auth) `9` NewCredentials (RunAs /netonly) `10` RemoteInteractive (RDP/Terminal Services) `11` CachedInteractive (cached domain credentials) `12` CachedRemoteInteractive (cached RDP credentials) `13` CachedUnlock (cached workstation unlock)

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4634,
    "version": 0,
    "level": 0,
    "task": 12545,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:49.2412951+00:00",
    "event_record_id": 3213581,
    "correlation": {},
    "execution": {
      "process_id": 896,
      "thread_id": 4272
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "TargetUserName": "domainadmin",
    "TargetDomainName": "cell-c",
    "TargetLogonId": "0x2651556",
    "LogonType": "3"
  },
  "message": "An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x2651556\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
}

Detection Patterns #

Uses Authentication Normalization

5 rules

Kusto

Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) (source)

User login from different countries within 3 hours (Uses Authentication Normalization) (source)

Ofer Shezaf

User login from different countries within 3 hours (Uses Authentication Normalization) (source)

Uses Authentication Normalization

3 rules

Kusto

Ofer Shezaf

Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) (source)

Security-Auditing Event ID 4634: An account was logged off.OREvent ID 4647: User initiated logoff.

Impact: Account Access Removal

1 rule

Sigma

User Logoff Event (source)

frack113

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`ElevatedToken`	eq	`Logon`	2 rules	kusto
`EventResult`	eq	`Failure`	2 rules	kusto
`EventResult`	eq	`Success`	2 rules	kusto
`FailureCount`	ge	`10`	1 rule	kusto
`NumOfCountries`	ge	`2`	1 rule	kusto
`SrcGeoCountry`	is_not_null		1 rule	kusto
`SuccessCount`	ge	`1`	1 rule	kusto
`TargetUserName`	is_not_null		1 rule	kusto
`UserCount`	gt	`15`	1 rule	kusto
`successfulAccountSigninCount`	lt	`100`	1 rule	kusto

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logoff
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4634
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4634.yml

Event ID 4646: notification

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Main Mode
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

notification

Message #

%1

Fields #

Name	Description
`notification` UnicodeString

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4646
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4646

Event ID 4647: User initiated logoff.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Logoff
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.

Message #

User initiated logoff:

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.

Fields #

Name	Description
`TargetUserSid` SID	SID of account that requested the "logoff" operation.
`TargetUserName` UnicodeString	The name of the account that requested the "logoff" operation.
`TargetDomainName` UnicodeString	Subject's domain or computer name.
`TargetLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4647,
    "version": 0,
    "level": 0,
    "task": 12545,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:22:33.5864288+00:00",
    "event_record_id": 2929085,
    "correlation": {
      "ActivityID": "{55D4FF8A-EF8A-0001-0800-D5558AEFDC01}"
    },
    "execution": {
      "process_id": 852,
      "thread_id": 4760
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "TargetUserName": "domainadmin",
    "TargetDomainName": "cell-c",
    "TargetLogonId": "0x9bd40"
  },
  "message": "User initiated logoff:\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x9BD40\r\n\r\nThis event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event."
}

Detection Patterns #

Stealth: Valid Accounts

1 rule

Kusto

Security-Auditing Event ID 4634: An account was logged off.OREvent ID 4647: User initiated logoff.

Impact: Account Access Removal

1 rule

Sigma

User Logoff Event (source)

frack113

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TargetUserName`	is_not_null		1 rule	kusto

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logoff
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4647
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4647.yml

Event ID 4648: A logon was attempted using explicit credentials.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Logon
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event is generated when a process attempts an account logon by explicitly specifying that account's credentials.

Message #

A logon was attempted using explicit credentials.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4
	Logon GUID: %5

Account Whose Credentials Were Used:
	Account Name: %6
	Account Domain: %7
	Logon GUID: %8

Target Server:
	Target Server Name: %9
	Additional Information: %10

Process Information:
	Process ID: %11
	Process Name: %12

Network Information:
	Network Address: %13
	Port: %14

This event is generated when a process attempts to log on an account by explicitly specifying that account?s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that requested the new logon session with explicit credentials.
`SubjectUserName` UnicodeString	The name of the account that requested the new logon session with explicit credentials.	3 detection rules
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the calling account. Correlates with Event ID 4624.
`LogonGuid` GUID	GUID correlating this event with a Kerberos TGS request (Event ID 4769) on the domain controller. All zeros for non-Kerberos logons.
`TargetUserName` UnicodeString	The name of the account whose credentials were used.	2 detection rules
`TargetDomainName` UnicodeString	Domain of the account whose credentials were used.
`TargetLogonGuid` GUID	GUID correlating the target account's Kerberos TGS request (Event ID 4769) on the domain controller.
`TargetServerName` UnicodeString	Server for which the explicit credentials were used. "localhost" for local processes.	2 detection rules
`TargetInfo` UnicodeString	Additional SPN or resource identifier for the target server.	1 detection rule
`ProcessId` Pointer	Process ID of the process that used the explicit credentials.
`ProcessName` UnicodeString	Full path of the process that used the explicit credentials.	8 detection rules
`IpAddress` UnicodeString	Source IP of the remote logon attempt. "-" for local requests.
`IpPort` UnicodeString	Source port of the remote logon attempt. "-" for local requests.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4648,
    "version": 0,
    "level": 0,
    "task": 12544,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T08:33:05.1721046+00:00",
    "event_record_id": 1988356,
    "correlation": {},
    "execution": {
      "process_id": 812,
      "thread_id": 5768
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-A$",
    "SubjectDomainName": "cell-a",
    "SubjectLogonId": "0x3e7",
    "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
    "TargetUserName": "TELEMETRY-DC-A$",
    "TargetDomainName": "CELL-A.LUDUS.DOMAIN",
    "TargetLogonGuid": "{d12ef9bd-613b-db6d-be77-75b97d030155}",
    "TargetServerName": "telemetry-dc-a$",
    "TargetInfo": "telemetry-dc-a$",
    "ProcessId": "0xcc",
    "ProcessName": "C:\\Windows\\System32\\taskhostw.exe",
    "IpAddress": "-",
    "IpPort": "-"
  },
  "message": "A logon was attempted using explicit credentials.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nAccount Whose Credentials Were Used:\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tCELL-A.LUDUS.DOMAIN\r\n\tLogon GUID:\t\t{d12ef9bd-613b-db6d-be77-75b97d030155}\r\n\r\nTarget Server:\r\n\tTarget Server Name:\ttelemetry-dc-a$\r\n\tAdditional Information:\ttelemetry-dc-a$\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0xcc\r\n\tProcess Name:\t\tC:\\Windows\\System32\\taskhostw.exe\r\n\r\nNetwork Information:\r\n\tNetwork Address:\t-\r\n\tPort:\t\t\t-\r\n\r\nThis event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
}

Detection Patterns #

Event Log

Security-Auditing Event ID 4648: A logon was attempted using explicit credentials.OREvent ID 4688: A new process has been created.

3 rules

Sigma

SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) (source)

mdecrevoisier

Splunk

WMIC Explicit Credentials (Windows Event Log) (source)

ADExplorer Execution (Windows Event Log) (source)

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4625: An account failed to log on.OREvent ID 4648: A logon was attempted using explicit credentials.

2 rules

Splunk

Windows Identify PowerShell Web Access IIS Pool (source)

Michael Haag, Splunk

Kusto

Stealth: Valid Accounts

1 rule

Kusto

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4648: A logon was attempted using explicit credentials.OREvent ID 4688: A new process has been created.

Stealth: Create Process with Token

1 rule

Sigma

Privilege escalation via runas (command) (source)

mdecrevoisier

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`security_result.action`	eq	`ALLOW`	5 rules	chronicle
`security_result.action`	eq	`BLOCK`	3 rules	chronicle
`additional.fields["msg_1"]`	regex_match	`^AU1$\|^AU5$`	3 rules	chronicle
`metadata.log_type`	eq	`SAP_SECURITY_AUDIT`	3 rules	chronicle
`Target_User_Name`	ne	`*$`	2 rules	splunk
`principal.ip_geo_artifact.location.country_or_region`	is_not_null		2 rules	chronicle
`user`	ne	`*$`	2 rules	splunk
`CommandLine`	contains	`/user:`	1 rule	sigma, splunk
`CommandLine`	contains	`net use`	1 rule	sigma
`CommandLine`	contains	`printnightmare.gentilkiwi.com`	1 rule	sigma
`CommandLine`	contains	`runas`	1 rule	sigma, splunk
`Image`	ends_with	`\net.exe`	1 rule	sigma
`Image`	ends_with	`\net1.exe`	1 rule	sigma
`LogonProcessName`	eq	`seclogo`	1 rule	elastic, sigma
`LogonType`	eq	`Interactive`	1 rule	elastic, sigma, splunk

Community Notes #

Logon with explicit credentials (RunAs, SchTasks, Pass-the-Hash, WinRM, SMB). May appear when an NTLM relayed session is used to create a service/task. Useful with 4624 (successful logon)/4634 (logoff completed) for reconstructing interactive or service logons.

Detection Rules #

Sigma # view in coverage

Suspicious Remote Logon with Explicit Credentials source medium: Detects suspicious processes logging on with explicit credentials

Splunk # view in coverage

Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials source: The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. It leverages Windows Event 4648, which is generated when a process attempts an account logon by explicitly…
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials source: The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. It leverages Windows Event Code 4648 and calculates the standard deviation for each host, using the 3-sigma…

YARA-L # view in coverage

GeoIP User Login From Multiple States Or Countries source: Detect multiple user logins from multiple states or countries using Chronicle GeoIP enrichment.↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on.
Logins From Terminated Employees source: Allowed Logins from Terminated Employees↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on.
GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage source: Alerts when an authorization token originating from GKE activity is subsequently used within a command line on an endpoint system, suggesting potential credential exfiltration and reuse.↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on., Event ID 4688: A new process has been created.

Show 9 more (12 total)

ADFS DKM Key Access source: Detects access to the AD contact object to read the AD FS DKM (distributed key manager) master key value↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on., Event ID 4662: An operation was performed on an object.
MITRE ATT&CK T1110.003 RW Windows Password Spray source: Detect repeated authentication failure with multiple users indicative of a password spray attack.↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on.
MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One source: Detect Multiple Failed Login Attempts followed by Successful Login↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on.
MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity source: Detect Multiple Failed Login Attempts followed by Successful Login↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on.
Windows Short Term Account Use source: Detects the creation, login, and deletion of a user account over a predefined timeframe↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on., Event ID 4720: A user account was created., Event ID 4726: A user account was deleted.
sap break glass account login source: Alerts whenever a default SAP administrative account (e.g., SAP*, DDIC, TMSADM) logs into the system. These accounts should be locked and used only for emergency 'break-glass' scenarios↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on.
sap impossible travel source: Identifies two successful logons for the same User ID from two different geographic locations in a timeframe that is physically impossible to travel between, indicating credential sharing or theft.↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on.
sap multi terminal logon source: Identifies successful logons for the same User ID from multiple different terminal IDs or client hostnames in a short timeframe, indicating potential credential sharing or session theft.↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on.
Okta Multiple Failed Requests To Access Applications source: Detects multiple failed requests to access applications↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4648
Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/evtx-4648-explicit-credentials.md
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4648.yml

Event ID 4649: A replay attack was detected.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Other Logon/Logoff Events
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

A replay attack was detected.

Message #

A replay attack was detected.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Credentials Which Were Replayed:
	Account Name: %5
	Account Domain: %6

Process Information:
	Process ID: %12
	Process Name: %13

Network Information:
	Workstation Name: %10

Detailed Authentication Information:
	Request Type: %7
	Logon Process: %8
	Authentication Package: %9
	Transited Services: %11

This event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration.

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`TargetUserName` UnicodeString	[Credentials Which Were Replayed] Account Name
`TargetDomainName` UnicodeString	[Credentials Which Were Replayed] Account Domain
`RequestType` UnicodeString	[Detailed Authentication Information] Request Type
`LogonProcessName` UnicodeString	[Detailed Authentication Information] Logon Process
`AuthenticationPackage` UnicodeString	[Detailed Authentication Information] Authentication Package
`WorkstationName` UnicodeString	[Network Information] Workstation Name
`TransmittedServices` UnicodeString	[Detailed Authentication Information] Transited Services
`ProcessId` Pointer	[Process Information] Process ID
`ProcessName` UnicodeString	[Process Information] Process Name

Community Notes #

Alerts when a copied ticket is reused.

Detection Rules #

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4663: An attempt was made to access an object.

Sigma # view in coverage

Replay Attack Detected source high: Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4649

Event ID 4650: An IPsec main mode security association was established.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Main Mode
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An IPsec main mode security association was established. Extended mode was not enabled. Certificate authentication was not used.

Message #

An IPsec main mode security association was established. Extended mode was not enabled.  Certificate authentication was not used.

Local Endpoint:
	Principal Name: %1
	Network Address: %3
	Keying Module Port: %4

Remote Endpoint:
	Principal Name: %2
	Network Address: %5
	Keying Module Port: %6

Security Association Information:
	Lifetime (minutes): %12
	Quick Mode Limit: %13
	Main Mode SA ID: %17

Cryptographic Information:
	Cipher Algorithm: %9
	Integrity Algorithm: %10
	Diffie-Hellman Group: %11

Additional Information:
	Keying Module Name: %7
	Authentication Method: %8
	Role: %14
	Impersonation State: %15
	Main Mode Filter ID: %16

Fields #

Name	Description
`LocalMMPrincipalName` UnicodeString	[Local Endpoint] Principal Name
`RemoteMMPrincipalName` UnicodeString	[Remote Endpoint] Principal Name
`LocalAddress` UnicodeString	[Local Endpoint] Network Address
`LocalKeyModPort` UInt32	[Local Endpoint] Keying Module Port
`RemoteAddress` UnicodeString	[Remote Endpoint] Network Address
`RemoteKeyModPort` UInt32	[Remote Endpoint] Keying Module Port
`KeyModName` UnicodeString	[Additional Information] Keying Module Name
`MMAuthMethod` UnicodeString	[Additional Information] Authentication Method
`MMCipherAlg` UnicodeString	[Cryptographic Information] Cipher Algorithm
`MMIntegrityAlg` UnicodeString	[Cryptographic Information] Integrity Algorithm
`DHGroup` UnicodeString	[Cryptographic Information] Diffie-Hellman Group
`MMLifetime` UInt32	[Security Association Information] Lifetime (minutes)
`QMLimit` UInt32	[Security Association Information] Quick Mode Limit
`Role` UnicodeString	[Additional Information] Role.
`MMImpersonationState` UnicodeString	[Additional Information] Impersonation State
`MMFilterID` UInt64	[Additional Information] Main Mode Filter ID
`MMSAID` UInt64	[Security Association Information] Main Mode SA ID

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4650
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4650

Event ID 4651: An IPsec main mode security association was established.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Main Mode
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An IPsec main mode security association was established. Extended mode was not enabled. A certificate was used for authentication.

Message #

An IPsec main mode security association was established. Extended mode was not enabled.  A certificate was used for authentication.

Local Endpoint:
	Principal Name: %1
	Network Address: %9
	Keying Module Port: %10

Local Certificate:
	SHA Thumbprint: %2
	Issuing CA: %3
	Root CA: %4

Remote Endpoint:
	Principal Name: %5
	Network Address: %11
	Keying Module Port: %12

Remote Certificate:
	SHA thumbprint: %6
	Issuing CA: %7
	Root CA: %8

Cryptographic Information:
	Cipher Algorithm: %15
	Integrity Algorithm: %16
	Diffie-Hellman Group: %17

Security Association Information:
	Lifetime (minutes): %18
	Quick Mode Limit: %19
	Main Mode SA ID: %23

Additional Information:
	Keying Module Name: %13
	Authentication Method: %14
	Role: %20
	Impersonation State: %21
	Main Mode Filter ID: %22

Fields #

Name	Description
`LocalMMPrincipalName` UnicodeString	[Local Endpoint] Principal Name
`LocalMMCertHash` UnicodeString	[Local Certificate] SHA Thumbprint
`LocalMMIssuingCA` UnicodeString	[Local Certificate] Issuing CA
`LocalMMRootCA` UnicodeString	[Local Certificate] Root CA
`RemoteMMPrincipalName` UnicodeString	[Remote Endpoint] Principal Name
`RemoteMMCertHash` UnicodeString	[Remote Certificate] SHA thumbprint
`RemoteMMIssuingCA` UnicodeString	[Remote Certificate] Issuing CA
`RemoteMMRootCA` UnicodeString	[Remote Certificate] Root CA
`LocalAddress` UnicodeString	[Local Endpoint] Network Address
`LocalKeyModPort` UInt32	[Local Endpoint] Keying Module Port
`RemoteAddress` UnicodeString	[Remote Endpoint] Network Address
`RemoteKeyModPort` UInt32	[Remote Endpoint] Keying Module Port
`KeyModName` UnicodeString	[Additional Information] Keying Module Name
`MMAuthMethod` UnicodeString	[Additional Information] Authentication Method
`MMCipherAlg` UnicodeString	[Cryptographic Information] Cipher Algorithm
`MMIntegrityAlg` UnicodeString	[Cryptographic Information] Integrity Algorithm
`DHGroup` UnicodeString	[Cryptographic Information] Diffie-Hellman Group
`MMLifetime` UInt32	[Security Association Information] Lifetime (minutes)
`QMLimit` UInt32	[Security Association Information] Quick Mode Limit
`Role` UnicodeString	[Additional Information] Role.
`MMImpersonationState` UnicodeString	[Additional Information] Impersonation State
`MMFilterID` UInt64	[Additional Information] Main Mode Filter ID
`MMSAID` UInt64	[Security Association Information] Main Mode SA ID

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4651
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4651

Event ID 4652: An IPsec main mode negotiation failed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Main Mode
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An IPsec main mode negotiation failed.

Message #

An IPsec main mode negotiation failed.


Local Endpoint:
	Principal Name: %1
	Network Address: %9
	Keying Module Port: %10

Local Certificate:
	SHA Thumbprint: %2
	Issuing CA: %3
	Root CA: %4

Remote Endpoint:
	Principal Name: %5
	Network Address: %11
	Keying Module Port: %12

Remote Certificate:
	SHA thumbprint: %6
	Issuing CA: %7
	Root CA: %8

Additional Information:
	Keying Module Name: %13
	Authentication Method: %16
	Role: %18
	Impersonation State: %19
	Main Mode Filter ID: %20

Failure Information:
	Failure Point: %14
	Failure Reason: %15
	State: %17
	Initiator Cookie: %21
	Responder Cookie: %22

Fields #

Name	Description
`LocalMMPrincipalName` UnicodeString	[Local Endpoint] Principal Name
`LocalMMCertHash` UnicodeString	[Local Certificate] SHA Thumbprint
`LocalMMIssuingCA` UnicodeString	[Local Certificate] Issuing CA
`LocalMMRootCA` UnicodeString	[Local Certificate] Root CA
`RemoteMMPrincipalName` UnicodeString	[Remote Endpoint] Principal Name
`RemoteMMCertHash` UnicodeString	[Remote Certificate] SHA thumbprint
`RemoteMMIssuingCA` UnicodeString	[Remote Certificate] Issuing CA
`RemoteMMRootCA` UnicodeString	[Remote Certificate] Root CA
`LocalAddress` UnicodeString	[Local Endpoint] Network Address
`LocalKeyModPort` UInt32	[Local Endpoint] Keying Module Port
`RemoteAddress` UnicodeString	[Remote Endpoint] Network Address
`RemoteKeyModPort` UInt32	[Remote Endpoint] Keying Module Port
`KeyModName` UnicodeString	[Additional Information] Keying Module Name
`FailurePoint` UnicodeString	[Failure Information] Failure Point
`FailureReason` UnicodeString	[Failure Information] Failure Reason Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used. `0x0` Success (no failure - emitted by DPAPI Activity events 4692/4694/4695 when the master-key backup or auditable-data protect/unprotect operation succeeded, and by IPsec Main Mode success paths on 4652/4653/4654) `New policy invalidated SAs formed with old policy` IPsec Main Mode SA was torn down because a new IPsec policy rendered the existing SA invalid (event 4653 specific reason string)
`MMAuthMethod` UnicodeString	[Additional Information] Authentication Method
`State` UnicodeString	[Failure Information] State.
`Role` UnicodeString	[Additional Information] Role.
`MMImpersonationState` UnicodeString	[Additional Information] Impersonation State
`MMFilterID` UInt64	[Additional Information] Main Mode Filter ID
`InitiatorCookie` UnicodeString	[Failure Information] Initiator Cookie
`ResponderCookie` UnicodeString	[Failure Information] Responder Cookie

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4652
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4652

Event ID 4653: An IPsec main mode negotiation failed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Main Mode
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An IPsec main mode negotiation failed.

Message #

An IPsec main mode negotiation failed.

Local Endpoint:
	Local Principal Name: %1
	Network Address: %3
	Keying Module Port: %4

Remote Endpoint:
	Principal Name: %2
	Network Address: %5
	Keying Module Port: %6

Additional Information:
	Keying Module Name: %7
	Authentication Method: %10
	Role: %12
	Impersonation State: %13
	Main Mode Filter ID: %14

Failure Information:
	Failure Point: %8
	Failure Reason: %9
	State: %11
	Initiator Cookie: %15
	Responder Cookie: %16

Fields #

Name	Description
`LocalMMPrincipalName` UnicodeString	[Local Endpoint] Local Principal Name
`RemoteMMPrincipalName` UnicodeString	[Remote Endpoint] Principal Name
`LocalAddress` UnicodeString	[Local Endpoint] Network Address
`LocalKeyModPort` UInt32	[Local Endpoint] Keying Module Port
`RemoteAddress` UnicodeString	[Remote Endpoint] Network Address
`RemoteKeyModPort` UInt32	[Remote Endpoint] Keying Module Port
`KeyModName` UnicodeString	[Additional Information] Keying Module Name
`FailurePoint` UnicodeString	[Failure Information] Failure Point
`FailureReason` UnicodeString	[Failure Information] Failure Reason Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used. `0x0` Success (no failure - emitted by DPAPI Activity events 4692/4694/4695 when the master-key backup or auditable-data protect/unprotect operation succeeded, and by IPsec Main Mode success paths on 4652/4653/4654) `New policy invalidated SAs formed with old policy` IPsec Main Mode SA was torn down because a new IPsec policy rendered the existing SA invalid (event 4653 specific reason string)
`MMAuthMethod` UnicodeString	[Additional Information] Authentication Method
`State` UnicodeString	[Failure Information] State.
`Role` UnicodeString	[Additional Information] Role.
`MMImpersonationState` UnicodeString	[Additional Information] Impersonation State
`MMFilterID` UInt64	[Additional Information] Main Mode Filter ID
`InitiatorCookie` UnicodeString	[Failure Information] Initiator Cookie
`ResponderCookie` UnicodeString	[Failure Information] Responder Cookie

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4653,
    "version": 0,
    "level": 0,
    "task": 12547,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2026-03-13T23:09:45.572614+00:00",
    "event_record_id": 16633999,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 13940
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalMMPrincipalName": "-",
    "RemoteMMPrincipalName": "-",
    "LocalAddress": "10.2.10.11",
    "LocalKeyModPort": 500,
    "RemoteAddress": "10.2.20.41",
    "RemoteKeyModPort": 500,
    "KeyModName": "%%8223",
    "FailurePoint": "%%8199",
    "FailureReason": "New policy invalidated SAs formed with old policy\r\n",
    "MMAuthMethod": "%%8194",
    "State": "%%8202",
    "Role": "%%8205",
    "MMImpersonationState": "%%8217",
    "MMFilterID": 72917,
    "InitiatorCookie": "abd97649c27753ac",
    "ResponderCookie": "0000000000000000"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4653
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4653

Event ID 4654: An IPsec quick mode negotiation failed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An IPsec quick mode negotiation failed.

Message #

An IPsec quick mode negotiation failed.

Local Endpoint:
	Network Address: %1
	Network Address mask: %2
	Port: %3
	Tunnel Endpoint: %4

Remote Endpoint:
	Network Address: %5
	Address Mask: %6
	Port: %7
	Tunnel Endpoint: %8
	Private Address: %10

Additional Information:
	Protocol: %9
	Keying Module Name: %11
	Mode: %14
	Role: %16
	Quick Mode Filter ID: %18
	Main Mode SA ID: %19

Failure Information:
	State: %15
	Message ID: %17
	Failure Point: %12
	Failure Reason: %13

Fields #

Name	Description
`LocalAddress` UnicodeString	[Local Endpoint] Network Address
`LocalAddressMask` UnicodeString	[Local Endpoint] Network Address mask
`LocalPort` UInt32	[Local Endpoint] Port
`LocalTunnelEndpoint` UnicodeString	[Local Endpoint] Tunnel Endpoint
`RemoteAddress` UnicodeString	[Remote Endpoint] Network Address
`RemoteAddressMask` UnicodeString	[Remote Endpoint] Address Mask
`RemotePort` UInt32	[Remote Endpoint] Port
`RemoteTunnelEndpoint` UnicodeString	[Remote Endpoint] Tunnel Endpoint
`Protocol` UInt32	[Additional Information] Protocol. Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`RemotePrivateAddress` UnicodeString	[Remote Endpoint] Private Address
`KeyModName` UnicodeString	[Additional Information] Keying Module Name
`FailurePoint` UnicodeString	[Failure Information] Failure Point
`FailureReason` UnicodeString	[Failure Information] Failure Reason Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used. `0x0` Success (no failure - emitted by DPAPI Activity events 4692/4694/4695 when the master-key backup or auditable-data protect/unprotect operation succeeded, and by IPsec Main Mode success paths on 4652/4653/4654) `New policy invalidated SAs formed with old policy` IPsec Main Mode SA was torn down because a new IPsec policy rendered the existing SA invalid (event 4653 specific reason string)
`Mode` UnicodeString	[Additional Information] Mode.
`State` UnicodeString	[Failure Information] State.
`Role` UnicodeString	[Additional Information] Role.
`MessageID` UInt32	[Failure Information] Message ID
`QMFilterID` UInt64	[Additional Information] Quick Mode Filter ID
`MMSAID` UInt64	[Additional Information] Main Mode SA ID
`TunnelId` UInt64	[Additional Information] Virtual Interface Tunnel ID
`TrafficSelectorId` UInt64	[Additional Information] Traffic Selector ID

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4654
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4654

Event ID 4655: An IPsec main mode security association ended.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Main Mode
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An IPsec main mode security association ended.

Message #

An IPsec main mode security association ended.

Local Network Address: %1
Remote Network Address: %2
Keying Module Name: %3
Main Mode SA ID: %4

Fields #

Name	Description
`LocalAddress` UnicodeString	Local Network Address
`RemoteAddress` UnicodeString	Remote Network Address
`KeyModName` UnicodeString	Keying Module Name
`MMSAID` UInt64	Main Mode SA ID

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4655
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4655

Event ID 4656: A handle to an object was requested.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → File System
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event indicates that specific access was requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.

Message #

A handle to an object was requested.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6
	Object Name: %7
	Handle ID: %8

Process Information:
	Process ID: %14
	Process Name: %15

Access Request Information:
	Transaction ID: %9
	Accesses: %10
	Access Mask: %11
	Privileges Used for Access Check: %12
	Restricted SID Count: %13

Fields #

Name	Description	Rules
`SubjectUserSid`	SID of account that requested a handle to an object.
`SubjectUserName`	Name of the account that requested a handle to an object.	4 detection rules
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.	1 detection rule
`ObjectServer`	Has "Security" value for this event.	4 detection rules
`ObjectType`	Type of the object for which the handle was requested. Known values `File` File-system file or directory `Key` Registry key `SAM_DOMAIN` Security Account Manager domain object `SAM_USER` Security Account Manager user account object `SAM_GROUP` Security Account Manager global group object `SAM_ALIAS` Security Account Manager local group (alias) object `SAM_SERVER` Security Account Manager server object `Token` Access token object `Process` Process object `Thread` Thread object	22 detection rules
`ObjectName`	Name and identifying information for the object. For files, includes the full path.	26 detection rules
`HandleId`	Hexadecimal handle to the object. Correlates with Event ID 4663.
`TransactionId`	GUID of the transaction. Correlates with Event ID 4660.
`AccessList`	Access rights requested.	13 detection rules
`AccessReason`	Access check results. Not applicable to kernel objects.	1 detection rule
`AccessMask`	Hexadecimal access mask for the requested operation. The upper 16 bits hold the standard generic access rights that every securable object shares; the low 16 bits are object-type-specific and have to be decoded against the sibling ObjectType field. The object-type column under each low-bit entry below lists the canonical interpretation per object family (File / Directory rights from winnt.h, Registry KEY_* rights from winreg.h, AD DS ACTRL_DS_* rights from iads.h). For events whose ObjectType varies (4656 / 4663) check the event's ObjectType value before reading the low bits. Bitmask flags `0x80000000` GENERIC_READ `0x40000000` GENERIC_WRITE `0x20000000` GENERIC_EXECUTE `0x10000000` GENERIC_ALL `0x02000000` MAXIMUM_ALLOWED `0x01000000` ACCESS_SYSTEM_SECURITY `0x00100000` SYNCHRONIZE `0x00080000` WRITE_OWNER `0x00040000` WRITE_DAC `0x00020000` READ_CONTROL `0x00010000` DELETE `0x00000001` FILE_READ_DATA / FILE_LIST_DIRECTORY (file/dir); KEY_QUERY_VALUE (registry); ACTRL_DS_CREATE_CHILD (AD DS); SERVICE_QUERY_CONFIG (service) `0x00000002` FILE_WRITE_DATA / FILE_ADD_FILE (file/dir); KEY_SET_VALUE (registry); ACTRL_DS_DELETE_CHILD (AD DS); SERVICE_CHANGE_CONFIG (service) `0x00000004` FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY (file/dir); KEY_CREATE_SUB_KEY (registry); ACTRL_DS_LIST / DS_LIST_CONTENTS (AD DS); SERVICE_QUERY_STATUS (service) `0x00000008` FILE_READ_EA (file/dir); KEY_ENUMERATE_SUB_KEYS (registry); ACTRL_DS_SELF / DS_WRITE_PROPERTY_EXTENDED (AD DS); SERVICE_ENUMERATE_DEPENDENTS (service) `0x00000010` FILE_WRITE_EA (file/dir); KEY_NOTIFY (registry); ACTRL_DS_READ_PROP / DS_READ_PROPERTY (AD DS); SERVICE_START (service) `0x00000020` FILE_EXECUTE / FILE_TRAVERSE (file/dir); KEY_CREATE_LINK (registry); ACTRL_DS_WRITE_PROP / DS_WRITE_PROPERTY (AD DS); SERVICE_STOP (service) `0x00000040` FILE_DELETE_CHILD (file/dir); ACTRL_DS_DELETE_TREE (AD DS); SERVICE_PAUSE_CONTINUE (service) `0x00000080` FILE_READ_ATTRIBUTES (file/dir); ACTRL_DS_LIST_OBJECT (AD DS); SERVICE_INTERROGATE (service) `0x00000100` FILE_WRITE_ATTRIBUTES (file/dir); ACTRL_DS_CONTROL_ACCESS / DS_CONTROL_ACCESS (AD DS); SERVICE_USER_DEFINED_CONTROL (service); KEY_WOW64_64KEY (registry redirector; winnt.h) `0x00000200` KEY_WOW64_32KEY (registry redirector; winnt.h) `0x00000800` PROCESS_SUSPEND_RESUME (process; NtSuspendProcess / NtResumeProcess); also aliased as PROCESS_SET_PORT in legacy NT native headers; THREAD_QUERY_LIMITED_INFORMATION (thread) `0x00001000` PROCESS_QUERY_LIMITED_INFORMATION (process; subset query for protected-process scenarios; Vista+); THREAD_RESUME (thread) `0x00002000` PROCESS_SET_LIMITED_INFORMATION (process; write-side counterpart to QUERY_LIMITED_INFORMATION; not in MS Learn docs but defined in winnt.h and confirmed in System Informer / Process Hacker headers); not assigned for thread objects	32 detection rules
`PrivilegeList`	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-".
`RestrictedSidCount`	Number of restricted SIDs in the token. Applicable only to specific object types.
`ProcessId`	Hexadecimal Process ID of the process through which the access was requested.
`ProcessName`	Full path and the name of the executable for the process.	68 detection rules
`ResourceAttributes`	Attributes associated with the object. "-" when not applicable.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4656,
    "version": 1,
    "level": 0,
    "task": 12802,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:53.1096028+00:00",
    "event_record_id": 3213665,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4672
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-C$",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x3e7",
    "ObjectServer": "Security",
    "ObjectType": "Process",
    "ObjectName": "\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe",
    "HandleId": "0x1150",
    "TransactionId": "{00000000-0000-0000-0000-000000000000}",
    "AccessList": "%%4484\n\t\t\t\t%%4490\n\t\t\t\t%%4492\n\t\t\t\t",
    "AccessReason": "-",
    "AccessMask": "0x1410",
    "PrivilegeList": "-",
    "RestrictedSidCount": "0",
    "ProcessId": "0x1584",
    "ProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "ResourceAttributes": "-"
  },
  "message": "A handle to an object was requested.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tProcess\r\n\tObject Name:\t\t\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe\r\n\tHandle ID:\t\t0x1150\r\n\tResource Attributes:\t-\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1584\r\n\tProcess Name:\t\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\r\n\r\nAccess Request Information:\r\n\tTransaction ID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\tAccesses:\t\tRead from process memory\r\n\t\t\t\tQuery process information\r\n\t\t\t\tUndefined Access (no effect) Bit 12\r\n\t\t\t\t\r\n\tAccess Reasons:\t\t-\r\n\tAccess Mask:\t\t0x1410\r\n\tPrivileges Used for Access Check:\t-\r\n\tRestricted SID Count:\t0"
}

Detection Patterns #

18 rules

Sigma

Windows Defender Exclusion Registry Key - Write Access Requested (source)

@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)

Roberto Rodriguez @Cyb3rWard0g

Thomas Patzke

RDP File Written by Outlook (Windows Event Log) (source)

Splunk

ISO File in Temp Folder (Windows Event Log) (source)

Browser Credential File Accessed - Windows (Windows Event Log) (source)

Show 3 more (6 total) on the rules page

Kusto

Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access (source)

Microsoft Entra ID Health Monitoring Agent Registry Keys Access (source)

Microsoft Security Research

Microsoft Entra ID Health Service Agents Registry Keys Access (source)

Microsoft Security Research

Credential Access: LSASS Memory

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4663: An attempt was made to access an object.OREvent ID 4673: A privileged service was called.OREvent ID 4688: A new process has been created.

9 rules

Sigma

Roberto Rodriguez @Cyb3rWard0g

Potentially Suspicious AccessMask Requested From LSASS (source)

Thomas Patzke

Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)

Browser Credential File Accessed - Windows (Windows Event Log) (source)

Splunk

Potential Credential Dumping of LSASS (Windows Event Log) (source)

Potential nanodump execution (Windows Event Log) (source)

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4688: A new process has been created.

Event Log

2 rules

Splunk

Service Stop Commands (Windows Event Log) (source)

Windows - Service Stop (Windows Event Log) (source)

Credential Access: DCSync

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4688: A new process has been created.OREvent ID 4690: An attempt was made to duplicate a handle to an object.

1 rule

Splunk

Mimikatz (Windows Event Log) (source)

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4658: The handle to an object was closed.OREvent ID 4663: An attempt was made to access an object.

1 rule

Sigma

Potential Secure Deletion with SDelete (source)

Thomas Patzke

Show All Detection Patterns

Stealth: Disable or Modify Tools

Security-Auditing Event ID 4624: An account was successfully logged on.ANDEvent ID 4656: A handle to an object was requested.

1 rule

Kusto

Starting or Stopping HealthService to Avoid Detection (source)

Credential Access: LSASS Memory

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4688: A new process has been created.OREvent ID 4703: A user right was adjusted.

1 rule

Splunk

Common LSASS Memory Dump Behavior (Windows Event Log) (source)

Collection: Audio Capture

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4657: A registry value was modified.OREvent ID 4663: An attempt was made to access an object.

1 rule

Sigma

Processes Accessing the Microphone and Webcam (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Impact: Data Encrypted for Impact

Security-Auditing Event ID 4656: A handle to an object was requested.ANDEvent ID 4663: An attempt was made to access an object.ANDEvent ID 5145: A network share object was checked to see whether client can be granted desired access.

1 rule

Sigma

BlueSky Ransomware Artefacts (source)

j4son

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`ObjectType`	eq	`Key`	6 rules	kusto, sigma
`ObjectType`	eq	`Process`	4 rules	elastic, sigma
`ObjectType`	eq	`File`	1 rule	sigma, splunk
`ObjectType`	eq	`SAM_DOMAIN`	1 rule	sigma
`ObjectType`	eq	`SC_MANAGER OBJECT`	1 rule	sigma
`ObjectName`	contains	`\microsoft\windows defender\exclusions\`	1 rule	sigma
`ObjectName`	contains	`\registry\machine\system`	1 rule	sigma
`ObjectName`	ends_with	`\lsass.exe`	3 rules	sigma
`ObjectServer`	eq	`Security`	3 rules	sigma
`ObjectServer`	eq	`SC Manager`	1 rule	kusto, sigma
`signature_id`	contains	`4656`	3 rules	splunk
`signature_id`	contains	`4663`	2 rules	splunk
`AccessList`	contains	`%%4417`	2 rules	elastic, sigma, splunk
`AccessList`	contains	`%%4418`	2 rules	kusto, sigma, splunk
`event_count`	lt	`10`	1 rule	splunk

Community Notes #

Combined with 4663, may reveal bulk reads of sensitive shares before data exfil.

The AccessMask shown assumes File access rights (the most common context). The actual meaning of bits 0x01–0x80 depends on the ObjectType GUID at runtime. Common alternatives:

Bit	File	Registry	Process	Service
0x01	ReadData / ListDirectory	KEY_QUERY_VALUE	PROCESS_TERMINATE	SERVICE_QUERY_CONFIG
0x02	WriteData / AddFile	KEY_SET_VALUE	PROCESS_CREATE_THREAD	SERVICE_CHANGE_CONFIG
0x04	AppendData / AddSubDir	KEY_CREATE_SUB_KEY	PROCESS_SET_SESSIONID	SERVICE_QUERY_STATUS
0x08	ReadEA	KEY_ENUMERATE_SUB_KEYS	PROCESS_VM_OPERATION	SERVICE_ENUMERATE_DEPENDENTS
0x10	WriteEA	KEY_NOTIFY	PROCESS_VM_READ	SERVICE_START
0x20	Execute / Traverse	KEY_CREATE_LINK	PROCESS_VM_WRITE	SERVICE_STOP

Standard rights are shared across all types: DELETE (0x10000), READ_CONTROL (0x20000), WRITE_DAC (0x40000), WRITE_OWNER (0x80000).

Detection Rules #

Security-Auditing Event ID 4657: A registry value was modified.OREvent ID 4688: A new process has been created.

Sigma # view in coverage

SAM Registry Hive Handle Request source high: Detects handles requested to SAM registry hive
SCM Database Handle Failure source medium: Detects non-system users failing to get a handle of the SCM database.
Password Dumper Activity on LSASS source high: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN

Show 3 more (6 total)

Sticky key sethc file failed replacement source high: Detects scenarios where an attacker failed to replace the original sethc.exe file by cmd.exe.
WinRM listening service reconnaissance (WS-Management) source medium: Detects scenarios where an attacker enumerates different remote WinRM listeners for lateral movement purposes.
CVE-2023-23397 Exploitation Attempt source critical: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.↳ also matches Event ID 4663: An attempt was made to access an object.

Elastic # view in coverage

LSASS Memory Dump Handle Access source medium: Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.

Splunk # view in coverage

Executable File Written to Disk (Windows Event Log) source: Detects when a potentially malicious file is written to the disk
File Written to Startup Folder - Windows (Windows Event Log) source: Adversaries may achieve persistence by adding a program to a startup folder. Adding an entry to the startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of…
Impacket atexec.py Temp File Creation (Windows Event Log) source: Impacket's atexec.py is a tool designed for executing commands on a target system via the Windows Task Scheduler to run arbitrary commands with the privileges of the account under which the scheduler is running, often providing a method…

Show 2 more (5 total)

LSASS Handle request (Windows Event Log) source: Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). This use case looks for lsass handle calls, without requiring process execution events as an…
Suspicious File written to Disk (Windows Event Log) source: Adversaries may transfer tools or other files from an external system into a compromised environment. As seen with Solorigate when backdoor activates, the executing process (usually SolarWinds.BusinessLayerHost.exe) creates two files on…

YARA-L # view in coverage

MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report source: Detects port forwarding being enabled using netsh command and registry settings created or modified in support of portproxy v4tov4↳ also matches Event ID 4657: A registry value was modified., Event ID 4688: A new process has been created.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4656
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4656_v1.yml
MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format
MS Learn KEY_* registry rights (winreg.h) https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights
MS Learn PROCESS_* access rights https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights

Event ID 4657: A registry value was modified.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Registry
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

This event generates when a registry key value was modified. It doesn't generate when a registry key was modified. This event generates only if "Set Value" auditing is set in registry key's SACL.

Message #

A registry value was modified.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Name: %5
	Object Value Name: %6
	Handle ID: %7
	Operation Type: %8

Process Information:
	Process ID: %13
	Process Name: %14

Change Information:
	Old Value Type: %9
	Old Value: %10
	New Value Type: %11
	New Value: %12

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that requested the "modify registry value" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "modify registry value" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`ObjectName` UnicodeString	Full path and name of the registry key which value was modified.	10 detection rules
`ObjectValueName` UnicodeString	The name of modified registry key value.	8 detection rules
`HandleId` Pointer	Hexadecimal value of a handle to Object Name.
`OperationType` UnicodeString	The type of performed operation with registry key value. Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time	1 detection rule
`OldValueType` UnicodeString	Old type of changed registry key value. Known values `%%1872` REG_NONE `%%1873` REG_SZ `%%1874` REG_EXPAND_SZ `%%1875` REG_BINARY `%%1876` REG_DWORD `%%1877` REG_DWORD_BIG_ENDIAN `%%1878` REG_LINK `%%1879` REG_MULTI_SZ (New lines are replaced with . A is replaced with **) `%%1880` REG_RESOURCE_LIST `%%1881` REG_FULL_RESOURCE_DESCRIPTOR `%%1882` REG_RESOURCE_REQUIREMENTS_LIST `%%1883` REG_QWORD
`OldValue` UnicodeString	Old value for changed registry key value.
`NewValueType` UnicodeString	New type of changed registry key value. Known values `%%1872` REG_NONE `%%1873` REG_SZ `%%1874` REG_EXPAND_SZ `%%1875` REG_BINARY `%%1876` REG_DWORD `%%1877` REG_DWORD_BIG_ENDIAN `%%1878` REG_LINK `%%1879` REG_MULTI_SZ (New lines are replaced with . A is replaced with **) `%%1880` REG_RESOURCE_LIST `%%1881` REG_FULL_RESOURCE_DESCRIPTOR `%%1882` REG_RESOURCE_REQUIREMENTS_LIST `%%1883` REG_QWORD
`NewValue` UnicodeString	New value for changed registry key value.	3 detection rules
`ProcessId` Pointer	Hexadecimal Process ID of the process through which the registry key value was modified.
`ProcessName` UnicodeString	Full path and the name of the executable for the process.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4657,
    "version": 0,
    "level": 0,
    "task": 12801,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:18:10.0945751+00:00",
    "event_record_id": 2171847,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 7324
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "cell-a",
    "SubjectLogonId": "0x333bffe",
    "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\WMI\\Autologger\\EventLog-System\\{d1bc9aff-2abf-4d71-9146-ecb2a986eb85}",
    "ObjectValueName": "MatchAnyKeyword",
    "HandleId": "0xb90",
    "OperationType": "%%1905",
    "OldValueType": "%%1883",
    "OldValue": "0x5200000000000000",
    "NewValueType": "%%1883",
    "NewValue": "0x5A00000000000000",
    "ProcessId": "0x66c",
    "ProcessName": "C:\\Windows\\System32\\svchost.exe"
  },
  "message": "A registry value was modified.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x333BFFE\r\n\r\nObject:\r\n\tObject Name:\t\t\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\WMI\\Autologger\\EventLog-System\\{d1bc9aff-2abf-4d71-9146-ecb2a986eb85}\r\n\tObject Value Name:\tMatchAnyKeyword\r\n\tHandle ID:\t\t0xb90\r\n\tOperation Type:\t\tExisting registry value modified\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x66c\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nChange Information:\r\n\tOld Value Type:\t\tREG_QWORD\r\n\tOld Value:\t\t0x5200000000000000\r\n\tNew Value Type:\t\tREG_QWORD\r\n\tNew Value:\t\t0x5A00000000000000"
}

Detection Patterns #

Event Log

11 rules

Splunk

Command Line Utility Added to Accessibility Features (Windows Event Log) (source)

Wow6432Node Classes Autorun Keys Modification (Windows Event Log) (source)

ComputerDefaults UAC Bypass (Windows Event Log) (source)

Show 8 more (11 total) on the rules page

Security-Auditing Event ID 4657: A registry value was modified.OREvent ID 4663: An attempt was made to access an object.ORSysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent

8 rules

Sigma

Detect Print Processors Registry Driver Key Creation/Modification (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Kusto

Detect Registry Run Key Creation/Modification (source)

Registry Run Keys - Suspicious Registry Run Keys (source)

Cyb3rMonk

Security-Auditing Event ID 4657: A registry value was modified.ORSysmon Event ID 13: RegistryEvent

7 rules

Kusto

Detect Print Processors Registry Driver Key Creation/Modification (source)

Detect Registry Run Key Creation/Modification (source)

Registry Run Keys - Suspicious Registry Run Keys (source)

Cyb3rMonk

Security-Auditing Event ID 4657: A registry value was modified.OREvent ID 4663: An attempt was made to access an object.

Defense Impairment: Modify Registry

2 rules

Sigma

Detect Registry Run Key Creation/Modification (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Kusto

Privilege Escalation: Bypass User Account Control

Security-Auditing Event ID 4657: A registry value was modified.ANDEvent ID 4688: A new process has been created.

1 rule

Kusto

Potential Fodhelper UAC Bypass (source)

Show All Detection Patterns

Collection: Audio Capture

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4657: A registry value was modified.OREvent ID 4663: An attempt was made to access an object.

1 rule

Sigma

Processes Accessing the Microphone and Webcam (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`RegistryValueSet`	4 rules	kusto
`EventType`	in	`RegistryKeyCreated`	5 rules	kusto
`EventType`	in	`RegistryValueSet`	5 rules	kusto
`Details`	eq	`DWORD (0x00000001)`	4 rules	chronicle, sigma
`Details`	eq	`0`	2 rules	elastic, sigma, splunk
`Details`	eq	`DWORD (0x00000000)`	2 rules	chronicle, sigma
`ParentImage`	ends_with	`cmd.exe`	2 rules	kusto
`ParentImage`	ends_with	`powershell.exe`	2 rules	kusto
`ParentImage`	ends_with	`powershell_ise.exe`	2 rules	kusto
`TargetObject`	contains	`\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run`	2 rules	chronicle
`TargetObject`	contains	`\\software\\microsoft\\windows\\currentversion\\run`	2 rules	chronicle
`TargetObject`	contains	`\\software\\wow6432node\\microsoft\\windows\\currentversion\\run`	2 rules	chronicle
`TargetObject`	contains	`software\\classes\\ms-settings\\shell\\open\\command`	2 rules	kusto
`signature_id`	contains	`4657`	2 rules	splunk
`CommandLine`	match	`(?i)(\s+ADD\s+.\/d.0)`	1 rule	splunk

Community Notes #

Requires AuditRegistry/SetValue SACL.

Detection Rules #

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4658: The handle to an object was closed.OREvent ID 4663: An attempt was made to access an object.

Sigma # view in coverage

ETW Logging Disabled In .NET Processes - Registry source high: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
NetNTLM Downgrade Attack source high: Detects NetNTLM downgrade attack
Windows Defender Exclusion List Modified source medium: Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.

Splunk # view in coverage

Executable Running as NT AUTHORITY_SYSTEM Registered in BAM (Windows Event Log) source: Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating…
Modify Registry Key (Windows Event Log) source: Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution
Suspicious Registry Key Created (Windows Event Log) source: Adversaries may achieve persistence by adding a program or referencing it with a Registry run key or by utilizing content triggered by Image File Execution Options (IFEO) debugger keys. Run keys may exist under multiple hives and IFEOs can…

Kusto # view in coverage

COM Registry Key Modified to Point to File in Color Profile Folder source medium: This query looks for changes to COM registry keys to point to files in C:\Windows\System32\spool\drivers\color. This can be used to enable COM hijacking for persistence. Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
Scheduled Task Hide source high: This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler. The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree registry hive as well as audit policy for registry auditing to be turned on. Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/
Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint) source: ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers.
Installation from an iso file don't require network connection most of the time. Activities deviating from these situations can be considered as highly suspicious. Below queries detects opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image.
All detections can be used seperately or combined together to generate a higher fidelity alert. Detect opening of a mounted image:↳ also matches Event ID 4663: An attempt was made to access an object.

YARA-L # view in coverage

Blackbyte Ransomware Registry source: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
CurrentControlSet Autorun Keys Modification source: Detects modification of autostart extensibility point (ASEP) in registry
CurrentVersion Autorun Keys Modification source: Detects modification of autostart extensibility point (ASEP) in registry

Show 12 more (15 total)

Default RDP Port Changed to Non Standard Port source: Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
Disable Internal Tools or Feature in Registry source: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
Modify User Shell Folders Startup Value source: Detect modification of the startup key to a path where a payload could be stored to be launched during startup
New RUN Key Pointing to Suspicious Folder source: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report source: Detects port forwarding being enabled using netsh command and registry settings created or modified in support of portproxy v4tov4↳ also matches Event ID 4656: A handle to an object was requested., Event ID 4688: A new process has been created.
Potential Credential Dumping Via LSASS SilentProcessExit Technique source: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
RDP Sensitive Settings Changed source: Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
RDP Sensitive Settings Changed to Zero source: Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
RestrictedAdminMode Registry Value Tampering source: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
Session Manager Autorun Keys Modification source: Detects modification of autostart extensibility point (ASEP) in registry
Suspicious Powershell In Registry Run Keys source: Detects potential PowerShell commands or code within registry run keys
Wdigest Enable UseLogonCredential source: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4657
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4657
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4657.yml

Event ID 4658: The handle to an object was closed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → File System
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.

Message #

The handle to an object was closed.

Subject :
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Handle ID: %6

Process Information:
	Process ID: %7
	Process Name: %8

Fields #

Name	Description
`SubjectUserSid`	SID of the account that closed the object handle.
`SubjectUserName`	Name of the account that closed the object handle.
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`ObjectServer`	Has "Security" value for this event.
`HandleId`	Hexadecimal handle to the object. Correlates with Event ID 4663.
`ProcessId`	Hexadecimal Process ID of the process that closed the handle.
`ProcessName`	Full path and the name of the executable for the process.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4658,
    "version": 0,
    "level": 0,
    "task": 12802,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:53.1097418+00:00",
    "event_record_id": 3213667,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4672
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-C$",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x3e7",
    "ObjectServer": "Security",
    "HandleId": "0x1150",
    "ProcessId": "0x1584",
    "ProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
  },
  "message": "The handle to an object was closed.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tHandle ID:\t\t0x1150\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1584\r\n\tProcess Name:\t\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
}

Detection Patterns #

1 rule

Sigma

Potential Secure Deletion with SDelete (source)

Thomas Patzke

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4658
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4658
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4658.yml

Event ID 4659: A handle to an object was requested with intent to delete.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A handle to an object was requested with intent to delete.

Message #

A handle to an object was requested with intent to delete.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6
	Object Name: %7
	Handle ID: %8

Process Information:
	Process ID: %13

Access Request Information:
	Transaction ID: %9
	Accesses: %10
	Access Mask: %11
	Privileges Used for Access Check: %12

Fields #

Name	Description
`SubjectUserSid` SID	SID of account to which special privileges were assigned.
`SubjectUserName` UnicodeString	The name of the account to which special privileges were assigned.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`ObjectServer` UnicodeString	Contains the name of the Windows subsystem calling the routine.
`ObjectType` UnicodeString	The type of an object that was accessed during the operation.
`ObjectName` UnicodeString	The name of the object that was accessed during the operation.
`HandleId` Pointer	Hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID.
`TransactionId` GUID	Unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID.
`AccessList` UnicodeString	[Access Request Information] Accesses.
`AccessMask` HexInt32	The desired access mask. This mask depends on Object Server and Object Type parameters values. The value of this parameter is in decimal format. There is no detailed information about this parameter in this document. If Desired Access is not presented, then this parameter will have “0” value. Access mask reference Bitmask flags `0x80000000` GENERIC_READ `0x40000000` GENERIC_WRITE `0x20000000` GENERIC_EXECUTE `0x10000000` GENERIC_ALL `0x02000000` MAXIMUM_ALLOWED `0x01000000` ACCESS_SYSTEM_SECURITY `0x00100000` SYNCHRONIZE `0x00080000` WRITE_OWNER `0x00040000` WRITE_DAC `0x00020000` READ_CONTROL `0x00010000` DELETE `0x00000001` FILE_READ_DATA / FILE_LIST_DIRECTORY (file/dir); KEY_QUERY_VALUE (registry); ACTRL_DS_CREATE_CHILD (AD DS); SERVICE_QUERY_CONFIG (service) `0x00000002` FILE_WRITE_DATA / FILE_ADD_FILE (file/dir); KEY_SET_VALUE (registry); ACTRL_DS_DELETE_CHILD (AD DS); SERVICE_CHANGE_CONFIG (service) `0x00000004` FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY (file/dir); KEY_CREATE_SUB_KEY (registry); ACTRL_DS_LIST / DS_LIST_CONTENTS (AD DS); SERVICE_QUERY_STATUS (service) `0x00000008` FILE_READ_EA (file/dir); KEY_ENUMERATE_SUB_KEYS (registry); ACTRL_DS_SELF / DS_WRITE_PROPERTY_EXTENDED (AD DS); SERVICE_ENUMERATE_DEPENDENTS (service) `0x00000010` FILE_WRITE_EA (file/dir); KEY_NOTIFY (registry); ACTRL_DS_READ_PROP / DS_READ_PROPERTY (AD DS); SERVICE_START (service) `0x00000020` FILE_EXECUTE / FILE_TRAVERSE (file/dir); KEY_CREATE_LINK (registry); ACTRL_DS_WRITE_PROP / DS_WRITE_PROPERTY (AD DS); SERVICE_STOP (service) `0x00000040` FILE_DELETE_CHILD (file/dir); ACTRL_DS_DELETE_TREE (AD DS); SERVICE_PAUSE_CONTINUE (service) `0x00000080` FILE_READ_ATTRIBUTES (file/dir); ACTRL_DS_LIST_OBJECT (AD DS); SERVICE_INTERROGATE (service) `0x00000100` FILE_WRITE_ATTRIBUTES (file/dir); ACTRL_DS_CONTROL_ACCESS / DS_CONTROL_ACCESS (AD DS); SERVICE_USER_DEFINED_CONTROL (service); KEY_WOW64_64KEY (registry redirector; winnt.h) `0x00000200` KEY_WOW64_32KEY (registry redirector; winnt.h) `0x00000800` PROCESS_SUSPEND_RESUME (process; NtSuspendProcess / NtResumeProcess); also aliased as PROCESS_SET_PORT in legacy NT native headers; THREAD_QUERY_LIMITED_INFORMATION (thread) `0x00001000` PROCESS_QUERY_LIMITED_INFORMATION (process; subset query for protected-process scenarios; Vista+); THREAD_RESUME (thread) `0x00002000` PROCESS_SET_LIMITED_INFORMATION (process; write-side counterpart to QUERY_LIMITED_INFORMATION; not in MS Learn docs but defined in winnt.h and confirmed in System Informer / Process Hacker headers); not assigned for thread objects
`PrivilegeList` UnicodeString	[Access Request Information] Privileges Used for Access Check. Privilege constants reference
`ProcessId` Pointer	[Process Information] Process ID.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4659,
    "version": 0,
    "level": 0,
    "task": 12800,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T13:41:33.7880533+00:00",
    "event_record_id": 1217672,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 452
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-20",
    "SubjectUserName": "TELEMETRY-DC-D$",
    "SubjectDomainName": "cell-d",
    "SubjectLogonId": "0x3e4",
    "ObjectServer": "Security",
    "ObjectType": "File",
    "ObjectName": "C:\\Windows\\System32\\dhcp\\tmp.edb",
    "HandleId": "0x0",
    "TransactionId": "{00000000-0000-0000-0000-000000000000}",
    "AccessList": "-",
    "AccessMask": "0x0",
    "PrivilegeList": "-",
    "ProcessId": "0xd80"
  },
  "message": "A handle to an object was requested with intent to delete.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-20\r\n\tAccount Name:\t\tTELEMETRY-DC-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x3E4\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tObject Type:\tFile\r\n\tObject Name:\tC:\\Windows\\System32\\dhcp\\tmp.edb\r\n\tHandle ID:\t0x0\r\n\r\nProcess Information:\r\n\tProcess ID:\t0xd80\r\n\r\nAccess Request Information:\r\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}\r\n\tAccesses:\t-\r\n\tAccess Mask:\t0x0\r\n\tPrivileges Used for Access Check:\t-"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4659
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4659
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4659.yml
MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format
MS Learn KEY_* registry rights (winreg.h) https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights

Event ID 4660: An object was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → File System
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates when an object was deleted. The object could be a file system, kernel, or registry object.

Message #

An object was deleted.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Handle ID: %6

Process Information:
	Process ID: %7
	Process Name: %8
	Transaction ID: %9

Fields #

Name	Description
`SubjectUserSid`	SID of the account that requested object deletion.
`SubjectUserName`	Name of the account that requested object deletion.
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`ObjectServer`	Has "Security" value for this event.
`HandleId`	Hexadecimal handle to the object. Correlates with Event ID 4663.
`ProcessId`	Hexadecimal Process ID of the process that deleted the object.
`ProcessName`	Full path and the name of the executable for the process.
`TransactionId`	GUID of the transaction. Correlates with Event ID 4656.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4660,
    "version": 0,
    "level": 0,
    "task": 12801,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:51:26.7923275+00:00",
    "event_record_id": 1904870,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 2564
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-A$",
    "SubjectDomainName": "cell-a",
    "SubjectLogonId": "0x3e7",
    "ObjectServer": "Security",
    "HandleId": "0x1e8",
    "ProcessId": "0x1f9c",
    "ProcessName": "C:\\Windows\\System32\\wevtutil.exe",
    "TransactionId": "{00000000-0000-0000-0000-000000000000}"
  },
  "message": "An object was deleted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tHandle ID:\t0x1e8\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x1f9c\r\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\r\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}"
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`RegistryKeyCreated`	5 rules	kusto
`EventType`	in	`RegistryValueSet`	5 rules	kusto
`ParentImage`	ends_with	`cmd.exe`	1 rule	kusto
`ParentImage`	ends_with	`powershell.exe`	1 rule	kusto
`ParentImage`	ends_with	`powershell_ise.exe`	1 rule	kusto
`TargetObject`	contains	`software\\classes\\ms-settings\\shell\\open\\command`	1 rule	kusto

Community Notes #

Could be a filesystem, kernel, or registry object. Does not track names, but is generated only during real deletes (pair with 4663).

Detection Rules #

SecretsDump Credential Harvest (Windows Event Log) (source)

Kusto # view in coverage

Potential Fodhelper UAC Bypass (ASIM Version) source medium: This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.↳ also matches Event ID 4657: A registry value was modified., Event ID 4663: An attempt was made to access an object.
Detect Print Processors Registry Driver Key Creation/Modification source medium: This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary.↳ also matches Event ID 4657: A registry value was modified., Event ID 4663: An attempt was made to access an object.
Detect Registry Run Key Creation/Modification source medium: This analytic rule detects any registry value or key creation in the registry run keys. This could be an indication of a persistence attempt by an adversary.↳ also matches Event ID 4657: A registry value was modified., Event ID 4663: An attempt was made to access an object.

Show 2 more (5 total)

Detect Windows Allow Firewall Rule Addition/Modification source medium: This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host.↳ also matches Event ID 4657: A registry value was modified., Event ID 4663: An attempt was made to access an object.
Detect Windows Update Disabled from Registry source medium: This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host.↳ also matches Event ID 4657: A registry value was modified., Event ID 4663: An attempt was made to access an object.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4660
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4660
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4660.yml

Event ID 4661: A handle to an object was requested.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → SAM
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object. If access was declined, then Failure event is generated. This event generates only if Success auditing is enabled for the Audit Handle Manipulation subcategory.

Message #

A handle to an object was requested.

Subject :
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6
	Object Name: %7
	Handle ID: %8

Process Information:
	Process ID: %15
	Process Name: %16

Access Request Information:
	Transaction ID: %9
	Accesses: %10
	Access Mask: %11
	Privileges Used for Access Check: %12
	Properties: %13
	Restricted SID Count: %14

Fields #

Name	Description	Rules
`SubjectUserSid`	SID of account that requested a handle to an object.	1 detection rule
`SubjectUserName`	The name of the account that requested a handle to an object.	6 detection rules
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`ObjectServer`	Has "Security Account Manager" value for this event.	7 detection rules
`ObjectType`	The type or class of the object that was accessed.	13 detection rules
`ObjectName`	The name of an object for which access was requested.	29 detection rules
`HandleId`	Hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "4662: An operation was performed on an object." This parameter might not be captured in the event, and in that case appears as "0x0".
`TransactionId`	Unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same the Transaction ID, such as "4660(S): An object was deleted."
`AccessList`	The list of access rights which were requested by Subject\Security ID. These access rights depend on Object Type.	5 detection rules
`AccessReason`
`AccessMask`	Hexadecimal mask for the operation that was requested or performed. Bitmask flags `0x80000000` GENERIC_READ `0x40000000` GENERIC_WRITE `0x20000000` GENERIC_EXECUTE `0x10000000` GENERIC_ALL `0x02000000` MAXIMUM_ALLOWED `0x01000000` ACCESS_SYSTEM_SECURITY `0x00100000` SYNCHRONIZE `0x00080000` WRITE_OWNER `0x00040000` WRITE_DAC `0x00020000` READ_CONTROL `0x00010000` DELETE `0x00000001` FILE_READ_DATA / FILE_LIST_DIRECTORY (file/dir); KEY_QUERY_VALUE (registry); ACTRL_DS_CREATE_CHILD (AD DS); SERVICE_QUERY_CONFIG (service) `0x00000002` FILE_WRITE_DATA / FILE_ADD_FILE (file/dir); KEY_SET_VALUE (registry); ACTRL_DS_DELETE_CHILD (AD DS); SERVICE_CHANGE_CONFIG (service) `0x00000004` FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY (file/dir); KEY_CREATE_SUB_KEY (registry); ACTRL_DS_LIST / DS_LIST_CONTENTS (AD DS); SERVICE_QUERY_STATUS (service) `0x00000008` FILE_READ_EA (file/dir); KEY_ENUMERATE_SUB_KEYS (registry); ACTRL_DS_SELF / DS_WRITE_PROPERTY_EXTENDED (AD DS); SERVICE_ENUMERATE_DEPENDENTS (service) `0x00000010` FILE_WRITE_EA (file/dir); KEY_NOTIFY (registry); ACTRL_DS_READ_PROP / DS_READ_PROPERTY (AD DS); SERVICE_START (service) `0x00000020` FILE_EXECUTE / FILE_TRAVERSE (file/dir); KEY_CREATE_LINK (registry); ACTRL_DS_WRITE_PROP / DS_WRITE_PROPERTY (AD DS); SERVICE_STOP (service) `0x00000040` FILE_DELETE_CHILD (file/dir); ACTRL_DS_DELETE_TREE (AD DS); SERVICE_PAUSE_CONTINUE (service) `0x00000080` FILE_READ_ATTRIBUTES (file/dir); ACTRL_DS_LIST_OBJECT (AD DS); SERVICE_INTERROGATE (service) `0x00000100` FILE_WRITE_ATTRIBUTES (file/dir); ACTRL_DS_CONTROL_ACCESS / DS_CONTROL_ACCESS (AD DS); SERVICE_USER_DEFINED_CONTROL (service); KEY_WOW64_64KEY (registry redirector; winnt.h) `0x00000200` KEY_WOW64_32KEY (registry redirector; winnt.h) `0x00000800` PROCESS_SUSPEND_RESUME (process; NtSuspendProcess / NtResumeProcess); also aliased as PROCESS_SET_PORT in legacy NT native headers; THREAD_QUERY_LIMITED_INFORMATION (thread) `0x00001000` PROCESS_QUERY_LIMITED_INFORMATION (process; subset query for protected-process scenarios; Vista+); THREAD_RESUME (thread) `0x00002000` PROCESS_SET_LIMITED_INFORMATION (process; write-side counterpart to QUERY_LIMITED_INFORMATION; not in MS Learn docs but defined in winnt.h and confirmed in System Informer / Process Hacker headers); not assigned for thread objects	1 detection rule
`PrivilegeList`	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-".
`Properties` UnicodeString	Depends on Object Type. This field can be empty or contain the list of the object properties that were accessed. See more detailed information in "4661: A handle to an object was requested" from Audit SAM subcategory.	10 detection rules
`RestrictedSidCount`	Number of restricted SIDs in the token. Applicable to only specific Object Types.
`ProcessId`	Hexadecimal Process ID of the process that requested the handle. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
`ProcessName`	Full path and the name of the executable for the process.	6 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4661,
    "version": 1,
    "level": 0,
    "task": 12803,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T10:41:36.4583208+00:00",
    "event_record_id": 2050112,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 5376
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-A$",
    "SubjectDomainName": "cell-a",
    "SubjectLogonId": "0x3e7",
    "ObjectServer": "Security Account Manager",
    "ObjectType": "SAM_DOMAIN",
    "ObjectName": "DC=cell-a,DC=ludus,DC=domain",
    "HandleId": "0x2cb76f9d840",
    "TransactionId": "{00000000-0000-0000-0000-000000000000}",
    "AccessList": "%%1537\n\t\t\t\t%%1538\n\t\t\t\t%%1539\n\t\t\t\t%%1540\n\t\t\t\t%%5392\n\t\t\t\t%%5394\n\t\t\t\t%%5395\n\t\t\t\t%%5396\n\t\t\t\t%%5397\n\t\t\t\t%%5398\n\t\t\t\t%%5399\n\t\t\t\t%%5400\n\t\t\t\t",
    "AccessReason": "-",
    "AccessMask": "0xf01fd",
    "PrivilegeList": "-",
    "Properties": "---\n\t{19195a5a-6da0-11d0-afd3-00c04fd930c9}\n%%1537\n%%1538\n%%1539\n%%1540\n%%5392\n%%5394\n%%5395\n%%5396\n%%5397\n%%5398\n%%5399\n%%5400\n\t\t{c7407360-20bf-11d0-a768-00aa006e0529}\n\t\t\t{bf9679a4-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf9679a5-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf9679a6-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf9679bb-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf9679c2-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf9679c3-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf967a09-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf967a0b-0de6-11d0-a285-00aa003049e2}\n\t\t{b8119fd0-04f6-4762-ab7a-4986c76b3f9a}\n\t\t\t{bf967a34-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf967a33-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf9679c5-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf967a61-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf967977-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf96795e-0de6-11d0-a285-00aa003049e2}\n\t\t\t{bf9679ea-0de6-11d0-a285-00aa003049e2}\n\t\t{ab721a52-1e2f-11d0-9819-00aa0040529b}\n",
    "RestrictedSidCount": "0",
    "ProcessId": "0x32c",
    "ProcessName": "C:\\Windows\\System32\\lsass.exe"
  },
  "message": "A handle to an object was requested.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\tSecurity Account Manager\r\n\tObject Type:\tSAM_DOMAIN\r\n\tObject Name:\tDC=cell-a,DC=ludus,DC=domain\r\n\tHandle ID:\t0x2cb76f9d840\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x32c\r\n\tProcess Name:\tC:\\Windows\\System32\\lsass.exe\r\n\r\nAccess Request Information:\r\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}\r\n\tAccesses:\tDELETE\r\n\t\t\t\tREAD_CONTROL\r\n\t\t\t\tWRITE_DAC\r\n\t\t\t\tWRITE_OWNER\r\n\t\t\t\tReadPasswordParameters\r\n\t\t\t\tReadOtherParameters\r\n\t\t\t\tWriteOtherParameters\r\n\t\t\t\tCreateUser\r\n\t\t\t\tCreateGlobalGroup\r\n\t\t\t\tCreateLocalGroup\r\n\t\t\t\tGetLocalGroupMembership\r\n\t\t\t\tListAccounts\r\n\t\t\t\t\r\n\tAccess Reasons:\t\t-\r\n\tAccess Mask:\t0xF01FD\r\n\tPrivileges Used for Access Check:\t-\r\n\tProperties:\t---\r\n\t{19195a5a-6da0-11d0-afd3-00c04fd930c9}\r\nDELETE\r\nREAD_CONTROL\r\nWRITE_DAC\r\nWRITE_OWNER\r\nReadPasswordParameters\r\nReadOtherParameters\r\nWriteOtherParameters\r\nCreateUser\r\nCreateGlobalGroup\r\nCreateLocalGroup\r\nGetLocalGroupMembership\r\nListAccounts\r\n\t\t{c7407360-20bf-11d0-a768-00aa006e0529}\r\n\t\t\t{bf9679a4-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679a5-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679a6-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679bb-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679c2-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679c3-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a09-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a0b-0de6-11d0-a285-00aa003049e2}\r\n\t\t{b8119fd0-04f6-4762-ab7a-4986c76b3f9a}\r\n\t\t\t{bf967a34-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a33-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679c5-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a61-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967977-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf96795e-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679ea-0de6-11d0-a285-00aa003049e2}\r\n\t\t{ab721a52-1e2f-11d0-9819-00aa0040529b}\r\n\r\n\tRestricted SID Count:\t0"
}

Detection Patterns #

Credential Access: Security Account Manager

1 rule

Splunk

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`ObjectServer`	eq	`Security Account Manager`	7 rules	sigma
`process_name`	ends_with	`\lsass.exe`	6 rules	sigma
`ObjectName`	ends_with	`-500`	3 rules	sigma
`ObjectName`	ends_with	`-512`	3 rules	sigma
`ObjectName`	starts_with	`S-1-5-21-`	5 rules	sigma
`ObjectName`	starts_with	`S-1-5-32-`	3 rules	sigma
`ObjectName`	starts_with	`DC=`	2 rules	sigma
`ObjectType`	eq	`SAM_USER`	5 rules	sigma
`ObjectType`	eq	`SAM_GROUP`	4 rules	sigma
`ObjectType`	eq	`SAM_DOMAIN`	2 rules	sigma
`AccessList`	contains	`%%5392`	2 rules	sigma
`AccessList`	contains	`%%5447`	2 rules	sigma
`Authentication_Package`	eq	`NTLM`	1 rule	splunk
`SubjectUserSid`	eq	`S-1-5-18`	1 rule	elastic, sigma, splunk
`signature_id`	match	`(?i)4624`	1 rule	splunk

Community Notes #

May indicate BloodHound-style LDAP reads.

This event covers SAM object handle requests. The default bitmask shown uses SAM_DOMAIN rights (the most commonly audited SAM object type). Bits 0x01–0x0400 vary by SAM object subtype:

Bit	SAM_SERVER	SAM_DOMAIN	SAM_GROUP	SAM_ALIAS	SAM_USER
0x01	ConnectToServer	ReadPasswordParameters	ReadInformation	AddMember	ReadGeneralInformation
0x02	ShutdownServer	WritePasswordParameters	WriteAccount	RemoveMember	ReadPreferences
0x04	InitializeServer	ReadOtherParameters	AddMember	ListMembers	WritePreferences
0x08	CreateDomain	WriteOtherParameters	RemoveMember	ReadInformation	ReadLogon
0x10	EnumerateDomains	CreateUser	ListMembers	WriteAccount	ReadAccount
0x20	LookupDomain	CreateGlobalGroup	—	—	WriteAccount

Standard rights are shared: DELETE (0x10000), READ_CONTROL (0x20000), WRITE_DAC (0x40000), WRITE_OWNER (0x80000).

Detection Rules #

Security-Auditing Event ID 4662: An operation was performed on an object.OREvent ID 5136: A directory service object was modified.OREvent ID 5137: A directory service object was created.

Sigma # view in coverage

AD Privileged Users or Groups Reconnaissance source high: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
Password Policy Enumerated source medium: Detects when the password policy is enumerated.
Reconnaissance Activity source high: Detects activity as "net user administrator /domain" and "net group domain admins /domain"

Show 6 more (9 total)

Potential SAM database user credentials dumped with DCshadow source high: Detects scenarios where an attacker would dump user passwords using the DCshadow attack.
SAM database user credentials dump with Mimikatz source high: Detects scenarios where an attacker dump the LSASS memory content using Mimikatz (sekurlsa module).
Massive SAM users/groups enumeration (native) source informational: Detects scenarios where an attacker attempts to enumerate sensitive domain users/groups settings and membership. Correlate TargetLogonId from ID 4624 with SubjectLogonId from ID 4661 to identify the source of the enumeration.
Sensitive SAM domain user & groups discovery (native) source high: Detects scenarios where an attacker attempts to enumerate sensitive domain group settings and membership.
Local domain group enumeration source high: Detects scenarios where an attacker attempts to enumerate domain local groups with tools like CME (--local-groups).
Domain password policy enumeration source high: Detects scenarios where an attacker attempts to enumerate the domain password policy with native commands or tools like CME (--pass-pol).

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sam
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4661
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4661.yml
MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format

Event ID 4662: An operation was performed on an object.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Directory Service Access
Collection Priority: Recommended (mdecrevoisier, others)
Opcode: Info

Description

This event generates every time when an operation was performed on an Active Directory object. This event generates only if appropriate SACL was set for Active Directory object and performed operation meets this SACL. If operation failed then Failure event will be generated. You will get one 4662 for each operation type which was performed.

Message #

An operation was performed on an object.

Subject :
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6
	Object Name: %7
	Handle ID: %9

Operation:
	Operation Type: %8
	Accesses: %10
	Access Mask: %11
	Properties: %12

Additional Information:
	Parameter 1: %13
	Parameter 2: %14

Fields #

Name	Description	Rules
`SubjectUserSid`	SID of account that requested the operation.	1 detection rule
`SubjectUserName`	The name of the account that requested the operation.	11 detection rules
`SubjectDomainName`	Subject's domain or computer name.	1 detection rule
`SubjectLogonId`	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`ObjectServer`	Has "DS" value for this event.	5 detection rules
`ObjectType`	Type or class of the object that was accessed.	7 detection rules
`ObjectName`	Distinguished name of the object that was accessed.	25 detection rules
`OperationType`	The type of operation which was performed on an object. Typically has "Object Access" value for this event.	3 detection rules
`HandleId`	Hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "4661: A handle to an object was requested." This parameter might not be captured in the event, and in that case appears as "0x0".
`AccessList`	The type of access used for the operation.
`AccessMask`	Hexadecimal mask for the type of access used for the operation. See. Bitmask flags `0x80000000` GENERIC_READ `0x40000000` GENERIC_WRITE `0x20000000` GENERIC_EXECUTE `0x10000000` GENERIC_ALL `0x02000000` MAXIMUM_ALLOWED `0x01000000` ACCESS_SYSTEM_SECURITY `0x00100000` SYNCHRONIZE `0x00080000` WRITE_OWNER `0x00040000` WRITE_DAC `0x00020000` READ_CONTROL `0x00010000` DELETE `0x00000001` FILE_READ_DATA / FILE_LIST_DIRECTORY (file/dir); KEY_QUERY_VALUE (registry); ACTRL_DS_CREATE_CHILD (AD DS); SERVICE_QUERY_CONFIG (service) `0x00000002` FILE_WRITE_DATA / FILE_ADD_FILE (file/dir); KEY_SET_VALUE (registry); ACTRL_DS_DELETE_CHILD (AD DS); SERVICE_CHANGE_CONFIG (service) `0x00000004` FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY (file/dir); KEY_CREATE_SUB_KEY (registry); ACTRL_DS_LIST / DS_LIST_CONTENTS (AD DS); SERVICE_QUERY_STATUS (service) `0x00000008` FILE_READ_EA (file/dir); KEY_ENUMERATE_SUB_KEYS (registry); ACTRL_DS_SELF / DS_WRITE_PROPERTY_EXTENDED (AD DS); SERVICE_ENUMERATE_DEPENDENTS (service) `0x00000010` FILE_WRITE_EA (file/dir); KEY_NOTIFY (registry); ACTRL_DS_READ_PROP / DS_READ_PROPERTY (AD DS); SERVICE_START (service) `0x00000020` FILE_EXECUTE / FILE_TRAVERSE (file/dir); KEY_CREATE_LINK (registry); ACTRL_DS_WRITE_PROP / DS_WRITE_PROPERTY (AD DS); SERVICE_STOP (service) `0x00000040` FILE_DELETE_CHILD (file/dir); ACTRL_DS_DELETE_TREE (AD DS); SERVICE_PAUSE_CONTINUE (service) `0x00000080` FILE_READ_ATTRIBUTES (file/dir); ACTRL_DS_LIST_OBJECT (AD DS); SERVICE_INTERROGATE (service) `0x00000100` FILE_WRITE_ATTRIBUTES (file/dir); ACTRL_DS_CONTROL_ACCESS / DS_CONTROL_ACCESS (AD DS); SERVICE_USER_DEFINED_CONTROL (service); KEY_WOW64_64KEY (registry redirector; winnt.h) `0x00000200` KEY_WOW64_32KEY (registry redirector; winnt.h) `0x00000800` PROCESS_SUSPEND_RESUME (process; NtSuspendProcess / NtResumeProcess); also aliased as PROCESS_SET_PORT in legacy NT native headers; THREAD_QUERY_LIMITED_INFORMATION (thread) `0x00001000` PROCESS_QUERY_LIMITED_INFORMATION (process; subset query for protected-process scenarios; Vista+); THREAD_RESUME (thread) `0x00002000` PROCESS_SET_LIMITED_INFORMATION (process; write-side counterpart to QUERY_LIMITED_INFORMATION; not in MS Learn docs but defined in winnt.h and confirmed in System Informer / Process Hacker headers); not assigned for thread objects	13 detection rules
`Properties` UnicodeString	First part is the type of access that was used. Typically has the same value as Accesses field.	18 detection rules
`AdditionalInfo`	-.	9 detection rules
`AdditionalInfo2`	-.	1 detection rule

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4662,
    "version": 0,
    "level": 0,
    "task": 14080,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T13:57:43.3452684+00:00",
    "event_record_id": 2879213,
    "correlation": {},
    "execution": {
      "process_id": 816,
      "thread_id": 964
    },
    "channel": "Security",
    "computer": "telemetry-DC-b.cell-b.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-B$",
    "SubjectDomainName": "cell-b",
    "SubjectLogonId": "0x32e4a1",
    "ObjectServer": "DS",
    "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    "ObjectName": "%{58cf85bf-775e-4cbe-91aa-4314eea73f75}",
    "OperationType": "Object Access",
    "HandleId": "0x0",
    "AccessList": "%%7688\n\t\t\t\t",
    "AccessMask": "0x100",
    "Properties": "%%7688\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\n",
    "AdditionalInfo": "-",
    "AdditionalInfo2": ""
  },
  "message": "An operation was performed on an object.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-B$\r\n\tAccount Domain:\t\tcell-b\r\n\tLogon ID:\t\t0x32E4A1\r\n\r\nObject:\r\n\tObject Server:\t\tDS\r\n\tObject Type:\t\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n\tObject Name:\t\t%{58cf85bf-775e-4cbe-91aa-4314eea73f75}\r\n\tHandle ID:\t\t0x0\r\n\r\nOperation:\r\n\tOperation Type:\t\tObject Access\r\n\tAccesses:\t\tControl Access\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x100\r\n\tProperties:\t\tControl Access\r\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n\r\n\r\nAdditional Information:\r\n\tParameter 1:\t\t-\r\n\tParameter 2:\t\t"
}

Detection Patterns #

Kerberos Coercion Via DNS

3 rules

Sigma

Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation (source)

Swachchhanda Shrawan Poudel (Nextron Systems)

Elastic

Potential Kerberos Coercion via DNS-Based SPN Spoofing (source)

Elastic

Splunk

Security-Auditing Event ID 4662: An operation was performed on an object.OREvent ID 5137: A directory service object was created.

Raven Tait, Splunk

Kerberos Coercion Via DNS

3 rules

Sigma

Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation (source)

Swachchhanda Shrawan Poudel (Nextron Systems)

Elastic

Potential Kerberos Coercion via DNS-Based SPN Spoofing (source)

Elastic

Splunk

Security-Auditing Event ID 4624: An account was successfully logged on.ANDEvent ID 4662: An operation was performed on an object.

Raven Tait, Splunk

AD Replication Request Initiated

3 rules

Splunk

Windows AD Replication Request Initiated by User Account (source)

Dean Luxton

Windows AD Replication Request Initiated from Unsanctioned Location (source)

Dean Luxton

Kusto

Non Domain Controller Active Directory Replication (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Properties`	contains	`1131f6aa-9c07-11d1-f79f-00c04fc2dcd2`	6 rules	elastic, kusto, sigma
`Properties`	contains	`1131f6ad-9c07-11d1-f79f-00c04fc2dcd2`	6 rules	elastic, kusto, sigma
`Properties`	contains	`89e95b76-444d-4c62-991a-0facbeda640c`	6 rules	elastic, kusto, sigma
`Properties`	contains	`612cb747-c0e8-4f92-9221-fdd5f15b550d`	2 rules	elastic, sigma
`Properties`	contains	`9923a32a-3607-11d2-b9be-0000f87a36b2`	2 rules	sigma
`Properties`	contains	`b3f93023-9239-4f7c-b99c-6745d87adbc2`	2 rules	elastic, sigma
`Properties`	contains	`b7ff5a38-0818-42b0-8110-d3d154c97f24`	2 rules	elastic, sigma
`Properties`	contains	`b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7`	2 rules	elastic, sigma
`AccessMask`	eq	`0x100`	5 rules	elastic, sigma, splunk
`AccessMask`	eq	`0x40000`	2 rules	elastic, sigma
`ObjectServer`	eq	`DS`	5 rules	kusto, sigma
`ObjectClass`	eq	`dnsNode`	2 rules	elastic, sigma, splunk
`ObjectType`	in	`%{19195a5b-6da0-11d0-afd3-00c04fd930c9}`	2 rules	splunk
`ObjectType`	in	`domainDNS`	2 rules	splunk
`OperationType`	eq	`Object Access`	2 rules	kusto, sigma

Community Notes #

Operation on AD object, may indicate enum of domain trusts, OUs, SPNs, ACLs. Also logged when an attacker uses mimikatz or similar to extract the DPAPI Domain Backup Key.

Detection Rules #

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4663: An attempt was made to access an object.

Sigma # view in coverage

AD Object WriteDAC Access source critical: Detects WRITE_DAC access to a domain object
Active Directory Replication from Non Machine Account source critical: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
Potential AD User Enumeration From Non-Machine Account source medium: Detects read access to a domain user from a non-machine account

Show 9 more (12 total)

Mimikatz DC Sync source high: Detects Mimikatz DC sync security events
DPAPI Domain Backup Key Extraction source high: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
WMI Persistence - Security source medium: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
Suspicious Active Directory DPAPI attributes accessed (Mimikatz, DCSync, RiskySPN) source informational: Detects scenarios where an attacker attempts to extract sensitive DPAPI information from Active Directory (RiskySPN PowerShell tool, DCSync and Mimikatz may also trigger this rule).
Group Managed Service Accounts password dump - GoldenGMSA source high: Detects scenarios where an attacker attempts to dump Group Managed Services account (GMSA) passwords stored on writable domain controllers.
Domain group enumeration source high: Detects scenarios where an attacker enumerates domain group with tools like CME (--groups).
Active Directory honeypot enumerated by a suspicious host (Bloodhound) source high: Detects scenarios where an attacker is attempting to discover sensitive accounts using tools like Bloodhound. To find out the source of the enumeration, correlate the SubjectLogonId from ID 4662 with TargetLogonId from ID 4624.
Replication privileges accessed to perform DCSync attack source high: Detects scenarios where an attacker use DCSync or SecretDump tool to exfiltrate Active Directory credentials
Account accessed to attributes related to DCshadow source high: Detects scenarios where an attacker accessed attributes related to DCshadow attack in order to create a fake domain controller.

Elastic # view in coverage

First Time Seen Account Performing DCSync source high: This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.
Potential Credential Access via DCSync source medium: This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.
Access to a Sensitive LDAP Attribute source medium: Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.

Show 2 more (5 total)

Suspicious Access to LDAP Attributes source low: Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.
WRITEDAC Access on Active Directory Object source low: Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence.

Splunk # view in coverage

Windows AD Abnormal Object Access Activity source: The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns,…
Windows AD Privileged Object Access Activity source: The following analytic detects access attempts to privileged Active Directory objects, such as Domain Admins or Enterprise Admins. It leverages Windows Security Event Code 4662 to identify when these sensitive objects are accessed. This…
Excessive DRSGetNCChanges Requests (Windows Event Log) source: Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API) to simulate the replication process from a remote domain controller using a…

Show 1 more (4 total)

Potential DCSync (Windows Event Log) source: Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API) to simulate the replication process from a remote domain controller using a…

Kusto # view in coverage

ADFS DKM Master Key Export source medium: Identifies an export of the ADFS DKM Master Key from Active Directory. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, https://cloud.google.com/blog/topics/threat-intelligence/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor To understand further the details behind this detection, please review the details in the original PR and subequent PR update to this: https://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469 https://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339
Large number of AD objects accessed by user source: This query detects a user accessing a large number of Group and User objects from Active Directory which is outside the baseline of normal behavior for that particular user.
Shadow Credentials Added to Account (Alternative) source: This query searches for modifications to the 'msDS-KeyCredentialLink' property in Active Directory. There are two different events which contain information to detect such changes: 5136 and 4662. This detection uses the 4662, which is an alternative if 5136 is not available.

YARA-L # view in coverage

ADFS DKM Key Access source: Detects access to the AD contact object to read the AD FS DKM (distributed key manager) master key value↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-access
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4662
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4662.yml
MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format

Event ID 4663: An attempt was made to access an object.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → File System
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.

Message #

An attempt was made to access an object.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6
	Object Name: %7
	Handle ID: %8

Process Information:
	Process ID: %11
	Process Name: %12

Access Request Information:
	Accesses: %9
	Access Mask: %10

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of the account that accessed the object.
`SubjectUserName` UnicodeString	Name of the account that accessed the object.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`ObjectServer` UnicodeString	Has "Security" value for this event.	1 detection rule
`ObjectType` UnicodeString	Type of the object that was accessed. Known values `File` File-system file or directory `Key` Registry key `SAM_DOMAIN` Security Account Manager domain object `SAM_USER` Security Account Manager user account object `SAM_GROUP` Security Account Manager global group object `SAM_ALIAS` Security Account Manager local group (alias) object `SAM_SERVER` Security Account Manager server object `Token` Access token object `Process` Process object `Thread` Thread object	5 detection rules
`ObjectName` UnicodeString	Name and identifying information for the object. For files, includes the full path.	33 detection rules
`HandleId` Pointer	Hexadecimal handle to the object. Correlates with Event ID 4656.
`AccessList` UnicodeString	Access rights used.	5 detection rules
`AccessMask` HexInt32	Hexadecimal access mask for the requested operation. Access mask reference Bitmask flags `0x80000000` GENERIC_READ `0x40000000` GENERIC_WRITE `0x20000000` GENERIC_EXECUTE `0x10000000` GENERIC_ALL `0x02000000` MAXIMUM_ALLOWED `0x01000000` ACCESS_SYSTEM_SECURITY `0x00100000` SYNCHRONIZE `0x00080000` WRITE_OWNER `0x00040000` WRITE_DAC `0x00020000` READ_CONTROL `0x00010000` DELETE `0x00000001` FILE_READ_DATA / FILE_LIST_DIRECTORY (file/dir); KEY_QUERY_VALUE (registry); ACTRL_DS_CREATE_CHILD (AD DS); SERVICE_QUERY_CONFIG (service) `0x00000002` FILE_WRITE_DATA / FILE_ADD_FILE (file/dir); KEY_SET_VALUE (registry); ACTRL_DS_DELETE_CHILD (AD DS); SERVICE_CHANGE_CONFIG (service) `0x00000004` FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY (file/dir); KEY_CREATE_SUB_KEY (registry); ACTRL_DS_LIST / DS_LIST_CONTENTS (AD DS); SERVICE_QUERY_STATUS (service) `0x00000008` FILE_READ_EA (file/dir); KEY_ENUMERATE_SUB_KEYS (registry); ACTRL_DS_SELF / DS_WRITE_PROPERTY_EXTENDED (AD DS); SERVICE_ENUMERATE_DEPENDENTS (service) `0x00000010` FILE_WRITE_EA (file/dir); KEY_NOTIFY (registry); ACTRL_DS_READ_PROP / DS_READ_PROPERTY (AD DS); SERVICE_START (service) `0x00000020` FILE_EXECUTE / FILE_TRAVERSE (file/dir); KEY_CREATE_LINK (registry); ACTRL_DS_WRITE_PROP / DS_WRITE_PROPERTY (AD DS); SERVICE_STOP (service) `0x00000040` FILE_DELETE_CHILD (file/dir); ACTRL_DS_DELETE_TREE (AD DS); SERVICE_PAUSE_CONTINUE (service) `0x00000080` FILE_READ_ATTRIBUTES (file/dir); ACTRL_DS_LIST_OBJECT (AD DS); SERVICE_INTERROGATE (service) `0x00000100` FILE_WRITE_ATTRIBUTES (file/dir); ACTRL_DS_CONTROL_ACCESS / DS_CONTROL_ACCESS (AD DS); SERVICE_USER_DEFINED_CONTROL (service); KEY_WOW64_64KEY (registry redirector; winnt.h) `0x00000200` KEY_WOW64_32KEY (registry redirector; winnt.h) `0x00000800` PROCESS_SUSPEND_RESUME (process; NtSuspendProcess / NtResumeProcess); also aliased as PROCESS_SET_PORT in legacy NT native headers; THREAD_QUERY_LIMITED_INFORMATION (thread) `0x00001000` PROCESS_QUERY_LIMITED_INFORMATION (process; subset query for protected-process scenarios; Vista+); THREAD_RESUME (thread) `0x00002000` PROCESS_SET_LIMITED_INFORMATION (process; write-side counterpart to QUERY_LIMITED_INFORMATION; not in MS Learn docs but defined in winnt.h and confirmed in System Informer / Process Hacker headers); not assigned for thread objects	9 detection rules
`ProcessId` Pointer	Hexadecimal Process ID of the process that accessed the object.
`ProcessName` UnicodeString	Full path and the name of the executable for the process.	63 detection rules
`ResourceAttributes` UnicodeString	Attributes associated with the object. "-" when not applicable.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4663,
    "version": 1,
    "level": 0,
    "task": 12802,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:53.1096939+00:00",
    "event_record_id": 3213666,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4672
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-C$",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x3e7",
    "ObjectServer": "Security",
    "ObjectType": "Process",
    "ObjectName": "\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe",
    "HandleId": "0x1150",
    "AccessList": "%%4484\n\t\t\t\t",
    "AccessMask": "0x10",
    "ProcessId": "0x1584",
    "ProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "ResourceAttributes": "-"
  },
  "message": "An attempt was made to access an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tProcess\r\n\tObject Name:\t\t\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe\r\n\tHandle ID:\t\t0x1150\r\n\tResource Attributes:\t-\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1584\r\n\tProcess Name:\t\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tRead from process memory\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x10"
}

Detection Patterns #

18 rules

Sigma

Windows Defender Exclusion Registry Key - Write Access Requested (source)

@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)

Roberto Rodriguez @Cyb3rWard0g

Thomas Patzke

RDP File Written by Outlook (Windows Event Log) (source)

Splunk

ISO File in Temp Folder (Windows Event Log) (source)

Browser Credential File Accessed - Windows (Windows Event Log) (source)

Show 3 more (6 total) on the rules page

Kusto

Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access (source)

Microsoft Entra ID Health Monitoring Agent Registry Keys Access (source)

Microsoft Security Research

Microsoft Entra ID Health Service Agents Registry Keys Access (source)

Microsoft Security Research

Security-Auditing Event ID 4663: An attempt was made to access an object.ORSysmon Event ID 11: FileCreate

10 rules

Kusto

SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) (source)

Yaron

SUNBURST and SUPERNOVA backdoor hashes (source)

Google Threat Intelligence - Threat Hunting Hash (source)

Show 7 more (10 total) on the rules page

Credential Access: LSASS Memory

9 rules

Sigma

Roberto Rodriguez @Cyb3rWard0g

Potentially Suspicious AccessMask Requested From LSASS (source)

Thomas Patzke

Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)

Browser Credential File Accessed - Windows (Windows Event Log) (source)

Splunk

Potential Credential Dumping of LSASS (Windows Event Log) (source)

Potential nanodump execution (Windows Event Log) (source)

6 rules

Sigma

Detect Print Processors Registry Driver Key Creation/Modification (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Kusto

Detect Registry Run Key Creation/Modification (source)

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Pete Bryan

Security-Auditing Event ID 4663: An attempt was made to access an object.ORSysmon Event ID 11: FileCreateOREvent ID 23: FileDeleteOREvent ID 26: FileDeleteDetected

Sunburst And Supernova Backdoor

4 rules

Kusto

RecordedFuture Threat Hunting Hash All Actors (source)

SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) (source)

Yaron

SUNBURST and SUPERNOVA backdoor hashes (source)

Security-Auditing Event ID 4663: An attempt was made to access an object.OREvent ID 4688: A new process has been created.

Show All Detection Patterns

2 rules

Kusto

Identify SysAid Server web shell creation (source)

Microsoft Security Research

Potential Build Process Compromise (source)

Microsoft Security Research

Defense Impairment: Modify Registry

Security-Auditing Event ID 4657: A registry value was modified.OREvent ID 4663: An attempt was made to access an object.

2 rules

Sigma

Detect Registry Run Key Creation/Modification (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Kusto

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4658: The handle to an object was closed.OREvent ID 4663: An attempt was made to access an object.

1 rule

Sigma

Potential Secure Deletion with SDelete (source)

Thomas Patzke

Collection: Audio Capture

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4657: A registry value was modified.OREvent ID 4663: An attempt was made to access an object.

1 rule

Sigma

Processes Accessing the Microphone and Webcam (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Impact: Data Encrypted for Impact

1 rule

Sigma

BlueSky Ransomware Artefacts (source)

j4son

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`FileCreated`	5 rules	kusto
`EventType`	eq	`ProcessCreated`	2 rules	kusto
`EventType`	in	`RegistryKeyCreated`	5 rules	kusto
`EventType`	in	`RegistryValueSet`	5 rules	kusto
`ObjectType`	eq	`File`	5 rules	sigma, splunk
`ObjectType`	eq	`Key`	5 rules	kusto, sigma
`ObjectType`	eq	`Process`	3 rules	elastic, sigma
`ObjectName`	ends_with	`\lsass.exe`	4 rules	sigma
`AccessMask`	eq	`0x6`	3 rules	kusto, sigma
`ObjectServer`	eq	`Security`	3 rules	sigma
`AccessList`	eq	`%%4416`	2 rules	splunk
`Hashes`	is_not_null		2 rules	chronicle, elastic, kusto
`IsActive`	eq	`true`	2 rules	kusto
`ObservableKey`	contains	`file:hashes`	2 rules	kusto
`ObservableValue`	is_not_null		2 rules	kusto

Community Notes #

An attempt was made to access an object. May catch mass permission changes or tampering. Also catches renaming, and may be noisy (pair with 4660).

The AccessMask shown assumes File access rights (the most common context). The actual meaning of bits 0x01–0x80 depends on the ObjectType at runtime. Common alternatives:

Bit	File	Registry	Process	Service
0x01	ReadData / ListDirectory	KEY_QUERY_VALUE	PROCESS_TERMINATE	SERVICE_QUERY_CONFIG
0x02	WriteData / AddFile	KEY_SET_VALUE	PROCESS_CREATE_THREAD	SERVICE_CHANGE_CONFIG
0x04	AppendData / AddSubDir	KEY_CREATE_SUB_KEY	PROCESS_SET_SESSIONID	SERVICE_QUERY_STATUS
0x08	ReadEA	KEY_ENUMERATE_SUB_KEYS	PROCESS_VM_OPERATION	SERVICE_ENUMERATE_DEPENDENTS
0x10	WriteEA	KEY_NOTIFY	PROCESS_VM_READ	SERVICE_START
0x20	Execute / Traverse	KEY_CREATE_LINK	PROCESS_VM_WRITE	SERVICE_STOP

Standard rights are shared across all types: DELETE (0x10000), READ_CONTROL (0x20000), WRITE_DAC (0x40000), WRITE_OWNER (0x80000).

Binary Defense post Windows Defender ACL Blocking: A Silent Technique With Serious Impact — attackers can modify DACLs on the Windows Defender directory to block the antimalware service from reading its own binaries, silently disabling protection without triggering tamper alerts. Look for WRITE_DAC (0x40000) access to Defender paths paired with 4670 ACL changes.

Detection Rules #

Sigma # view in coverage

ISO Image Mounted source medium: Detects the mount of an ISO image on an endpoint
Service Registry Key Read Access Request source low: Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
File Access Of Signal Desktop Sensitive Data source medium: Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json. The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data. Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials. Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.

Show 6 more (9 total)

Suspicious Teams Application Related ObjectAcess Event source high: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
Task Manager used for LSASS dump (kernel) source high: Detects scenarios where an attacker attempt to dump the LSASS process via the Task Manager.
CVE-2023-23397 Exploitation Attempt source critical: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.↳ also matches Event ID 4656: A handle to an object was requested.
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security source critical: This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
ScreenConnect User Database Modification - Security source medium: This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
Access To Browser Credential Files By Uncommon Applications - Security source low: Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.

Splunk # view in coverage

ConnectWise ScreenConnect Path Traversal Windows SACL source: The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability using Windows SACL EventCode 4663. It identifies path traversal attacks by monitoring file system events related to the…
Non Chrome Process Accessing Chrome Default Dir source: The following analytic detects a non-Chrome process accessing files in the Chrome user default folder. It leverages Windows Security Event logs, specifically event code 4663, to identify unauthorized access attempts. This activity is…
Non Firefox Process Access Firefox Profile Dir source: The following analytic detects non-Firefox processes accessing the Firefox profile directory, which contains sensitive user data such as login credentials, browsing history, and cookies. It leverages Windows Security Event logs,…

Show 17 more (24 total)

SAM Database File Access Attempt source: The following analytic detects attempts to access the SAM, SYSTEM, or SECURITY database files within the windows\system32\config directory using Windows Security EventCode 4663. This detection leverages Windows Security Event logs to…
Windows Credential Access From Browser Password Store source: The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive…
Windows Credentials from Password Stores Chrome Extension Access source: The following analytic detects non-Chrome processes attempting to access the Chrome extensions file. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because…
Windows Credentials from Password Stores Chrome LocalState Access source: The following analytic detects non-Chrome processes accessing the Chrome "Local State" file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this…
Windows Credentials from Password Stores Chrome Login Data Access source: The following analytic identifies non-Chrome processes accessing the Chrome user data file "login data." This file is an SQLite database containing sensitive information, including saved passwords. The detection leverages Windows Security…
Windows GrimResource - MMC Process Accessing APDS DLL source: GrimResource is a code execution technique discovered by Elastic Security in 2024 that abuses a stored XSS vulnerability in apds.dll to achieve arbitrary code execution inside mmc.exe, a signed, trusted Windows binary. The attack is…
Windows Hosts File Access source: This Analytic detects the execution of a process attempting to access the hosts file. The hosts file is a critical file for network configuration and DNS resolution. If an attacker gains access to it, they can redirect traffic to malicious…
Windows Increase in Group or Object Modification Activity source: This analytic detects an increase in modifications to AD groups or objects. Frequent changes to AD groups or objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing…↳ also matches Event ID 4670: Permissions on an object were changed., Event ID 4727: A security-enabled global group was created., Event ID 4731: A security-enabled local group was created., Event ID 4734: A security-enabled local group was deleted., Event ID 4735: A security-enabled local group was changed., Event ID 4764: A group’s type was changed.
Windows Non Discord App Access Discord LevelDB source: The following analytic detects non-Discord applications accessing the Discord LevelDB database. It leverages Windows Security Event logs, specifically event code 4663, to identify file access attempts to the LevelDB directory by processes…
Windows Process Accessing Windows Recall Directory source: This detection triggers on a process accessing the Windows Recall directory. Recall is a new feature Microsoft release that takes screenshots every 5 or so seconds to provide context to it's AI features. The initial release of Recall was…
Windows Product Key Registry Query source: This Analytic detects the execution of a process attempting to access the registry for product key recovery purposes. This behavior could be significant as it might indicate potential malware activity or attempts to bypass security…
Windows Query Registry Browser List Application source: The following analytic detects a suspicious process accessing the registry entries for default internet browsers. It leverages Windows Security Event logs, specifically event code 4663, to identify access attempts to these registry paths.…
Windows Query Registry UnInstall Program List source: The following analytic detects an access request on the uninstall registry key. It leverages Windows Security Event logs, specifically event code 4663. This activity is significant because adversaries or malware can exploit this key to…
Windows Unsecured Outlook Credentials Access In Registry source: The following analytic detects unauthorized access to Outlook credentials stored in the Windows registry. It leverages Windows Security Event logs, specifically EventCode 4663, to identify access attempts to registry paths associated with…
Windows Unusual FileZilla XML Config Access source: The following analytic identifies processes accessing FileZilla XML config files such as recentservers.xml and sitemanager.xml. It leverages Windows Security Event logs, specifically monitoring EventCode 4663, which tracks object access…
Windows Unusual Intelliform Storage Registry Access source: The following analytic identifies processes accessing Intelliform Storage Registry keys used by Internet Explorer. It leverages Windows Security Event logs, specifically monitoring EventCode 4663, which tracks object access events. This…
ISO Image Mounted - Windows (Windows Event Log) source: Threat actors such as APT29 have used ISO files to deliver malicious code to target systems. Normally, when a file is downloaded from the internet, Windows adds a Zone Identifier to identify the file's origin (known as mark-of-the-web or…

Kusto # view in coverage

Suspicious office child process created source: This query obtains a list of downloaded Office documents (doc, xls, etc.) by looking at files written by commonly used web browsers. It then searches for invocations of an Office program by double-clicking on these files. If these processes spawn an uncommon child process this is reported as suspicious.↳ also matches Event ID 4688: A new process has been created., Event ID 5156: The Windows Filtering Platform has permitted a connection.
Suspicious MSC File Launched source: The query searches for suspicious MSC files that are launched on the system. The following types of suspicious files are detected: MSC files downloaded by web browsers, MSC files in the Downloads folder, MSC files extracted from ZIP files, and MSC files with Mark Of The Web (MOTW).↳ also matches Event ID 4688: A new process has been created.
WinRM Plugin Lateral Movement source: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false-positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation.

Show 2 more (5 total)

Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint) source: ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers.
Installation from an iso file don't require network connection most of the time. Activities deviating from these situations can be considered as highly suspicious. Below queries detects opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image.
All detections can be used seperately or combined together to generate a higher fidelity alert. Detect opening of a mounted image:↳ also matches Event ID 4657: A registry value was modified.
Microsoft Recommended Driver Block List source: The query below detects loading or creation of a vulnerable driver that is listed in the Microsoft recommended driver block rules.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4663
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4663_v1.yml
MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format
MS Learn PROCESS_* access rights https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights

Event ID 4664: An attempt was made to create a hard link.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → File System
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates when an NTFS hard link was successfully created.

Message #

An attempt was made to create a hard link.

Subject:
	Account Name: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Link Information:
	File Name: %5
	Link Name: %6
	Transaction ID: %7

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that made an attempt to create the hard link.
`SubjectUserName` UnicodeString	The name of the account that made an attempt to create the hard link.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`FileName` UnicodeString	The name of a file or folder that new hard link refers to.
`LinkName` UnicodeString	Full path name with new hard link file name.
`TransactionId` GUID	Unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as "4660(S): An object was deleted."

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4664,
    "version": 0,
    "level": 0,
    "task": 12800,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:22:20.6573922+00:00",
    "event_record_id": 2926182,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 7864
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-C$",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x3e7",
    "FileName": "C:\\Windows\\servicing\\Packages\\Microsoft-Windows-msmq-adintegration-Opt-Package~31bf3856ad364e35~amd64~en-US~10.0.20348.1.cat",
    "LinkName": "C:\\Windows\\WinSxS\\Temp\\InFlight\\c8dec39bf4fadc01df0700009c05c402\\c8dec39bf4fadc01e00700009c05c402_catalog",
    "TransactionId": "{00000000-0000-0000-0000-000000000000}"
  },
  "message": "An attempt was made to create a hard link.\r\n\r\nSubject:\r\n\tAccount Name:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nLink Information:\r\n\tFile Name:\tC:\\Windows\\servicing\\Packages\\Microsoft-Windows-msmq-adintegration-Opt-Package~31bf3856ad364e35~amd64~en-US~10.0.20348.1.cat\r\n\tLink Name:\tC:\\Windows\\WinSxS\\Temp\\InFlight\\c8dec39bf4fadc01df0700009c05c402\\c8dec39bf4fadc01e00700009c05c402_catalog\r\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}"
}

Detection Rules #

Security-Auditing Event ID 4670: Permissions on an object were changed.OREvent ID 4727: A security-enabled global group was created.OREvent ID 4731: A security-enabled local group was created.OREvent ID 4734: A security-enabled local group was deleted.OREvent ID 4735: A security-enabled local group was changed.OREvent ID 4764: A group’s type was changed.

Sigma # view in coverage

NTFS hard link creation source medium: Detects scenarios where an attacker attempts to create a hard link.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4664
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4664
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4664.yml

Event ID 4665: An attempt was made to create an application client context.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Application Generated
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An attempt was made to create an application client context.

Message #

An attempt was made to create an application client context.

Subject:
	Client Name: %3
	Client Domain: %4
	Client Context ID: %5

Application Information:
	Application Name: %1
	Application Instance ID: %2

Status: %6

Fields #

Name	Description
`AppName` UnicodeString	[Application Information] Application Name.
`AppInstance` UInt64	[Application Information] Application Instance ID.
`ClientName` UnicodeString	The name of the account that requested the "assign token to process" operation.
`ClientDomain` UnicodeString	[Subject] Client Domain.
`ClientLogonId` UInt64	[Subject] Client Context ID.
`Status` UInt32	[Application Information] Status. NTSTATUS reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4665
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4665
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4665.yml

Event ID 4666: An application attempted an operation.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Application Generated
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An application attempted an operation.

Message #

An application attempted an operation:

Subject:
	Client Name: %5
	Client Domain: %6
	Client Context ID: %7

Object:
	Object Name: %3
	Scope Names: %4

Application Information:
	Application Name: %1
	Application Instance ID: %2

Access Request Information:
	Role: %8
	Groups: %9
	Operation Name: %10 (%11)

Fields #

Name	Description
`AppName` UnicodeString	[Application Information] Application Name.
`AppInstance` UInt64	[Application Information] Application Instance ID.
`ObjectName` UnicodeString	[Object] Object Name.
`ScopeName` UnicodeString	[Object] Scope Names.
`ClientName` UnicodeString	The name of the account that requested the "assign token to process" operation.
`ClientDomain` UnicodeString	[Subject] Client Domain.
`ClientLogonId` UInt64	[Subject] Client Context ID.
`Role` UnicodeString	(Access Request Information) Role.
`Group` UnicodeString	[Access Request Information] Groups.
`OperationName` UnicodeString	[Access Request Information] Operation Name.
`OperationId` UInt32	[Access Request Information] (.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4666
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4666
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4666.yml

Event ID 4667: An application client context was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Application Generated
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An application client context was deleted.

Message #

An application client context was deleted.

Subject:
	Client Name: %3
	Client Domain: %4
	Client Context ID: %5

Application Information:
	Application Name: %1
	Application Instance ID: %2

Fields #

Name	Description
`AppName` UnicodeString	[Application Information] Application Name.
`AppInstance` UInt64	[Application Information] Application Instance ID.
`ClientName` UnicodeString	The name of the account that requested the "assign token to process" operation.
`ClientDomain` UnicodeString	[Subject] Client Domain.
`ClientLogonId` UInt64	[Subject] Client Context ID.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4667
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4667
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4667.yml

Event ID 4668: An application was initialized.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Application Generated
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An application was initialized.

Message #

An application was initialized.

Subject:
	Client Name: %3
	Client Domain: %4
	Client ID: %5

Application Information:
	Application Name: %1
	Application Instance ID: %2

Additional Information:
	Policy Store URL: %6

Fields #

Name	Description
`AppName` UnicodeString	[Application Information] Application Name.
`AppInstance` UInt64	[Application Information] Application Instance ID.
`ClientName` UnicodeString	The name of the account that requested the "assign token to process" operation.
`ClientDomain` UnicodeString	[Subject] Client Domain.
`ClientLogonId` UInt64	[Subject] Client ID.
`StoreUrl` UnicodeString	[Additional Information] Policy Store URL.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4668
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4668
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4668.yml

Event ID 4670: Permissions on an object were changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Authentication Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.

Message #

Permissions on an object were changed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6
	Object Name: %7
	Handle ID: %8

Process:
	Process ID: %11
	Process Name: %12

Permissions Change:
	Original Security Descriptor: %9
	New Security Descriptor: %10

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of the account that changed the object's permissions.
`SubjectUserName` UnicodeString	Name of the account that changed the object's permissions.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`ObjectServer` UnicodeString	Has "Security" value for this event.
`ObjectType` UnicodeString	Type of the object whose permissions were changed.	2 detection rules
`ObjectName` UnicodeString	Name and identifying information for the object. For files, includes the full path. "-" for token objects.
`HandleId` Pointer	Hexadecimal handle to the object.
`OldSd` UnicodeString	Previous SDDL security descriptor for the object.
`NewSd` UnicodeString	New SDDL security descriptor for the object.
`ProcessId` Pointer	Hexadecimal Process ID of the process that changed the permissions.
`ProcessName` UnicodeString	Full path and the name of the executable for the process.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4670,
    "version": 0,
    "level": 0,
    "task": 13570,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T13:52:27.0312120+00:00",
    "event_record_id": 2141121,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 3844
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-A$",
    "SubjectDomainName": "cell-a",
    "SubjectLogonId": "0x3e7",
    "ObjectServer": "Security",
    "ObjectType": "Token",
    "ObjectName": "-",
    "HandleId": "0x280",
    "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)",
    "NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)",
    "ProcessId": "0x324",
    "ProcessName": "C:\\Windows\\System32\\services.exe"
  },
  "message": "Permissions on an object were changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tObject Type:\tToken\r\n\tObject Name:\t-\r\n\tHandle ID:\t0x280\r\n\r\nProcess:\r\n\tProcess ID:\t0x324\r\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\r\n\r\nPermissions Change:\r\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;GA;;;NS)\r\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)"
}

Detection Patterns #

1 rule

Splunk

Windows Increase in Group or Object Modification Activity (source)

Dean Luxton

Stealth: Impair Defenses

Security-Auditing Event ID 4670: Permissions on an object were changed.OREvent ID 4688: A new process has been created.

1 rule

Kusto

Security Service Registry ACL Modification (source)

Microsoft Security Research

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`ObjectType`	eq	`Key`	1 rule	kusto, sigma

Community Notes #

Permissions on an object were changed, may detect ACL edits on files, registry, or tokens that grant elevated rights.

Binary Defense post Windows Defender ACL Blocking: A Silent Technique With Serious Impact — attackers can modify DACLs on the Windows Defender directory to block the antimalware service from reading its own binaries, silently disabling protection without triggering tamper alerts. Look for ACL changes targeting Defender paths (e.g. C:\ProgramData\Microsoft\Windows Defender\) paired with 4663 WRITE_DAC access.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4670
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4670
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4670.yml

Event ID 4671: An application attempted to access a blocked ordinal through the TBS.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Other Object Access Events
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

An application attempted to access a blocked ordinal through the TBS.

Message #

An application attempted to access a blocked ordinal through the TBS.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Ordinal: %5

Fields #

Name	Description
`CallerUserSid` SID	[Subject] Security ID
`CallerUserName` UnicodeString	[Subject] Account Name
`CallerDomainName` UnicodeString	[Subject] Account Domain
`CallerLogonId` HexInt64	[Subject] Logon ID
`Ordinal` UInt32	[Subject] Ordinal.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4671
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4671

Event ID 4672: Special privileges assigned to new logon.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Special Logon
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates for new account logons if any of the following sensitive privileges are assigned to the new logon session:

Message #

Special privileges assigned to new logon.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Privileges: %5

Fields #

Name	Description
`SubjectUserSid` SID	SID of account to which special privileges were assigned.
`SubjectUserName` UnicodeString	The name of the account to which special privileges were assigned.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`PrivilegeList` UnicodeString	The list of sensitive privileges, assigned to the new logon. Privilege constants reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4672,
    "version": 0,
    "level": 0,
    "task": 12548,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:49.2401689+00:00",
    "event_record_id": 3213577,
    "correlation": {},
    "execution": {
      "process_id": 896,
      "thread_id": 4272
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x296120d",
    "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege"
  },
  "message": "Special privileges assigned to new logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x296120D\r\n\r\nPrivileges:\t\tSeSecurityPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeImpersonatePrivilege\r\n\t\t\tSeDelegateSessionUserImpersonatePrivilege\r\n\t\t\tSeEnableDelegationPrivilege"
}

Detection Patterns #

Security-Auditing Event ID 4672: Special privileges assigned to new logon.→Event ID 5145: A network share object was checked to see whether client can be granted desired access.

1 rule

Elastic

Suspicious Remote Registry Access via SeBackupPrivilege (source)

Elastic

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`AuthenticationPackageName`	eq	`NTLM`	1 rule	elastic, kusto, sigma, splunk
`TargetDomainName`	in	`PUT YOUR AD DOMAINS HERE!`	1 rule	kusto
`TargetDomainName`	in	`contoso`	1 rule	kusto
`TargetDomainName`	in	`contoso.local`	1 rule	kusto
`subnet`	is_null		1 rule	kusto
`unique_targets`	gt	`30`	1 rule	splunk

Community Notes #

Detects Administrator or SYSTEM-equivalent sessions at logon time.

Detection Rules #

Task Manager lsass Dump (Windows Event Log) (source)

Splunk # view in coverage

Windows Special Privileged Logon On Multiple Hosts source: The following analytic detects a user authenticating with special privileges on 30 or more remote endpoints within a 5-minute window. It leverages Event ID 4672 from Windows Security logs to identify this behavior. This activity is…

Kusto # view in coverage

Potentially Relayed NTLM Authentication - Microsoft Sentinel source: The below query detects NTLM logons where Network Address in the logon event doesn't match the Workstation Name's IP. This indicates potentially relayed NTLM authentication. It analyzes only the logons with domain accounts having admin privileges.↳ also matches Event ID 4624: An account was successfully logged on.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-special-logon
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4672
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4672.yml

Event ID 4673: A privileged service was called.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Privilege Use → Sensitive Privilege Use
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates when an attempt was made to perform privileged system service operations. This event generates, for example, when SeSystemtimePrivilege, SeCreateGlobalPrivilege, or SeTcbPrivilege privilege was used.

Message #

A privileged service was called.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Service:
	Server: %5
	Service Name: %6

Process:
	Process ID: %8
	Process Name: %9

Service Request Information:
	Privileges: %7

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that requested privileged operation.	1 detection rule
`SubjectUserName` UnicodeString	The name of the account that requested privileged operation.	1 detection rule
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`ObjectServer` UnicodeString	Contains the name of the Windows subsystem calling the routine.
`Service` UnicodeString	Supplies a name of the privileged subsystem service or function.	2 detection rules
`PrivilegeList` UnicodeString	The list of user privileges which were requested. Privilege constants reference	2 detection rules
`ProcessId` Pointer	Hexadecimal Process ID of the process that attempted to call the privileged service.
`ProcessName` UnicodeString	Full path and the name of the executable for the process.	22 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4673,
    "version": 0,
    "level": 0,
    "task": 13056,
    "opcode": 0,
    "keywords": -9218868437227405312,
    "time_created": "2026-06-13T14:08:49.2466124+00:00",
    "event_record_id": 3213596,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4672
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x296120d",
    "ObjectServer": "Security",
    "Service": "-",
    "PrivilegeList": "SeTcbPrivilege",
    "ProcessId": "0x7f4",
    "ProcessName": "C:\\Windows\\System32\\svchost.exe"
  },
  "message": "A privileged service was called.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x296120D\r\n\r\nService:\r\n\tServer:\tSecurity\r\n\tService Name:\t-\r\n\r\nProcess:\r\n\tProcess ID:\t0x7f4\r\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\r\n\r\nService Request Information:\r\n\tPrivileges:\t\tSeTcbPrivilege"
}

Detection Patterns #

Credential Access: LSASS Memory

1 rule

Splunk

Community Notes #

Logs use of SeDebugPrivilege (often precedes scraping memory), SeTcbPrivilege.

Detection Rules #

Security-Auditing Event ID 4674: An operation was attempted on a privileged object.OREvent ID 4697: A service was installed in the system.ORService-Control-Manager Event ID 7045: A service was installed in the system.

Sigma # view in coverage

User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' source high: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
Potential Privileged System Service Operation - SeLoadDriverPrivilege source medium: Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
Privilege SeMachineAccountPrivilege abuse source medium: Detects scenarios where an attacker abuse the SeMachineAccountPrivilege which allows per default any authenticated user to join a computer to the domain. Later on, this computer account can be manipulated in order to elevate privileges.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sensitive-privilege-use
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4673
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4673.yml

Event ID 4674: An operation was attempted on a privileged object.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Privilege Use → Sensitive Privilege Use
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates when an attempt is made to perform privileged operations on a protected subsystem object after the object is already opened.

Message #

An operation was attempted on a privileged object.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6
	Object Name: %7
	Object Handle: %8

Process Information:
	Process ID: %11
	Process Name: %12

Requested Operation:
	Desired Access: %9
	Privileges: %10

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that requested privileged operation.
`SubjectUserName` UnicodeString	The name of the account that requested privileged operation.	1 detection rule
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."	1 detection rule
`ObjectServer` UnicodeString	Contains the name of the Windows subsystem calling the routine.	2 detection rules
`ObjectType` UnicodeString	The type of an object that was accessed during the operation.	2 detection rules
`ObjectName` UnicodeString	The name of the object that was accessed during the operation.	16 detection rules
`HandleId` Pointer	Hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "4656: A handle to an object was requested" event in appropriate/other subcategory.
`AccessMask` UnicodeString	The desired access mask. This mask depends on Object Server and Object Type parameters values. Access mask reference Bitmask flags `0x80000000` GENERIC_READ `0x40000000` GENERIC_WRITE `0x20000000` GENERIC_EXECUTE `0x10000000` GENERIC_ALL `0x02000000` MAXIMUM_ALLOWED `0x01000000` ACCESS_SYSTEM_SECURITY `0x00100000` SYNCHRONIZE `0x00080000` WRITE_OWNER `0x00040000` WRITE_DAC `0x00020000` READ_CONTROL `0x00010000` DELETE `0x00000001` FILE_READ_DATA / FILE_LIST_DIRECTORY (file/dir); KEY_QUERY_VALUE (registry); ACTRL_DS_CREATE_CHILD (AD DS); SERVICE_QUERY_CONFIG (service) `0x00000002` FILE_WRITE_DATA / FILE_ADD_FILE (file/dir); KEY_SET_VALUE (registry); ACTRL_DS_DELETE_CHILD (AD DS); SERVICE_CHANGE_CONFIG (service) `0x00000004` FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY (file/dir); KEY_CREATE_SUB_KEY (registry); ACTRL_DS_LIST / DS_LIST_CONTENTS (AD DS); SERVICE_QUERY_STATUS (service) `0x00000008` FILE_READ_EA (file/dir); KEY_ENUMERATE_SUB_KEYS (registry); ACTRL_DS_SELF / DS_WRITE_PROPERTY_EXTENDED (AD DS); SERVICE_ENUMERATE_DEPENDENTS (service) `0x00000010` FILE_WRITE_EA (file/dir); KEY_NOTIFY (registry); ACTRL_DS_READ_PROP / DS_READ_PROPERTY (AD DS); SERVICE_START (service) `0x00000020` FILE_EXECUTE / FILE_TRAVERSE (file/dir); KEY_CREATE_LINK (registry); ACTRL_DS_WRITE_PROP / DS_WRITE_PROPERTY (AD DS); SERVICE_STOP (service) `0x00000040` FILE_DELETE_CHILD (file/dir); ACTRL_DS_DELETE_TREE (AD DS); SERVICE_PAUSE_CONTINUE (service) `0x00000080` FILE_READ_ATTRIBUTES (file/dir); ACTRL_DS_LIST_OBJECT (AD DS); SERVICE_INTERROGATE (service) `0x00000100` FILE_WRITE_ATTRIBUTES (file/dir); ACTRL_DS_CONTROL_ACCESS / DS_CONTROL_ACCESS (AD DS); SERVICE_USER_DEFINED_CONTROL (service); KEY_WOW64_64KEY (registry redirector; winnt.h) `0x00000200` KEY_WOW64_32KEY (registry redirector; winnt.h) `0x00000800` PROCESS_SUSPEND_RESUME (process; NtSuspendProcess / NtResumeProcess); also aliased as PROCESS_SET_PORT in legacy NT native headers; THREAD_QUERY_LIMITED_INFORMATION (thread) `0x00001000` PROCESS_QUERY_LIMITED_INFORMATION (process; subset query for protected-process scenarios; Vista+); THREAD_RESUME (thread) `0x00002000` PROCESS_SET_LIMITED_INFORMATION (process; write-side counterpart to QUERY_LIMITED_INFORMATION; not in MS Learn docs but defined in winnt.h and confirmed in System Informer / Process Hacker headers); not assigned for thread objects
`PrivilegeList` UnicodeString	The list of user privileges which were requested. Privilege constants reference	1 detection rule
`ProcessId` Pointer	Hexadecimal Process ID of the process that attempted the operation on the privileged object.
`ProcessName` UnicodeString	Full path and the name of the executable for the process.	4 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4674,
    "version": 0,
    "level": 0,
    "task": 13056,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:52.3798917+00:00",
    "event_record_id": 3213643,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4672
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x296120d",
    "ObjectServer": "Security",
    "ObjectType": "-",
    "ObjectName": "-",
    "HandleId": "0x828",
    "AccessMask": "983103",
    "PrivilegeList": "SeTakeOwnershipPrivilege",
    "ProcessId": "0x1eb8",
    "ProcessName": "C:\\Windows\\System32\\wsmprovhost.exe"
  },
  "message": "An operation was attempted on a privileged object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x296120D\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tObject Type:\t-\r\n\tObject Name:\t-\r\n\tObject Handle:\t0x828\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x1eb8\r\n\tProcess Name:\tC:\\Windows\\System32\\wsmprovhost.exe\r\n\r\nRequested Operation:\r\n\tDesired Access:\t983103\r\n\tPrivileges:\t\tSeTakeOwnershipPrivilege"
}

Detection Patterns #

Persistence: Windows Service

1 rule

Sigma

PSexec service installation (source)

mdecrevoisier

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`ObjectServer`	eq	`SC Manager`	1 rule	kusto, sigma
`ObjectServer`	eq	`Security`	1 rule	sigma
`ObjectType`	eq	`Key`	1 rule	kusto, sigma
`ObjectType`	eq	`SC_MANAGER OBJECT`	1 rule	sigma

Community Notes #

Logs direct interaction with objects that require SeSecurity/SeTakeOwnership, ie SAM hives.

Detection Rules #

Sigma # view in coverage

SCM Database Privileged Operation source medium: Detects non-system users performing privileged operation os the SCM database
Impacket DCOMexec privilege abuse via MMC source high: Detects scenarios where an attacker execute the Impacket DCOMexec tool in order to abuse DCOM services.
Backdoor introduction via registry permission change through WMI (DAMP) source high: Detects scenarios where an attacker modifies registry permissions on a local or remote target in order to introduce a backdoor and dump hashes and credentials.

Elastic # view in coverage

Suspicious SeIncreaseBasePriorityPrivilege Use source high: Identifies attempts to use the SeIncreaseBasePriorityPrivilege privilege by an unusual process. This could be related to hijack execution flow of a process via threats priority manipulation.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4674
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sensitive-privilege-use
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4674
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4674.yml
MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format

Event ID 4675: SIDs were filtered.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Logon
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

SIDs were filtered.

Message #

SIDs were filtered.

Target Account:
	Security ID: %1
	Account Name: %2
	Account Domain: %3

Trust Information:
	Trust Direction: %4
	Trust Attributes: %5
	Trust Type: %6
	TDO Domain SID: %7

Filtered SIDs: %8

Fields #

Name	Description
`TargetUserSid` SID	[Target Account] Security ID
`TargetUserName` UnicodeString	[Target Account] Account Name
`TargetDomainName` UnicodeString	[Target Account] Account Domain
`TdoDirection` UInt32	[Trust Information] Trust Direction Known values `0` TRUST_DIRECTION_DISABLED - trust relationship exists but has been disabled `1` TRUST_DIRECTION_INBOUND - trusted domain trusts the primary domain for name lookups and authentication `2` TRUST_DIRECTION_OUTBOUND - primary domain trusts the trusted domain for name lookups and authentication `3` TRUST_DIRECTION_BIDIRECTIONAL - both domains trust one another for name lookups and authentication
`TdoAttributes` UInt32	[Trust Information] Trust Attributes
`TdoType` UInt32	[Trust Information] Trust Type Known values `1` TRUST_TYPE_DOWNLEVEL - trusted domain controller runs an OS earlier than Windows 2000 `2` TRUST_TYPE_UPLEVEL - trusted domain controller runs Windows 2000 or later `3` TRUST_TYPE_MIT - non-Windows RFC 4120-compliant Kerberos distribution (no SID required for TDO) `4` TRUST_TYPE_DCE - DCE realm (historical; not used in modern Windows)
`TdoSid` SID	[Trust Information] TDO Domain SID
`SidList` UnicodeString	Filtered SIDs

Detection Patterns #

Stealth: Valid Accounts

1 rule

Kusto

Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TargetUserName`	is_not_null		1 rule	kusto

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4675
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4675

Event ID 4688: A new process has been created.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Detailed Tracking → Process Creation
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time a new process starts.

Message #

A new process has been created.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Process Information:
	New Process ID: %5
	New Process Name: %6
	Token Elevation Type: %7
	Creator Process ID: %8

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that requested the "create process" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "create process" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that created the process. Correlates with Event ID 4624.
`NewProcessId` Pointer	Hexadecimal Process ID of the new process.
`NewProcessName` UnicodeString	Full path and the name of the executable for the new process.	158 detection rules
`TokenElevationType` UnicodeString	UAC elevation type of the new process token: Default (no UAC split), Full (elevated administrator), or Limited (standard user UAC split). Known values `%%1936` TokenElevationTypeDefault (1) `%%1937` TokenElevationTypeFull (2) `%%1938` TokenElevationTypeLimited (3) `1` TokenElevationTypeDefault `2` TokenElevationTypeFull `3` TokenElevationTypeLimited
`ProcessId` Pointer	Hexadecimal Process ID of the process which ran the new process.
`CommandLine` UnicodeString	Full command line of the new process. Requires the "Include command line in process creation events" audit policy setting to be enabled; empty otherwise.	1965 detection rules
`TargetUserSid` SID	SID of the account the new process runs as, when different from the creator (e.g., CreateProcessAsUser/RunAs). S-1-0-0 when not applicable.	1 detection rule
`TargetUserName` UnicodeString	Name of the account the new process runs as. Empty when the process runs as the creator's session.	8 detection rules
`TargetDomainName` UnicodeString	Target account's domain or computer name.	6 detection rules
`TargetLogonId` HexInt64	Logon session ID for the target account context. 0x0 when the process runs as the creator's session.
`ParentProcessName` UnicodeString	Full path of the parent process.	182 detection rules
`MandatoryLabel` SID	SID of integrity label which was assigned to the new process.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4688,
    "version": 2,
    "level": 0,
    "task": 13312,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:49.2497694+00:00",
    "event_record_id": 3213597,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4672
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-C$",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x3e7",
    "NewProcessId": "0x1eb8",
    "NewProcessName": "C:\\Windows\\System32\\wsmprovhost.exe",
    "TokenElevationType": "%%1936",
    "ProcessId": "0x254",
    "CommandLine": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding",
    "TargetUserSid": "S-1-0-0",
    "TargetUserName": "domainadmin",
    "TargetDomainName": "cell-c",
    "TargetLogonId": "0x296120d",
    "ParentProcessName": "C:\\Windows\\System32\\svchost.exe",
    "MandatoryLabel": "S-1-16-12288"
  },
  "message": "A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x296120D\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x1eb8\r\n\tNew Process Name:\tC:\\Windows\\System32\\wsmprovhost.exe\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\n\tMandatory Label:\t\tS-1-16-12288\r\n\tCreator Process ID:\t0x254\r\n\tCreator Process Name:\tC:\\Windows\\System32\\svchost.exe\r\n\tProcess Command Line:\tC:\\Windows\\system32\\wsmprovhost.exe -Embedding\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
}

Detection Patterns #

1288 rules

Sigma

HTML File Opened From Download Folder (source)

Joseph Kamau

Potential PsExec Remote Execution (source)

Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)

Potential Privilege Escalation To LOCAL SYSTEM (source)

Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)

Show 527 more (530 total) on the rules page

Elastic

Potential Masquerading as Business App Installer (source)

Elastic

Potential Fake CAPTCHA Phishing Attack (source)

Elastic

Potential SAP NetWeaver Exploitation (source)

Elastic

Show 195 more (198 total) on the rules page

Splunk

Windows DNS Gather Network Info (source)

Teoderick Contreras, Splunk

Attacker Tools On Endpoint (source)

Bhavin Patel, Splunk, sventec, Github Community

Windows Netspy Network Scanner Execution (source)

Raven Tait, Splunk

Show 512 more (515 total) on the rules page

Kusto

Suspicious parentprocess relationship - Office child processes. (source)

Suspicious MSC File Launched (source)

FalconForce

Persistence Via Scheduled Tasks (source)

FalconForce

Show 42 more (45 total) on the rules page

Security-Auditing Event ID 4688: A new process has been created.ANDSysmon Event ID 1: Process creation

81 rules

Sigma

Grixba Malware Reconnaissance Activity (source)

yxinmiracle, Swachchhanda Shrawan Poudel (Nextron Systems)

PsExec/PAExec Escalation to LOCAL SYSTEM (source)

Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)

Suspicious Download from Office Domain (source)

Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)

Show 78 more (81 total) on the rules page

(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→Event ID 3: Network connection

28 rules

Elastic

Suspicious Command Prompt Network Connection (source)

Elastic

Incoming Execution via PowerShell Remoting (source)

Elastic

Potential SharpRDP Behavior (source)

Elastic

Show 25 more (28 total) on the rules page

Sysmon Event ID 3: Network connection→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

25 rules

Elastic

WMI Incoming Lateral Movement (source)

Elastic

Suspicious Command Prompt Network Connection (source)

Elastic

Incoming Execution via PowerShell Remoting (source)

Elastic

Show 22 more (25 total) on the rules page

Sysmon Event ID 7: Image loaded→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→Event ID 3: Network connection

19 rules

Elastic

Potential Command and Control via Internet Explorer (source)

Elastic

Remote XSL Script Execution via COM (source)

Elastic

Incoming DCOM Lateral Movement via MSHTA (source)

Elastic

Show 16 more (19 total) on the rules page

Show All Detection Patterns

Network Connection

(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→Event ID 3: Network connection→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

17 rules

Elastic

Potential Remote File Execution via MSIEXEC (source)

Elastic

Potential Command and Control via Internet Explorer (source)

Elastic

InstallUtil Process Making Network Connections (source)

Elastic

Show 14 more (17 total) on the rules page

Sysmon Event ID 3: Network connection→(Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent)→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

13 rules

Elastic

Suspicious Command Prompt Network Connection (source)

Elastic

Incoming Execution via PowerShell Remoting (source)

Elastic

Potential SharpRDP Behavior (source)

Elastic

Show 10 more (13 total) on the rules page

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 4689: A process has exited.ORSysmon Event ID 1: Process creationOREvent ID 5: Process terminated

12 rules

Kusto

SUNBURST suspicious SolarWinds child processes (Normalized Process Events) (source)

Yuval Naor

Base64 encoded Windows process command-lines (Normalized Process Events) (source)

Yuval Naor

Process Creation with Suspicious CommandLine Arguments (source)

Show 9 more (12 total) on the rules page

Event Log

Security-Auditing Event ID 4657: A registry value was modified.OREvent ID 4688: A new process has been created.

11 rules

Splunk

Command Line Utility Added to Accessibility Features (Windows Event Log) (source)

Wow6432Node Classes Autorun Keys Modification (Windows Event Log) (source)

ComputerDefaults UAC Bypass (Windows Event Log) (source)

Show 8 more (11 total) on the rules page

7 rules

Elastic

Delayed Execution via Ping (source)

Elastic

Local Scheduled Task Creation (source)

Elastic

Execution via MS VisualStudio Pre/Post Build Events (source)

Elastic

Security-Auditing Event ID 4688: A new process has been created.→Sysmon Event ID 1: Process creation

6 rules

Elastic

Execution of File Written or Modified by Microsoft Office (source)

Elastic

Windows Script Interpreter Executing Process via WMI (source)

Elastic

ROT Encoded Python Script Execution (source)

Elastic

Show 3 more (6 total) on the rules page

Sysmon Event ID 11: FileCreate→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

5 rules

Elastic

Suspicious HTML File Creation (source)

Elastic

Execution of a Downloaded Windows Script (source)

Elastic

File with Right-to-Left Override Character (RTLO) Created/Executed (source)

Elastic

Windows Office Product Dropped Cab or Inf File (source)

Splunk

Michael Haag, Splunk

(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→Event ID 7: Image loaded

5 rules

Elastic

Suspicious WMIC XSL Script Execution (source)

Elastic

Veeam Backup Library Loaded by Unusual Process (source)

Elastic

Remote XSL Script Execution via COM (source)

Elastic

Sysmon Event ID 7: Image loaded→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

Xsl Script Execution

4 rules

Elastic

Remote XSL Script Execution via COM (source)

Elastic

Veeam Backup Library Loaded by Unusual Process (source)

Elastic

Potential Command and Control via Internet Explorer (source)

Elastic

Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creationOREvent ID 11: FileCreate

4 rules

Elastic

File with Right-to-Left Override Character (RTLO) Created/Executed (source)

Elastic

Execution of a Downloaded Windows Script (source)

Elastic

Suspicious HTML File Creation (source)

Elastic

(Security-Auditing Event ID 4688: A new process has been created.ANDSysmon Event ID 11: FileCreate)OR(Event ID 1: Process creationANDEvent ID 11: FileCreate)

4 rules

Elastic

Suspicious HTML File Creation (source)

Elastic

Splunk

Windows Office Product Dropped Cab or Inf File (source)

Michael Haag, Splunk

Spoolsv Writing a DLL (source)

Mauricio Velazco, Michael Haag, Splunk

Suspicious WAV file in Appdata Folder (source)

Teoderick Contreras, Splunk

Event Log

Security-Auditing Event ID 4648: A logon was attempted using explicit credentials.OREvent ID 4688: A new process has been created.

3 rules

Sigma

SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) (source)

mdecrevoisier

Splunk

WMIC Explicit Credentials (Windows Event Log) (source)

ADExplorer Execution (Windows Event Log) (source)

Event Log

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 5145: A network share object was checked to see whether client can be granted desired access.

3 rules

Splunk

Command Output Redirected to Localhost (Windows Event Log) (source)

Impacket PSexec (Windows Event Log) (source)

Certificate Enumeration - Windows (Windows Event Log) (source)

Security-Auditing Event ID 4688: A new process has been created.ANDSysmon Event ID 1: Process creation

2 rules

Elastic

AWS SSM `SendCommand` with Run Shell Command Parameters (source)

Elastic

First Time Seen Remote Monitoring and Management Tool (source)

Elastic

Security-Auditing Event ID 4663: An attempt was made to access an object.OREvent ID 4688: A new process has been created.

2 rules

Kusto

Identify SysAid Server web shell creation (source)

Microsoft Security Research

Potential Build Process Compromise (source)

Microsoft Security Research

Event Log

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4688: A new process has been created.

2 rules

Splunk

Service Stop Commands (Windows Event Log) (source)

Windows - Service Stop (Windows Event Log) (source)

Remote Msi Installation

Security-Auditing Event ID 4688: A new process has been created.ORMsiInstaller Event ID 1040: Beginning a Windows Installer transaction: %0OREvent ID 1042: Ending a Windows Installer transaction: %0

2 rules

Splunk

Remote .msi Installation (Windows Event Log) (source)

(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

1 rule

Elastic

Execution of Persistent Suspicious Program (source)

Elastic

Credential Access: DCSync

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4688: A new process has been created.OREvent ID 4690: An attempt was made to duplicate a handle to an object.

1 rule

Splunk

Mimikatz (Windows Event Log) (source)

Security-Auditing Event ID 4688: A new process has been created.ORService-Control-Manager Event ID 7045: A service was installed in the system.

1 rule

Splunk

Impacket SMBexec (Windows Event Log) (source)

Persistence: Account Manipulation

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 4720: A user account was created.OREvent ID 4732: A member was added to a security-enabled local group.

1 rule

Splunk

Create_Add Local_Domain User (Windows Event Log) (source)

Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creationOREvent ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent

1 rule

Elastic

Potential Remote Desktop Shadowing Activity (source)

Elastic

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 4698: A scheduled task was created.

1 rule

Splunk

Scheduled Task with Potential SSH Tunnel - Windows (Windows Event Log) (source)

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 4778: A session was reconnected to a Window Station.OREvent ID 4779: A session was disconnected from a Window Station.

1 rule

Splunk

(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→Event ID 22: DNSEvent

1 rule

Elastic

MsBuild Making Network Connections (source)

Elastic

Execution: Exploitation for Client Execution

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 5156: The Windows Filtering Platform has permitted a connection.ORSysmon Event ID 1: Process creation

1 rule

Kusto

Execution of software vulnerable to webp buffer overflow of CVE-2023-4863 (source)

Privilege Escalation: Bypass User Account Control

Security-Auditing Event ID 4657: A registry value was modified.ANDEvent ID 4688: A new process has been created.

1 rule

Kusto

Potential Fodhelper UAC Bypass (source)

Stealth: Create Process with Token

Security-Auditing Event ID 4624: An account was successfully logged on.→(Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

1 rule

Elastic

Process Creation via Secondary Logon (source)

Elastic

Stealth: Token Impersonation/Theft

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4688: A new process has been created.

1 rule

Sigma

Anonymous login (RottenPotatoNG) (source)

mdecrevoisier

Stealth: Create Process with Token

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4648: A logon was attempted using explicit credentials.OREvent ID 4688: A new process has been created.

1 rule

Sigma

Privilege escalation via runas (command) (source)

mdecrevoisier

Stealth: Msiexec

(Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent)→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

1 rule

Elastic

Windows Installer with Suspicious Properties (source)

Elastic

Stealth: Impair Defenses

Security-Auditing Event ID 4670: Permissions on an object were changed.OREvent ID 4688: A new process has been created.

1 rule

Kusto

Security Service Registry ACL Modification (source)

Microsoft Security Research

Credential Access: LSASS Memory

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4688: A new process has been created.OREvent ID 4703: A user right was adjusted.

1 rule

Splunk

Common LSASS Memory Dump Behavior (Windows Event Log) (source)

Credential Access: LSASS Memory

1 rule

Splunk

Task Manager lsass Dump (Windows Event Log) (source)

Credential Access: Steal or Forge Authentication Certificates

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 4886: Certificate Services received a certificate request.OREvent ID 4887: Certificate Services approved a certificate request and issued a certificate.

1 rule

Splunk

Certificate Abuse - Windows (Windows Event Log) (source)

Lateral Movement: Exploitation of Remote Services

1 rule

Kusto

Gain Code Execution on ADFS Server via Remote WMI Execution (source)

Microsoft Security Research

Lateral Movement: Exploitation of Remote Services

1 rule

Kusto

Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task (source)

Exfiltration: Exfiltration Over Alternative Protocol

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 5156: The Windows Filtering Platform has permitted a connection.

1 rule

Splunk

PuTTY Secure Copy Client Execution (Windows Event Log) (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`event.type`	eq	`start`	242 rules	elastic
`process_name`	eq	`powershell.exe`	91 rules	elastic, splunk
`process_name`	eq	`cmd.exe`	71 rules	elastic, splunk
`process_name`	eq	`pwsh.exe`	55 rules	elastic, splunk
`process_name`	eq	`rundll32.exe`	48 rules	elastic, splunk
`process_name`	eq	`powershell_ise.exe`	46 rules	elastic, splunk
`process_name`	eq	`wmic.exe`	43 rules	elastic, splunk
`Image`	ends_with	`\powershell.exe`	64 rules	sigma
`Image`	ends_with	`\cmd.exe`	56 rules	sigma
`Image`	ends_with	`\pwsh.exe`	53 rules	sigma
`Image`	ends_with	`\cscript.exe`	38 rules	sigma
`Image`	ends_with	`\rundll32.exe`	38 rules	sigma
`Image`	ends_with	`\wscript.exe`	38 rules	sigma
`Image`	ends_with	`\mshta.exe`	34 rules	sigma
`Image`	ends_with	`\regsvr32.exe`	34 rules	sigma

Detection Rules #

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 4689: A process has exited.ORSysmon Event ID 1: Process creationOREvent ID 5: Process terminated

Sigma # view in coverage

Chromium Browser Headless Execution To Mockbin Like Site source high: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
NtdllPipe Like Activity Execution source high: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
Potentially Suspicious Child Process Of ClickOnce Application source medium: Detects potentially suspicious child processes of a ClickOnce deployment application

Show 17 more (120 total)

Potential Discovery Activity Via Dnscmd.EXE source medium: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
Uncommon FileSystem Load Attempt By Format.com source high: Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
Potentially Suspicious GoogleUpdate Child Process source high: Detects potentially suspicious child processes of "GoogleUpdate.exe"
Arbitrary Binary Execution Using GUP Utility source medium: Detects execution of the Notepad++ updater (gup) to launch other commands or executables
HackTool - LaZagne Execution source medium: Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
HackTool - Wmiexec Default Powershell Command source high: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
ImagingDevices Unusual Parent/Child Processes source high: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
Suspicious Execution of InstallUtil Without Log source medium: Uses the .NET InstallUtil.exe application in order to execute image without log
Suspicious Shells Spawn by Java Utility Keytool source high: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
Suspicious Processes Spawned by Java.EXE source high: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
Shell Process Spawned by Java.EXE source medium: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
Potentially Suspicious Execution Of PDQDeployRunner source medium: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
Suspicious Obfuscated PowerShell Code source high: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
Email Exifiltration Via Powershell source high: Detects email exfiltration via powershell cmdlets
Potential Suspicious Windows Feature Enabled - ProcCreation source medium: Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Suspicious PowerShell Invocations - Specific - ProcessCreation source medium: Detects suspicious PowerShell invocation command parameters
Suspicious PowerShell Mailbox Export to Share source critical: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations

Elastic # view in coverage

Potential LSASS Clone Creation via PssCaptureSnapShot source high: Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.

Splunk # view in coverage

Unusually Long Command Line source: The following analytic detects unusually long command lines, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the length of command lines executed on hosts. This…
1 or 2 Character Executable (Windows Event Log) source: Adversaries have been known to occasionally use executable files named with only 1 or 2 word characters
3CXDesktopApp.exe Execution (Windows Event Log) source: Malicious activity has been detected on March 29, 2023, originating from a legitimate and signed binary called 3CXDesktopApp, which is a softphone application from 3CX. This malicious activity includes beaconing to infrastructure…

Show 17 more (263 total)

Abuse EQNEDT32.EXE (Windows Event Log) source: Detects potential malicious Microsoft Office payload (CVE-2017-11882 or CVE-2018-0798) on host. Equation Editor
Access Common Package Config file (Windows Event Log) source: Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. An Adversary with access could identify or modify configuration of packages in order to execute code…
Account Password Changed from Command Line - Windows (Windows Event Log) source: Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.…
Account set to active via Net.exe (Windows Event Log) source: Adversaries may obtain and abuse credentials of a default or disabled account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the…
ADExplorer Snapshot Creation (Windows Event Log) source: Active Directory Explorer (AD Explorer) is a tool from the Sysinternals suite that allows users to view, search, and analyze objects within Active Directory, and it includes the capability to take snapshots of the AD database for offline…
Adfind Commands (Windows Event Log) source: AdFind is a free command-line query tool that can be used for gathering information from Active Directory. In some instances Adversaries have renamed adfind in order to avoid detection. This use case looks for common commands of Adfind
Adfind Execution (Windows Event Log) source: AdFind is a free command-line query tool that can be used for gathering information from Active Directory. This use case looks for process executions of Adfind
Advanced IP Scanner Execution (Windows Event Log) source: Advanced IP Scanner is a legitimate utility that can perform network scanning. Several threat actors, including UNC2465, Conti, Pysa ransomware and FIN12, have been reported to use Advanced IP Scanner during reconnaissance activities
Advanced Port Scanner Execution (Windows Event Log) source: Advanced Port Scanner is a free network scanner that allows users to quickly find open ports on network computers and retrieve versions of programs running on the ports it detects. Threat actors using Rhysida ransomware have been reported…
AnyDesk Command Line Execution (Windows Event Log) source: For most users, normal AnyDesk activity is executed via the GUI. This use case detects anydesk.exe calls from cmd.exe or PowerShell.exe. Install commands have been filtered out by default
AnyDesk Execution from Suspicious Folder (Windows Event Log) source: Adversaries may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software,…
AnyDesk Silent Install (Windows Event Log) source: An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. BlackByte ransomware group has been observed performing silent installs…
Application Discovery - Windows (Windows Event Log) source: Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on…
ATBroker.exe Execution (Windows Event Log) source: Helper binary for Assistive Technology (AT), Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistive Technology (AT) service entry
Attempted Veeam Database Credential Dump (Windows Event Log) source: Operators from the Diavol ransomware gang were observed using sqlcmd to extract encrypted credentials from Veeam databases that were decrypted using a publicly documented technique on Veeam's R+D forums. This use case detects commands…
Attrib.exe Metasploit File Dropper (Windows Event Log) source: Using attrib.exe, an adversary may display or change file attributes in order to bypass UAC restrictions. Metasploits file_dropper.rb, which is include in some payloads uses this to assist in removing artifacts
AutoHotkey Execution (Windows Event Log) source: Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be…

Kusto # view in coverage

SUNBURST suspicious SolarWinds child processes source medium: Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
Unusual identity creation using exchange powershell source high: The query below identifies creation of unusual identity by the Europium actor to mimic Microsoft Exchange Health Manager Service account using Exchange PowerShell commands Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/
Identify Mango Sandstorm powershell commands source high: The query below identifies powershell commands used by the threat actor Mango Sandstorm. Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/

Show 17 more (29 total)

Midnight Blizzard - suspicious rundll32.exe execution of vbscript source medium: This query idenifies when rundll32.exe executes a specific set of inline VBScript commands References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
Midnight Blizzard - Script payload stored in Registry source medium: This query identifies when a process execution command-line indicates that a registry value is written to allow for later execution a malicious script References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
Silk Typhoon New UM Service Child Process source medium: This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Powershell Empire Cmdlets Executed in Command Line source medium: This query identifies use of PowerShell Empire's cmdlets within the command line data of the PowerShell process, indicating potential use of the post-exploitation tool.
DEV-0270 New User Creation source high: The following query tries to detect creation of a new user using a known DEV-0270 username/password schema
Dev-0270 Malicious Powershell usage source high: DEV-0270 heavily uses powershell to achieve their objective at various stages of their attack. To locate powershell related activity tied to the actor, Microsoft Sentinel customers can run the following query.
Dev-0270 Registry IOC - September 2022 source high: The query below identifies modification of registry by Dev-0270 actor to disable security feature as well as to add ransom notes
Dev-0270 WMIC Discovery source high: The query below identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the environment.
Windows Binaries Executed from Non-Default Directory source medium: The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\Windows, C:\Windows\System32 etc.). Ref: https://lolbas-project.github.io/
Base64 encoded Windows process command-lines source medium: Identifies instances of a base64-encoded PE file header seen in the process command line parameter.
Process executed from binary hidden in Base64 encoded file source medium: Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. The third one is looking for Ruby decoding base64.
Malware in the recycle bin source medium: The query detects Windows binaries that can be used for executing malware and have been hidden in the recycle bin. The list of these binaries is sourced from https://lolbas-project.github.io/ References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.
Network endpoint to host executable correlation source medium: 'Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.
Caramel Tsunami Actor IOC - July 2021 source high: Identifies a match across IOC's related to an actor tracked by Microsoft as Caramel Tsunami
Chia_Crypto_Mining IOC - June 2021 source low: Identifies a match across IOC's related to Chia cryptocurrency farming/plotting activity
NRT Base64 Encoded Windows Process Command-lines source medium: This detection identifies instances of a base64 encoded PE file header seen in the process command line parameter.
NRT Process executed from binary hidden in Base64 encoded file source medium: Encoding malicious software is a technique used to obfuscate files from detection. The first CommandLine component is looking for Python decoding base64. The second CommandLine component is looking for Bash/sh command line base64 decoding. The third one is looking for Ruby decoding base64.

YARA-L # view in coverage

GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage source: Alerts when an authorization token originating from GKE activity is subsequently used within a command line on an endpoint system, suggesting potential credential exfiltration and reuse.↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials.
W3WP Launching Encoded Powershell source: Detects on the execution of an encoded powershell command with a parent process of w3wp.exe.
Potential Webshell Process Execution source: Detects on the execution arguments associated with cmd.exe invocations originating from an active ASP.NET webshell.

Show 17 more (69 total)

Base64 Encoded PowerShell Command Detected source: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
ConvertTo-SecureString Cmdlet Usage Via CommandLine source: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
Copy From Or To Admin Share Or Sysvol Folder source: Detects a copy command or a copy utility execution to or from an Admin share or remote
CreateDump Process Dump source: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
Direct Autorun Keys Modification source: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe
File Download Using Notepad++ GUP Utility source: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files
File Download Via Windows Defender MpCmpRun.EXE source: Detects the use of Windows Defender MpCmdRun.EXE to download files
Finger.EXE Execution source: Detects execution of the finger.exe utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of finger.exe can be considered suspicious and worth investigating.
HackTool - Dumpert Process Dumper Execution source: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
Hacktool - IronSharpPack Execution source: Detects the execution of known attacker tools, including but not limited to those in the IronSharpPack toolset. These tools are commonly used for offensive security operations and may indicate malicious activity if observed in unauthorized environments.
HackTool - Mimikatz Execution source: Detection well-known mimikatz command line arguments
Purple Knight Tool Execution Detected source: This detection rule identifies the execution of the Purple Knight tool, a free Active Directory security assessment utility developed by Semperis. Purple Knight is designed to scan for AD vulnerabilities, misconfigurations, and common attack paths. While it is a legitimate tool used by defenders, its execution in production environments may also indicate red team activity or unauthorized reconnaissance by adversaries attempting to map domain weaknesses.
Hacktool - SharpSuccessor Execution source: SharpSuccessor is a .NET-based post-exploitation tool designed to weaponize the BadSuccessor attack discovered by Yuval Gordon (@YuG0rd) from Akamai. It allows a low-privileged user with 'CreateChild' permissions over any Organizational Unit (OU) in an Active Directory domain to escalate privileges to Domain Administrator. This detection rule identifies execution patterns or behavioral indicators linked to SharpSuccessor activity, which may signal privilege escalation attempts in Active Directory environments.
Hacktool - WinPEAS Execution Patterns source: This detection rule identifies the execution of WinPEAS (Windows Privilege Escalation Awesome Script), a post-exploitation reconnaissance tool used to discover privilege escalation paths on Windows systems. WinPEAS performs a wide range of local enumeration checks, including service misconfigurations, permission issues, token privileges, and more. Its usage is commonly observed during red team assessments and by adversaries seeking to elevate privileges after gaining initial access. WinPEAS checks are well-documented in the HackTricks knowledge base.
Impacket WMIExec CISA Report source: Detects the artifacts generally associated with the use of wmiexec.py
Local Accounts Discovery source: Local accounts, System Owner/User discovery using operating systems utilities
LSASS Dump Keyword In CommandLine source: Detects the presence of the keywords lsass and .dmp in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4688
Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/evtx-4688-process-created.md
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4688_v2.yml

Event ID 4689: A process has exited.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Detailed Tracking → Process Termination
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates every time a process has exited.

Message #

A process has exited.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Process Information:
	Process ID: %6
	Process Name: %7
	Exit Status: %5

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested the "terminate process" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "terminate process" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that terminated the process. Correlates with Event ID 4624.
`Status` HexInt32	Hexadecimal exit code of exited/terminated process. NTSTATUS reference
`ProcessId` Pointer	Hexadecimal Process ID of the ended/terminated process.
`ProcessName` UnicodeString	Full path and the executable name of the exited/terminated process.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4689,
    "version": 0,
    "level": 0,
    "task": 13313,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:29.6959757+00:00",
    "event_record_id": 3213424,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4004
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0xbf3b6",
    "Status": "0x0",
    "ProcessId": "0x64c",
    "ProcessName": "C:\\ludus\\background\\bginfo.exe"
  },
  "message": "A process has exited.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0xBF3B6\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x64c\r\n\tProcess Name:\tC:\\ludus\\background\\bginfo.exe\r\n\tExit Status:\t0x0"
}

Detection Patterns #

12 rules

Kusto

SUNBURST suspicious SolarWinds child processes (Normalized Process Events) (source)

Yuval Naor

Base64 encoded Windows process command-lines (Normalized Process Events) (source)

Yuval Naor

Process Creation with Suspicious CommandLine Arguments (source)

Show 9 more (12 total) on the rules page

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`CommandLine`	contains	`-r`	2 rules	kusto, sigma
`CommandLine`	contains	`-s`	2 rules	elastic, kusto, sigma, splunk
`CommandLine`	contains	`-exclusionpath`	1 rule	kusto
`CommandLine`	contains	`-k gpsvcgroup`	1 rule	kusto
`CommandLine`	contains	`-q`	1 rule	kusto, sigma, splunk
`CommandLine`	contains	`-s gpsvc`	1 rule	kusto
`CommandLine`	contains	`/set`	1 rule	kusto, splunk
`CommandLine`	contains	`accepteula`	1 rule	kusto, sigma, splunk
`CommandLine`	contains	`advfirewall`	1 rule	kusto, sigma
`CommandLine`	contains	`delete`	1 rule	kusto, sigma, splunk
`CommandLine`	contains	`execute`	1 rule	kusto, sigma
`CommandLine`	contains	`onstart`	1 rule	kusto, sigma
`CommandLine`	contains	`regread`	1 rule	kusto, sigma
`CommandLine`	contains	`sdelete`	1 rule	kusto
`EventType`	eq	`ProcessCreated`	2 rules	kusto

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4689
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-termination
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4689
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4689.yml

Event ID 4690: An attempt was made to duplicate a handle to an object.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Handle Manipulation
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

An attempt was made to duplicate a handle to an object.

Message #

An attempt was made to duplicate a handle to an object.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Source Handle Information:
	Source Handle ID: %5
	Source Process ID: %6

New Handle Information:
	Target Handle ID: %7
	Target Process ID: %8

Fields #

Name	Description
`SubjectUserSid`	SID of account that made an attempt to duplicate a handle to an object.
`SubjectUserName`	The name of the account that made an attempt to duplicate a handle to an object.
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`SourceHandleId`	Hexadecimal value of a handle which was duplicated.
`SourceProcessId`	Hexadecimal Process ID of the process which opened the Source Handle ID before it was duplicated.
`TargetHandleId`	Hexadecimal value of the new handle (the copy of Source Handle ID).
`TargetProcessId`	Hexadecimal Process ID of the process which opened the Target Handle ID.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4690,
    "version": 0,
    "level": 0,
    "task": 12807,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:53.1095914+00:00",
    "event_record_id": 3213663,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4672
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-C$",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x3e7",
    "SourceHandleId": "0x1150",
    "SourceProcessId": "0x1584",
    "TargetHandleId": "0x23c",
    "TargetProcessId": "0x4"
  },
  "message": "An attempt was made to duplicate a handle to an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nSource Handle Information:\r\n\tSource Handle ID:\t0x1150\r\n\tSource Process ID:\t0x1584\r\n\r\nNew Handle Information:\r\n\tTarget Handle ID:\t0x23c\r\n\tTarget Process ID:\t0x4"
}

Detection Patterns #

Credential Access: DCSync

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4688: A new process has been created.OREvent ID 4690: An attempt was made to duplicate a handle to an object.

1 rule

Splunk

Mimikatz (Windows Event Log) (source)

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4690
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-handle-manipulation
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4690
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4690.yml

Event ID 4691: Indirect access to an object was requested.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Other Object Access Events
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event indicates that indirect access to an object was requested.

Message #

Indirect access to an object was requested.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Type: %5
	Object Name: %6

Process Information:
	Process ID: %9

Access Request Information:
	Accesses: %7
	Access Mask: %8

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested an access to the object.
`SubjectUserName` UnicodeString	The name of the account that requested an access to the object.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`ObjectType` UnicodeString	The type of an object for which access was requested.
`ObjectName` UnicodeString	Full path and name of the object for which access was requested.
`AccessList` UnicodeString	[Access Request Information] Accesses.
`AccessMask` HexInt32	The value of this parameter is in decimal format. There is no detailed information about this parameter in this document. If Desired Access is not presented, then this parameter will have "0" value. Access mask reference Bitmask flags `0x80000000` GENERIC_READ `0x40000000` GENERIC_WRITE `0x20000000` GENERIC_EXECUTE `0x10000000` GENERIC_ALL `0x02000000` MAXIMUM_ALLOWED `0x01000000` ACCESS_SYSTEM_SECURITY `0x00100000` SYNCHRONIZE `0x00080000` WRITE_OWNER `0x00040000` WRITE_DAC `0x00020000` READ_CONTROL `0x00010000` DELETE `0x00000001` FILE_READ_DATA / FILE_LIST_DIRECTORY (file/dir); KEY_QUERY_VALUE (registry); ACTRL_DS_CREATE_CHILD (AD DS); SERVICE_QUERY_CONFIG (service) `0x00000002` FILE_WRITE_DATA / FILE_ADD_FILE (file/dir); KEY_SET_VALUE (registry); ACTRL_DS_DELETE_CHILD (AD DS); SERVICE_CHANGE_CONFIG (service) `0x00000004` FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY (file/dir); KEY_CREATE_SUB_KEY (registry); ACTRL_DS_LIST / DS_LIST_CONTENTS (AD DS); SERVICE_QUERY_STATUS (service) `0x00000008` FILE_READ_EA (file/dir); KEY_ENUMERATE_SUB_KEYS (registry); ACTRL_DS_SELF / DS_WRITE_PROPERTY_EXTENDED (AD DS); SERVICE_ENUMERATE_DEPENDENTS (service) `0x00000010` FILE_WRITE_EA (file/dir); KEY_NOTIFY (registry); ACTRL_DS_READ_PROP / DS_READ_PROPERTY (AD DS); SERVICE_START (service) `0x00000020` FILE_EXECUTE / FILE_TRAVERSE (file/dir); KEY_CREATE_LINK (registry); ACTRL_DS_WRITE_PROP / DS_WRITE_PROPERTY (AD DS); SERVICE_STOP (service) `0x00000040` FILE_DELETE_CHILD (file/dir); ACTRL_DS_DELETE_TREE (AD DS); SERVICE_PAUSE_CONTINUE (service) `0x00000080` FILE_READ_ATTRIBUTES (file/dir); ACTRL_DS_LIST_OBJECT (AD DS); SERVICE_INTERROGATE (service) `0x00000100` FILE_WRITE_ATTRIBUTES (file/dir); ACTRL_DS_CONTROL_ACCESS / DS_CONTROL_ACCESS (AD DS); SERVICE_USER_DEFINED_CONTROL (service); KEY_WOW64_64KEY (registry redirector; winnt.h) `0x00000200` KEY_WOW64_32KEY (registry redirector; winnt.h) `0x00000800` PROCESS_SUSPEND_RESUME (process; NtSuspendProcess / NtResumeProcess); also aliased as PROCESS_SET_PORT in legacy NT native headers; THREAD_QUERY_LIMITED_INFORMATION (thread) `0x00001000` PROCESS_QUERY_LIMITED_INFORMATION (process; subset query for protected-process scenarios; Vista+); THREAD_RESUME (thread) `0x00002000` PROCESS_SET_LIMITED_INFORMATION (process; write-side counterpart to QUERY_LIMITED_INFORMATION; not in MS Learn docs but defined in winnt.h and confirmed in System Informer / Process Hacker headers); not assigned for thread objects
`ProcessId` Pointer	Hexadecimal Process ID of the process through which the access was requested.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4691
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4691
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4691.yml
MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format

Event ID 4692: Backup of data protection master key was attempted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Detailed Tracking → DPAPI Activity
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

This event generates every time that a backup is attempted for the DPAPI Master Key.

Message #

Backup of data protection master key was attempted.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Key Information:
	Key Identifier: %5
	Recovery Server: %6
	Recovery Key ID: %7

Status Information:
	Status Code: %8

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested backup operation.
`SubjectUserName` UnicodeString	The name of the account that requested backup operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`MasterKeyId` UnicodeString	Unique identifier of a master key which backup was created.
`RecoveryServer` UnicodeString	The name (typically - DNS name) of the computer that you contacted to back up your Master Key.
`RecoveryKeyId` UnicodeString	[Key Information] Recovery Key ID.
`FailureReason` HexInt32	Hexadecimal unique status code of performed operation. Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used. `0x0` Success (no failure - emitted by DPAPI Activity events 4692/4694/4695 when the master-key backup or auditable-data protect/unprotect operation succeeded, and by IPsec Main Mode success paths on 4652/4653/4654) `New policy invalidated SAs formed with old policy` IPsec Main Mode SA was torn down because a new IPsec policy rendered the existing SA invalid (event 4653 specific reason string)

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4692,
    "version": 0,
    "level": 0,
    "task": 13314,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-14T16:30:04.309269+00:00",
    "event_record_id": 2554242,
    "correlation": {
      "ActivityID": "0375AF68-73B8-434A-AE18-9AF03149A7A2"
    },
    "execution": {
      "process_id": 1092,
      "thread_id": 4244
    },
    "channel": "Security",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0x1470e85",
    "MasterKeyId": "0bb6fb5d-7c2d-44b7-8df0-e4526299350b",
    "RecoveryServer": "",
    "RecoveryKeyId": "fed516d7-c48c-48e4-8eb3-77f6590ccb36",
    "FailureReason": "0x0"
  },
  "message": ""
}

Community Notes #

Backup of a user/computer master key to the DC, rarely seen after first logon. Several events may indicate key theft or mass profile creation.

Detection Rules #

Security-Auditing Event ID 4697: A service was installed in the system.ORService-Control-Manager Event ID 7045: A service was installed in the system.

Sigma # view in coverage

DPAPI Domain Master Key Backup Attempt source medium: Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4692
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4692
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4692.yml

Event ID 4693: Recovery of data protection master key was attempted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Detailed Tracking → DPAPI Activity
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

This event generates every time that recovery is attempted for a DPAPI Master Key.

Message #

Recovery of data protection master key was attempted.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Key Information:
	Key Identifier: %5
	Recovery Server: %6
	Recovery Key ID: %8
	Recovery Reason: %7

Status Information:
	Status Code: %9

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested the "recover" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "recover" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`MasterKeyId` UnicodeString	Unique identifier of a master key which was recovered.
`RecoveryReason` HexInt32	[Key Information] Recovery Server.
`RecoveryServer` UnicodeString	The name (typically - DNS name) of the computer that you contacted to recover your Master Key.
`RecoveryKeyId` UnicodeString	[Key Information] Recovery Key ID.
`FailureId` HexInt32	[Status Information] Status Code.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
    "event_source_name": "",
    "event_id": 4693,
    "version": 0,
    "level": 0,
    "task": 13314,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-05-09T01:44:04.1217572+00:00",
    "event_record_id": 1374202,
    "correlation": {
      "ActivityID": "{8136b4b2-df15-0001-28b5-368115dfdc01}"
    },
    "execution": {
      "process_id": 856,
      "thread_id": 10732
    },
    "channel": "Security",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1000",
    "SubjectUserName": "localuser",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0x9768e82",
    "MasterKeyId": "a4925fae-ad66-4b84-9d47-a6b5f25cb296",
    "RecoveryReason": "0x5c005c",
    "RecoveryServer": "tel2-DC01-2022.ludus.domain",
    "RecoveryKeyId": "",
    "FailureId": "0x660000"
  },
  "message": ""
}

Community Notes #

May appear when an attacker re-uses offline profiles or moves tokens between hosts. Correlate with LogonType 7/9 in 4624. Detecting Credential Stealing Attacks Through Active In-Network Defense

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4693
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4693
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4693.yml

Event ID 4694: Protection of auditable protected data was attempted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Detailed Tracking → DPAPI Activity
Collection Priority: Recommended (ASD, others)
Opcode: Info

Description

This event generates if DPAPI's CryptProtectData() function was used with CRYPTPROTECT_AUDIT flag (dwFlags) enabled."

Message #

Protection of auditable protected data was attempted.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Protected Data:
	Data Description: %6
	Key Identifier: %5
	Protected Data Flags: %7
	Protection Algorithms: %8

Status Information:
	Status Code: %9

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested the "recover" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "recover" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, 4624 An account was successfully logged on.
`DataDescription` UnicodeString	[Protected Data] Key Identifier.
`MasterKeyId` UnicodeString	[Protected Data] Data Description.
`ProtectedDataFlags` HexInt32	[Protected Data] Protected Data Flags.
`CryptoAlgorithms` UnicodeString	Cryptographic Algorithms of the protection.
`FailureReason` HexInt32	[Status Information] Status Code. Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used. `0x0` Success (no failure - emitted by DPAPI Activity events 4692/4694/4695 when the master-key backup or auditable-data protect/unprotect operation succeeded, and by IPsec Main Mode success paths on 4652/4653/4654) `New policy invalidated SAs formed with old policy` IPsec Main Mode SA was torn down because a new IPsec policy rendered the existing SA invalid (event 4653 specific reason string)

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4694,
    "version": 0,
    "level": 0,
    "task": 13314,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-28T11:13:17.1720276+00:00",
    "event_record_id": 148419,
    "correlation": {
      "ActivityID": "{AFDF3271-EE92-0002-8732-DFAF92EEDC01}"
    },
    "execution": {
      "process_id": 716,
      "thread_id": 856
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-D$",
    "SubjectDomainName": "cell-d",
    "SubjectLogonId": "0x3e7",
    "DataDescription": "f473ef67-ece5-43ff-96f1-8e4afb28b032",
    "MasterKeyId": "Microsoft Edge",
    "ProtectedDataFlags": "0x10",
    "CryptoAlgorithms": "AES-256 , SHA2-512 ",
    "FailureReason": "0x0"
  },
  "message": "Protection of auditable protected data was attempted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x3E7\r\n\r\nProtected Data:\r\n\tData Description:\tMicrosoft Edge\r\n\tKey Identifier:\tf473ef67-ece5-43ff-96f1-8e4afb28b032\r\n\tProtected Data Flags:\t0x10\r\n\tProtection Algorithms:\tAES-256 , SHA2-512 \r\n\r\nStatus Information:\r\n\tStatus Code:\t0x0"
}

Community Notes #

When seen outside of software installation it may indicate payload staging hidden in DPAPI.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4694
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4694
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4694.yml

Event ID 4695: Unprotection of auditable protected data was attempted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Detailed Tracking → DPAPI Activity
Collection Priority: Low (Splunk-UBA, others)
Opcode: Info

Description

This event generates if DPAPI CryptUnprotectData() function was used to unprotect "auditable" data that was encrypted using CryptProtectData() function with CRYPTPROTECT_AUDIT flag (dwFlags) enabled.

Message #

Unprotection of auditable protected data was attempted.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Protected Data:
	Data Description: %6
	Key Identifier: %5
	Protected Data Flags: %7
	Protection Algorithms: %8

Status Information:
	Status Code: %9

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested the "recover" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "recover" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, 4624 An account was successfully logged on.
`DataDescription` UnicodeString	[Protected Data] Key Identifier.
`MasterKeyId` UnicodeString	[Protected Data] Data Description.
`ProtectedDataFlags` HexInt32	[Protected Data] Protected Data Flags.
`CryptoAlgorithms` UnicodeString	Cryptographic Algorithms of the protection.
`FailureReason` HexInt32	[Status Information] Status Code. Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used. `0x0` Success (no failure - emitted by DPAPI Activity events 4692/4694/4695 when the master-key backup or auditable-data protect/unprotect operation succeeded, and by IPsec Main Mode success paths on 4652/4653/4654) `New policy invalidated SAs formed with old policy` IPsec Main Mode SA was torn down because a new IPsec policy rendered the existing SA invalid (event 4653 specific reason string)

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4695,
    "version": 0,
    "level": 0,
    "task": 13314,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-28T11:13:16.4858984+00:00",
    "event_record_id": 148405,
    "correlation": {
      "ActivityID": "{AFDF3271-EE92-0002-8732-DFAF92EEDC01}"
    },
    "execution": {
      "process_id": 716,
      "thread_id": 856
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "cell-d",
    "SubjectLogonId": "0xb66c2",
    "DataDescription": "8a90013b-ac90-4aba-b6ae-569774230578",
    "MasterKeyId": "Microsoft Edge",
    "ProtectedDataFlags": "0x0",
    "CryptoAlgorithms": "3DES-192 , SHA1-160 ",
    "FailureReason": "0x0"
  },
  "message": "Unprotection of auditable protected data was attempted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0xB66C2\r\n\r\nProtected Data:\r\n\tData Description:\tMicrosoft Edge\r\n\tKey Identifier:\t8a90013b-ac90-4aba-b6ae-569774230578\r\n\tProtected Data Flags:\t0x0\r\n\tProtection Algorithms:\t3DES-192 , SHA1-160 \r\n\r\nStatus Information:\r\n\tStatus Code:\t0x0"
}

Community Notes #

Pair with 4694 to identify which user accessed encrypted blobs.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4695
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4695
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4695.yml

Event ID 4696: A primary token was assigned to process.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Detailed Tracking → Process Creation
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time a process runs using the non-current access token, for example, UAC elevated token, RUN AS different user actions, scheduled task with defined user, services, and so on.

Message #

A primary token was assigned to process.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Process Information:
	Process ID: %11
	Process Name: %12

Target Process:
	Target Process ID: %9
	Target Process Name: %10

New Token Information:
	Security ID: %5
	Account Name: %6
	Account Domain: %7
	Logon ID: %8

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested the "assign token to process" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "assign token to process" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`TargetUserSid` SID	SID of account through which the security token will be assigned to the new process.
`TargetUserName` UnicodeString	The name of the account through which the security token will be assigned to the new process.
`TargetDomainName` UnicodeString	Subject's domain or computer name.
`TargetLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`TargetProcessId` Pointer	Hexadecimal Process ID of the new process with new security token. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
`TargetProcessName` UnicodeString	Full path and the name of the executable for the new process.
`ProcessId` Pointer	Hexadecimal Process ID of the process which started the new process with the new security token.
`ProcessName` UnicodeString	Full path and the name of the executable for the process which ran the new process with new security token.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4696,
    "version": 0,
    "level": 0,
    "task": 13312,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:32:46.0531218+00:00",
    "event_record_id": 1715898,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 176
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "-",
    "SubjectDomainName": "-",
    "SubjectLogonId": "0x3e7",
    "TargetUserSid": "S-1-0-0",
    "TargetUserName": "-",
    "TargetDomainName": "-",
    "TargetLogonId": "0x3e7",
    "TargetProcessId": "0xac",
    "TargetProcessName": "Registry",
    "ProcessId": "0x4",
    "ProcessName": ""
  },
  "message": "A primary token was assigned to process.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x3E7\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x4\r\n\tProcess Name:\t\r\n\r\nTarget Process:\r\n\tTarget Process ID:\t0xac\r\n\tTarget Process Name:\tRegistry\r\n\r\nNew Token Information:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x3E7"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4696
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4696
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4696.yml

Event ID 4697: A service was installed in the system.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Security System Extension
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates when new service was installed in the system.

Message #

A service was installed in the system.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Service Information:
	Service Name: %5
	Service File Name: %6
	Service Type: %7
	Service Start Type: %8
	Service Account: %9

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that was used to install the service.
`SubjectUserName` UnicodeString	The name of the account that was used to install the service.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`ServiceName` UnicodeString	The name of installed service.	28 detection rules
`ServiceFileName` UnicodeString	This is the fully rooted path to the file that the Service Control Manager will execute to start the service.	90 detection rules
`ServiceType` HexInt32	Indicates the type of service that was registered with the Service Control Manager. The field is a winsvc.h SERVICE_* bitmask; SCM combines bits when registering (e.g., 0x110 = SERVICE_WIN32_OWN_PROCESS \| SERVICE_INTERACTIVE_PROCESS for an interactive own-process service). The event log renders this field as a hex string (0x1, 0x10, 0x110, etc.) since the field type is HexInt32. Bitmask flags `0x00000001` SERVICE_KERNEL_DRIVER (winsvc.h) `0x00000002` SERVICE_FILE_SYSTEM_DRIVER (winsvc.h) `0x00000004` SERVICE_ADAPTER (winsvc.h) `0x00000008` SERVICE_RECOGNIZER_DRIVER (winsvc.h) `0x00000010` SERVICE_WIN32_OWN_PROCESS (winsvc.h) `0x00000020` SERVICE_WIN32_SHARE_PROCESS (winsvc.h) `0x00000040` SERVICE_USER_OWN_PROCESS (winsvc.h; per-user own-process service) `0x00000050` SERVICE_USER_SHARE_PROCESS (winsvc.h; per-user shared-process service) `0x00000100` SERVICE_INTERACTIVE_PROCESS (winsvc.h; combined with WIN32_* to mark a desktop-interactive service)	1 detection rule
`ServiceStartType` UInt32	The service start type can have one of the following values (see: https://msdn.microsoft.com/library/windows/desktop/ms682450(v=vs.85).aspx). Known values `0` Boot `1` System `2` Automatic `3` Manual `4` Disabled	1 detection rule
`ServiceAccount` UnicodeString	The security context that the service will run as when started.
`ClientProcessStartKey` UInt64
`ClientProcessId` UInt32		1 detection rule
`ParentProcessId` UInt32		1 detection rule

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4697,
    "version": 1,
    "level": 0,
    "task": 12289,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:51:28.3287063+00:00",
    "event_record_id": 1904986,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 7632
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-A$",
    "SubjectDomainName": "cell-a",
    "SubjectLogonId": "0x3e7",
    "ServiceName": "KslD",
    "ServiceFileName": "system32\\drivers\\wd\\KslD.sys",
    "ServiceType": "0x1",
    "ServiceStartType": "3",
    "ServiceAccount": "LocalSystem",
    "ClientProcessStartKey": "4222124650660656",
    "ClientProcessId": "4284",
    "ParentProcessId": "804"
  },
  "message": "A service was installed in the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nService Information:\r\n\tService Name: \t\tKslD\r\n\tService File Name:\tsystem32\\drivers\\wd\\KslD.sys\r\n\tService Type: \t\t0x1\r\n\tService Start Type:\t3\r\n\tService Account: \t\tLocalSystem"
}

Detection Patterns #

8 rules

Sigma

Mimikatz driver deployed via service (source)

mdecrevoisier

PSexec service installation (source)

mdecrevoisier

Encoded PowerShell payload deployed via service (source)

mdecrevoisier

Suspicious Service was Installed in the System (source)

Elastic

Elastic

Splunk

Service Installed (Windows Event Log) (source)

SimpleHelp Remote Access Tool Service Installation (Windows Event Log) (source)

Persistence: Windows Service

8 rules

Sigma

PSexec service installation (source)

mdecrevoisier

Mimikatz driver deployed via service (source)

mdecrevoisier

Encoded PowerShell payload deployed via service (source)

mdecrevoisier

Suspicious Service was Installed in the System (source)

Elastic

Elastic

Splunk

Service Installed (Windows Event Log) (source)

SimpleHelp Remote Access Tool Service Installation (Windows Event Log) (source)

Security-Auditing Event ID 4624: An account was successfully logged on.→Event ID 4697: A service was installed in the system.

2 rules

Elastic

Remote Windows Service Installed (source)

Elastic

Service Creation via Local Kerberos Authentication (source)

Elastic

Lateral Movement: Exploitation of Remote Services

1 rule

Kusto

Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`ServiceFileName`	contains	`cmd`	5 rules	sigma
`ServiceFileName`	contains	`powershell`	4 rules	sigma
`ServiceFileName`	contains	`&&`	3 rules	sigma
`ServiceFileName`	contains	`/c`	3 rules	sigma
`ServiceFileName`	contains	`%comspec%`	2 rules	sigma
`ServiceFileName`	contains	`-f`	2 rules	sigma
`ServiceFileName`	contains	`invoke`	2 rules	sigma
`ServiceFileName`	contains	`rundll32`	2 rules	sigma
`ServiceFileName`	contains	`shell32.dll`	2 rules	sigma
`ServiceFileName`	contains	`shellexec_rundll`	2 rules	sigma
`EventType`	eq	`service-installed`	3 rules	elastic
`EventType`	eq	`logged-in`	2 rules	elastic
`LogonType`	eq	`Network`	3 rules	elastic, kusto, sigma, splunk
`ClientProcessId`	eq	`0`	2 rules	elastic, sigma
`parent_process_id`	eq	`0`	2 rules	elastic, sigma

Detection Rules #

Security-Auditing Event ID 4698: A scheduled task was created.→Event ID 4699: A scheduled task was deleted.

Sigma # view in coverage

CobaltStrike Service Installations - Security source high: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
HybridConnectionManager Service Installation source high: Rule to detect the Hybrid Connection Manager service installation.
Invoke-Obfuscation CLIP+ Launcher - Security source high: Detects Obfuscated use of Clip.exe to execute PowerShell

Show 17 more (22 total)

Invoke-Obfuscation Obfuscated IEX Invocation - Security source high: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
Invoke-Obfuscation STDIN+ Launcher - Security source high: Detects Obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - Security source high: Detects Obfuscated use of Environment Variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - Security source medium: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation RUNDLL LAUNCHER - Security source medium: Detects Obfuscated Powershell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Stdin - Security source high: Detects Obfuscated Powershell via Stdin in Scripts
Invoke-Obfuscation Via Use Clip - Security source high: Detects Obfuscated Powershell via use Clip.exe in Scripts
Invoke-Obfuscation Via Use MSHTA - Security source high: Detects Obfuscated Powershell via use MSHTA in Scripts
Invoke-Obfuscation Via Use Rundll32 - Security source high: Detects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security source high: Detects Obfuscated Powershell via VAR++ LAUNCHER
Credential Dumping Tools Service Execution - Security source high: Detects well-known credential dumping tools execution via service execution events
Metasploit Or Impacket Service Installation Via SMB PsExec source high: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
Meterpreter or Cobalt Strike Getsystem Service Installation - Security source high: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
Windows Pcap Drivers source medium: Detects Windows Pcap driver installation based on a list of associated .sys files.
PowerShell Scripts Installed as Services - Security source high: Detects powershell script installed as a Service
Remote Access Tool Services Have Been Installed - Security source medium: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
Service Installed By Unusual Client - Security source high: Detects a service installed by a client which has PID 0 or whose parent has PID 0

Elastic # view in coverage

Windows Service Installed via an Unusual Client source high: Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.

YARA-L # view in coverage

Suspicious Windows Service Installation Detected source: This detection rule identifies the creation of a Windows service with a suspicious or known malicious name, as logged by Windows Event ID 7045 (A service was installed in the system). Threat actors, including those associated with ransomware and other advanced persistent threats (APTs), often create services to achieve persistence, lateral movement, remote execution, or privilege escalation. Detection of such activity is critical for identifying early-stage post-compromise behavior.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4697
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4697.yml
MS Learn winsvc.h SERVICE_* dwServiceType bitmask https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-createservicea

Event ID 4698: A scheduled task was created.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Other Object Access Events
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates every time a new scheduled task is created.

Message #

A scheduled task was created.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Task Information:
	Task Name: %5
	Task Content: %6

Fields #

Name	Description	Rules
`SubjectUserSid`	SID of the account that created the scheduled task.
`SubjectUserName`	Name of the account that created the scheduled task.
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`TaskName`	Name of the new scheduled task.	26 detection rules
`TaskContent`	The XML content of the new task.	64 detection rules
`ClientProcessStartKey`
`ClientProcessId`
`ParentProcessId`
`RpcCallClientLocality`
`FQDN`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4698,
    "version": 1,
    "level": 0,
    "task": 12804,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T06:01:41.4533033+00:00",
    "event_record_id": 1910118,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 8060
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-A$",
    "SubjectDomainName": "cell-a",
    "SubjectLogonId": "0x3e7",
    "TaskName": "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan",
    "TaskContent": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\n<Task version=\"1.3\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\n  <RegistrationInfo>\n    <Description>Periodic scan task.</Description>\n    <URI>\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan</URI>\n  </RegistrationInfo>\n  <Triggers>\n    <CalendarTrigger>\n      <StartBoundary>2000-01-01T03:11:06</StartBoundary>\n      <EndBoundary>2100-01-01T00:00:00</EndBoundary>\n      <Enabled>true</Enabled>\n      <ScheduleByDay>\n        <DaysInterval>1</DaysInterval>\n      </ScheduleByDay>\n    </CalendarTrigger>\n  </Triggers>\n  <Principals>\n    <Principal id=\"LocalSystem\">\n      <UserId>S-1-5-18</UserId>\n      <RunLevel>HighestAvailable</RunLevel>\n    </Principal>\n  </Principals>\n  <Settings>\n    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\n    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\n    <AllowHardTerminate>true</AllowHardTerminate>\n    <StartWhenAvailable>true</StartWhenAvailable>\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\n    <IdleSettings>\n      <Duration>PT0H1M0S</Duration>\n      <WaitTimeout>PT4H0M0S</WaitTimeout>\n      <StopOnIdleEnd>false</StopOnIdleEnd>\n      <RestartOnIdle>false</RestartOnIdle>\n    </IdleSettings>\n    <AllowStartOnDemand>true</AllowStartOnDemand>\n    <Enabled>true</Enabled>\n    <Hidden>false</Hidden>\n    <RunOnlyIfIdle>true</RunOnlyIfIdle>\n    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>\n    <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\n    <WakeToRun>false</WakeToRun>\n    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\n    <Priority>7</Priority>\n  </Settings>\n  <Actions Context=\"LocalSystem\">\n    <Exec>\n      <Command>C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26050.15-0\\MpCmdRun.exe</Command>\n      <Arguments>Scan -ScheduleJob -ScanTrigger 55 -IdleScheduledJob</Arguments>\n    </Exec>\n  </Actions>\n</Task>",
    "ClientProcessStartKey": "4222124650660656",
    "ClientProcessId": "4284",
    "ParentProcessId": "804",
    "RpcCallClientLocality": "0",
    "FQDN": "telemetry-DC-a.cell-a.ludus.domain"
  },
  "message": "A scheduled task was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTask Information:\r\n\tTask Name: \t\t\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan\r\n\tTask Content: \t\t<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.3\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo>\r\n    <Description>Periodic scan task.</Description>\r\n    <URI>\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan</URI>\r\n  </RegistrationInfo>\r\n  <Triggers>\r\n    <CalendarTrigger>\r\n      <StartBoundary>2000-01-01T03:11:06</StartBoundary>\r\n      <EndBoundary>2100-01-01T00:00:00</EndBoundary>\r\n      <Enabled>true</Enabled>\r\n      <ScheduleByDay>\r\n        <DaysInterval>1</DaysInterval>\r\n      </ScheduleByDay>\r\n    </CalendarTrigger>\r\n  </Triggers>\r\n  <Principals>\r\n    <Principal id=\"LocalSystem\">\r\n      <UserId>S-1-5-18</UserId>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>true</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <Duration>PT0H1M0S</Duration>\r\n      <WaitTimeout>PT4H0M0S</WaitTimeout>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>true</RunOnlyIfIdle>\r\n    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>\r\n    <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\r\n    <Priority>7</Priority>\r\n  </Settings>\r\n  <Actions Context=\"LocalSystem\">\r\n    <Exec>\r\n      <Command>C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26050.15-0\\MpCmdRun.exe</Command>\r\n      <Arguments>Scan -ScheduleJob -ScanTrigger 55 -IdleScheduledJob</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task>\r\n\r\nOther Information:\r\n\tProcessCreationTime: \t\t4222124650660656\r\n\tClientProcessId: \t\t\t4284\r\n\tParentProcessId: \t\t\t804\r\n\tFQDN: \t\t0\r\n\t"
}

Detection Patterns #

Scheduled Task

3 rules

Sigma

Scheduled task created and deleted fastly (ATexec.py) (source)

mdecrevoisier

Elastic

Elastic

Splunk

Security-Auditing Event ID 4698: A scheduled task was created.OREvent ID 4699: A scheduled task was deleted.

Mauricio Velazco, Splunk

Scheduled Task

3 rules

Sigma

Scheduled task created and deleted fastly (ATexec.py) (source)

mdecrevoisier

Elastic

Elastic

Splunk

Security-Auditing Event ID 4698: A scheduled task was created.OREvent ID 4700: A scheduled task was enabled.OREvent ID 4702: A scheduled task was updated.

Mauricio Velazco, Splunk

Scheduled Task With Suspicious

3 rules

Splunk

Windows Scheduled Task with Suspicious Command (source)

Steven Dick

Windows Scheduled Task with Suspicious Name (source)

Steven Dick

Rare Scheduled Task (Windows Event Log) (source)

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 4698: A scheduled task was created.

1 rule

Splunk

Scheduled Task with Potential SSH Tunnel - Windows (Windows Event Log) (source)

Lateral Movement: Exploitation of Remote Services

1 rule

Kusto

Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`scheduled-task-created`	3 rules	elastic
`TaskContent`	contains	`rundll32`	2 rules	sigma
`ClientProcessId`	eq	`0`	1 rule	elastic, sigma
`CommandLine`	is_not_null		1 rule	elastic, kusto, splunk
`CommandLine`	match	`(?i)\-(L\|R\|N\|D\|C)\|IdentitiesOnly=yes\|StrictHostKeyChecking=no\|ssh`	1 rule	splunk
`CommandLine`	match	`\d{1,5}:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}`	1 rule	splunk
`CommandLine`	match	`\w+@\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}`	1 rule	splunk
`RelativeTargetName`	eq	`atsvc`	1 rule	kusto, sigma
`RelativeTargetName`	eq	`svcctl`	1 rule	kusto, sigma
`TaskName`	eq	`\Microsoft\DefenderService`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\ATPUpd`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\Application Experience\StartupAppTaskCheck`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\Application Experience\StartupAppTaskCkeck`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\Data Integrity Scan\Data Integrity Update`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\DefenderUPDService`	1 rule	sigma

Community Notes #

May also indicate remote creation via relayed SMB/WinRM session, PS cmdlets, DCOM over RPC, WMI, others.

Detection Rules #

Security-Auditing Event ID 4698: A scheduled task was created.→Event ID 4699: A scheduled task was deleted.

Sigma # view in coverage

Suspicious Scheduled Task Creation source high: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
Fortinet APT group abuse on Windows (task) source high: Detects scenarios where APT actors exploits Fortinet vulnerabilities to gain access into Windows infrastructure.
OilRig APT Schedule Task Persistence - Security source critical: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Show 3 more (6 total)

Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor source high: Hunts for known SVR-specific scheduled task names↳ also matches Event ID 4699: A scheduled task was deleted., Event ID 4702: A scheduled task was updated.
Diamond Sleet APT Scheduled Task Creation source critical: Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
Kapeka Backdoor Scheduled Task Creation source high: Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.

Elastic # view in coverage

Remote Scheduled Task Creation via RPC source medium: Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.
A scheduled task was created source low: Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.

Splunk # view in coverage

Randomly Generated Scheduled Task Name source: The following analytic detects the creation of a Scheduled Task with a high entropy, randomly generated name, leveraging Event ID 4698. It uses the ut_shannon function from the URL ToolBox Splunk application to measure the entropy of the…
Schedule Task with HTTP Command Arguments source: The following analytic detects the creation of scheduled tasks on Windows systems that include HTTP command arguments, using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService with HTTP in their…
Schedule Task with Rundll32 Command Trigger source: The following analytic detects the creation of scheduled tasks in Windows that use the rundll32 command. It leverages Windows Security EventCode 4698, which logs the creation of scheduled tasks, and filters for tasks executed via rundll32.…

Show 8 more (11 total)

Windows Hidden Schedule Task Settings source: The following analytic detects the creation of hidden scheduled tasks on Windows systems, which are not visible in the UI. It leverages Windows Security EventCode 4698 to identify tasks where the 'Hidden' setting is enabled. This behavior…
Windows Level RMM Watchdog Task Created source: Detects the watchdog task created when Level is installed. Level is a commercial remote management tool from Level.io. Remote management tools, when used for legitimate purposes, can help IT professionals and system administrators remotely…
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr source: The following analytic detects the creation or modification of Windows Scheduled Tasks related to CompMgmtLauncher or Eventvwr. These legitimate system utilities, used for launching the Computer Management Console and Event Viewer, can be…
WinEvent Scheduled Task Created to Spawn Shell source: The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript. It leverages Windows Security EventCode 4698 to identify when such tasks are…
WinEvent Scheduled Task Created Within Public Path source: The following analytic detects the creation of scheduled tasks within user-writable paths using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService that execute commands from directories like…
Hidden Scheduled Task Created - Windows (Windows Event Log) source: A hidden scheduled task in Windows is a task configured to run specified actions silently without displaying any visible program windows or interfaces to the user. Threat actors may abuse this feature to persistently execute malicious…
Impacket atexec.py Scheduled Task Creation (Windows Event Log) source: Impacket's atexec.py is a tool designed for executing commands on a target system via the Windows Task Scheduler to run arbitrary commands with the privileges of the account under which the scheduler is running, often providing a method…
Rare Schedule Task Created (Windows Event Log) source: Schedule tasks are often a form of persistence utilized by threat actors. This use case looks for rare occurrences for when a task is created

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4698
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4698.yml

Event ID 4699: A scheduled task was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Other Object Access Events
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates every time a scheduled task was deleted.

Message #

A scheduled task was deleted.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Task Information:
	Task Name: %5
	Task Content: %6

Fields #

Name	Description	Rules
`SubjectUserSid`	SID of the account that deleted the scheduled task.
`SubjectUserName`	Name of the account that deleted the scheduled task.	1 detection rule
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`TaskName`	Name of the deleted scheduled task.	10 detection rules
`TaskContent`	The XML of the deleted task.
`ClientProcessStartKey`
`ClientProcessId`
`ParentProcessId`
`RpcCallClientLocality`
`FQDN`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4699,
    "version": 1,
    "level": 0,
    "task": 12804,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T13:56:25.0128261+00:00",
    "event_record_id": 1249001,
    "correlation": {
      "ActivityID": "{4CADC93F-FB3A-0001-A9C9-AD4C3AFBDC01}"
    },
    "execution": {
      "process_id": 760,
      "thread_id": 8388
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-D$",
    "SubjectDomainName": "cell-d",
    "SubjectLogonId": "0x3e7",
    "TaskName": "\\Microsoft\\Windows\\Server Manager\\RemovewYukon",
    "TaskContent": "",
    "ClientProcessStartKey": "2814749767107018",
    "ClientProcessId": "7364",
    "ParentProcessId": "2000",
    "RpcCallClientLocality": "0",
    "FQDN": "telemetry-DC-d.cell-d.ludus.domain"
  },
  "message": "A scheduled task was deleted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTask Information:\r\n\tTask Name: \t\t\\Microsoft\\Windows\\Server Manager\\RemovewYukon\r\n\tTask Content: \t\t\r\n\r\nOther Information:\r\n\tProcessCreationTime: \t\t2814749767107018\r\n\tClientProcessId: \t\t\t7364\r\n\tParentProcessId: \t\t\t2000\r\n\tFQDN: \t\t0\r\n\t"
}

Detection Patterns #

Scheduled Task

3 rules

Sigma

Scheduled task created and deleted fastly (ATexec.py) (source)

mdecrevoisier

Elastic

Elastic

Splunk

Security-Auditing Event ID 4698: A scheduled task was created.OREvent ID 4699: A scheduled task was deleted.

Mauricio Velazco, Splunk

Scheduled Task

3 rules

Sigma

Scheduled task created and deleted fastly (ATexec.py) (source)

mdecrevoisier

Elastic

Elastic

Splunk

Security-Auditing Event ID 4699: A scheduled task was deleted.OREvent ID 4701: A scheduled task was disabled.

Mauricio Velazco, Splunk

Execution: Scheduled Task

1 rule

Sigma

Important Scheduled Task Deleted/Disabled (source)

Nasreddine Bencherchali (Nextron Systems)

Lateral Movement: Exploitation of Remote Services

1 rule

Kusto

Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`scheduled-task-created`	1 rule	elastic
`RelativeTargetName`	eq	`atsvc`	1 rule	kusto, sigma
`RelativeTargetName`	eq	`svcctl`	1 rule	kusto, sigma
`TaskName`	contains	`\windows\bitlocker`	1 rule	sigma
`TaskName`	contains	`\windows\exploitguard`	1 rule	sigma
`TaskName`	contains	`\windows\systemrestore\sr`	1 rule	sigma
`TaskName`	contains	`\windows\windows defender\`	1 rule	sigma
`TaskName`	contains	`\windows\windowsbackup\`	1 rule	sigma
`TaskName`	contains	`\windows\windowsupdate\`	1 rule	sigma
`TaskName`	eq	`\Microsoft\DefenderService`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\ATPUpd`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\Application Experience\StartupAppTaskCheck`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\Application Experience\StartupAppTaskCkeck`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\Data Integrity Scan\Data Integrity Update`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\DefenderUPDService`	1 rule	sigma

Detection Rules #

Security-Auditing Event ID 4698: A scheduled task was created.OREvent ID 4700: A scheduled task was enabled.OREvent ID 4702: A scheduled task was updated.

Sigma # view in coverage

Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor source high: Hunts for known SVR-specific scheduled task names↳ also matches Event ID 4698: A scheduled task was created., Event ID 4702: A scheduled task was updated.
Scheduled Task Deletion source low: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4699
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4699.yml

Event ID 4700: A scheduled task was enabled.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Other Object Access Events
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates every time a scheduled task is enabled.

Message #

A scheduled task was enabled.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Task Information:
	Task Name: %5
	Task Content: %6

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested the "enable scheduled task" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "enable scheduled task" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`TaskName` UnicodeString	Name of the enabled scheduled task.
`TaskContent` UnicodeString	XML content of the enabled scheduled task.
`ClientProcessStartKey` UInt64	Creation time of the client process that made the request.
`ClientProcessId` UInt32	Process ID of the client process that made the request.
`ParentProcessId` UInt32	Parent process ID of the client process.
`RpcCallClientLocality` UInt32	RPC call locality indicator for the client.
`FQDN` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4700,
    "version": 1,
    "level": 0,
    "task": 12804,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-08T23:13:42.036906+00:00",
    "event_record_id": 1552683,
    "correlation": {
      "ActivityID": "0973643C-548D-4680-AA95-124DB4FF8472"
    },
    "execution": {
      "process_id": 780,
      "thread_id": 2440
    },
    "channel": "Security",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-20",
    "SubjectUserName": "LAB-WIN11$",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0x3e4",
    "TaskName": "\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTaskLogon",
    "TaskContent": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo>\r\n    <Version>1.0</Version>\r\n    <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFW;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-4)</SecurityDescriptor>\r\n    <Source>$(@%systemroot%\\system32\\sppc.dll,-200)</Source>\r\n    <Author>$(@%systemroot%\\system32\\sppc.dll,-200)</Author>\r\n    <Description>$(@%systemroot%\\system32\\sppc.dll,-202)</Description>\r\n    <URI>\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTaskLogon</URI>\r\n  </RegistrationInfo>\r\n  <Principals>\r\n    <Principal id=\"InteractiveUser\">\r\n      <GroupId>S-1-5-4</GroupId>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <AllowHardTerminate>false</AllowHardTerminate>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Hidden>true</Hidden>\r\n    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n    <RestartOnFailure>\r\n      <Count>3</Count>\r\n      <Interval>PT1M</Interval>\r\n    </RestartOnFailure>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>true</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\r\n  </Settings>\r\n  <Triggers>\r\n    <LogonTrigger />\r\n  </Triggers>\r\n  <Actions Context=\"InteractiveUser\">\r\n    <ComHandler>\r\n      <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>\r\n      <Data><![CDATA[logon]]></Data>\r\n    </ComHandler>\r\n  </Actions>\r\n</Task>",
    "ClientProcessStartKey": 1970324836977758,
    "ClientProcessId": 5592,
    "ParentProcessId": 204,
    "RpcCallClientLocality": 0,
    "FQDN": "LAB-WIN11.ludus.domain"
  },
  "message": ""
}

Detection Patterns #

Scheduled Task With Suspicious

3 rules

Splunk

Windows Scheduled Task with Suspicious Command (source)

Steven Dick

Windows Scheduled Task with Suspicious Name (source)

Steven Dick

Rare Scheduled Task (Windows Event Log) (source)

Lateral Movement: Exploitation of Remote Services

1 rule

Kusto

Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`CommandLine`	is_not_null		1 rule	elastic, kusto, splunk
`RelativeTargetName`	eq	`atsvc`	1 rule	kusto, sigma
`RelativeTargetName`	eq	`svcctl`	1 rule	kusto, sigma
`count`	eq	`1`	1 rule	splunk

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4700
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4700
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4700.yml

Event ID 4701: A scheduled task was disabled.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Other Object Access Events
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates every time a scheduled task is disabled.

Message #

A scheduled task was disabled.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Task Information:
	Task Name: %5
	Task Content: %6

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that requested the "disable scheduled task" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "disable scheduled task" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`TaskName` UnicodeString	Name of the disabled scheduled task.	1 detection rule
`TaskContent` UnicodeString	XML content of the disabled scheduled task.
`ClientProcessStartKey` UInt64	Creation time of the client process that made the request.
`ClientProcessId` UInt32	Process ID of the client process that made the request.
`ParentProcessId` UInt32	Parent process ID of the client process.
`RpcCallClientLocality` UInt32	RPC call locality indicator for the client.
`FQDN` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4701,
    "version": 1,
    "level": 0,
    "task": 12804,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-09T18:21:07.550543+00:00",
    "event_record_id": 1753741,
    "correlation": {
      "ActivityID": "B6034439-245E-4C44-9C16-887F1090313D"
    },
    "execution": {
      "process_id": 8,
      "thread_id": 6100
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "LAB-WIN11$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "TaskName": "\\Microsoft\\Windows\\EnterpriseMgmt\\69C01DBD-8068-44F9-9507-8A9DF76C127A\\Wsc Startup event listener created by enrollment client",
    "TaskContent": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.4\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo>\r\n    <SecurityDescriptor>D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;LS)</SecurityDescriptor>\r\n    <Author>Microsoft Corporation</Author>\r\n    <URI>\\Microsoft\\Windows\\EnterpriseMgmt\\69C01DBD-8068-44F9-9507-8A9DF76C127A\\Wsc Startup event listener created by enrollment client</URI>\r\n  </RegistrationInfo>\r\n  <Principals>\r\n    <Principal id=\"LocalSystem\">\r\n      <UserId>S-1-5-18</UserId>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <Enabled>false</Enabled>\r\n    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>\r\n    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>\r\n    <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\r\n  </Settings>\r\n  <Triggers>\r\n    <WnfStateChangeTrigger>\r\n      <StateName>7510BCA33A1D8541</StateName>\r\n    </WnfStateChangeTrigger>\r\n  </Triggers>\r\n  <Actions Context=\"LocalSystem\">\r\n    <Exec>\r\n      <Command>%windir%\\system32\\deviceenroller.exe</Command>\r\n      <Arguments>/s \"69C01DBD-8068-44F9-9507-8A9DF76C127A\" /c /WscStartupAlert</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task>",
    "ClientProcessStartKey": 3940649673950061,
    "ClientProcessId": 9152,
    "ParentProcessId": 840,
    "RpcCallClientLocality": 0,
    "FQDN": "LAB-WIN11"
  },
  "message": ""
}

Detection Patterns #

Execution: Scheduled Task

Security-Auditing Event ID 4699: A scheduled task was deleted.OREvent ID 4701: A scheduled task was disabled.

1 rule

Sigma

Important Scheduled Task Deleted/Disabled (source)

Nasreddine Bencherchali (Nextron Systems)

Lateral Movement: Exploitation of Remote Services

1 rule

Kusto

Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`RelativeTargetName`	eq	`atsvc`	1 rule	kusto, sigma
`RelativeTargetName`	eq	`svcctl`	1 rule	kusto, sigma
`TaskName`	contains	`\windows\bitlocker`	1 rule	sigma
`TaskName`	contains	`\windows\exploitguard`	1 rule	sigma
`TaskName`	contains	`\windows\systemrestore\sr`	1 rule	sigma
`TaskName`	contains	`\windows\windows defender\`	1 rule	sigma
`TaskName`	contains	`\windows\windowsbackup\`	1 rule	sigma
`TaskName`	contains	`\windows\windowsupdate\`	1 rule	sigma

Detection Rules #

Security-Auditing Event ID 4698: A scheduled task was created.OREvent ID 4700: A scheduled task was enabled.OREvent ID 4702: A scheduled task was updated.

Sigma # view in coverage

Defrag Deactivation - Security source medium: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4701
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4701.yml

Event ID 4702: A scheduled task was updated.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Other Object Access Events
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time scheduled task was updated/changed.

Message #

A scheduled task was updated.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Task Information:
	Task Name: %5
	Task New Content: %6

Fields #

Name	Description	Rules
`SubjectUserSid`	SID of the account that updated the scheduled task.
`SubjectUserName`	Name of the account that updated the scheduled task.
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`TaskName`	Name of the updated scheduled task.
`TaskContentNew`	The new XML for the updated task.	32 detection rules
`ClientProcessStartKey`
`ClientProcessId`
`ParentProcessId`
`RpcCallClientLocality`
`FQDN`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4702,
    "version": 1,
    "level": 0,
    "task": 12804,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T13:52:57.3167039+00:00",
    "event_record_id": 2141356,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 968
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-20",
    "SubjectUserName": "TELEMETRY-DC-A$",
    "SubjectDomainName": "cell-a",
    "SubjectLogonId": "0x3e4",
    "TaskName": "\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask",
    "TaskContentNew": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\n<Task version=\"1.6\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\n  <RegistrationInfo>\n    <Source>$(@%systemroot%\\system32\\sppc.dll,-200)</Source>\n    <Author>$(@%systemroot%\\system32\\sppc.dll,-200)</Author>\n    <Version>1.0</Version>\n    <Description>$(@%systemroot%\\system32\\sppc.dll,-201)</Description>\n    <URI>\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask</URI>\n    <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor>\n  </RegistrationInfo>\n  <Triggers>\n    <CalendarTrigger>\n      <StartBoundary>2026-06-14T05:38:57Z</StartBoundary>\n      <Enabled>true</Enabled>\n      <ScheduleByDay>\n        <DaysInterval>1</DaysInterval>\n      </ScheduleByDay>\n    </CalendarTrigger>\n  </Triggers>\n  <Principals>\n    <Principal id=\"NetworkService\">\n      <UserId>S-1-5-20</UserId>\n      <RunLevel>LeastPrivilege</RunLevel>\n    </Principal>\n  </Principals>\n  <Settings>\n    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\n    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>\n    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>\n    <AllowHardTerminate>false</AllowHardTerminate>\n    <StartWhenAvailable>true</StartWhenAvailable>\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\n    <IdleSettings>\n      <StopOnIdleEnd>true</StopOnIdleEnd>\n      <RestartOnIdle>false</RestartOnIdle>\n    </IdleSettings>\n    <AllowStartOnDemand>true</AllowStartOnDemand>\n    <Enabled>true</Enabled>\n    <Hidden>true</Hidden>\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\n    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>\n    <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\n    <WakeToRun>false</WakeToRun>\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\n    <Priority>7</Priority>\n    <RestartOnFailure>\n      <Interval>PT1M</Interval>\n      <Count>3</Count>\n    </RestartOnFailure>\n  </Settings>\n  <Actions Context=\"NetworkService\">\n    <ComHandler>\n      <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>\n      <Data><![CDATA[timer]]></Data>\n    </ComHandler>\n  </Actions>\n</Task>",
    "ClientProcessStartKey": "4222124650661718",
    "ClientProcessId": "1888",
    "ParentProcessId": "804",
    "RpcCallClientLocality": "0",
    "FQDN": "telemetry-DC-a.cell-a.ludus.domain"
  },
  "message": "A scheduled task was updated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-20\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E4\r\n\r\nTask Information:\r\n\tTask Name: \t\t\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask\r\n\tTask New Content: \t\t<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.6\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo>\r\n    <Source>$(@%systemroot%\\system32\\sppc.dll,-200)</Source>\r\n    <Author>$(@%systemroot%\\system32\\sppc.dll,-200)</Author>\r\n    <Version>1.0</Version>\r\n    <Description>$(@%systemroot%\\system32\\sppc.dll,-201)</Description>\r\n    <URI>\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask</URI>\r\n    <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor>\r\n  </RegistrationInfo>\r\n  <Triggers>\r\n    <CalendarTrigger>\r\n      <StartBoundary>2026-06-14T05:38:57Z</StartBoundary>\r\n      <Enabled>true</Enabled>\r\n      <ScheduleByDay>\r\n        <DaysInterval>1</DaysInterval>\r\n      </ScheduleByDay>\r\n    </CalendarTrigger>\r\n  </Triggers>\r\n  <Principals>\r\n    <Principal id=\"NetworkService\">\r\n      <UserId>S-1-5-20</UserId>\r\n      <RunLevel>LeastPrivilege</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>false</AllowHardTerminate>\r\n    <StartWhenAvailable>true</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>true</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>true</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>\r\n    <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>7</Priority>\r\n    <RestartOnFailure>\r\n      <Interval>PT1M</Interval>\r\n      <Count>3</Count>\r\n    </RestartOnFailure>\r\n  </Settings>\r\n  <Actions Context=\"NetworkService\">\r\n    <ComHandler>\r\n      <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId>\r\n      <Data><![CDATA[timer]]></Data>\r\n    </ComHandler>\r\n  </Actions>\r\n</Task>\r\n\r\nOther Information:\r\n\tProcessCreationTime: \t\t4222124650661718\r\n\tClientProcessId: \t\t\t1888\r\n\tParentProcessId: \t\t\t804\r\n\tFQDN: \t\t0\r\n\t"
}

Detection Patterns #

Scheduled Task With Suspicious

3 rules

Splunk

Windows Scheduled Task with Suspicious Command (source)

Steven Dick

Windows Scheduled Task with Suspicious Name (source)

Steven Dick

Rare Scheduled Task (Windows Event Log) (source)

Lateral Movement: Exploitation of Remote Services

1 rule

Kusto

Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`CommandLine`	is_not_null		1 rule	elastic, kusto, splunk
`TaskName`	eq	`\Microsoft\DefenderService`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\ATPUpd`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\Application Experience\StartupAppTaskCheck`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\Application Experience\StartupAppTaskCkeck`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\Data Integrity Scan\Data Integrity Update`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\DefenderUPDService`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\IISUpdateService`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\Speech\SpeechModelInstallTask`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\WiMSDFS`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\Windows Defender\Defender Update Service`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\Windows Defender\Service Update`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\Windows Error Reporting\CheckReporting`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\Windows Error Reporting\SubmitReporting`	1 rule	sigma
`TaskName`	eq	`\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart`	1 rule	sigma

Community Notes #

May indicate path or trigger edits.

Detection Rules #

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4688: A new process has been created.OREvent ID 4703: A user right was adjusted.

Sigma # view in coverage

Suspicious Scheduled Task Update source high: Detects update to a scheduled task event that contain suspicious keywords.
Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor source high: Hunts for known SVR-specific scheduled task names↳ also matches Event ID 4698: A scheduled task was created., Event ID 4699: A scheduled task was deleted.

Elastic # view in coverage

Unusual Scheduled Task Update source low: Identifies first-time modifications to scheduled tasks by user accounts, excluding system activity and machine accounts.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4702
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4702.yml

Event ID 4703: A user right was adjusted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Detailed Tracking → Token Right Adjusted Events
Collection Priority: Recommended (mdecrevoisier, others)
Opcode: Info

Description

A token right was adjusted.

Message #

A token right was adjusted.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Target Account:
	Security ID: %5
	Account Name: %6
	Account Domain: %7
	Logon ID: %8

Process Information:
	Process ID: %10
	Process Name: %9

Enabled Privileges:
			%11

Disabled Privileges:
			%12

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that requested the "enable" or "disable" operation for Target Account privileges.
`SubjectUserName` UnicodeString	The name of the account that requested the "enable" or "disable" operation for Target Account privileges.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`TargetUserSid` SID	SID of account for which privileges were enabled or disabled.
`TargetUserName` UnicodeString	The name of the account for which privileges were enabled or disabled.
`TargetDomainName` UnicodeString	Subject's domain or computer name.
`TargetLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`ProcessName` UnicodeString	Full path and the name of the executable for the process.	5 detection rules
`ProcessId` Pointer	Hexadecimal Process ID of the process that enabled or disabled token privileges.
`EnabledPrivilegeList` UnicodeString	The list of enabled user rights. Privilege constants reference	2 detection rules
`DisabledPrivilegeList` UnicodeString	The list of disabled user rights. Privilege constants reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4703,
    "version": 0,
    "level": 0,
    "task": 13317,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:53.1401365+00:00",
    "event_record_id": 3213669,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4672
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-C$",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x3e7",
    "TargetUserSid": "S-1-0-0",
    "TargetUserName": "TELEMETRY-DC-C$",
    "TargetDomainName": "cell-c",
    "TargetLogonId": "0x3e7",
    "ProcessName": "C:\\Windows\\System32\\svchost.exe",
    "ProcessId": "0xf1c",
    "EnabledPrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeSystemtimePrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeShutdownPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeUndockPrivilege\n\t\t\tSeManageVolumePrivilege",
    "DisabledPrivilegeList": "-"
  },
  "message": "A token right was adjusted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0xf1c\r\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe\r\n\r\nEnabled Privileges:\r\n\t\t\tSeAssignPrimaryTokenPrivilege\r\n\t\t\tSeIncreaseQuotaPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeSystemtimePrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeShutdownPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeUndockPrivilege\r\n\t\t\tSeManageVolumePrivilege\r\n\r\nDisabled Privileges:\r\n\t\t\t-"
}

Detection Patterns #

Credential Access: LSASS Memory

1 rule

Splunk

Common LSASS Memory Dump Behavior (Windows Event Log) (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`event_count`	lt	`5`	1 rule	splunk
`signature_id`	contains	`4656`	1 rule	splunk

Community Notes #

Generated when token privileges are changed (tracks rights like SeDebugPrivilege, SeLoadDriverPrivilege).

Detection Rules #

Security-Auditing Event ID 4704: A user right was assigned.OREvent ID 4717: System security access was granted to an account.

Elastic # view in coverage

SeDebugPrivilege Enabled by a Suspicious Process source medium: Identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege. Adversaries may enable this privilege to debug and modify other processes, typically reserved for system-level tasks, to escalate privileges and bypass access controls.

Splunk # view in coverage

Windows Access Token Manipulation SeDebugPrivilege source: The following analytic detects a process enabling the "SeDebugPrivilege" privilege token. It leverages Windows Security Event Logs with EventCode 4703, filtering out common legitimate processes. This activity is significant because…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-token-right-adjusted
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4703
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4703.yml

Event ID 4704: A user right was assigned.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Authorization Policy Change
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

This event generates every time local user right policy is changed and user right was assigned to an account.

Message #

A user right was assigned.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Target Account:
	Account Name: %5

New Right:
	User Right: %6

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that made a change to local user right policy.
`SubjectUserName` UnicodeString	The name of the account that made a change to local user right policy.	1 detection rule
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`TargetSid` SID	The SID of security principal for which user rights were assigned.
`PrivilegeList` UnicodeString	The list of assigned user rights. Privilege constants reference	1 detection rule

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4704,
    "version": 0,
    "level": 0,
    "task": 13570,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T13:35:55.2201193+00:00",
    "event_record_id": 3189915,
    "correlation": {
      "ActivityID": "{AA583517-FAF4-0001-8535-58AAF4FADC01}"
    },
    "execution": {
      "process_id": 896,
      "thread_id": 7952
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-C$",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x3e7",
    "TargetSid": "S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415",
    "PrivilegeList": "SeAuditPrivilege"
  },
  "message": "A user right was assigned.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTarget Account:\r\n\tAccount Name:\t\tS-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\r\n\r\nNew Right:\r\n\tUser Right:\t\tSeAuditPrivilege"
}

Detection Patterns #

Stealth: Access Token Manipulation

1 rule

Sigma

New rights granted to an account for privilege escalation (source)

mdecrevoisier

Community Notes #

Tracks changes to token privileges.

Detection Rules #

Sigma # view in coverage

Enabled User Right in AD to Control User Objects source high: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.

Elastic # view in coverage

Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal source high: Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a security principal. This right enables computer and user accounts to be trusted for delegation. Attackers can abuse it to compromise Active Directory accounts and elevate their privileges.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4704
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4704
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4704.yml

Event ID 4705: A user right was removed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Authorization Policy Change
Collection Priority: Recommended (ASD, others)
Opcode: Info

Description

This event generates every time local user right policy is changed and user right was removed from an account.

Message #

A user right was removed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Target Account:
	Account Name: %5

Removed Right:
	User Right: %6

Fields #

Name	Description
`SubjectUserSid`	SID of account that made a change to local user right policy.
`SubjectUserName`	The name of the account that made a change to local user right policy.
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`TargetSid`	The SID of security principal for which user rights were removed.
`PrivilegeList`	The list of removed user rights.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4705,
    "version": 0,
    "level": 0,
    "task": 13570,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2020-07-12T20:23:39.973927Z",
    "event_record_id": 1239002,
    "correlation": {},
    "execution": {
      "process_id": 464,
      "thread_id": 2980
    },
    "channel": "Security",
    "computer": "fs02.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
    "SubjectUserName": "admmig",
    "SubjectDomainName": "OFFSEC",
    "SubjectLogonId": "0x202dac8",
    "TargetSid": "S-1-5-21-4230534742-2542757381-3142984815-1158",
    "PrivilegeList": "SeCreateTokenPrivilege"
  }
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4705
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4705
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4705.yml

Event ID 4706: A new trust was created to a domain.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Authentication Policy Change
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

This event generates when a new trust was created to a domain.

Message #

A new trust was created to a domain.

Subject:
	Security ID: %3
	Account Name: %4
	Account Domain: %5
	Logon ID: %6

Trusted Domain:
	Domain Name: %1
	Domain ID: %2

Trust Information:
	Trust Type: %7
	Trust Direction: %8
	Trust Attributes: %9
	SID Filtering: %10

Fields #

Name	Description
`DomainName`	The name of new trusted domain.
`DomainSid`	SID of new trusted domain.
`SubjectUserSid`	SID of account that requested the "create domain trust" operation.
`SubjectUserName`	The name of the account that requested the "create domain trust" operation.
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`TdoType`	The type of new trust. Known values `1` TRUST_TYPE_DOWNLEVEL - trusted domain controller runs an OS earlier than Windows 2000 `2` TRUST_TYPE_UPLEVEL - trusted domain controller runs Windows 2000 or later `3` TRUST_TYPE_MIT - non-Windows RFC 4120-compliant Kerberos distribution (no SID required for TDO) `4` TRUST_TYPE_DCE - DCE realm (historical; not used in modern Windows)
`TdoDirection`	The direction of new trust. Known values `0` TRUST_DIRECTION_DISABLED - trust relationship exists but has been disabled `1` TRUST_DIRECTION_INBOUND - trusted domain trusts the primary domain for name lookups and authentication `2` TRUST_DIRECTION_OUTBOUND - primary domain trusts the trusted domain for name lookups and authentication `3` TRUST_DIRECTION_BIDIRECTIONAL - both domains trust one another for name lookups and authentication
`TdoAttributes`	The decimal value of attributes for new trust.
`SidFilteringEnabled`	SID Filtering state for the new trust.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4706,
    "version": 0,
    "level": 0,
    "task": 13569,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2024-06-22T14:02:41.639162Z",
    "event_record_id": 3175612,
    "correlation": {},
    "execution": {
      "process_id": 596,
      "thread_id": 11064
    },
    "channel": "Security",
    "computer": "CDCWTRDC01.mypartner.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DomainName": "rootblue.lan",
    "DomainSid": "S-1-5-21-392370121-190461309-2151315433",
    "SubjectUserSid": "S-1-5-21-1407145384-2259788832-4099636412-500",
    "SubjectUserName": "Administrator",
    "SubjectDomainName": "MYPARTNER",
    "SubjectLogonId": "0xffad8559",
    "TdoType": 2,
    "TdoDirection": 3,
    "TdoAttributes": 8,
    "SidFilteringEnabled": "%%1796"
  }
}

Detection Rules #

Security-Auditing Event ID 4704: A user right was assigned.OREvent ID 4717: System security access was granted to an account.

Sigma # view in coverage

A New Trust Was Created To A Domain source medium: Addition of domains is seldom and should be verified for legitimacy.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4706
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4706.yml

Event ID 4707: A trust to a domain was removed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Authentication Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates when a domain trust was removed.

Message #

A trust to a domain was removed.

Subject:
	Security ID: %3
	Account Name: %4
	Account Domain: %5
	Logon ID: %6

Domain Information:
	Domain Name: %1
	Domain ID: %2

Fields #

Name	Description
`DomainName` UnicodeString	[Domain Information] Domain Name.
`DomainSid` SID	[Domain Information] Domain ID.
`SubjectUserSid` SID	SID of account that requested the "remove domain trust" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "remove domain trust" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4707
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4707
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4707.yml

Event ID 4709: The IPsec Policy Agent service was started.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

The IPsec Policy Agent service was started.

Message #

The IPsec Policy Agent service was started.

%1

Policy Source: %2

%3

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString	Policy Source
`param3` UnicodeString

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4709
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4709

Event ID 4710: The IPsec Policy Agent service was disabled.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

The IPsec Policy Agent service was disabled.

Message #

The IPsec Policy Agent service was disabled.

%1
%2

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4710
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4710

Event ID 4711: param1

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

param1

Message #

%1

Fields #

Name	Description
`param1` UnicodeString

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4711
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4711

Event ID 4712: IPsec Policy Agent encountered a potentially serious failure.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent encountered a potentially serious failure.

Message #

IPsec Policy Agent encountered a potentially serious failure.
%1

Fields #

Name	Description
`param1` UnicodeString

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4712
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4712

Event ID 4713: Kerberos policy was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Authentication Policy Change
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

This event generates when Kerberos policy was changed.

Message #

Kerberos policy was changed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Changes Made:
('--' means no changes, otherwise each change is shown as:
(Parameter Name):	(new value) (old value))
%5

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that made a change to Kerberos policy.
`SubjectUserName` UnicodeString	The name of the account that made a change to Kerberos policy.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`KerberosPolicyChange` UnicodeString	'--' means no changes, otherwise each change is shown as: Parameter_Name: new_value (old_value).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4713,
    "version": 0,
    "level": 0,
    "task": 13569,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:28:27.466929+00:00",
    "event_record_id": 16696941,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 11540
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "LAB-DC01$",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0x3e7",
    "KerberosPolicyChange": "KerMaxT: 0x430e234000 (0x53d1ac1000);  KerLogoff: 0x7ffdce8d4d08 (0x1);  "
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4713
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4713
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4713.yml

Event ID 4714: Data Recovery Agent group policy for Encrypting File System (EFS) has changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Other Policy Change Events
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

Data Recovery Agent group policy for Encrypting File System (EFS) has changed. The new changes have been applied.

Message #

Data Recovery Agent group policy for Encrypting File System (EFS) has changed. The new changes have been applied.

Fields #

Name	Description
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).
`EfsPolicyChange` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
    "event_source_name": "",
    "event_id": 4714,
    "version": 0,
    "level": 0,
    "task": 13573,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:18:12.649403+00:00",
    "event_record_id": 16250501,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 7468
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4714
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4714

Event ID 4715: The audit policy (SACL) on an object was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Audit Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time local audit policy security descriptor changes.

Message #

The audit policy (SACL) on an object was changed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Audit Policy Change:
	Original Security Descriptor: %5
	New Security Descriptor: %6

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested the "change local audit policy security descriptor (SACL)" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "change local audit policy security descriptor (SACL)" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`OldSd` UnicodeString	The old Security Descriptor Definition Language (SDDL) value for the audit policy.
`NewSd` UnicodeString	New Security Descriptor Definition Language (SDDL) value for the audit policy.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4715
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4715.yml

Event ID 4716: Trusted domain information was modified.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Authentication Policy Change
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

Trusted domain information was modified.

Message #

Trusted domain information was modified.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Trusted Domain:
	Domain Name: %5
	Domain ID: %6

New Trust Information:
	Trust Type: %7
	Trust Direction: %8
	Trust Attributes: %9
	SID Filtering: %10

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested the "modify domain trust settings" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "modify domain trust settings" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`DomainName` UnicodeString	The name of changed trusted domain. If this attribute was not changed, then it will have "-" value.
`DomainSid` SID	The name of changed trusted domain. If this attribute was not changed, then it will have "-" value.
`TdoType` UInt32	The type of new trust. If this attribute was not changed, then it will have "-" value or its old value. Known values `1` TRUST_TYPE_DOWNLEVEL - trusted domain controller runs an OS earlier than Windows 2000 `2` TRUST_TYPE_UPLEVEL - trusted domain controller runs Windows 2000 or later `3` TRUST_TYPE_MIT - non-Windows RFC 4120-compliant Kerberos distribution (no SID required for TDO) `4` TRUST_TYPE_DCE - DCE realm (historical; not used in modern Windows)
`TdoDirection` UInt32	The direction of new trust. If this attribute was not changed, then it will have "-" value or its old value. Known values `0` TRUST_DIRECTION_DISABLED - trust relationship exists but has been disabled `1` TRUST_DIRECTION_INBOUND - trusted domain trusts the primary domain for name lookups and authentication `2` TRUST_DIRECTION_OUTBOUND - primary domain trusts the trusted domain for name lookups and authentication `3` TRUST_DIRECTION_BIDIRECTIONAL - both domains trust one another for name lookups and authentication
`TdoAttributes` UInt32	[New Trust Information] Trust Attributes.
`SidFilteringEnabled` UnicodeString	[New Trust Information] SID Filtering.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4716
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4716
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4716.yml

Event ID 4717: System security access was granted to an account.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Authentication Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time local logon user right policy is changed and logon right was granted to an account. You will see unique event for every user if logon user rights were granted to multiple accounts.

Message #

System security access was granted to an account.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Account Modified:
	Account Name: %5

Access Granted:
	Access Right: %6

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that made a change to local logon right user policy.
`SubjectUserName` UnicodeString	The name of the account that made a change to local logon right user policy.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`TargetSid` SID	The SID of the security principal for which logon right was granted.
`AccessGranted` UnicodeString	The name of granted logon right.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4717,
    "version": 0,
    "level": 0,
    "task": 13569,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T13:35:55.2159844+00:00",
    "event_record_id": 3189912,
    "correlation": {
      "ActivityID": "{AA583517-FAF4-0001-8535-58AAF4FADC01}"
    },
    "execution": {
      "process_id": 896,
      "thread_id": 7952
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-C$",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x3e7",
    "TargetSid": "S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415",
    "AccessGranted": "SeServiceLogonRight"
  },
  "message": "System security access was granted to an account.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nAccount Modified:\r\n\tAccount Name:\t\tS-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\r\n\r\nAccess Granted:\r\n\tAccess Right:\t\tSeServiceLogonRight"
}

Detection Patterns #

Stealth: Access Token Manipulation

1 rule

Sigma

New rights granted to an account for privilege escalation (source)

mdecrevoisier

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4717
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4717
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4717.yml

Event ID 4718: System security access was removed from an account.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Authentication Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time local logon user right policy is changed and logon right was removed from an account. You will see unique event for every user if logon user rights were removed for multiple accounts.

Message #

System security access was removed from an account.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Account Modified:
	Account Name: %5

Access Removed:
	Access Right: %6

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that made a change to local logon right user policy.
`SubjectUserName` UnicodeString	The name of the account that made a change to local logon right user policy.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`TargetSid` SID	The SID of the security principal for which logon right was removed.
`AccessRemoved` UnicodeString	The name of removed logon right.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4718,
    "version": 0,
    "level": 0,
    "task": 13569,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2022-04-07T16:44:47.045997+00:00",
    "event_record_id": 89,
    "correlation": {
      "ActivityID": "C1DC836A-4A9E-0000-8485-DCC19E4AD801"
    },
    "execution": {
      "process_id": 648,
      "thread_id": 700
    },
    "channel": "Security",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "MINWINPC$",
    "SubjectDomainName": "",
    "SubjectLogonId": "0x3e7",
    "TargetSid": "S-1-5-90-0",
    "AccessRemoved": "SeInteractiveLogonRight"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4718
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4718
Example event sourced from https://github.com/NextronSystems/evtx-baseline
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4718.yml

Event ID 4719: System audit policy was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Audit Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates when the computer's audit policy changes.

Message #

System audit policy was changed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Audit Policy Change:
	Category: %5
	Subcategory: %6
	Subcategory GUID: %7
	Changes: %8

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that made a change to local audit policy.
`SubjectUserName` UnicodeString	He name of the account that made a change to local audit policy.	1 detection rule
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`CategoryId` UnicodeString	The name of auditing Category which subcategory was changed. Known values `%%8272` System `%%8273` Logon/Logoff `%%8274` Object Access `%%8275` Privilege Use `%%8276` Detailed Tracking `%%8277` Policy Change `%%8278` Account Management `%%8279` DS Access `%%8280` Account Logon
`SubcategoryId` UnicodeString	The name of auditing Subcategory which was changed. Known values `%%12288` Security State Change `%%12289` Security System Extension `%%12290` System Integrity `%%12291` IPsec Driver `%%12292` Other System Events `%%12544` Logon `%%12545` Logoff `%%12546` Account Lockout `%%12547` IPsec Main Mode `%%12548` Special Logon `%%12549` IPsec Quick Mode `%%12550` IPsec Extended Mode `%%12551` Other Logon/Logoff Events `%%12552` Network Policy Server `%%12553` User / Device Claims `%%12554` Group Membership `%%12800` File System `%%12801` Registry `%%12802` Kernel Object `%%12803` SAM `%%12804` Other Object Access Events `%%12805` Certification Services `%%12806` Application Generated `%%12807` Handle Manipulation `%%12808` File Share `%%12809` Filtering Platform Packet Drop `%%12810` Filtering Platform Connection `%%12811` Detailed File Share `%%12812` Removable Storage `%%12813` Central Policy Staging `%%13056` Sensitive Privilege Use `%%13057` Non Sensitive Privilege Use `%%13058` Other Privilege Use Events `%%13312` Process Creation `%%13313` Process Termination `%%13314` DPAPI Activity `%%13315` RPC Events `%%13316` Plug and Play Events `%%13317` Token Right Adjusted Events `%%13568` Audit Policy Change `%%13569` Authentication Policy Change `%%13570` Authorization Policy Change `%%13571` MPSSVC Rule-Level Policy Change `%%13572` Filtering Platform Policy Change `%%13573` Other Policy Change Events `%%13824` User Account Management `%%13825` Computer Account Management `%%13826` Security Group Management `%%13827` Distribution Group Management `%%13828` Application Group Management `%%13829` Other Account Management Events `%%14080` Directory Service Access `%%14081` Directory Service Changes `%%14082` Directory Service Replication `%%14083` Detailed Directory Service Replication `%%14336` Credential Validation `%%14337` Kerberos Service Ticket Operations `%%14338` Other Account Logon Events `%%14339` Kerberos Authentication Service
`SubcategoryGuid` GUID	The unique subcategory GUID. Known values `%%12288` Security State Change `%%12289` Security System Extension `%%12290` System Integrity `%%12291` IPsec Driver `%%12292` Other System Events `%%12544` Logon `%%12545` Logoff `%%12546` Account Lockout `%%12547` IPsec Main Mode `%%12548` Special Logon `%%12549` IPsec Quick Mode `%%12550` IPsec Extended Mode `%%12551` Other Logon/Logoff Events `%%12552` Network Policy Server `%%12553` User / Device Claims `%%12554` Group Membership `%%12800` File System `%%12801` Registry `%%12802` Kernel Object `%%12803` SAM `%%12804` Other Object Access Events `%%12805` Certification Services `%%12806` Application Generated `%%12807` Handle Manipulation `%%12808` File Share `%%12809` Filtering Platform Packet Drop `%%12810` Filtering Platform Connection `%%12811` Detailed File Share `%%12812` Removable Storage `%%12813` Central Policy Staging `%%13056` Sensitive Privilege Use `%%13057` Non Sensitive Privilege Use `%%13058` Other Privilege Use Events `%%13312` Process Creation `%%13313` Process Termination `%%13314` DPAPI Activity `%%13315` RPC Events `%%13316` Plug and Play Events `%%13317` Token Right Adjusted Events `%%13568` Audit Policy Change `%%13569` Authentication Policy Change `%%13570` Authorization Policy Change `%%13571` MPSSVC Rule-Level Policy Change `%%13572` Filtering Platform Policy Change `%%13573` Other Policy Change Events `%%13824` User Account Management `%%13825` Computer Account Management `%%13826` Security Group Management `%%13827` Distribution Group Management `%%13828` Application Group Management `%%13829` Other Account Management Events `%%14080` Directory Service Access `%%14081` Directory Service Changes `%%14082` Directory Service Replication `%%14083` Detailed Directory Service Replication `%%14336` Credential Validation `%%14337` Kerberos Service Ticket Operations `%%14338` Other Account Logon Events `%%14339` Kerberos Authentication Service `0CCE923B-69AE-11D9-BED3-505054503030` Resolved-GUID alias for %%14080 (Directory Service Access subcategory; ntsecapi.h Audit_DSAccess_DSAccess = 0x0cce923b; matches the SubcategoryId %%14080 carried by the catalog sample for event 4719)	30 detection rules
`AuditPolicyChanges` UnicodeString	Changes which were made for "Subcategory" Known values `%%8448` Success removed `%%8449` Success Added `%%8450` Failure removed `%%8451` Failure added `%%8452` Success include removed `%%8453` Success include added `%%8454` Success exclude removed `%%8455` Success exclude added `%%8456` Failure include removed `%%8457` Failure include added `%%8458` Failure exclude removed `%%8459` Failure exclude added	13 detection rules
`ClientProcessId` UInt32
`ClientProcessStartKey` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4719,
    "version": 0,
    "level": 0,
    "task": 13568,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:18:24.9057236+00:00",
    "event_record_id": 2172904,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 7776
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "cell-a",
    "SubjectLogonId": "0x333bffe",
    "CategoryId": "%%8279",
    "SubcategoryId": "%%14083",
    "SubcategoryGuid": "{0cce923e-69ae-11d9-bed3-505054503030}",
    "AuditPolicyChanges": "%%8449, %%8451"
  },
  "message": "System audit policy was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x333BFFE\r\n\r\nAudit Policy Change:\r\n\tCategory:\t\tDS Access\r\n\tSubcategory:\t\tDetailed Directory Service Replication\r\n\tSubcategory GUID:\t{0cce923e-69ae-11d9-bed3-505054503030}\r\n\tChanges:\t\tSuccess Added, Failure added"
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`AuditPolicyChanges`	contains	`%%8448`	3 rules	sigma
`AuditPolicyChanges`	contains	`%%8450`	3 rules	sigma
`AuditPolicyChanges`	in	`%%8448`	2 rules	splunk
`AuditPolicyChanges`	in	`%%8448, %%8450`	2 rules	splunk
`AuditPolicyChanges`	in	`%%8450`	2 rules	splunk
`Changes`	in	`Failure removed`	2 rules	splunk
`Changes`	in	`Success removed`	2 rules	splunk
`Changes`	in	`Success removed, Failure removed`	2 rules	splunk
`SubCategory`	in	`User Account Management`	1 rule	elastic, kusto

Community Notes #

System audit policy changed. Attackers often disable auditing to reduce detection.

Detection Rules #

Security-Auditing Event ID 4720: A user account was created.OREvent ID 4722: A user account was enabled.OREvent ID 4723: An attempt was made to change an account's password.OREvent ID 4724: An attempt was made to reset an account's password.OREvent ID 4725: A user account was disabled.OREvent ID 4726: A user account was deleted.OREvent ID 4728: A member was added to a security-enabled global group.OREvent ID 4732: A member was added to a security-enabled local group.OREvent ID 4733: A member was removed from a security-enabled local group.OREvent ID 4738: A user account was changed.OREvent ID 4743: A computer account was deleted.OREvent ID 4780: The ACL was set on accounts which are members of administrators groups.

Sigma # view in coverage

Windows Event Auditing Disabled source low: Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.
Important Windows Event Auditing Disabled source high: Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
Audit policy disabled by command line source high: Detects scenarios where an attacker attempts disbaled the audit policy for defense evasion purposes.

Elastic # view in coverage

Sensitive Audit Policy Sub-Category Disabled source medium: Identifies attempts to disable auditing for some security sensitive audit policy sub-categories. This is often done by attackers in an attempt to evade detection and forensics on a system.

Splunk # view in coverage

Windows AD Domain Controller Audit Policy Disabled source: The following analytic detects the disabling of audit policies on a domain controller. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is…
Windows Important Audit Policy Disabled source: The following analytic detects the disabling of important audit policies. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is significant as it…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4719
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4719.yml
Win32 ntsecapi.h audit-subcategory GUID DEFINE_GUID block https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/

Event ID 4720: A user account was created.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates every time a new user object is created. This event generates on domain controllers, member servers, and workstations.

Message #

A user account was created.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

New Account:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Attributes:
	SAM Account Name: %9
	Display Name: %10
	User Principal Name: %11
	Home Directory: %12
	Home Drive: %13
	Script Path: %14
	Profile Path: %15
	User Workstations: %16
	Password Last Set: %17
	Account Expires: %18
	Primary Group ID: %19
	Allowed To Delegate To: %20
	Old UAC Value: %21
	New UAC Value: %22
	User Account Control: %23
	User Parameters: %24
	SID History: %25
	Logon Hours: %26

Additional Information:
	Privileges		%8

Fields #

Name	Description	Rules
`TargetUserName` UnicodeString	The name of the user account that was created.	9 detection rules
`TargetDomainName` UnicodeString	Domain name of created user account.
`TargetSid` SID	SID of created user account.	2 detection rules
`SubjectUserSid` SID	SID of account that requested the "create user account" operation.	1 detection rule
`SubjectUserName` UnicodeString	The name of the account that requested the "create user account" operation.	1 detection rule
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`SamAccountName` UnicodeString	Pre-Windows 2000 logon name of the new account (sAMAccountName attribute).	3 detection rules
`DisplayName` UnicodeString	Display name of the new account (displayName attribute).
`UserPrincipalName` UnicodeString	User Principal Name of the new account (e.g., user@domain.com). "-" for local accounts.
`HomeDirectory` UnicodeString	Home directory path (homeDirectory attribute). Must be a UNC path if HomePath is set. "-" if not configured.
`HomePath` UnicodeString	Drive letter mapped to the home directory (homeDrive attribute), e.g., "H:". "-" if not configured.
`ScriptPath` UnicodeString	Logon script path (scriptPath attribute). "-" if not configured.
`ProfilePath` UnicodeString	Profile path (profilePath attribute). "-" if not configured.
`UserWorkstations` UnicodeString	Comma-separated list of workstations the account can log on from (userWorkstations attribute). "-" if unrestricted.
`PasswordLastSet` UnicodeString	Time the account's password was last set (pwdLastSet attribute).
`AccountExpires` UnicodeString	Date when the account expires (accountExpires attribute). Empty if not set.
`PrimaryGroupId` UnicodeString	RID of the account's primary group. 513 (Domain Users) for typical user accounts.
`AllowedToDelegateTo` UnicodeString	SPNs to which this account can present delegated Kerberos credentials (AllowedToDelegateTo attribute). "-" for most accounts.
`OldUacValue` UnicodeString	Previous userAccountControl value. Always "0x0" for newly created accounts. UAC flags reference
`NewUacValue` UnicodeString	New userAccountControl value applied to the account. UAC flags reference
`UserAccountControl` UnicodeString	Human-readable list of userAccountControl attribute changes applied during creation.
`UserParameters` UnicodeString	Opaque Dial-in settings blob. Shows \<value changed, but not displayed> in Event ID 4738 when any Dial-in tab setting is modified. "-" if not configured.
`SidHistory` UnicodeString	Previous SIDs if the account was migrated from another domain (sIDHistory attribute). Usually "-" for new accounts.
`LogonHours` UnicodeString	Permitted logon hours (logonHours attribute). Typically "\\" for new manually created accounts; "All" for local accounts.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4720,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-28T00:51:32.2049172+00:00",
    "event_record_id": 6330,
    "correlation": {},
    "execution": {
      "process_id": 680,
      "thread_id": 3716
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "domainadmin",
    "TargetDomainName": "cell-d",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1000",
    "SubjectUserName": "localuser",
    "SubjectDomainName": "cell-d",
    "SubjectLogonId": "0xa30bd",
    "PrivilegeList": "-",
    "SamAccountName": "domainadmin",
    "DisplayName": "-",
    "UserPrincipalName": "-",
    "HomeDirectory": "-",
    "HomePath": "-",
    "ScriptPath": "-",
    "ProfilePath": "-",
    "UserWorkstations": "-",
    "PasswordLastSet": "%%1794",
    "AccountExpires": "%%1794",
    "PrimaryGroupId": "513",
    "AllowedToDelegateTo": "-",
    "OldUacValue": "0x0",
    "NewUacValue": "0x211",
    "UserAccountControl": "\n\t\t%%2080\n\t\t%%2084\n\t\t%%2089",
    "UserParameters": "-",
    "SidHistory": "-",
    "LogonHours": "%%1793"
  },
  "message": "A user account was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1000\r\n\tAccount Name:\t\tlocaluser\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0xA30BD\r\n\r\nNew Account:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-d\r\n\r\nAttributes:\r\n\tSAM Account Name:\tdomainadmin\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t<never>\r\n\tAccount Expires:\t\t<never>\r\n\tPrimary Group ID:\t513\r\n\tAllowed To Delegate To:\t-\r\n\tOld UAC Value:\t\t0x0\r\n\tNew UAC Value:\t\t0x211\r\n\tUser Account Control:\t\r\n\t\tAccount Disabled\r\n\t\t'Normal Account' - Enabled\r\n\t\t'Don't Expire Password' - Enabled\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t<value not set>\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-"
}

Detection Patterns #

7 rules

Sigma

Hidden account creation (with fast deletion) (source)

mdecrevoisier

Elastic

Windows Increase in User Modification Activity (source)

Elastic

Splunk

Dean Luxton

Create_Add Local_Domain User (Windows Event Log) (source)

Kusto

User account created and deleted within 10 mins (source)

Microsoft Security Research

New user created and added to the built-in administrators group (source)

Microsoft Security Research

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 4720: A user account was created.OREvent ID 4732: A member was added to a security-enabled local group.

Persistence: Account Manipulation

5 rules

Splunk

Create_Add Local_Domain User (Windows Event Log) (source)

Windows Increase in User Modification Activity (source)

Dean Luxton

New user created and added to the built-in administrators group (source)

David Dorsey, Splunk

Kusto

Microsoft Security Research

Security-Auditing Event ID 4720: A user account was created.OREvent ID 4726: A user account was deleted.

4 rules

Sigma

Hidden account creation (with fast deletion) (source)

mdecrevoisier

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Short Lived Windows Accounts (source)

David Dorsey, Bhavin Patel, Splunk

Kusto

User account created and deleted within 10 mins (source)

Microsoft Security Research

Security-Auditing Event ID 4720: A user account was created.OREvent ID 4732: A member was added to a security-enabled local group.

4 rules

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Create_Add Local_Domain User (Windows Event Log) (source)

Kusto

New user created and added to the built-in administrators group (source)

Microsoft Security Research

Security-Auditing Event ID 4720: A user account was created.OREvent ID 4732: A member was added to a security-enabled local group.OREvent ID 4738: A user account was changed.

Persistence: Account Manipulation

4 rules

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Create_Add Local_Domain User (Windows Event Log) (source)

Kusto

New user created and added to the built-in administrators group (source)

Microsoft Security Research

Security-Auditing Event ID 4720: A user account was created.OREvent ID 4781: The name of an account was changed.

Show All Detection Patterns

User Account

2 rules

Sigma

User account creation disguised in a computer account (source)

mdecrevoisier

New or Renamed User Account with '$' Character (source)

Ilyas Ochkov, oscd.community

Persistence: Additional Local or Domain Groups

Security-Auditing Event ID 4720: A user account was created.OREvent ID 4723: An attempt was made to change an account's password.

2 rules

Elastic

Windows Increase in User Modification Activity (source)

Elastic

Splunk

Dean Luxton

Persistence: Local Account

Security-Auditing Event ID 4720: A user account was created.ANDEvent ID 4732: A member was added to a security-enabled local group.

2 rules

Splunk

Create_Add Local_Domain User (Windows Event Log) (source)

David Dorsey, Splunk

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TargetUserName`	ends_with	`$`	3 rules	kusto, sigma
`AccountType`	eq	`User`	2 rules	kusto
`All_Changes.result_id`	eq	`4720`	2 rules	splunk
`CommandLine`	match	`(?i)(\-u)\|(user)\|(localgroup)\|(group)`	1 rule	splunk
`CommandLine`	match	`(?i).add`	1 rule	splunk
`NewTargetUserName`	ends_with	`$`	1 rule	sigma
`SubjectUserName`	ends_with	`$`	1 rule	sigma
`SubjectUserSid`	starts_with	`S-1-5-21-`	1 rule	sigma
`TargetSid`	eq	`S-1-5-32-544`	1 rule	kusto, sigma
`TimeDelta`	ge	`0`	1 rule	kusto
`event.type`	in	`change`	1 rule	elastic
`event.type`	in	`creation`	1 rule	elastic
`process_name`	is_not_null		1 rule	elastic, panther
`signature_id`	match	`(?i)4720`	1 rule	splunk
`user_group`	match	`(?i)(users)\|(administrators)\|(remote)`	1 rule	splunk

Detection Rules #

Windows Increase in User Modification Activity (source)

Sigma # view in coverage

Hidden Local User Creation source high: Detects the creation of a local hidden user account which should not happen for event ID 4720.
Suspicious Windows ANONYMOUS LOGON Local Account Created source high: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
Local User Creation source low: Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.

Show 2 more (5 total)

User account created by a computer account source high: Detects scenarios where an attacker would abuse some privileges while realying host credentials to escalate privileges.
Fortinet APT group abuse on Windows (user) source high: Detects scenarios where APT actors exploits Fortinet vulnerabilities to gain access into Windows infrastructure.

Splunk # view in coverage

Windows Create Local Account source: The following analytic detects the creation of a new local user account on a Windows system. It leverages Windows Security Audit logs, specifically event ID 4720, to identify this activity. Monitoring the creation of local accounts is…

Kusto # view in coverage

Fake computer account created source medium: This query detects domain user accounts creation (event ID 4720) where the username ends with $. Accounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.

YARA-L # view in coverage

Windows Short Term Account Use source: Detects the creation, login, and deletion of a user account over a predefined timeframe↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials., Event ID 4726: A user account was deleted.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720
Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/evtx-4720-account-created.md
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4720.yml

Event ID 4722: A user account was enabled.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates every time user or computer object is enabled.

Message #

A user account was enabled.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Target Account:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Fields #

Name	Description	Rules
`TargetUserName` UnicodeString	The name of the account that was enabled.	5 detection rules
`TargetDomainName` UnicodeString	Target account's domain or computer name.
`TargetSid` SID	SID of account that was enabled.
`SubjectUserSid` SID	SID of account that requested the "enable account" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "enable account" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4722,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-28T00:58:03.3603916+00:00",
    "event_record_id": 6613,
    "correlation": {},
    "execution": {
      "process_id": 680,
      "thread_id": 2500
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "TELEMETRY-W11-D$",
    "TargetDomainName": "cell-d",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1106",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "cell-d",
    "SubjectLogonId": "0x27dc13"
  },
  "message": "A user account was enabled.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x27DC13\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1106\r\n\tAccount Name:\t\tTELEMETRY-W11-D$\r\n\tAccount Domain:\t\tcell-d"
}

Detection Patterns #

3 rules

Splunk

Dean Luxton

Kusto

User account enabled and disabled within 10 mins (source)

Microsoft Security Research

AD user enabled and password not set within 48 hours (source)

Security-Auditing Event ID 4722: A user account was enabled.OREvent ID 4725: A user account was disabled.

2 rules

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Kusto

User account enabled and disabled within 10 mins (source)

Microsoft Security Research

Persistence: Account Manipulation

Security-Auditing Event ID 4722: A user account was enabled.OREvent ID 4723: An attempt was made to change an account's password.

2 rules

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Kusto

AD user enabled and password not set within 48 hours (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TimeDelta`	ge	`0`	1 rule	kusto

Detection Rules #

Sigma # view in coverage

Disabled guest or builtin account activated source medium: Detects scenarios where an attacker enables a disabled builtin account.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4722
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4722.yml

Event ID 4723: An attempt was made to change an account's password.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

An attempt was made to change an account's password.

Message #

An attempt was made to change an account's password.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Target Account:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Additional Information:
	Privileges		%8

Fields #

Name	Description	Rules
`TargetUserName`	The name of the account for which the password change was requested.
`TargetDomainName`	Target account's domain or computer name.
`TargetSid`	SID of account for which the password change was requested.	1 detection rule
`SubjectUserSid`	SID of account that made an attempt to change Target's Account password.	1 detection rule
`SubjectUserName`	The name of the account that made an attempt to change Target's Account password.
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList`	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-".

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4723,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2021-12-04T22:47:47.872773Z",
    "event_record_id": 233289145,
    "correlation": {
      "#attributes": {
        "ActivityID": "D96638DA-E4F9-0001-F038-66D9F9E4D701"
      }
    },
    "execution": {
      "process_id": 596,
      "thread_id": 3492
    },
    "channel": "Security",
    "computer": "rootdc1.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "hacker2",
    "TargetDomainName": "OFFSEC",
    "TargetSid": "S-1-5-21-4230534742-2542757381-3142984815-1242",
    "SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
    "SubjectUserName": "admmig",
    "SubjectDomainName": "OFFSEC",
    "SubjectLogonId": "0x10e7c4430",
    "PrivilegeList": "-"
  }
}

Detection Patterns #

4 rules

Elastic

Windows Increase in User Modification Activity (source)

Elastic

Splunk

Dean Luxton

PingID New MFA Method After Credential Reset (source)

Kusto

AD user enabled and password not set within 48 hours (source)

Password Reset

Security-Auditing Event ID 4723: An attempt was made to change an account's password.OREvent ID 4724: An attempt was made to reset an account's password.

2 rules

Sigma

Bruteforce via password reset (source)

mdecrevoisier

Kusto

Multiple Password Reset by user (source)

Microsoft Security Research

Persistence: Additional Local or Domain Groups

Security-Auditing Event ID 4720: A user account was created.OREvent ID 4723: An attempt was made to change an account's password.

2 rules

Elastic

Windows Increase in User Modification Activity (source)

Elastic

Splunk

Dean Luxton

Security-Auditing Event ID 4723: An attempt was made to change an account's password.ANDEvent ID 4724: An attempt was made to reset an account's password.

2 rules

Splunk

PingID New MFA Method After Credential Reset (source)

Windows Increase in User Modification Activity (source)

Dean Luxton

Persistence: Account Manipulation

Security-Auditing Event ID 4722: A user account was enabled.OREvent ID 4723: An attempt was made to change an account's password.

2 rules

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Kusto

AD user enabled and password not set within 48 hours (source)

Show All Detection Patterns

Security-Auditing Event ID 4723: An attempt was made to change an account's password.OREvent ID 4738: A user account was changed.

1 rule

Splunk

Rubeus Password Change (Windows Event Log) (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Result`	eq	`success`	1 rule	kusto
`SubjectUserSid`	starts_with	`S-1-5-21-`	1 rule	sigma
`TargetSid`	starts_with	`S-1-5-21-`	1 rule	sigma
`Total`	gt	`5`	1 rule	kusto
`event.type`	in	`change`	1 rule	elastic
`event.type`	in	`creation`	1 rule	elastic
`process_name`	is_not_null		1 rule	elastic, panther

Detection Rules #

Security-Auditing Event ID 4723: An attempt was made to change an account's password.OREvent ID 4724: An attempt was made to reset an account's password.

Sigma # view in coverage

User password change using current hash password - ChangeNTLM (Mimikatz) source high: Detects scenarios where an attacker resets a user account by using the compromised NTLM password hash. The newly clear text password defined by the attacker can be then used in order to login into services like Outlook Web Access (OWA), RDP, SharePoint... As ID 4723 refers to user changing is own password, the SubjectSid and TargetSid should be equal. However in a change initiated by Mimikatz, they will be different. Correlate the event ID 4723, 4624 and 5145 using the "SubjectLogonId" field to identify the source of the reset.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4723
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4723
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4723.yml

Event ID 4724: An attempt was made to reset an account's password.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates every time an account attempted to reset the password for another account.

Message #

An attempt was made to reset an account's password.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Target Account:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Fields #

Name	Description	Rules
`TargetUserName` UnicodeString	The name of the account for which password reset was requested.	1 detection rule
`TargetDomainName` UnicodeString	Target account's domain or computer name.
`TargetSid` SID	SID of account for which password reset was requested.	1 detection rule
`SubjectUserSid` SID	SID of account that made an attempt to reset Target's Account password.
`SubjectUserName` UnicodeString	The name of the account that made an attempt to reset Target's Account password.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4724,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-28T00:51:32.6147700+00:00",
    "event_record_id": 1404479,
    "correlation": {},
    "execution": {
      "process_id": 808,
      "thread_id": 3064
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "domainadmin",
    "TargetDomainName": "cell-a",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1000",
    "SubjectUserName": "localuser",
    "SubjectDomainName": "cell-a",
    "SubjectLogonId": "0x1a69fef"
  },
  "message": "An attempt was made to reset an account's password.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1000\r\n\tAccount Name:\t\tlocaluser\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x1A69FEF\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-a"
}

Detection Patterns #

Password Reset

2 rules

Sigma

Bruteforce via password reset (source)

mdecrevoisier

Kusto

Multiple Password Reset by user (source)

Microsoft Security Research

Security-Auditing Event ID 4624: An account was successfully logged on.→Event ID 4724: An attempt was made to reset an account's password.

2 rules

Sigma

User password change without previous password known - SetNTLM (Mimikatz) (source)

mdecrevoisier

Elastic

Windows Increase in User Modification Activity (source)

Elastic

2 rules

Splunk

Dean Luxton

PingID New MFA Method After Credential Reset (source)

Security-Auditing Event ID 4723: An attempt was made to change an account's password.ANDEvent ID 4724: An attempt was made to reset an account's password.

2 rules

Splunk

PingID New MFA Method After Credential Reset (source)

Windows Increase in User Modification Activity (source)

Dean Luxton

Persistence: Account Manipulation

2 rules

Sigma

User password change without previous password known - SetNTLM (Mimikatz) (source)

mdecrevoisier

Elastic

Security-Auditing Event ID 4724: An attempt was made to reset an account's password.OREvent ID 4742: A computer account was changed.

Elastic

Show All Detection Patterns

Lateral Movement: Exploitation of Remote Services

1 rule

Sigma

Remote domain controller password reset (Zerologon) (source)

mdecrevoisier

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`AuthenticationPackageName`	eq	`NTLM`	1 rule	elastic, kusto, sigma, splunk
`Computer`	eq	`%domain_controllers%`	1 rule	sigma
`EventType`	eq	`logged-in`	1 rule	elastic
`LogonType`	eq	`Network`	1 rule	elastic, kusto, sigma, splunk
`RelativeTargetName`	eq	`samr`	1 rule	sigma
`Result`	eq	`success`	1 rule	kusto
`ShareName`	wildcard	`\\*\IPC$`	1 rule	sigma
`SubjectUserSid`	starts_with	`S-1-5-21-`	1 rule	sigma
`TargetSid`	starts_with	`S-1-5-21-`	1 rule	sigma
`TargetUserName`	ends_with	`$`	1 rule	kusto, sigma
`Total`	gt	`5`	1 rule	kusto
`status`	eq	`success`	1 rule	sigma, splunk
`unique_users`	gt	`5`	1 rule	splunk

Detection Rules #

Security-Auditing Event ID 4722: A user account was enabled.OREvent ID 4725: A user account was disabled.

Sigma # view in coverage

Suspicious Kerberos password account reset to issue potential Golden ticket source medium: Detects scenarios where a suspicious password reset of the Krbtgt account is performed by attacker to issue a potential Golden ticket.

Splunk # view in coverage

Windows Multiple Account Passwords Changed source: The following analytic detects instances where more than five unique Windows account passwords are changed within a 10-minute interval. It leverages Event Code 4724 from the Windows Security Event Log, using the wineventlog_security…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4724
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4724.yml

Event ID 4725: A user account was disabled.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates every time user or computer object is disabled.

Message #

A user account was disabled.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Target Account:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the account that was disabled.
`TargetDomainName` UnicodeString	Target account's domain or computer name.
`TargetSid` SID	SID of account that was disabled.
`SubjectUserSid` SID	SID of account that requested the "disable account" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "disable account" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4725,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-10-25T22:53:19.612560+00:00",
    "event_record_id": 2634,
    "correlation": {
      "ActivityID": "D5BBEBF4-0795-0001-A8EC-BBD59507DA01"
    },
    "execution": {
      "process_id": 824,
      "thread_id": 880
    },
    "channel": "Security",
    "computer": "WinDevEval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "Administrator",
    "TargetDomainName": "WINDEVEVAL",
    "TargetSid": "S-1-5-21-2533829718-189860685-2477588761-500",
    "SubjectUserSid": "S-1-5-21-2533829718-189860685-2477588761-500",
    "SubjectUserName": "Administrator",
    "SubjectDomainName": "WINDEVEVAL",
    "SubjectLogonId": "0x42eea"
  },
  "message": ""
}

Detection Patterns #

2 rules

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Kusto

User account enabled and disabled within 10 mins (source)

Microsoft Security Research

2 rules

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Kusto

User account enabled and disabled within 10 mins (source)

Microsoft Security Research

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TimeDelta`	ge	`0`	1 rule	kusto
`status`	eq	`success`	1 rule	sigma, splunk
`unique_users`	gt	`5`	1 rule	splunk

Detection Rules #

Security-Auditing Event ID 4720: A user account was created.OREvent ID 4726: A user account was deleted.

Splunk # view in coverage

Windows Multiple Accounts Disabled source: The following analytic identifies instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. It leverages the wineventlog_security…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4725
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4725
Example event sourced from https://github.com/NextronSystems/evtx-baseline
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4725.yml

Event ID 4726: A user account was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates every time user object was deleted. This event generates on domain controllers, member servers, and workstations.

Message #

A user account was deleted.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Target Account:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Additional Information:
	Privileges	%8

Fields #

Name	Description
`TargetUserName`	The name of the account that was deleted.
`TargetDomainName`	Target account's domain or computer name.
`TargetSid`	SID of account that was deleted.
`SubjectUserSid`	SID of account that requested the "delete user account" operation.
`SubjectUserName`	The name of the account that requested the "delete user account" operation.
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList`	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-".

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4726,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2022-01-24T17:03:25.009874Z",
    "event_record_id": 1934526,
    "correlation": {},
    "execution": {
      "process_id": 480,
      "thread_id": 1496
    },
    "channel": "Security",
    "computer": "fs03vuln.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "3teamssixf$",
    "TargetDomainName": "FS03VULN",
    "TargetSid": "S-1-5-21-2721507831-1374043488-2540227515-1008",
    "SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
    "SubjectUserName": "admmig",
    "SubjectDomainName": "OFFSEC",
    "SubjectLogonId": "0x14f509e2",
    "PrivilegeList": "-"
  }
}

Detection Patterns #

4 rules

Sigma

Hidden account creation (with fast deletion) (source)

mdecrevoisier

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Short Lived Windows Accounts (source)

David Dorsey, Bhavin Patel, Splunk

Kusto

User account created and deleted within 10 mins (source)

Microsoft Security Research

3 rules

Sigma

Hidden account creation (with fast deletion) (source)

mdecrevoisier

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Kusto

User account created and deleted within 10 mins (source)

Microsoft Security Research

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`All_Changes.result_id`	eq	`4720`	1 rule	splunk
`TimeDelta`	ge	`0`	1 rule	kusto
`status`	eq	`success`	1 rule	sigma, splunk
`unique_users`	gt	`5`	1 rule	splunk

Detection Rules #

Security-Auditing Event ID 4727: A security-enabled global group was created.OREvent ID 4728: A member was added to a security-enabled global group.OREvent ID 4731: A security-enabled local group was created.OREvent ID 4732: A member was added to a security-enabled local group.OREvent ID 4754: A security-enabled universal group was created.OREvent ID 4756: A member was added to a security-enabled universal group.

Splunk # view in coverage

Windows Multiple Accounts Deleted source: The following analytic detects the deletion of more than five unique Windows accounts within a 10-minute period, using Event Code 4726 from the Windows Security Event Log. It leverages the wineventlog_security dataset, segmenting data…

YARA-L # view in coverage

Windows Short Term Account Use source: Detects the creation, login, and deletion of a user account over a predefined timeframe↳ also matches Event ID 4624: An account was successfully logged on., Event ID 4625: An account failed to log on., Event ID 4648: A logon was attempted using explicit credentials., Event ID 4720: A user account was created.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4726
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4726.yml

Event ID 4727: A security-enabled global group was created.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Security Group Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Event 4727 is the same as 4731, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4727(S) generates only for domain groups, so the Local sections in event 4731 do not apply.

Message #

A security-enabled global group was created.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

New Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Attributes:
	SAM Account Name: %9
	SID History: %10

Additional Information:
	Privileges: %8

Fields #

Name	Description	Rules
`TargetUserName` UnicodeString	The name of the group that was created.	23 detection rules
`TargetDomainName` UnicodeString	Domain or computer name of the created group.
`TargetSid` SID	[New Group] Security ID.
`SubjectUserSid` SID	SID of account that requested the "create group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "create group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`SamAccountName` UnicodeString	This is a name of new group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName attribute of new group object. For example: ServiceDesk. For local groups it is simply a name of new group.
`SidHistory` UnicodeString	Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the value of sIDHistory attribute of new group object. This parameter might not be captured in the event, and in that case appears as "-". For local groups it is not applicable and always has "-" value.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4727,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2022-04-07T16:44:41.241410+00:00",
    "event_record_id": 51,
    "correlation": {
      "ActivityID": "C1DC836A-4A9E-0000-8485-DCC19E4AD801"
    },
    "execution": {
      "process_id": 648,
      "thread_id": 652
    },
    "channel": "Security",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "Storage Replica Administrators",
    "TargetDomainName": "Builtin",
    "TargetSid": "S-1-5-32-582",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "MINWINPC$",
    "SubjectDomainName": "",
    "SubjectLogonId": "0x3e7",
    "PrivilegeList": "-",
    "SamAccountName": "Storage Replica Administrators",
    "SidHistory": "-"
  },
  "message": ""
}

Detection Patterns #

2 rules

Splunk

Windows Increase in Group or Object Modification Activity (source)

Dean Luxton

Kusto

Group created then added to built in domain local or global group (source)

Microsoft Security Research

2 rules

Splunk

Windows Increase in Group or Object Modification Activity (source)

Dean Luxton

Kusto

Group created then added to built in domain local or global group (source)

Microsoft Security Research

Persistence: Domain Account

Security-Auditing Event ID 4727: A security-enabled global group was created.OREvent ID 4730: A security-enabled global group was deleted.OREvent ID 4737: A security-enabled global group was changed.

1 rule

Splunk

Windows ESX Admins Group Creation Security Event (source)

Michael Haag, Splunk

Persistence: Domain Account

Security-Auditing Event ID 4727: A security-enabled global group was created.OREvent ID 4731: A security-enabled local group was created.OREvent ID 4744: A security-disabled local group was created.OREvent ID 4749: A security-disabled global group was created.OREvent ID 4754: A security-enabled universal group was created.OREvent ID 4756: A member was added to a security-enabled universal group.OREvent ID 4759: A security-disabled universal group was created.OREvent ID 4783: A basic application group was created.OREvent ID 4790: An LDAP query group was created.

1 rule

Splunk

Brandon Sternfield, Optiv + ClearShark

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`AccountType`	eq	`User`	1 rule	kusto
`TargetSid`	regex_match	`S-1-5-21-[0-9]-[0-9]-[0-9]-5[0-9][0-9]$\|S-1-5-21-[0-9]-[0-9]-[0-9]-1102$\|S-1-5-21-[0-9]-[0-9]-[0-9]-1103$\|S-1-5-21-[0-9]-[0-9]-[0-9]-498$\|S-1-5-21-[0-9]-[0-9]-[0-9]*-1000$`	1 rule	kusto
`TargetSid`	regex_match	`S-1-5-32-5[0-9][0-9]$`	1 rule	kusto

Detection Rules #

Security-Auditing Event ID 4728: A member was added to a security-enabled global group.OREvent ID 4732: A member was added to a security-enabled local group.OREvent ID 4756: A member was added to a security-enabled universal group.

Sigma # view in coverage

Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity source high: Detects any creation or modification to a windows domain group with the name "ESX Admins". This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.↳ also matches Event ID 4728: A member was added to a security-enabled global group., Event ID 4731: A security-enabled local group was created., Event ID 4737: A security-enabled global group was changed., Event ID 4754: A security-enabled universal group was created., Event ID 4755: A security-enabled universal group was changed., Event ID 4756: A member was added to a security-enabled universal group.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4727
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4727
Example event sourced from https://github.com/NextronSystems/evtx-baseline
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4727.yml

Event ID 4728: A member was added to a security-enabled global group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Security Group Management
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

Event 4728 is the same as 4732, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4728(S) generates only for domain groups, so the Local sections in event 4732 do not apply.

Message #

A member was added to a security-enabled global group.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Member:
	Security ID: %2
	Account Name: %1

Group:
	Security ID: %5
	Group Name: %3
	Group Domain: %4

Additional Information:
	Privileges: %10

Fields #

Name	Description	Rules
`MemberName` UnicodeString	Distinguished name (DN) of the account added to the group. "-" for local groups even when the member is a domain account.	2 detection rules
`MemberSid` SID	SID of account that was added to the group.
`TargetUserName` UnicodeString	The name of the group to which new member was added.	43 detection rules
`TargetDomainName` UnicodeString	Domain or computer name of the group to which the new member was added.
`TargetSid` SID	SID of the group to which new member was added.	11 detection rules
`SubjectUserSid` SID	SID of account that requested the "add member to the group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "add member to the group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`MembershipExpirationTime`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4728,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-28T00:51:32.6079798+00:00",
    "event_record_id": 6344,
    "correlation": {},
    "execution": {
      "process_id": 680,
      "thread_id": 3716
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "MemberName": "CN=domainadmin,CN=Users,DC=cell-d,DC=ludus,DC=domain",
    "MemberSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "TargetUserName": "Group Policy Creator Owners",
    "TargetDomainName": "cell-d",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-520",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1000",
    "SubjectUserName": "localuser",
    "SubjectDomainName": "cell-d",
    "SubjectLogonId": "0xa30bd",
    "PrivilegeList": "-"
  },
  "message": "A member was added to a security-enabled global group.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1000\r\n\tAccount Name:\t\tlocaluser\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0xA30BD\r\n\r\nMember:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tCN=domainadmin,CN=Users,DC=cell-d,DC=ludus,DC=domain\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-520\r\n\tGroup Name:\t\tGroup Policy Creator Owners\r\n\tGroup Domain:\t\tcell-d\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}

Detection Patterns #

15 rules

Sigma

High risk Active Directory group membership change (source)

mdecrevoisier

Medium risk Active Directory group membership change (source)

mdecrevoisier

Show 7 more (10 total) on the rules page

mdecrevoisier

Elastic

User Added to Privileged Group in Active Directory (source)

Elastic, Skoetting

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Kusto

Group created then added to built in domain local or global group (source)

Microsoft Security Research

Account added and removed from privileged groups (source)

Microsoft Security Research

User account added to built in domain local or global group (source)

Microsoft Security Research

14 rules

Sigma

High risk Active Directory group membership change (source)

mdecrevoisier

Medium risk Active Directory group membership change (source)

mdecrevoisier

mdecrevoisier

User Added to Privileged Group in Active Directory (source)

Elastic

Elastic, Skoetting

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Kusto

Group created then added to built in domain local or global group (source)

Microsoft Security Research

Account added and removed from privileged groups (source)

Microsoft Security Research

User account added to built in domain local or global group (source)

Microsoft Security Research

Security-Auditing Event ID 4728: A member was added to a security-enabled global group.OREvent ID 4729: A member was removed from a security-enabled global group.OREvent ID 4732: A member was added to a security-enabled local group.OREvent ID 4733: A member was removed from a security-enabled local group.OREvent ID 4756: A member was added to a security-enabled universal group.OREvent ID 4757: A member was removed from a security-enabled universal group.

14 rules

Sigma

High risk Active Directory group membership change (source)

mdecrevoisier

Medium risk Active Directory group membership change (source)

mdecrevoisier

mdecrevoisier

User Added to Privileged Group in Active Directory (source)

Elastic

Elastic, Skoetting

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Kusto

Group created then added to built in domain local or global group (source)

Microsoft Security Research

Account added and removed from privileged groups (source)

Microsoft Security Research

User account added to built in domain local or global group (source)

Microsoft Security Research

Persistence: Account Manipulation

Security-Auditing Event ID 4728: A member was added to a security-enabled global group.OREvent ID 4756: A member was added to a security-enabled universal group.

13 rules

Sigma

High risk Active Directory group membership change (source)

mdecrevoisier

Medium risk Active Directory group membership change (source)

mdecrevoisier

mdecrevoisier

User Added to Privileged Group in Active Directory (source)

Elastic

Elastic, Skoetting

Kusto

Group created then added to built in domain local or global group (source)

Microsoft Security Research

Account added and removed from privileged groups (source)

Microsoft Security Research

User account added to built in domain local or global group (source)

Microsoft Security Research

Member Added

12 rules

Sigma

mdecrevoisier

New member added to an Exchange administration group (high risk) (source)

mdecrevoisier

mdecrevoisier

User Added to Privileged Group in Active Directory (source)

Elastic

Elastic, Skoetting

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Kusto

Group created then added to built in domain local or global group (source)

Microsoft Security Research

Account added and removed from privileged groups (source)

Microsoft Security Research

User account added to built in domain local or global group (source)

Microsoft Security Research

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TargetSid`	ends_with	`-520`	2 rules	sigma
`TargetSid`	regex_match	`S-1-5-21-[0-9]-[0-9]-[0-9]-5[0-9][0-9]$\|S-1-5-21-[0-9]-[0-9]-[0-9]-1102$\|S-1-5-21-[0-9]-[0-9]-[0-9]-1103$\|S-1-5-21-[0-9]-[0-9]-[0-9]-498$\|S-1-5-21-[0-9]-[0-9]-[0-9]*-1000$`	3 rules	kusto
`TargetSid`	regex_match	`S-1-5-32-5[0-9][0-9]$`	3 rules	kusto
`TargetSid`	starts_with	`S-1-5-21-`	2 rules	sigma
`AccountType`	eq	`User`	2 rules	kusto
`SubjectUserSid`	eq	`S-1-5-18`	1 rule	elastic, sigma, splunk
`TargetUserName`	eq	`DnsAdmins`	1 rule	sigma, splunk

Community Notes #

Member added to security-enabled global group. May indicate domain-level privilege escalation, ie membership in Domain Admins.

Detection Rules #

Account added and removed from privileged groups (source)

Sigma # view in coverage

A Member Was Added to a Security-Enabled Global Group source low: Detects activity when a member is added to a security-enabled global group
Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity source high: Detects any creation or modification to a windows domain group with the name "ESX Admins". This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.↳ also matches Event ID 4727: A security-enabled global group was created., Event ID 4731: A security-enabled local group was created., Event ID 4737: A security-enabled global group was changed., Event ID 4754: A security-enabled universal group was created., Event ID 4755: A security-enabled universal group was changed., Event ID 4756: A member was added to a security-enabled universal group.

Elastic # view in coverage

Active Directory Group Modification by SYSTEM source medium: Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.

Splunk # view in coverage

Windows AD add Self to Group source: This analytic detects instances where a user adds themselves to an Active Directory (AD) group. This activity is a common indicator of privilege escalation, where a user attempts to gain unauthorized access to higher privileges or…
Windows AD Privileged Group Modification source: This detection identifies when users are added to privileged Active Directory groups by leveraging the Windows Security Event Code 4728 along with a lookup of privileged AD groups provided by Splunk Enterprise Security. Attackers often add…
Member added to security-enabled global group (Windows Event Log) source: In Active Directory Users and Computers "Security Enabled" groups are simply referred to as Security groups. This use case looks for when a member has been added to a security enabled global group.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4728
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4728.yml

Event ID 4729: A member was removed from a security-enabled global group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Security Group Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Event 4729 is the same as 4733, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4729(S) generates only for domain groups, so the Local sections in event 4733 do not apply.

Message #

A member was removed from a security-enabled global group.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Member:
	Security ID: %2
	Account Name: %1

Group:
	Security ID: %5
	Group Name: %3
	Group Domain: %4

Additional Information:
	Privileges: %10

Fields #

Name	Description
`MemberName`	Distinguished name (DN) of the account removed from the group. "-" for local groups even when the member is a domain account.
`MemberSid`	SID of account that was removed from the group.
`TargetUserName`	The name of the group from which the member was removed. For example: ServiceDesk.
`TargetDomainName`	Domain or computer name of the group from which the member was removed.
`TargetSid`	SID of the group from which the member was removed.
`SubjectUserSid`	SID of account that requested the "remove member from the group" operation.
`SubjectUserName`	The name of the account that requested the "remove member from the group" operation.
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList`	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-".

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4729,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2022-01-24T17:03:25.009874Z",
    "event_record_id": 1934525,
    "correlation": {},
    "execution": {
      "process_id": 480,
      "thread_id": 1496
    },
    "channel": "Security",
    "computer": "fs03vuln.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "MemberName": "-",
    "MemberSid": "S-1-5-21-2721507831-1374043488-2540227515-1008",
    "TargetUserName": "None",
    "TargetDomainName": "FS03VULN",
    "TargetSid": "S-1-5-21-2721507831-1374043488-2540227515-513",
    "SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
    "SubjectUserName": "admmig",
    "SubjectDomainName": "OFFSEC",
    "SubjectLogonId": "0x14f509e2",
    "PrivilegeList": "-"
  }
}

Detection Patterns #

1 rule

Kusto

Microsoft Security Research

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TargetSid`	regex_match	`S-1-5-21-[0-9]-[0-9]-[0-9]-5[0-9][0-9]$\|S-1-5-21-[0-9]-[0-9]-[0-9]-1102$\|S-1-5-21-[0-9]-[0-9]-[0-9]-1103$\|S-1-5-21-[0-9]-[0-9]-[0-9]-498$\|S-1-5-21-[0-9]-[0-9]-[0-9]*-1000$`	1 rule	kusto
`TargetSid`	regex_match	`S-1-5-32-5[0-9][0-9]$`	1 rule	kusto

Community Notes #

A member was removed from a security-enabled global group, may be an effort to slow IR or clean-up after escalation. Security-enabled local group changed, indicates changes to local Administrators or Remote Desktop Users.

Detection Rules #

Security-Auditing Event ID 4727: A security-enabled global group was created.OREvent ID 4730: A security-enabled global group was deleted.OREvent ID 4737: A security-enabled global group was changed.

Sigma # view in coverage

A Member Was Removed From a Security-Enabled Global Group source low: Detects activity when a member is removed from a security-enabled global group

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4729
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4729
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4729.yml

Event ID 4730: A security-enabled global group was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Security Group Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Event 4730 is the same as 4734, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4730(S) generates only for domain groups, so the Local sections in event 4734 do not apply.

Message #

A security-enabled global group was deleted.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Deleted Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the group that was deleted. For example: ServiceDesk.
`TargetDomainName` UnicodeString	Domain or computer name of the deleted group.
`TargetSid` SID	SID of deleted group.
`SubjectUserSid` SID	SID of account that requested the "delete group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "delete group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4730,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:16:14.140561+00:00",
    "event_record_id": 16240240,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 6288
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "evtgen_global",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1118",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xa981e",
    "PrivilegeList": "-"
  },
  "message": ""
}

Detection Patterns #

Persistence: Domain Account

1 rule

Splunk

Windows ESX Admins Group Creation Security Event (source)

Michael Haag, Splunk

Detection Rules #

Windows Increase in Group or Object Modification Activity (source)

Sigma # view in coverage

A Security-Enabled Global Group Was Deleted source low: Detects activity when a security-enabled global group is deleted

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4730
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4730
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4730.yml

Event ID 4731: A security-enabled local group was created.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Security Group Management
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

This event generates every time a new security-enabled (security) local group was created. This event generates on domain controllers, member servers, and workstations.

Message #

A security-enabled local group was created.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

New Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Attributes:
	SAM Account Name: %9
	SID History: %10

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the group that was created.
`TargetDomainName` UnicodeString	Domain or computer name of the created group.
`TargetSid` SID	[New Group] Security ID.
`SubjectUserSid` SID	SID of account that requested the "create group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "create group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`SamAccountName` UnicodeString	This is a name of new group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName attribute of new group object. For example: ServiceDesk. For local groups it is simply a name of new group.
`SidHistory` UnicodeString	Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the value of sIDHistory attribute of new group object. This parameter might not be captured in the event, and in that case appears as "-". For local groups it is not applicable and always has "-" value.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4731,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:18:54.2855734+00:00",
    "event_record_id": 822701,
    "correlation": {},
    "execution": {
      "process_id": 712,
      "thread_id": 5924
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "Access-Denied Assistance Users",
    "TargetDomainName": "cell-d",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-2602",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-D$",
    "SubjectDomainName": "cell-d",
    "SubjectLogonId": "0x3e7",
    "PrivilegeList": "-",
    "SamAccountName": "Access-Denied Assistance Users",
    "SidHistory": "-"
  },
  "message": "A security-enabled local group was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x3E7\r\n\r\nNew Group:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-2602\r\n\tGroup Name:\t\tAccess-Denied Assistance Users\r\n\tGroup Domain:\t\tcell-d\r\n\r\nAttributes:\r\n\tSAM Account Name:\tAccess-Denied Assistance Users\r\n\tSID History:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}

Detection Patterns #

2 rules

Splunk

Dean Luxton

Kusto

Group created then added to built in domain local or global group (source)

Microsoft Security Research

2 rules

Splunk

Windows Increase in Group or Object Modification Activity (source)

Dean Luxton

Kusto

Group created then added to built in domain local or global group (source)

Microsoft Security Research

Persistence: Domain Account

1 rule

Splunk

Brandon Sternfield, Optiv + ClearShark

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`AccountType`	eq	`User`	1 rule	kusto
`TargetSid`	regex_match	`S-1-5-21-[0-9]-[0-9]-[0-9]-5[0-9][0-9]$\|S-1-5-21-[0-9]-[0-9]-[0-9]-1102$\|S-1-5-21-[0-9]-[0-9]-[0-9]-1103$\|S-1-5-21-[0-9]-[0-9]-[0-9]-498$\|S-1-5-21-[0-9]-[0-9]-[0-9]*-1000$`	1 rule	kusto
`TargetSid`	regex_match	`S-1-5-32-5[0-9][0-9]$`	1 rule	kusto

Detection Rules #

Sigma # view in coverage

Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity source high: Detects any creation or modification to a windows domain group with the name "ESX Admins". This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.↳ also matches Event ID 4727: A security-enabled global group was created., Event ID 4728: A member was added to a security-enabled global group., Event ID 4737: A security-enabled global group was changed., Event ID 4754: A security-enabled universal group was created., Event ID 4755: A security-enabled universal group was changed., Event ID 4756: A member was added to a security-enabled universal group.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4731
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4731
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4731.yml

Event ID 4732: A member was added to a security-enabled local group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Security Group Management
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates every time a new member was added to a security-enabled (security) local group.

Message #

A member was added to a security-enabled local group.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Member:
	Security ID: %2
	Account Name: %1

Group:
	Security ID: %5
	Group Name: %3
	Group Domain: %4

Additional Information:
	Privileges: %10

Fields #

Name	Description	Rules
`MemberName` UnicodeString	Distinguished name (DN) of the account added to the group. "-" for local groups even when the member is a domain account.
`MemberSid` SID	SID of account that was added to the group.	1 detection rule
`TargetUserName` UnicodeString	The name of the group to which new member was added.	3 detection rules
`TargetDomainName` UnicodeString	Domain or computer name of the group to which the new member was added.
`TargetSid` SID	SID of the group to which new member was added.	24 detection rules
`SubjectUserSid` SID	SID of account that requested the "add member to the group" operation.	2 detection rules
`SubjectUserName` UnicodeString	The name of the account that requested the "add member to the group" operation.	1 detection rule
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`MembershipExpirationTime`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4732,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T13:40:38.0272728+00:00",
    "event_record_id": 1207739,
    "correlation": {},
    "execution": {
      "process_id": 736,
      "thread_id": 944
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "MemberName": "-",
    "MemberSid": "S-1-5-21-1006758700-2167138679-1475694448-1001",
    "TargetUserName": "RDS Remote Access Servers",
    "TargetDomainName": "Builtin",
    "TargetSid": "S-1-5-32-575",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-D$",
    "SubjectDomainName": "cell-d",
    "SubjectLogonId": "0x3e7",
    "PrivilegeList": "-"
  },
  "message": "A member was added to a security-enabled local group.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x3E7\r\n\r\nMember:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1001\r\n\tAccount Name:\t\t-\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-32-575\r\n\tGroup Name:\t\tRDS Remote Access Servers\r\n\tGroup Domain:\t\tBuiltin\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}

Detection Patterns #

15 rules

Sigma

mdecrevoisier

New member added to an Exchange administration group (high risk) (source)

mdecrevoisier

mdecrevoisier

User Added to Privileged Group in Active Directory (source)

Elastic

Elastic, Skoetting

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Create_Add Local_Domain User (Windows Event Log) (source)

Kusto

New user created and added to the built-in administrators group (source)

Microsoft Security Research

Group created then added to built in domain local or global group (source)

Microsoft Security Research

13 rules

Sigma

mdecrevoisier

New member added to an Exchange administration group (high risk) (source)

mdecrevoisier

mdecrevoisier

Show 5 more (8 total) on the rules page

Elastic

User Added to Privileged Group in Active Directory (source)

Elastic, Skoetting

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Kusto

Group created then added to built in domain local or global group (source)

Microsoft Security Research

Account added and removed from privileged groups (source)

Microsoft Security Research

User account added to built in domain local or global group (source)

Microsoft Security Research

Member Added

12 rules

Sigma

mdecrevoisier

New member added to an Exchange administration group (high risk) (source)

mdecrevoisier

mdecrevoisier

User Added to Privileged Group in Active Directory (source)

Elastic

Elastic, Skoetting

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Kusto

Group created then added to built in domain local or global group (source)

Microsoft Security Research

Account added and removed from privileged groups (source)

Microsoft Security Research

User account added to built in domain local or global group (source)

Microsoft Security Research

Member Added

12 rules

Sigma

mdecrevoisier

New member added to an Exchange administration group (high risk) (source)

mdecrevoisier

mdecrevoisier

User Added to Privileged Group in Active Directory (source)

Elastic

Elastic, Skoetting

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Kusto

Group created then added to built in domain local or global group (source)

Microsoft Security Research

Account added and removed from privileged groups (source)

Microsoft Security Research

User account added to built in domain local or global group (source)

Microsoft Security Research

Persistence: Account Manipulation

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 4720: A user account was created.OREvent ID 4732: A member was added to a security-enabled local group.

5 rules

Splunk

Create_Add Local_Domain User (Windows Event Log) (source)

Windows Increase in User Modification Activity (source)

Dean Luxton

New user created and added to the built-in administrators group (source)

David Dorsey, Splunk

Kusto

Microsoft Security Research

Security-Auditing Event ID 4720: A user account was created.OREvent ID 4732: A member was added to a security-enabled local group.

Show All Detection Patterns

4 rules

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Create_Add Local_Domain User (Windows Event Log) (source)

Kusto

New user created and added to the built-in administrators group (source)

Microsoft Security Research

Security-Auditing Event ID 4720: A user account was created.OREvent ID 4732: A member was added to a security-enabled local group.OREvent ID 4738: A user account was changed.

Persistence: Account Manipulation

4 rules

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Create_Add Local_Domain User (Windows Event Log) (source)

Kusto

New user created and added to the built-in administrators group (source)

Microsoft Security Research

Security-Auditing Event ID 4720: A user account was created.ANDEvent ID 4732: A member was added to a security-enabled local group.

Persistence: Local Account

2 rules

Splunk

Create_Add Local_Domain User (Windows Event Log) (source)

David Dorsey, Splunk

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`AccountType`	eq	`User`	3 rules	kusto
`TargetSid`	eq	`S-1-5-32-544`	2 rules	kusto, sigma
`TargetSid`	regex_match	`S-1-5-21-[0-9]-[0-9]-[0-9]-5[0-9][0-9]$\|S-1-5-21-[0-9]-[0-9]-[0-9]-1102$\|S-1-5-21-[0-9]-[0-9]-[0-9]-1103$\|S-1-5-21-[0-9]-[0-9]-[0-9]-498$\|S-1-5-21-[0-9]-[0-9]-[0-9]*-1000$`	3 rules	kusto
`TargetSid`	regex_match	`S-1-5-32-5[0-9][0-9]$`	3 rules	kusto
`TargetSid`	starts_with	`S-1-5-32`	2 rules	sigma
`TargetUserName`	eq	`DnsAdmins`	2 rules	sigma, splunk
`TargetUserName`	starts_with	`Administr`	1 rule	sigma
`CommandLine`	match	`(?i)(\-u)\|(user)\|(localgroup)\|(group)`	1 rule	splunk
`CommandLine`	match	`(?i).add`	1 rule	splunk
`signature_id`	match	`(?i)4720`	1 rule	splunk
`user_group`	match	`(?i)(users)\|(administrators)\|(remote)`	1 rule	splunk

Detection Rules #

Windows Increase in User Modification Activity (source)

Sigma # view in coverage

User Added to Local Administrator Group source medium: Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity
High risk local/domain local group membership change source high: Detects scenarios where a suspicious group membership is changed. Having Microsoft LAPS installed may trigger false positive events for the builtin administrators group triggered by the system account (S-1-5-18).
Medium risk local/domain local group membership change source high: Detects scenarios where a suspicious group membership is changed.

Splunk # view in coverage

Windows DnsAdmins New Member Added source: The following analytic detects the addition of a new member to the DnsAdmins group in Active Directory by leveraging Event ID 4732. This detection uses security event logs to identify changes to this high-privilege group. Monitoring this…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4732.yml

Event ID 4733: A member was removed from a security-enabled local group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Security Group Management
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

This event generates every time member was removed from security-enabled (security) local group.

Message #

A member was removed from a security-enabled local group.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Member:
	Security ID: %2
	Account Name: %1

Group:
	Security ID: %5
	Group Name: %3
	Group Domain: %4

Additional Information:
	Privileges: %10

Fields #

Name	Description
`MemberName`	Distinguished name (DN) of the account removed from the group. "-" for local groups even when the member is a domain account.
`MemberSid`	SID of account that was removed from the group.
`TargetUserName`	The name of the group from which the member was removed. For example: ServiceDesk.
`TargetDomainName`	Domain or computer name of the group from which the member was removed.
`TargetSid`	SID of the group from which the member was removed.
`SubjectUserSid`	SID of account that requested the "remove member from the group" operation.
`SubjectUserName`	The name of the account that requested the "remove member from the group" operation.
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList`	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-".

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4733,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:13:10.3360440+00:00",
    "event_record_id": 2882805,
    "correlation": {},
    "execution": {
      "process_id": 852,
      "thread_id": 4760
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "MemberName": "-",
    "MemberSid": "S-1-5-17",
    "TargetUserName": "IIS_IUSRS",
    "TargetDomainName": "Builtin",
    "TargetSid": "S-1-5-32-568",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-C$",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x3e7",
    "PrivilegeList": "-"
  },
  "message": "A member was removed from a security-enabled local group.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nMember:\r\n\tSecurity ID:\t\tS-1-5-17\r\n\tAccount Name:\t\t-\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-32-568\r\n\tGroup Name:\t\tIIS_IUSRS\r\n\tGroup Domain:\t\tBuiltin\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}

Detection Patterns #

2 rules

Splunk

Dean Luxton

Kusto

Account added and removed from privileged groups (source)

Microsoft Security Research

2 rules

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Kusto

Account added and removed from privileged groups (source)

Microsoft Security Research

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TargetSid`	regex_match	`S-1-5-21-[0-9]-[0-9]-[0-9]-5[0-9][0-9]$\|S-1-5-21-[0-9]-[0-9]-[0-9]-1102$\|S-1-5-21-[0-9]-[0-9]-[0-9]-1103$\|S-1-5-21-[0-9]-[0-9]-[0-9]-498$\|S-1-5-21-[0-9]-[0-9]-[0-9]*-1000$`	1 rule	kusto
`TargetSid`	regex_match	`S-1-5-32-5[0-9][0-9]$`	1 rule	kusto

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4733
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4733
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4733.yml

Event ID 4734: A security-enabled local group was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Security Group Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time security-enabled (security) local group is deleted. This event generates on domain controllers, member servers, and workstations.

Message #

A security-enabled local group was deleted.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the group that was deleted. For example: ServiceDesk.
`TargetDomainName` UnicodeString	Domain or computer name of the deleted group.
`TargetSid` SID	SID of deleted group.
`SubjectUserSid` SID	SID of account that requested the "delete group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "delete group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4734,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:16:14.168517+00:00",
    "event_record_id": 16240246,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 1756
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "evtgen_domlocal",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1119",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xa981e",
    "PrivilegeList": "-"
  },
  "message": ""
}

Detection Patterns #

1 rule

Splunk

Windows Increase in Group or Object Modification Activity (source)

Dean Luxton

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4734
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4734
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4734.yml

Event ID 4735: A security-enabled local group was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Security Group Management
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

This event generates every time a security-enabled (security) local group is changed.

Message #

A security-enabled local group was changed.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Changed Attributes:
	SAM Account Name: %9
	SID History: %10

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the group that was changed. For example: ServiceDesk.
`TargetDomainName` UnicodeString	SID of changed group.
`TargetSid` SID	SID of changed group.
`SubjectUserSid` SID	SID of account that requested the "change group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "change group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`SamAccountName` UnicodeString	This is a new name of changed group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). For example: ServiceDesk. For local groups it is simply a new name of the group, if it was changed.
`SidHistory` UnicodeString	Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property. For local groups it is not applicable and always has "-" value.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4735,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:13:10.3426710+00:00",
    "event_record_id": 2882816,
    "correlation": {},
    "execution": {
      "process_id": 852,
      "thread_id": 4760
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "IIS_IUSRS",
    "TargetDomainName": "Builtin",
    "TargetSid": "S-1-5-32-568",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-C$",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x3e7",
    "PrivilegeList": "-",
    "SamAccountName": "-",
    "SidHistory": "-"
  },
  "message": "A security-enabled local group was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-32-568\r\n\tGroup Name:\t\tIIS_IUSRS\r\n\tGroup Domain:\t\tBuiltin\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\t-\r\n\tSID History:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}

Detection Patterns #

1 rule

Splunk

Windows Increase in Group or Object Modification Activity (source)

Dean Luxton

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4735
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4735
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4735.yml

Event ID 4737: A security-enabled global group was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Security Group Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Event 4737 is the same as 4735, but it is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4737(S) generates only for domain groups, so the Local sections in event 4735 do not apply.

Message #

A security-enabled global group was changed.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Changed Attributes:
	SAM Account Name: %9
	SID History: %10

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the group that was changed. For example: ServiceDesk.
`TargetDomainName` UnicodeString	SID of changed group.
`TargetSid` SID	SID of changed group.
`SubjectUserSid` SID	SID of account that requested the "change group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "change group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`SamAccountName` UnicodeString	This is a new name of changed group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). For example: ServiceDesk. For local groups it is simply a new name of the group, if it was changed.
`SidHistory` UnicodeString	Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property. For local groups it is not applicable and always has "-" value.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4737,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-28T01:01:27.8749648+00:00",
    "event_record_id": 6842,
    "correlation": {},
    "execution": {
      "process_id": 680,
      "thread_id": 856
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "Domain Controllers",
    "TargetDomainName": "cell-d",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-516",
    "SubjectUserSid": "S-1-5-7",
    "SubjectUserName": "ANONYMOUS LOGON",
    "SubjectDomainName": "NT AUTHORITY",
    "SubjectLogonId": "0x3e6",
    "PrivilegeList": "-",
    "SamAccountName": "-",
    "SidHistory": "-"
  },
  "message": "A security-enabled global group was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-7\r\n\tAccount Name:\t\tANONYMOUS LOGON\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E6\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-516\r\n\tGroup Name:\t\tDomain Controllers\r\n\tGroup Domain:\t\tcell-d\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\t-\r\n\tSID History:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}

Detection Patterns #

Persistence: Domain Account

Security-Auditing Event ID 4727: A security-enabled global group was created.OREvent ID 4730: A security-enabled global group was deleted.OREvent ID 4737: A security-enabled global group was changed.

1 rule

Splunk

Windows ESX Admins Group Creation Security Event (source)

Michael Haag, Splunk

Detection Rules #

Security-Auditing Event ID 4738: A user account was changed.OREvent ID 4742: A computer account was changed.

Sigma # view in coverage

Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity source high: Detects any creation or modification to a windows domain group with the name "ESX Admins". This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.↳ also matches Event ID 4727: A security-enabled global group was created., Event ID 4728: A member was added to a security-enabled global group., Event ID 4731: A security-enabled local group was created., Event ID 4754: A security-enabled universal group was created., Event ID 4755: A security-enabled universal group was changed., Event ID 4756: A member was added to a security-enabled universal group.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4737
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4737
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4737.yml

Event ID 4738: A user account was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time user object is changed.

Message #

A user account was changed.

Subject:
	Security ID: %5
	Account Name: %6
	Account Domain: %7
	Logon ID: %8

Target Account:
	Security ID: %4
	Account Name: %2
	Account Domain: %3

Changed Attributes:
	SAM Account Name: %10
	Display Name: %11
	User Principal Name: %12
	Home Directory: %13
	Home Drive: %14
	Script Path: %15
	Profile Path: %16
	User Workstations: %17
	Password Last Set: %18
	Account Expires: %19
	Primary Group ID: %20
	AllowedToDelegateTo: %21
	Old UAC Value: %22
	New UAC Value: %23
	User Account Control: %24
	User Parameters: %25
	SID History: %26
	Logon Hours: %27

Additional Information:
	Privileges: %9

Fields #

Name	Description	Rules
`Dummy` UnicodeString
`TargetUserName` UnicodeString	The name of the account that was changed.
`TargetDomainName` UnicodeString	Target account's domain or computer name.
`TargetSid` SID	SID of account that was changed.
`SubjectUserSid` SID	SID of account that requested the "change user account" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "change user account" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`SamAccountName` UnicodeString	Logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). For example: ladmin. Local accounts always populate it.
`DisplayName` UnicodeString	It is a name, displayed in the address book for a particular account. This is usually the combination of the user's first name, middle initial, and last name. Local accounts always populate it.
`UserPrincipalName` UnicodeString	Internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. For local accounts, this field is not applicable and always has "-" value.
`HomeDirectory` UnicodeString	User's home directory. If homeDrive attribute is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form \Server\Share\Directory. Local accounts always populate it.
`HomePath` UnicodeString	Specifies the drive letter to which to map the UNC path specified by homeDirectory account's attribute. The drive letter must be specified in the form "DRIVE_LETTER:". For example - "H:". Local accounts always populate it.
`ScriptPath` UnicodeString	Specifies the path of the account's logon script. Local accounts always populate it.
`ProfilePath` UnicodeString	Specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. Local accounts always populate it.
`UserWorkstations` UnicodeString	Contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the sAMAccountName property of a computer object. For local accounts, this field is not applicable and always appears as "\."
`PasswordLastSet` UnicodeString	Last time the account's password was modified. For example: 8/12/2015 11:41:39 AM. This value will be changed, for example, after manual user account password reset. Local accounts always populate it.
`AccountExpires` UnicodeString	The date when the account expires. For example, "9/21/2015 12:00:00 AM". Local accounts always populate it.
`PrimaryGroupId` UnicodeString	Relative Identifier (RID) of user's object primary group.
`AllowedToDelegateTo` UnicodeString	The list of SPNs to which this account can present delegated credentials. Can be changed using Active Directory Users and Computers management console in Delegation tab of user account, if at least one SPN is registered for user account. If the SPNs list on Delegation tab of a user account was changed, you will see the new SPNs list in AllowedToDelegateTo field (note that you will see the new list instead of changes) of this event.	1 detection rule
`OldUacValue` UnicodeString	Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the previous value of userAccountControl attribute of user object. UAC flags reference	24 detection rules
`NewUacValue` UnicodeString	Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. UAC flags reference	24 detection rules
`UserAccountControl` UnicodeString	Shows the list of changes in userAccountControl attribute. You will see a line of text for each change. In the "User Account Control field text" column, you can see the text that will be displayed in the User Account Control field in 4738 event.	8 detection rules
`UserParameters` UnicodeString	If you change any setting using Active Directory Users and Computers management console in Dial-in tab of user's account properties, then you will see \<value changed, but not displayed> in this field. For local accounts, this field is not applicable and always has "\" value.
`SidHistory` UnicodeString	Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property.	8 detection rules
`LogonHours` UnicodeString	Hours that the account is allowed to logon to the domain.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4738,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-28T00:51:32.6146449+00:00",
    "event_record_id": 1404478,
    "correlation": {},
    "execution": {
      "process_id": 808,
      "thread_id": 3064
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Dummy": "-",
    "TargetUserName": "domainadmin",
    "TargetDomainName": "cell-a",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1000",
    "SubjectUserName": "localuser",
    "SubjectDomainName": "cell-a",
    "SubjectLogonId": "0x1a69fef",
    "PrivilegeList": "-",
    "SamAccountName": "-",
    "DisplayName": "-",
    "UserPrincipalName": "-",
    "HomeDirectory": "-",
    "HomePath": "-",
    "ScriptPath": "-",
    "ProfilePath": "-",
    "UserWorkstations": "-",
    "PasswordLastSet": "5/28/2026 12:51:32 AM",
    "AccountExpires": "-",
    "PrimaryGroupId": "-",
    "AllowedToDelegateTo": "-",
    "OldUacValue": "-",
    "NewUacValue": "-",
    "UserAccountControl": "-",
    "UserParameters": "-",
    "SidHistory": "-",
    "LogonHours": "-"
  },
  "message": "A user account was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1000\r\n\tAccount Name:\t\tlocaluser\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x1A69FEF\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-a\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\t-\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t5/28/2026 12:51:32 AM\r\n\tAccount Expires:\t\t-\r\n\tPrimary Group ID:\t-\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t-\r\n\tNew UAC Value:\t\t-\r\n\tUser Account Control:\t-\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}

Detection Patterns #

Domain Sid History Addition

3 rules

Splunk

Windows AD Cross Domain SID History Addition (source)

Dean Luxton

Windows AD Privileged Account SID History Addition (source)

Dean Luxton

Windows AD Same Domain SID History Addition (source)

Dean Luxton

2 rules

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Kusto

Security-Auditing Event ID 4738: A user account was changed.OREvent ID 5136: A directory service object was modified.

Persistence: Account Manipulation

2 rules

Sigma

Active Directory User Backdoors (source)

@neu5ron

Elastic

Account Configured with Never-Expiring Password (source)

Elastic

Persistence: Account Manipulation

Security-Auditing Event ID 4720: A user account was created.OREvent ID 4732: A member was added to a security-enabled local group.OREvent ID 4738: A user account was changed.

2 rules

Splunk

Windows Increase in User Modification Activity (source)

Dean Luxton

Kusto

Security-Auditing Event ID 4723: An attempt was made to change an account's password.OREvent ID 4738: A user account was changed.

1 rule

Splunk

Rubeus Password Change (Windows Event Log) (source)

Show All Detection Patterns

Stealth: SID-History Injection

Security-Auditing Event ID 4738: A user account was changed.OREvent ID 4765: SID History was added to an account.OREvent ID 4766: An attempt to add SID History to an account failed.

1 rule

Sigma

Addition of SID History to Active Directory Object (source)

Thomas Patzke, @atc_project (improvements)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`AttributeLDAPDisplayName`	eq	`msds-allowedtoactonbehalfofotheridentity`	1 rule	kusto, sigma
`AttributeLDAPDisplayName`	eq	`serviceprincipalname`	1 rule	elastic, kusto, sigma, splunk
`ObjectClass`	eq	`user`	1 rule	elastic, kusto, sigma, splunk
`OperationType`	eq	`%%14674`	1 rule	elastic, sigma, splunk
`match`	is_not_null		1 rule	splunk
`user.id`	ne	`S-1-5-18`	1 rule	elastic

Community Notes #

User account changed, may capture priv-esc, password changes, or UAC flag changes.

Detection Rules #

Security-Auditing Event ID 4741: A computer account was created.OREvent ID 4743: A computer account was deleted.

Sigma # view in coverage

Weak Encryption Enabled and Kerberoast source high: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
Account password set to never expire. source medium: Detects scenarios where an account password is set to never expire.
Account marked as sensitive and cannot be delegated had its protection removed (weakness introduction) source high: Detects scenarios where an attacker removes security protection from a sensitive account to escalate privileges

Show 4 more (7 total)

Account set with Kerberos DES encryption activated (weakness introduction) source high: Detects scenarios where an attacker set an account with DES Kerberos encryption to perform ticket brutforce.
Account set with Kerberos pre-authentication not required (AS-REP Roasting) source high: Detects scenarios where an attacker set an account with Kerberos pre-authentication not required to perform offline brutforce. Account with this status can be checked with the following command > "Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol".
Account set with password not required (weakness introduction) source medium: Detects scenarios where an attacker set an account with password not required to perform privilege escalation attack.
Account set with reversible encryption (weakness introduction) source high: Detects scenarios where an attacker set an account with reversible encryption to facilitate brutforce or cracking operations.

Elastic # view in coverage

Kerberos Pre-authentication Disabled for User source medium: Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.
KRBTGT Delegation Backdoor source high: Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.

Splunk # view in coverage

Kerberos Pre-Authentication Flag Disabled in UserAccountControl source: The following analytic detects when the Kerberos Pre-Authentication flag is disabled in a user account, using Windows Security Event 4738. This event indicates a change in the UserAccountControl property of a domain user object. Disabling…

Kusto # view in coverage

AD account with Don't Expire Password source low: Identifies whenever a user account has the setting "Password Never Expires" in the user account properties selected. This is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089. %%2089 resolves to "Don't Expire Password - Enabled".

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4738
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4738.yml

Event ID 4739: Domain Policy was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Authentication Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates when one of the following changes was made to local computer security policy: Computer's "\Security Settings\Account Policies\Account Lockout Policy" settings were modified. Computer's "\Security Settings\Account Policies\Password Policy" settings were modified. "Network security: Force logoff when logon hours expire" group policy setting was changed. Domain functional level was changed or some other attributes changed (see details in event description).

Message #

Domain Policy was changed.

Change Type: %1 modified

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Domain:
	Domain Name: %2
	Domain ID: %3

Changed Attributes:
	Min. Password Age: %9
	Max. Password Age: %10
	Force Logoff: %11
	Lockout Threshold: %12
	Lockout Observation Window: %13
	Lockout Duration: %14
	Password Properties: %15
	Min. Password Length: %16
	Password History Length: %17
	Machine Account Quota: %18
	Mixed Domain Mode: %19
	Domain Behavior Version: %20
	OEM Information: %21

Additional Information:
	Privileges: %8

Fields #

Name	Description
`DomainPolicyChanged` UnicodeString	The type of change which was made. The format is "policy_name modified".
`DomainName` UnicodeString	The name of domain for which policy changes were made.
`DomainSid` SID	The SID of domain for which policy changes were made.
`SubjectUserSid` SID	SID of account that made a change to specific local policy.
`SubjectUserName` UnicodeString	The name of the account that made a change to specific local policy.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`MinPasswordAge` UnicodeString	"\Security Settings\Account Policies\Password Policy\Minimum password age" group policy. Numeric value.
`MaxPasswordAge` UnicodeString	"\Security Settings\Account Policies\Password Policy\Maximum password age" group policy. Numeric value.
`ForceLogoff` UnicodeString	"\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire" group policy.
`LockoutThreshold` UnicodeString	"\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold" group policy. Numeric value.
`LockoutObservationWindow` UnicodeString	"\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after" group policy. Numeric value.
`LockoutDuration` UnicodeString	"\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration" group policy. Numeric value.
`PasswordProperties` UnicodeString	[Changed Attributes] Password Properties.
`MinPasswordLength` UnicodeString	"\Security Settings\Account Policies\Password Policy\Minimum password length" group policy. Numeric value.
`PasswordHistoryLength` UnicodeString	"\Security Settings\Account Policies\Password Policy\Enforce password history" group policy. Numeric value.
`MachineAccountQuota` UnicodeString	Ms-DS-MachineAccountQuota domain attribute was modified. Numeric value.
`MixedDomainMode` UnicodeString	[Changed Attributes] Mixed Domain Mode.
`DomainBehaviorVersion` UnicodeString	MsDS-Behavior-Version domain attribute was modified. Numeric value.
`OemInformation` UnicodeString	Not used. present for backward compatibility.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4739,
    "version": 0,
    "level": 0,
    "task": 13569,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T06:25:34.991613+00:00",
    "event_record_id": 2783,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 896
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DomainPolicyChanged": "Password Policy",
    "DomainName": "WINDEV2310EVAL",
    "DomainSid": "S-1-5-21-1992711665-1655669231-58201500",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "PrivilegeList": "-",
    "MinPasswordAge": "ퟏ~",
    "MaxPasswordAge": "ퟏ~",
    "ForceLogoff": "-",
    "LockoutThreshold": "-",
    "LockoutObservationWindow": "-",
    "LockoutDuration": "-",
    "PasswordProperties": "8",
    "MinPasswordLength": "0",
    "PasswordHistoryLength": "0",
    "MachineAccountQuota": "-",
    "MixedDomainMode": "-",
    "DomainBehaviorVersion": "-",
    "OemInformation": "-"
  },
  "message": ""
}

Community Notes #

Attackers with Domain Admin may weaken password/lockout requirements to speed credential attacks. May precede password spraying or Kerberos ticket forgery. Pair with 4768 and 4771. Also a prelude to DCShadow or other directory-level attacks.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4739
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4739
Example event sourced from https://github.com/NextronSystems/evtx-baseline
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4739.yml

Event ID 4740: A user account was locked out.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates every time a user account is locked out. For user accounts, this event generates on domain controllers, member servers, and workstations.

Message #

A user account was locked out.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Account That Was Locked Out:
	Security ID: %3
	Account Name: %1

Additional Information:
	Caller Computer Name: %2

Fields #

Name	Description
`TargetUserName` UnicodeString	[Account That Was Locked Out] Account Name.
`TargetDomainName` UnicodeString	The name of computer account from which logon attempt was received and after which target account was locked out.
`TargetSid` SID	[Account That Was Locked Out] Security ID.
`SubjectUserSid` SID	SID of account that performed the lockout operation.
`SubjectUserName` UnicodeString	The name of the account that performed the lockout operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4740,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:03:33.513406+00:00",
    "event_record_id": 16594636,
    "correlation": {},
    "execution": {
      "process_id": 936,
      "thread_id": 10928
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "KrbTestLockout",
    "TargetDomainName": "LAB-DC01",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1268",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "LAB-DC01$",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0x3e7"
  },
  "message": ""
}

Community Notes #

Pair with 4625 and related IPs during investigation. Review Caller_Computer_Name.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4740
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4740.yml

Event ID 4741: A computer account was created.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Computer Account Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time a new computer object is created. This event generates only on domain controllers.

Message #

A computer account was created.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

New Computer Account:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Attributes:
	SAM Account Name: %9
	Display Name: %10
	User Principal Name: %11
	Home Directory: %12
	Home Drive: %13
	Script Path: %14
	Profile Path: %15
	User Workstations: %16
	Password Last Set: %17
	Account Expires: %18
	Primary Group ID: %19
	AllowedToDelegateTo: %20
	Old UAC Value: %21
	New UAC Value: %22
	User Account Control: %23
	User Parameters: %24
	SID History: %25
	Logon Hours: %26
	DNS Host Name: %27
	Service Principal Names: %28

Additional Information:
	Privileges		%8

Fields #

Name	Description	Rules
`TargetUserName`	The name of the computer account that was created. For example: WIN81$.	1 detection rule
`TargetDomainName`	Domain name of created computer account.
`TargetSid`	SID of created computer account.
`SubjectUserSid`	SID of account that requested the "create Computer object" operation.	1 detection rule
`SubjectUserName`	The name of the account that requested the "create Computer object" operation.	1 detection rule
`SubjectDomainName`	Subject's domain name.	2 detection rules
`SubjectLogonId`	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList`	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-".	1 detection rule
`SamAccountName`	Logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName attribute of new computer object. For example: WIN81$.
`DisplayName`	The value of displayName attribute of new computer object. It is a name displayed in the address book for a particular account (typically - user account). This is usually the combination of the user's first name, middle initial, and last name. For computer objects, it is optional, and typically is not set.
`UserPrincipalName`	Internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. This parameter contains the value of userPrincipalName attribute of new computer object.
`HomeDirectory`	User's home directory. If homeDrive attribute is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form \Server\Share\Directory. This parameter contains the value of homeDirectory attribute of new computer object.
`HomePath`	Specifies the drive letter to which to map the UNC path specified by homeDirectory account's attribute. The drive letter must be specified in the form "DRIVE_LETTER:".
`ScriptPath`	Specifies the path of the account's logon script. This parameter contains the value of scriptPath attribute of new computer object. For computer objects, it is optional, and typically is not set.
`ProfilePath`	Specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. This parameter contains the value of profilePath attribute of new computer object. For computer objects, it is optional, and typically is not set.
`UserWorkstations`	Contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the sAMAccountName property of a computer object. This parameter contains the value of userWorkstations attribute of new computer object.
`PasswordLastSet`	Last time the account's password was modified. For manually created computer account, using Active Directory Users and Computers snap-in, this field typically has value "\".
`AccountExpires`	The date when the account expires. This parameter contains the value of accountExpires attribute of new computer object.
`PrimaryGroupId`	Relative Identifier (RID) of computer's object primary group.
`AllowedToDelegateTo` UnicodeString	The list of SPNs to which this account can present delegated credentials. Can be changed using Active Directory Users and Computers management console in Delegation tab of computer account.
`OldUacValue`	Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. Old UAC value always "0x0" for new computer accounts. This parameter contains the previous value of userAccountControl attribute of computer object.
`NewUacValue`	Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of userAccountControl attribute of new computer object.	2 detection rules
`UserAccountControl`	Shows the list of changes in userAccountControl attribute. You will see a line of text for each change. For new computer accounts, when the object for this account was created, the userAccountControl value was considered to be "0x0", and then it was changed from "0x0" to the real value for the account's userAccountControl attribute.
`UserParameters`	If you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer's account properties, then you will see \<value changed, but not displayed> in this field in "4742(S): A computer account was changed."
`SidHistory`	Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID.
`LogonHours`	Hours that the account is allowed to logon to the domain. The value of logonHours attribute of new computer object. For computer objects, it is optional, and typically is not set. You will see \ value for new created computer accounts in event 4741.
`DnsHostName`	Name of computer account as registered in DNS. The value of dNSHostName attribute of new computer object. For manually created computer account objects this field has value "-".
`ServicePrincipalNames`	The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of servicePrincipalName attribute of new computer object. For manually created computer objects it is typically equals "-". This is an example of Service Principal Names field for new domain joined workstation:	4 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4741,
    "version": 0,
    "level": 0,
    "task": 13825,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-28T00:58:03.3602699+00:00",
    "event_record_id": 6612,
    "correlation": {},
    "execution": {
      "process_id": 680,
      "thread_id": 2500
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "TELEMETRY-W11-D$",
    "TargetDomainName": "cell-d",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1106",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "cell-d",
    "SubjectLogonId": "0x27dc13",
    "PrivilegeList": "-",
    "SamAccountName": "TELEMETRY-W11-D$",
    "DisplayName": "-",
    "UserPrincipalName": "-",
    "HomeDirectory": "-",
    "HomePath": "-",
    "ScriptPath": "-",
    "ProfilePath": "-",
    "UserWorkstations": "-",
    "PasswordLastSet": "5/28/2026 12:58:03 AM",
    "AccountExpires": "%%1794",
    "PrimaryGroupId": "515",
    "AllowedToDelegateTo": "-",
    "OldUacValue": "0x0",
    "NewUacValue": "0x80",
    "UserAccountControl": "\n\t\t%%2087",
    "UserParameters": "-",
    "SidHistory": "-",
    "LogonHours": "%%1793",
    "DnsHostName": "telemetry-W11-d.cell-d.ludus.domain",
    "ServicePrincipalNames": "\n\t\tHOST/telemetry-W11-d.cell-d.ludus.domain\n\t\tRestrictedKrbHost/telemetry-W11-d.cell-d.ludus.domain\n\t\tHOST/TELEMETRY-W11-D\n\t\tRestrictedKrbHost/TELEMETRY-W11-D"
  },
  "message": "A computer account was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x27DC13\r\n\r\nNew Computer Account:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1106\r\n\tAccount Name:\t\tTELEMETRY-W11-D$\r\n\tAccount Domain:\t\tcell-d\r\n\r\nAttributes:\r\n\tSAM Account Name:\tTELEMETRY-W11-D$\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t5/28/2026 12:58:03 AM\r\n\tAccount Expires:\t\t<never>\r\n\tPrimary Group ID:\t515\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t0x0\r\n\tNew UAC Value:\t\t0x80\r\n\tUser Account Control:\t\r\n\t\t'Workstation Trust Account' - Enabled\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t<value not set>\r\n\tDNS Host Name:\t\ttelemetry-W11-d.cell-d.ludus.domain\r\n\tService Principal Names:\t\r\n\t\tHOST/telemetry-W11-d.cell-d.ludus.domain\r\n\t\tRestrictedKrbHost/telemetry-W11-d.cell-d.ludus.domain\r\n\t\tHOST/TELEMETRY-W11-D\r\n\t\tRestrictedKrbHost/TELEMETRY-W11-D\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-"
}

Detection Patterns #

Defense Impairment: Rogue Domain Controller

1 rule

Sigma

Add or Remove Computer from DC (source)

frack113

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`SubjectUserName`	ends_with	`$`	1 rule	sigma
`SubjectUserSid`	starts_with	`S-1-5-21-`	1 rule	sigma
`TargetUserName`	ends_with	`$`	1 rule	kusto, sigma

Community Notes #

May alert on golden ticket style attacks.

Detection Rules #

Security-Auditing Event ID 4738: A user account was changed.OREvent ID 4742: A computer account was changed.

Sigma # view in coverage

Suspicious computer account created by a computer account source high: Detects scenarios where an attacker abuse MachineAccountQuota privilege and pre-create a computer object for abusing RBCD delegation.
Computer account created with privileges source high: Detects scenarios where an attacker creates a computer account with privileges for later exploitation.

Splunk # view in coverage

Windows Computer Account Created by Computer Account source: The following analytic identifies a computer account creating a new computer account with a specific Service Principal Name (SPN) "RestrictedKrbHost". This detection leverages Windows Security Event Logs, specifically EventCode 4741, to…
Windows Computer Account With SPN source: The following analytic detects the addition of Service Principal Names (SPNs) HOST and RestrictedKrbHost to a computer account, indicative of KrbRelayUp behavior. This detection leverages Windows Security Event Logs, specifically EventCode…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-computer-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4741
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4741.yml

Event ID 4742: A computer account was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Computer Account Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time a computer object is changed.

Message #

A computer account was changed.

Subject:
	Security ID: %5
	Account Name: %6
	Account Domain: %7
	Logon ID: %8

Computer Account That Was Changed:
	Security ID: %4
	Account Name: %2
	Account Domain: %3

Changed Attributes:
	SAM Account Name: %10
	Display Name: %11
	User Principal Name: %12
	Home Directory: %13
	Home Drive: %14
	Script Path: %15
	Profile Path: %16
	User Workstations: %17
	Password Last Set: %18
	Account Expires: %19
	Primary Group ID: %20
	AllowedToDelegateTo: %21
	Old UAC Value: %22
	New UAC Value: %23
	User Account Control: %24
	User Parameters: %25
	SID History: %26
	Logon Hours: %27
	DNS Host Name: %28
	Service Principal Names: %29

Additional Information:
	Privileges: %9

Fields #

Name	Description	Rules
`ComputerAccountChange`
`TargetUserName`	The name of the computer account that was changed.
`TargetDomainName`	Domain name of changed computer account.
`TargetSid`	SID of changed computer account.
`SubjectUserSid`	SID of account that requested the "change Computer object" operation.
`SubjectUserName`	The name of the account that requested the "change Computer object" operation.	4 detection rules
`SubjectDomainName`	Subject's domain name.
`SubjectLogonId`	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList`	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-".
`SamAccountName`	Logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name).
`DisplayName`	It is a name displayed in the address book for a particular account (typically - user account). This is usually the combination of the user's first name, middle initial, and last name. For computer objects, it is optional, and typically is not set.
`UserPrincipalName`	Internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. For computer objects, it is optional, and typically is not set.
`HomeDirectory`	User's home directory. If homeDrive attribute is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form \Server\Share\Directory. For computer objects, it is optional, and typically is not set.
`HomePath`	Specifies the drive letter to which to map the UNC path specified by homeDirectory account's attribute. The drive letter must be specified in the form "DRIVE_LETTER:". For example - "H:". For computer objects, it is optional, and typically is not set.
`ScriptPath`	Specifies the path of the account's logon script. For computer objects, it is optional, and typically is not set.
`ProfilePath`	Specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. For computer objects, it is optional, and typically is not set.
`UserWorkstations`	Contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the sAMAccountName property of a computer object. For computer objects, it is optional, and typically is not set.
`PasswordLastSet`	Last time the account's password was modified. For example: 8/12/2015 11:41:39 AM. This value will be changed, for example, after manual computer account reset action or automatically every 30 days by default for computer objects.	2 detection rules
`AccountExpires`	The date when the account expires. For computer objects, it is optional, and typically is not set.
`PrimaryGroupId`	Relative Identifier (RID) of computer's object primary group.
`AllowedToDelegateTo` UnicodeString	The list of SPNs to which this account can present delegated credentials. Can be changed using Active Directory Users and Computers management console in Delegation tab of computer account. If the SPNs list on Delegation tab of a computer account was changed, you will see the new SPNs list in AllowedToDelegateTo field (note that you will see the new list instead of changes) of this event.	3 detection rules
`OldUacValue`	Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of userAccountControlattribute of computer object.
`NewUacValue`	Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account.
`UserAccountControl`	Shows the list of changes in userAccountControl attribute. You will see a line of text for each change. In the "User Account Control field text" column, you can see text that will be displayed in the User Account Controlfield in 4742 event.	7 detection rules
`UserParameters`	If you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer's account properties, then you will see \<value changed, but not displayed> in this field.
`SidHistory`	Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property.
`LogonHours`	Hours that the account is allowed to logon to the domain. For computer objects, it is optional, and typically is not set.
`DnsHostName`	Name of computer account as registered in DNS.
`ServicePrincipalNames`	The list of SPNs, registered for computer account. If the SPN list of a computer account changed, you will see the new SPN list in Service Principal Names field (note that you will see the new list instead of changes).	6 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4742,
    "version": 0,
    "level": 0,
    "task": 13825,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-28T01:00:57.5443661+00:00",
    "event_record_id": 6811,
    "correlation": {},
    "execution": {
      "process_id": 680,
      "thread_id": 5112
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ComputerAccountChange": "-",
    "TargetUserName": "TELEMETRY-W11-D$",
    "TargetDomainName": "cell-d",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1106",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1106",
    "SubjectUserName": "TELEMETRY-W11-D$",
    "SubjectDomainName": "cell-d",
    "SubjectLogonId": "0x282eb3",
    "PrivilegeList": "-",
    "SamAccountName": "-",
    "DisplayName": "-",
    "UserPrincipalName": "-",
    "HomeDirectory": "-",
    "HomePath": "-",
    "ScriptPath": "-",
    "ProfilePath": "-",
    "UserWorkstations": "-",
    "PasswordLastSet": "-",
    "AccountExpires": "-",
    "PrimaryGroupId": "-",
    "AllowedToDelegateTo": "-",
    "OldUacValue": "-",
    "NewUacValue": "-",
    "UserAccountControl": "-",
    "UserParameters": "-",
    "SidHistory": "-",
    "LogonHours": "-",
    "DnsHostName": "-",
    "ServicePrincipalNames": "\n\t\tHOST/telemetry-W11-d.cell-d.ludus.domain\n\t\tRestrictedKrbHost/telemetry-W11-d.cell-d.ludus.domain\n\t\tHOST/TELEMETRY-W11-D\n\t\tRestrictedKrbHost/TELEMETRY-W11-D\n\t\tTERMSRV/telemetry-W11-d.cell-d.ludus.domain\n\t\tTERMSRV/TELEMETRY-W11-D\n\t\tWSMAN/telemetry-W11-d.cell-d.ludus.domain\n\t\tWSMAN/telemetry-W11-d"
  },
  "message": "A computer account was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1106\r\n\tAccount Name:\t\tTELEMETRY-W11-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x282EB3\r\n\r\nComputer Account That Was Changed:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1106\r\n\tAccount Name:\t\tTELEMETRY-W11-D$\r\n\tAccount Domain:\t\tcell-d\r\n\r\nChanged Attributes:\r\n\tSAM Account Name:\t-\r\n\tDisplay Name:\t\t-\r\n\tUser Principal Name:\t-\r\n\tHome Directory:\t\t-\r\n\tHome Drive:\t\t-\r\n\tScript Path:\t\t-\r\n\tProfile Path:\t\t-\r\n\tUser Workstations:\t-\r\n\tPassword Last Set:\t-\r\n\tAccount Expires:\t\t-\r\n\tPrimary Group ID:\t-\r\n\tAllowedToDelegateTo:\t-\r\n\tOld UAC Value:\t\t-\r\n\tNew UAC Value:\t\t-\r\n\tUser Account Control:\t-\r\n\tUser Parameters:\t-\r\n\tSID History:\t\t-\r\n\tLogon Hours:\t\t-\r\n\tDNS Host Name:\t\t-\r\n\tService Principal Names:\t\r\n\t\tHOST/telemetry-W11-d.cell-d.ludus.domain\r\n\t\tRestrictedKrbHost/telemetry-W11-d.cell-d.ludus.domain\r\n\t\tHOST/TELEMETRY-W11-D\r\n\t\tRestrictedKrbHost/TELEMETRY-W11-D\r\n\t\tTERMSRV/telemetry-W11-d.cell-d.ludus.domain\r\n\t\tTERMSRV/TELEMETRY-W11-D\r\n\t\tWSMAN/telemetry-W11-d.cell-d.ludus.domain\r\n\t\tWSMAN/telemetry-W11-d\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}

Detection Patterns #

Domain Sid History Addition

3 rules

Splunk

Windows AD Cross Domain SID History Addition (source)

Dean Luxton

Windows AD Privileged Account SID History Addition (source)

Dean Luxton

Windows AD Same Domain SID History Addition (source)

Dean Luxton

Defense Impairment: Rogue Domain Controller

Security-Auditing Event ID 4742: A computer account was changed.OREvent ID 5136: A directory service object was modified.

1 rule

Sigma

Possible DC Shadow Attack (source)

Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah

Defense Impairment: Rogue Domain Controller

Security-Auditing Event ID 4624: An account was successfully logged on.ANDEvent ID 4742: A computer account was changed.

1 rule

Splunk

Windows AD Domain Controller Promotion (source)

Dean Luxton

Lateral Movement: Exploitation of Remote Services

Security-Auditing Event ID 4724: An attempt was made to reset an account's password.OREvent ID 4742: A computer account was changed.

1 rule

Sigma

Remote domain controller password reset (Zerologon) (source)

mdecrevoisier

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`ServicePrincipalNames`	contains	`gc/`	2 rules	sigma
`UserAccountControl`	eq	`%%2093`	2 rules	sigma
`UserAccountControl`	eq	`%%2098`	2 rules	sigma
`AttributeLDAPDisplayName`	eq	`serviceprincipalname`	1 rule	elastic, kusto, sigma, splunk
`AttributeValue`	starts_with	`GC/`	1 rule	sigma
`Computer`	eq	`%domain_controllers%`	1 rule	sigma
`SubjectUserName`	eq	`ANONYMOUS LOGON`	1 rule	sigma, splunk
`TargetUserName`	ends_with	`$`	1 rule	kusto, sigma
`match`	is_not_null		1 rule	splunk
`user.id`	starts_with	`S-1-12-1-`	1 rule	elastic
`user.id`	starts_with	`S-1-5-21-`	1 rule	elastic

Detection Rules #

Windows Increase in User Modification Activity (source)

Sigma # view in coverage

Host set with constrained delegation source high: Detects scenarios where an attacker modifies host delegation settings for privilege escalation.
Host set with unconstrained delegation source high: Detects scenarios where an attacker modifies host delegation settings for privilege escalation.
Host constrained delegation settings changed for potential abuse (Rubeus) - Any protocol source high: Detects scenarios where an attacker modifies host delegation settings for privilege escalation.

Show 4 more (7 total)

Host constrained delegation settings changed for potential abuse (Rubeus) - Kerberos only source high: Detects scenarios where an attacker modifies host delegation settings for privilege escalation.
Host unconstrained delegation settings changed for potential abuse (Rubeus) source high: Detects scenarios where an attacker modifies host delegation settings for privilege escalation.
Suspicious modification of a fake domain controller SPN (DCshadow) source high: Detects scenarios where an attacker updates the Service Principal Name (SPN) of a fake domain controller account in order to perform DCshadow attack.
Suspicious modification of a computer account SPN source high: Detects scenarios where an attacker update the Service Principal Name (SPN) of a computer account in order to perform "Kerberos redirection" and escalate privileges.

Elastic # view in coverage

Remote Computer Account DnsHostName Update source high: Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.

Splunk # view in coverage

Detect Computer Changed with Anonymous Account source: The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) with a SubjectUserName of a value "ANONYMOUS LOGON". This activity can be significant…
Windows Computer Account Changed to Domain Controller source: Detects a modification to the User Account Control flags for a computer account where the SERVER_TRUST_ACCOUNT flag is set. This flag is normally associated with domain controller computer accounts. This activity may indicate a…
ZeroLogon CVE-2020-1472 (Windows Event Log) source: The vulnerability allows an attacker to set a password for the computer account of an Active Directory Domain Controller, which can then be abused to pull credentials from the Domain Controller

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4742
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-computer-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4742
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4742.yml

Event ID 4743: A computer account was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Computer Account Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time a computer object is deleted. This event generates only on domain controllers.

Message #

A computer account was deleted.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Target Computer:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName`	The name of the computer account that was deleted. For example: WIN81$.
`TargetDomainName`	Domain name of deleted computer account.
`TargetSid`	SID of deleted computer account.
`SubjectUserSid`	SID of account that requested the "delete Computer object" operation.
`SubjectUserName`	The name of the account that requested the "delete Computer object" operation.
`SubjectDomainName`	Subject's domain name.
`SubjectLogonId`	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList`	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-".

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4743,
    "version": 0,
    "level": 0,
    "task": 13825,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2020-07-12T19:36:44.227880Z",
    "event_record_id": 16334944,
    "correlation": {},
    "execution": {
      "process_id": 528,
      "thread_id": 3156
    },
    "channel": "Security",
    "computer": "rootdc1.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "YOURPC$",
    "TargetDomainName": "OFFSEC",
    "TargetSid": "S-1-5-21-4230534742-2542757381-3142984815-1167",
    "SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1158",
    "SubjectUserName": "lambda-user",
    "SubjectDomainName": "OFFSEC",
    "SubjectLogonId": "0x87e482b",
    "PrivilegeList": "-"
  }
}

Detection Patterns #

1 rule

Splunk

Dean Luxton

Defense Impairment: Rogue Domain Controller

Security-Auditing Event ID 4741: A computer account was created.OREvent ID 4743: A computer account was deleted.

1 rule

Sigma

Add or Remove Computer from DC (source)

frack113

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-computer-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4743
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4743.yml

Event ID 4744: A security-disabled local group was created.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Distribution Group Management
Collection Priority: Low (Splunk-UBA, others)
Opcode: Info

Description

Event 4744 is the same as 4749, except it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Message #

A security-disabled local group was created.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

New Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Attributes:
	SAM Account Name: %9
	SID History: %10

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the group that was created.
`TargetDomainName` UnicodeString	[New Group] Group Domain.
`TargetSid` SID	SID of created group.
`SubjectUserSid` SID	SID of account that requested the "create group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "create group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`SamAccountName` UnicodeString	This is a name of new group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName attribute of new group object. For example: ServiceDesk.
`SidHistory` UnicodeString	Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4744,
    "version": 0,
    "level": 0,
    "task": 13827,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-30T14:07:43.9070682+00:00",
    "event_record_id": 23552272,
    "correlation": {},
    "execution": {
      "process_id": 868,
      "thread_id": 3620
    },
    "channel": "Security",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "SAA-LocalDist-140743",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1389",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xaf6fd24",
    "PrivilegeList": "-",
    "SamAccountName": "SAA-LocalDist-140743",
    "SidHistory": "-"
  },
  "message": "A security-disabled local group was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tludus\r\n\tLogon ID:\t\t0xAF6FD24\r\n\r\nNew Group:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1389\r\n\tGroup Name:\t\tSAA-LocalDist-140743\r\n\tGroup Domain:\t\tludus\r\n\r\nAttributes:\r\n\tSAM Account Name:\tSAA-LocalDist-140743\r\n\tSID History:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}

Detection Patterns #

Persistence: Domain Account

1 rule

Splunk

Brandon Sternfield, Optiv + ClearShark

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4744
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4744
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4744.yml

Event ID 4745: A security-disabled local group was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Distribution Group Management
Collection Priority: Low (Splunk-UBA, others)
Opcode: Info

Description

Event 4745 is the same as 4750, except it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Message #

A security-disabled local group was changed.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Changed Attributes:
	SAM Account Name: %9
	SID History: %10

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the group that was changed. For example: ServiceDesk.
`TargetDomainName` UnicodeString	[Group] Group Domain.
`TargetSid` SID	SID of changed group.
`SubjectUserSid` SID	SID of account that requested the "change group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "change group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`SamAccountName` UnicodeString	This is a new name of changed group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). For example: ServiceDesk.
`SidHistory` UnicodeString	Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4745
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4745
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4745.yml

Event ID 4746: A member was added to a security-disabled local group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Distribution Group Management
Collection Priority: Low (Splunk-UBA, others)
Opcode: Info

Description

Event 4746 is the same as 4751, except it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Message #

A member was added to a security-disabled local group.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Member:
	Security ID: %2
	Account Name: %1

Group:
	Security ID: %5
	Group Name: %3
	Group Domain: %4

Additional Information:
	Privileges: %10

Fields #

Name	Description
`MemberName` UnicodeString	Distinguished name of account that was added to the group. For example: "CN=Auditor,CN=Users,DC=contoso,DC=local". For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "-".
`MemberSid` SID	SID of account that was added to the group.
`TargetUserName` UnicodeString	The name of the group to which new member was added. For example: ServiceDesk.
`TargetDomainName` UnicodeString	Domain name of the group to which new member was added.
`TargetSid` SID	SID of the group to which new member was added.
`SubjectUserSid` SID	SID of account that requested the "add member to the group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "add member to the group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`MembershipExpirationTime` FILETIME	Expiration time.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4746
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4746
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4746.yml

Event ID 4747: A member was removed from a security-disabled local group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Distribution Group Management
Collection Priority: Low (Splunk-UBA, others)
Opcode: Info

Description

Event 4747 is the same as 4752, except it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Message #

A member was removed from a security-disabled local group.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Member:
	Security ID: %2
	Account Name: %1

Group:
	Security ID: %5
	Group Name: %3
	Group Domain: %4

Additional Information:
	Privileges: %10

Fields #

Name	Description
`MemberName` UnicodeString	Distinguished name of account that was removed from the group. For example: "CN=Auditor,CN=Users,DC=contoso,DC=local". For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "-".
`MemberSid` SID	SID of account that was removed from the group.
`TargetUserName` UnicodeString	The name of the group from which the member was removed. For example: ServiceDesk.
`TargetDomainName` UnicodeString	Domain name of the group from which the member was removed.
`TargetSid` SID	SID of the group from which the member was removed.
`SubjectUserSid` SID	SID of account that requested the "remove member from the group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "remove member from the group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4747
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4747
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4747.yml

Event ID 4748: A security-disabled local group was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Distribution Group Management
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

Event 4748 is the same as 4753, except it is generated for a local distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Message #

A security-disabled local group was deleted.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the group that was deleted.
`TargetDomainName` UnicodeString	[Group] Group Domain.
`TargetSid` SID	SID of deleted group.
`SubjectUserSid` SID	SID of account that requested the "delete group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "delete group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4748
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4748
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4748.yml

Event ID 4749: A security-disabled global group was created.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Distribution Group Management
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

This event generates every time a new security-disabled (distribution) global group was created. This event generates only on domain controllers.

Message #

A security-disabled global group was created.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Attributes:
	SAM Account Name: %9
	SID History: %10

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the group that was created.
`TargetDomainName` UnicodeString	[Group] Group Domain.
`TargetSid` SID	SID of created group.
`SubjectUserSid` SID	SID of account that requested the "create group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "create group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`SamAccountName` UnicodeString	This is a name of new group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName attribute of new group object. For example: ServiceDesk.
`SidHistory` UnicodeString	Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4749,
    "version": 0,
    "level": 0,
    "task": 13827,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:16:04.301935+00:00",
    "event_record_id": 16239926,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 6292
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "evtgen_distro",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1121",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xa981e",
    "PrivilegeList": "-",
    "SamAccountName": "evtgen_distro",
    "SidHistory": "-"
  },
  "message": ""
}

Detection Patterns #

Persistence: Domain Account

1 rule

Splunk

Group created then added to built in domain local or global group (source)

Brandon Sternfield, Optiv + ClearShark

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4749
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4749
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4749.yml

Event ID 4750: A security-disabled global group was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Distribution Group Management
Collection Priority: Low (Splunk-UBA, others)
Opcode: Info

Description

This event generates every time security-disabled (distribution) global group is changed.This event generates only on domain controllers.

Message #

A security-disabled global group was changed.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Changed Attributes:
	SAM Account Name: %9
	SID History: %10

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the group that was changed. For example: ServiceDesk.
`TargetDomainName` UnicodeString	[Group] Group Domain.
`TargetSid` SID	SID of changed group.
`SubjectUserSid` SID	SID of account that requested the "change group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "change group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`SamAccountName` UnicodeString	This is a new name of changed group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). For example: ServiceDesk.
`SidHistory` UnicodeString	Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4750,
    "version": 0,
    "level": 0,
    "task": 13827,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:06:45.668811+00:00",
    "event_record_id": 16619490,
    "correlation": {},
    "execution": {
      "process_id": 936,
      "thread_id": 7768
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "TestAuditGroup_Distribution",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1287",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xbefec",
    "PrivilegeList": "-",
    "SamAccountName": "-",
    "SidHistory": "-"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4750
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4750
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4750.yml

Event ID 4751: A member was added to a security-disabled global group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Distribution Group Management
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

This event generates every time a new member was added to a security-disabled (distribution) global group. This event generates only on domain controllers. For every added member you will get separate 4751 event. You will typically see "4750: A security-disabled global group was changed." event without any changes in it prior to 4751 event.

Message #

A member was added to a security-disabled global group.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Member:
	Security ID: %2
	Account Name: %1

Group:
	Security ID: %5
	Group Name: %3
	Group Domain: %4

Additional Information:
	Privileges: %10

Fields #

Name	Description
`MemberName` UnicodeString	Distinguished name of account that was added to the group. For example: "CN=Auditor,CN=Users,DC=contoso,DC=local". For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "-".
`MemberSid` SID	SID of account that was added to the group.
`TargetUserName` UnicodeString	The name of the group to which new member was added. For example: ServiceDesk.
`TargetDomainName` UnicodeString	Domain name of the group to which new member was added.
`TargetSid` SID	SID of the group to which new member was added.
`SubjectUserSid` SID	SID of account that requested the "add member to the group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "add member to the group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`MembershipExpirationTime` FILETIME	Expiration time.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4751,
    "version": 0,
    "level": 0,
    "task": 13827,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:06:45.668821+00:00",
    "event_record_id": 16619491,
    "correlation": {},
    "execution": {
      "process_id": 936,
      "thread_id": 7768
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "MemberName": "CN=testaudit1,CN=Users,DC=ludus,DC=domain",
    "MemberSid": "S-1-5-21-1006758700-2167138679-1475694448-1290",
    "TargetUserName": "TestAuditGroup_Distribution",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1287",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xbefec",
    "PrivilegeList": "-"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4751
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4751
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4751.yml

Event ID 4752: A member was removed from a security-disabled global group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Distribution Group Management
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

This event generates every time member was removed from the security-disabled (distribution) global group. This event generates only on domain controllers. For every removed member you will get separate 4752 event.

Message #

A member was removed from a security-disabled global group.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Member:
	Security ID: %2
	Account Name: %1

Group:
	Security ID: %5
	Group Name: %3
	Group Domain: %4

Additional Information:
	Privileges: %10

Fields #

Name	Description
`MemberName` UnicodeString	Distinguished name of account that was removed from the group. For example: "CN=Auditor,CN=Users,DC=contoso,DC=local". For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "-".
`MemberSid` SID	SID of account that was removed from the group.
`TargetUserName` UnicodeString	The name of the group from which the member was removed. For example: ServiceDesk.
`TargetDomainName` UnicodeString	Domain name of the group from which the member was removed.
`TargetSid` SID	SID of the group from which the member was removed.
`SubjectUserSid` SID	SID of account that requested the "remove member from the group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "remove member from the group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4752,
    "version": 0,
    "level": 0,
    "task": 13827,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:06:46.319360+00:00",
    "event_record_id": 16619502,
    "correlation": {},
    "execution": {
      "process_id": 936,
      "thread_id": 3104
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "MemberName": "CN=testaudit1,CN=Users,DC=ludus,DC=domain",
    "MemberSid": "S-1-5-21-1006758700-2167138679-1475694448-1290",
    "TargetUserName": "TestAuditGroup_Distribution",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1287",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xbefec",
    "PrivilegeList": "-"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4752
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4752
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4752.yml

Event ID 4753: A security-disabled global group was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Distribution Group Management
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

This event generates every time security-disabled (distribution) global group is deleted. This event generates only on domain controllers.

Message #

A security-disabled global group was deleted.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the group that was deleted.
`TargetDomainName` UnicodeString	[Group] Group Domain.
`TargetSid` SID	SID of deleted group.
`SubjectUserSid` SID	SID of account that requested the "delete group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "delete group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4753,
    "version": 0,
    "level": 0,
    "task": 13827,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:24:00.966756+00:00",
    "event_record_id": 16290238,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 7132
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "TestDistGroup",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1132",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xa981e",
    "PrivilegeList": "-"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4753
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4753
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4753.yml

Event ID 4754: A security-enabled universal group was created.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Security Group Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Event 4754 is the same as 4731, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4754(S) generates only for domain groups, so the Local sections in event 4731 do not apply.

Message #

A security-enabled universal group was created.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Attributes:
	SAM Account Name: %9
	SID History: %10

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the group that was created.
`TargetDomainName` UnicodeString	Domain or computer name of the created group.
`TargetSid` SID	[Group] Security ID.
`SubjectUserSid` SID	SID of account that requested the "create group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "create group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`SamAccountName` UnicodeString	This is a name of new group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName attribute of new group object. For example: ServiceDesk. For local groups it is simply a name of new group.
`SidHistory` UnicodeString	Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the value of sIDHistory attribute of new group object. This parameter might not be captured in the event, and in that case appears as "-". For local groups it is not applicable and always has "-" value.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4754,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:16:04.236865+00:00",
    "event_record_id": 16239922,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 1756
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "evtgen_universal",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1120",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xa981e",
    "PrivilegeList": "-",
    "SamAccountName": "evtgen_universal",
    "SidHistory": "-"
  },
  "message": ""
}

Detection Patterns #

1 rule

Kusto

Microsoft Security Research

Persistence: Domain Account

1 rule

Splunk

Brandon Sternfield, Optiv + ClearShark

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TargetSid`	regex_match	`S-1-5-21-[0-9]-[0-9]-[0-9]-5[0-9][0-9]$\|S-1-5-21-[0-9]-[0-9]-[0-9]-1102$\|S-1-5-21-[0-9]-[0-9]-[0-9]-1103$\|S-1-5-21-[0-9]-[0-9]-[0-9]-498$\|S-1-5-21-[0-9]-[0-9]-[0-9]*-1000$`	1 rule	kusto
`TargetSid`	regex_match	`S-1-5-32-5[0-9][0-9]$`	1 rule	kusto

Detection Rules #

Sigma # view in coverage

Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity source high: Detects any creation or modification to a windows domain group with the name "ESX Admins". This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.↳ also matches Event ID 4727: A security-enabled global group was created., Event ID 4728: A member was added to a security-enabled global group., Event ID 4731: A security-enabled local group was created., Event ID 4737: A security-enabled global group was changed., Event ID 4755: A security-enabled universal group was changed., Event ID 4756: A member was added to a security-enabled universal group.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4754
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4754
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4754.yml

Event ID 4755: A security-enabled universal group was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Security Group Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Event 4737 is the same as 4735, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4755(S) generates only for domain groups, so the Local sections in event 4735 do not apply.

Message #

A security-enabled universal group was changed.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Changed Attributes:
	SAM Account Name: %9
	SID History: %10

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the group that was changed. For example: ServiceDesk.
`TargetDomainName` UnicodeString	[Group] Group Domain.
`TargetSid` SID	[Group] Security ID.
`SubjectUserSid` SID	SID of account that requested the "change group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "change group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`SamAccountName` UnicodeString	This is a new name of changed group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). For example: ServiceDesk. For local groups it is simply a new name of the group, if it was changed.
`SidHistory` UnicodeString	Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property. For local groups it is not applicable and always has "-" value.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4755,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:16:04.432295+00:00",
    "event_record_id": 16239937,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 6292
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "evtgen_universal",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1120",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xa981e",
    "PrivilegeList": "-",
    "SamAccountName": "-",
    "SidHistory": "-"
  },
  "message": ""
}

Detection Rules #

High risk Active Directory group membership change (source)

Sigma # view in coverage

Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity source high: Detects any creation or modification to a windows domain group with the name "ESX Admins". This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.↳ also matches Event ID 4727: A security-enabled global group was created., Event ID 4728: A member was added to a security-enabled global group., Event ID 4731: A security-enabled local group was created., Event ID 4737: A security-enabled global group was changed., Event ID 4754: A security-enabled universal group was created., Event ID 4756: A member was added to a security-enabled universal group.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4755
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4755
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4755.yml

Event ID 4756: A member was added to a security-enabled universal group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Security Group Management
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

Event 4756 is the same as 4732, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4756(S) generates only for domain groups, so the Local sections in event 4732 do not apply.

Message #

A member was added to a security-enabled universal group.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Member:
	Security ID: %2
	Account Name: %1

Group:
	Security ID: %5
	Account Name: %3
	Account Domain: %4

Additional Information:
	Privileges: %10

Fields #

Name	Description
`MemberName`	Distinguished name (DN) of the account added to the group. "-" for local groups even when the member is a domain account.
`MemberSid`	SID of account that was added to the group.
`TargetUserName`	The name of the group to which new member was added.
`TargetDomainName`	Domain or computer name of the group to which the new member was added.
`TargetSid`	SID of the group to which new member was added.
`SubjectUserSid`	SID of account that requested the "add member to the group" operation.
`SubjectUserName`	The name of the account that requested the "add member to the group" operation.
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList`	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-".
`MembershipExpirationTime`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4756,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-28T00:51:32.5934865+00:00",
    "event_record_id": 6342,
    "correlation": {},
    "execution": {
      "process_id": 680,
      "thread_id": 3712
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "MemberName": "CN=domainadmin,CN=Users,DC=cell-d,DC=ludus,DC=domain",
    "MemberSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "TargetUserName": "Schema Admins",
    "TargetDomainName": "cell-d",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-518",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1000",
    "SubjectUserName": "localuser",
    "SubjectDomainName": "cell-d",
    "SubjectLogonId": "0xa30bd",
    "PrivilegeList": "-"
  },
  "message": "A member was added to a security-enabled universal group.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1000\r\n\tAccount Name:\t\tlocaluser\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0xA30BD\r\n\r\nMember:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tCN=domainadmin,CN=Users,DC=cell-d,DC=ludus,DC=domain\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-518\r\n\tAccount Name:\t\tSchema Admins\r\n\tAccount Domain:\t\tcell-d\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}

Detection Patterns #

14 rules

Sigma

mdecrevoisier

Medium risk Active Directory group membership change (source)

mdecrevoisier

Show 7 more (10 total) on the rules page

mdecrevoisier

Elastic

User Added to Privileged Group in Active Directory (source)

Elastic, Skoetting

Kusto

Group created then added to built in domain local or global group (source)

Microsoft Security Research

Account added and removed from privileged groups (source)

Microsoft Security Research

User account added to built in domain local or global group (source)

Microsoft Security Research

13 rules

Sigma

High risk Active Directory group membership change (source)

mdecrevoisier

Medium risk Active Directory group membership change (source)

mdecrevoisier

mdecrevoisier

User Added to Privileged Group in Active Directory (source)

Elastic

Elastic, Skoetting

Kusto

Group created then added to built in domain local or global group (source)

Microsoft Security Research

Account added and removed from privileged groups (source)

Microsoft Security Research

User account added to built in domain local or global group (source)

Microsoft Security Research

13 rules

Sigma

High risk Active Directory group membership change (source)

mdecrevoisier

Medium risk Active Directory group membership change (source)

mdecrevoisier

mdecrevoisier

User Added to Privileged Group in Active Directory (source)

Elastic

Elastic, Skoetting

Kusto

Group created then added to built in domain local or global group (source)

Microsoft Security Research

Account added and removed from privileged groups (source)

Microsoft Security Research

User account added to built in domain local or global group (source)

Microsoft Security Research

Persistence: Account Manipulation

Security-Auditing Event ID 4728: A member was added to a security-enabled global group.OREvent ID 4756: A member was added to a security-enabled universal group.

13 rules

Sigma

High risk Active Directory group membership change (source)

mdecrevoisier

Medium risk Active Directory group membership change (source)

mdecrevoisier

mdecrevoisier

User Added to Privileged Group in Active Directory (source)

Elastic

Elastic, Skoetting

Kusto

Group created then added to built in domain local or global group (source)

Microsoft Security Research

Account added and removed from privileged groups (source)

Microsoft Security Research

User account added to built in domain local or global group (source)

Microsoft Security Research

Persistence: Domain Account

1 rule

Splunk

Brandon Sternfield, Optiv + ClearShark

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TargetSid`	ends_with	`-520`	2 rules	sigma
`TargetSid`	regex_match	`S-1-5-21-[0-9]-[0-9]-[0-9]-5[0-9][0-9]$\|S-1-5-21-[0-9]-[0-9]-[0-9]-1102$\|S-1-5-21-[0-9]-[0-9]-[0-9]-1103$\|S-1-5-21-[0-9]-[0-9]-[0-9]-498$\|S-1-5-21-[0-9]-[0-9]-[0-9]*-1000$`	3 rules	kusto
`TargetSid`	regex_match	`S-1-5-32-5[0-9][0-9]$`	3 rules	kusto
`TargetSid`	starts_with	`S-1-5-21-`	2 rules	sigma
`AccountType`	eq	`User`	2 rules	kusto
`TargetUserName`	eq	`DnsAdmins`	1 rule	sigma, splunk

Community Notes #

May capture cross-domain privilege escalation in a multi-forest trust.

Detection Rules #

Account added and removed from privileged groups (source)

Sigma # view in coverage

Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity source high: Detects any creation or modification to a windows domain group with the name "ESX Admins". This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.↳ also matches Event ID 4727: A security-enabled global group was created., Event ID 4728: A member was added to a security-enabled global group., Event ID 4731: A security-enabled local group was created., Event ID 4737: A security-enabled global group was changed., Event ID 4754: A security-enabled universal group was created., Event ID 4755: A security-enabled universal group was changed.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4756
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4756
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4756.yml

Event ID 4757: A member was removed from a security-enabled universal group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Security Group Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Event 4757 is the same as 4733, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4757(S) generates only for domain groups, so the Local sections in event 4733 do not apply.

Message #

A member was removed from a security-enabled universal group.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Member:
	Security ID: %2
	Account Name: %1

Group:
	Security ID: %5
	Group Name: %3
	Group Domain: %4

Additional Information:
	Privileges: %10

Fields #

Name	Description
`MemberName` UnicodeString	Distinguished name (DN) of the account removed from the group. "-" for local groups even when the member is a domain account.
`MemberSid` SID	SID of account that was removed from the group.
`TargetUserName` UnicodeString	The name of the group from which the member was removed. For example: ServiceDesk.
`TargetDomainName` UnicodeString	Domain or computer name of the group from which the member was removed.
`TargetSid` SID	SID of the group from which the member was removed.
`SubjectUserSid` SID	SID of account that requested the "remove member from the group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "remove member from the group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4757,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-30T14:07:43.8693306+00:00",
    "event_record_id": 23552269,
    "correlation": {},
    "execution": {
      "process_id": 868,
      "thread_id": 4912
    },
    "channel": "Security",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "MemberName": "CN=saa-mem-140743,OU=SecAuditAD-Test,DC=ludus,DC=domain",
    "MemberSid": "S-1-5-21-1006758700-2167138679-1475694448-1388",
    "TargetUserName": "SAA-UniSec-140743",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1387",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xaf6fd24",
    "PrivilegeList": "-"
  },
  "message": "A member was removed from a security-enabled universal group.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tludus\r\n\tLogon ID:\t\t0xAF6FD24\r\n\r\nMember:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1388\r\n\tAccount Name:\t\tCN=saa-mem-140743,OU=SecAuditAD-Test,DC=ludus,DC=domain\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1387\r\n\tGroup Name:\t\tSAA-UniSec-140743\r\n\tGroup Domain:\t\tludus\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}

Detection Patterns #

1 rule

Kusto

Microsoft Security Research

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4757
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4757
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4757.yml

Event ID 4758: A security-enabled universal group was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Security Group Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Event 4758 is the same as 4734, but it is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. Event 4758(S) generates only for domain groups, so the Local sections in event 4734 do not apply.

Message #

A security-enabled universal group was deleted.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the group that was deleted. For example: ServiceDesk.
`TargetDomainName` UnicodeString	Domain or computer name of the deleted group.
`TargetSid` SID	SID of deleted group.
`SubjectUserSid` SID	SID of account that requested the "delete group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "delete group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4758,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:16:14.194447+00:00",
    "event_record_id": 16240252,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 6288
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "evtgen_universal",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1120",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xa981e",
    "PrivilegeList": "-"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4758
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4758
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4758.yml

Event ID 4759: A security-disabled universal group was created.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Distribution Group Management
Collection Priority: Low (Splunk-UBA, others)
Opcode: Info

Description

Event 4759 is the same as 4749, except it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Message #

A security-disabled universal group was created.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Attributes:
	SAM Account Name: %9
	SID History: %10

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the group that was created.
`TargetDomainName` UnicodeString	[Group] Group Domain.
`TargetSid` SID	SID of created group.
`SubjectUserSid` SID	SID of account that requested the "create group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "create group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`SamAccountName` UnicodeString	This is a name of new group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName attribute of new group object. For example: ServiceDesk.
`SidHistory` UnicodeString	Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4759,
    "version": 0,
    "level": 0,
    "task": 13827,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-30T14:07:43.9472572+00:00",
    "event_record_id": 23552281,
    "correlation": {},
    "execution": {
      "process_id": 868,
      "thread_id": 3620
    },
    "channel": "Security",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "SAA-UniDist-140743",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1390",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xaf6fd24",
    "PrivilegeList": "-",
    "SamAccountName": "SAA-UniDist-140743",
    "SidHistory": "-"
  },
  "message": "A security-disabled universal group was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tludus\r\n\tLogon ID:\t\t0xAF6FD24\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1390\r\n\tGroup Name:\t\tSAA-UniDist-140743\r\n\tGroup Domain:\t\tludus\r\n\r\nAttributes:\r\n\tSAM Account Name:\tSAA-UniDist-140743\r\n\tSID History:\t\t-\r\n\r\nAdditional Information:\r\n\tPrivileges:\t\t-"
}

Detection Patterns #

Persistence: Domain Account

1 rule

Splunk

Windows Increase in Group or Object Modification Activity (source)

Brandon Sternfield, Optiv + ClearShark

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4759
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4759
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4759.yml

Event ID 4760: A security-disabled universal group was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Distribution Group Management
Collection Priority: Low (Splunk-UBA, others)
Opcode: Info

Description

Event 4760 is the same as 4750, except it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Message #

A security-disabled universal group was changed.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Changed Attributes:
	SAM Account Name: %9
	SID History: %10

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the group that was changed. For example: ServiceDesk.
`TargetDomainName` UnicodeString	[Group] Group Domain.
`TargetSid` SID	SID of changed group.
`SubjectUserSid` SID	SID of account that requested the "change group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "change group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`SamAccountName` UnicodeString	This is a new name of changed group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). For example: ServiceDesk.
`SidHistory` UnicodeString	Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the sIDHistory property.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4760
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4760
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4760.yml

Event ID 4761: A member was added to a security-disabled universal group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Distribution Group Management
Collection Priority: Low (Splunk-UBA, others)
Opcode: Info

Description

Event 4761 is the same as 4751, except it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Message #

A member was added to a security-disabled universal group.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Member:
	Security ID: %2
	Account Name: %1

Group:
	Security ID: %5
	Group Name: %3
	Group Domain: %4

Additional Information:
	Privileges: %10

Fields #

Name	Description
`MemberName` UnicodeString	Distinguished name of account that was added to the group. For example: "CN=Auditor,CN=Users,DC=contoso,DC=local". For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "-".
`MemberSid` SID	SID of account that was added to the group.
`TargetUserName` UnicodeString	The name of the group to which new member was added. For example: ServiceDesk.
`TargetDomainName` UnicodeString	Domain name of the group to which new member was added.
`TargetSid` SID	SID of the group to which new member was added.
`SubjectUserSid` SID	SID of account that requested the "add member to the group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "add member to the group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference
`MembershipExpirationTime` FILETIME	Expiration time.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4761
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4761
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4761.yml

Event ID 4762: A member was removed from a security-disabled universal group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Distribution Group Management
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

Event 4762 is the same as 4752, except it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Message #

A member was removed from a security-disabled universal group.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Member:
	Security ID: %2
	Account Name: %1

Group:
	Security ID: %5
	Group Name: %3
	Group Domain: %4

Additional Information:
	Privileges: %10

Fields #

Name	Description
`MemberName` UnicodeString	Distinguished name of account that was removed from the group. For example: "CN=Auditor,CN=Users,DC=contoso,DC=local". For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "-".
`MemberSid` SID	SID of account that was removed from the group.
`TargetUserName` UnicodeString	The name of the group from which the member was removed. For example: ServiceDesk.
`TargetDomainName` UnicodeString	Domain name of the group from which the member was removed.
`TargetSid` SID	SID of the group from which the member was removed.
`SubjectUserSid` SID	SID of account that requested the "remove member from the group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "remove member from the group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4762
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4762
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4762.yml

Event ID 4763: A security-disabled universal group was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Distribution Group Management
Collection Priority: Low (Splunk-UBA)
Opcode: Info

Description

Event 4763 is the same as 4753, except it is generated for a universal distribution group instead of a global distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.

Message #

A security-disabled universal group was deleted.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the group that was deleted.
`TargetDomainName` UnicodeString	[Group] Group Domain.
`TargetSid` SID	SID of deleted group.
`SubjectUserSid` SID	SID of account that requested the "delete group" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "delete group" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4763
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4763
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4763.yml

Event ID 4764: A group’s type was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Security Group Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time group's type is changed. This event generates for both security and distribution groups. This event generates only on domain controllers.

Message #

A group?s type was changed.

Subject:
	Security ID: %5
	Account Name: %6
	Account Domain: %7
	Logon ID: %8

Change Type: %1

Group:
	Security ID: %4
	Group Name: %2
	Group Domain: %3

Additional Information:
	Privileges: %9

Fields #

Name	Description
`GroupTypeChange` UnicodeString	Contains three parts: " Changed To .". They cannot have the same value at the same time.
`TargetUserName` UnicodeString	The name of the group, which type was changed. For example: ServiceDesk.
`TargetDomainName` UnicodeString	Domain or computer name of the changed group.
`TargetSid` SID	SID of changed group.
`SubjectUserSid` SID	SID of account that requested the "change group type" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "change group type" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4764,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:16:10.897820+00:00",
    "event_record_id": 16240135,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 6288
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "GroupTypeChange": "Security Disabled Global Group Changed to Security Enabled Global Group.",
    "TargetUserName": "evtgen_distro",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1121",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xa981e",
    "PrivilegeList": "-"
  },
  "message": ""
}

Detection Patterns #

1 rule

Splunk

Dean Luxton

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4764
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4764
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4764.yml

Event ID 4765: SID History was added to an account.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

SID History was added to an account.

Message #

SID History was added to an account.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Target Account:
	Security ID: %5
	Account Name: %3
	Account Domain: %4

Source Account:
	Security ID: %2
	Account Name: %1

Additional Information:
	Privileges: %10
	SID List: %11

Fields #

Name	Description
`SourceUserName`
`SourceSid`
`TargetUserName`
`TargetDomainName`
`TargetSid`
`SubjectUserSid`
`SubjectUserName`
`SubjectDomainName`
`SubjectLogonId`
`PrivilegeList`
`SidList`	[Additional Information] SID List.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4765,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2017-06-12T23:39:43.512986Z",
    "event_record_id": 8075,
    "correlation": {},
    "execution": {
      "process_id": 496,
      "thread_id": 1696
    },
    "channel": "Security",
    "computer": "2012r2srv.maincorp.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SourceUserName": "maincorp.local\\Domain Admins",
    "SourceSid": "S-1-5-21-2634088540-571122920-1382659128-512",
    "TargetUserName": "labuser",
    "TargetDomainName": "MAINCORP",
    "TargetSid": "S-1-5-21-2634088540-571122920-1382659128-1104",
    "SubjectUserSid": "S-1-5-21-2634088540-571122920-1382659128-500",
    "SubjectUserName": "Administrator",
    "SubjectDomainName": "MAINCORP",
    "SubjectLogonId": "0x432c8",
    "PrivilegeList": "-",
    "SidList": "-"
  }
}

Detection Patterns #

Stealth: SID-History Injection

Security-Auditing Event ID 4738: A user account was changed.OREvent ID 4765: SID History was added to an account.OREvent ID 4766: An attempt to add SID History to an account failed.

1 rule

Sigma

Addition of SID History to Active Directory Object (source)

Thomas Patzke, @atc_project (improvements)

Community Notes #

May indicate DCShadow or similar lateral movement attacks.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4765
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4765
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 4766: An attempt to add SID History to an account failed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

An attempt to add SID History to an account failed.

Message #

An attempt to add SID History to an account failed.

Subject:
	Security ID:
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Target Account:
	Security ID: %4
	Account Name: %2
	Account Domain: %3

Source Account
	Account Name: %1

Additional Information:
	Privileges: %8

Fields #

Name	Description
`SourceUserName` UnicodeString	[Target Account] Account Name
`TargetUserName` UnicodeString	[Target Account] Account Name
`TargetDomainName` UnicodeString	[Target Account] Account Domain
`TargetSid` UnicodeString	[Target Account] Security ID
`SubjectUserName` UnicodeString	[Security ID] Account Name
`SubjectDomainName` UnicodeString	[Security ID] Account Domain
`SubjectLogonId` UnicodeString	[Security ID] Logon ID
`PrivilegeList` UnicodeString	[Additional Information] Privileges Privilege constants reference

Detection Patterns #

Stealth: SID-History Injection

Security-Auditing Event ID 4738: A user account was changed.OREvent ID 4765: SID History was added to an account.OREvent ID 4766: An attempt to add SID History to an account failed.

1 rule

Sigma

Addition of SID History to Active Directory Object (source)

Thomas Patzke, @atc_project (improvements)

Community Notes #

May indicate DCShadow or similar lateral movement attacks.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4766
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4766

Event ID 4767: A user account was unlocked.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

This event generates every time a user account is unlocked. For user accounts, this event generates on domain controllers, member servers, and workstations.

Message #

A user account was unlocked.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Target Account:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Fields #

Name	Description
`TargetUserName` UnicodeString	[Target Account] Account Name.
`TargetDomainName` UnicodeString	[Target Account] Account Domain.
`TargetSid` SID	[Target Account] Security ID.
`SubjectUserSid` SID	SID of account that performed the unlock operation.
`SubjectUserName` UnicodeString	The name of the account that performed the unlock operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4767,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:16:10.398421+00:00",
    "event_record_id": 16240087,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 1756
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "evtgen_user3",
    "TargetDomainName": "ludus",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1115",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xa981e"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4767
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4767.yml

Event ID 4768: A Kerberos authentication ticket (TGT) was requested.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Logon → Kerberos Authentication Service
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). This event generates only on domain controllers. If TGT issue fails then you will see Failure event with Result Code field not equal to "0x0". This event doesn't generate for Result Codes: 0x10, 0x17 and 0x18. Event "4771: Kerberos pre-authentication failed." generates instead.

Message #

A Kerberos authentication ticket (TGT) was requested.

Account Information:
	Account Name: %1
	Supplied Realm Name: %2
	User ID: %3

Service Information:
	Service Name: %4
	Service ID: %5

Network Information:
	Client Address: %10
	Client Port: %11

Additional Information:
	Ticket Options: %6
	Result Code: %7
	Ticket Encryption Type: %8
	Pre-Authentication Type: %9

Certificate Information:
	Certificate Issuer Name: %12
	Certificate Serial Number: %13
	Certificate Thumbprint: %14

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

Fields #

Name	Description	Rules
`TargetUserName`	Name of the account for which the TGT was requested. Computer accounts end with $.	20 detection rules
`TargetDomainName`	Kerberos realm of the requesting account. May appear in various formats.
`TargetSid`	SID of the account for which the TGT was requested.
`ServiceName`	Service in the Kerberos realm to which the TGT request was sent. Typically krbtgt for TGT requests. For failure events, typically in the form krbtgt/REALM_NAME.	4 detection rules
`ServiceSid`	SID of the service account to which the TGT request was sent.	3 detection rules
`TicketOptions`	Ticket flags as a hexadecimal bitmask. Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired) `0x00800000` Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time) `0x00400000` Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange) `0x00200000` Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket) `0x00100000` Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested) `0x00010000` Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15; MS Learn event-4769 labels this as "Name canonicalize"; both 4769 and 4770 catalog samples set this bit, indicating the Windows client requested principal-name canonicalization and cross-realm referral support) `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate	5 detection rules
`Status`	Hexadecimal result code for the TGT issue operation. Known values `0x0` Success `0x1` KDC_ERR_NAME_EXP (Client entry expired) `0x6` KDC_ERR_C_PRINCIPAL_UNKNOWN (Client not found in database) `0x7` KDC_ERR_S_PRINCIPAL_UNKNOWN (Server not found in database) `0x9` KDC_ERR_NULL_KEY (No key for server) `0xc` KDC_ERR_POLICY (KDC policy rejects request) `0xd` KDC_ERR_BADOPTION (Requested option not available) `0x12` KDC_ERR_CLIENT_REVOKED (Client credentials revoked) `0x17` KDC_ERR_KEY_EXPIRED (Password has expired — change to reset) `0x18` KDC_ERR_PREAUTH_FAILED (Pre-authentication information was invalid) `0x19` KDC_ERR_PREAUTH_REQUIRED (Additional pre-authentication required) `0x1f` KRB_AP_ERR_MODIFIED (Message stream modified) `0x20` KDC_ERR_WRONG_REALM (Wrong realm) `0x25` KRB_AP_ERR_SKEW (Clock skew too great)	17 detection rules
`TicketEncryptionType`	Encryption type used for the issued TGT. Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified	4 detection rules
`PreAuthType`	Pre-authentication type used in the TGT request. Known values `0` None (logon without pre-authentication) `2` PA-ENC-TIMESTAMP (encrypted timestamp) `11` PA-ETYPE-INFO `15` PA-PK-AS-REP_OLD `16` PA-PK-AS-REQ (PKINIT / smart card) `17` PA-PK-AS-REP (PKINIT response) `19` PA-ETYPE-INFO2 `20` PA-SVR-REFERRAL-INFO `138` PA-ENCRYPTED-CHALLENGE	2 detection rules
`IpAddress`	IP address of the computer from which the TGT request was received.	10 detection rules
`IpPort`	Source port of the client connection for the TGT request.
`CertIssuerName`	Name of the CA that issued the smart card certificate.
`CertSerialNumber`	Serial number of the smart card certificate.
`CertThumbprint`	Thumbprint of the smart card certificate.	5 detection rules
`ResponseTicket`
`AccountSupportedEncryptionTypes`
`AccountAvailableKeys`
`ServiceSupportedEncryptionTypes`
`ServiceAvailableKeys`
`DCSupportedEncryptionTypes`
`DCAvailableKeys`
`ClientAdvertizedEncryptionTypes`
`SessionKeyEncryptionType`
`PreAuthEncryptionType`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4768,
    "version": 0,
    "level": 0,
    "task": 14339,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T13:54:35.6842605+00:00",
    "event_record_id": 1248113,
    "correlation": {},
    "execution": {
      "process_id": 760,
      "thread_id": 2572
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "domainuser",
    "TargetDomainName": "CELL-D.LUDUS.DOMAIN",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1104",
    "ServiceName": "krbtgt",
    "ServiceSid": "S-1-5-21-1006758700-2167138679-1475694448-502",
    "TicketOptions": "0x40810010",
    "Status": "0x0",
    "TicketEncryptionType": "0x12",
    "PreAuthType": "2",
    "IpAddress": "::ffff:10.1.50.21",
    "IpPort": "49929",
    "CertIssuerName": "",
    "CertSerialNumber": "",
    "CertThumbprint": ""
  },
  "message": "A Kerberos authentication ticket (TGT) was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tdomainuser\r\n\tSupplied Realm Name:\tCELL-D.LUDUS.DOMAIN\r\n\tUser ID:\t\t\tS-1-5-21-1006758700-2167138679-1475694448-1104\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt\r\n\tService ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-502\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:10.1.50.21\r\n\tClient Port:\t\t49929\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810010\r\n\tResult Code:\t\t0x0\r\n\tTicket Encryption Type:\t0x12\r\n\tPre-Authentication Type:\t2\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number:\t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120."
}

Detection Patterns #

Security-Auditing Event ID 4768: A Kerberos authentication ticket (TGT) was requested.→Event ID 4769: A Kerberos service ticket was requested.

2 rules

Sigma

Kerberos ticket without a trailing $ (CVE-2021-42278/42287) (source)

mdecrevoisier

Elastic

Suspicious Kerberos Authentication Ticket Request (source)

Security-Auditing Event ID 4768: A Kerberos authentication ticket (TGT) was requested.OREvent ID 4769: A Kerberos service ticket was requested.

2 rules

Sigma

Kerberos ticket without a trailing $ (CVE-2021-42278/42287) (source)

mdecrevoisier

Elastic

Suspicious Kerberos Authentication Ticket Request (source)

Unexisting Users

Security-Auditing Event ID 4768: A Kerberos authentication ticket (TGT) was requested.OREvent ID 4771: Kerberos pre-authentication failed.

2 rules

Sigma

Brutforce enumeration with unexisting users (Kerberos) (source)

mdecrevoisier

Kerberos enumeration with existing/unexisting users (Kerbrute) (source)

mdecrevoisier

Security-Auditing Event ID 4768: A Kerberos authentication ticket (TGT) was requested.ANDEvent ID 4887: Certificate Services approved a certificate request and issued a certificate.

1 rule

Splunk

Windows Steal Authentication Certificates - ESC1 Authentication (source)

Steven Dick

Stealth: Domain Accounts

Security-Auditing Event ID 4781: The name of an account was changed.→Event ID 4768: A Kerberos authentication ticket (TGT) was requested.

1 rule

Splunk

Suspicious Ticket Granting Ticket Request (source)

Mauricio Velazco, Splunk

Show All Detection Patterns

Credential Access: Exploitation for Credential Access

1 rule

Sigma

Active Directory honeypot used for lateral movement (source)

Florian Roth (Nextron Systems)

Lateral Movement: Remote Services

1 rule

Sigma

mdecrevoisier

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TargetUserName`	ends_with	`$`	2 rules	kusto, sigma
`TargetUserName`	eq	`*$`	2 rules	splunk
`TargetUserName`	ne	`*$`	6 rules	splunk
`Status`	eq	`0x6`	5 rules	sigma, splunk
`Status`	eq	`0`	4 rules	sigma
`Status`	eq	`0x12`	2 rules	splunk
`ServiceSid`	ends_with	`-502`	3 rules	sigma
`isOutlier`	eq	`1`	3 rules	splunk
`PreAuthType`	eq	`0`	2 rules	sigma
`TicketEncryptionType`	eq	`0x17`	2 rules	kusto, sigma, splunk
`unique_accounts`	gt	`30`	2 rules	splunk
`Attributes`	contains	`certificatetemplate:`	1 rule	splunk
`Attributes`	eq	`SAN:upn*`	1 rule	splunk
`DestinationPort`	eq	`88`	1 rule	elastic, sigma, splunk
`Image`	is_not_null		1 rule	elastic, kusto

Community Notes #

Kerberos TGT request (consider Pass-the-Ticket, Golden TGT attacks). Requests from a non-interactive source prior to 4769 may indicate ticket replay or Pass-the-Ticket staging.

Detection Rules #

Security-Auditing Event ID 4768: A Kerberos authentication ticket (TGT) was requested.→Event ID 4769: A Kerberos service ticket was requested.

Sigma # view in coverage

Potential AS-REP Roasting via Kerberos TGT Requests source medium: Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type (0x17) i.e, RC4-HMAC. This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.
PetitPotam Suspicious Kerberos TGT Request source high: Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.
Kerberos AS-REP Roasting ticket request detected source high: Detects scenarios where an attacker abuse an account with UAC settings set to "Accounts Does not Require Pre-Authentication" in order to perform offline TGT brutforce. May also be triggered by an attacker performing some Kerberos user enumration with tools like "Kerbrute".

Show 2 more (5 total)

Suspicious Kerberos proxiable/S4U2self ticket (CVE-2021-42278/42287) source high: Detects scenarios where an attacker attempts to request a proxiable ticket. This action may trigger while attempting to identify a vulnerable target or using some offsensive Kerberos tools like Kerbrute, Impacket...
Kerberos TGS ticket request related to a potential Golden ticket source high: Detects scenarios where an attacker request a potential Golden ticket. Findings returned by this rule may not confirm at 100% that a Golden ticket was generated and further investigations would be required to confirm it. Another indicator (in case of a lazy Golden ticket) to check would be to check if the TargetUserName refers to an existing user in the domain.

Splunk # view in coverage

Kerberos TGT Request Using RC4 Encryption source: The following analytic detects a Kerberos Ticket Granting Ticket (TGT) request using RC4-HMAC encryption (type 0x17) by leveraging Event 4768. This encryption type is outdated and its presence may indicate an OverPass The Hash attack.…
Kerberos User Enumeration source: The following analytic detects an unusual number of Kerberos Ticket Granting Ticket (TGT) requests for non-existing users from a single source endpoint. It leverages Event ID 4768 and identifies anomalies using the 3-sigma statistical…
PetitPotam Suspicious Kerberos TGT Request source: The following analytic detects a suspicious Kerberos Ticket Granting Ticket (TGT) request, identified by Event Code 4768. This detection leverages Windows Security Event Logs to identify TGT requests with unusual fields, which may indicate…

Show 6 more (9 total)

Windows Computer Account Requesting Kerberos Ticket source: The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to…
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos source: The following analytic detects a single source endpoint failing to authenticate with 30 unique disabled domain users using the Kerberos protocol within 5 minutes. It leverages Windows Security Event 4768, focusing on failure code 0x12,…
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos source: The following analytic identifies a source endpoint failing to authenticate with 30 unique invalid domain users using the Kerberos protocol. This detection leverages EventCode 4768, specifically looking for failure code 0x6, indicating the…
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos source: The following analytic identifies a source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. It leverages EventCode 4768, which is generated when the Key Distribution Center issues a Kerberos…
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos source: The following analytic identifies a source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. It leverages Event ID 4768, which is generated when the Key Distribution Center issues a Kerberos…
Suspicious Certificate Authentication (Windows Event Log) source: Adversaries may steal an AD CA’s root certificate, and forge a certificate for any active user or computer. This use case looks for Kerberos ticket requests with certificate thumbprints.

Kusto # view in coverage

Certified Pre-Owned - TGTs requested with certificate authentication source medium: This query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).
Suspicious TGT Request with a DC Account source: Below query detects TGT requests from a DC account with an IP that doesn't belong to a DC. It detect PetitPotam and any other attacks that uses a stolen DC certificate/account to perform operations.
If you make it a detection rule, take ingestion delay into account.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4768.yml
RFC 4120 §5.4.1 KDC-REQ KDCOptions bitmask https://datatracker.ietf.org/doc/html/rfc4120#section-5.4.1
RFC 4120 §7.5.9 Kerberos error codes https://datatracker.ietf.org/doc/html/rfc4120#section-7.5.9
RFC 4556 §6 PKINIT error codes https://datatracker.ietf.org/doc/html/rfc4556#section-6

Event ID 4769: A Kerberos service ticket was requested.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Logon → Kerberos Service Ticket Operations
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates every time Key Distribution Center gets a Kerberos Ticket Granting Service (TGS) ticket request. This event generates only on domain controllers. If TGS issue fails then you will see Failure event with Failure Code field not equal to "0x0". You will typically see many Failure events with Failure Code "0x20", which simply means that a TGS ticket has expired. These are informational messages and have little to no security relevance.

Message #

A Kerberos service ticket was requested.

Account Information:
	Account Name: %1
	Account Domain: %2
	Logon GUID: %10

Service Information:
	Service Name: %3
	Service ID: %4

Network Information:
	Client Address: %7
	Client Port: %8

Additional Information:
	Ticket Options: %5
	Ticket Encryption Type: %6
	Failure Code: %9
	Transited Services: %11

This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

Fields #

Name	Description	Rules
`TargetUserName`	UPN of the account that requested the ticket. Computer accounts end with $ in the UPN. Typically user_account_name@FULL_DOMAIN_NAME.	9 detection rules
`TargetDomainName`	Kerberos realm of the requesting account.
`ServiceName`	Service to which access was requested.	13 detection rules
`ServiceSid`	SID of the account or computer for which the TGS ticket was requested.	4 detection rules
`TicketOptions`	Ticket flags as a hexadecimal bitmask. Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired) `0x00800000` Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time) `0x00400000` Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange) `0x00200000` Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket) `0x00100000` Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested) `0x00010000` Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15; MS Learn event-4769 labels this as "Name canonicalize"; both 4769 and 4770 catalog samples set this bit, indicating the Windows client requested principal-name canonicalization and cross-realm referral support) `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate	16 detection rules
`TicketEncryptionType`	Encryption type used for the issued TGS. Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified	11 detection rules
`IpAddress`	IP address of the computer from which the TGS request was received.	8 detection rules
`IpPort`	Source port of the client connection for the TGS request.
`Status`	Hexadecimal result code for the TGS issue operation. Known values `0x0` Success `0x1` KDC_ERR_NAME_EXP (Client entry expired) `0x6` KDC_ERR_C_PRINCIPAL_UNKNOWN (Client not found in database) `0x7` KDC_ERR_S_PRINCIPAL_UNKNOWN (Server not found in database) `0x9` KDC_ERR_NULL_KEY (No key for server) `0xc` KDC_ERR_POLICY (KDC policy rejects request) `0xd` KDC_ERR_BADOPTION (Requested option not available) `0x12` KDC_ERR_CLIENT_REVOKED (Client credentials revoked) `0x17` KDC_ERR_KEY_EXPIRED (Password has expired — change to reset) `0x18` KDC_ERR_PREAUTH_FAILED (Pre-authentication information was invalid) `0x19` KDC_ERR_PREAUTH_REQUIRED (Additional pre-authentication required) `0x1f` KRB_AP_ERR_MODIFIED (Message stream modified) `0x20` KDC_ERR_WRONG_REALM (Wrong realm) `0x25` KRB_AP_ERR_SKEW (Clock skew too great)	6 detection rules
`LogonGuid`	GUID linking this event to Event ID 4624, 4648, and 4964 on the machine the TGS was issued for.
`TransmittedServices`	List of SPNs requested when Kerberos delegation was used.	2 detection rules
`RequestTicketHash`
`ResponseTicketHash`
`AccountSupportedEncryptionTypes`
`AccountAvailableKeys`
`ServiceSupportedEncryptionTypes`
`ServiceAvailableKeys`
`DCSupportedEncryptionTypes`
`DCAvailableKeys`
`ClientAdvertizedEncryptionTypes`
`SessionKeyEncryptionType`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4769,
    "version": 0,
    "level": 0,
    "task": 14337,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T13:59:05.1606179+00:00",
    "event_record_id": 1250635,
    "correlation": {},
    "execution": {
      "process_id": 760,
      "thread_id": 2572
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "TELEMETRY-W11-D$@CELL-D.LUDUS.DOMAIN",
    "TargetDomainName": "CELL-D.LUDUS.DOMAIN",
    "ServiceName": "TELEMETRY-DC-D$",
    "ServiceSid": "S-1-5-21-1006758700-2167138679-1475694448-1001",
    "TicketOptions": "0x40810000",
    "TicketEncryptionType": "0x12",
    "IpAddress": "::ffff:10.1.50.21",
    "IpPort": "62954",
    "Status": "0x0",
    "LogonGuid": "{09286334-9759-4259-0b88-eaea3f1dda62}",
    "TransmittedServices": "-"
  },
  "message": "A Kerberos service ticket was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\tTELEMETRY-W11-D$@CELL-D.LUDUS.DOMAIN\r\n\tAccount Domain:\t\tCELL-D.LUDUS.DOMAIN\r\n\tLogon GUID:\t\t{09286334-9759-4259-0b88-eaea3f1dda62}\r\n\r\nService Information:\r\n\tService Name:\t\tTELEMETRY-DC-D$\r\n\tService ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1001\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:10.1.50.21\r\n\tClient Port:\t\t62954\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810000\r\n\tTicket Encryption Type:\t0x12\r\n\tFailure Code:\t\t0x0\r\n\tTransited Services:\t-\r\n\r\nThis event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.\r\n\r\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\r\n\r\nTicket options, encryption types, and failure codes are defined in RFC 4120."
}

Detection Patterns #

2 rules

Sigma

Kerberos ticket without a trailing $ (CVE-2021-42278/42287) (source)

mdecrevoisier

Elastic

Suspicious Kerberos Authentication Ticket Request (source)

Security-Auditing Event ID 4768: A Kerberos authentication ticket (TGT) was requested.OREvent ID 4769: A Kerberos service ticket was requested.

2 rules

Sigma

Kerberos ticket without a trailing $ (CVE-2021-42278/42287) (source)

mdecrevoisier

Elastic

Suspicious Kerberos Authentication Ticket Request (source)

Credential Access: Exploitation for Credential Access

1 rule

Sigma

Active Directory honeypot used for lateral movement (source)

Florian Roth (Nextron Systems)

Lateral Movement: Remote Services

1 rule

Sigma

mdecrevoisier

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TicketEncryptionType`	eq	`0x17`	6 rules	kusto, sigma, splunk
`Status`	eq	`0`	4 rules	sigma
`Status`	eq	`0x0`	3 rules	kusto, sigma
`TicketOptions`	eq	`0x40810000`	4 rules	kusto, sigma, splunk
`TicketOptions`	eq	`0x40800000`	2 rules	splunk
`TicketOptions`	eq	`0x40810010`	2 rules	splunk
`ServiceName`	ends_with	`$`	2 rules	sigma
`ServiceName`	eq	`*$`	2 rules	splunk
`ServiceName`	ne	`*$`	2 rules	splunk
`ServiceSid`	ends_with	`-502`	2 rules	sigma
`TransmittedServices`	contains	`@`	2 rules	sigma
`DestinationPort`	eq	`88`	1 rule	elastic, sigma, splunk
`Image`	is_not_null		1 rule	elastic, kusto
`TargetUserName`	ne	`*$`	1 rule	splunk
`dest_ip`	ne	`127.0.0.1`	1 rule	elastic

Community Notes #

Tickets for hosts that a user previously hasn't accessed may indicate Pass-the-Ticket or RDP/WMI pivoting. Confirm that the target server is also the host that is contacted, and unusual/vulnerable encryption types (may indicate S4U2Proxy) like RC4. Check for movement between services or SPNs, and unusual service names.

Detection Rules #

Active Directory honeypot used for lateral movement (source)

Sigma # view in coverage

Kerberoasting Activity - Initial Query source medium: This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
Suspicious Kerberos RC4 Ticket Encryption source medium: Detects service ticket requests using RC4 encryption type
Rubeus Kerberos constrained delegation abuse (S4U2Proxy) source high: Detects scenarios where an attacker abuse Kerberos constrained delegation in order to escalate privileges.

Show 4 more (7 total)

Kerberos key list attack for credential dumping source high: Detects scenarios where an attacker attempts to forge a special Kerberos service ticket in order to extract credentials from Read Only Domain Controllers (RODC).
Rubeus Kerberos unconstrained delegation abuse source high: Detects scenarios where an attacker abuse Kerberos unconstrained delegation for domain persistence.
SharpHound host enumeration over Kerberos source medium: Detect if a source host is requesting multiple Kerberos Service tickets (TGS) for different assets in a short period of time.
Kerberoast ticket request detected source high: Detects scenarios where an attacker requests a Kerberoast ticket with low encryption to perform offline brutforce and forge a new ticket to get access to the targeted resource.

Splunk # view in coverage

Kerberoasting spn request with RC4 encryption source: The following analytic detects potential Kerberoasting attacks by identifying Kerberos service ticket requests with RC4 encryption through Event ID 4769. It leverages specific Ticket_Options values commonly used by Kerberoasting tools.…
Kerberos Service Ticket Request Using RC4 Encryption source: The following analytic detects Kerberos service ticket requests using RC4 encryption, leveraging Kerberos Event 4769. This method identifies potential Golden Ticket attacks, where adversaries forge Kerberos Granting Tickets (TGT) using the…
Suspicious Kerberos Service Ticket Request source: The following analytic detects suspicious Kerberos Service Ticket (TGS) requests where the requesting account name matches the service name, potentially indicating an exploitation attempt of CVE-2021-42278 and CVE-2021-42287. This…

Show 3 more (6 total)

Unusual Number of Computer Service Tickets Requested source: The following analytic identifies an unusual number of computer service ticket requests from a single source, leveraging Event ID 4769, "A Kerberos service ticket was requested." It uses statistical analysis, including standard deviation…
Unusual Number of Kerberos Service Tickets Requested source: The following analytic identifies an unusual number of Kerberos service ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos Event 4769 and calculates the standard deviation for each host, using the 3-sigma…
Windows Large Number of Computer Service Tickets Requested source: The following analytic detects a high volume of Kerberos service ticket requests, specifically more than 30, from a single source within a 5-minute window. It leverages Event ID 4769, which logs when a Kerberos service ticket is requested,…

Kusto # view in coverage

Potential Kerberoasting source medium: A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. Each SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. An attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains a hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive requests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number of request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.
UnPAC the hash source: This query looks for an attack that allows an attacker with a valid TGT token for a certain account, to obtain the NTLM hash for that account. Such an account may either be a user account or a machine account. The TGT can, for example, be obtained by authenticating with a certificate instead of with username and password.
Potentially Relayed NTLM Authentication - Microsoft Sentinel source: The below query detects Kerberos logons of computer accounts where there isn't any ticket request in the last 12h (10h is the default ticket expiration) coming from the same IpAddress with the same TargetUserName. The query can be enriched further if needed.↳ also matches Event ID 4624: An account was successfully logged on.

Show 1 more (4 total)

T1558.003 - Kerberoasting source: Detects kerberoasting by using time-series analysis functions. Highly accurate in big environments. Step by step explanation is in the query to make it easy to understand.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4769
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4769.yml
RFC 4120 §5.4.1 KDC-REQ KDCOptions bitmask https://datatracker.ietf.org/doc/html/rfc4120#section-5.4.1
RFC 6806 §3 Kerberos canonicalize bit https://datatracker.ietf.org/doc/html/rfc6806#section-3

Event ID 4770: A Kerberos service ticket was renewed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Logon → Kerberos Service Ticket Operations
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates for every Ticket Granting Service (TGS) ticket renewal. This event generates only on domain controllers.

Message #

A Kerberos service ticket was renewed.

Account Information:
	Account Name: %1
	Account Domain: %2

Service Information:
	Service Name: %3
	Service ID: %4

Network Information:
	Client Address: %7
	Client Port: %8

Additional Information:
	Ticket Options: %5
	Ticket Encryption Type: %6

Ticket options and encryption types are defined in RFC 4120.

Fields #

Name	Description
`TargetUserName` UnicodeString	UPN of the account that requested ticket renewal. Computer accounts end with $ in the UPN. Typically user_account_name@FULL_DOMAIN_NAME.
`TargetDomainName` UnicodeString	Kerberos realm of the requesting account.
`ServiceName` UnicodeString	Name of the account or computer for which the TGS ticket was renewed.
`ServiceSid` SID	SID of the account or computer for which the TGS ticket was renewed.
`TicketOptions` HexInt32	Ticket flags as a hexadecimal bitmask. Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired) `0x00800000` Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time) `0x00400000` Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange) `0x00200000` Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket) `0x00100000` Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested) `0x00010000` Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15) `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`TicketEncryptionType` HexInt32	Encryption type used for the renewed TGS. Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified
`IpAddress` UnicodeString	IP address of the computer from which the TGS renewal request was received.
`IpPort` UnicodeString	Source port of the client connection for the TGS renewal request.
`RequestTicketHash` UnicodeString
`ResponseTicketHash` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4770,
    "version": 0,
    "level": 0,
    "task": 14337,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-07T02:29:17.564406+00:00",
    "event_record_id": 13430760,
    "correlation": {},
    "execution": {
      "process_id": 916,
      "thread_id": 2888
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "LAB-DC01$@LUDUS.DOMAIN",
    "TargetDomainName": "LUDUS.DOMAIN",
    "ServiceName": "krbtgt",
    "ServiceSid": "S-1-5-21-1006758700-2167138679-1475694448-502",
    "TicketOptions": "0x10002",
    "TicketEncryptionType": "0x12",
    "IpAddress": "::1",
    "IpPort": "0"
  },
  "message": ""
}

Detection Patterns #

Lateral Movement: Remote Services

1 rule

Sigma

mdecrevoisier

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4770
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4770
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4770.yml
RFC 4120 §5.4.1 KDC-REQ KDCOptions bitmask https://datatracker.ietf.org/doc/html/rfc4120#section-5.4.1
RFC 6806 §3 Kerberos canonicalize bit https://datatracker.ietf.org/doc/html/rfc6806#section-3

Event ID 4771: Kerberos pre-authentication failed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Logon → Kerberos Authentication Service
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a domain controller doesn't have a certificate installed for smart card authentication (for example, with a "Domain Controller" or "Domain Controller Authentication" template), the user's password has expired, or the wrong password was provided. This event generates only on domain controllers. This event is not generated if "Do not require Kerberos preauthentication" option is set for the account.

Message #

Kerberos pre-authentication failed.

Account Information:
	Security ID: %2
	Account Name: %1

Service Information:
	Service Name: %3

Network Information:
	Client Address: %7
	Client Port: %8

Additional Information:
	Ticket Options: %4
	Failure Code: %5
	Pre-Authentication Type: %6

Certificate Information:
	Certificate Issuer Name: %9
	Certificate Serial Number: %10
	Certificate Thumbprint: %11

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Fields #

Name	Description	Rules
`TargetUserName`	Name of the account for which the TGT was requested. Computer accounts end with $.	4 detection rules
`TargetSid`	SID of the account for which the TGT was requested.
`ServiceName`	Service in the Kerberos realm to which the TGT request was sent. Typically krbtgt/DOMAIN_NETBIOS_NAME or krbtgt/DOMAIN_FULL_NAME.
`TicketOptions`	Ticket flags as a hexadecimal bitmask. If the ticket was malformed or damaged in transit, many fields may be absent. Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired) `0x00800000` Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time) `0x00400000` Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange) `0x00200000` Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket) `0x00100000` Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested) `0x00010000` Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15; MS Learn event-4769 labels this as "Name canonicalize"; both 4769 and 4770 catalog samples set this bit, indicating the Windows client requested principal-name canonicalization and cross-realm referral support) `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`Status`	Hexadecimal failure code for the TGT issue operation. Known values `0x0` Success `0x1` KDC_ERR_NAME_EXP (Client entry expired) `0x6` KDC_ERR_C_PRINCIPAL_UNKNOWN (Client not found in database) `0x7` KDC_ERR_S_PRINCIPAL_UNKNOWN (Server not found in database) `0x9` KDC_ERR_NULL_KEY (No key for server) `0xc` KDC_ERR_POLICY (KDC policy rejects request) `0xd` KDC_ERR_BADOPTION (Requested option not available) `0x12` KDC_ERR_CLIENT_REVOKED (Client credentials revoked) `0x17` KDC_ERR_KEY_EXPIRED (Password has expired — change to reset) `0x18` KDC_ERR_PREAUTH_FAILED (Pre-authentication information was invalid) `0x19` KDC_ERR_PREAUTH_REQUIRED (Additional pre-authentication required) `0x1f` KRB_AP_ERR_MODIFIED (Message stream modified) `0x20` KDC_ERR_WRONG_REALM (Wrong realm) `0x25` KRB_AP_ERR_SKEW (Clock skew too great)	4 detection rules
`PreAuthType`	Pre-authentication type used in the TGT request. Known values `0` None (logon without pre-authentication) `2` PA-ENC-TIMESTAMP (encrypted timestamp) `11` PA-ETYPE-INFO `15` PA-PK-AS-REP_OLD `16` PA-PK-AS-REQ (PKINIT / smart card) `17` PA-PK-AS-REP (PKINIT response) `19` PA-ETYPE-INFO2 `20` PA-SVR-REFERRAL-INFO `138` PA-ENCRYPTED-CHALLENGE
`IpAddress`	IP address of the computer from which the TGT request was received.
`IpPort`	Source port of the client connection for the TGT request.
`CertIssuerName`	Name of the CA that issued the smart card certificate.
`CertSerialNumber`	Serial number of the smart card certificate.
`CertThumbprint`	Thumbprint of the smart card certificate.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4771,
    "version": 0,
    "level": 0,
    "task": 14339,
    "opcode": 0,
    "keywords": -9218868437227405312,
    "time_created": "2026-06-13T13:53:55.6060729+00:00",
    "event_record_id": 1247582,
    "correlation": {},
    "execution": {
      "process_id": 760,
      "thread_id": 1028
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "TELEMETRY-W11-D$",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-1106",
    "ServiceName": "krbtgt/CELL-D.LUDUS.DOMAIN",
    "TicketOptions": "0x40810010",
    "Status": "0x10",
    "PreAuthType": "16",
    "IpAddress": "::ffff:10.1.50.21",
    "IpPort": "49683",
    "CertIssuerName": "",
    "CertSerialNumber": "",
    "CertThumbprint": ""
  },
  "message": "Kerberos pre-authentication failed.\r\n\r\nAccount Information:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1106\r\n\tAccount Name:\t\tTELEMETRY-W11-D$\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt/CELL-D.LUDUS.DOMAIN\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::ffff:10.1.50.21\r\n\tClient Port:\t\t49683\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810010\r\n\tFailure Code:\t\t0x10\r\n\tPre-Authentication Type:\t16\r\n\r\nCertificate Information:\r\n\tCertificate Issuer Name:\t\t\r\n\tCertificate Serial Number: \t\r\n\tCertificate Thumbprint:\t\t\r\n\r\nCertificate information is only provided if a certificate was used for pre-authentication.\r\n\r\nPre-authentication types, ticket options and failure codes are defined in RFC 4120.\r\n\r\nIf the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present."
}

Detection Patterns #

Unexisting Users

Security-Auditing Event ID 4768: A Kerberos authentication ticket (TGT) was requested.OREvent ID 4771: Kerberos pre-authentication failed.

2 rules

Sigma

Brutforce enumeration with unexisting users (Kerberos) (source)

mdecrevoisier

Kerberos enumeration with existing/unexisting users (Kerbrute) (source)

mdecrevoisier

Credential Access: Exploitation for Credential Access

1 rule

Sigma

Active Directory honeypot used for lateral movement (source)

Florian Roth (Nextron Systems)

Lateral Movement: Remote Services

1 rule

Sigma

mdecrevoisier

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Status`	eq	`0x18`	2 rules	splunk
`Status`	eq	`0x6`	2 rules	sigma, splunk
`TargetUserName`	ne	`*$`	2 rules	splunk
`unique_accounts`	gt	`30`	1 rule	splunk

Community Notes #

May indicate password spraying. Pivot on ClientAddress.

Detection Rules #

Splunk # view in coverage

Windows Multiple Users Failed To Authenticate Using Kerberos source: The following analytic identifies a single source endpoint failing to authenticate with 30 unique users using the Kerberos protocol. It leverages EventCode 4771 with Status 0x18, indicating wrong password attempts, and aggregates these…
Windows Unusual Count Of Users Failed To Auth Using Kerberos source: The following analytic identifies a source endpoint failing to authenticate multiple valid users using the Kerberos protocol, potentially indicating a Password Spraying attack. It leverages Event 4771, which is generated when the Key…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4771.yml
RFC 4120 §5.4.1 KDC-REQ KDCOptions bitmask https://datatracker.ietf.org/doc/html/rfc4120#section-5.4.1
RFC 4120 §7.5.9 Kerberos error codes https://datatracker.ietf.org/doc/html/rfc4120#section-7.5.9
RFC 4556 §6 PKINIT error codes https://datatracker.ietf.org/doc/html/rfc4556#section-6

Event ID 4772: A Kerberos authentication ticket request failed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Logon → Kerberos Authentication Service
Collection Priority: Low (Splunk-UBA, others)
Opcode: Info

Description

A Kerberos authentication ticket request failed.

Message #

A Kerberos authentication ticket request failed.

Account Information:
	Account Name: %1
	Supplied Realm Name: %2

Service Information:
	Service Name: %3

Network Information:
	Client Address: %6
	Client Port: %7

Additional Information:
	Ticket Options: %4
	Failure Code: %5

Ticket options and failure codes are defined in RFC 4120.

Fields #

Name	Description
`TargetUserName` UnicodeString	[Account Information] Account Name
`TargetDomainName` UnicodeString	[Account Information] Supplied Realm Name
`ServiceName` UnicodeString	[Service Information] Service Name
`TicketOptions` UnicodeString	[Additional Information] Ticket Options Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired) `0x00800000` Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time) `0x00400000` Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange) `0x00200000` Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket) `0x00100000` Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested) `0x00010000` Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15) `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`FailureCode` UnicodeString	[Additional Information] Failure Code NTSTATUS reference
`IpAddress` UnicodeString	[Network Information] Client Address
`IpPort` UnicodeString	[Network Information] Client Port

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4772
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4772

Event ID 4773: A Kerberos service ticket request failed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Logon → Kerberos Service Ticket Operations
Collection Priority: Recommended (Yamato Security)
Opcode: Info

Description

A Kerberos service ticket request failed.

Message #

A Kerberos service ticket request failed.

Account Information:
	Account Name: %1
	Account Domain: %2

Service Information:
	Service Name: %3

Network Information:
	Client Address: %6
	Client Port: %7

Additional Information:
	Ticket Options: %4
	Failure Code: %5

Ticket options and failure codes are defined in RFC 4120.

Fields #

Name	Description
`TargetUserName` UnicodeString	[Account Information] Account Name
`TargetDomainName` UnicodeString	[Account Information] Account Domain
`ServiceName` UnicodeString	[Service Information] Service Name
`TicketOptions` UnicodeString	[Additional Information] Ticket Options Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired) `0x00800000` Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time) `0x00400000` Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange) `0x00200000` Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket) `0x00100000` Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested) `0x00010000` Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15) `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`FailureCode` UnicodeString	[Additional Information] Failure Code NTSTATUS reference
`IpAddress` UnicodeString	[Network Information] Client Address
`IpPort` UnicodeString	[Network Information] Client Port

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4773
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4773

Event ID 4774: An account was mapped for logon.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Logon → Credential Validation
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

An account was mapped for logon.

Message #

An account was mapped for logon.

Authentication Package: %1
Account UPN: %2
Mapped Name: %3

Fields #

Name	Description
`MappingBy` UnicodeString	The name of Authentication Package which was used for credential validation.
`ClientUserName` UnicodeString	The name of the account that had its credentials validated by the Authentication Package. Can be user name, computer account name or well-known security principal account name.
`MappedName` UnicodeString	The name of the account logged on / mapped.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4774
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4774
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4774.yml

Event ID 4775: An account could not be mapped for logon.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Logon → Credential Validation
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

An account could not be mapped for logon.

Message #

An account could not be mapped for logon.

Authentication Package: %1
Account Name: %2

Fields #

Name	Description
`ClientUserName` UnicodeString	Authentication Package.
`MappingBy` UnicodeString	Account Name.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4775
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4775
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4775.yml

Event ID 4776: The domain controller attempted to validate the credentials for an account.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Logon → Credential Validation
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates every time that a credential validation occurs using NTLM authentication.This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.

Message #

The computer attempted to validate the credentials for an account.

Authentication Package: %1
Logon Account: %2
Source Workstation: %3
Error Code: %4

Fields #

Name	Description	Rules
`PackageName` UnicodeString	Authentication package used. Always MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 for this event.
`TargetUserName` UnicodeString	Account whose credentials were validated. May be a user name, computer account, or well-known security principal.	8 detection rules
`Workstation` UnicodeString	The name of the computer from which the logon attempt originated.
`Status` HexInt32	Error code for failed validations. 0x0 indicates success. NTSTATUS reference Known values `0x0` Success `0xC0000064` User name does not exist `0xC000006A` User name correct but password wrong `0xC000006D` Bad user name or authentication information (generic logon failure) `0xC000006E` Account restriction prevents logon (e.g. blank password not allowed) `0xC000006F` User logged on outside authorized hours `0xC0000070` User logged on from an unauthorized workstation `0xC0000071` User logged on with an expired password `0xC0000072` Account currently disabled `0xC0000193` Account expired `0xC0000224` User must change password at next logon `0xC0000234` Account locked out	8 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4776,
    "version": 0,
    "level": 0,
    "task": 14336,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:49.4207598+00:00",
    "event_record_id": 3213621,
    "correlation": {},
    "execution": {
      "process_id": 896,
      "thread_id": 580
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
    "TargetUserName": "domainadmin",
    "Workstation": "LUDUS",
    "Status": "0x0"
  },
  "message": "The computer attempted to validate the credentials for an account.\r\n\r\nAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\r\nLogon Account:\tdomainadmin\r\nSource Workstation:\tLUDUS\r\nError Code:\t0x0"
}

Detection Patterns #

4 rules

Sigma

Detection of default a Windows host name in login attempts (source)

Florian Roth (Nextron Systems)

mdecrevoisier

Potential EternalBlue via Metasploit (Windows Event Log) (source)

Chakib Gzenayi (@Chak092), Hosni Mribah

Splunk

Stealth: Valid Accounts

Security-Auditing Event ID 4625: An account failed to log on.OREvent ID 4776: The domain controller attempted to validate the credentials for an account.

1 rule

Sigma

Account Tampering - Suspicious Failed Logon Reasons (source)

Florian Roth (Nextron Systems)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TargetUserName`	ne	`*$`	4 rules	splunk
`AuthenticationPackageName`	eq	`NTLM`	2 rules	elastic, kusto, sigma, splunk
`LogonType`	eq	`Network`	2 rules	elastic, kusto, sigma, splunk
`Status`	eq	`0xC000006A`	2 rules	splunk
`Status`	eq	`0xc0000064`	2 rules	splunk
`Status`	eq	`0xC000006F`	1 rule	sigma
`Status`	eq	`0xC0000070`	1 rule	sigma
`Status`	eq	`0xC000015B`	1 rule	sigma
`Status`	eq	`0xC0000413`	1 rule	sigma
`isOutlier`	eq	`1`	2 rules	splunk
`unique_accounts`	gt	`30`	2 rules	splunk

Community Notes #

This may capture fall-back NTLM use. Note Workstation (does it list the client? If not, this may be NTLM coercion).

The Status field is an NTSTATUS code indicating the credential validation result:

Code	Name	Description
0x00000000	STATUS_SUCCESS	Credentials validated successfully
0xC000006D	STATUS_LOGON_FAILURE	Generic failure (bad username or password)
0xC0000064	STATUS_NO_SUCH_USER	Non-existent account
0xC000006A	STATUS_WRONG_PASSWORD	Incorrect password
0xC0000234	STATUS_ACCOUNT_LOCKED_OUT	Account locked out
0xC0000072	STATUS_ACCOUNT_DISABLED	Account disabled
0xC0000193	STATUS_ACCOUNT_EXPIRED	Account expired
0xC0000071	STATUS_PASSWORD_EXPIRED	Password expired
0xC000006F	STATUS_INVALID_LOGON_HOURS	Outside allowed logon hours
0xC0000070	STATUS_INVALID_WORKSTATION	Not allowed from this workstation
0xC0000224	STATUS_PASSWORD_MUST_CHANGE	Password must change at next logon
0xC000005E	STATUS_NO_LOGON_SERVERS	No logon servers available
0xC00002DB	STATUS_NTLM_BLOCKED	NTLM blocked by policy

Detection Rules #

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 4778: A session was reconnected to a Window Station.OREvent ID 4779: A session was disconnected from a Window Station.

Splunk # view in coverage

Windows Multiple Invalid Users Failed To Authenticate Using NTLM source: The following analytic detects a single source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC0000064, which…
Windows Multiple Users Failed To Authenticate From Host Using NTLM source: The following analytic identifies a single source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC000006A, which…
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM source: The following analytic identifies a source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. It leverages EventCode 4776 and calculates the standard deviation for each host, using the 3-sigma rule to…

Show 1 more (4 total)

Windows Unusual Count Of Users Failed To Authenticate Using NTLM source: The following analytic identifies a source endpoint failing to authenticate multiple valid users using the NTLM protocol, potentially indicating a Password Spraying attack. It leverages Event 4776 from Domain Controllers, calculating the…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4776.yml

Event ID 4777: The domain controller failed to validate the credentials for an account.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Logon → Credential Validation
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

Currently this event doesn't generate. It is a defined event, but it is never invoked by the operating system. 4776 failure event is generated instead.

Message #

The domain controller failed to validate the credentials for an account.

Authentication Package: %1
Logon Account: %2
Source Workstation: %3
Error Code: %4

Fields #

Name	Description
`ClientUserName` UnicodeString	Authentication Package.
`TargetUserName` UnicodeString	Logon Account.
`Workstation` UnicodeString	Source Workstation.
`Status` UnicodeString	Error Code. NTSTATUS reference Known values `0x0` Success `0xC0000064` User name does not exist `0xC000006A` User name correct but password wrong `0xC000006D` Bad user name or authentication information (generic logon failure) `0xC000006E` Account restriction prevents logon (e.g. blank password not allowed) `0xC000006F` User logged on outside authorized hours `0xC0000070` User logged on from an unauthorized workstation `0xC0000071` User logged on with an expired password `0xC0000072` Account currently disabled `0xC0000193` Account expired `0xC0000224` User must change password at next logon `0xC0000234` Account locked out

Community Notes #

Logged when NTLM credential validation fails. Pair with 4776 (which logs both successes and failures).

The Status field is an NTSTATUS code — see Event 4776 for the full code table.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4777
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4777
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4777.yml

Event ID 4778: A session was reconnected to a Window Station.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Other Logon/Logoff Events
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching.

Message #

A session was reconnected to a Window Station.

Subject:
	Account Name: %1
	Account Domain: %2
	Logon ID: %3

Session:
	Session Name: %4

Additional Information:
	Client Name: %5
	Client Address: %6

This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching.

Fields #

Name	Description
`AccountName`	The name of the account for which the session was reconnected.
`AccountDomain`	Subject's domain or computer name.
`LogonID`	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`SessionName`	The name of the session to which the user was reconnected.
`ClientName`	Computer name from which the user was reconnected. Has "Unknown" value for console session.
`ClientAddress`	IP address of the computer from which the user was reconnected.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4778,
    "version": 0,
    "level": 0,
    "task": 12551,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2021-05-14T21:01:05.831748Z",
    "event_record_id": 1829819,
    "correlation": {
      "#attributes": {
        "ActivityID": "A67BE420-4636-0001-36E4-7BA63646D701"
      }
    },
    "execution": {
      "process_id": 576,
      "thread_id": 4904
    },
    "channel": "Security",
    "computer": "fs01.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AccountName": "admmarsid",
    "AccountDomain": "OFFSEC",
    "LogonID": "0x6a423",
    "SessionName": "RDP-Tcp#8",
    "ClientName": "JUMP01",
    "ClientAddress": "10.23.23.9"
  }
}

Detection Patterns #

Event Log

2 rules

Splunk

RDP Logon_Logoff Event (Windows Event Log) (source)

Event Log

Security-Auditing Event ID 4778: A session was reconnected to a Window Station.OREvent ID 4779: A session was disconnected from a Window Station.

2 rules

Splunk

RDP Logon_Logoff Event (Windows Event Log) (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`prefix`	eq	`src_`	1 rule	splunk

Community Notes #

Useful for tracing session re-use.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4778
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4778
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-4778-session-reconnected.md
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4778.yml

Event ID 4779: A session was disconnected from a Window Station.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Other Logon/Logoff Events
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.

Message #

A session was disconnected from a Window Station.

Subject:
	Account Name: %1
	Account Domain: %2
	Logon ID: %3

Session:
	Session Name: %4

Additional Information:
	Client Name: %5
	Client Address: %6


This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.

Fields #

Name	Description
`AccountName`	The name of the account for which the session was disconnected.
`AccountDomain`	Subject's domain or computer name.
`LogonID`	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`SessionName`	The name of disconnected session.
`ClientName`	Machine name from which the session was disconnected. Has "Unknown"value for console session.
`ClientAddress`	IP address of the computer from which the session was disconnected.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4779,
    "version": 0,
    "level": 0,
    "task": 12551,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2021-05-14T21:01:05.370030Z",
    "event_record_id": 1829816,
    "correlation": {
      "#attributes": {
        "ActivityID": "A67BE420-4636-0001-36E4-7BA63646D701"
      }
    },
    "execution": {
      "process_id": 576,
      "thread_id": 628
    },
    "channel": "Security",
    "computer": "fs01.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AccountName": "admmig",
    "AccountDomain": "OFFSEC",
    "LogonID": "0x13b5e1e",
    "SessionName": "RDP-Tcp#8",
    "ClientName": "JUMP01",
    "ClientAddress": "10.23.23.9"
  }
}

Detection Patterns #

Event Log

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 4778: A session was reconnected to a Window Station.OREvent ID 4779: A session was disconnected from a Window Station.

2 rules

Splunk

RDP Logon_Logoff Event (Windows Event Log) (source)

Event Log

Security-Auditing Event ID 4778: A session was reconnected to a Window Station.OREvent ID 4779: A session was disconnected from a Window Station.

2 rules

Splunk

RDP Logon_Logoff Event (Windows Event Log) (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`prefix`	eq	`src_`	1 rule	splunk

Detection Rules #

Windows Increase in User Modification Activity (source)

Splunk # view in coverage

Potential ngrok Tunnel - Windows (Windows Event Log) source: ngrok is a reverse proxy utility with the ability to establish tunnels on targets using reverse SSH, even if the target does not have ngrok installed. Attackers have been observed abusing ngrok to establish persistence and perform lateral…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4779
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4779
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4779.yml

Event ID 4780: The ACL was set on accounts which are members of administrators groups.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

The ACL was set on accounts which are members of administrators groups.

Message #

The ACL was set on accounts which are members of administrators groups.


Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Target Account:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Additional Information:
	Privileges: %8

Every hour, the Windows domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the AdminSDHolder object.  If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated.

Fields #

Name	Description
`TargetUserName` UnicodeString	[Target Account] Account Name
`TargetDomainName` UnicodeString	[Target Account] Account Domain
`TargetSid` SID	[Target Account] Security ID
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`PrivilegeList` UnicodeString	[Additional Information] Privileges Privilege constants reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4780,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-14T00:17:46.607238+00:00",
    "event_record_id": 16777470,
    "correlation": {},
    "execution": {
      "process_id": 940,
      "thread_id": 1056
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "Domain Admins",
    "TargetDomainName": "DC=ludus,DC=domain",
    "TargetSid": "S-1-5-21-1006758700-2167138679-1475694448-512",
    "SubjectUserSid": "S-1-5-7",
    "SubjectUserName": "ANONYMOUS LOGON",
    "SubjectDomainName": "NT AUTHORITY",
    "SubjectLogonId": "0x3e6",
    "PrivilegeList": "-"
  },
  "message": ""
}

Detection Patterns #

1 rule

Splunk

Dean Luxton

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4780
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4780

Event ID 4781: The name of an account was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

This event generates every time a user or computer account name (sAMAccountName attribute) is changed. For user accounts, this event generates on domain controllers, member servers, and workstations. For computer accounts, this event generates only on domain controllers.

Message #

The name of an account was changed:

Subject:
	Security ID: %5
	Account Name: %6
	Account Domain: %7
	Logon ID: %8

Target Account:
	Security ID: %4
	Account Domain: %3
	Old Account Name: %1
	New Account Name: %2

Additional Information:
	Privileges: %9

Fields #

Name	Description	Rules
`OldTargetUserName` UnicodeString	Old name of target account.	11 detection rules
`NewTargetUserName` UnicodeString	New name of target account.	11 detection rules
`TargetDomainName` UnicodeString	Target account's domain or computer name.
`TargetSid` SID	SID of account on which the name was changed.	1 detection rule
`SubjectUserSid` SID	SID of account that performed the "change account name" operation.
`SubjectUserName` UnicodeString	The name of the account that performed the "change account name" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`PrivilegeList` UnicodeString	Privileges used during the operation (e.g., SeBackupPrivilege). Usually "-". Privilege constants reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4781,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T06:25:37.340432+00:00",
    "event_record_id": 2857,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 856
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "OldTargetUserName": "None",
    "NewTargetUserName": "None",
    "TargetDomainName": "WINDEV2310EVAL",
    "TargetSid": "S-1-5-21-1992711665-1655669231-58201500-513",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "PrivilegeList": "-"
  },
  "message": ""
}

Detection Patterns #

User Account

Security-Auditing Event ID 4720: A user account was created.OREvent ID 4781: The name of an account was changed.

2 rules

Sigma

User account creation disguised in a computer account (source)

mdecrevoisier

New or Renamed User Account with '$' Character (source)

Ilyas Ochkov, oscd.community

Stealth: Domain Accounts

Security-Auditing Event ID 4781: The name of an account was changed.→Event ID 4768: A Kerberos authentication ticket (TGT) was requested.

1 rule

Splunk

Suspicious Ticket Granting Ticket Request (source)

Mauricio Velazco, Splunk

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`NewTargetUserName`	ends_with	`$`	2 rules	sigma
`NewTargetUserName`	ne	`*$`	2 rules	splunk
`OldTargetUserName`	ends_with	`$`	2 rules	elastic, sigma
`OldTargetUserName`	eq	`*$`	2 rules	splunk
`TargetUserName`	ends_with	`$`	1 rule	kusto, sigma
`TargetUserName`	ne	`*$`	1 rule	splunk
`short_lived`	eq	`TRUE`	1 rule	splunk

Community Notes #

Attackers may rename an existing, highly privileged account to blend in.

Detection Rules #

Sigma # view in coverage

Computer account renamed without a trailing $ (CVE-2021-42278/42287) source high: Detects scenarios where an attacker attempts to spoof the SAM account name of a a domain controller in order to impersonate it. Vulnerability comes from that computer accounts should have a trailing $ in their name (i.e. sAMAccountName attribute) but no validation process existed until the patch was released. During the offensive phase, attacker will create and rename the sAMAccountName of a computer account to look like the one of a domain controller. Once the attack is done, attacker will rollback the sAMAccountName to its original name.
Account renamed to admin (or likely) account to evade defense source high: Detects scenarios where an attacker rename a non admin account in order to evade SOC & operations vigilance
Suspicious Computer Account Name Change CVE-2021-42287 source high: Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287

Elastic # view in coverage

Potential Privileged Escalation via SamAccountName Spoofing source high: Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.

Splunk # view in coverage

Suspicious Computer Account Name Change source: The following analytic detects a suspicious computer account name change in Active Directory. It leverages Event ID 4781, which logs account name changes, to identify instances where a computer account name is changed to one that does not…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4781
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4781
Example event sourced from https://github.com/NextronSystems/evtx-baseline
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4781.yml

Event ID 4782: The password hash an account was accessed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Other Account Management Events
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

This event generates on domain controllers during password migration of an account using Active Directory Migration Toolkit. Typically "Subject\Security ID" is the SYSTEM account.

Message #

The password hash an account was accessed.

Subject:
	Security ID: %3
	Account Name: %4
	Account Domain: %5
	Logon ID: %6

Target Account:
	Account Name: %1
	Account Domain: %2

Fields #

Name	Description
`TargetUserName` UnicodeString	The name of the account for which the password hash was migrated. For example: ServiceDesk.
`TargetDomainName` UnicodeString	Domain name of the account for which the password hash was migrated.
`SubjectUserSid` SID	SID of account that requested hash migration operation. If the SID cannot be resolved, you will see the source data in the even.
`SubjectUserName` UnicodeString	The name of the account that requested hash migration operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."

Community Notes #

May indicate Pass-the-Hash. Legitimate use occurs during AD password migration operations under SYSTEM or a dedicated migration account.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4782
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-account-management-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4782
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4782.yml

Event ID 4783: A basic application group was created.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Application Group Management
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A basic application group was created.

Message #

A basic application group was created.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Attributes:
	SAM Account Name: %9
	SID History: %10

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	[Group] Account Name
`TargetDomainName` UnicodeString	[Group] Account Domain
`TargetSid` SID	[Group] Security ID
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`PrivilegeList` UnicodeString	[Additional Information] Privileges Privilege constants reference
`SamAccountName` UnicodeString	[Attributes] SAM Account Name
`SidHistory` UnicodeString	[Attributes] SID History

Detection Patterns #

Persistence: Domain Account

1 rule

Splunk

Brandon Sternfield, Optiv + ClearShark

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4783
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4783

Event ID 4784: A basic application group was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Application Group Management
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A basic application group was changed.

Message #

A basic application group was changed.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Attributes:
	SAM Account Name: %9
	SID History: %10

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	[Group] Account Name
`TargetDomainName` UnicodeString	[Group] Account Domain
`TargetSid` SID	[Group] Security ID
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`PrivilegeList` UnicodeString	[Additional Information] Privileges Privilege constants reference
`SamAccountName` UnicodeString	[Attributes] SAM Account Name
`SidHistory` UnicodeString	[Attributes] SID History

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4784
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4784

Event ID 4785: A member was added to a basic application group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Application Group Management
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A member was added to a basic application group.

Message #

A member was added to a basic application group.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Member:
	Security ID: %2
	Account Name: %1

Group:
	Security ID: %5
	Group Name: %3
	Group Domain: %4

Additional Information:
	Privileges: %10

Fields #

Name	Description
`MemberName` UnicodeString	[Member] Account Name
`MemberSid` SID	[Member] Security ID
`TargetUserName` UnicodeString	[Group] Group Name
`TargetDomainName` UnicodeString	[Group] Group Domain
`TargetSid` SID	[Group] Security ID
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`PrivilegeList` UnicodeString	[Additional Information] Privileges Privilege constants reference
`MembershipExpirationTime` FILETIME	Expiration time

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4785
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4785

Event ID 4786: A member was removed from a basic application group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Application Group Management
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A member was removed from a basic application group.

Message #

A member was removed from a basic application group.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Member:
	Security ID: %2
	Account Name: %1

Group:
	Security ID: %5
	Group Name: %3
	Group Domain: %4

Additional Information:
	Privileges: %10

Fields #

Name	Description
`MemberName` UnicodeString	[Member] Account Name
`MemberSid` SID	[Member] Security ID
`TargetUserName` UnicodeString	[Group] Group Name
`TargetDomainName` UnicodeString	[Group] Group Domain
`TargetSid` SID	[Group] Security ID
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`PrivilegeList` UnicodeString	[Additional Information] Privileges Privilege constants reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4786
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4786

Event ID 4787: A non-member was added to a basic application group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Application Group Management
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A non-member was added to a basic application group.

Message #

A non-member was added to a basic application group.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Member:
	Security ID: %2
	Account Name: %1

Group:
	Security ID: %5
	Account Name: %3
	Account Domain: %4

Additional Information:
	Privileges: %10

A non-member is an account that is explicitly excluded from membership in a basic application group.  Even if the account is specified as a member of the application group, either explicitly or through nested group membership, the account will not be treated as a group member if it is listed as a non-member.

Fields #

Name	Description
`MemberName` UnicodeString	[Member] Account Name
`MemberSid` SID	[Member] Security ID
`TargetUserName` UnicodeString	[Group] Account Name
`TargetDomainName` UnicodeString	[Group] Account Domain
`TargetSid` SID	[Group] Security ID
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`PrivilegeList` UnicodeString	[Additional Information] Privileges Privilege constants reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4787
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4787

Event ID 4788: A non-member was removed from a basic application group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Application Group Management
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A non-member was removed from a basic application group.

Message #

A non-member was removed from a basic application group.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Member:
	Security ID: %2
	Account Name: %1

Group:
	Security ID: %5
	Account Name: %3
	Account Domain: %4

Additional Information:
	Privileges: %10

A non-member is an account that is explicitly excluded from membership in a basic application group.  Even if the account is specified as a member of the application group, either explicitly or through nested group membership, the account will not be treated as a group member if it is listed as a non-member.

Fields #

Name	Description
`MemberName` UnicodeString	[Member] Account Name
`MemberSid` SID	[Member] Security ID
`TargetUserName` UnicodeString	[Group] Account Name
`TargetDomainName` UnicodeString	[Group] Account Domain
`TargetSid` SID	[Group] Security ID
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`PrivilegeList` UnicodeString	[Additional Information] Privileges Privilege constants reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4788
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4788

Event ID 4789: A basic application group was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Application Group Management
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A basic application group was deleted.

Message #

A basic application group was deleted.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	[Group] Account Name
`TargetDomainName` UnicodeString	[Group] Account Domain
`TargetSid` SID	[Group] Security ID
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`PrivilegeList` UnicodeString	[Additional Information] Privileges Privilege constants reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4789
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4789

Event ID 4790: An LDAP query group was created.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Application Group Management
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An LDAP query group was created.

Message #

An LDAP query group was created.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Attributes:
	SAM Account Name: %9
	SID History: %10

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	[Group] Account Name
`TargetDomainName` UnicodeString	[Group] Account Domain
`TargetSid` SID	[Group] Security ID
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`PrivilegeList` UnicodeString	[Additional Information] Privileges Privilege constants reference
`SamAccountName` UnicodeString	[Attributes] SAM Account Name
`SidHistory` UnicodeString	[Attributes] SID History

Detection Patterns #

Persistence: Domain Account

1 rule

Splunk

Brandon Sternfield, Optiv + ClearShark

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4790
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4790

Event ID 4791: A basic application group was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Application Group Management
Opcode: Info

Description

A basic application group was changed.

Message #

A basic application group was changed.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Attributes:
	SAM Account Name: %9
	SID History: %10

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	[Group] Account Name
`TargetDomainName` UnicodeString	[Group] Account Domain
`TargetSid` SID	[Group] Security ID
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`PrivilegeList` UnicodeString	[Additional Information] Privileges Privilege constants reference
`SamAccountName` UnicodeString	[Attributes] SAM Account Name
`SidHistory` UnicodeString	[Attributes] SID History

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4791
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4791

Event ID 4792: An LDAP query group was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Application Group Management
Opcode: Info

Description

An LDAP query group was deleted.

Message #

An LDAP query group was deleted.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Additional Information:
	Privileges: %8

Fields #

Name	Description
`TargetUserName` UnicodeString	[Group] Account Name
`TargetDomainName` UnicodeString	[Group] Account Domain
`TargetSid` SID	[Group] Security ID
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`PrivilegeList` UnicodeString	[Additional Information] Privileges Privilege constants reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4792
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4792

Event ID 4793: The Password Policy Checking API was called.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Other Account Management Events
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

This event generates each time the Password Policy Checking API is called.

Message #

The Password Policy Checking API was called.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Additional Information:
	Caller Workstation: %5
	Provided Account Name (unauthenticated): %6
	Status Code: %7

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested Password Policy Checking API operation.
`SubjectUserName` UnicodeString	The name of the account that requested Password Policy Checking API operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`Workstation` UnicodeString	Name of the computer from which the Password Policy Checking API was called. Typically, this is the same computer where this event was generated, for example, DC01. Computer name here does not contain $ symbol at the end. It also can be an IP address or the DNS name of the computer.
`TargetUserName` UnicodeString	The name of account, which password was provided/requested for validation. This parameter might not be captured in the event, and in that case appears as "-".
`Status` HexInt32	Typically has "0x0" value. Status code is "0x0", no matter meets password domain Password Policy or not. NTSTATUS reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4793
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-account-management-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4793
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4793.yml

Event ID 4794: An attempt was made to set the Directory Services Restore Mode administrator password.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time Directory Services Restore Mode (DSRM) administrator password is changed. This event generates only on domain controllers.

Message #

An attempt was made to set the Directory Services Restore Mode
administrator password.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Additional Information:
	Caller Workstation: %5
	Status Code: %6

Fields #

Name	Description
`SubjectUserSid`	SID of account that made an attempt to set Directory Services Restore Mode administrator password.
`SubjectUserName`	The name of the account that made an attempt to set Directory Services Restore Mode administrator password.
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`Workstation`	The name of computer account from which Directory Services Restore Mode (DSRM) administrator password change request was received. For example: "DC01". If the change request was sent locally (from the same server) this field will have the same name as the computer account.
`Status`	For Success events it has "0x0" value.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4794,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2017-06-09T19:21:26.968669Z",
    "event_record_id": 3139859,
    "correlation": {
      "#attributes": {
        "ActivityID": "3B48C871-DFE6-0000-A5C8-483BE6DFD201"
      }
    },
    "execution": {
      "process_id": 792,
      "thread_id": 1648
    },
    "channel": "Security",
    "computer": "2016dc.hqcorp.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1913345275-1711810662-261465553-500",
    "SubjectUserName": "administrator",
    "SubjectDomainName": "HQCORP",
    "SubjectLogonId": "0x2f336f",
    "Workstation": "2016DC",
    "Status": "0x0"
  }
}

Detection Rules #

Sigma # view in coverage

Password Change on Directory Service Restore Mode (DSRM) Account source high: Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.
DSRM password changed (native) source high: Detects scenarios where an attacker reset or synchronize with another domain account the DSRM (Directory Services Restore Mode) password in order to escalate privileges.

Splunk # view in coverage

Windows AD DSRM Password Reset source: The following analytic detects attempts to reset the Directory Services Restore Mode (DSRM) administrator password on a Domain Controller. It leverages event code 4794 from the Windows Security Event Log, specifically looking for events…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4794
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4794
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4794.yml

Event ID 4797: An attempt was made to query the existence of a blank password for an account.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

An attempt was made to query the existence of a blank password for an account.

Message #

An attempt was made to query the existence of a blank password for an account.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Additional Information:
	Caller Workstation: %5
	Target Account Name: %6
	Target Account Domain: %7

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested the "enumerate usblank passwords" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "enumerate blank password" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`Workstation` UnicodeString	The name of computer account from which the password was queried from For example "DC01". If the change request was sent locally (from the same server) this field will have the same name as the computer account.
`TargetUserName` UnicodeString	The name of the account whose groups were enumerated.
`TargetDomainName` UnicodeString	Group's domain or computer name.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4797,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T00:43:39.992357+00:00",
    "event_record_id": 184918,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0001-0C49-DBE43710DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 1928
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "SubjectUserName": "User",
    "SubjectDomainName": "WINDEV2310EVAL",
    "SubjectLogonId": "0x27844",
    "Workstation": "WINDEV2310EVAL",
    "TargetUserName": "WDAGUtilityAccount",
    "TargetDomainName": "WINDEV2310EVAL"
  },
  "message": ""
}

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4797
Example event sourced from https://github.com/NextronSystems/evtx-baseline
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4797.yml

Event ID 4798: A user's local group membership was enumerated.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates when a process enumerates a user's security-enabled local groups on a computer or device.

Message #

A user's local group membership was enumerated.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

User:
	Security ID: %3
	Account Name: %1
	Account Domain: %2

Process Information:
	Process ID: %8
	Process Name: %9

Fields #

Name	Description	Rules
`TargetUserName` UnicodeString	The name of the account whose groups were enumerated.
`TargetDomainName` UnicodeString	Group's domain or computer name.
`TargetSid` SID	SID of the account whose groups were enumerated.
`SubjectUserSid` SID	SID of account that requested the "enumerate user's security-enabled local groups" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "enumerate user's security-enabled local groups" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`CallerProcessId` Pointer	Hexadecimal Process ID of the process that enumerated the members of the group. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
`CallerProcessName` UnicodeString	Full path and the name of the executable for the process.	2 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4798,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T06:25:35.014146+00:00",
    "event_record_id": 2785,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 896
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "User",
    "TargetDomainName": "WINDEV2310EVAL",
    "TargetSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "CallerProcessId": "0x57c",
    "CallerProcessName": "C:\\Windows\\System32\\rundll32.exe"
  },
  "message": ""
}

Detection Rules #

Splunk # view in coverage

Enumerate Users Local Group Using Telegram source: The following analytic detects a Telegram process enumerating all network users in a local group. It leverages EventCode 4798, which is generated when a process enumerates a user's security-enabled local groups on a computer or device.…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4798
Example event sourced from https://github.com/NextronSystems/evtx-baseline
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4798.yml

Event ID 4799: A security-enabled local group membership was enumerated.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → Security Group Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates when a process enumerates the members of a security-enabled local group on the computer or device. This event doesn't generate when group members were enumerated using Active Directory Users and Computers snap-in.

Message #

A security-enabled local group membership was enumerated.

Subject:
	Security ID: %4
	Account Name: %5
	Account Domain: %6
	Logon ID: %7

Group:
	Security ID: %3
	Group Name: %1
	Group Domain: %2

Process Information:
	Process ID: %8
	Process Name: %9

Fields #

Name	Description	Rules
`TargetUserName` UnicodeString	The name of the group which members were enumerated.	1 detection rule
`TargetDomainName` UnicodeString	Group's domain or computer name.
`TargetSid` SID	SID of the group which members were enumerated.	3 detection rules
`SubjectUserSid` SID	SID of account that requested the "enumerate security-enabled local group members" operation.	1 detection rule
`SubjectUserName` UnicodeString	The name of the account that requested the "enumerate security-enabled local group members" operation.	1 detection rule
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`CallerProcessId` Pointer	Hexadecimal Process ID of the process that enumerated the members of the group. Process ID (PID) is a number used by the operating system to uniquely identify an active process. You can also correlate this process ID with a process ID in other events, for example, "4688: A new process has been created" Process Information\New Process ID.
`CallerProcessName` UnicodeString	Full path and the name of the executable for the process.	3 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4799,
    "version": 0,
    "level": 0,
    "task": 13826,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:45:34.3695998+00:00",
    "event_record_id": 1898088,
    "correlation": {},
    "execution": {
      "process_id": 812,
      "thread_id": 2704
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "Server Operators",
    "TargetDomainName": "Builtin",
    "TargetSid": "S-1-5-32-549",
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-A$",
    "SubjectDomainName": "cell-a",
    "SubjectLogonId": "0x3e7",
    "CallerProcessId": "0x6b8",
    "CallerProcessName": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{A0BAEC76-A04A-4AF1-BF12-3AC51BC4A16B}\\EDGEMITMP_E2E83.tmp\\setup.exe"
  },
  "message": "A security-enabled local group membership was enumerated.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nGroup:\r\n\tSecurity ID:\t\tS-1-5-32-549\r\n\tGroup Name:\t\tServer Operators\r\n\tGroup Domain:\t\tBuiltin\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x6b8\r\n\tProcess Name:\t\tC:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{A0BAEC76-A04A-4AF1-BF12-3AC51BC4A16B}\\EDGEMITMP_E2E83.tmp\\setup.exe"
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`SubjectUserSid`	starts_with	`S-1-5-21-`	1 rule	sigma
`TargetSid`	eq	`S-1-5-32-544`	1 rule	kusto, sigma
`TargetUserName`	starts_with	`Administr`	1 rule	sigma

Detection Rules #

Sigma # view in coverage

Remote local admin group enumeration via SharpHound source medium: Detects scenarios where an attacker enumerates local administratos group on multiple hosts via SharpHound.
Local group enumeration triggered by Azure Virtual machine recovery tool source high: Detects scenarios where an attacker having compromised a virtual machine via serial cable attempts to enumerate local groups.
Operation Wocao Activity - Security source high: Detects activity mentioned in Operation Wocao report

Splunk # view in coverage

SharpHound Enumeration (Windows Event Log) source: Sharphound can be used to collect Active Directory information in order to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Once collected information can be utilized by BloodHound to…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4799
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4799.yml

Event ID 4800: The workstation was locked.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Other Logon/Logoff Events
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event is generated when a workstation was locked.

Message #

The workstation was locked.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4
	Session ID: %5

Fields #

Name	Description
`TargetUserSid` SID	SID of account that requested the "lock workstation" operation.
`TargetUserName` UnicodeString	The name of the account that requested the "lock workstation" operation.
`TargetDomainName` UnicodeString	Subject's domain or computer name.
`TargetLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID,.
`SessionId` UInt32	[Subject] Session ID.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4800,
    "version": 0,
    "level": 0,
    "task": 12551,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-11T23:16:10.990860+00:00",
    "event_record_id": 2684980,
    "correlation": {
      "ActivityID": "FA744C8F-80A0-4DBD-B165-8D96568C15CC"
    },
    "execution": {
      "process_id": 720,
      "thread_id": 3756
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserSid": "S-1-5-21-3407486967-1585450050-1838039599-1000",
    "TargetUserName": "localuser",
    "TargetDomainName": "LAB-WIN11",
    "TargetLogonId": "0x1b1557",
    "SessionId": 2
  },
  "message": ""
}

Detection Rules #

Sigma # view in coverage

Locked Workstation source informational: Detects locked workstation session events that occur automatically after a standard period of inactivity.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4800
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4800
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4800.yml

Event ID 4801: The workstation was unlocked.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Other Logon/Logoff Events
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event is generated when workstation was unlocked.

Message #

The workstation was unlocked.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4
	Session ID: %5

Fields #

Name	Description
`TargetUserSid` SID	SID of account that requested the "unlock workstation" operation.
`TargetUserName` UnicodeString	The name of the account that requested the "unlock workstation" operation.
`TargetDomainName` UnicodeString	Subject's domain or computer name.
`TargetLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID,.
`SessionId` UInt32	[Subject] Session ID.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4801,
    "version": 0,
    "level": 0,
    "task": 12551,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-12T02:56:05.225999+00:00",
    "event_record_id": 2752626,
    "correlation": {
      "ActivityID": "A84A27DD-91F0-42B5-B4DA-0B267CDC42CF"
    },
    "execution": {
      "process_id": 720,
      "thread_id": 4416
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserSid": "S-1-5-21-3407486967-1585450050-1838039599-1000",
    "TargetUserName": "localuser",
    "TargetDomainName": "LAB-WIN11",
    "TargetLogonId": "0x1b1557",
    "SessionId": 2
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4801
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4801
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4801.yml

Event ID 4802: The screen saver was invoked.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Other Logon/Logoff Events
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event is generated when screen saver was invoked.

Message #

The screen saver was invoked.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4
	Session ID: %5

Fields #

Name	Description
`TargetUserSid` SID	SID of account that requested the "invoke screensaver" operation.
`TargetUserName` UnicodeString	The name of the account that requested the "invoke screensaver" operation.
`TargetDomainName` UnicodeString	Subject's domain or computer name.
`TargetLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID,.
`SessionId` UInt32	Unique ID of a session for which screen saver was invoked.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4802
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4802
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4802.yml

Event ID 4803: The screen saver was dismissed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Other Logon/Logoff Events
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event is generated when screen saver was dismissed.

Message #

The screen saver was dismissed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4
	Session ID: %5

Fields #

Name	Description
`TargetUserSid` SID	SID of account that requested the "dismiss screensaver" operation.
`TargetUserName` UnicodeString	The name of the account that requested the "dismiss screensaver" operation.
`TargetDomainName` UnicodeString	Subject's domain or computer name.
`TargetLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`SessionId` UInt32	Unique ID of a session for which screen saver was dismissed. You can see the list of current session IDs using "query session" command in command prompt.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4803
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4803
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4803.yml

Event ID 4816: RPC detected an integrity violation while decrypting an incoming message.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → System Integrity
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

RPC detected an integrity violation while decrypting an incoming message.

Message #

RPC detected an integrity violation while decrypting an incoming message.

Peer Name: %1
Protocol Sequence: %2
Security Error: %3

Fields #

Name	Description
`PeerName` UnicodeString	Peer Name
`ProtocolSequence` UnicodeString	Protocol Sequence
`SecurityError` UInt32	Security Error

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4816
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4816

Event ID 4817: Auditing settings on object were changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Audit Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Auditing settings on object were changed.

Message #

Auditing settings on object were changed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6
	Object Name: %7

Auditing Settings:
	Original Security Descriptor: %8
	New Security Descriptor: %9

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that made a change to Global Object Access Auditing policy.
`SubjectUserName` UnicodeString	The name of the account that made a change to Global Object Access Auditing policy.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`ObjectServer` UnicodeString	[Object] Object Server.
`ObjectType` UnicodeString	The type of an object to which this event applies. Always "Global SACL" for this event.
`ObjectName` UnicodeString	Key - if "Registry" Global Object Access Auditing policy was changed. File - if "File system" Global Object Access Auditing policy was changed.
`OldSd` UnicodeString	The old Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy.
`NewSd` UnicodeString	The new Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy.

Community Notes #

Attackers that wish to suppress object-access logging can clear/replace the global SACL.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4817
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4817
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4817.yml

Event ID 4818: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Central Policy Staging
Opcode: Info

Description

Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.

Message #

Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6
	Object Name: %7
	Handle ID: %8

Process Information:
	Process ID: %9
	Process Name: %10

Current Central Access Policy results:

	Access Reasons: %11
Proposed Central Access Policy results that differ from the current Central Access Policy results:

	Access Reasons: %12

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that made an access request.
`SubjectUserName` UnicodeString	The name of the account that made an access request.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`ObjectServer` UnicodeString	Has "Security" value for this event.
`ObjectType` UnicodeString	The type of an object that was accessed during the operation. Always "File" for this event.
`ObjectName` UnicodeString	Full path and name of the file or folder for which access was requested.
`HandleId` Pointer	Hexadecimal value of a handle to Object Name.
`ProcessId` Pointer	Hexadecimal Process ID of the process through which the access was requested.
`ProcessName` UnicodeString	Full path and the name of the executable for the process.
`AccessReason` UnicodeString	[Current Central Access Policy results] Access Reasons. Known values `%%1801` Granted by `%%1802` Denied by `%%1803` Denied by Integrity Policy check `%%1804` Granted by Ownership `%%1805` Not granted `%%1806` Granted by NULL DACL `%%1807` Denied by Empty DACL `%%1808` Granted by NULL Security Descriptor `%%1809` Unknown or unchecked `%%1810` Not granted due to missing `%%1811` Granted by ACE on parent folder `%%1812` Denied by ACE on parent folder `%%1813` Granted by Central Access Rule `%%1814` NOT Granted by Central Access Rule `%%1815` Granted by parent folder's Central Access Rule `%%1816` NOT Granted by parent folder's Central Access Rule `%%1830` Not granted to AppContainers `%%1841` Denied by Process Trust Label ACE `%%1856` Denied by Access Filter Ace
`StagingReason` UnicodeString	[Proposed Central Access Policy results that differ from the current Central Access Policy results] Access Reasons.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4818
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-central-access-policy-staging
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4818
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4818.yml

Event ID 4819: Central Access Policies on the machine have been changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Other Policy Change Events
Opcode: Info

Description

Central Access Policies on the machine have been changed.

Message #

Central Access Policies on the machine have been changed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6

CAPs Added:%7

CAPs Deleted:%8

CAPs Modified:%9

CAPs As-Is:%10

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that changed the Central Access Policies on the machine.
`SubjectUserName` UnicodeString	The name of the account that changed the Central Access Policies on the machine.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`ObjectServer` UnicodeString	[Object] Object Server.
`ObjectType` UnicodeString	The type of an object to which this event applies. Always "Central Access Policies" for this event.
`AddedCAPs` UnicodeString	The list of added Central Access Policies. Empty if no Central Access Policies were added.
`DeletedCAPs` UnicodeString	The list of deleted Central Access Policies. Empty if no Central Access Policies were deleted.
`ModifiedCAPs` UnicodeString	The list of modified Central Access Policies. Empty if no Central Access Policies were modified.
`AsIsCAPs` UnicodeString	The list of non-modified Central Access Policies.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4819
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4819
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4819.yml

Event ID 4820: A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Collection Priority: Recommended (ASD, others)
Opcode: Info

Description

A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.

Message #

A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.

Account Information:
	Account Name: %1
	Supplied Realm Name: %2
	User ID: %3

Authentication Policy Information:
	Silo Name: %16
	Policy Name: %17
	TGT Lifetime: %18

Device Information:
	Device Name: %4

Service Information:
	Service Name: %5
	Service ID: %6

Network Information:
	Client Address: %11
	Client Port: %12

Additional Information:
	Ticket Options: %7
	Result Code: %8
	Ticket Encryption Type: %9
	Pre-Authentication Type: %10

Certificate Information:
	Certificate Issuer Name: %13
	Certificate Serial Number: %14
	Certificate Thumbprint: %15

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

Fields #

Name	Description
`TargetUserName` UnicodeString	[Account Information] Account Name
`TargetDomainName` UnicodeString	[Account Information] Supplied Realm Name
`TargetSid` SID	[Account Information] User ID
`DeviceName` UnicodeString	[Device Information] Device Name
`ServiceName` UnicodeString	[Service Information] Service Name
`ServiceSid` SID	[Service Information] Service ID
`TicketOptions` HexInt32	[Additional Information] Ticket Options Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired) `0x00800000` Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time) `0x00400000` Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange) `0x00200000` Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket) `0x00100000` Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested) `0x00010000` Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15) `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`Status` HexInt32	[Additional Information] Result Code NTSTATUS reference
`TicketEncryptionType` HexInt32	[Additional Information] Ticket Encryption Type Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified
`PreAuthType` UnicodeString	[Additional Information] Pre-Authentication Type Known values `0` PA-NONE `2` PA-ENC-TIMESTAMP `11` PA-ETYPE-INFO `14` PA-PK-AS-REQ-OLD `15` PA-PK-AS-REQ `16` PA-PK-AS-REP `17` PA-ETYPE-INFO2 `19` PA-ETYPE-INFO2 `20` PA-SVR-REFERRAL-INFO `128` PA-SUPPORTED-ENCTYPES `129` PA-PAC-OPTIONS `165` PA-SPAKE
`IpAddress` UnicodeString	[Network Information] Client Address
`IpPort` UnicodeString	[Network Information] Client Port
`CertIssuerName` UnicodeString	[Certificate Information] Certificate Issuer Name
`CertSerialNumber` UnicodeString	[Certificate Information] Certificate Serial Number
`CertThumbprint` UnicodeString	[Certificate Information] Certificate Thumbprint
`SiloName` UnicodeString	[Authentication Policy Information] Silo Name
`PolicyName` UnicodeString	[Authentication Policy Information] Policy Name
`TGTLifetime` UInt32	[Authentication Policy Information] TGT Lifetime

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4820

Event ID 4821: A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Collection Priority: Recommended (ASD)
Opcode: Info

Description

A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.

Message #

A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.

Account Information:
	Account Name: %1
	Account Domain: %2
	Logon GUID: %11

Authentication Policy Information:
	Silo Name: %13
	Policy Name: %14

Device Information:
	Device Name: %3

Service Information:
	Service Name: %4
	Service ID: %5

Network Information:
	Client Address: %8
	Client Port: %9

Additional Information:
	Ticket Options: %6
	Ticket Encryption Type: %7
	Failure Code: %10
	Transited Services: %12

This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

Fields #

Name	Description
`TargetUserName` UnicodeString	[Account Information] Account Name
`TargetDomainName` UnicodeString	[Account Information] Account Domain
`DeviceName` UnicodeString	[Device Information] Device Name
`ServiceName` UnicodeString	[Service Information] Service Name
`ServiceSid` SID	[Service Information] Service ID
`TicketOptions` HexInt32	[Additional Information] Ticket Options Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired) `0x00800000` Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time) `0x00400000` Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange) `0x00200000` Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket) `0x00100000` Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested) `0x00010000` Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15) `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`TicketEncryptionType` HexInt32	[Additional Information] Ticket Encryption Type Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified
`IpAddress` UnicodeString	[Network Information] Client Address
`IpPort` UnicodeString	[Network Information] Client Port
`Status` HexInt32	[Additional Information] Failure Code NTSTATUS reference
`LogonGuid` GUID	[Account Information] Logon GUID
`TransitedServices` UnicodeString	[Additional Information] Transited Services
`SiloName` UnicodeString	[Authentication Policy Information] Silo Name
`PolicyName` UnicodeString	[Authentication Policy Information] Policy Name

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4821

Event ID 4822: NTLM authentication failed because the account was a member of the Protected User group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Collection Priority: Recommended (ASD)
Opcode: Info

Description

NTLM authentication failed because the account was a member of the Protected User group.

Message #

NTLM authentication failed because the account was a member of the Protected User group.

Account Name: %1
Device Name: %2
Error Code: %3

Fields #

Name	Description
`AccountName` UnicodeString	Account Name
`DeviceName` UnicodeString	Device Name
`Status` HexInt32	Error Code NTSTATUS reference

Community Notes #

NTLM authentication was blocked because the account is a member of the Protected Users group. Protected Users cannot authenticate via NTLM.

The Status field is an NTSTATUS code:

Code	Name	Description
0xC000006D	STATUS_LOGON_FAILURE	Generic failure
0xC000006E	STATUS_ACCOUNT_RESTRICTION	Protected User restriction prevented NTLM

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4822

Event ID 4823: NTLM authentication failed because access control restrictions are required.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Opcode: Info

Description

NTLM authentication failed because access control restrictions are required.

Message #

NTLM authentication failed because access control restrictions are required.

Account Name: %1
Device Name: %2
Error Code: %3

Authentication Policy Information:
	Silo Name: %4
	PolicyName: %5

Fields #

Name	Description
`AccountName` UnicodeString	Account Name
`DeviceName` UnicodeString	Device Name
`Status` HexInt32	Error Code NTSTATUS reference
`SiloName` UnicodeString	[Authentication Policy Information] Silo Name
`PolicyName` UnicodeString	[Authentication Policy Information] PolicyName.

Community Notes #

NTLM authentication was blocked by access control restrictions (authentication policy or silo).

The Status field is an NTSTATUS code:

Code	Name	Description
0xC000006D	STATUS_LOGON_FAILURE	Generic failure
0xC0000413	STATUS_AUTHENTICATION_FIREWALL_FAILED	Blocked by authentication policy/silo

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4823

Event ID 4824: Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Collection Priority: Recommended (ASD)
Opcode: Info

Description

Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.

Message #

Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.

Account Information:
	Security ID: %2
	Account Name: %1

Service Information:
	Service Name: %3

Network Information:
	Client Address: %7
	Client Port: %8

Additional Information:
	Ticket Options: %4
	Failure Code: %5
	Pre-Authentication Type: %6

Certificate Information:
	Certificate Issuer Name: %9
	Certificate Serial Number: %10
	Certificate Thumbprint: %11

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Fields #

Name	Description
`TargetUserName` UnicodeString	[Account Information] Account Name
`TargetSid` SID	[Account Information] Security ID
`ServiceName` UnicodeString	[Service Information] Service Name
`TicketOptions` HexInt32	[Additional Information] Ticket Options Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired) `0x00800000` Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time) `0x00400000` Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange) `0x00200000` Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket) `0x00100000` Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested) `0x00010000` Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15) `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`Status` HexInt32	[Additional Information] Failure Code NTSTATUS reference
`PreAuthType` UnicodeString	[Additional Information] Pre-Authentication Type Known values `0` PA-NONE `2` PA-ENC-TIMESTAMP `11` PA-ETYPE-INFO `14` PA-PK-AS-REQ-OLD `15` PA-PK-AS-REQ `16` PA-PK-AS-REP `17` PA-ETYPE-INFO2 `19` PA-ETYPE-INFO2 `20` PA-SVR-REFERRAL-INFO `128` PA-SUPPORTED-ENCTYPES `129` PA-PAC-OPTIONS `165` PA-SPAKE
`IpAddress` UnicodeString	[Network Information] Client Address
`IpPort` UnicodeString	[Network Information] Client Port
`CertIssuerName` UnicodeString	[Certificate Information] Certificate Issuer Name
`CertSerialNumber` UnicodeString	[Certificate Information] Certificate Serial Number
`CertThumbprint` UnicodeString	[Certificate Information] Certificate Thumbprint

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4824

Event ID 4825: A user was denied the access to Remote Desktop.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Other Logon/Logoff Events
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.

Message #

A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.

Subject:
	User Name: %1
	Domain: %2
	Logon ID: %3

Additional Information:
	Client Address: %4


This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.

Fields #

Name	Description
`AccountName`	The name of the account that requested the "invoke screensaver" operation.
`AccountDomain`	SID of account that requested the "invoke screensaver" operation.
`LogonID`	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`ClientAddress`	IP address of the computer from which the session was disconnected.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4825,
    "version": 0,
    "level": 0,
    "task": 12551,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2020-07-12T05:27:05.579704Z",
    "event_record_id": 1231498,
    "correlation": {},
    "execution": {
      "process_id": 464,
      "thread_id": 992
    },
    "channel": "Security",
    "computer": "fs02.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AccountName": "svc6test1",
    "AccountDomain": "OFFSEC",
    "LogonID": "0x3457272",
    "ClientAddress": "10.23.23.9"
  }
}

Detection Rules #

Sigma # view in coverage

Denied Access To Remote Desktop source medium: This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available windows servers in the network.
Denied RDP login with valid credentials source medium: Detects scenarios where an attacker tries to move laterally using RDP and access attempt is blocked due to restricted logon policies.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4825.yml

Event ID 4826: Boot Configuration Data loaded.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Other Policy Change Events
Collection Priority: Recommended (JSCU-NL)
Opcode: Info

Description

This event generates every time system starts and load current Boot Configuration Data.

Message #

Boot Configuration Data loaded.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

General Settings:
	Load Options: %5
	Advanced Options: %6
	Configuration Access Policy: %7
	System Event Logging: %8
	Kernel Debugging: %9
	VSM Launch Type: %10

Signature Settings:
	Test Signing: %11
	Flight Signing: %12
	Disable Integrity Checks: %13

HyperVisor Settings:
	HyperVisor Load Options: %14
	HyperVisor Launch Type: %15
	HyperVisor Debugging: %16

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that reported this event.
`SubjectUserName` UnicodeString	The name of the account that reported this event. Always "-" for this event.
`SubjectDomainName` UnicodeString	Subject's domain or computer name. Always "-" for this event.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`LoadOptions` UnicodeString	There is no information about this field in this document.
`AdvancedOptions` UnicodeString	Shows whether Windows is configured for system boot to the legacy menu (F8 menu) on the next boot (Yes or No). You can enable advanced boot using "bcdedit /set onetimeadvancedoptions yes" command.
`ConfigAccessPolicy` UnicodeString	There is no information about this field in this document.
`RemoteEventLogging` UnicodeString	There is no information about this field in this document.
`KernelDebug` UnicodeString	Shows whether Windows kernel debugging is enabled or not (Yes or No). You can enable kernel debugging using "bcdedit /debug on" command.
`VsmLaunchType` UnicodeString	There is no information about this field in this document.
`TestSigning` UnicodeString	Shows whether Windows test signing is enabled or not (Yes or No). You can disable test signing using "bcdedit /set testsigning off" command.
`FlightSigning` UnicodeString	Shows whether Windows flight signing (which allows flight-signed code signing certificates) is enabled or not (Yes or No). You can disable flight signing using "bcdedit /set flightsigning off" command.
`DisableIntegrityChecks` UnicodeString	Shows whether Windows integrity check is disabled or not (Yes or No). You can disable integrity checks using "bcdedit /set nointegritychecks on" command.
`HypervisorLoadOptions` UnicodeString	Shows hypervisor loadoptions.
`HypervisorLaunchType` UnicodeString	Shows the hypervisor launch options (Off or Auto). If you are setting up a debugger to debug Hyper-V on a target computer, set this option to Auto on the target computer. Known values `%%1848` Off - hypervisor is not launched at boot `%%1849` Auto - hypervisor launches automatically at boot (required for Hyper-V and VBS)
`HypervisorDebug` UnicodeString	Shows the hypervisor launch options (Off or Auto). If you are setting up a debugger to debug Hyper-V on a target computer, set this option to Auto on the target computer.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4826,
    "version": 0,
    "level": 0,
    "task": 13573,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:32:46.0531272+00:00",
    "event_record_id": 1715899,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 176
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "-",
    "SubjectDomainName": "-",
    "SubjectLogonId": "0x3e7",
    "LoadOptions": "-",
    "AdvancedOptions": "%%1843",
    "ConfigAccessPolicy": "%%1846",
    "RemoteEventLogging": "%%1843",
    "KernelDebug": "%%1843",
    "VsmLaunchType": "%%1848",
    "TestSigning": "%%1843",
    "FlightSigning": "%%1843",
    "DisableIntegrityChecks": "%%1843",
    "HypervisorLoadOptions": "-",
    "HypervisorLaunchType": "%%1848",
    "HypervisorDebug": "%%1843"
  },
  "message": "Boot Configuration Data loaded.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x3E7\r\n\r\nGeneral Settings:\r\n\tLoad Options:\t\t-\r\n\tAdvanced Options:\t\tNo\r\n\tConfiguration Access Policy:\tDefault\r\n\tSystem Event Logging:\tNo\r\n\tKernel Debugging:\tNo\r\n\tVSM Launch Type:\tOff\r\n\r\nSignature Settings:\r\n\tTest Signing:\t\tNo\r\n\tFlight Signing:\t\tNo\r\n\tDisable Integrity Checks:\tNo\r\n\r\nHyperVisor Settings:\r\n\tHyperVisor Load Options:\t-\r\n\tHyperVisor Launch Type:\tOff\r\n\tHyperVisor Debugging:\tNo"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4826
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4826
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4826.yml

Event ID 4830: SID History was removed from an account.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Opcode: Info

Description

SID History was removed from an account.

Message #

SID History was removed from an account.

Subject:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9

Target Account:
	Security ID: %5
	Account Name: %3
	Account Domain: %4

Additional Information:
	Privileges: %10
	SID List: %11

Fields #

Name	Description
`SourceUserName` UnicodeString
`SourceSid` SID
`TargetUserName` UnicodeString	[Target Account] Account Name
`TargetDomainName` UnicodeString	[Target Account] Account Domain
`TargetSid` SID	[Target Account] Security ID
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`PrivilegeList` UnicodeString	[Additional Information] Privileges Privilege constants reference
`SidList` UnicodeString	[Additional Information] SID List

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4830

Event ID 4864: A namespace collision was detected.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Authentication Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

A namespace collision was detected.

Message #

A namespace collision was detected.

Target Type: %1
Target Name: %2
Forest Root: %3
Top Level Name: %4
DNS Name: %5
NetBIOS Name: %6
Security ID: %7
New Flags: %8

Fields #

Name	Description
`CollisionTargetType` UInt32	Target Type
`CollisionTargetName` UnicodeString	Target Name
`ForestRoot` UnicodeString	Forest Root
`TopLevelName` UnicodeString	Top Level Name
`DnsName` UnicodeString	DNS Name
`NetbiosName` UnicodeString	NetBIOS Name
`DomainSid` SID	Security ID
`Flags` UInt32	New Flags

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4864
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4864

Event ID 4865: A trusted forest information entry was added.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Authentication Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates when new trusted forest information entry was added.

Message #

A trusted forest information entry was added.

Subject:
	Security ID: %10
	Account Name: %11
	Account Domain: %12
	Logon ID: %13

Trust Information:
	Forest Root: %1
	Forest Root SID: %2
	Operation ID: %3
	Entry Type: %4
	Flags: %5
	Top Level Name: %6
	DNS Name: %7
	NetBIOS Name: %8
	Domain SID: %9

Fields #

Name	Description
`ForestRoot`	The name of the Active Directory forest for which trusted forest information entry was added.
`ForestRootSid`	The SID of the Active Directory forest for which trusted forest information entry was added.
`OperationId`	Unique hexadecimal identifier of the operation. You can correlate this event with other events (4866(S): A trusted forest information entry was removed, 4867(S): A trusted forest information entry was modified.) using this field.
`EntryType`	The type of added entry. Known values `0` ForestTrustTopLevelName - DNS name of the trusted forest (LSA_UNICODE_STRING record) `1` ForestTrustTopLevelNameEx - name suffix exception for the trusted forest (LSA_UNICODE_STRING record) `2` ForestTrustDomainInfo - record containing identification and name information for a domain in the trusted forest
`Flags` UInt32	[Trust Information] Flags.
`TopLevelName`	The name of the new trusted forest information entry.
`DnsName`	DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as "-".
`NetbiosName`	NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as "-".
`DomainSid`	ID of the trust partner. This parameter might not be captured in the event, and in that case appears as "NULL SID".
`SubjectUserSid`	]: SID of account that requested the "add a trusted forest information entry" operation.
`SubjectUserName`	The name of the account that requested the "add a trusted forest information entry" operation.
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4865,
    "version": 0,
    "level": 0,
    "task": 13569,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2024-06-22T14:02:41.749935Z",
    "event_record_id": 3175613,
    "correlation": {},
    "execution": {
      "process_id": 596,
      "thread_id": 3360
    },
    "channel": "Security",
    "computer": "CDCWTRDC01.mypartner.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ForestRoot": "rootblue.lan",
    "ForestRootSid": "S-1-5-21-392370121-190461309-2151315433",
    "OperationId": "0xffadf358",
    "EntryType": 0,
    "Flags": 0,
    "TopLevelName": "rootblue.lan",
    "DnsName": "-",
    "NetbiosName": "-",
    "DomainSid": "S-1-0-0",
    "SubjectUserSid": "S-1-5-21-1407145384-2259788832-4099636412-500",
    "SubjectUserName": "Administrator",
    "SubjectDomainName": "MYPARTNER",
    "SubjectLogonId": "0xffad8559"
  }
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4865
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4865
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4865.yml

Event ID 4866: A trusted forest information entry was removed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Authentication Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates when the trusted forest information entry was removed.

Message #

A trusted forest information entry was removed.

Subject:
	Security ID: %10
	Account Name: %11
	Account Domain: %12
	Logon ID: %13

Trust Information:
	Forest Root: %1
	Forest Root SID: %2
	Operation ID: %3
	Entry Type: %4
	Flags: %5
	Top Level Name: %6
	DNS Name: %7
	NetBIOS Name: %8
	Domain SID: %9

Fields #

Name	Description
`ForestRoot` UnicodeString	The name of the Active Directory forest for which trusted forest information entry was removed.
`ForestRootSid` SID	The SID of the Active Directory forest for which trusted forest information entry was removed.
`OperationId` HexInt64	Unique hexadecimal identifier of the operation. You can correlate this event with other events (4865(S): A trusted forest information entry was added, 4867(S): A trusted forest information entry was modified.) using this field.
`EntryType` UInt32	[Trust Information] Entry Type. Known values `0` ForestTrustTopLevelName - DNS name of the trusted forest (LSA_UNICODE_STRING record) `1` ForestTrustTopLevelNameEx - name suffix exception for the trusted forest (LSA_UNICODE_STRING record) `2` ForestTrustDomainInfo - record containing identification and name information for a domain in the trusted forest
`Flags` UInt32	[Trust Information] Flags.
`TopLevelName` UnicodeString	The name of the removed trusted forest information entry.
`DnsName` UnicodeString	DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as "-".
`NetbiosName` UnicodeString	NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as "-".
`DomainSid` SID	SID of the trust partner. This parameter might not be captured in the event, and in that case appears as "NULL SID".
`SubjectUserSid` SID	SID of account that requested the "remove a trusted forest information entry" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "remove a trusted forest information entry" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4866
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4866
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4866.yml

Event ID 4867: A trusted forest information entry was modified.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Authentication Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

A trusted forest information entry was modified.

Message #

A trusted forest information entry was modified.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Trust Information:
	Forest Root: %5
	Forest Root SID: %6
	Operation ID: %7
	Entry Type: %8
	Flags: %9
	Top Level Name: %10
	DNS Name: %11
	NetBIOS Name: %12
	Domain SID: %13

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested the "modify/change a trusted forest information entry" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "modify/change a trusted forest information entry" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`ForestRoot` UnicodeString	The name of the Active Directory forest for which trusted forest information entry was modified.
`ForestRootSid` SID	The SID of the Active Directory forest for which trusted forest information entry was modified.
`OperationId` HexInt64	Unique hexadecimal identifier of the operation. You can correlate this event with other events (4865(S): A trusted forest information entry was added, 4866(S): A trusted forest information entry was removed) using this field.
`EntryType` UInt32	[Trust Information] Entry Type. Known values `0` ForestTrustTopLevelName - DNS name of the trusted forest (LSA_UNICODE_STRING record) `1` ForestTrustTopLevelNameEx - name suffix exception for the trusted forest (LSA_UNICODE_STRING record) `2` ForestTrustDomainInfo - record containing identification and name information for a domain in the trusted forest
`Flags` UInt32	[Trust Information] Flags.
`TopLevelName` UnicodeString	The name of the modified trusted forest information entry.
`DnsName` UnicodeString	DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as "-".
`NetbiosName` UnicodeString	NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as "-".
`DomainSid` SID	SID of the trust partner. This parameter might not be captured in the event, and in that case appears as "NULL SID".

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4867
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4867
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4867.yml

Event ID 4868: The certificate manager denied a pending certificate request.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

The certificate manager denied a pending certificate request.

Message #

The certificate manager denied a pending certificate request.
	
Request ID: %1

Fields #

Name	Description
`RequestId` UnicodeString	Request ID
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4868,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:08:24.594746+00:00",
    "event_record_id": 16623084,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 7996
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "RequestId": "25",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xbefec"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4868
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4868

Event ID 4869: Certificate Services received a resubmitted certificate request.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Certificate Services received a resubmitted certificate request.

Message #

Certificate Services received a resubmitted certificate request.
	
Request ID: %1

Fields #

Name	Description
`RequestId` UnicodeString	Request ID
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4869,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:08:24.180321+00:00",
    "event_record_id": 16623046,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 7996
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "RequestId": "24",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xbefec"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4869
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4869

Event ID 4870: Certificate Services revoked a certificate.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

Certificate Services revoked a certificate.

Message #

Certificate Services revoked a certificate.
	
Serial Number: %1
Reason: %2

Fields #

Name	Description
`CertificateSerialNumber` UnicodeString	Serial Number
`RevocationReason` UnicodeString	Reason
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4870,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:33:19.492410+00:00",
    "event_record_id": 16716905,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 10484
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CertificateSerialNumber": "610000002bdea5d59e7a0734f300000000002b",
    "RevocationReason": "1",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xbefec"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4870
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4870

Event ID 4871: Certificate Services received a request to publish the certificate revocation list (CRL).

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Certificate Services received a request to publish the certificate revocation list (CRL).

Message #

Certificate Services received a request to publish the certificate revocation list (CRL).
	
Next Update: %1
Publish Base: %2
Publish Delta: %3

Fields #

Name	Description
`NextUpdate` UnicodeString	Next Update
`NextPublishForBaseCRL` UnicodeString	Publish Base
`NextPublishForDeltaCRL` UnicodeString	Publish Delta
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4871,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:06:22.125599+00:00",
    "event_record_id": 16618007,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 10928
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "NextUpdate": "0",
    "NextPublishForBaseCRL": "Yes",
    "NextPublishForDeltaCRL": "No",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xbefec"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4871
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4871

Event ID 4872: Certificate Services published the certificate revocation list (CRL).

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Certificate Services published the certificate revocation list (CRL).

Message #

Certificate Services published the certificate revocation list (CRL).
	
Base CRL: %1
CRL Number: %2
Key Container: %3
Next Publish: %4
Publish URLs: %5

Fields #

Name	Description
`IsBaseCRL` UnicodeString	Base CRL
`CRLNumber` UnicodeString	CRL Number
`KeyContainer` UnicodeString	Key Container
`NextPublish` UnicodeString	Next Publish
`PublishURLs` UnicodeString	Publish URLs

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4872,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:06:22.155871+00:00",
    "event_record_id": 16618025,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 11144
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IsBaseCRL": "Yes",
    "CRLNumber": "12",
    "KeyContainer": "EvtGen-Root-CA",
    "NextPublish": "3/20/2026 11:06 PM 22.125s",
    "PublishURLs": "C:\\Windows\\system32\\CertSrv\\CertEnroll\\EvtGen-Root-CA.crl; ldap:///CN=EvtGen-Root-CA,CN=LAB-DC01,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ludus,DC=domain; http://crl.ludus.domain/crldist/EvtGen-Root-CA.crl; "
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4872
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4872

Event ID 4873: A certificate request extension changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

A certificate request extension changed.

Message #

A certificate request extension changed.
	
Request ID: %1
Name: %2
Type: %3
Flags: %4
Data: %5

Fields #

Name	Description
`RequestId` UnicodeString	Request ID
`ExtensionName` UnicodeString	Name
`ExtensionDataType` UnicodeString	Type
`ExtensionPolicyFlags` UnicodeString	Flags
`ExtensionData` UnicodeString	Data
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4873,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:33:40.140844+00:00",
    "event_record_id": 16717578,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 13880
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "RequestId": "44",
    "ExtensionName": "2.5.29.17",
    "ExtensionDataType": "4",
    "ExtensionPolicyFlags": "0",
    "ExtensionData": "MwAwADIAMAA4ADIAMQAyADYAZAA2AGYANgA0ADYAOQA2ADYANgA5ADYANQA2ADQA\r\nMgBlADYAYwA3ADUANgA0ADcANQA3ADMAMgBlADYANAA2AGYANgBkADYAMQA2ADkA\r\nNgBlAAAA\r\n",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xbefec"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4873
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4873

Event ID 4874: One or more certificate request attributes changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

One or more certificate request attributes changed.

Message #

One or more certificate request attributes changed.
	
Request ID: %1
Attributes: %2

Fields #

Name	Description
`RequestId` UnicodeString	Request ID
`Attributes` UnicodeString	Attributes
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4874,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:33:40.086555+00:00",
    "event_record_id": 16717575,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 13880
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "RequestId": "44",
    "Attributes": "CertificateTemplate:WebServer\nSAN:dns=modified.ludus.domain",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xbefec"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4874
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4874

Event ID 4875: Certificate Services received a request to shut down.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Certificate Services received a request to shut down.

Message #

Certificate Services received a request to shut down.

Fields #

Name	Description
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4875
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4875

Event ID 4876: Certificate Services backup started.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Certificate Services backup started.

Message #

Certificate Services backup started.

Backup Type: %1

Fields #

Name	Description
`BackupType`
`SubjectUserSid`
`SubjectUserName`
`SubjectDomainName`
`SubjectLogonId`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4876,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2024-09-03T10:41:30.959534Z",
    "event_record_id": 376329,
    "correlation": {
      "#attributes": {
        "ActivityID": "D702B00C-FB0E-0000-8CB1-02D70EFBDA01"
      }
    },
    "execution": {
      "process_id": 640,
      "thread_id": 4156
    },
    "channel": "Security",
    "computer": "CDCWPKI01.rootblue.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "BackupType": "1",
    "SubjectUserSid": "S-1-5-21-392370121-190461309-2151315433-1108",
    "SubjectUserName": "domadm",
    "SubjectDomainName": "ROOTBLUE",
    "SubjectLogonId": "0x91861a6"
  }
}

Detection Rules #

Security-Auditing Event ID 4882: The security permissions for Certificate Services changed.OREvent ID 4890: The certificate manager settings for Certificate Services changed.OREvent ID 4891: A configuration entry changed in Certificate Services.OREvent ID 4892: A property of Certificate Services changed.

Splunk # view in coverage

Windows Steal Authentication Certificates CS Backup source: The following analytic identifies the backup of the Active Directory Certificate Services (AD CS) store, detected via Event ID 4876. This event is logged when a backup is performed using the CertSrv.msc UI or the CertUtil.exe -BackupDB…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4876
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4876
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 4877: Certificate Services backup completed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Certificate Services backup completed.

Message #

Certificate Services backup completed.

Fields #

Name	Description
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4877,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2024-09-03T10:41:31.145540Z",
    "event_record_id": 376330,
    "correlation": {
      "#attributes": {
        "ActivityID": "D702B00C-FB0E-0000-8CB1-02D70EFBDA01"
      }
    },
    "execution": {
      "process_id": 640,
      "thread_id": 4156
    },
    "channel": "Security",
    "computer": "CDCWPKI01.rootblue.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-392370121-190461309-2151315433-1108",
    "SubjectUserName": "domadm",
    "SubjectDomainName": "ROOTBLUE",
    "SubjectLogonId": "0x91861a6"
  }
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4877
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4877
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 4878: Certificate Services restore started.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Certificate Services restore started.

Message #

Certificate Services restore started.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4878,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:07:16.319460+00:00",
    "event_record_id": 16620403,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 7996
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4878
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4878

Event ID 4879: Certificate Services restore completed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Certificate Services restore completed.

Message #

Certificate Services restore completed.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4879,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:07:16.488901+00:00",
    "event_record_id": 16620407,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 10556
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4879
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4879

Event ID 4880: Certificate Services started.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

Certificate Services started.

Message #

Certificate Services started.
	
Certificate Database Hash: %1
Private Key Usage Count: %2
CA Certificate Hash: %3
CA Public Key Hash: %4

Fields #

Name	Description
`CertificateDatabaseHash` UnicodeString	Certificate Database Hash
`PrivateKeyUsageCount` UnicodeString	Private Key Usage Count
`CACertificateHash` UnicodeString	CA Certificate Hash
`CAPublicKeyHash` UnicodeString	CA Public Key Hash

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4880,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:06:16.234546+00:00",
    "event_record_id": 16617450,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 11176
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CertificateDatabaseHash": "39 e5 71 24 c8 5b 7c 70 eb b5 fe f2 ad a7 5a 6e 86 f3 07 b7 31 99 8a b1 58 99 bd e2 05 c3 cf d8",
    "PrivateKeyUsageCount": "0",
    "CACertificateHash": "8e ae 36 d1 31 a0 5b f0 26 c6 a5 88 f9 49 6a 8a 61 7a f2 47",
    "CAPublicKeyHash": "10 fd 42 f3 9a b3 ca e2 96 a8 46 58 af 42 91 9d 14 c5 0f 27"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4880
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4880

Event ID 4881: Certificate Services stopped.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

Certificate Services stopped.

Message #

Certificate Services stopped.
	
Certificate Database Hash: %1
Private Key Usage Count: %2
CA Certificate Hash: %3
CA Public Key Hash: %4

Fields #

Name	Description
`CertificateDatabaseHash` UnicodeString	Certificate Database Hash
`PrivateKeyUsageCount` UnicodeString	Private Key Usage Count
`CACertificateHash` UnicodeString	CA Certificate Hash
`CAPublicKeyHash` UnicodeString	CA Public Key Hash

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4881,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:06:22.990852+00:00",
    "event_record_id": 16618219,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 7996
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CertificateDatabaseHash": "a0 ab 10 37 23 dd ba cf 3c 7d 38 4e dd 3a 27 c3 10 39 c7 cb 54 17 10 36 45 3a 7c 3d 63 42 83 55",
    "PrivateKeyUsageCount": "0",
    "CACertificateHash": "8e ae 36 d1 31 a0 5b f0 26 c6 a5 88 f9 49 6a 8a 61 7a f2 47",
    "CAPublicKeyHash": "10 fd 42 f3 9a b3 ca e2 96 a8 46 58 af 42 91 9d 14 c5 0f 27"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4881
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4881

Event ID 4882: The security permissions for Certificate Services changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

The security permissions for Certificate Services changed.

Message #

The security permissions for Certificate Services changed.
	
%1

Fields #

Name	Description
`SecuritySettings` UnicodeString
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4882,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-30T16:00:42.1770142+00:00",
    "event_record_id": 23699782,
    "correlation": {
      "ActivityID": "{00BC2CE4-52BD-4592-A8D2-A2D43DF20CC6}"
    },
    "execution": {
      "process_id": 1124,
      "thread_id": 1880
    },
    "channel": "Security",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SecuritySettings": "\nAllow(0x00000200)\tNT AUTHORITY\\Authenticated Users\n\tEnroll\nAllow(0x00000003)\tludus\\Domain Admins\n\tCA Administrator\n\tCertificate Manager\nAllow(0x00000200)\tludus\\domainuser\n\tEnroll\nAllow(0x00000003)\tludus\\Enterprise Admins\n\tCA Administrator\n\tCertificate Manager\nAllow(0x00000003)\tBUILTIN\\Administrators\n\tCA Administrator\n\tCertificate Manager\n",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0x1637da"
  },
  "message": "The security permissions for Certificate Services changed.\r\n\t\r\n\nAllow(0x00000200)\tNT AUTHORITY\\Authenticated Users\n\tEnroll\nAllow(0x00000003)\tludus\\Domain Admins\n\tCA Administrator\n\tCertificate Manager\nAllow(0x00000200)\tludus\\domainuser\n\tEnroll\nAllow(0x00000003)\tludus\\Enterprise Admins\n\tCA Administrator\n\tCertificate Manager\nAllow(0x00000003)\tBUILTIN\\Administrators\n\tCA Administrator\n\tCertificate Manager\n"
}

Detection Patterns #

Defense Impairment: Modify Authentication Process

1 rule

Splunk

Suspicious Certificate Modification (Windows Event Log) (source)

Community Notes #

Records changes to a CA ACL, may indicate privilege escalation via addition of rogue accounts. Critical for detecting AD CS abuse.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4882
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4882

Event ID 4883: Certificate Services retrieved an archived key.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Certificate Services retrieved an archived key.

Message #

Certificate Services retrieved an archived key.
	
Request ID: %1

Fields #

Name	Description
`RequestId` UnicodeString	Request ID
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4883
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4883

Event ID 4884: Certificate Services imported a certificate into its database.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Certificate Services imported a certificate into its database.

Message #

Certificate Services imported a certificate into its database.
	
Certificate: %1
Request ID: %2

Fields #

Name	Description
`Certificate` UnicodeString	Certificate
`RequestId` UnicodeString	Request ID
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4884
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4884

Event ID 4885: The audit filter for Certificate Services changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

The audit filter for Certificate Services changed.

Message #

The audit filter for Certificate Services changed.
	
Filter: %1

Fields #

Name	Description
`AuditFilter`
`SubjectUserSid`
`SubjectUserName`
`SubjectDomainName`
`SubjectLogonId`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4885,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2024-09-03T10:42:09.373562Z",
    "event_record_id": 376331,
    "correlation": {
      "#attributes": {
        "ActivityID": "D702B00C-FB0E-0000-8CB1-02D70EFBDA01"
      }
    },
    "execution": {
      "process_id": 640,
      "thread_id": 4156
    },
    "channel": "Security",
    "computer": "CDCWPKI01.rootblue.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AuditFilter": "111",
    "SubjectUserSid": "S-1-5-21-392370121-190461309-2151315433-1108",
    "SubjectUserName": "domadm",
    "SubjectDomainName": "ROOTBLUE",
    "SubjectLogonId": "0x91861a6"
  }
}

Community Notes #

May be a prelude to AD CS abuse, ie, ESC1/ESC5.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4885
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4885
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 4886: Certificate Services received a certificate request.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

Certificate Services received a certificate request.

Message #

Certificate Services received a certificate request.
	
Request ID: %1
Requester: %2
Attributes: %3

Fields #

Name	Description	Rules
`RequestId` UnicodeString	Request ID
`Requester` UnicodeString	Requester
`Attributes` UnicodeString	Attributes	4 detection rules
`Subject` UnicodeString
`SubjectAlternativeName` UnicodeString
`CertificateTemplate` UnicodeString
`RequestOSVersion` UnicodeString
`RequestCSPProvider` UnicodeString
`RequestClientInfo` UnicodeString
`AuthenticationService` UnicodeString
`AuthenticationLevel` UnicodeString
`DCOMorRPC` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4886,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:08:24.051496+00:00",
    "event_record_id": 16623040,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 10928
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "RequestId": "24",
    "Requester": "ludus\\domainadmin",
    "Attributes": "\nccm:LAB-DC01.ludus.domain"
  },
  "message": ""
}

Detection Patterns #

Credential Access: Steal or Forge Authentication Certificates

2 rules

Splunk

Certificate Abuse - Windows (Windows Event Log) (source)

Windows Steal Authentication Certificates - ESC1 Abuse (source)

Steven Dick

Credential Access: Steal or Forge Authentication Certificates

Security-Auditing Event ID 4886: Certificate Services received a certificate request.OREvent ID 4887: Certificate Services approved a certificate request and issued a certificate.

2 rules

Splunk

Windows Steal Authentication Certificates - ESC1 Abuse (source)

Steven Dick

Certificate Abuse - Windows (Windows Event Log) (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Attributes`	contains	`certificatetemplate:`	1 rule	splunk
`Attributes`	eq	`SAN:upn*`	1 rule	splunk
`CommandLine`	match	`(?i)request\s.+/ca:.+/(template\|altname):`	1 rule	splunk
`signature_id`	contains	`4688`	1 rule	splunk

Detection Rules #

Certificate Abuse - Windows (Windows Event Log) (source)

Splunk # view in coverage

Windows Steal Authentication Certificates Certificate Request source: The following analytic detects when a new certificate is requested from Certificate Services - AD CS. It leverages Event ID 4886, which indicates that a certificate request has been received. This activity is significant because…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4886
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4886

Event ID 4887: Certificate Services approved a certificate request and issued a certificate.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

Certificate Services approved a certificate request and issued a certificate.

Message #

Certificate Services approved a certificate request and issued a certificate.
	
Request ID: %1
Requester: %2
Attributes: %3
Disposition: %4
SKI: %5
Subject: %6

Fields #

Name	Description
`RequestId` UnicodeString	Request ID
`Requester` UnicodeString	Requester
`Attributes` UnicodeString	Attributes
`Disposition` UnicodeString	Disposition Known values `0` CR_DISP_INCOMPLETE - request did not complete `1` CR_DISP_ERROR - request failed `2` CR_DISP_DENIED - request denied `3` CR_DISP_ISSUED - certificate issued `4` CR_DISP_ISSUED_OUT_OF_BAND - certificate issued separately `5` CR_DISP_UNDER_SUBMISSION - request taken under submission (pending) `6` CR_DISP_REVOKED - issued certificate revoked
`SubjectKeyIdentifier` UnicodeString	SKI
`Subject` UnicodeString	Subject
`SubjectAlternativeName` UnicodeString
`CertificateTemplate` UnicodeString
`SerialNumber` UnicodeString
`AuthenticationService` UnicodeString
`AuthenticationLevel` UnicodeString
`DCOMorRPC` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4887,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:08:24.177448+00:00",
    "event_record_id": 16623045,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 7996
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "RequestId": "24",
    "Requester": "ludus\\domainadmin",
    "Attributes": "",
    "Disposition": "3",
    "SubjectKeyIdentifier": "9d 2a 4f df 25 5d c3 a7 d9 77 60 94 ce 67 60 01 e3 b3 d2 5a",
    "Subject": "CN=pending-test.ludus.domain"
  },
  "message": ""
}

Detection Patterns #

Credential Access: Steal or Forge Authentication Certificates

2 rules

Splunk

Windows Steal Authentication Certificates - ESC1 Abuse (source)

Steven Dick

Credential Access: Steal or Forge Authentication Certificates

Security-Auditing Event ID 4886: Certificate Services received a certificate request.OREvent ID 4887: Certificate Services approved a certificate request and issued a certificate.

2 rules

Splunk

Windows Steal Authentication Certificates - ESC1 Abuse (source)

Steven Dick

Certificate Abuse - Windows (Windows Event Log) (source)

Security-Auditing Event ID 4768: A Kerberos authentication ticket (TGT) was requested.ANDEvent ID 4887: Certificate Services approved a certificate request and issued a certificate.

1 rule

Splunk

Windows Steal Authentication Certificates - ESC1 Authentication (source)

Steven Dick

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Attributes`	contains	`certificatetemplate:`	2 rules	splunk
`Attributes`	eq	`SAN:upn*`	2 rules	splunk
`CommandLine`	match	`(?i)request\s.+/ca:.+/(template\|altname):`	1 rule	splunk
`signature_id`	contains	`4688`	1 rule	splunk

Detection Rules #

Suspicious Certificate Modification (Windows Event Log) (source)

Splunk # view in coverage

Windows Steal Authentication Certificates Certificate Issued source: The following analytic identifies the issuance of a new certificate by Certificate Services - AD CS, detected via Event ID 4887. This event logs the requester user context, DNS hostname of the requesting machine, and the request time.…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4887
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4887

Event ID 4888: Certificate Services denied a certificate request.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

Certificate Services denied a certificate request.

Message #

Certificate Services denied a certificate request.
	
Request ID: %1
Requester: %2
Attributes: %3
Disposition: %4
SKI: %5
Subject: %6

Fields #

Name	Description
`RequestId` UnicodeString	Request ID
`Requester` UnicodeString	Requester
`Attributes` UnicodeString	Attributes
`Disposition` UnicodeString	Disposition Known values `0` CR_DISP_INCOMPLETE - request did not complete `1` CR_DISP_ERROR - request failed `2` CR_DISP_DENIED - request denied `3` CR_DISP_ISSUED - certificate issued `4` CR_DISP_ISSUED_OUT_OF_BAND - certificate issued separately `5` CR_DISP_UNDER_SUBMISSION - request taken under submission (pending) `6` CR_DISP_REVOKED - issued certificate revoked
`SubjectKeyIdentifier` UnicodeString	SKI
`Subject` UnicodeString	Subject
`AuthenticationService` UnicodeString
`AuthenticationLevel` UnicodeString
`DCOMorRPC` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4888,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2026-03-13T23:08:24.592652+00:00",
    "event_record_id": 16623083,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 7996
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "RequestId": "25",
    "Requester": "ludus\\domainadmin",
    "Attributes": "",
    "Disposition": "2",
    "SubjectKeyIdentifier": "4b ac 66 32 5d 08 03 7f ab f7 57 ef c3 3d 27 1f 3b e0 3b 01",
    "Subject": ""
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4888
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4888

Event ID 4889: Certificate Services set the status of a certificate request to pending.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Certificate Services set the status of a certificate request to pending.

Message #

Certificate Services set the status of a certificate request to pending.
	
Request ID: %1
Requester: %2
Attributes: %3
Disposition: %4
SKI: %5
Subject: %6

Fields #

Name	Description
`RequestId` UnicodeString	Request ID
`Requester` UnicodeString	Requester
`Attributes` UnicodeString	Attributes
`Disposition` UnicodeString	Disposition Known values `0` CR_DISP_INCOMPLETE - request did not complete `1` CR_DISP_ERROR - request failed `2` CR_DISP_DENIED - request denied `3` CR_DISP_ISSUED - certificate issued `4` CR_DISP_ISSUED_OUT_OF_BAND - certificate issued separately `5` CR_DISP_UNDER_SUBMISSION - request taken under submission (pending) `6` CR_DISP_REVOKED - issued certificate revoked
`SubjectKeyIdentifier` UnicodeString	SKI
`Subject` UnicodeString	Subject
`AuthenticationService` UnicodeString
`AuthenticationLevel` UnicodeString
`DCOMorRPC` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4889,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:08:24.070591+00:00",
    "event_record_id": 16623042,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 7996
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "RequestId": "24",
    "Requester": "ludus\\domainadmin",
    "Attributes": "\nccm:LAB-DC01.ludus.domain",
    "Disposition": "5",
    "SubjectKeyIdentifier": "9d 2a 4f df 25 5d c3 a7 d9 77 60 94 ce 67 60 01 e3 b3 d2 5a",
    "Subject": ""
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4889
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4889

Event ID 4890: The certificate manager settings for Certificate Services changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

The certificate manager settings for Certificate Services changed.

Message #

The certificate manager settings for Certificate Services changed.
	
Enable: %1

%2

Fields #

Name	Description
`EnableRestrictedPermissions` UnicodeString	Enable
`RestrictedPermissions` UnicodeString
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4890,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-30T16:04:20.9093550+00:00",
    "event_record_id": 23702099,
    "correlation": {
      "ActivityID": "{A4CD6459-8FBA-40FC-98BB-15444BA6A20A}"
    },
    "execution": {
      "process_id": 1124,
      "thread_id": 4540
    },
    "channel": "Security",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EnableRestrictedPermissions": "No",
    "RestrictedPermissions": "",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0x1637da"
  },
  "message": "The certificate manager settings for Certificate Services changed.\r\n\t\r\nEnable:\tNo\r\n\r\n"
}

Detection Patterns #

Defense Impairment: Modify Authentication Process

1 rule

Splunk

Community Notes #

May indicate tampering with permissions to issue trusted certificates and impersonate any domain principal. Can detect AD CS abuse techniques, ie ESC1. Any Subject SID that is not NT AUTHORITY\SYSTEM or approved service identity indicates unauthorized privilege abuse.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4890
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4890

Event ID 4891: A configuration entry changed in Certificate Services.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

A configuration entry changed in Certificate Services.

Message #

A configuration entry changed in Certificate Services.
	
Node: %1
Entry: %2
Value: %3

Fields #

Name	Description
`Node` UnicodeString	Node
`Entry` UnicodeString	Entry
`Value` UnicodeString	Value
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4891,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-30T14:37:37.9214890+00:00",
    "event_record_id": 23602153,
    "correlation": {
      "ActivityID": "{B812EC37-88D7-4689-A630-9BB0D4B9C467}"
    },
    "execution": {
      "process_id": 868,
      "thread_id": 10552
    },
    "channel": "Security",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Node": "",
    "Entry": "OfficerRights",
    "Value": "0x01 0x00 0x04 0x80 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x14 0x00 0x00 0x00 0x02 0x00 0x08 0x00 0x00 0x00 0x00 0x00 ",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xb84b670"
  },
  "message": "A configuration entry changed in Certificate Services.\r\n\t\r\nNode:\t\r\nEntry:\tOfficerRights\r\nValue:\t0x01 0x00 0x04 0x80 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x14 0x00 0x00 0x00 0x02 0x00 0x08 0x00 0x00 0x00 0x00 0x00 "
}

Detection Patterns #

Defense Impairment: Modify Authentication Process

1 rule

Splunk

Suspicious Certificate Modification (Windows Event Log) (source)

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4891
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4891

Event ID 4892: A property of Certificate Services changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

A property of Certificate Services changed.

Message #

A property of Certificate Services changed.
	
Property: %1
Index: %2
Type: %3
Value: %4

Fields #

Name	Description
`PropertyName` UnicodeString	Property
`PropertyIndex` UnicodeString	Index
`PropertyType` UnicodeString	Type
`PropertyValue` UnicodeString	Value
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4892,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:17:14.657793+00:00",
    "event_record_id": 16671442,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 13940
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PropertyName": "29",
    "PropertyIndex": "0",
    "PropertyType": "4",
    "PropertyValue": "EvtGen-CustomWebServer\n1.3.6.1.4.1.311.21.8.1810730.5534\nEvtGen-CustomUser\n1.3.6.1.4.1.311.21.8.7512348.7121\nDirectoryEmailReplication\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.29\nDomainControllerAuthentication\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.28\nKerberosAuthentication\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.33\nEFSRecovery\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.8\nEFS\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.6\nDomainController\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.15\nWebServer\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.16\nMachine\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.14\nUser\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.1\nSubCA\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.18\nAdministrator\n1.3.6.1.4.1.311.21.8.775220.14014963.4605844.12530099.11347655.157.1.7\nCodeSigning\n\n",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xbefec"
  },
  "message": ""
}

Detection Patterns #

Defense Impairment: Modify Authentication Process

1 rule

Splunk

Suspicious Certificate Modification (Windows Event Log) (source)

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4892
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4892

Event ID 4893: Certificate Services archived a key.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Certificate Services archived a key.

Message #

Certificate Services archived a key.
	
Request ID: %1
Requester: %2
KRA Hashes: %3

Fields #

Name	Description
`RequestId` UnicodeString	Request ID
`Requester` UnicodeString	Requester
`KRAHashes` UnicodeString	KRA Hashes

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4893
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4893

Event ID 4894: Certificate Services imported and archived a key.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Certificate Services imported and archived a key.

Message #

Certificate Services imported and archived a key.
	
Request ID: %1

Fields #

Name	Description
`RequestId` UnicodeString	Request ID
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4894
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4894

Event ID 4895: Certificate Services published the CA certificate to Active Directory Domain Services.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Certificate Services published the CA certificate to Active Directory Domain Services.

Message #

Certificate Services published the CA certificate to Active Directory Domain Services.
	
Certificate Hash: %1
Valid From: %2
Valid To: %3

Fields #

Name	Description
`CertificateHash` UnicodeString	Certificate Hash
`ValidFrom` UnicodeString	Valid From
`ValidTo` UnicodeString	Valid To

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4895
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4895

Event ID 4896: One or more rows have been deleted from the certificate database.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

One or more rows have been deleted from the certificate database.

Message #

One or more rows have been deleted from the certificate database.
	
Table ID: %1
Filter: %2
Rows Deleted: %3

Fields #

Name	Description
`TableId` UnicodeString	Table ID
`Filter` UnicodeString	Filter
`RowsDeleted` UnicodeString	Rows Deleted
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4896,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:33:29.866256+00:00",
    "event_record_id": 16717272,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 11540
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TableId": "0",
    "Filter": "2",
    "RowsDeleted": "1",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xbefec"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4896
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4896

Event ID 4897: Role separation enabled: RoleSeparationEnabled.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Role separation enabled: RoleSeparationEnabled.

Message #

Role separation enabled: %1

Fields #

Name	Description
`RoleSeparationEnabled` UnicodeString	Role separation enabled

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4897,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:06:16.234615+00:00",
    "event_record_id": 16617451,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 11176
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "RoleSeparationEnabled": "No"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4897
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4897

Event ID 4898: Certificate Services loaded a template.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

Certificate Services loaded a template.

Message #

Certificate Services loaded a template.

%1 v%2 (Schema V%3)
%4
%5

Template Information:
	Template Content: %7
	Security Descriptor: %8

Additional Information:
	Domain Controller: %6

Fields #

Name	Description	Rules
`TemplateInternalName` UnicodeString
`TemplateVersion` UnicodeString	v
`TemplateSchemaVersion` UnicodeString	(Schema V
`TemplateOID` UnicodeString
`TemplateDSObjectFQDN` UnicodeString
`DCDNSName` UnicodeString	[Additional Information] Domain Controller
`TemplateContent` UnicodeString	[Template Information] Template Content	6 detection rules
`SecurityDescriptor` UnicodeString	[Template Information] Security Descriptor

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4898,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:08:24.061177+00:00",
    "event_record_id": 16623041,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 10928
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TemplateInternalName": "WebServer",
    "TemplateVersion": "4.1",
    "TemplateSchemaVersion": "1",
    "TemplateOID": " ",
    "TemplateDSObjectFQDN": "CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ludus,DC=domain",
    "DCDNSName": "LAB-DC01.ludus.domain",
    "TemplateContent": "\nflags = 0x10241 (66113)\n  CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 0x1\n  CT_FLAG_MACHINE_TYPE -- 0x40 (64)\n  CT_FLAG_ADD_TEMPLATE_NAME -- 0x200 (512)\n  CT_FLAG_IS_DEFAULT -- 0x10000 (65536)\n\nmsPKI-Private-Key-Flag = 0x0 (0)\n  CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0x0\n  TEMPLATE_SERVER_VER_NONE<<CTPRIVATEKEY_FLAG_SERVERVERSION_SHIFT -- 0x0\n  TEMPLATE_CLIENT_VER_NONE<<CTPRIVATEKEY_FLAG_CLIENTVERSION_SHIFT -- 0x0\n\nmsPKI-Certificate-Name-Flag = 0x1 (1)\n  CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 0x1\n\nmsPKI-Enrollment-Flag = 0x0 (0)\n\nmsPKI-Template-Schema-Version = 1\n\nrevision = 4\n\nmsPKI-Template-Minor-Revision = 1\n\npKIDefaultKeySpec = 1\n\npKIExpirationPeriod = 2 Years\n\npKIOverlapPeriod = 6 Weeks\n\ncn = WebServer\n\ndistinguishedName = WebServer\n\npKIKeyUsage = a0\n\ndisplayName = Web Server\n\ntemplateDescription = Computer\n\npKIExtendedKeyUsage =\n  1.3.6.1.5.5.7.3.1 Server Authentication\n\npKIDefaultCSPs =\n  Microsoft RSA SChannel Cryptographic Provider\n  Microsoft DH SChannel Cryptographic Provider\n\nmsPKI-Supersede-Templates =\n\nmsPKI-RA-Policies =\n\nmsPKI-RA-Application-Policies =\n\nmsPKI-Certificate-Policy =\n\nmsPKI-Certificate-Application-Policy =\n\npKICriticalExtensions =\n  2.5.29.15 Key Usage\n",
    "SecurityDescriptor": "O:S-1-5-21-1006758700-2167138679-1475694448-519G:S-1-5-21-1006758700-2167138679-1475694448-519D:PAI(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DA)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1006758700-2167138679-1475694448-519)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-1006758700-2167138679-1475694448-519)(A;;LCRPLORC;;;AU)\n\nAllow\tludus\\Domain Admins\n\tEnroll\nAllow\tludus\\Enterprise Admins\n\tEnroll\nAllow(0x000f00ff)\tludus\\Domain Admins\n\tFull Control\nAllow(0x000f00ff)\tludus\\Enterprise Admins\n\tFull Control\nAllow(0x00020094)\tNT AUTHORITY\\Authenticated Users\n\tRead\n"
  },
  "message": ""
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`NewTemplateContent`	contains	`ct_flag_enrollee_supplies_subject`	2 rules	sigma
`TemplateContent`	contains	`ct_flag_enrollee_supplies_subject`	2 rules	sigma

Detection Rules #

Sigma # view in coverage

ADCS Certificate Template Configuration Vulnerability source low: Detects certificate creation with template allowing risk permission subject↳ also matches Event ID 4899: A Certificate Services template was updated.
ADCS Certificate Template Configuration Vulnerability with Risky EKU source high: Detects certificate creation with template allowing risk permission subject and risky EKU↳ also matches Event ID 4899: A Certificate Services template was updated.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4898
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4898

Event ID 4899: A Certificate Services template was updated.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

A Certificate Services template was updated.

Message #

A Certificate Services template was updated.

%1 v%2 (Schema V%3)
%4
%5

Template Change Information:
	Old Template Content: %8
	New Template Content: %7

Additional Information:
	Domain Controller: %6

Fields #

Name	Description
`TemplateInternalName` UnicodeString
`TemplateVersion` UnicodeString	v
`TemplateSchemaVersion` UnicodeString	(Schema V
`TemplateOID` UnicodeString
`TemplateDSObjectFQDN` UnicodeString
`DCDNSName` UnicodeString	[Additional Information] Domain Controller
`NewTemplateContent` UnicodeString	[Template Change Information] New Template Content
`OldTemplateContent` UnicodeString	[Template Change Information] Old Template Content

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4899,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-30T16:57:55.5356434+00:00",
    "event_record_id": 23774408,
    "correlation": {
      "ActivityID": "{A07E0872-018C-41A0-ABF7-11F21B9D21E5}"
    },
    "execution": {
      "process_id": 1132,
      "thread_id": 10236
    },
    "channel": "Security",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TemplateInternalName": "User",
    "TemplateVersion": "4.3",
    "TemplateSchemaVersion": "1",
    "TemplateOID": "",
    "TemplateDSObjectFQDN": "CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ludus,DC=domain",
    "DCDNSName": "JD-DC01-2022.ludus.domain",
    "NewTemplateContent": "\nmsPKI-Template-Minor-Revision = 3\n",
    "OldTemplateContent": "\nmsPKI-Template-Minor-Revision = 2\n"
  },
  "message": "A Certificate Services template was updated.\r\n\r\nUser v4.3 (Schema V1)\r\n \r\nCN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ludus,DC=domain\r\n\r\nTemplate Change Information:\r\n\tOld Template Content:\t\nmsPKI-Template-Minor-Revision = 2\n\r\n\tNew Template Content:\t\t\nmsPKI-Template-Minor-Revision = 3\n\r\n\r\nAdditional Information:\r\n\tDomain Controller:\tJD-DC01-2022.ludus.domain"
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`NewTemplateContent`	contains	`ct_flag_enrollee_supplies_subject`	2 rules	sigma
`TemplateContent`	contains	`ct_flag_enrollee_supplies_subject`	2 rules	sigma

Detection Rules #

Security-Auditing Event ID 4904: An attempt was made to register a security event source.OREvent ID 4905: An attempt was made to unregister a security event source.

Sigma # view in coverage

ADCS Certificate Template Configuration Vulnerability source low: Detects certificate creation with template allowing risk permission subject↳ also matches Event ID 4898: Certificate Services loaded a template.
ADCS Certificate Template Configuration Vulnerability with Risky EKU source high: Detects certificate creation with template allowing risk permission subject and risky EKU↳ also matches Event ID 4898: Certificate Services loaded a template.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4899
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4899

Event ID 4900: Certificate Services template security was updated.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

Certificate Services template security was updated.

Message #

Certificate Services template security was updated.

%1 v%2 (Schema V%3)
%4
%5

Template Change Information:
	Old Template Content: %9
	New Template Content: %7
	Old Security Descriptor: %10
	New Security Descriptor: %8

Additional Information:
	Domain Controller: %6

Fields #

Name	Description
`TemplateInternalName` UnicodeString
`TemplateVersion` UnicodeString	v
`TemplateSchemaVersion` UnicodeString	(Schema V
`TemplateOID` UnicodeString
`TemplateDSObjectFQDN` UnicodeString
`DCDNSName` UnicodeString	[Additional Information] Domain Controller
`NewTemplateContent` UnicodeString	[Template Change Information] New Template Content
`NewSecurityDescriptor` UnicodeString	[Template Change Information] New Security Descriptor
`OldTemplateContent` UnicodeString	[Template Change Information] Old Template Content
`OldSecurityDescriptor` UnicodeString	[Template Change Information] Old Security Descriptor

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4900
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4900

Event ID 4902: The Per-user audit policy table was created.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Audit Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates during system startup if Per-user audit policy is defined on the computer.

Message #

The Per-user audit policy table was created.

Number of Elements: %1
Policy ID: %2

Fields #

Name	Description
`PuaCount` UInt32	Number of users for which Per-user policies were defined (number of unique users).
`PuaPolicyId` HexInt64	Unique per-User Audit Policy hexadecimal identifier.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4902,
    "version": 0,
    "level": 0,
    "task": 13568,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:32:50.8061908+00:00",
    "event_record_id": 1715934,
    "correlation": {},
    "execution": {
      "process_id": 812,
      "thread_id": 876
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PuaCount": "0",
    "PuaPolicyId": "0xa7bd"
  },
  "message": "The Per-user audit policy table was created.\r\n\r\nNumber of Elements:\t0\r\nPolicy ID:\t0xA7BD"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4902
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4902
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4902.yml

Event ID 4904: An attempt was made to register a security event source.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Audit Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

An attempt was made to register a security event source.

Message #

An attempt was made to register a security event source.

Subject :
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Process:
	Process ID: %7
	Process Name: %8

Event Source:
	Source Name: %5
	Event Source ID: %6

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that made an attempt to register a security event source.
`SubjectUserName` UnicodeString	The name of the account that made an attempt to register a security event source.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`AuditSourceName` UnicodeString	The name of registered security event source. You can see all registered security event source names in this registry path: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security".	1 detection rule
`EventSourceId` HexInt64	The unique hexadecimal identifier of registered security event source.
`ProcessId` Pointer	Hexadecimal Process ID of the process that attempted to register the security event source.
`ProcessName` UnicodeString	[Process] Process Name.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4904,
    "version": 0,
    "level": 0,
    "task": 13568,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T13:41:33.3658893+00:00",
    "event_record_id": 1217147,
    "correlation": {
      "ActivityID": "{4CADC93F-FB3A-0001-A9C9-AD4C3AFBDC01}"
    },
    "execution": {
      "process_id": 760,
      "thread_id": 820
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-D$",
    "SubjectDomainName": "cell-d",
    "SubjectLogonId": "0x3e7",
    "AuditSourceName": "FSRM Audit",
    "EventSourceId": "0x38eb8",
    "ProcessId": "0xec8",
    "ProcessName": "C:\\Windows\\System32\\svchost.exe"
  },
  "message": "An attempt was made to register a security event source.\r\n\r\nSubject :\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x3E7\r\n\r\nProcess:\r\n\tProcess ID:\t0xec8\r\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\r\n\r\nEvent Source:\r\n\tSource Name:\tFSRM Audit\r\n\tEvent Source ID:\t0x38EB8"
}

Detection Patterns #

Credential Access: Security Account Manager

1 rule

Sigma

VSSAudit Security Event Source Registration (source)

Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4904
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4904
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4904.yml

Event ID 4905: An attempt was made to unregister a security event source.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Audit Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

An attempt was made to unregister a security event source.

Message #

An attempt was made to unregister a security event source.

Subject
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Process:
	Process ID: %7
	Process Name: %8

Event Source:
	Source Name: %5
	Event Source ID: %6

Fields #

Name	Description
`SubjectUserSid`	SID of account that made an attempt to unregister a security event source.
`SubjectUserName`	The name of the account that made an attempt to unregister a security event source.
`SubjectDomainName`	Subject's domain or computer name.
`SubjectLogonId`	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`AuditSourceName`	The name of unregistered security event source. You can see all registered security event source names in this registry path: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security".
`EventSourceId`	The unique hexadecimal identifier of unregistered security event source.
`ProcessId`	Hexadecimal Process ID of the process that attempted to unregister the security event source.
`ProcessName`	Full path and the name of the executable for the process.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4905,
    "version": 0,
    "level": 0,
    "task": 13568,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:17:53.2889637+00:00",
    "event_record_id": 803955,
    "correlation": {
      "ActivityID": "{F06DF7AC-EF89-0002-BCF7-6DF089EFDC01}"
    },
    "execution": {
      "process_id": 712,
      "thread_id": 5924
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-D$",
    "SubjectDomainName": "cell-d",
    "SubjectLogonId": "0x3e7",
    "AuditSourceName": "IIS-METABASE",
    "EventSourceId": "0xf45b7c",
    "ProcessId": "0x7ec",
    "ProcessName": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe"
  },
  "message": "An attempt was made to unregister a security event source.\r\n\r\nSubject\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x3E7\r\n\r\nProcess:\r\n\tProcess ID:\t0x7ec\r\n\tProcess Name:\tC:\\Windows\\System32\\inetsrv\\inetinfo.exe\r\n\r\nEvent Source:\r\n\tSource Name:\tIIS-METABASE\r\n\tEvent Source ID:\t0xF45B7C"
}

Detection Patterns #

Credential Access: Security Account Manager

Security-Auditing Event ID 4904: An attempt was made to register a security event source.OREvent ID 4905: An attempt was made to unregister a security event source.

1 rule

Sigma

VSSAudit Security Event Source Registration (source)

Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4905
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4905
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4905.yml

Event ID 4906: The CrashOnAuditFail value has changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Audit Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time CrashOnAuditFail audit flag value was modified.

Message #

The CrashOnAuditFail value has changed.

New Value of CrashOnAuditFail: %1

Fields #

Name	Description
`CrashOnAuditFailValue` UInt32	Contains new value of CrashOnAuditFail flag.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4906
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4906
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4906.yml

Event ID 4907: Auditing settings on object were changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Audit Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates when a Security Descriptor (SD) on an object was changed.

Message #

Auditing settings on object were changed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6
	Object Name: %7
	Handle ID: %8

Process Information:
	Process ID: %11
	Process Name: %12

Auditing Settings:
	Original Security Descriptor: %9
	New Security Descriptor: %10

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that made an attempt to create the hard link.
`SubjectUserName` UnicodeString	The name of the account that made a change to object's auditing settings.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`ObjectServer` UnicodeString	Has "Security" value for this event.
`ObjectType` UnicodeString	The type of an object that was accessed during the operation.
`ObjectName` UnicodeString	Full path and name of the object for which the SACL was modified. Depends on Object Type.
`HandleId` Pointer	Hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID.
`OldSd` UnicodeString	The old Security Descriptor Definition Language (SDDL) value for the object.
`NewSd` UnicodeString	The new Security Descriptor Definition Language (SDDL) value for the object.
`ProcessId` Pointer	Hexadecimal Process ID of the process through which the object's SACL was changed.
`ProcessName` UnicodeString	Full path and the name of the executable for the process.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4907,
    "version": 0,
    "level": 0,
    "task": 13568,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:22:20.6577420+00:00",
    "event_record_id": 2926190,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 7864
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-C$",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x3e7",
    "ObjectServer": "Security",
    "ObjectType": "File",
    "ObjectName": "C:\\Windows\\WinSxS\\Temp\\InFlight\\c8dec39bf4fadc01df0700009c05c402\\c8dec39bf4fadc01e00700009c05c402_catalog",
    "HandleId": "0x12b8",
    "OldSd": "S:AI(AU;SAFA;0x1f0116;;;WD)",
    "NewSd": "",
    "ProcessId": "0x59c",
    "ProcessName": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.20348.557_none_f1edaeb8515fa10d\\TiWorker.exe"
  },
  "message": "Auditing settings on object were changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tObject Type:\tFile\r\n\tObject Name:\tC:\\Windows\\WinSxS\\Temp\\InFlight\\c8dec39bf4fadc01df0700009c05c402\\c8dec39bf4fadc01e00700009c05c402_catalog\r\n\tHandle ID:\t0x12b8\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x59c\r\n\tProcess Name:\tC:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.20348.557_none_f1edaeb8515fa10d\\TiWorker.exe\r\n\r\nAuditing Settings:\r\n\tOriginal Security Descriptor:\tS:AI(AU;SAFA;0x1f0116;;;WD)\r\n\tNew Security Descriptor:\t\t"
}

Community Notes #

Captures SACL changes to files, registry keys, and services.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4907
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4907
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4907.yml

Event ID 4908: Special Groups Logon table modified.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Audit Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time Special Groups logon table was modified.

Message #

Special Groups Logon table modified.

Special Groups: %1

This event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.

Fields #

Name	Description
`SidList`	Contains current list of SIDs (groups or accounts) which are members of Special Groups.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4908,
    "version": 0,
    "level": 0,
    "task": 13568,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2020-07-12T06:01:51.798027Z",
    "event_record_id": 16088364,
    "correlation": {},
    "execution": {
      "process_id": 528,
      "thread_id": 548
    },
    "channel": "Security",
    "computer": "rootdc1.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SidList": "-"
  }
}

Community Notes #

Deleting privileged SIDs will prevent Event ID 4964 from firing. Also appears at every reboot, so IR can compare boot-time record against later changes.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4908
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4908
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4908.yml

Event ID 4909: The local policy settings for the TBS were changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Other Policy Change Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

The local policy settings for the TBS were changed.

Message #

The local policy settings for the TBS were changed.

Old Blocked Ordinals: %1
New Blocked Ordinals: %2

Fields #

Name	Description
`OldBlockedOrdinals` UnicodeString	Old Blocked Ordinals
`NewBlockedOrdinals` UnicodeString	New Blocked Ordinals

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4909
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4909

Event ID 4910: The group policy settings for the TBS were changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Other Policy Change Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

The group policy settings for the TBS were changed.

Message #

The group policy settings for the TBS were changed.

Group Policy Setting:		Ignore Default Settings
	Old Value: %1
	New Value: %2

Group Policy Setting:		Ignore Local Settings
	Old Value: %3
	New Value: %4

Old Blocked Ordinals: %5
New Blocked Ordinals: %6

Fields #

Name	Description
`OldIgnoreDefaultSettings` UInt32	Old Value
`NewIgnoreDefaultSettings` UInt32	New Value
`OldIgnoreLocalSettings` UInt32	Old Value
`NewIgnoreLocalSettings` UInt32	New Value
`OldBlockedOrdinals` UnicodeString	Old Blocked Ordinals
`NewBlockedOrdinals` UnicodeString	New Blocked Ordinals

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4910
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4910

Event ID 4911: Resource attributes of the object were changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Authorization Policy Change
Collection Priority: Low (Splunk-UBA)
Opcode: Info

Description

This event generates when resource attributes of the file system object were changed.

Message #

Resource attributes of the object were changed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6
	Object Name: %7
	Handle ID: %8

Process Information:
	Process ID: %11
	Process Name: %12

Resource Attributes:
	Original Security Descriptor: %9
	New Security Descriptor: %10

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that changed the resource attributes of the file system object.
`SubjectUserName` UnicodeString	The name of the account that changed the resource attributes of the file system object.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`ObjectServer` UnicodeString	Has "Security" value for this event.
`ObjectType` UnicodeString	He type of an object that was accessed during the operation. Always "File" for this event.
`ObjectName` UnicodeString	Full path and/or name of the object for which resource attributes were changed.
`HandleId` Pointer	Hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "4663(S): An attempt was made to access an object." This parameter might not be captured in the event, and in that case appears as "0x0".
`OldSd` UnicodeString	The Security Descriptor Definition Language (SDDL) value for the old resource attributes.
`NewSd` UnicodeString	The Security Descriptor Definition Language (SDDL) value for the new resource attributes.
`ProcessId` Pointer	Hexadecimal Process ID of the process through which the resource attributes of the file system object were changed.
`ProcessName` UnicodeString	Full path and the name of the executable for the process.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4911,
    "version": 0,
    "level": 0,
    "task": 13570,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-28T11:13:10.4845956+00:00",
    "event_record_id": 148286,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 1300
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "cell-d",
    "SubjectLogonId": "0xb66c2",
    "ObjectServer": "Security",
    "ObjectType": "File",
    "ObjectName": "C:\\Users\\domainadmin\\Downloads",
    "HandleId": "0xa18",
    "OldSd": "",
    "NewSd": "S:ARAI(RA;OICIIO;;;;WD;(\"IMAGELOAD\",TU,0x0,1))",
    "ProcessId": "0x1450",
    "ProcessName": "C:\\Windows\\explorer.exe"
  },
  "message": "Resource attributes of the object were changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tAccount Name:\t\tdomainadmin\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0xB66C2\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tObject Type:\tFile\r\n\tObject Name:\tC:\\Users\\domainadmin\\Downloads\r\n\tHandle ID:\t0xa18\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x1450\r\n\tProcess Name:\tC:\\Windows\\explorer.exe\r\n\r\nResource Attributes:\r\n\tOriginal Security Descriptor:\t\r\n\tNew Security Descriptor:\t\tS:ARAI(RA;OICIIO;;;;WD;(\"IMAGELOAD\",TU,0x0,1))"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4911
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4911
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4911.yml

Event ID 4912: Per User Audit Policy was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Audit Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time Per User Audit Policy was changed.

Message #

Per User Audit Policy was changed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Policy For Account:
	Security ID: %5

Policy Change Details:
	Category: %6
	Subcategory: %7
	Subcategory GUID: %8
	Changes: %9

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that made a change to per-user audit policy.
`SubjectUserName` UnicodeString	The name of the account that made a change to per-user audit policy.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`TargetUserSid` SID	SID of account for which the Per User Audit Policy was changed.
`CategoryId` UnicodeString	The name of auditing category which subcategory state was changed. Known values `%%8272` System `%%8273` Logon/Logoff `%%8274` Object Access `%%8275` Privilege Use `%%8276` Detailed Tracking `%%8277` Policy Change `%%8278` Account Management `%%8279` DS Access `%%8280` Account Logon
`SubcategoryId` UnicodeString	The name of auditing subcategory which state was changed. Known values `%%12288` Security State Change `%%12289` Security System Extension `%%12290` System Integrity `%%12291` IPsec Driver `%%12292` Other System Events `%%12544` Logon `%%12545` Logoff `%%12546` Account Lockout `%%12547` IPsec Main Mode `%%12548` Special Logon `%%12549` IPsec Quick Mode `%%12550` IPsec Extended Mode `%%12551` Other Logon/Logoff Events `%%12552` Network Policy Server `%%12553` User / Device Claims `%%12554` Group Membership `%%12800` File System `%%12801` Registry `%%12802` Kernel Object `%%12803` SAM `%%12804` Other Object Access Events `%%12805` Certification Services `%%12806` Application Generated `%%12807` Handle Manipulation `%%12808` File Share `%%12809` Filtering Platform Packet Drop `%%12810` Filtering Platform Connection `%%12811` Detailed File Share `%%12812` Removable Storage `%%12813` Central Policy Staging `%%13056` Sensitive Privilege Use `%%13057` Non Sensitive Privilege Use `%%13058` Other Privilege Use Events `%%13312` Process Creation `%%13313` Process Termination `%%13314` DPAPI Activity `%%13315` RPC Events `%%13316` Plug and Play Events `%%13317` Token Right Adjusted Events `%%13568` Audit Policy Change `%%13569` Authentication Policy Change `%%13570` Authorization Policy Change `%%13571` MPSSVC Rule-Level Policy Change `%%13572` Filtering Platform Policy Change `%%13573` Other Policy Change Events `%%13824` User Account Management `%%13825` Computer Account Management `%%13826` Security Group Management `%%13827` Distribution Group Management `%%13828` Application Group Management `%%13829` Other Account Management Events `%%14080` Directory Service Access `%%14081` Directory Service Changes `%%14082` Directory Service Replication `%%14083` Detailed Directory Service Replication `%%14336` Credential Validation `%%14337` Kerberos Service Ticket Operations `%%14338` Other Account Logon Events `%%14339` Kerberos Authentication Service
`SubcategoryGuid` GUID	[Policy Change Details] Subcategory GUID. Known values `%%12288` Security State Change `%%12289` Security System Extension `%%12290` System Integrity `%%12291` IPsec Driver `%%12292` Other System Events `%%12544` Logon `%%12545` Logoff `%%12546` Account Lockout `%%12547` IPsec Main Mode `%%12548` Special Logon `%%12549` IPsec Quick Mode `%%12550` IPsec Extended Mode `%%12551` Other Logon/Logoff Events `%%12552` Network Policy Server `%%12553` User / Device Claims `%%12554` Group Membership `%%12800` File System `%%12801` Registry `%%12802` Kernel Object `%%12803` SAM `%%12804` Other Object Access Events `%%12805` Certification Services `%%12806` Application Generated `%%12807` Handle Manipulation `%%12808` File Share `%%12809` Filtering Platform Packet Drop `%%12810` Filtering Platform Connection `%%12811` Detailed File Share `%%12812` Removable Storage `%%12813` Central Policy Staging `%%13056` Sensitive Privilege Use `%%13057` Non Sensitive Privilege Use `%%13058` Other Privilege Use Events `%%13312` Process Creation `%%13313` Process Termination `%%13314` DPAPI Activity `%%13315` RPC Events `%%13316` Plug and Play Events `%%13317` Token Right Adjusted Events `%%13568` Audit Policy Change `%%13569` Authentication Policy Change `%%13570` Authorization Policy Change `%%13571` MPSSVC Rule-Level Policy Change `%%13572` Filtering Platform Policy Change `%%13573` Other Policy Change Events `%%13824` User Account Management `%%13825` Computer Account Management `%%13826` Security Group Management `%%13827` Distribution Group Management `%%13828` Application Group Management `%%13829` Other Account Management Events `%%14080` Directory Service Access `%%14081` Directory Service Changes `%%14082` Directory Service Replication `%%14083` Detailed Directory Service Replication `%%14336` Credential Validation `%%14337` Kerberos Service Ticket Operations `%%14338` Other Account Logon Events `%%14339` Kerberos Authentication Service `0CCE923B-69AE-11D9-BED3-505054503030` Resolved-GUID alias for %%14080 (Directory Service Access subcategory; ntsecapi.h Audit_DSAccess_DSAccess = 0x0cce923b; matches the SubcategoryId %%14080 carried by the catalog sample for event 4719)
`AuditPolicyChanges` UnicodeString	[Policy Change Details] Changes. Known values `%%8448` Success removed `%%8449` Success Added `%%8450` Failure removed `%%8451` Failure added `%%8452` Success include removed `%%8453` Success include added `%%8454` Success exclude removed `%%8455` Success exclude added `%%8456` Failure include removed `%%8457` Failure include added `%%8458` Failure exclude removed `%%8459` Failure exclude added

Community Notes #

If Changes is set to None or Failure include removed, this may be an attempt to hide activity. Pair with 4719, 4902, and 4624 to reconstruct a timeline.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4912
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4912
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4912.yml

Event ID 4913: Central Access Policy on the object was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Authorization Policy Change
Opcode: Info

Description

This event generates when a Central Access Policy on a file system object is changed.

Message #

Central Access Policy on the object was changed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6
	Object Name: %7
	Handle ID: %8

Process Information:
	Process ID: %11
	Process Name: %12

Central Policy ID:
	Original Security Descriptor: %9
	New Security Descriptor: %10

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that changed the Central Access Policy on the object.
`SubjectUserName` UnicodeString	The name of the account that changed the Central Access Policy on the object.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`ObjectServer` UnicodeString	Has "Security" value for this event.
`ObjectType` UnicodeString	The type of an object that was accessed during the operation. Always "File" for this event.
`ObjectName` UnicodeString	Full path and/or name of the object on which the Central Access Policy was changed.
`HandleId` Pointer	Hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "4663(S): An attempt was made to access an object." This parameter might not be captured in the event, and in that case appears as "0x0".
`OldSd` UnicodeString	The Security Descriptor Definition Language (SDDL) value for the old Central Policy ID (for the policy that was formerly applied to the object).
`NewSd` UnicodeString	The Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object).
`ProcessId` Pointer	Hexadecimal Process ID of the process using which Central Access Policy was changed.
`ProcessName` UnicodeString	Full path and the name of the executable for the process.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4913
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4913
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4913.yml

Event ID 4928: An Active Directory replica source naming context was established.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Detailed Directory Service Replication
Collection Priority: Recommended (mdecrevoisier, others)
Opcode: Info

Description

This event generates every time a new Active Directory replica source naming context is established.

Message #

An Active Directory replica source naming context was established.

Destination DRA: %1
Source DRA: %2
Source Address: %3
Naming Context: %4
Options: %5
Status Code: %6

Fields #

Name	Description
`DestinationDRA` UnicodeString	Destination directory replication agent distinguished name.
`SourceDRA` UnicodeString	Source directory replication agent distinguished name.
`SourceAddr` UnicodeString	DNS record of the server from which information or an update was received.
`NamingContext` UnicodeString	Naming Context.
`Options` UInt64	Options.
`StatusCode` UInt32	If there are no issues or errors, the status code will be 0. NTSTATUS reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4928
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4928
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4928.yml

Event ID 4929: An Active Directory replica source naming context was removed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Detailed Directory Service Replication
Collection Priority: Recommended (ASD, others)
Opcode: Info

Description

An Active Directory replica source naming context was removed.

Message #

An Active Directory replica source naming context was removed.

Destination DRA: %1
Source DRA: %2
Source Address: %3
Naming Context: %4
Options: %5
Status Code: %6

Fields #

Name	Description
`DestinationDRA`	Destination directory replication agent distinguished name.
`SourceDRA`	Source directory replication agent distinguished name.
`SourceAddr`	DNS record of the server from which the "remove" request was received.
`NamingContext`	Naming context which was removed.
`Options` UInt64	Options.
`StatusCode`	If there are no issues or errors, the status code will be 0. NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4929,
    "version": 1,
    "level": 0,
    "task": 14083,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2021-04-27T11:04:45.557748Z",
    "event_record_id": 138520244,
    "correlation": {
      "#attributes": {
        "ActivityID": "9816F041-2BBE-0000-53F0-1698BE2BD701"
      }
    },
    "execution": {
      "process_id": 548,
      "thread_id": 5276
    },
    "channel": "Security",
    "computer": "rootdc1.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DestinationDRA": "CN=NTDS Settings,CN=ROOTDC1,CN=Servers,CN=OFFSEC-PREMISE,CN=Sites,CN=Configuration,DC=offsec,DC=lan",
    "SourceDRA": "-",
    "SourceAddr": "jump01.offsec.lan",
    "NamingContext": "DC=offsec,DC=lan",
    "Options": 16,
    "StatusCode": 8452
  }
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4929
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4929
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4929.yml

Event ID 4930: An Active Directory replica source naming context was modified.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Detailed Directory Service Replication
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An Active Directory replica source naming context was modified.

Message #

An Active Directory replica source naming context was modified.

Destination DRA: %1
Source DRA: %2
Source Address: %3
Naming Context: %4
Options: %5
Status Code: %6

Fields #

Name	Description
`DestinationDRA` UnicodeString	Destination directory replication agent distinguished name.
`SourceDRA` UnicodeString	Source directory replication agent distinguished name. Typically equals "-" for this event.
`SourceAddr` UnicodeString	DNS record of computer from which the modification request was received.
`NamingContext` UnicodeString	Naming context which was modified.
`Options` UInt64	Options.
`StatusCode` UInt32	If there are no issues or errors, the status code will be 0. NTSTATUS reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4930
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4930
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4930_v1.yml

Event ID 4931: An Active Directory replica destination naming context was modified.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Detailed Directory Service Replication
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An Active Directory replica destination naming context was modified.

Message #

An Active Directory replica destination naming context was modified.

Destination DRA: %1
Source DRA: %2
Destination Address: %3
Naming Context: %4
Options: %5
Status Code: %6

Fields #

Name	Description
`DestinationDRA` UnicodeString	Destination directory replication agent distinguished name.
`SourceDRA` UnicodeString	Source directory replication agent distinguished name.
`SourceAddr` UnicodeString	DNS record of computer to which the modification request was sent.
`NamingContext` UnicodeString	Naming context which was modified.
`Options` UInt64	Options.
`StatusCode` UInt32	If there are no issues or errors, the status code will be 0. NTSTATUS reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4931
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4931
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4931_v1.yml

Event ID 4932: Synchronization of a replica of an Active Directory naming context has begun.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Directory Service Replication
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

Synchronization of a replica of an Active Directory naming context has begun.

Message #

Synchronization of a replica of an Active Directory naming context has begun.

Destination DRA: %1
Source DRA: %2
Naming Context: %3
Options: %4
Session ID: %5
Start USN: %6

Fields #

Name	Description
`DestinationDRA` UnicodeString	Destination directory replication agent distinguished name.
`SourceDRA` UnicodeString	Source directory replication agent distinguished name.
`NamingContext` UnicodeString	Naming Context.
`Options` UInt64	Options.
`SessionID` UInt32	Unique identifier of replication session. Using this field you can find "4932: Synchronization of a replica of an Active Directory naming context has begun." and "4933: Synchronization of a replica of an Active Directory naming context has ended." events for the same session.
`StartUSN` UnicodeString	Naming Context's USN number before replication begins.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4932
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-replication
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4932
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4932.yml

Event ID 4933: Synchronization of a replica of an Active Directory naming context has ended.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Directory Service Replication
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

This event generates every time synchronization of a replica of an Active Directory naming context has ended. Failure event occurs when synchronization of a replica of an Active Directory naming context failed.

Message #

Synchronization of a replica of an Active Directory naming context has ended.

Destination DRA: %1
Source DRA: %2
Naming Context: %3
Options: %4
Session ID: %5
End USN: %6
Status Code: %7

Fields #

Name	Description
`DestinationDRA` UnicodeString	Destination directory replication agent distinguished name.
`SourceDRA` UnicodeString	Source directory replication agent distinguished name.
`NamingContext` UnicodeString	Naming Context.
`Options` UInt64	Options.
`SessionID` UInt32	Unique identifier of replication session. Using this field you can find "4932: Synchronization of a replica of an Active Directory naming context has begun." and "4933: Synchronization of a replica of an Active Directory naming context has ended." events for the same session.
`EndUSN` UnicodeString	Naming Context's USN number after replication ends.
`StatusCode` UInt32	If there are no issues or errors, the status code will be "0". If an error happened, you will receive Failure event and Status Code will not be equal to "0". NTSTATUS reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4933
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-replication
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4933
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4933.yml

Event ID 4934: Attributes of an Active Directory object were replicated.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Detailed Directory Service Replication
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

Attributes of an Active Directory object were replicated.

Message #

Attributes of an Active Directory object were replicated.

Session ID: %1
Object: %2
Attribute: %3
Type of change: %4
New Value: %5
USN: %6
Status Code: %7

Fields #

Name	Description
`SessionID` UInt32	Session ID
`Object` UnicodeString	Object
`Attribute` UnicodeString	Attribute
`TypeOfChange` UInt32	Type of change
`NewValue` UnicodeString	New Value
`USN` UnicodeString	USN
`StatusCode` UInt32	Status Code NTSTATUS reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4934
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4934

Event ID 4935: Replication failure begins.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Detailed Directory Service Replication
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

This event generates when Active Directory replication failure begins.

Message #

Replication failure begins.

Replication Event: %1
Audit Status Code: %2

Fields #

Name	Description
`ReplicationEvent`	There is no detailed information about this field in this document.
`AuditStatusCode`	There is no detailed information about this field in this document.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4935,
    "version": 0,
    "level": 0,
    "task": 14083,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2021-04-27T11:04:03.510255Z",
    "event_record_id": 138520219,
    "correlation": {
      "#attributes": {
        "ActivityID": "9816F041-2BBE-0000-53F0-1698BE2BD701"
      }
    },
    "execution": {
      "process_id": 548,
      "thread_id": 5276
    },
    "channel": "Security",
    "computer": "rootdc1.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ReplicationEvent": 1,
    "AuditStatusCode": 8419
  }
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4935
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4935
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4935.yml

Event ID 4936: Replication failure ends.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Detailed Directory Service Replication
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

Replication failure ends.

Message #

Replication failure ends.

Replication Event: %1
Audit Status Code: %2
Replication Status Code: %3

Fields #

Name	Description
`ReplicationEvent`
`AuditStatusCode`
`ReplicationStatusCode`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4936,
    "version": 0,
    "level": 0,
    "task": 14083,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2021-04-27T11:04:45.556800Z",
    "event_record_id": 138520242,
    "correlation": {
      "#attributes": {
        "ActivityID": "9816F041-2BBE-0000-53F0-1698BE2BD701"
      }
    },
    "execution": {
      "process_id": 548,
      "thread_id": 5276
    },
    "channel": "Security",
    "computer": "rootdc1.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ReplicationEvent": 1,
    "AuditStatusCode": 8419,
    "ReplicationStatusCode": 1722
  }
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4936
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4936
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 4937: A lingering object was removed from a replica.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Detailed Directory Service Replication
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A lingering object was removed from a replica.

Message #

A lingering object was removed from a replica.

Destination DRA: %1
Source DRA: %2
Object: %3
Options: %4
Status Code: %5

Fields #

Name	Description
`DestinationDRA` UnicodeString	Destination DRA
`SourceDRA` UnicodeString	Source DRA
`Object` UnicodeString	Object
`Options` UInt64	Options
`StatusCode` UInt32	Status Code NTSTATUS reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4937
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4937

Event ID 4944: The following policy was active when the Windows Firewall started.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → MPSSVC Rule-Level Policy Change
Collection Priority: Recommended (mdecrevoisier, others)
Opcode: Info

Description

The following policy was active when the Windows Firewall started.

Message #

The following policy was active when the Windows Firewall started.

Group Policy Applied: %1
Profile Used: %2
Operational mode: %3
Allow Remote Administration: %4
Allow Unicast Responses to Multicast/Broadcast Traffic: %5
Security Logging:
	Log Dropped Packets: %6
	Log Successful Connections: %7

Fields #

Name	Description
`GroupPolicyApplied` UnicodeString	It always has "No" value for this event. This field should show information about: was Group Policy applied for Windows Firewall when it starts or not.
`Profile` UnicodeString	Shows the active profile name for the moment Windows Firewall service starts.
`OperationMode` UnicodeString	On - if "Firewall state:" setting was set to "On" for "Public" profile. Off - if "Firewall state:" setting was set to "Off" for "Public" profile.
`RemoteAdminEnabled` UnicodeString	Looks like this setting is connected to "Windows Firewall: Allow remote administration exception" Group Policy setting, but it is always Disabled, no matter which option is set for "Windows Firewall: Allow remote administration exception" Group Policy.
`MulticastFlowsEnabled` UnicodeString	Enabled - if "Allow unicast response:" Settings configuration was set to "Yes" for "Public" profile. Disabled - if "Allow unicast response:" Settings configuration was set to "No" for "Public" profile.
`LogDroppedPacketsEnabled` UnicodeString	Enabled - if "Log dropped packets:" Logging configuration was set to "Yes" for "Public" profile. Disabled - if "Log dropped packets:" Logging configuration was set to "No" for "Public" profile.
`LogSuccessfulConnectionsEnabled` UnicodeString	Enabled - if "Log successful connections:" Logging configuration was set to "Yes" for "Public" profile. Disabled - if "Log dropped packets:" Logging configuration was set to "No" for "Public" profile.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4944,
    "version": 0,
    "level": 0,
    "task": 13571,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:32:57.9251088+00:00",
    "event_record_id": 1717305,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 872
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "GroupPolicyApplied": "No",
    "Profile": "(null)",
    "OperationMode": "On",
    "RemoteAdminEnabled": "Disabled",
    "MulticastFlowsEnabled": "Enabled",
    "LogDroppedPacketsEnabled": "Disabled",
    "LogSuccessfulConnectionsEnabled": "Disabled"
  },
  "message": "The following policy was active when the Windows Firewall started.\r\n\r\nGroup Policy Applied:\tNo\r\nProfile Used:\t(null)\r\nOperational mode:\tOn\r\nAllow Remote Administration:\tDisabled\r\nAllow Unicast Responses to Multicast/Broadcast Traffic:\tEnabled\r\nSecurity Logging:\r\n\tLog Dropped Packets:\tDisabled\r\n\tLog Successful Connections:\tDisabled"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4944
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4944
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4944.yml

Event ID 4945: A rule was listed when the Windows Firewall started.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → MPSSVC Rule-Level Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A rule was listed when the Windows Firewall started.

Message #

A rule was listed when the Windows Firewall started.
	
Profile used: %1

Rule:
	Rule ID: %2
	Rule Name: %3

Fields #

Name	Description
`ProfileUsed` UnicodeString	The name of the profile that the rule belongs to. It always has value "Public", because this event shows rules only for "Public" profile.
`RuleId` UnicodeString	The unique firewall rule identifier.
`RuleName` UnicodeString	The name of the rule which was listed when the Windows Firewall started.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4945,
    "version": 0,
    "level": 0,
    "task": 13571,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:32:57.9315957+00:00",
    "event_record_id": 1717470,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 872
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProfileUsed": "(null)",
    "RuleId": "{FF8303C2-8C97-48FB-9B70-CEF9F3C8209C}",
    "RuleName": "Microsoft Edge (mDNS-In)"
  },
  "message": "A rule was listed when the Windows Firewall started.\r\n\t\r\nProfile used:\t(null)\r\n\r\nRule:\r\n\tRule ID:\t{FF8303C2-8C97-48FB-9B70-CEF9F3C8209C}\r\n\tRule Name:\tMicrosoft Edge (mDNS-In)"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4945
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4945
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4945.yml

Event ID 4946: A change has been made to Windows Firewall exception list. A rule was added.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → MPSSVC Rule-Level Policy Change
Collection Priority: Low (Splunk-UBA, others)
Opcode: Info

Description

A change was made to the Windows Firewall exception list. A rule was added.

Message #

A change was made to the Windows Firewall exception list. A rule was added.
	
Profile Changed: %1

Added Rule:
	Rule ID: %2
	Rule Name: %3

Fields #

Name	Description
`ProfileChanged` UnicodeString	The list of profiles to which new rule was applied. Known values `%%14644` Public `%%14645` Private `%%14646` Domain `Public` Resolved alias for %%14644 (Windows Defender Firewall Public profile) `Private` Resolved alias for %%14645 (Windows Defender Firewall Private profile) `Domain` Resolved alias for %%14646 (Windows Defender Firewall Domain profile) `All` Composite indicating all three profiles changed simultaneously (Domain + Private + Public)
`RuleId` UnicodeString	The unique new firewall rule identifier.
`RuleName` UnicodeString	The name of the rule which was added.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4946,
    "version": 0,
    "level": 0,
    "task": 13571,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-11T19:32:55.589972+00:00",
    "event_record_id": 2601879,
    "correlation": {
      "ActivityID": "83C0A038-97BF-4A37-B9EE-DBA4C42967DF"
    },
    "execution": {
      "process_id": 720,
      "thread_id": 1048
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProfileChanged": "(null),(null)",
    "RuleId": "{DC92C56C-4138-4D46-B25D-97D3C349B695}",
    "RuleName": "@{Microsoft.DesktopAppInstaller_1.28.220.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resources/appDisplayName}"
  },
  "message": ""
}

Community Notes #

Logs rules that open ports or disable filtering. Attackers may add rules to enable implants to communicate with external servers.

Detection Rules #

Splunk # view in coverage

Windows Firewall Rule Added source: This detection identifies instances where a Windows Firewall rule is added by monitoring Event ID 4946 in the Windows Security Event Log. Firewall rule modifications can indicate legitimate administrative actions, but they may also signal…

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4946
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4946.yml

Event ID 4947: A change has been made to Windows Firewall exception list. A rule was modified.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → MPSSVC Rule-Level Policy Change
Collection Priority: Low (Splunk-UBA, others)
Opcode: Info

Description

A change was made to the Windows Firewall exception list. A rule was modified.

Message #

A change was made to the Windows Firewall exception list. A rule was modified.
	
Profile Changed: %1

Modified Rule:
	Rule ID: %2
	Rule Name: %3

Fields #

Name	Description
`ProfileChanged` UnicodeString	The list of profiles to which changed rule is applied. Known values `%%14644` Public `%%14645` Private `%%14646` Domain `Public` Resolved alias for %%14644 (Windows Defender Firewall Public profile) `Private` Resolved alias for %%14645 (Windows Defender Firewall Private profile) `Domain` Resolved alias for %%14646 (Windows Defender Firewall Domain profile) `All` Composite indicating all three profiles changed simultaneously (Domain + Private + Public)
`RuleId` UnicodeString	The unique identifier for modified firewall rule.
`RuleName` UnicodeString	The name of the rule which was modified.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4947,
    "version": 0,
    "level": 0,
    "task": 13571,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-11T06:32:02.846637+00:00",
    "event_record_id": 2461332,
    "correlation": {
      "ActivityID": "25EC58BA-8E8B-49D4-8250-F380547FF3D0"
    },
    "execution": {
      "process_id": 720,
      "thread_id": 1048
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProfileChanged": "All",
    "RuleId": "WSLCore-SharedAccess-Allow-Rule",
    "RuleName": "WSLCore SharedAccess Allow Rule"
  },
  "message": ""
}

Detection Rules #

Splunk # view in coverage

Windows Firewall Rule Modification source: This detection identifies instances where a Windows Firewall rule has been modified, which may indicate an attempt to alter security policies. Unauthorized modifications can weaken firewall protections, allowing malicious traffic or…

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4947.yml

Event ID 4948: A change has been made to Windows Firewall exception list. A rule was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → MPSSVC Rule-Level Policy Change
Collection Priority: Low (Splunk-UBA, others)
Opcode: Info

Description

A change was made to the Windows Firewall exception list. A rule was deleted.

Message #

A change was made to the Windows Firewall exception list. A rule was deleted.
	
Profile Changed: %1

Deleted Rule:
	Rule ID: %2
	Rule Name: %3

Fields #

Name	Description
`ProfileChanged` UnicodeString	The list of profiles to which deleted rule was applied. Known values `%%14644` Public `%%14645` Private `%%14646` Domain `Public` Resolved alias for %%14644 (Windows Defender Firewall Public profile) `Private` Resolved alias for %%14645 (Windows Defender Firewall Private profile) `Domain` Resolved alias for %%14646 (Windows Defender Firewall Domain profile) `All` Composite indicating all three profiles changed simultaneously (Domain + Private + Public)
`RuleId` UnicodeString	The unique identifier for deleted firewall rule.
`RuleName` UnicodeString	The name of the rule which was deleted.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4948,
    "version": 0,
    "level": 0,
    "task": 13571,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-11T19:32:55.554379+00:00",
    "event_record_id": 2601866,
    "correlation": {
      "ActivityID": "426D61B7-B34A-40F7-B81E-D2D13DCDAEDA"
    },
    "execution": {
      "process_id": 720,
      "thread_id": 1048
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProfileChanged": "(null),(null),(null)",
    "RuleId": "{760971F9-D380-483D-AEA7-31795C69819A}",
    "RuleName": "@{Microsoft.DesktopAppInstaller_1.27.470.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resources/appDisplayName}"
  },
  "message": ""
}

Detection Rules #

Security-Auditing Event ID 4950: A Windows Firewall setting has changed.ORWindows-Firewall-With-Advanced-Security Event ID 2003: A Windows Defender Firewall setting in the Profiles profile has changed.

Splunk # view in coverage

Windows Firewall Rule Deletion source: This detection identifies instances where a Windows Firewall rule has been deleted, potentially exposing the system to security risks. Unauthorized removal of firewall rules can indicate an attacker attempting to bypass security controls…

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4948.yml

Event ID 4949: Windows Firewall settings were restored to the default values.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → MPSSVC Rule-Level Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

Windows Firewall settings were restored to the default values.

Message #

Windows Firewall settings were restored to the default values.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4949,
    "version": 0,
    "level": 0,
    "task": 13571,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:28:37.812998+00:00",
    "event_record_id": 16710980,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 10484
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": ""
}

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change

Event ID 4950: A Windows Firewall setting has changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → MPSSVC Rule-Level Policy Change
Collection Priority: Low (Splunk-UBA, others)
Opcode: Info

Description

This event generates when Windows Firewall local setting was changed.

Message #

A Windows Firewall setting was changed.
	
Changed Profile: %1

New Setting:
	Type: %2
	Value: %3

Fields #

Name	Description
`ProfileChanged` UnicodeString	The name of profile in which setting was changed. Known values `%%14644` Public `%%14645` Private `%%14646` Domain `Public` Resolved alias for %%14644 (Windows Defender Firewall Public profile) `Private` Resolved alias for %%14645 (Windows Defender Firewall Private profile) `Domain` Resolved alias for %%14646 (Windows Defender Firewall Domain profile) `All` Composite indicating all three profiles changed simultaneously (Domain + Private + Public)
`SettingType` UnicodeString	The name of the setting which was modified.
`SettingValue` UnicodeString	[New Setting] Value.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4950,
    "version": "0",
    "level": "0",
    "task": "13571",
    "opcode": "0",
    "keywords": 9232379236109516800,
    "time_created": "2021-06-03T19:39:52.893115500Z",
    "event_record_id": "1974770",
    "correlation": {
      "#attributes": {
        "ActivityID": "{38068009-512D-0000-1D80-06382D51D701}"
      }
    },
    "execution": {
      "process_id": "556",
      "thread_id": "2532"
    },
    "channel": "Security",
    "computer": "fs01.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProfileChanged": "Domain",
    "SettingType": "Enable Windows Firewall",
    "SettingValue": "Yes"
  }
}

Detection Patterns #

Stealth: Disable or Modify System Firewall

1 rule

Sigma

Firewall deactivation (firewall) (source)

mdecrevoisier

Community Notes #

Tracks changes to core settings such as disabling a profile (domain, private, public), or default block/allow behavior.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4950
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4950.yml

Event ID 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → MPSSVC Rule-Level Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule.

Message #

Windows Firewall ignored a rule because its major version number is not recognized.
	
Profile: %1

Ignored Rule:
	ID: %2
	Name: %3

Fields #

Name	Description
`Profile` UnicodeString	The name of the profile of the ignored rule.
`RuleId` UnicodeString	The unique identifier for ignored firewall rule.
`RuleName` UnicodeString	The unique identifier for ignored firewall rule.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4951
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4951.yml

Event ID 4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → MPSSVC Rule-Level Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

Windows Firewall ignored parts of a rule because its minor version number is not recognized. Other parts of the rule will be enforced.

Message #

Windows Firewall ignored parts of a rule because its minor version number is not recognized. Other parts of the rule will be enforced.
	
Profile: %1

Partially Ignored Rule:
	ID: %2
	Name: %3

Fields #

Name	Description
`Profile` UnicodeString	Profile
`RuleId` UnicodeString	[Partially Ignored Rule] ID
`RuleName` UnicodeString	[Partially Ignored Rule] Name

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change

Event ID 4953: A rule has been ignored by Windows Firewall because it could not parse the rule.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → MPSSVC Rule-Level Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

This event generates if Windows Firewall was not able to parse Windows Firewall rule for some reason.

Message #

Windows Firewall ignored a rule because it could not be parsed.
	
Profile: %1

Reason for Rejection: %2

Rule:
	ID: %3
	Name: %4

Fields #

Name	Description
`Profile` UnicodeString	The name of the profile of the ignored rule.
`ReasonForRejection` UnicodeString	The reason, why the rule was ignored.
`RuleId` UnicodeString	The unique identifier for ignored firewall rule.
`RuleName` UnicodeString	The name of the rule which was ignored.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4953,
    "version": 0,
    "level": 0,
    "task": 13571,
    "opcode": 0,
    "keywords": -9218868437227405312,
    "time_created": "2026-05-29T16:32:57.5827365+00:00",
    "event_record_id": 1716312,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 968
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Profile": "All",
    "ReasonForRejection": "An error occurred.",
    "RuleId": "MDEServer-1",
    "RuleName": "-"
  },
  "message": "Windows Firewall ignored a rule because it could not be parsed.\r\n\t\r\nProfile:\tAll\r\n\r\nReason for Rejection:\tAn error occurred.\r\n\r\nRule:\r\n\tID:\tMDEServer-1\r\n\tName:\t-"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4953
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4953
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4953.yml

Event ID 4954: Windows Firewall Group Policy settings has changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → MPSSVC Rule-Level Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

Group Policy settings for Windows Firewall were changed, and the new settings were applied.

Message #

Group Policy settings for Windows Firewall were changed, and the new settings were applied.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4954,
    "version": 0,
    "level": 0,
    "task": 13571,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-09T00:56:52.595949+00:00",
    "event_record_id": 1628305,
    "correlation": {
      "ActivityID": "96A9D96E-AF5F-0001-F1D9-A9965FAFDC01"
    },
    "execution": {
      "process_id": 828,
      "thread_id": 844
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": ""
}

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change

Event ID 4956: Windows Firewall has changed the active profile.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → MPSSVC Rule-Level Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

This event generates when Windows Firewall has changed the active profile.

Message #

Windows Firewall changed the active profile.

New Active Profile: %1

Fields #

Name	Description
`ActiveProfile` UnicodeString	The name of the new active profile.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4956,
    "version": 0,
    "level": 0,
    "task": 13571,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-11T06:27:32.278889+00:00",
    "event_record_id": 2454199,
    "correlation": {
      "ActivityID": "164E10E5-B120-0003-FC10-4E1620B1DC01"
    },
    "execution": {
      "process_id": 720,
      "thread_id": 6464
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ActiveProfile": "(null)"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4956
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4956.yml

Event ID 4957: Windows Firewall did not apply the following rule.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → MPSSVC Rule-Level Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

This event generates when Windows Firewall starts or apply new rule, and the rule cannot be applied for some reason.

Message #

Windows Firewall did not apply the following rule:

Rule Information:
	ID: %1
	Name: %2

Error Information:
	Reason: %3 resolved to an empty set.

Fields #

Name	Description
`RuleId` UnicodeString	The unique identifier for not applied firewall rule.
`RuleName` UnicodeString	The name of the rule which was not applied.
`RuleAttr` UnicodeString	The reason why the rule was not applied.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4957,
    "version": 0,
    "level": 0,
    "task": 13571,
    "opcode": 0,
    "keywords": -9218868437227405312,
    "time_created": "2026-05-29T23:47:58.2985815+00:00",
    "event_record_id": 1780243,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 2452
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "RuleId": "Microsoft.Win32WebViewHost_cw5n1h2txyewy_S-1-5-21-1006758700-2167138679-1475694448-1105_Out_notRemoteName_Wi-Fi",
    "RuleName": "Microsoft.Win32WebViewHost_cw5n1h2txyewy_S-1-5-21-1006758700-2167138679-1475694448-1105_Out_notRemoteName_Wi-Fi",
    "RuleAttr": "Interfaces"
  },
  "message": "Windows Firewall did not apply the following rule:\r\n\r\nRule Information:\r\n\tID:\tMicrosoft.Win32WebViewHost_cw5n1h2txyewy_S-1-5-21-1006758700-2167138679-1475694448-1105_Out_notRemoteName_Wi-Fi\r\n\tName:\tMicrosoft.Win32WebViewHost_cw5n1h2txyewy_S-1-5-21-1006758700-2167138679-1475694448-1105_Out_notRemoteName_Wi-Fi\r\n\r\nError Information:\r\n\tReason:\tInterfaces resolved to an empty set."
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4957
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4957
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4957.yml

Event ID 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → MPSSVC Rule-Level Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.

Message #

Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:

Rule Information:
	ID: %1
	Name: %2

Error Information:
	Error: %3
	Reason: %4

Fields #

Name	Description
`RuleId` UnicodeString	[Rule Information] ID
`RuleName` UnicodeString	[Rule Information] Name
`Error` UnicodeString	[Error Information] Error
`Reason` UnicodeString	[Error Information] Reason

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4958
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change

Event ID 4960: IPsec dropped an inbound packet that failed an integrity check.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → IPsec Driver
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. Remote Network Address: RemoteAddress Inbound SA SPI: SPI

Message #

IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.

Remote Network Address: %1
Inbound SA SPI: %2

Fields #

Name	Description
`RemoteAddress` UnicodeString	Remote Network Address
`SPI` UInt32	Inbound SA SPI

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4960
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver

Event ID 4961: IPsec dropped an inbound packet that failed a replay check.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → IPsec Driver
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.

Message #

IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.

Remote Network Address: %1
Inbound SA SPI: %2

Fields #

Name	Description
`RemoteAddress` UnicodeString	Remote Network Address
`SPI` UInt32	Inbound SA SPI

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver

Event ID 4962: IPsec dropped an inbound packet that failed a replay check.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → IPsec Driver
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.

Message #

IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.

Remote Network Address: %1
Inbound SA SPI: %2

Fields #

Name	Description
`RemoteAddress` UnicodeString	Remote Network Address
`SPI` UInt32	Inbound SA SPI

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver

Event ID 4963: IPsec dropped an inbound clear text packet that should have been secured.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → IPsec Driver
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

IPsec dropped an inbound clear text packet that should have been secured. If the remote computer is configured with a Request Outbound IPsec policy, this might be benign and expected. This can also be caused by the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. Remote Network Address: RemoteAddress Inbound SA SPI: SPI

Message #

IPsec dropped an inbound clear text packet that should have been secured. If the remote computer is configured with a Request Outbound IPsec policy, this might be benign and expected.  This can also be caused by the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.

Remote Network Address: %1
Inbound SA SPI: %2

Fields #

Name	Description
`RemoteAddress` UnicodeString	Remote Network Address
`SPI` UInt32	Inbound SA SPI

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4963,
    "version": 0,
    "level": 0,
    "task": 12291,
    "opcode": 0,
    "keywords": -9218868437227405312,
    "time_created": "2026-05-30T02:02:50.4866299+00:00",
    "event_record_id": 22244714,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 10592
    },
    "channel": "Security",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "RemoteAddress": "192.0.2.254",
    "SPI": "0"
  },
  "message": "IPsec dropped an inbound clear text packet that should have been secured. If the remote computer is configured with a Request Outbound IPsec policy, this might be benign and expected.  This can also be caused by the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.\r\n\r\nRemote Network Address:\t192.0.2.254\r\nInbound SA SPI:\t\t0"
}

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver

Event ID 4964: Special groups have been assigned to a new logon.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Special Logon
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event occurs when an account that is a member of any defined Special Group logs in.

Message #

Special groups have been assigned to a new logon.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4
	Logon GUID: %5

New Logon:
	Security ID: %6
	Account Name: %7
	Account Domain: %8
	Logon ID: %9
	Logon GUID: %10
	Special Groups Assigned: %11

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested logon for New Logon account.
`SubjectUserName` UnicodeString	The name of the account that requested logon for New Logon account.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID,.
`LogonGuid` GUID	A GUID that can help you correlate this event with another event that can contain the same Logon GUID, "4769(S, F): A Kerberos service ticket was requested event on a domain controller.
`TargetUserSid` SID	SID of account that performed the logon.
`TargetUserName` UnicodeString	The name of the account that performed the logon.
`TargetDomainName` UnicodeString	[New Logon] Account Domain.
`TargetLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`TargetLogonGuid` GUID	A GUID that can help you correlate this event with another event that can contain the same Logon GUID, "4769(S, F): A Kerberos service ticket was requested event on a domain controller.
`SidList` UnicodeString	The list of special group SIDs, which New Logon\Security ID is a member of.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4964,
    "version": 0,
    "level": 0,
    "task": 12548,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2021-04-22T08:51:04.686763Z",
    "event_record_id": 435111,
    "correlation": {},
    "execution": {
      "process_id": 480,
      "thread_id": 2416
    },
    "channel": "Security",
    "computer": "fs03vuln.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "FS03VULN$",
    "SubjectDomainName": "OFFSEC",
    "SubjectLogonId": "0x3e7",
    "LogonGuid": "00000000-0000-0000-0000-000000000000",
    "TargetUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
    "TargetUserName": "admmig",
    "TargetDomainName": "OFFSEC",
    "TargetLogonId": "0x74872",
    "TargetLogonGuid": "00000000-0000-0000-0000-000000000000",
    "SidList": "\r\n\t\t%{S-1-5-21-4230534742-2542757381-3142984815-1613}"
  }
}

Community Notes #

Detects Domain Admins or other high-value SIDs logging onto non-DC hosts.

Detection Rules #

Security-Auditing Event ID 5038: Code integrity determined that the image hash of a file is not valid.OREvent ID 6281: Code Integrity determined that the page hashes of an image file are not valid.

Sigma # view in coverage

Lateral movement detection (based on "special groups" feature) source medium: Detects scenarios where a user of a predefined set of group(s) logs on a target machine.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4964
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-special-logon
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4964.yml

Event ID 4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI).

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → IPsec Driver
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. Remote Network Address: RemoteAddress Inbound SA SPI: SPI

Message #

IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.

Remote Network Address: %1
Inbound SA SPI: %2

Fields #

Name	Description
`RemoteAddress` UnicodeString	Remote Network Address
`SPI` UInt32	Inbound SA SPI

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver

Event ID 4976: During Main Mode negotiation, IPsec received an invalid negotiation packet.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Main Mode
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

During main mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

Message #

During main mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

Local Network Address: %1
Remote Network Address: %2
Keying Module Name: %3

Fields #

Name	Description
`LocalAddress` UnicodeString	Local Network Address
`RemoteAddress` UnicodeString	Remote Network Address
`KeyModName` UnicodeString	Keying Module Name

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4976
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode

Event ID 4977: During Quick Mode negotiation, IPsec received an invalid negotiation packet.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Quick Mode
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

During quick mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

Message #

During quick mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

Local Network Address: %1
Remote Network Address: %2
Keying Module Name: %3

Fields #

Name	Description
`LocalAddress` UnicodeString	Local Network Address
`RemoteAddress` UnicodeString	Remote Network Address
`KeyModName` UnicodeString	Keying Module Name

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-quick-mode

Event ID 4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Extended Mode
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

During extended mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

Message #

During extended mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

Local Network Address: %1
Remote Network Address: %2
Keying Module Name: %3

Fields #

Name	Description
`LocalAddress` UnicodeString	Local Network Address
`RemoteAddress` UnicodeString	Remote Network Address
`KeyModName` UnicodeString	Keying Module Name

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode

Event ID 4979: IPsec Main Mode and Extended Mode security associations were established.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Extended Mode
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec main mode and extended mode security associations were established.

Message #

IPsec main mode and extended mode security associations were established.

Main Mode Local Endpoint:
	Principal Name: %1
	Network Address: %3
	Keying Module Port: %4

Main Mode Remote Endpoint:
	Principal Name: %2
	Network Address: %5
	Keying Module Port: %6

Main Mode Cryptographic Information:
	Cipher Algorithm: %8
	Integrity Algorithm: %9
	Diffie-Hellman Group: %10

Main Mode Security Association:
	Lifetime (minutes): %11
	Quick Mode Limit: %12
	Main Mode SA ID: %16
	
Main Mode Additional Information:
	Keying Module Name:	AuthIP
	Authentication Method: %7
	Role: %13
	Impersonation State: %14
	Main Mode Filter ID: %15

Extended Mode Information:
	Local Principal Name: %17
	Remote Principal Name: %18
	Authentication Method: %19
	Impersonation State: %20
	Quick Mode Filter ID: %21

Fields #

Name	Description
`LocalMMPrincipalName` UnicodeString	[Main Mode Local Endpoint] Principal Name
`RemoteMMPrincipalName` UnicodeString	[Main Mode Remote Endpoint] Principal Name
`LocalAddress` UnicodeString	[Main Mode Local Endpoint] Network Address
`LocalKeyModPort` UInt32	[Main Mode Local Endpoint] Keying Module Port
`RemoteAddress` UnicodeString	[Main Mode Remote Endpoint] Network Address
`RemoteKeyModPort` UInt32	[Main Mode Remote Endpoint] Keying Module Port
`MMAuthMethod` UnicodeString	[Main Mode Additional Information] Authentication Method
`MMCipherAlg` UnicodeString	[Main Mode Cryptographic Information] Cipher Algorithm
`MMIntegrityAlg` UnicodeString	[Main Mode Cryptographic Information] Integrity Algorithm
`DHGroup` UnicodeString	[Main Mode Cryptographic Information] Diffie-Hellman Group
`MMLifetime` UInt32	[Main Mode Security Association] Lifetime (minutes)
`QMLimit` UInt32	[Main Mode Security Association] Quick Mode Limit
`Role` UnicodeString	[Main Mode Additional Information] Role
`MMImpersonationState` UnicodeString	[Main Mode Additional Information] Impersonation State
`MMFilterID` UInt64	[Main Mode Additional Information] Main Mode Filter ID
`MMSAID` UInt64	[Main Mode Security Association] Main Mode SA ID
`LocalEMPrincipalName` UnicodeString	[Extended Mode Information] Local Principal Name
`RemoteEMPrincipalName` UnicodeString	[Extended Mode Information] Remote Principal Name
`EMAuthMethod` UnicodeString	[Extended Mode Information] Authentication Method
`EMImpersonationState` UnicodeString	[Extended Mode Information] Impersonation State
`QMFilterID` UInt64	[Extended Mode Information] Quick Mode Filter ID

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4979
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode

Event ID 4980: IPsec Main Mode and Extended Mode security associations were established.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Extended Mode
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec main mode and extended mode security associations were established.

Message #

IPsec main mode and extended mode security associations were established.

Main Mode Local Endpoint:
	Principal Name: %1
	Network Address: %3
	Keying Module Port: %4

Main Mode Remote Endpoint:
	Principal Name: %2
	Network Address: %5
	Keying Module Port: %6

Main Mode Cryptographic Information:
	Cipher Algorithm: %8
	Integrity Algorithm: %9
	Diffie-Hellman Group: %10

Main Mode Security Association:
	Lifetime (minutes): %11
	Quick Mode Limit: %12
	Main Mode SA ID: %16
	
Main Mode Additional Information:
	Keying Module Name:	AuthIP
	Authentication Method: %7
	Role: %13
	Impersonation State: %14
	Main Mode Filter ID: %15

Extended Mode Local Endpoint:
	Principal Name: %17
	Certificate SHA Thumbprint: %18
	Certificate Issuing CA: %19
	Certificate Root CA: %20

Extended Mode Remote Endpoint:
	Principal Name: %21
	Certificate SHA Thumbprint: %22
	Certificate Issuing CA: %23
	Certificate Root CA: %24

Extended Mode Additional Information:
	Authentication Method:	SSL
	Impersonation State: %25
	Quick Mode Filter ID: %26

Fields #

Name	Description
`LocalMMPrincipalName` UnicodeString	[Main Mode Local Endpoint] Principal Name
`RemoteMMPrincipalName` UnicodeString	[Main Mode Remote Endpoint] Principal Name
`LocalAddress` UnicodeString	[Main Mode Local Endpoint] Network Address
`LocalKeyModPort` UInt32	[Main Mode Local Endpoint] Keying Module Port
`RemoteAddress` UnicodeString	[Main Mode Remote Endpoint] Network Address
`RemoteKeyModPort` UInt32	[Main Mode Remote Endpoint] Keying Module Port
`MMAuthMethod` UnicodeString	[Main Mode Additional Information] Authentication Method
`MMCipherAlg` UnicodeString	[Main Mode Cryptographic Information] Cipher Algorithm
`MMIntegrityAlg` UnicodeString	[Main Mode Cryptographic Information] Integrity Algorithm
`DHGroup` UnicodeString	[Main Mode Cryptographic Information] Diffie-Hellman Group
`MMLifetime` UInt32	[Main Mode Security Association] Lifetime (minutes)
`QMLimit` UInt32	[Main Mode Security Association] Quick Mode Limit
`Role` UnicodeString	[Main Mode Additional Information] Role
`MMImpersonationState` UnicodeString	[Main Mode Additional Information] Impersonation State
`MMFilterID` UInt64	[Main Mode Additional Information] Main Mode Filter ID
`MMSAID` UInt64	[Main Mode Security Association] Main Mode SA ID
`LocalEMPrincipalName` UnicodeString	[Extended Mode Local Endpoint] Principal Name
`LocalEMCertHash` UnicodeString	[Extended Mode Local Endpoint] Certificate SHA Thumbprint
`LocalEMIssuingCA` UnicodeString	[Extended Mode Local Endpoint] Certificate Issuing CA
`LocalEMRootCA` UnicodeString	[Extended Mode Local Endpoint] Certificate Root CA
`RemoteEMPrincipalName` UnicodeString	[Extended Mode Remote Endpoint] Principal Name
`RemoteEMCertHash` UnicodeString	[Extended Mode Remote Endpoint] Certificate SHA Thumbprint
`RemoteEMIssuingCA` UnicodeString	[Extended Mode Remote Endpoint] Certificate Issuing CA
`RemoteEMRootCA` UnicodeString	[Extended Mode Remote Endpoint] Certificate Root CA
`EMImpersonationState` UnicodeString	[Extended Mode Additional Information] Impersonation State
`QMFilterID` UInt64	[Extended Mode Additional Information] Quick Mode Filter ID

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4980
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode

Event ID 4981: IPsec Main Mode and Extended Mode security associations were established.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Extended Mode
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec main mode and extended mode security associations were established.

Message #

IPsec main mode and extended mode security associations were established.

Local Endpoint:
	Principal Name: %1
	Network Address: %9
	Keying Module Port: %10

Local Certificate:
	SHA Thumbprint: %2
	Issuing CA: %3
	Root CA: %4

Remote Endpoint:
	Principal Name: %5
	Network Address: %11
	Keying Module Port: %12

Remote Certificate:
	SHA Thumbprint: %6
	Issuing CA: %7
	Root CA: %8

Cryptographic Information:
	Cipher Algorithm: %13
	Integrity Algorithm: %14
	Diffie-Hellman Group: %15

Security Association Information:
	Lifetime (minutes): %16
	Quick Mode Limit: %17
	Main Mode SA ID: %21

Additional Information:
	Keying Module Name:	AuthIP
	Authentication Method:	SSL
	Role: %18
	Impersonation State: %19
	Main Mode Filter ID: %20
	
Extended Mode Information:
	Local Principal Name: %22
	Remote Principal Name: %23
	Authentication Method: %24
	Impersonation State: %25
	Quick Mode Filter ID: %26

Fields #

Name	Description
`LocalMMPrincipalName` UnicodeString	[Local Endpoint] Principal Name
`LocalMMCertHash` UnicodeString	[Local Certificate] SHA Thumbprint
`LocalMMIssuingCA` UnicodeString	[Local Certificate] Issuing CA
`LocalMMRootCA` UnicodeString	[Local Certificate] Root CA
`RemoteMMPrincipalName` UnicodeString	[Remote Endpoint] Principal Name
`RemoteMMCertHash` UnicodeString	[Remote Certificate] SHA Thumbprint
`RemoteMMIssuingCA` UnicodeString	[Remote Certificate] Issuing CA
`RemoteMMRootCA` UnicodeString	[Remote Certificate] Root CA
`LocalAddress` UnicodeString	[Local Endpoint] Network Address
`LocalKeyModPort` UInt32	[Local Endpoint] Keying Module Port
`RemoteAddress` UnicodeString	[Remote Endpoint] Network Address
`RemoteKeyModPort` UInt32	[Remote Endpoint] Keying Module Port
`MMCipherAlg` UnicodeString	[Cryptographic Information] Cipher Algorithm
`MMIntegrityAlg` UnicodeString	[Cryptographic Information] Integrity Algorithm
`DHGroup` UnicodeString	[Cryptographic Information] Diffie-Hellman Group
`MMLifetime` UInt32	[Security Association Information] Lifetime (minutes)
`QMLimit` UInt32	[Security Association Information] Quick Mode Limit
`Role` UnicodeString	[Additional Information] Role
`MMImpersonationState` UnicodeString	[Additional Information] Impersonation State
`MMFilterID` UInt64	[Additional Information] Main Mode Filter ID
`MMSAID` UInt64	[Security Association Information] Main Mode SA ID
`LocalEMPrincipalName` UnicodeString	[Extended Mode Information] Local Principal Name
`RemoteEMPrincipalName` UnicodeString	[Extended Mode Information] Remote Principal Name
`EMAuthMethod` UnicodeString	[Extended Mode Information] Authentication Method
`EMImpersonationState` UnicodeString	[Extended Mode Information] Impersonation State
`QMFilterID` UInt64	[Extended Mode Information] Quick Mode Filter ID

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4981
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode

Event ID 4982: IPsec Main Mode and Extended Mode security associations were established.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Extended Mode
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec main mode and extended mode security associations were established.

Message #

IPsec main mode and extended mode security associations were established.

Local Endpoint:
	Principal Name: %1
	Network Address:	
	Keying Module Port: %9

Local Certificate:
	SHA Thumbprint: %2
	Issuing CA: %3
	Root CA: %4

Remote Endpoint:
	Principal Name: %5
	Network Address: %10
	Keying Module Port: %11

Remote Certificate:
	SHA Thumbprint: %6
	Issuing CA: %7
	Root CA: %8

Cryptographic Information:
	Cipher Algorithm: %12
	Integrity Algorithm: %13
	Diffie-Hellman Group: %14

Security Association Information:
	Lifetime (minutes): %15
	Quick Mode Limit: %16
	Main Mode SA ID: %20

Additional Information:
	Keying Module Name:	AuthIP
	Authentication Method:	SSL
	Role: %17
	Impersonation State: %18
	Main Mode Filter ID: %19
	
Extended Mode Local Endpoint:
	Principal Name: %21
	Certificate SHA Thumbprint: %22
	Certificate Issuing CA: %23
	Certificate Root CA: %24

Extended Mode Remote Endpoint:
	Principal Name: %25
	Certificate SHA Thumbprint: %26
	Certificate Issuing CA: %27
	Certificate Root CA: %28
Extended Mode Additional Information:
	Authentication Method:	SSL
	Impersonation State: %29
	Quick Mode Filter ID: %30

Fields #

Name	Description
`LocalMMPrincipalName` UnicodeString	[Local Endpoint] Principal Name
`LocalMMCertHash` UnicodeString	[Local Certificate] SHA Thumbprint
`LocalMMIssuingCA` UnicodeString	[Local Certificate] Issuing CA
`LocalMMRootCA` UnicodeString	[Local Certificate] Root CA
`RemoteMMPrincipalName` UnicodeString	[Remote Endpoint] Principal Name
`RemoteMMCertHash` UnicodeString	[Remote Certificate] SHA Thumbprint
`RemoteMMIssuingCA` UnicodeString	[Remote Certificate] Issuing CA
`RemoteMMRootCA` UnicodeString	[Remote Certificate] Root CA
`LocalKeyModPort` UInt32	[Network Address] Keying Module Port
`RemoteAddress` UnicodeString	[Remote Endpoint] Network Address
`RemoteKeyModPort` UInt32	[Remote Endpoint] Keying Module Port
`MMCipherAlg` UnicodeString	[Cryptographic Information] Cipher Algorithm
`MMIntegrityAlg` UnicodeString	[Cryptographic Information] Integrity Algorithm
`DHGroup` UnicodeString	[Cryptographic Information] Diffie-Hellman Group
`MMLifetime` UInt32	[Security Association Information] Lifetime (minutes)
`QMLimit` UInt32	[Security Association Information] Quick Mode Limit
`Role` UnicodeString	[Additional Information] Role
`MMImpersonationState` UnicodeString	[Additional Information] Impersonation State
`MMFilterID` UInt64	[Additional Information] Main Mode Filter ID
`MMSAID` UInt64	[Security Association Information] Main Mode SA ID
`LocalEMPrincipalName` UnicodeString	[Extended Mode Local Endpoint] Principal Name
`LocalEMCertHash` UnicodeString	[Extended Mode Local Endpoint] Certificate SHA Thumbprint
`LocalEMIssuingCA` UnicodeString	[Extended Mode Local Endpoint] Certificate Issuing CA
`LocalEMRootCA` UnicodeString	[Extended Mode Local Endpoint] Certificate Root CA
`RemoteEMPrincipalName` UnicodeString	[Extended Mode Remote Endpoint] Principal Name
`RemoteEMCertHash` UnicodeString	[Extended Mode Remote Endpoint] Certificate SHA Thumbprint
`RemoteEMIssuingCA` UnicodeString	[Extended Mode Remote Endpoint] Certificate Issuing CA
`RemoteEMRootCA` UnicodeString	[Extended Mode Remote Endpoint] Certificate Root CA
`EMImpersonationState` UnicodeString	[Extended Mode Additional Information] Impersonation State
`QMFilterID` UInt64	[Extended Mode Additional Information] Quick Mode Filter ID

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4982
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode

Event ID 4983: An IPsec Extended Mode negotiation failed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Extended Mode
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.

Message #

An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.


Local Endpoint:
	Principal Name: %1
	Network Address: %9
	Keying Module Port: %10

Local Certificate:
	SHA Thumbprint: %2
	Issuing CA: %3
	Root CA: %4

Remote Endpoint:
	Principal Name: %5
	Network Address: %11
	Keying Module Port: %12

Remote Certificate:
	SHA Thumbprint: %6
	Issuing CA: %7
	Root CA: %8

Additional Information:
	Keying Module Name:	AuthIP
	Authentication Method:	SSL
	Role: %16
	Impersonation State: %17
	Quick Mode Filter ID: %18

Failure Information:
	Failure Point: %13
	Failure Reason: %14
	State: %15

Fields #

Name	Description
`LocalEMPrincipalName` UnicodeString	[Local Endpoint] Principal Name
`LocalEMCertHash` UnicodeString	[Local Certificate] SHA Thumbprint
`LocalEMIssuingCA` UnicodeString	[Local Certificate] Issuing CA
`LocalEMRootCA` UnicodeString	[Local Certificate] Root CA
`RemoteEMPrincipalName` UnicodeString	[Remote Endpoint] Principal Name
`RemoteEMCertHash` UnicodeString	[Remote Certificate] SHA Thumbprint
`RemoteEMIssuingCA` UnicodeString	[Remote Certificate] Issuing CA
`RemoteEMRootCA` UnicodeString	[Remote Certificate] Root CA
`LocalAddress` UnicodeString	[Local Endpoint] Network Address
`LocalKeyModPort` UInt32	[Local Endpoint] Keying Module Port
`RemoteAddress` UnicodeString	[Remote Endpoint] Network Address
`RemoteKeyModPort` UInt32	[Remote Endpoint] Keying Module Port
`FailurePoint` UnicodeString	[Failure Information] Failure Point
`FailureReason` UnicodeString	[Failure Information] Failure Reason Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used. `0x0` Success (no failure - emitted by DPAPI Activity events 4692/4694/4695 when the master-key backup or auditable-data protect/unprotect operation succeeded, and by IPsec Main Mode success paths on 4652/4653/4654) `New policy invalidated SAs formed with old policy` IPsec Main Mode SA was torn down because a new IPsec policy rendered the existing SA invalid (event 4653 specific reason string)
`State` UnicodeString	[Failure Information] State
`Role` UnicodeString	[Additional Information] Role
`EMImpersonationState` UnicodeString	[Additional Information] Impersonation State
`QMFilterID` UInt64	[Additional Information] Quick Mode Filter ID

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4983
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode

Event ID 4984: An IPsec Extended Mode negotiation failed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Extended Mode
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.

Message #

An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.

Local Endpoint:
	Principal Name: %1
	Network Address: %3
	Keying Module Port: %4

Remote Endpoint:
	Principal Name: %2
	Network Address: %5
	Keying Module Port: %6

Additional Information:
	Keying Module Name:	AuthIP
	Authentication Method: %9
	Role: %11
	Impersonation State: %12
	Quick Mode Filter ID: %13

Failure Information:
	Failure Point: %7
	Failure Reason: %8
	State: %10

Fields #

Name	Description
`LocalEMPrincipalName` UnicodeString	[Local Endpoint] Principal Name
`RemoteEMPrincipalName` UnicodeString	[Remote Endpoint] Principal Name
`LocalAddress` UnicodeString	[Local Endpoint] Network Address
`LocalKeyModPort` UInt32	[Local Endpoint] Keying Module Port
`RemoteAddress` UnicodeString	[Remote Endpoint] Network Address
`RemoteKeyModPort` UInt32	[Remote Endpoint] Keying Module Port
`FailurePoint` UnicodeString	[Failure Information] Failure Point
`FailureReason` UnicodeString	[Failure Information] Failure Reason Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used. `0x0` Success (no failure - emitted by DPAPI Activity events 4692/4694/4695 when the master-key backup or auditable-data protect/unprotect operation succeeded, and by IPsec Main Mode success paths on 4652/4653/4654) `New policy invalidated SAs formed with old policy` IPsec Main Mode SA was torn down because a new IPsec policy rendered the existing SA invalid (event 4653 specific reason string)
`EMAuthMethod` UnicodeString	[Additional Information] Authentication Method
`State` UnicodeString	[Failure Information] State
`Role` UnicodeString	[Additional Information] Role
`EMImpersonationState` UnicodeString	[Additional Information] Impersonation State
`QMFilterID` UInt64	[Additional Information] Quick Mode Filter ID

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4984
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode

Event ID 4985: The state of a transaction has changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → File System
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This is an informational event from file system Transaction Manager.

Message #

The state of a transaction has changed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Transaction Information:
	RM Transaction ID: %5
	New State: %6
	Resource Manager: %7

Process Information:
	Process ID: %8
	Process Name: %9

Fields #

Name	Description
`SubjectUserSid` SID	SID of account through which the state of the transaction was changed.
`SubjectUserName` UnicodeString	The name of the account that changed the state of the transaction.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`TransactionId` GUID	Unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as "4656(S, F): A handle to an object was requested."
`NewState` UInt32	[Transaction Information] New State.
`ResourceManager` GUID	Unique GUID-Identifier of the Resource Manager which associated with this transaction.
`ProcessId` Pointer	Hexadecimal Process ID of the process through which the state of the transaction was changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
`ProcessName` UnicodeString	Full path and the name of the executable for the process.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4985,
    "version": 0,
    "level": 0,
    "task": 12800,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:22:20.7831555+00:00",
    "event_record_id": 2926202,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 180
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-C$",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x3e7",
    "TransactionId": "{93f34f5e-5b7d-11f1-965a-9db39466505c}",
    "NewState": "52",
    "ResourceManager": "{f140d9bc-e67e-11f0-809e-ad7f23ecb1e8}",
    "ProcessId": "0x59c",
    "ProcessName": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.20348.557_none_f1edaeb8515fa10d\\TiWorker.exe"
  },
  "message": "The state of a transaction has changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTransaction Information:\r\n\tRM Transaction ID:\t{93f34f5e-5b7d-11f1-965a-9db39466505c}\r\n\tNew State:\t\t52\r\n\tResource Manager:\t{f140d9bc-e67e-11f0-809e-ad7f23ecb1e8}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x59c\r\n\tProcess Name:\t\tC:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.20348.557_none_f1edaeb8515fa10d\\TiWorker.exe"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4985
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4985
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4985.yml

Event ID 5024: The Windows Firewall Service has started successfully.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

The Windows Firewall service started successfully.

Message #

The Windows Firewall service started successfully.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5024,
    "version": 0,
    "level": 0,
    "task": 12292,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:32:57.9399842+00:00",
    "event_record_id": 1717500,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 968
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": "The Windows Firewall service started successfully."
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5024
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5024

Event ID 5025: The Windows Firewall Service has been stopped.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

The Windows Firewall service was stopped.

Message #

The Windows Firewall service was stopped.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events

Event ID 5027: The Windows Firewall Service was unable to retrieve the security policy from the local storage.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

The Windows Firewall service was unable to retrieve the security policy from the local storage. Windows Firewall will continue to enforce the current policy.

Message #

The Windows Firewall service was unable to retrieve the security policy from the local storage. Windows Firewall will continue to enforce the current policy.

Error Code: %1

Fields #

Name	Description
`ErrorCode` UInt32	Error Code.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5027
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5027.yml

Event ID 5028: The Windows Firewall Service was unable to parse the new security policy.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

Windows Firewall was unable to parse the new security policy. Windows Firewall will continue to enforce the current policy.

Message #

Windows Firewall was unable to parse the new security policy. Windows Firewall will continue to enforce the current policy.

Error Code: %1

Fields #

Name	Description
`ErrorCode` UInt32	Error Code.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5028.yml

Event ID 5029: The Windows Firewall Service failed to initialize the driver.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

The Windows Firewall service failed to initialize the driver. Windows Firewall will continue to enforce the current policy.

Message #

The Windows Firewall service failed to initialize the driver. Windows Firewall will continue to enforce the current policy.

Error Code: %1

Fields #

Name	Description
`ErrorCode` UInt32	Error Code

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events

Event ID 5030: The Windows Firewall Service failed to start.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

The Windows Firewall service failed to start.

Message #

The Windows Firewall service failed to start.

Error Code: %1

Fields #

Name	Description
`ErrorCode` UInt32	Error Code

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events

Event ID 5031: The Windows Firewall Service blocked an application from accepting incoming connections on the network.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Filtering Platform Connection
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates when an application was blocked from accepting incoming connections on the network by Windows Filtering Platform. If you don't have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you will get this event from Windows Filtering Platform layer, because by default this layer is denying any incoming connections.

Message #

Windows Firewall blocked an application from accepting incoming connections on the network.

Profiles: %1
Application: %2

Fields #

Name	Description
`Profiles` UnicodeString	Network profile using which application was blocked. Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Application` UnicodeString	Full path and file name of executable file for blocked application.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5031,
    "version": 0,
    "level": 0,
    "task": 12810,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2026-03-13T22:02:00.253205+00:00",
    "event_record_id": 16477825,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0001-07E8-260D33B3DC01"
    },
    "execution": {
      "process_id": 936,
      "thread_id": 5688
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Profiles": "(null)",
    "Application": "C:\\windows\\system32\\wbem\\wmiprvse.exe"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5031
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5031.yml

Event ID 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Message #

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: %1

Fields #

Name	Description
`ErrorCode` UInt32	Error Code

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events

Event ID 5033: The Windows Firewall Driver has started successfully.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

The Windows Firewall Driver started successfully.

Message #

The Windows Firewall Driver started successfully.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5033,
    "version": 0,
    "level": 0,
    "task": 12292,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:32:57.3173818+00:00",
    "event_record_id": 1716242,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 1048
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": "The Windows Firewall Driver started successfully."
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5033
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5033

Event ID 5034: The Windows Firewall Driver has been stopped.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

The Windows Firewall Driver was stopped.

Message #

The Windows Firewall Driver was stopped.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events

Event ID 5035: The Windows Firewall Driver failed to start.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

The Windows Firewall Driver failed to start.

Message #

The Windows Firewall Driver failed to start.

Error Code: %1

Fields #

Name	Description
`ErrorCode` UInt32	Error Code

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events

Event ID 5037: The Windows Firewall Driver detected critical runtime error.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

The Windows Firewall Driver detected a critical runtime error, terminating.

Message #

The Windows Firewall Driver detected a critical runtime error, terminating.

Error Code: %1

Fields #

Name	Description
`ErrorCode` UInt32	Error Code

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events

Event ID 5038: Code integrity determined that the image hash of a file is not valid.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → System Integrity
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

Message #

Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: %1

Fields #

Name	Description	Rules
`param1`		5 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5038,
    "version": 0,
    "level": 0,
    "task": 12290,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2026-03-08T23:22:33.111223+00:00",
    "event_record_id": 1559738,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4964
    },
    "channel": "Security",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\145.0.3800.97\\prefs_enclave_x64.dll"
  },
  "message": ""
}

Detection Patterns #

Stealth: Binary Padding

1 rule

Sigma

Failed Code Integrity Checks (source)

Thomas Patzke

Community Notes #

May indicate that malware attempted to load an unsigned or tampered driver/system file.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity

Event ID 5039: A registry key was virtualized.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Registry
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

A registry key was virtualized.

Message #

A registry key was virtualized.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Key Name: %5
	Virtual Key Name: %6

Process Information:
	Process ID: %7
	Process Name: %8

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`ObjectPath` UnicodeString	[Object] Key Name
`ObjectVirtualPath` UnicodeString	[Object] Virtual Key Name
`ProcessId` Pointer	[Process Information] Process ID
`ProcessName` UnicodeString	[Process Information] Process Name

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5039
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry

Event ID 5040: A change has been made to IPsec settings. An Authentication Set was added.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A change was made to IPsec settings. An authentication set was added.

Message #

A change was made to IPsec settings. An authentication set was added.
	
Profile Changed: %1

Added Authentication Set:
	ID: %2
	Name: %3

Fields #

Name	Description
`ProfileChanged` UnicodeString	Profile Changed Known values `%%14644` Public `%%14645` Private `%%14646` Domain `Public` Resolved alias for %%14644 (Windows Defender Firewall Public profile) `Private` Resolved alias for %%14645 (Windows Defender Firewall Private profile) `Domain` Resolved alias for %%14646 (Windows Defender Firewall Domain profile) `All` Composite indicating all three profiles changed simultaneously (Domain + Private + Public)
`AuthenticationSetId` UnicodeString	[Added Authentication Set] ID
`AuthenticationSetName` UnicodeString	[Added Authentication Set] Name

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5040,
    "version": 0,
    "level": 0,
    "task": 13572,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-30T02:02:49.7431736+00:00",
    "event_record_id": 22244663,
    "correlation": {
      "ActivityID": "{4EF7F6F1-F070-4190-A66F-D8BD2C190922}"
    },
    "execution": {
      "process_id": 1000,
      "thread_id": 12780
    },
    "channel": "Security",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProfileChanged": "All",
    "AuthenticationSetId": "{013759fa-9005-463f-958c-4cb70474217f}",
    "AuthenticationSetName": "WFPCAT-P1Auth"
  },
  "message": "A change was made to IPsec settings. An authentication set was added.\r\n\t\r\nProfile Changed:\t\tAll\r\n\r\nAdded Authentication Set:\r\n\tID:\t\t\t{013759fa-9005-463f-958c-4cb70474217f}\r\n\tName:\t\t\tWFPCAT-P1Auth"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5040
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5041: A change has been made to IPsec settings. An Authentication Set was modified.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A change was made to IPsec settings. An authentication set was modified.

Message #

A change was made to IPsec settings. An authentication set was modified.
	
Profile Changed: %1

Modified Authentication Set:
	ID: %2
	Name: %3

Fields #

Name	Description
`ProfileChanged` UnicodeString	Profile Changed Known values `%%14644` Public `%%14645` Private `%%14646` Domain `Public` Resolved alias for %%14644 (Windows Defender Firewall Public profile) `Private` Resolved alias for %%14645 (Windows Defender Firewall Private profile) `Domain` Resolved alias for %%14646 (Windows Defender Firewall Domain profile) `All` Composite indicating all three profiles changed simultaneously (Domain + Private + Public)
`AuthenticationSetId` UnicodeString	[Modified Authentication Set] ID
`AuthenticationSetName` UnicodeString	[Modified Authentication Set] Name

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5042: A change has been made to IPsec settings. An Authentication Set was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A change was made to IPsec settings. An authentication set was deleted.

Message #

A change was made to IPsec settings. An authentication set was deleted.
	
Profile Changed: %1

Deleted Authentication Set:
	ID: %2
	Name: %3

Fields #

Name	Description
`ProfileChanged` UnicodeString	Profile Changed Known values `%%14644` Public `%%14645` Private `%%14646` Domain `Public` Resolved alias for %%14644 (Windows Defender Firewall Public profile) `Private` Resolved alias for %%14645 (Windows Defender Firewall Private profile) `Domain` Resolved alias for %%14646 (Windows Defender Firewall Domain profile) `All` Composite indicating all three profiles changed simultaneously (Domain + Private + Public)
`AuthenticationSetId` UnicodeString	[Deleted Authentication Set] ID
`AuthenticationSetName` UnicodeString	[Deleted Authentication Set] Name

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5042,
    "version": 0,
    "level": 0,
    "task": 13572,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-30T02:02:52.9127084+00:00",
    "event_record_id": 22245177,
    "correlation": {
      "ActivityID": "{E3860C49-4A17-4CCD-BFBE-7C55FD0600FA}"
    },
    "execution": {
      "process_id": 1000,
      "thread_id": 12548
    },
    "channel": "Security",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProfileChanged": "All",
    "AuthenticationSetId": "{013759fa-9005-463f-958c-4cb70474217f}",
    "AuthenticationSetName": "WFPCAT-P1Auth"
  },
  "message": "A change was made to IPsec settings. An authentication set was deleted.\r\n\t\r\nProfile Changed:\t\tAll\r\n\r\nDeleted Authentication Set:\r\n\tID:\t\t\t{013759fa-9005-463f-958c-4cb70474217f}\r\n\tName:\t\t\tWFPCAT-P1Auth"
}

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5043: A change has been made to IPsec settings. A Connection Security Rule was added.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A change was made to IPsec settings. A connection security rule was added.

Message #

A change was made to IPsec settings. A connection security rule was added.
	
Profile Changed: %1

Added Connection Security Rule:
	ID: %2
	Name: %3

Fields #

Name	Description
`ProfileChanged` UnicodeString	Profile Changed Known values `%%14644` Public `%%14645` Private `%%14646` Domain `Public` Resolved alias for %%14644 (Windows Defender Firewall Public profile) `Private` Resolved alias for %%14645 (Windows Defender Firewall Private profile) `Domain` Resolved alias for %%14646 (Windows Defender Firewall Domain profile) `All` Composite indicating all three profiles changed simultaneously (Domain + Private + Public)
`ConnectionSecurityRuleId` UnicodeString	[Added Connection Security Rule] ID
`ConnectionSecurityRuleName` UnicodeString	[Added Connection Security Rule] Name

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5043,
    "version": 0,
    "level": 0,
    "task": 13572,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:18:50.849068+00:00",
    "event_record_id": 16258903,
    "correlation": {
      "ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
    },
    "execution": {
      "process_id": 968,
      "thread_id": 8880
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProfileChanged": "All",
    "ConnectionSecurityRuleId": "{381d54cc-2531-403f-a16e-a1703049dcb4}",
    "ConnectionSecurityRuleName": "EvtGen-IPsec-Test"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5043
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5044: A change has been made to IPsec settings. A Connection Security Rule was modified.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A change was made to IPsec settings. A connection security rule was modified.

Message #

A change was made to IPsec settings. A connection security rule was modified.
	
Profile Changed: %1

Modified Connection Security Rule:
	ID: %2
	Name: %3

Fields #

Name	Description
`ProfileChanged` UnicodeString	Profile Changed Known values `%%14644` Public `%%14645` Private `%%14646` Domain `Public` Resolved alias for %%14644 (Windows Defender Firewall Public profile) `Private` Resolved alias for %%14645 (Windows Defender Firewall Private profile) `Domain` Resolved alias for %%14646 (Windows Defender Firewall Domain profile) `All` Composite indicating all three profiles changed simultaneously (Domain + Private + Public)
`ConnectionSecurityRuleId` UnicodeString	[Modified Connection Security Rule] ID
`ConnectionSecurityRuleName` UnicodeString	[Modified Connection Security Rule] Name

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5044,
    "version": 0,
    "level": 0,
    "task": 13572,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-30T02:02:49.6831207+00:00",
    "event_record_id": 22244187,
    "correlation": {
      "ActivityID": "{093FEE7B-3CD4-4D42-AC5D-E3AB9B23E8EF}"
    },
    "execution": {
      "process_id": 1000,
      "thread_id": 12780
    },
    "channel": "Security",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProfileChanged": "All",
    "ConnectionSecurityRuleId": "{e88185b9-b2ad-4073-83c9-6e4038b99ccc}",
    "ConnectionSecurityRuleName": "WFPCAT-ConnSec-Transport"
  },
  "message": "A change was made to IPsec settings. A connection security rule was modified.\r\n\t\r\nProfile Changed:\tAll\r\n\r\nModified Connection Security Rule:\r\n\tID:\t\t\t{e88185b9-b2ad-4073-83c9-6e4038b99ccc}\r\n\tName:\t\t\tWFPCAT-ConnSec-Transport"
}

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5045: A change has been made to IPsec settings. A Connection Security Rule was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A change was made to IPsec settings. A connection security rule was deleted.

Message #

A change was made to IPsec settings. A connection security rule was deleted.
	
Profile Changed: %1

Deleted Connection Security Rule:
	ID: %2
	Name: %3

Fields #

Name	Description
`ProfileChanged` UnicodeString	Profile Changed Known values `%%14644` Public `%%14645` Private `%%14646` Domain `Public` Resolved alias for %%14644 (Windows Defender Firewall Public profile) `Private` Resolved alias for %%14645 (Windows Defender Firewall Private profile) `Domain` Resolved alias for %%14646 (Windows Defender Firewall Domain profile) `All` Composite indicating all three profiles changed simultaneously (Domain + Private + Public)
`ConnectionSecurityRuleId` UnicodeString	[Deleted Connection Security Rule] ID
`ConnectionSecurityRuleName` UnicodeString	[Deleted Connection Security Rule] Name

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5045,
    "version": 0,
    "level": 0,
    "task": 13572,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:19:58.877712+00:00",
    "event_record_id": 16285930,
    "correlation": {
      "ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
    },
    "execution": {
      "process_id": 968,
      "thread_id": 1100
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProfileChanged": "All",
    "ConnectionSecurityRuleId": "{381d54cc-2531-403f-a16e-a1703049dcb4}",
    "ConnectionSecurityRuleName": "EvtGen-IPsec-Test"
  },
  "message": ""
}

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5046: A change has been made to IPsec settings. A Crypto Set was added.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A change was made to IPsec settings. A crypto set was added.

Message #

A change was made to IPsec settings. A crypto set was added.
	
Profile Changed: %1

Added Crypto Set:
	ID: %2
	Name: %3

Fields #

Name	Description
`ProfileChanged` UnicodeString	Profile Changed Known values `%%14644` Public `%%14645` Private `%%14646` Domain `Public` Resolved alias for %%14644 (Windows Defender Firewall Public profile) `Private` Resolved alias for %%14645 (Windows Defender Firewall Private profile) `Domain` Resolved alias for %%14646 (Windows Defender Firewall Domain profile) `All` Composite indicating all three profiles changed simultaneously (Domain + Private + Public)
`CryptographicSetId` UnicodeString	[Added Crypto Set] ID
`CryptographicSetName` UnicodeString	[Added Crypto Set] Name

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5046
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5047: A change has been made to IPsec settings. A Crypto Set was modified.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A change was made to IPsec settings. A crypto set was modified.

Message #

A change was made to IPsec settings. A crypto set was modified.
	
Profile Changed: %1

Modified Crypto Set:
	ID: %2
	Name: %3

Fields #

Name	Description
`ProfileChanged` UnicodeString	Profile Changed Known values `%%14644` Public `%%14645` Private `%%14646` Domain `Public` Resolved alias for %%14644 (Windows Defender Firewall Public profile) `Private` Resolved alias for %%14645 (Windows Defender Firewall Private profile) `Domain` Resolved alias for %%14646 (Windows Defender Firewall Domain profile) `All` Composite indicating all three profiles changed simultaneously (Domain + Private + Public)
`CryptographicSetId` UnicodeString	[Modified Crypto Set] ID
`CryptographicSetName` UnicodeString	[Modified Crypto Set] Name

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5048: A change has been made to IPsec settings. A Crypto Set was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A change was made to IPsec settings. A crypto set was deleted.

Message #

A change was made to IPsec settings. A crypto set was deleted.
	
Profile Changed: %1

Deleted Crypto Set:
	ID: %2
	Name: %3

Fields #

Name	Description
`ProfileChanged` UnicodeString	Profile Changed Known values `%%14644` Public `%%14645` Private `%%14646` Domain `Public` Resolved alias for %%14644 (Windows Defender Firewall Public profile) `Private` Resolved alias for %%14645 (Windows Defender Firewall Private profile) `Domain` Resolved alias for %%14646 (Windows Defender Firewall Domain profile) `All` Composite indicating all three profiles changed simultaneously (Domain + Private + Public)
`CryptographicSetId` UnicodeString	[Deleted Crypto Set] ID
`CryptographicSetName` UnicodeString	[Deleted Crypto Set] Name

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5049: An IPsec Security Association was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Main Mode
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An IPsec security association was deleted.

Message #

An IPsec security association was deleted.
	
Profile Changed: %1

Deleted SA:
	ID: %2
	Name: %3

Fields #

Name	Description
`ProfileChanged` UnicodeString	Profile Changed Known values `%%14644` Public `%%14645` Private `%%14646` Domain `Public` Resolved alias for %%14644 (Windows Defender Firewall Public profile) `Private` Resolved alias for %%14645 (Windows Defender Firewall Private profile) `Domain` Resolved alias for %%14646 (Windows Defender Firewall Domain profile) `All` Composite indicating all three profiles changed simultaneously (Domain + Private + Public)
`IpSecSecurityAssociationId` UnicodeString	[Deleted SA] ID
`IpSecSecurityAssociationName` UnicodeString	[Deleted SA] Name

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5049
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode

Event ID 5050: An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE) interface was rejected.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An attempt to programmatically disable Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE) interface was rejected because this API is not supported on this version of Windows. This is most likely due to a program that is incompatible with this version of Windows. Please contact the program's manufacturer to make sure you have a compatible program version. Error Code: E_NOTIMPL Caller Process Name: CallerProcessName Process Id: ProcessId Publisher: Publisher

Message #

An attempt to programmatically disable Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE) interface was rejected because this API is not supported on this version of Windows. This is most likely due to a program that is incompatible with this version of Windows. Please contact the program's manufacturer to make sure you have a compatible program version.

Error Code:		E_NOTIMPL
Caller Process Name: %1
Process Id: %2
Publisher: %3

Fields #

Name	Description
`CallerProcessName` UnicodeString	Caller Process Name
`ProcessId` UInt32	Process Id
`Publisher` UnicodeString	Publisher

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5050

Event ID 5051: A file was virtualized.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → File System
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event should be generated when file was virtualized using LUAFV. This event occurs very rarely during standard LUAFV file virtualization. There is no example of this event in this document.

Message #

A file was virtualized.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	File Name: %5
	Virtual File Name: %6

Process Information:
	Process ID: %7
	Process Name: %8

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that performed the operation.
`SubjectUserName` UnicodeString	The name of the account that performed the operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, 4624 An account was successfully logged on.
`FileName` UnicodeString	The name of a file or folder that the virtualized file name refers to.
`VirtualFileName` UnicodeString	Full path name with virtualized file name.
`ProcessId` Pointer	[Process Information] Process ID.
`ProcessName` UnicodeString	[Process Information] Process Name.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5051
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5051.yml

Event ID 5056: A cryptographic self test was performed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → System Integrity
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

A cryptographic self test was performed.

Message #

A cryptographic self test was performed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Module: %5

Return Code: %6

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`Module` UnicodeString	Module
`ReturnCode` HexInt32	Return Code

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5056
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity

Event ID 5057: A cryptographic primitive operation failed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → System Integrity
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

A cryptographic primitive operation failed.

Message #

A cryptographic primitive operation failed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Cryptographic Parameters:
	Provider Name: %5
	Algorithm Name: %6

Failure Information:
	Reason: %7
	Return Code: %8

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`ProviderName` UnicodeString	[Cryptographic Parameters] Provider Name
`AlgorithmName` UnicodeString	[Cryptographic Parameters] Algorithm Name
`Reason` UnicodeString	[Failure Information] Reason
`ReturnCode` HexInt32	[Failure Information] Return Code

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5057
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity

Event ID 5058: Key file operation.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

This event generates when an operation (read, write, delete, and so on) was performed on a file that contains a KSP key by using a Key Storage Provider.

Message #

Key file operation.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Cryptographic Parameters:
	Provider Name: %5
	Algorithm Name: %6
	Key Name: %7
	Key Type: %8

Key File Operation Information:
	File Path: %9
	Operation: %10
	Return Code: %11

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that requested key file operation.
`SubjectUserName` UnicodeString	The name of the account that requested key file operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`ClientProcessId` UInt32	[Process Information] Process ID.
`ClientCreationTime` FILETIME	[Process Information] Process Creation Time.
`ProviderName` UnicodeString	[Cryptographic Parameters] Provider Name.
`AlgorithmName` UnicodeString	The name of cryptographic algorithm through which the key was used or accessed.
`KeyName` UnicodeString	The name of the key (key container) with which operation was performed.	1 detection rule
`KeyType` UnicodeString	Can have one of the following values: "User key." - user's cryptographic key. "Machine key." - machine's cryptographic key. Known values `%%2499` Machine key `%%2500` User key
`KeyFilePath` UnicodeString	Full path and filename of the key file on which the operation was performed.
`Operation` UnicodeString	[Key File Operation Information] Operation. Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.	2 detection rules
`ReturnCode` HexInt32	[Key File Operation Information] Return Code.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5058,
    "version": 1,
    "level": 0,
    "task": 12292,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:33:58.4413971+00:00",
    "event_record_id": 1724258,
    "correlation": {},
    "execution": {
      "process_id": 812,
      "thread_id": 3340
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-19",
    "SubjectUserName": "LOCAL SERVICE",
    "SubjectDomainName": "NT AUTHORITY",
    "SubjectLogonId": "0x3e5",
    "ClientProcessId": "3608",
    "ClientCreationTime": "2026-05-29T16:33:58.2219741Z",
    "ProviderName": "Microsoft Software Key Storage Provider",
    "AlgorithmName": "UNKNOWN",
    "KeyName": "Microsoft Connected Devices Platform device certificate",
    "KeyType": "%%2500",
    "KeyFilePath": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\de7cf8a7901d2ad13e5c67c29e5d1662_8a99384c-f40f-46dc-9dc2-13adf38045d6",
    "Operation": "%%2458",
    "ReturnCode": "0x0"
  },
  "message": "Key file operation.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tLOCAL SERVICE\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E5\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t3608\r\n\tProcess Creation Time:\t‎2026‎-‎05‎-‎29T16:33:58.221974100Z\r\n\r\nCryptographic Parameters:\r\n\tProvider Name:\tMicrosoft Software Key Storage Provider\r\n\tAlgorithm Name:\tUNKNOWN\r\n\tKey Name:\tMicrosoft Connected Devices Platform device certificate\r\n\tKey Type:\tUser key.\r\n\r\nKey File Operation Information:\r\n\tFile Path:\tC:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\de7cf8a7901d2ad13e5c67c29e5d1662_8a99384c-f40f-46dc-9dc2-13adf38045d6\r\n\tOperation:\tRead persisted key from file.\r\n\tReturn Code:\t0x0"
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`@Name`	eq	`KeyName`	1 rule	kusto
`@Name`	eq	`SubjectUserName`	1 rule	kusto
`Computer`	contains	`<your ca machine name>`	1 rule	kusto
`EventData`	contains	`%%2499`	1 rule	kusto

Detection Rules #

Kusto # view in coverage

Certified Pre-Owned - backup of CA private key - rule 1 source medium: This query identifies someone that performs a read operation of they CA key from the file.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5058
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5058
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5058.yml

Event ID 5059: Key migration operation.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

This event generates when a cryptographic key is exported or imported using a Key Storage Provider.

Message #

Key migration operation.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Cryptographic Parameters:
	Provider Name: %5
	Algorithm Name: %6
	Key Name: %7
	Key Type: %8

Additional Information:
	Operation: %9
	Return Code: %10

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested key migration operation.
`SubjectUserName` UnicodeString	The name of the account that requested key migration operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`ClientProcessId` UInt32	[Process Information] Process ID.
`ClientCreationTime` FILETIME	[Process Information] Process Creation Time.
`ProviderName` UnicodeString	[Cryptographic Parameters] Provider Name.
`AlgorithmName` UnicodeString	The name of cryptographic algorithm through which the key was used or accessed.
`KeyName` UnicodeString	The name of the key (key container) with which operation was performed.
`KeyType` UnicodeString	Can have one of the following values: "User key." - user's cryptographic key. "Machine key." - machine's cryptographic key. Known values `%%2499` Machine key `%%2500` User key
`Operation` UnicodeString	[Additional Information] Operation. Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`ReturnCode` HexInt32	[Additional Information] Return Code.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5059,
    "version": 1,
    "level": 0,
    "task": 12292,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:33:58.4424696+00:00",
    "event_record_id": 1724260,
    "correlation": {},
    "execution": {
      "process_id": 812,
      "thread_id": 3340
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-19",
    "SubjectUserName": "LOCAL SERVICE",
    "SubjectDomainName": "NT AUTHORITY",
    "SubjectLogonId": "0x3e5",
    "ClientProcessId": "3608",
    "ClientCreationTime": "2026-05-29T16:33:58.2219741Z",
    "ProviderName": "Microsoft Software Key Storage Provider",
    "AlgorithmName": "ECDSA_P256",
    "KeyName": "Microsoft Connected Devices Platform device certificate",
    "KeyType": "%%2500",
    "Operation": "%%2464",
    "ReturnCode": "0x0"
  },
  "message": "Key migration operation.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tLOCAL SERVICE\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3E5\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t3608\r\n\tProcess Creation Time:\t‎2026‎-‎05‎-‎29T16:33:58.221974100Z\r\n\r\nCryptographic Parameters:\r\n\tProvider Name:\tMicrosoft Software Key Storage Provider\r\n\tAlgorithm Name:\tECDSA_P256\r\n\tKey Name:\tMicrosoft Connected Devices Platform device certificate\r\n\tKey Type:\tUser key.\r\n\r\nAdditional Information:\r\n\tOperation:\tExport of persistent cryptographic key.\r\n\tReturn Code:\t0x0"
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`@Name`	eq	`KeyName`	1 rule	kusto
`@Name`	eq	`SubjectUserName`	1 rule	kusto
`Computer`	contains	`<your ca machine name>`	1 rule	kusto
`EventData`	contains	`%%2499`	1 rule	kusto

Detection Rules #

Kusto # view in coverage

Certified Pre-Owned - backup of CA private key - rule 2 source medium: This query identifies someone that performs a backup of they CA key.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5059
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5059
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5059.yml

Event ID 5060: Verification operation failed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → System Integrity
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Verification operation failed.

Message #

Verification operation failed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Cryptographic Parameters:
	Provider Name: %5
	Algorithm Name: %6
	Key Name: %7
	Key Type: %8

Failure Information:
	Reason: %9
	Return Code: %10

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`ProviderName` UnicodeString	[Cryptographic Parameters] Provider Name
`AlgorithmName` UnicodeString	[Cryptographic Parameters] Algorithm Name
`KeyName` UnicodeString	[Cryptographic Parameters] Key Name
`KeyType` UnicodeString	[Cryptographic Parameters] Key Type Known values `%%2499` Machine key `%%2500` User key
`Reason` UnicodeString	[Failure Information] Reason
`ReturnCode` HexInt32	[Failure Information] Return Code

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5060
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity

Event ID 5061: Cryptographic operation.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → System Integrity
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates when a cryptographic operation (open key, create key, create key, and so on) was performed using a Key Storage Provider.

Message #

Cryptographic operation.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Cryptographic Parameters:
	Provider Name: %5
	Algorithm Name: %6
	Key Name: %7
	Key Type: %8

Cryptographic Operation:
	Operation: %9
	Return Code: %10

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested specific cryptographic operation.
`SubjectUserName` UnicodeString	The name of the account that requested specific cryptographic operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`ProviderName` UnicodeString	[Cryptographic Parameters] Provider Name.
`AlgorithmName` UnicodeString	The name of cryptographic algorithm through which the key was used or accessed.
`KeyName` UnicodeString	The name of the key (key container) with which operation was performed.
`KeyType` UnicodeString	Can have one of the following values: "User key." - user's cryptographic key. "Machine key." - machine's cryptographic key. Known values `%%2499` Machine key `%%2500` User key
`Operation` UnicodeString	[Cryptographic Operation] Operation. Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`ReturnCode` HexInt32	[Cryptographic Operation] Return Code.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5061,
    "version": 0,
    "level": 0,
    "task": 12290,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:49.1906527+00:00",
    "event_record_id": 2148882,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 6396
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-A$",
    "SubjectDomainName": "cell-a",
    "SubjectLogonId": "0x3e7",
    "ProviderName": "Microsoft Software Key Storage Provider",
    "AlgorithmName": "RSA",
    "KeyName": "tp-22ce7e87-6a77-4441-ba6b-fd53228e1f4d",
    "KeyType": "%%2499",
    "Operation": "%%2480",
    "ReturnCode": "0x0"
  },
  "message": "Cryptographic operation.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nCryptographic Parameters:\r\n\tProvider Name:\tMicrosoft Software Key Storage Provider\r\n\tAlgorithm Name:\tRSA\r\n\tKey Name:\ttp-22ce7e87-6a77-4441-ba6b-fd53228e1f4d\r\n\tKey Type:\tMachine key.\r\n\r\nCryptographic Operation:\r\n\tOperation:\tOpen Key.\r\n\tReturn Code:\t0x0"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5061
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5061
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5061.yml

Event ID 5062: A kernel-mode cryptographic self test was performed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → System Integrity
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

A kernel-mode cryptographic self test was performed.

Message #

A kernel-mode cryptographic self test was performed.

Module: %1

Return Code: %2

Fields #

Name	Description
`Module` UnicodeString	Module
`ReturnCode` UInt32	Return Code

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5062
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity

Event ID 5063: A cryptographic provider operation was attempted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Other Policy Change Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A cryptographic provider operation was attempted.

Message #

A cryptographic provider operation was attempted.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Cryptographic Provider:
	Name: %5
	Module: %6

Operation: %7

Return Code: %8

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` UInt64	[Subject] Logon ID
`ProviderName` UnicodeString	[Cryptographic Provider] Name
`ModuleName` UnicodeString	[Cryptographic Provider] Module
`Operation` UnicodeString	Operation Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`ReturnCode` UInt32	Return Code

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5063
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events

Event ID 5064: A cryptographic context operation was attempted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Other Policy Change Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A cryptographic context operation was attempted.

Message #

A cryptographic context operation was attempted.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Configuration Parameters:
	Scope: %5
	Context: %6

Operation: %7

Return Code: %8

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` UInt64	[Subject] Logon ID
`Scope` UnicodeString	[Configuration Parameters] Scope
`ContextName` UnicodeString	[Configuration Parameters] Context
`Operation` UnicodeString	Operation Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`ReturnCode` UInt32	Return Code

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5064
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events

Event ID 5065: A cryptographic context modification was attempted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Other Policy Change Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A cryptographic context modification was attempted.

Message #

A cryptographic context modification was attempted.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Configuration Parameters:
	Scope: %5
	Context: %6

Change Information:
	Old Value: %7
	New Value: %8

Return Code: %9

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` UInt64	[Subject] Logon ID
`Scope` UnicodeString	[Configuration Parameters] Scope
`ContextName` UnicodeString	[Configuration Parameters] Context
`OldValue` UInt32	[Change Information] Old Value
`NewValue` UInt32	[Change Information] New Value
`ReturnCode` UInt32	Return Code

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5065
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events

Event ID 5066: A cryptographic function operation was attempted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Other Policy Change Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A cryptographic function operation was attempted.

Message #

A cryptographic function operation was attempted.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Configuration Parameters:
	Scope: %5
	Context: %6
	Interface: %7
	Function: %8
	Position: %9

Operation: %10

Return Code: %11

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` UInt64	[Subject] Logon ID
`Scope` UnicodeString	[Configuration Parameters] Scope
`ContextName` UnicodeString	[Configuration Parameters] Context
`InterfaceId` UnicodeString	[Configuration Parameters] Interface
`FunctionName` UnicodeString	[Configuration Parameters] Function
`Position` UInt32	[Configuration Parameters] Position
`Operation` UnicodeString	Operation Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`ReturnCode` UInt32	Return Code

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5066
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events

Event ID 5067: A cryptographic function modification was attempted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Other Policy Change Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A cryptographic function modification was attempted.

Message #

A cryptographic function modification was attempted.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Configuration Parameters:
	Scope: %5
	Context: %6
	Interface: %7
	Function: %8

Change Information:
	Old Value: %9
	New Value: %10

Return Code: %11

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` UInt64	[Subject] Logon ID
`Scope` UnicodeString	[Configuration Parameters] Scope
`ContextName` UnicodeString	[Configuration Parameters] Context
`InterfaceId` UnicodeString	[Configuration Parameters] Interface
`FunctionName` UnicodeString	[Configuration Parameters] Function
`OldValue` UInt32	[Change Information] Old Value
`NewValue` UInt32	[Change Information] New Value
`ReturnCode` UInt32	Return Code

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5067
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events

Event ID 5068: A cryptographic function provider operation was attempted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Other Policy Change Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A cryptographic function provider operation was attempted.

Message #

A cryptographic function provider operation was attempted.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Configuration Parameters:
	Scope: %5
	Context: %6
	Interface: %7
	Function: %8
	Provider: %9
	Position: %10

Operation: %11

Return Code: %12

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` UInt64	[Subject] Logon ID
`Scope` UnicodeString	[Configuration Parameters] Scope
`ContextName` UnicodeString	[Configuration Parameters] Context
`InterfaceId` UnicodeString	[Configuration Parameters] Interface
`FunctionName` UnicodeString	[Configuration Parameters] Function
`ProviderName` UnicodeString	[Configuration Parameters] Provider
`Position` UInt32	[Configuration Parameters] Position
`Operation` UnicodeString	Operation Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`ReturnCode` UInt32	Return Code

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5068
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events

Event ID 5069: A cryptographic function property operation was attempted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Other Policy Change Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A cryptographic function property operation was attempted.

Message #

A cryptographic function property operation was attempted.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Configuration Parameters:
	Scope: %5
	Context: %6
	Interface: %7
	Function: %8
	Property: %9

Operation: %10

Value: %11

Return Code: %12

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` UInt64	[Subject] Logon ID
`Scope` UnicodeString	[Configuration Parameters] Scope
`ContextName` UnicodeString	[Configuration Parameters] Context
`InterfaceId` UnicodeString	[Configuration Parameters] Interface
`FunctionName` UnicodeString	[Configuration Parameters] Function
`PropertyName` UnicodeString	[Configuration Parameters] Property
`Operation` UnicodeString	Operation Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`Value` UnicodeString	Value
`ReturnCode` UInt32	Return Code

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5069
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events

Event ID 5070: A cryptographic function property modification was attempted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Other Policy Change Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A cryptographic function property modification was attempted.

Message #

A cryptographic function property modification was attempted.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Configuration Parameters:
	Scope: %5
	Context: %6
	Interface: %7
	Function: %8
	Property: %9

Change Information:
	Old Value: %10
	New Value: %11

Return Code: %12

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` UInt64	[Subject] Logon ID
`Scope` UnicodeString	[Configuration Parameters] Scope
`ContextName` UnicodeString	[Configuration Parameters] Context
`InterfaceId` UnicodeString	[Configuration Parameters] Interface
`FunctionName` UnicodeString	[Configuration Parameters] Function
`PropertyName` UnicodeString	[Configuration Parameters] Property
`OldValue` UnicodeString	[Change Information] Old Value
`NewValue` UnicodeString	[Change Information] New Value
`ReturnCode` UInt32	Return Code

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5070
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events

Event ID 5071: Key access denied by Microsoft key distribution service.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Opcode: Info

Description

Key access denied by Microsoft key distribution service.

Message #

Key access denied by Microsoft key distribution service.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Security Descriptor: %5

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`SecurityDescriptor` UnicodeString	Security Descriptor

Event ID 5120: OCSP Responder Service Started.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

OCSP Responder Service Started.

Message #

OCSP Responder Service Started.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5120,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2020-07-11T09:20:46.158376Z",
    "event_record_id": 1207920,
    "correlation": {
      "#attributes": {
        "ActivityID": "2FEE2C3A-4F79-0001-502C-EE2F794FD601"
      }
    },
    "execution": {
      "process_id": 576,
      "thread_id": 3212
    },
    "channel": "Security",
    "computer": "pki01.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {}
}

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 5121: OCSP Responder Service Stopped.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

OCSP Responder Service Stopped.

Message #

OCSP Responder Service Stopped.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5121,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2020-07-11T09:20:43.401378Z",
    "event_record_id": 1207901,
    "correlation": {
      "#attributes": {
        "ActivityID": "2FEE2C3A-4F79-0001-502C-EE2F794FD601"
      }
    },
    "execution": {
      "process_id": 576,
      "thread_id": 3212
    },
    "channel": "Security",
    "computer": "pki01.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {}
}

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 5122: A Configuration entry changed in the OCSP Responder Service.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

A Configuration entry changed in the OCSP Responder Service.

Message #

A Configuration entry changed in the OCSP Responder Service.

CA Configuration ID: %1
New Value: %2

Fields #

Name	Description
`CAConfigurationId` UnicodeString	CA Configuration ID
`NewValue` UnicodeString	New Value
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5122

Event ID 5123: A configuration entry changed in the OCSP Responder Service.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

A configuration entry changed in the OCSP Responder Service.

Message #

A configuration entry changed in the OCSP Responder Service.

Property Name: %1
New Value: %2

Fields #

Name	Description	Rules
`PropertyName` UnicodeString	Property Name	1 detection rule
`NewValue` UnicodeString	New Value
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5123,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2020-07-11T09:21:24.702958Z",
    "event_record_id": 1207931,
    "correlation": {
      "#attributes": {
        "ActivityID": "2FEE2C3A-4F79-0001-502C-EE2F794FD601"
      }
    },
    "execution": {
      "process_id": 576,
      "thread_id": 3544
    },
    "channel": "Security",
    "computer": "pki01.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PropertyName": "MaxNumOfCacheEntries",
    "NewValue": "5000",
    "SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
    "SubjectUserName": "admmig",
    "SubjectDomainName": "OFFSEC",
    "SubjectLogonId": "0x477ac56"
  }
}

Detection Rules #

Sigma # view in coverage

OCSP responder auditing settings changed or disabled source high: Detects scenarios where an attacker would attempt to alter or disable OCSP responder auditing settings to evade detection and perform further escalation via ADCS vulnerabilities.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5123
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 5124: A security setting was updated on OCSP Responder Service.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

A security setting was updated on OCSP Responder Service.

Message #

A security setting was updated on OCSP Responder Service.

New Value: %1

Fields #

Name	Description
`NewSecuritySettings` UnicodeString	New Value
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5124,
    "version": 0,
    "level": 0,
    "task": 12805,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2020-07-11T09:21:50.109681Z",
    "event_record_id": 1207947,
    "correlation": {
      "#attributes": {
        "ActivityID": "2FEE2C3A-4F79-0001-502C-EE2F794FD601"
      }
    },
    "execution": {
      "process_id": 576,
      "thread_id": 3544
    },
    "channel": "Security",
    "computer": "pki01.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "NewSecuritySettings": "\nAllow(0x00000101)\tBUILTIN\\Administrators\n\tOCSP Administrator\n\tRead\nAllow(0x00000300)\tIIS APPPOOL\\OCSPISAPIAppPool\n\tRead\n\tOCSP Requestor\n",
    "SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
    "SubjectUserName": "admmig",
    "SubjectDomainName": "OFFSEC",
    "SubjectLogonId": "0x477ac56"
  }
}

Detection Rules #

Security-Auditing Event ID 5136: A directory service object was modified.OREvent ID 5137: A directory service object was created.

Sigma # view in coverage

OCSP responder security settings changed source high: Detects scenarios where an attacker would attempt to escalate privileges by changing the security settings of the responder.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5124
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 5125: A request was submitted to OCSP Responder Service.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A request was submitted to OCSP Responder Service.

Message #

A request was submitted to OCSP Responder Service.

Fields #

Name	Description
`SerialNumber` UnicodeString	Certificate Serial Number
`CAName` UnicodeString	Issuer CA Name
`Status` UnicodeString	Revocation Status NTSTATUS reference
`SubjectUserSid` SID	SID of the account that performed the operation.
`SubjectUserName` UnicodeString	Account name of the subject.
`SubjectDomainName` UnicodeString	Domain or machine name of the subject account.
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).

Event ID 5126: Signing Certificate was automatically updated by the OCSP Responder Service.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

Signing Certificate was automatically updated by the OCSP Responder Service.

Message #

Signing Certificate was automatically updated by the OCSP Responder Service.

CA Configuration ID: %1
New Signing Certificate Hash: %2

Fields #

Name	Description
`CAConfigurationId` UnicodeString	CA Configuration ID
`NewSigningCertificateHash` UnicodeString	New Signing Certificate Hash

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5126

Event ID 5127: The OCSP Revocation Provider successfully updated the revocation information.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

The OCSP Revocation Provider successfully updated the revocation information.

Message #

The OCSP Revocation Provider successfully updated the revocation information.

CA Configuration ID: %1
Base CRL Number: %2
Base CRL This Update: %3
Base CRL Hash: %4
Delta CRL Number: %5
Delta CRL Indicator: %6
Delta CRL This Update: %7
Delta CRL Hash: %8

Fields #

Name	Description
`CAConfigurationId` UnicodeString	CA Configuration ID
`BaseCRLNumber` UnicodeString	Base CRL Number
`BaseCRLThisUpdate` UnicodeString	Base CRL This Update
`BaseCRLHash` UnicodeString	Base CRL Hash
`DeltaCRLNumber` UnicodeString	Delta CRL Number
`DeltaCRLIndicator` UnicodeString	Delta CRL Indicator
`DeltaCRLThisUpdate` UnicodeString	Delta CRL This Update
`DeltaCRLHash` UnicodeString	Delta CRL Hash

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5127

Event ID 5136: A directory service object was modified.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Directory Service Changes
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

This event generates every time an Active Directory object is modified.

Message #

A directory service object was modified.
	
Subject:
	Security ID: %3
	Account Name: %4
	Account Domain: %5
	Logon ID: %6

Directory Service:
	Name: %7
	Type: %8
	
Object:
	DN: %9
	GUID: %10
	Class: %11
	
Attribute:
	LDAP Display Name: %12
	Syntax (OID): %13
	Value: %14
	
Operation:
	Type: %15
	Correlation ID: %1
	Application Correlation ID: %2

Fields #

Name	Description	Rules
`OpCorrelationID` GUID	Multiple modifications are often executed as one operation via LDAP.
`AppCorrelationID` UnicodeString	[Operation] Application Correlation ID.
`SubjectUserSid` SID	SID of account that requested the "modify object" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "modify object" operation.	8 detection rules
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`DSName` UnicodeString	The name of the Active Directory domain where the modified object is located.
`DSType` UnicodeString	Has "Active Directory Domain Services" value for this event. Known values `%%14676` Active Directory Domain Services `%%14677` Active Directory Lightweight Directory Services	1 detection rule
`ObjectDN` UnicodeString	Distinguished name of the object that was modified.	10 detection rules
`ObjectGUID` GUID	Each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world.	4 detection rules
`ObjectClass` UnicodeString	Class of the object that was modified.	39 detection rules
`AttributeLDAPDisplayName` UnicodeString	[Attribute] LDAP Display Name.	46 detection rules
`AttributeSyntaxOID` UnicodeString	The syntax for an attribute defines the storage representation, byte ordering, and matching rules for comparisons of property types.
`AttributeValue` UnicodeString	The value which was added or deleted, depending on the Operation\Type field.	27 detection rules
`OperationType` UnicodeString	[Operation] Type. Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time	43 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5136,
    "version": 0,
    "level": 0,
    "task": 14081,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2019-03-25T10:33:56.457629Z",
    "event_record_id": 198238043,
    "correlation": {},
    "execution": {
      "process_id": 444,
      "thread_id": 3488
    },
    "channel": "Security",
    "computer": "DC1.insecurebank.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "OpCorrelationID": "780EA6E1-6307-48D6-8B0D-8C45CC7534AE",
    "AppCorrelationID": "-",
    "SubjectUserSid": "S-1-5-21-738609754-2819869699-4189121830-1108",
    "SubjectUserName": "bob",
    "SubjectDomainName": "insecurebank",
    "SubjectLogonId": "0x8d7099",
    "DSName": "insecurebank.local",
    "DSType": "%%14676",
    "ObjectDN": "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=INSECUREBANK,DC=LOCAL",
    "ObjectGUID": "6CDECDB5-7515-4511-8141-C34A7C3D4A0A",
    "ObjectClass": "groupPolicyContainer",
    "AttributeLDAPDisplayName": "versionNumber",
    "AttributeSyntaxOID": "2.5.5.9",
    "AttributeValue": "5",
    "OperationType": "%%14675"
  }
}

Detection Patterns #

5 rules

Sigma

Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation (source)

Swachchhanda Shrawan Poudel (Nextron Systems)

Splunk

Mauricio Velazco

Raven Tait, Splunk

Security-Auditing Event ID 5136: A directory service object was modified.OREvent ID 5145: A network share object was checked to see whether client can be granted desired access.

Execution At Scale

3 rules

Sigma

Persistence and Execution at Scale via GPO Scheduled Task (source)

Samir Bousseaden

Startup/Logon Script Added to Group Policy Object (source)

Elastic, Josh Nickels, Marius Rothenbücher

Elastic

Scheduled Task Execution at Scale via GPO (source)

Elastic

Kerberos Coercion

Security-Auditing Event ID 4662: An operation was performed on an object.OREvent ID 5136: A directory service object was modified.OREvent ID 5137: A directory service object was created.

3 rules

Sigma

Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation (source)

Swachchhanda Shrawan Poudel (Nextron Systems)

Splunk

Windows Short Lived DNS Record (source)

Raven Tait, Splunk

Raven Tait, Splunk

Security-Auditing Event ID 4624: An account was successfully logged on.ANDEvent ID 5136: A directory service object was modified.

2 rules

Splunk

Windows AD Short Lived Domain Controller SPN Attribute (source)

Dean Luxton

Windows AD Suspicious Attribute Modification (source)

Dean Luxton

Persistence: Account Manipulation

Security-Auditing Event ID 4738: A user account was changed.OREvent ID 5136: A directory service object was modified.

2 rules

Sigma

Active Directory User Backdoors (source)

@neu5ron

Elastic

Account Configured with Never-Expiring Password (source)

Elastic

Show All Detection Patterns

Group Policy

Security-Auditing Event ID 5136: A directory service object was modified.OREvent ID 5137: A directory service object was created.OREvent ID 5138: A directory service object was undeleted.OREvent ID 5139: A directory service object was moved.OREvent ID 5141: A directory service object was deleted.

2 rules

Splunk

Mauricio Velazco

Security-Auditing Event ID 4742: A computer account was changed.OREvent ID 5136: A directory service object was modified.

Defense Impairment: Rogue Domain Controller

1 rule

Sigma

Possible DC Shadow Attack (source)

Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`OperationType`	eq	`%%14674`	17 rules	elastic, sigma, splunk
`AttributeLDAPDisplayName`	eq	`serviceprincipalname`	9 rules	elastic, kusto, sigma, splunk
`AttributeLDAPDisplayName`	eq	`gpcmachineextensionnames`	7 rules	elastic, sigma, splunk
`AttributeLDAPDisplayName`	eq	`ntsecuritydescriptor`	7 rules	elastic, sigma
`AttributeLDAPDisplayName`	eq	`gpcuserextensionnames`	4 rules	elastic, sigma
`AttributeLDAPDisplayName`	eq	`msds-allowedtoactonbehalfofotheridentity`	3 rules	kusto, sigma
`ObjectClass`	eq	`groupPolicyContainer`	6 rules	sigma, splunk
`ObjectClass`	eq	`user`	6 rules	elastic, kusto, sigma, splunk
`ObjectClass`	eq	`domainDNS`	4 rules	splunk
`ObjectClass`	eq	`dnsNode`	3 rules	elastic, sigma, splunk
`AccessList`	contains	`%%4417`	4 rules	elastic, sigma, splunk
`aceAccessRights`	in	`Full control`	4 rules	splunk
`aceAccessRights`	in	`All extended rights`	3 rules	splunk
`aceAccessRights`	in	`All validated writes`	3 rules	splunk
`aceAccessRights`	in	`CC`	3 rules	splunk

Community Notes #

May indicate high-impact changes in AD, like adding SID history or malicious GPOs. Attribute change to msDS-AllowedToActOnBehalfOfOtherIdentity is usually suspicious and indicates a Kerberos relay attack.

Detection Rules #

Security-Auditing Event ID 5136: A directory service object was modified.OREvent ID 5137: A directory service object was created.

Sigma # view in coverage

Powerview Add-DomainObjectAcl DCSync AD Extend Right source high: Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
Windows Default Domain GPO Modification source medium: Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
Group Policy Abuse for Privilege Addition source medium: Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.

Show 12 more (15 total)

Suspicious LDAP-Attributes Used source high: Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
Possible Shadow Credentials Added source high: Detects possible addition of shadow credentials to an active directory object.
Permissions changed on a Group Policy (GPO) source medium: Detects scenarios where an attacker will attempt to take control over a group policy.
Suspicious modification of a sensitive Group Policy (GPO) source medium: Detects scenarios where an attacker will attempt to take control over a group policy.
AdminSDHolder permissions changed for persistence source high: Detects scenarios where an attacker changes permissions on the AdminSDHolder container to establish persistence.
Computer account modifying Active Directory permissions source high: Detects scenarios where an attacker compromise a server with high privileges to perform permissions changes. Note that a dedicated rule for Exchange exists.
Computer account manipulation for delegation (RBCD) source high: Detects scenarios where an attacker manipulate a computer object and updates its attribute 'msDS-AllowedToActOnBehalfOfOtherIdentity' to enable a resource to impersonate and authenticate any domain user.
Extended rights backdoor obfuscation (via localizationDisplayId attribute) source high: Detects scenarios where an attacker modifies the "configuration" partition in order to obfuscate sneaky changes that will allow him to introduce a stealthy AdminSDholder backdoor.
Replication privileges granted to perform DCSync attack source high: Detects scenarios where an attacker grants replication privilege to an account to exflitrate Active Directory credentials
Suspicious modification of a fake domain controller SPN (DCshadow) (Directory Services) source high: Detects scenarios where an attacker update the Service Principal Name (SPN) of a computer account in order to perform "Kerberos redirection" and escalate privileges.
Suspicious modification of a user account SPN to enable Kerberoast attack source high: Detects scenarios where an attacker update the Service Principal Name (SPN) of a user account in order to enable Kerberoast attack and crack its password.
Computer account modifying Active Directory permissions (PrivExchange) source high: Detects scenarios where an attacker compromise a server with high privileges to perform permissions changes. PrivExchange attack can be detected using this rule.

Elastic # view in coverage

Potential Active Directory Replication Account Backdoor source medium: Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer.
Potential Shadow Credentials added to AD Object source high: Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.
User account exposed to Kerberoasting source medium: Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.

Show 4 more (7 total)

AdminSDHolder Backdoor source high: Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.
AdminSDHolder SDProp Exclusion Added source high: Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.
Delegated Managed Service Account Modification by an Unusual User source high: Detects modifications to the msDS-ManagedAccountPrecededByLink attribute of a delegated managed service account by an unusual subject account. Attackers can abuse this attribute to inherit a target account's permissions and further elevate privileges.
Modification of the msPKIAccountCredentials source medium: Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.

Splunk # view in coverage

Windows AD AdminSDHolder ACL Modified source: The following analytic detects modifications to the Access Control List (ACL) of the AdminSDHolder object in a Windows domain, specifically the addition of new rules. It leverages EventCode 5136 from the Security Event Log, focusing on…
Windows AD Dangerous Deny ACL Modification source: This detection identifies an Active Directory access-control list (ACL) modification event, which applies permissions that deny the ability to enumerate permissions of the object.
Windows AD Dangerous Group ACL Modification source: This detection monitors the addition of the following ACLs to an Active Directory group object: "Full control", "All extended rights", "All validated writes", "Create all child objects", "Delete all child objects", "Delete subtree",…

Show 15 more (18 total)

Windows AD Dangerous User ACL Modification source: This detection monitors the addition of the following ACLs to an Active Directory user object: "Full control","All extended rights","All validated writes", "Create all child objects","Delete all child objects","Delete…
Windows AD DCShadow Privileges ACL Addition source: This detection identifies an Active Directory access-control list (ACL) modification event, which applies the minimum required extended rights to perform the DCShadow attack.
Windows AD Domain Replication ACL Addition source: The following analytic detects the addition of permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set. It leverages EventCode 5136…
Windows AD Domain Root ACL Deletion source: ACL deletion performed on the domain root object, significant AD change with high impact. Following MS guidance all changes at this level should be reviewed. Drill into the logonID within EventCode 4624 for information on the source device…
Windows AD Domain Root ACL Modification source: ACL modification performed on the domain root object, significant AD change with high impact. Following MS guidance all changes at this level should be reviewed. Drill into the logonID within EventCode 4624 for information on the source…
Windows AD GPO Deleted source: This detection identifies when an Active Directory Group Policy is deleted using the Group Policy Management Console.
Windows AD GPO Disabled source: This detection identifies when an Active Directory Group Policy is disabled using the Group Policy Management Console.
Windows AD GPO New CSE Addition source: This detection identifies when a a new client side extension is added to an Active Directory Group Policy using the Group Policy Management Console.
Windows AD Hidden OU Creation source: This analytic is looking for when an ACL is applied to an OU which denies listing the objects residing in the OU. This activity combined with modifying the owner of the OU will hide AD objects even from domain administrators.
Windows AD Object Owner Updated source: AD Object Owner Updated. The owner provides Full control level privileges over the target AD Object. This event has significant impact alone and is also a precursor activity for hiding an AD object.
Windows AD Self DACL Assignment source: Detect when a user creates a new DACL in AD for their own AD object.
Windows AD ServicePrincipalName Added To Domain Account source: The following analytic detects the addition of a Service Principal Name (SPN) to a domain account. It leverages Windows Event Code 5136 and monitors changes to the servicePrincipalName attribute. This activity is significant because it may…
Windows AD Short Lived Domain Account ServicePrincipalName source: The following analytic identifies the addition and quick deletion of a Service Principal Name (SPN) to a domain account within 5 minutes. This detection leverages EventCode 5136 from the Windows Security Event Log, focusing on changes to…
Windows AD SID History Attribute Modified source: The following analytic detects modifications to the SID History attribute in Active Directory by leveraging event code 5136. This detection uses logs from the wineventlog_security data source to identify changes to the sIDHistory…
Windows Default Group Policy Object Modified source: The following analytic detects modifications to default Group Policy Objects (GPOs) using Event ID 5136. It monitors changes to the Default Domain Controllers Policy and Default Domain Policy, which are critical for enforcing security…

Kusto # view in coverage

AdminSDHolder Modifications source high: This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. AdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory. This query searches for the event id 5136 where the Object DN is AdminSDHolder. Ref: https://netwrix.com/en/cybersecurity-glossary/cyber-security-attacks/adminsdholder-attack/
Possible Resource-Based Constrained Delegation Abuse source medium: This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. This query checks for event id 5136 that the Object Class field is "computer" and the LDAP Display Name is "msDS-AllowedToActOnBehalfOfOtherIdentity" which is an indicator of Resource-based constrained delegation. Ref: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
Service Principal Name (SPN) Assigned to User Account source medium: This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. This query checks for event id 5136, that the Object Class field is "user" and the LDAP Display Name is "servicePrincipalName". Ref: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf

Show 2 more (5 total)

Exchange OAB Virtual Directory Attribute Containing Potential Webshell source high: This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065. This query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services where the new objects contain potential webshell objects.
Shadow Credentials Added to Account source: This query searches for modifications to the 'msDS-KeyCredentialLink' property in Active Directory, introduced in Windows Server 2016. There are two different events which contain information to detect such changes 5136 and 4662. This detection uses the 5136, which is the preferred event to use.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5136
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5136.yml

Event ID 5137: A directory service object was created.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Directory Service Changes
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

This event generates every time an Active Directory object is created.

Message #

A directory service object was created.
	
Subject:
	Security ID: %3
	Account Name: %4
	Account Domain: %5
	Logon ID: %6
	
Directory Service:
	Name: %7
	Type: %8
	
Object:
	DN: %9
	GUID: %10
	Class: %11
	
Operation:
	Correlation ID: %1
	Application Correlation ID: %2

Fields #

Name	Description	Rules
`OpCorrelationID` GUID	Multiple modifications are often executed as one operation via LDAP.
`AppCorrelationID` UnicodeString	[Operation] Application Correlation ID.
`SubjectUserSid` SID	SID of account that requested the "create object" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "create object" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`DSName` UnicodeString	The name of an Active Directory domain, where new object is created.
`DSType` UnicodeString	Has "Active Directory Domain Services" value for this event. Known values `%%14676` Active Directory Domain Services `%%14677` Active Directory Lightweight Directory Services
`ObjectDN` UnicodeString	Distinguished name of the object that was created.	2 detection rules
`ObjectGUID` GUID	Each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world.
`ObjectClass` UnicodeString	Class of the object that was created.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5137,
    "version": 0,
    "level": 0,
    "task": 14081,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2021-04-27T11:04:13.291038Z",
    "event_record_id": 138520223,
    "correlation": {
      "#attributes": {
        "ActivityID": "9816F041-2BBE-0000-53F0-1698BE2BD701"
      }
    },
    "execution": {
      "process_id": 548,
      "thread_id": 4324
    },
    "channel": "Security",
    "computer": "rootdc1.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "OpCorrelationID": "B960A203-A3DF-4586-A2ED-740024D6C42A",
    "AppCorrelationID": "-",
    "SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
    "SubjectUserName": "admmig",
    "SubjectDomainName": "OFFSEC",
    "SubjectLogonId": "0x31a24611",
    "DSName": "offsec.lan",
    "DSType": "%%14676",
    "ObjectDN": "CN=JUMP01,CN=Servers,CN=OFFSEC-PREMISE,CN=Sites,CN=Configuration,DC=offsec,DC=lan",
    "ObjectGUID": "590B1EF4-6143-4C18-B554-1EE0A59BB7F8",
    "ObjectClass": "server"
  }
}

Detection Patterns #

5 rules

Sigma

Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation (source)

Swachchhanda Shrawan Poudel (Nextron Systems)

Splunk

Mauricio Velazco

Raven Tait, Splunk

Security-Auditing Event ID 4662: An operation was performed on an object.OREvent ID 5136: A directory service object was modified.OREvent ID 5137: A directory service object was created.

Kerberos Coercion Via DNS

4 rules

Sigma

Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation (source)

Swachchhanda Shrawan Poudel (Nextron Systems)

Elastic

Potential Kerberos Coercion via DNS-Based SPN Spoofing (source)

Elastic

Splunk

Windows Short Lived DNS Record (source)

Raven Tait, Splunk

Raven Tait, Splunk

Kerberos Coercion Via DNS

Security-Auditing Event ID 4662: An operation was performed on an object.OREvent ID 5137: A directory service object was created.

3 rules

Sigma

Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation (source)

Swachchhanda Shrawan Poudel (Nextron Systems)

Elastic

Potential Kerberos Coercion via DNS-Based SPN Spoofing (source)

Elastic

Splunk

Raven Tait, Splunk

Group Policy

2 rules

Splunk

Mauricio Velazco

Security-Auditing Event ID 5137: A directory service object was created.→Event ID 5141: A directory service object was deleted.

Defense Impairment: Rogue Domain Controller

1 rule

Splunk

Windows AD Short Lived Server Object (source)

Mauricio Velazco, Splunk

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`ObjectClass`	eq	`dnsNode`	4 rules	elastic, sigma, splunk
`ObjectClass`	eq	`groupPolicyContainer`	1 rule	sigma, splunk
`short_lived`	eq	`TRUE`	1 rule	splunk

Community Notes #

May indicate high-impact changes in AD.

Detection Rules #

Elastic # view in coverage

Potential ADIDNS Poisoning via Wildcard Record Creation source high: Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic for names that do not explicitly match records in the zone, positioning themselves as an adversary-in-the-middle and enabling credential interception or relay through ADIDNS manipulation similar in outcome to LLMNR/NBNS spoofing.
Potential WPAD Spoofing via DNS Record Creation source medium: Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the Global Query Block List (GQBL) and create a "wpad" record to exploit hosts running WPAD with default settings for privilege escalation and lateral movement.
Creation of a DNS-Named Record source low: Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target systems that are requested from multiple systems. They can also create specific records to target specific services, such as wpad, for spoofing attacks.

Show 1 more (4 total)

dMSA Account Creation by an Unusual User source high: Detects creation of a delegated Managed Service Account by an unusual subject account. Attackers can abuse weak child-object or msDS-DelegatedManagedServiceAccount rights during account migration to elevate privileges.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5137
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5137.yml

Event ID 5138: A directory service object was undeleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Directory Service Changes
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

This event generates every time an Active Directory object is undeleted. It happens, for example, when an Active Directory object was restored from the Active Directory Recycle Bin.

Message #

A directory service object was undeleted.
	
Subject:
	Security ID: %3
	Account Name: %4
	Account Domain: %5
	Logon ID: %6
	
Directory Service:
	Name: %7
	Type: %8
	
Object:
	Old DN: %9
	New DN: %10
	GUID: %11
	Class: %12
	
Operation:
	Correlation ID: %1
	Application Correlation ID: %2

Fields #

Name	Description
`OpCorrelationID` GUID	Multiple modifications are often executed as one operation via LDAP.
`AppCorrelationID` UnicodeString	[Operation] Application Correlation ID.
`SubjectUserSid` SID	SID of account that requested that the object be undeleted or restored.
`SubjectUserName` UnicodeString	Name of account that requested that the object be undeleted or restored.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`DSName` UnicodeString	The name of an Active Directory domain, where the object was undeleted.
`DSType` UnicodeString	Has "Active Directory Domain Services" value for this event. Known values `%%14676` Active Directory Domain Services `%%14677` Active Directory Lightweight Directory Services
`OldObjectDN` UnicodeString	Old distinguished name of undeleted object.
`NewObjectDN` UnicodeString	New distinguished name of undeleted object.
`ObjectGUID` GUID	Each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world.
`ObjectClass` UnicodeString	Class of the object that was undeleted.

Detection Patterns #

Defense Impairment: Group Policy Modification

1 rule

Splunk

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5138
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5138.yml

Event ID 5139: A directory service object was moved.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Directory Service Changes
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

This event generates every time an Active Directory object is moved.

Message #

A directory service object was moved.
	
Subject:
	Security ID: %3
	Account Name: %4
	Account Domain: %5
	Logon ID: %6
	
Directory Service:
	Name: %7
	Type: %8
	
Object:
	Old DN: %9
	New DN: %10
	GUID: %11
	Class: %12
	
Operation:
	Correlation ID: %1
	Application Correlation ID: %2

Fields #

Name	Description
`OpCorrelationID` GUID	Multiple modifications are often executed as one operation via LDAP.
`AppCorrelationID` UnicodeString	[Operation] Application Correlation ID.
`SubjectUserSid` SID	SID of account that requested the "move object" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "move object" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`DSName` UnicodeString	The name of an Active Directory domain, where the object was moved.
`DSType` UnicodeString	Has "Active Directory Domain Services" value for this event. Known values `%%14676` Active Directory Domain Services `%%14677` Active Directory Lightweight Directory Services
`OldObjectDN` UnicodeString	Old distinguished name of moved object.
`NewObjectDN` UnicodeString	New distinguished name of moved object.
`ObjectGUID` GUID	Each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but.
`ObjectClass` UnicodeString	Class of the object that was moved.

Detection Patterns #

Defense Impairment: Group Policy Modification

1 rule

Splunk

Security-Auditing Event ID 5140: A network share object was accessed.OREvent ID 5145: A network share object was checked to see whether client can be granted desired access.

Community Notes #

May indicate high-impact changes in AD.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5139.yml

Event ID 5140: A network share object was accessed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → File Share
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

This event generates every time network share object was accessed.

Message #

A network share object was accessed.
	
Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Network Information:	
	Source Address: %5
	Source Port: %6
	
Share Name: %7

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that requested access to network share object.	2 detection rules
`SubjectUserName` UnicodeString	The name of the account that requested access to network share object.	8 detection rules
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`ObjectType` UnicodeString	The type of an object that was accessed during the operation. Always "File" for this event.
`IpAddress` UnicodeString	[Network Information] Source Address.	2 detection rules
`IpPort` UnicodeString	Source TCP or UDP port which was used from remote or local machine to request the access.
`ShareName` UnicodeString	[Share Information] Share Name.	12 detection rules
`ShareLocalPath` UnicodeString	The full system (NTFS) path for accessed share. The format is: \??\PATH.	1 detection rule
`AccessMask` HexInt32	The sum of hexadecimal values of requested access rights. See "Table 13. File access codes." Access mask reference Bitmask flags `0x80000000` GENERIC_READ `0x40000000` GENERIC_WRITE `0x20000000` GENERIC_EXECUTE `0x10000000` GENERIC_ALL `0x02000000` MAXIMUM_ALLOWED `0x01000000` ACCESS_SYSTEM_SECURITY `0x00100000` SYNCHRONIZE `0x00080000` WRITE_OWNER `0x00040000` WRITE_DAC `0x00020000` READ_CONTROL `0x00010000` DELETE `0x00000001` FILE_READ_DATA / FILE_LIST_DIRECTORY (file/dir); KEY_QUERY_VALUE (registry); ACTRL_DS_CREATE_CHILD (AD DS); SERVICE_QUERY_CONFIG (service) `0x00000002` FILE_WRITE_DATA / FILE_ADD_FILE (file/dir); KEY_SET_VALUE (registry); ACTRL_DS_DELETE_CHILD (AD DS); SERVICE_CHANGE_CONFIG (service) `0x00000004` FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY (file/dir); KEY_CREATE_SUB_KEY (registry); ACTRL_DS_LIST / DS_LIST_CONTENTS (AD DS); SERVICE_QUERY_STATUS (service) `0x00000008` FILE_READ_EA (file/dir); KEY_ENUMERATE_SUB_KEYS (registry); ACTRL_DS_SELF / DS_WRITE_PROPERTY_EXTENDED (AD DS); SERVICE_ENUMERATE_DEPENDENTS (service) `0x00000010` FILE_WRITE_EA (file/dir); KEY_NOTIFY (registry); ACTRL_DS_READ_PROP / DS_READ_PROPERTY (AD DS); SERVICE_START (service) `0x00000020` FILE_EXECUTE / FILE_TRAVERSE (file/dir); KEY_CREATE_LINK (registry); ACTRL_DS_WRITE_PROP / DS_WRITE_PROPERTY (AD DS); SERVICE_STOP (service) `0x00000040` FILE_DELETE_CHILD (file/dir); ACTRL_DS_DELETE_TREE (AD DS); SERVICE_PAUSE_CONTINUE (service) `0x00000080` FILE_READ_ATTRIBUTES (file/dir); ACTRL_DS_LIST_OBJECT (AD DS); SERVICE_INTERROGATE (service) `0x00000100` FILE_WRITE_ATTRIBUTES (file/dir); ACTRL_DS_CONTROL_ACCESS / DS_CONTROL_ACCESS (AD DS); SERVICE_USER_DEFINED_CONTROL (service); KEY_WOW64_64KEY (registry redirector; winnt.h) `0x00000200` KEY_WOW64_32KEY (registry redirector; winnt.h) `0x00000800` PROCESS_SUSPEND_RESUME (process; NtSuspendProcess / NtResumeProcess); also aliased as PROCESS_SET_PORT in legacy NT native headers; THREAD_QUERY_LIMITED_INFORMATION (thread) `0x00001000` PROCESS_QUERY_LIMITED_INFORMATION (process; subset query for protected-process scenarios; Vista+); THREAD_RESUME (thread) `0x00002000` PROCESS_SET_LIMITED_INFORMATION (process; write-side counterpart to QUERY_LIMITED_INFORMATION; not in MS Learn docs but defined in winnt.h and confirmed in System Informer / Process Hacker headers); not assigned for thread objects	2 detection rules
`AccessList` UnicodeString	The list of access rights which were requested by Subject\Security ID. These access rights depend on Object Type. Has always "ReadData (or ListDirectory)" value for this event.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5140,
    "version": 1,
    "level": 0,
    "task": 12808,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:05:55.4512375+00:00",
    "event_record_id": 3212141,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 7924
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-C$",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x292ab9d",
    "ObjectType": "File",
    "IpAddress": "::1",
    "IpPort": "57857",
    "ShareName": "\\\\*\\SYSVOL",
    "ShareLocalPath": "\\??\\C:\\Windows\\SYSVOL\\sysvol",
    "AccessMask": "0x1",
    "AccessList": "%%4416\n\t\t\t\t"
  },
  "message": "A network share object was accessed.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x292AB9D\r\n\r\nNetwork Information:\t\r\n\tObject Type:\t\tFile\r\n\tSource Address:\t\t::1\r\n\tSource Port:\t\t57857\r\n\t\r\nShare Information:\r\n\tShare Name:\t\t\\\\*\\SYSVOL\r\n\tShare Path:\t\t\\??\\C:\\Windows\\SYSVOL\\sysvol\r\n\r\nAccess Request Information:\r\n\tAccess Mask:\t\t0x1\r\n\tAccesses:\t\tReadData (or ListDirectory)\r\n\t\t\t\t\r\n"
}

Detection Patterns #

Event Log

8 rules

Sigma

Shared folder access with forged Golden ticket (source)

mdecrevoisier

Active Directory honeypot used for lateral movement (source)

mdecrevoisier

Windows Administrative Shares Accessed On Multiple Hosts (source)

mdecrevoisier

Splunk

Mauricio Velazco, Splunk

SMB Write Access on Administrative Share (Windows Event Log) (source)

Windows Admin$ Share Access (Windows Event Log) (source)

Active Directory honeypot used for lateral movement (source)

Share Access Windows Event

6 rules

Sigma

mdecrevoisier

SMB Write Access on Administrative Share (Windows Event Log) (source)

mdecrevoisier

Splunk

Windows Admin$ Share Access (Windows Event Log) (source)

Windows C$ Share Access (Windows Event Log) (source)

Security-Auditing Event ID 4625: An account failed to log on.OREvent ID 5140: A network share object was accessed.OREvent ID 5156: The Windows Filtering Platform has permitted a connection.

1 rule

Splunk

Meterpreter Reverse Shell (Windows Event Log) (source)

Initial Access: Exploit Public-Facing Application

1 rule

Splunk

Potential SMB Activity from External IP - Windows (Windows Event Log) (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`AccessMask`	eq	`0x1`	1 rule	sigma, splunk
`ShareName`	in	`\\\\*\\C$`	1 rule	splunk
`ShareName`	wildcard	`\\*\ADMIN$`	1 rule	sigma
`SubjectUserSid`	starts_with	`S-1-5-21`	1 rule	elastic, sigma
`prefix`	eq	`geo`	1 rule	splunk
`signature_id`	eq	`4625`	1 rule	splunk
`unique_targets`	gt	`30`	1 rule	splunk

Community Notes #

Tracks who is accessing shared folders on the network. Very noisy.

Detection Rules #

Security-Auditing Event ID 5137: A directory service object was created.→Event ID 5141: A directory service object was deleted.

Sigma # view in coverage

Access To ADMIN$ Network Share source low: Detects access to ADMIN$ network share
Potential CVE-2023-36884 Exploitation - Share Access source high: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884

Splunk # view in coverage

Network Share Discovery Via Dir Command source: The following analytic detects access to Windows administrative SMB shares (Admin$, IPC$, C$) using the 'dir' command. It leverages Windows Security Event Logs with EventCode 5140 to identify this activity. This behavior is significant as…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5140
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5140_v1.yml
MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format

Event ID 5141: A directory service object was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Directory Service Changes
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

This event generates every time an Active Directory object is deleted.

Message #

A directory service object was deleted.
	
Subject:
	Security ID: %3
	Account Name: %4
	Account Domain: %5
	Logon ID: %6
	
Directory Service:
	Name: %7
	Type: %8
	
Object:
	DN: %9
	GUID: %10
	Class: %11
	
Operation:
	Tree Delete: %12
	Correlation ID: %1
	Application Correlation ID: %2

Fields #

Name	Description
`OpCorrelationID` GUID	Multiple modifications are often executed as one operation via LDAP.
`AppCorrelationID` UnicodeString	[Operation] Application Correlation ID.
`SubjectUserSid` SID	SID of account that requested the "delete object" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "delete object" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`DSName` UnicodeString	The name of an Active Directory domain, where the object was deleted.
`DSType` UnicodeString	Has "Active Directory Domain Services" value for this event. Known values `%%14676` Active Directory Domain Services `%%14677` Active Directory Lightweight Directory Services
`ObjectDN` UnicodeString	Distinguished name of the object that was deleted.
`ObjectGUID` GUID	Each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world.
`ObjectClass` UnicodeString	Class of the object that was deleted.
`TreeDelete` UnicodeString	Yes - "Delete Subtree" operation was performed. It happens, for example, if "Use Delete Subtree server control" check box was checked during delete operation using Active Directory Users and Computers management console. No - delete operation was performed without "Delete Subtree" server control.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5141,
    "version": 0,
    "level": 0,
    "task": 14081,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T23:09:16.430494+00:00",
    "event_record_id": 16632112,
    "correlation": {},
    "execution": {
      "process_id": 936,
      "thread_id": 724
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "OpCorrelationID": "B2C1C1B5-B65D-4E48-B5C7-AD55815CDF5D",
    "AppCorrelationID": "-",
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xbefec",
    "DSName": "ludus.domain",
    "DSType": "%%14676",
    "ObjectDN": "CN=testaudit2,CN=Users,DC=ludus,DC=domain",
    "ObjectGUID": "E352E021-AD2D-40D3-B617-37AEF7687FFD",
    "ObjectClass": "user",
    "TreeDelete": "%%14679"
  },
  "message": ""
}

Detection Patterns #

Defense Impairment: Rogue Domain Controller

1 rule

Splunk

Windows AD Short Lived Server Object (source)

Mauricio Velazco, Splunk

Defense Impairment: Group Policy Modification

1 rule

Splunk

Security-Auditing Event ID 5142: A network share object was added.OREvent ID 5143: A network share object was modified.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`short_lived`	eq	`TRUE`	1 rule	splunk

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5141
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5141.yml

Event ID 5142: A network share object was added.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → File Share
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

This event generates every time network share object was accessed.

Message #

A network share object was added.
	
Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Share Information:	
	Share Name: %5
	Share Path: %6

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that requested the "add network share object" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "add network share object" operation.	1 detection rule
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`ShareName` UnicodeString	The name of the added share object. The format is: *\SHARE_NAME.	2 detection rules
`ShareLocalPath` UnicodeString	The full system (NTFS) path for the added share object. The format is: \??\PATH.	1 detection rule

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5142,
    "version": 0,
    "level": 0,
    "task": 12808,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:33:03.1890042+00:00",
    "event_record_id": 1719451,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 176
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-A$",
    "SubjectDomainName": "cell-a",
    "SubjectLogonId": "0x3e7",
    "ShareName": "\\\\*\\Public",
    "ShareLocalPath": "C:\\Public"
  },
  "message": "A network share object was added.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nShare Information:\t\r\n\tShare Name:\t\t\\\\*\\Public\r\n\tShare Path:\t\tC:\\Public"
}

Detection Patterns #

Lateral Movement: SMB/Windows Admin Shares

1 rule

Sigma

Shared printer creation (PrintNightmare vulnerability - CVE-2021-36958) (source)

mdecrevoisier

Community Notes #

May be a prelude to data exfiltration. Includes named pipes and IPC$ (confirm if the client address is external/unexpected). May indicate share enumeration and directory walking prior to exfiltration. The RelativeTargetName field may show the original file name and path on the attacker's machine.

Detection Rules #

Security-Auditing Event ID 5142: A network share object was added.OREvent ID 5143: A network share object was modified.

Sigma # view in coverage

New network file share created source medium: Detects scenarios when a new file share is created.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5142
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5142.yml

Event ID 5143: A network share object was modified.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → File Share
Collection Priority: Recommended (Yamato Security)
Opcode: Info

Description

This event generates every time network share object was modified.

Message #

A network share object was modified.
	
Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Share Information:
	Object Type: %5
	Share Name: %6
	Share Path: %7
	Old Remark: %8
	New Remark: %9
	Old MaxUsers: %10
	New Maxusers: %11
	Old ShareFlags: %12
	New ShareFlags: %13
	Old SD: %14
	New SD: %15

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested the "modify network share object" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "modify network share object" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`ObjectType` UnicodeString	The type of an object that was modified. Always "Directory" for this event.
`ShareName` UnicodeString	The name of the modified share object. The format is: *\SHARE_NAME.
`ShareLocalPath` UnicodeString	The full system (NTFS) path for the added share object.
`OldRemark` UnicodeString	The old value of network share "Comments:" field. Has "N/A" value if it is not set.
`NewRemark` UnicodeString	The new value of network share "Comments:" field. Has "N/A" value if it is not set.
`OldMaxUsers` HexInt32	Old hexadecimal value of "Limit the number of simultaneous user to:" field. Has "0xFFFFFFFF" value if the number of connections is unlimited.
`NewMaxUsers` HexInt32	New hexadecimal value of "Limit the number of simultaneous user to:" field. Has "0xFFFFFFFF" value if the number of connections is unlimited.
`OldShareFlags` HexInt32	Old hexadecimal value of "Offline Settings" caching settings window flags.
`NewShareFlags` HexInt32	New hexadecimal value of "Offline Settings" caching settings window flags.
`OldSD` UnicodeString	The old Security Descriptor Definition Language (SDDL) value for network share security descriptor.
`NewSD` UnicodeString	The new Security Descriptor Definition Language (SDDL) value for network share security descriptor.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5143,
    "version": 0,
    "level": 0,
    "task": 12808,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2020-07-11T17:17:32.128132Z",
    "event_record_id": 1228290,
    "correlation": {},
    "execution": {
      "process_id": 464,
      "thread_id": 472
    },
    "channel": "Security",
    "computer": "fs02.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
    "SubjectUserName": "admmig",
    "SubjectDomainName": "OFFSEC",
    "SubjectLogonId": "0x202dac8",
    "ObjectType": "Directory",
    "ShareName": "\\\\*\\hidden-share$",
    "ShareLocalPath": "C:\\TOOLS\\hidden-share$",
    "OldRemark": "N/A",
    "NewRemark": "N/A",
    "OldMaxUsers": "0xffffffff",
    "NewMaxUsers": "0xffffffff",
    "OldShareFlags": "0x0",
    "NewShareFlags": "0x0",
    "OldSD": "O:BAG:DUD:(A;;0x1200a9;;;WD)",
    "NewSD": "O:BAG:DUD:(A;;FA;;;S-1-5-21-4230534742-2542757381-3142984815-1107)(A;;0x1301bf;;;WD)"
  }
}

Detection Patterns #

Lateral Movement: SMB/Windows Admin Shares

1 rule

Sigma

Shared printer creation (PrintNightmare vulnerability - CVE-2021-36958) (source)

mdecrevoisier

Detection Rules #

Security-Auditing Event ID 5140: A network share object was accessed.OREvent ID 5145: A network share object was checked to see whether client can be granted desired access.

Sigma # view in coverage

Suspicious permissions modification on a network share source medium: Detects scenarios where an attacker modifies network share permissions in order to facilitate lateral movement and avoid detection by creating new network shares

Kusto # view in coverage

Excessive share permissions source medium: The query searches for event 5143, which is triggered when a share is created or changed and includes de share permissions. First it checks to see if this is a whitelisted share for the system (e.g. domaincontroller netlogon, printserver print$ etc.). The share permissions are then checked against 'allow' rule (A) for a number of well known overly permissive groups, like all users, guests, authenticated users etc. If these are found, an alert is raised so the share creation may be audited. Note: this rule only checks for changed permissions, to prevent repeat alerts if for example a comment is changed, but the permissions are not altered.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5143
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5143.yml

Event ID 5144: A network share object was deleted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → File Share
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

This event generates every time a network share object is deleted.

Message #

A network share object was deleted.
	
Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Share Information:	
	Share Name: %5
	Share Path: %6

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested the "delete network share object" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "delete network share object" operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`ShareName` UnicodeString	The name of the deleted share object. The format is: *\SHARE_NAME.
`ShareLocalPath` UnicodeString	The full system (NTFS) path for the deleted share object.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5144,
    "version": 0,
    "level": 0,
    "task": 12808,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:18:20.582403+00:00",
    "event_record_id": 16257540,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 2396
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xa981e",
    "ShareName": "\\\\*\\EvtGenShare",
    "ShareLocalPath": "C:\\EvtGenFileTest\\Shared"
  },
  "message": ""
}

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5144.yml

Event ID 5145: A network share object was checked to see whether client can be granted desired access.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Detailed File Share
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

A network share object was checked to see whether client can be granted desired access.

Message #

A network share object was checked to see whether client can be granted desired access.
	
Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Network Information:	
	Object Type: %5
	Source Address: %6
	Source Port: %7
	
Share Information:
	Share Name: %8
	Share Path: %9
	Relative Target Name: %10

Access Request Information:
	Access Mask: %11
	Accesses: %12
Access Check Results:
	%13

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that requested access to network share object.
`SubjectUserName` UnicodeString	Name of the account that requested access to the network share object.	9 detection rules
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`ObjectType` UnicodeString	Type of the accessed object. Always "File" for this event.	6 detection rules
`IpAddress` UnicodeString	Source IP address of the client.	5 detection rules
`IpPort` UnicodeString	Source TCP or UDP port which was used from remote or local machine to request the access.
`ShareName` UnicodeString	Name of the network share.	41 detection rules
`ShareLocalPath` UnicodeString	Full NTFS path of the network share. Formatted as \??\PATH.
`RelativeTargetName` UnicodeString	Path of the accessed file or folder relative to the share root. "\" if the share itself was the target.	139 detection rules
`AccessMask` HexInt32	Hexadecimal access mask for the requested access rights. Access mask reference Bitmask flags `0x80000000` GENERIC_READ `0x40000000` GENERIC_WRITE `0x20000000` GENERIC_EXECUTE `0x10000000` GENERIC_ALL `0x02000000` MAXIMUM_ALLOWED `0x01000000` ACCESS_SYSTEM_SECURITY `0x00100000` SYNCHRONIZE `0x00080000` WRITE_OWNER `0x00040000` WRITE_DAC `0x00020000` READ_CONTROL `0x00010000` DELETE `0x00000001` FILE_READ_DATA / FILE_LIST_DIRECTORY (file/dir); KEY_QUERY_VALUE (registry); ACTRL_DS_CREATE_CHILD (AD DS); SERVICE_QUERY_CONFIG (service) `0x00000002` FILE_WRITE_DATA / FILE_ADD_FILE (file/dir); KEY_SET_VALUE (registry); ACTRL_DS_DELETE_CHILD (AD DS); SERVICE_CHANGE_CONFIG (service) `0x00000004` FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY (file/dir); KEY_CREATE_SUB_KEY (registry); ACTRL_DS_LIST / DS_LIST_CONTENTS (AD DS); SERVICE_QUERY_STATUS (service) `0x00000008` FILE_READ_EA (file/dir); KEY_ENUMERATE_SUB_KEYS (registry); ACTRL_DS_SELF / DS_WRITE_PROPERTY_EXTENDED (AD DS); SERVICE_ENUMERATE_DEPENDENTS (service) `0x00000010` FILE_WRITE_EA (file/dir); KEY_NOTIFY (registry); ACTRL_DS_READ_PROP / DS_READ_PROPERTY (AD DS); SERVICE_START (service) `0x00000020` FILE_EXECUTE / FILE_TRAVERSE (file/dir); KEY_CREATE_LINK (registry); ACTRL_DS_WRITE_PROP / DS_WRITE_PROPERTY (AD DS); SERVICE_STOP (service) `0x00000040` FILE_DELETE_CHILD (file/dir); ACTRL_DS_DELETE_TREE (AD DS); SERVICE_PAUSE_CONTINUE (service) `0x00000080` FILE_READ_ATTRIBUTES (file/dir); ACTRL_DS_LIST_OBJECT (AD DS); SERVICE_INTERROGATE (service) `0x00000100` FILE_WRITE_ATTRIBUTES (file/dir); ACTRL_DS_CONTROL_ACCESS / DS_CONTROL_ACCESS (AD DS); SERVICE_USER_DEFINED_CONTROL (service); KEY_WOW64_64KEY (registry redirector; winnt.h) `0x00000200` KEY_WOW64_32KEY (registry redirector; winnt.h) `0x00000800` PROCESS_SUSPEND_RESUME (process; NtSuspendProcess / NtResumeProcess); also aliased as PROCESS_SET_PORT in legacy NT native headers; THREAD_QUERY_LIMITED_INFORMATION (thread) `0x00001000` PROCESS_QUERY_LIMITED_INFORMATION (process; subset query for protected-process scenarios; Vista+); THREAD_RESUME (thread) `0x00002000` PROCESS_SET_LIMITED_INFORMATION (process; write-side counterpart to QUERY_LIMITED_INFORMATION; not in MS Learn docs but defined in winnt.h and confirmed in System Informer / Process Hacker headers); not assigned for thread objects	8 detection rules
`AccessList` UnicodeString	Access rights requested.	14 detection rules
`AccessReason` UnicodeString	The list of access check results. Known values `%%1801` Granted by `%%1802` Denied by `%%1803` Denied by Integrity Policy check `%%1804` Granted by Ownership `%%1805` Not granted `%%1806` Granted by NULL DACL `%%1807` Denied by Empty DACL `%%1808` Granted by NULL Security Descriptor `%%1809` Unknown or unchecked `%%1810` Not granted due to missing `%%1811` Granted by ACE on parent folder `%%1812` Denied by ACE on parent folder `%%1813` Granted by Central Access Rule `%%1814` NOT Granted by Central Access Rule `%%1815` Granted by parent folder's Central Access Rule `%%1816` NOT Granted by parent folder's Central Access Rule `%%1830` Not granted to AppContainers `%%1841` Denied by Process Trust Label ACE `%%1856` Denied by Access Filter Ace

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5145,
    "version": 0,
    "level": 0,
    "task": 12811,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:05:55.4515712+00:00",
    "event_record_id": 3212142,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 5936
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-C$",
    "SubjectDomainName": "cell-c",
    "SubjectLogonId": "0x292ab9d",
    "ObjectType": "File",
    "IpAddress": "::1",
    "IpPort": "57857",
    "ShareName": "\\\\*\\SYSVOL",
    "ShareLocalPath": "\\??\\C:\\Windows\\SYSVOL\\sysvol",
    "RelativeTargetName": "\\",
    "AccessMask": "0x100080",
    "AccessList": "%%1541\n\t\t\t\t%%4423\n\t\t\t\t",
    "AccessReason": "%%1541:\t%%1801\tD:(A;;0x1200a9;;;WD)\n\t\t\t\t%%4423:\t%%1801\tD:(A;;0x1200a9;;;WD)\n\t\t\t\t"
  },
  "message": "A network share object was checked to see whether client can be granted desired access.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x292AB9D\r\n\r\nNetwork Information:\t\r\n\tObject Type:\t\tFile\r\n\tSource Address:\t\t::1\r\n\tSource Port:\t\t57857\r\n\t\r\nShare Information:\r\n\tShare Name:\t\t\\\\*\\SYSVOL\r\n\tShare Path:\t\t\\??\\C:\\Windows\\SYSVOL\\sysvol\r\n\tRelative Target Name:\t\\\r\n\r\nAccess Request Information:\r\n\tAccess Mask:\t\t0x100080\r\n\tAccesses:\t\tSYNCHRONIZE\r\n\t\t\t\tReadAttributes\r\n\t\t\t\t\r\nAccess Check Results:\r\n\tSYNCHRONIZE:\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\tReadAttributes:\tGranted by\tD:(A;;0x1200a9;;;WD)\r\n\t\t\t\t\r\n"
}

Detection Patterns #

Event Log

8 rules

Sigma

Shared folder access with forged Golden ticket (source)

mdecrevoisier

Active Directory honeypot used for lateral movement (source)

mdecrevoisier

Windows Administrative Shares Accessed On Multiple Hosts (source)

mdecrevoisier

Splunk

Mauricio Velazco, Splunk

SMB Write Access on Administrative Share (Windows Event Log) (source)

Windows Admin$ Share Access (Windows Event Log) (source)

Active Directory honeypot used for lateral movement (source)

Share Access Windows Event

6 rules

Sigma

mdecrevoisier

SMB Write Access on Administrative Share (Windows Event Log) (source)

mdecrevoisier

Splunk

Windows Admin$ Share Access (Windows Event Log) (source)

Windows C$ Share Access (Windows Event Log) (source)

Security-Auditing Event ID 5136: A directory service object was modified.OREvent ID 5145: A network share object was checked to see whether client can be granted desired access.

Execution At Scale

3 rules

Sigma

Persistence and Execution at Scale via GPO Scheduled Task (source)

Samir Bousseaden

Startup/Logon Script Added to Group Policy Object (source)

Elastic, Josh Nickels, Marius Rothenbücher

Elastic

Scheduled Task Execution at Scale via GPO (source)

Elastic

Event Log

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 5145: A network share object was checked to see whether client can be granted desired access.

3 rules

Splunk

Command Output Redirected to Localhost (Windows Event Log) (source)

Impacket PSexec (Windows Event Log) (source)

Certificate Enumeration - Windows (Windows Event Log) (source)

Relay Attack Against

3 rules

Elastic

Potential Kerberos Relay Attack against a Computer Account (source)

Elastic

Potential NTLM Relay Attack against a Computer Account (source)

Elastic

Splunk

Suspicious Spool Authentication (Windows Event Log) (source)

Show All Detection Patterns

Event Log

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 5145: A network share object was checked to see whether client can be granted desired access.

3 rules

Sigma

SecretsDump Credential Harvest (Windows Event Log) (source)

mdecrevoisier

Splunk

Suspicious Spool Authentication (Windows Event Log) (source)

Credential Access: Security Account Manager

2 rules

Sigma

SecretsDump Credential Harvest (Windows Event Log) (source)

mdecrevoisier

Splunk

Security-Auditing Event ID 4672: Special privileges assigned to new logon.→Event ID 5145: A network share object was checked to see whether client can be granted desired access.

1 rule

Elastic

Suspicious Remote Registry Access via SeBackupPrivilege (source)

Elastic

Initial Access: Exploit Public-Facing Application

1 rule

Splunk

Potential SMB Activity from External IP - Windows (Windows Event Log) (source)

Persistence: Account Manipulation

1 rule

Sigma

User password change without previous password known - SetNTLM (Mimikatz) (source)

mdecrevoisier

Stealth: Process Injection

Security-Auditing Event ID 5145: A network share object was checked to see whether client can be granted desired access.ORSysmon Event ID 17: PipeEventOREvent ID 18: PipeEvent

1 rule

Kusto

Solorigate Named Pipe (source)

Microsoft Security Research

Lateral Movement: Exploitation of Remote Services

1 rule

Kusto

Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task (source)

Impact: Data Encrypted for Impact

1 rule

Sigma

BlueSky Ransomware Artefacts (source)

j4son

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`ShareName`	eq	`\\\\\*\\IPC$`	7 rules	sigma
`ShareName`	wildcard	`\\*\IPC$`	11 rules	sigma
`ShareName`	wildcard	`\\*\C$`	7 rules	sigma
`ShareName`	wildcard	`\\*\ADMIN$`	6 rules	sigma
`AccessList`	contains	`%%4417`	9 rules	elastic, sigma, splunk
`AccessList`	contains	`writedata`	4 rules	sigma
`RelativeTargetName`	eq	`svcctl`	6 rules	kusto, sigma
`RelativeTargetName`	eq	`atsvc`	4 rules	kusto, sigma
`LogonType`	eq	`Network`	5 rules	elastic, kusto, sigma, splunk
`AttributeLDAPDisplayName`	eq	`gpcmachineextensionnames`	4 rules	elastic, sigma, splunk
`AttributeLDAPDisplayName`	eq	`gpcuserextensionnames`	4 rules	elastic, sigma
`ObjectType`	eq	`File`	4 rules	sigma, splunk
`src_ip`	is_not_null		4 rules	elastic, kusto, panther
`src_ip`	ne	`127.0.0.1`	4 rules	elastic, splunk
`src_ip`	ne	`::1`	4 rules	elastic, splunk

Detection Rules #

Security-Auditing Event ID 5152: The Windows Filtering Platform blocked a packet.OREvent ID 5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.OREvent ID 5155: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.OREvent ID 5156: The Windows Filtering Platform has permitted a connection.OREvent ID 5157: The Windows Filtering Platform has blocked a connection.OREvent ID 5158: The Windows Filtering Platform has permitted a bind to a local port.OREvent ID 5159: The Windows Filtering Platform has blocked a bind to a local port.ORSysmon Event ID 3: Network connection

Sigma # view in coverage

Remote Task Creation via ATSVC Named Pipe source medium: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
DCERPC SMB Spoolss Named Pipe source medium: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security source high: Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.

Show 17 more (35 total)

Impacket PsExec Execution source high: Detects execution of Impacket's psexec.py.
Possible Impacket SecretDump Remote Activity source high: Detect AD credential dumping using impacket secretdump HKTL
First Time Seen Remote Named Pipe source high: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
Windows Network Access Suspicious desktop.ini Action source medium: Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Possible PetitPotam Coerce Authentication Attempt source high: Detect PetitPotam coerced authentication activity.
Protected Storage Service Access source high: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
SMB Create Remote File Admin Share source high: Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
Suspicious PsExec Execution source high: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
Suspicious Access to Sensitive File Extensions source medium: Detects known sensitive file extensions accessed on a network share
Remote Service Activity via SVCCTL Named Pipe source medium: Detects remote service activity via remote access to the svcctl named pipe
Transferring Files with Credential Data via Network Shares source medium: Transferring files with well-known filenames (sensitive files with credential data) using network shares
T1047 Wmiprvse Wbemcomn DLL Hijack source high: Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.
Azure Active Directory Connect credentials dump via network share source high: Detects scenarios where an attacker attempt to dump Azure Active Directory Connect credentials via network share.
User browser credentials dump via network share (DonPapi, Lazagne) source high: Detects scenarios where an attacker attempt to dump browser credentials (Firefox, Google Chrome, ...) via network share.
LSASS credential dump with LSASSY (admin share) source high: Detects scenarios where an attacker remotely dump LSASS credentials using the LSASSY tool.
PSexec execution over SMB share source medium: Detects scenarios where an attacker execute PSexec on a remote host via SMB
Impacket WMIexec execution via SMB admin share source high: Detects scenarios where an attacker attempts to remotely execute WMIexec via SMB admin share in order to escalate privileges.

Elastic # view in coverage

Active Directory Forced Authentication from Linux Host - SMB Named Pipes source medium: Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks.
Potential Machine Account Relay Attack via SMB source high: Identifies potential relay attacks against a machine account by identifying network share access events coming from a remote source.ip but using the target server computer account. This may indicate an SMB relay attack.
Potential Network Share Discovery source low: Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement.

Splunk # view in coverage

Executable File Written in Administrative SMB Share source: The following analytic detects executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). It leverages Windows Security Event Logs with EventCode 5145 to identify this activity. This behavior is…
High Frequency Copy Of Files In Network Share source: The following analytic detects a high frequency of file copying or moving within network shares, which may indicate potential data sabotage or exfiltration attempts. It leverages Windows Security Event Logs (EventCode 5145) to monitor…
PetitPotam Network Share Access Request source: The following analytic detects network share access requests indicative of the PetitPotam attack (CVE-2021-36942). It leverages Windows Event Code 5145, which logs attempts to access network share objects. This detection is significant as…

Show 2 more (5 total)

Windows Scheduled Task Created in a Group Policy Object source: When a scheduled task is created within a Group Policy, a characteristic file ScheduledTasks.xml with its definition is created in the respective subfolder of the SYSVOL share. This rule can hit on legitimate GPO scheduled task creation,…
Windows Share Multiple File Access (Windows Event Log) source: SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. This use case looks…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-file-share
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5145.yml
MS Learn ACCESS_MASK format https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask-format

Event ID 5146: The Windows Filtering Platform has blocked a packet.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Opcode: Info

Description

The Windows Filtering Platform has blocked a packet.

Message #

The Windows Filtering Platform has blocked a packet.

Network Information:
	Direction: %1
	Source Address: %2
	Destination Address: %3
	EtherType: %4
	VlanTag: %5
	vSwitchId: %6
	Source vSwitch Port: %7
	Destination vSwitch Port: %8

Filter Information:
	Filter Run-Time ID: %9
	Layer Name: %10
	Layer Run-Time ID: %11

Fields #

Name	Description
`Direction` UnicodeString	[Network Information] Direction Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`SourceAddress` UnicodeString	[Network Information] Source Address
`DestAddress` UnicodeString	[Network Information] Destination Address
`EtherType` HexInt32	[Network Information] EtherType
`VlanTag` HexInt32	[Network Information] VlanTag
`vSwitchID` UnicodeString	[Network Information] vSwitchId
`SourcevSwitchPort` UInt32	[Network Information] Source vSwitch Port
`DestinationvSwitchPort` UInt32	[Network Information] Destination vSwitch Port
`FilterRTID` UInt64	[Filter Information] Filter Run-Time ID
`LayerName` UnicodeString	[Filter Information] Layer Name Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown `ALE Receive/Accept v4 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; resolved alias matching %%14610 variant `ALE Receive/Accept v6 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; resolved alias matching %%14610 variant `ALE Connect v4 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V4; resolved alias matching %%14611 variant `ALE Connect v6 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V6; resolved alias matching %%14611 variant `ALE Listen v4 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V4; resolved alias matching %%14609 variant `ALE Listen v6 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V6; resolved alias matching %%14609 variant `ALE Flow Established v4 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; resolved alias matching %%14612 variant `ALE Flow Established v6 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6; resolved alias matching %%14612 variant `ALE Resource Assignment v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4; resolved alias matching %%14608 variant `ALE Resource Assignment v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6; resolved alias matching %%14608 variant `ALE Resource Release v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V4; resolved alias matching %%14614 variant `ALE Resource Release v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V6; resolved alias matching %%14614 variant
`LayerRTID` UInt64	[Filter Information] Layer Run-Time ID

Event ID 5147: A more restrictive Windows Filtering Platform filter has blocked a packet.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Opcode: Info

Description

A more restrictive Windows Filtering Platform filter has blocked a packet.

Message #

A more restrictive Windows Filtering Platform filter has blocked a packet.

Network Information:
	Direction: %1
	Source Address: %2
	Destination Address: %3
	EtherType: %4
	VlanTag: %5
	vSwitchId: %6
	Source vSwitch Port: %7
	Destination vSwitch Port: %8

Filter Information:
	Filter Run-Time ID: %9
	Layer Name: %10
	Layer Run-Time ID: %11

Fields #

Name	Description
`Direction` UnicodeString	[Network Information] Direction Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`SourceAddress` UnicodeString	[Network Information] Source Address
`DestAddress` UnicodeString	[Network Information] Destination Address
`EtherType` HexInt32	[Network Information] EtherType
`VlanTag` HexInt32	[Network Information] VlanTag
`vSwitchID` UnicodeString	[Network Information] vSwitchId
`SourcevSwitchPort` UInt32	[Network Information] Source vSwitch Port
`DestinationvSwitchPort` UInt32	[Network Information] Destination vSwitch Port
`FilterRTID` UInt64	[Filter Information] Filter Run-Time ID
`LayerName` UnicodeString	[Filter Information] Layer Name Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown `ALE Receive/Accept v4 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; resolved alias matching %%14610 variant `ALE Receive/Accept v6 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; resolved alias matching %%14610 variant `ALE Connect v4 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V4; resolved alias matching %%14611 variant `ALE Connect v6 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V6; resolved alias matching %%14611 variant `ALE Listen v4 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V4; resolved alias matching %%14609 variant `ALE Listen v6 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V6; resolved alias matching %%14609 variant `ALE Flow Established v4 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; resolved alias matching %%14612 variant `ALE Flow Established v6 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6; resolved alias matching %%14612 variant `ALE Resource Assignment v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4; resolved alias matching %%14608 variant `ALE Resource Assignment v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6; resolved alias matching %%14608 variant `ALE Resource Release v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V4; resolved alias matching %%14614 variant `ALE Resource Release v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V6; resolved alias matching %%14614 variant
`LayerRTID` UInt64	[Filter Information] Layer Run-Time ID

Event ID 5148: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Other Object Access Events
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.

Message #

The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.

Network Information:
	Type: %1

Fields #

Name	Description
`Type` UnicodeString	[Network Information] Type

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5148
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events

Event ID 5149: The DoS attack has subsided and normal processing is being resumed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Other Object Access Events
Collection Priority: Recommended (Yamato Security)
Opcode: Info

Description

The DoS attack has subsided and normal processing is being resumed.

Message #

The DoS attack has subsided and normal processing is being resumed.

Network Information:
	Type: %1
	Packets Discarded: %2

Fields #

Name	Description
`Type` UnicodeString	[Network Information] Type
`PacketsDiscarded` UInt64	[Network Information] Packets Discarded

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5149
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events

Event ID 5150: The Windows Filtering Platform has blocked a packet.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Filtering Platform Connection
Collection Priority: Recommended (Yamato Security)
Opcode: Info

Description

The Windows Filtering Platform has blocked a packet.

Message #

The Windows Filtering Platform has blocked a packet.

Network Information:
	Direction: %1
	Source Address: %2
	Destination Address: %3
	EtherType: %4
	MediaType: %5
	InterfaceType: %6
	VlanTag: %7

Filter Information:
	Filter Run-Time ID: %8
	Layer Name: %9
	Layer Run-Time ID: %10

Fields #

Name	Description
`Direction` UnicodeString	[Network Information] Direction Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`SourceAddress` UnicodeString	[Network Information] Source Address
`DestAddress` UnicodeString	[Network Information] Destination Address
`EtherType` HexInt32	[Network Information] EtherType
`MediaType` UInt32	[Network Information] MediaType
`InterfaceType` UInt32	[Network Information] InterfaceType
`VlanTag` HexInt32	[Network Information] VlanTag
`FilterRTID` UInt64	[Filter Information] Filter Run-Time ID
`LayerName` UnicodeString	[Filter Information] Layer Name Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown `ALE Receive/Accept v4 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; resolved alias matching %%14610 variant `ALE Receive/Accept v6 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; resolved alias matching %%14610 variant `ALE Connect v4 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V4; resolved alias matching %%14611 variant `ALE Connect v6 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V6; resolved alias matching %%14611 variant `ALE Listen v4 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V4; resolved alias matching %%14609 variant `ALE Listen v6 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V6; resolved alias matching %%14609 variant `ALE Flow Established v4 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; resolved alias matching %%14612 variant `ALE Flow Established v6 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6; resolved alias matching %%14612 variant `ALE Resource Assignment v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4; resolved alias matching %%14608 variant `ALE Resource Assignment v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6; resolved alias matching %%14608 variant `ALE Resource Release v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V4; resolved alias matching %%14614 variant `ALE Resource Release v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V6; resolved alias matching %%14614 variant
`LayerRTID` UInt64	[Filter Information] Layer Run-Time ID

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5150
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection

Event ID 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Filtering Platform Connection
Collection Priority: Recommended (Yamato Security)
Opcode: Info

Description

A more restrictive Windows Filtering Platform filter has blocked a packet.

Message #

A more restrictive Windows Filtering Platform filter has blocked a packet.

Network Information:
	Direction: %1
	Source Address: %2
	Destination Address: %3
	EtherType: %4
	MediaType: %5
	InterfaceType: %6
	VlanTag: %7

Filter Information:
	Filter Run-Time ID: %8
	Layer Name: %9
	Layer Run-Time ID: %10

Fields #

Name	Description
`Direction` UnicodeString	[Network Information] Direction Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`SourceAddress` UnicodeString	[Network Information] Source Address
`DestAddress` UnicodeString	[Network Information] Destination Address
`EtherType` HexInt32	[Network Information] EtherType
`MediaType` UInt32	[Network Information] MediaType
`InterfaceType` UInt32	[Network Information] InterfaceType
`VlanTag` HexInt32	[Network Information] VlanTag
`FilterRTID` UInt64	[Filter Information] Filter Run-Time ID
`LayerName` UnicodeString	[Filter Information] Layer Name Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown `ALE Receive/Accept v4 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; resolved alias matching %%14610 variant `ALE Receive/Accept v6 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; resolved alias matching %%14610 variant `ALE Connect v4 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V4; resolved alias matching %%14611 variant `ALE Connect v6 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V6; resolved alias matching %%14611 variant `ALE Listen v4 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V4; resolved alias matching %%14609 variant `ALE Listen v6 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V6; resolved alias matching %%14609 variant `ALE Flow Established v4 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; resolved alias matching %%14612 variant `ALE Flow Established v6 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6; resolved alias matching %%14612 variant `ALE Resource Assignment v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4; resolved alias matching %%14608 variant `ALE Resource Assignment v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6; resolved alias matching %%14608 variant `ALE Resource Release v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V4; resolved alias matching %%14614 variant `ALE Resource Release v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V6; resolved alias matching %%14614 variant
`LayerRTID` UInt64	[Filter Information] Layer Run-Time ID

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection

Event ID 5152: The Windows Filtering Platform blocked a packet.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Filtering Platform Packet Drop
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

The Windows Filtering Platform has blocked a packet.

Message #

The Windows Filtering Platform has blocked a packet.

Application Information:
	Process ID: %1
	Application Name: %2

Network Information:
	Direction: %3
	Source Address: %4
	Source Port: %5
	Destination Address: %6
	Destination Port: %7
	Protocol: %8

Filter Information:
	Filter Run-Time ID: %9
	Layer Name: %10
	Layer Run-Time ID: %11

Fields #

Name	Description
`ProcessId` UInt64	Hexadecimal Process ID of the process to which blocked network packet was sent.
`Application` UnicodeString	[Application Information] Application Name.
`Direction` UnicodeString	Full path and the name of the executable for the process. Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`SourceAddress` UnicodeString	Local IP address on which application received the packet.
`SourcePort` UnicodeString	Port number on which application received the packet.
`DestAddress` UnicodeString	[Network Information] Destination Address.
`DestPort` UnicodeString	Port number which was used from remote machine to send the packet.
`Protocol` UInt32	[Network Information] Protocol. Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`FilterOrigin` UnicodeString	[Filter Information] Filter Origin.
`FilterRTID` UInt64	[Filter Information] Filter Run-Time ID.
`LayerName` UnicodeString	[Filter Information] Layer Name. Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown `ALE Receive/Accept v4 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; resolved alias matching %%14610 variant `ALE Receive/Accept v6 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; resolved alias matching %%14610 variant `ALE Connect v4 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V4; resolved alias matching %%14611 variant `ALE Connect v6 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V6; resolved alias matching %%14611 variant `ALE Listen v4 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V4; resolved alias matching %%14609 variant `ALE Listen v6 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V6; resolved alias matching %%14609 variant `ALE Flow Established v4 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; resolved alias matching %%14612 variant `ALE Flow Established v6 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6; resolved alias matching %%14612 variant `ALE Resource Assignment v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4; resolved alias matching %%14608 variant `ALE Resource Assignment v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6; resolved alias matching %%14608 variant `ALE Resource Release v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V4; resolved alias matching %%14614 variant `ALE Resource Release v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V6; resolved alias matching %%14614 variant
`LayerRTID` UInt64	[Filter Information] Layer Run-Time ID.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5152,
    "version": 1,
    "level": 0,
    "task": 12809,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2026-03-13T20:18:50.483625+00:00",
    "event_record_id": 16258577,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 3152
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessId": 0,
    "Application": "-",
    "Direction": "%%14592",
    "SourceAddress": "10.2.10.21",
    "SourcePort": "5355",
    "DestAddress": "10.2.10.11",
    "DestPort": "53173",
    "Protocol": 17,
    "FilterOrigin": "Stealth",
    "FilterRTID": 70356,
    "LayerName": "%%14597",
    "LayerRTID": 13
  },
  "message": ""
}

Detection Patterns #

Asim Network Session Schema

8 rules

3 rules

Splunk

Internal Port Scan - Critical Ports (Windows Event Log) (source)

Kusto

Network Port Sweep from External Network (ASIM Network Session schema) (source)

Port scan detected (ASIM Network Session schema) (source)

Command & Control: Application Layer Protocol

Security-Auditing Event ID 5152: The Windows Filtering Platform blocked a packet.→Event ID 5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.→Event ID 5155: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.→Event ID 5156: The Windows Filtering Platform has permitted a connection.→Event ID 5157: The Windows Filtering Platform has blocked a connection.→Event ID 5158: The Windows Filtering Platform has permitted a bind to a local port.→Event ID 5159: The Windows Filtering Platform has blocked a bind to a local port.→Sysmon Event ID 3: Network connection

2 rules

Kusto

Google Threat Intelligence - Threat Hunting IP (source)

Potential beaconing activity (ASIM Network Session schema) (source)

Stealth: Disable or Modify System Firewall

Security-Auditing Event ID 5152: The Windows Filtering Platform blocked a packet.OREvent ID 5157: The Windows Filtering Platform has blocked a connection.ORSysmon Event ID 3: Network connection

1 rule

Elastic

Potential Evasion via Windows Filtering Platform (source)

Elastic

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`IsActive`	eq	`true`	2 rules	kusto
`ObservableKey`	eq	`ipv4-addr:value`	2 rules	kusto
`ObservableValue`	is_not_null		2 rules	kusto
`dest_ip`	is_not_null		2 rules	chronicle, elastic, kusto
`src_ip`	cidr_match	`10.0.0.0/8`	1 rule	elastic, kusto
`src_ip`	ne	`DstIpAddr`	2 rules	kusto
`BeaconPercent`	gt	`80`	1 rule	kusto
`Count`	gt	`5000`	1 rule	kusto
`NetworkDirection`	eq	`Inbound`	1 rule	kusto
`SourceSystem`	eq	`Google Threat Intelligence`	1 rule	kusto
`ValidUntil`	is_null		1 rule	kusto
`description`	starts_with	`Recorded Future - Threat Hunt`	1 rule	kusto
`process_name`	eq	`elastic-endpoint.exe`	1 rule	elastic
`process_name`	eq	`esensor.exe`	1 rule	elastic
`process_name`	eq	`msmpeng.exe`	1 rule	elastic

Community Notes #

Prefer 5157 when both are available as it is per-connection.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5152
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5152.yml

Event ID 5153: A more restrictive Windows Filtering Platform filter has blocked a packet.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Filtering Platform Packet Drop
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A more restrictive Windows Filtering Platform filter has blocked a packet.

Message #

A more restrictive Windows Filtering Platform filter has blocked a packet.

Application Information:
	Process ID: %1
	Application Name: %2

Network Information:
	Direction: %3
	Source Address: %4
	Source Port: %5
	Destination Address: %6
	Destination Port: %7
	Protocol: %8

Filter Information:
	Filter Run-Time ID: %9
	Layer Name: %10
	Layer Run-Time ID: %11

Fields #

Name	Description
`ProcessId` UInt64	[Application Information] Process ID
`Application` UnicodeString	[Application Information] Application Name
`Direction` UnicodeString	[Network Information] Direction Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`SourceAddress` UnicodeString	[Network Information] Source Address
`SourcePort` UnicodeString	[Network Information] Source Port
`DestAddress` UnicodeString	[Network Information] Destination Address
`DestPort` UnicodeString	[Network Information] Destination Port
`Protocol` UInt32	[Network Information] Protocol Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`FilterOrigin` UnicodeString	[Filter Information] Filter Origin
`FilterRTID` UInt64	[Filter Information] Filter Run-Time ID
`LayerName` UnicodeString	[Filter Information] Layer Name Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown `ALE Receive/Accept v4 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; resolved alias matching %%14610 variant `ALE Receive/Accept v6 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; resolved alias matching %%14610 variant `ALE Connect v4 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V4; resolved alias matching %%14611 variant `ALE Connect v6 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V6; resolved alias matching %%14611 variant `ALE Listen v4 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V4; resolved alias matching %%14609 variant `ALE Listen v6 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V6; resolved alias matching %%14609 variant `ALE Flow Established v4 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; resolved alias matching %%14612 variant `ALE Flow Established v6 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6; resolved alias matching %%14612 variant `ALE Resource Assignment v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4; resolved alias matching %%14608 variant `ALE Resource Assignment v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6; resolved alias matching %%14608 variant `ALE Resource Release v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V4; resolved alias matching %%14614 variant `ALE Resource Release v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V6; resolved alias matching %%14614 variant
`LayerRTID` UInt64	[Filter Information] Layer Run-Time ID

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop

Event ID 5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Filtering Platform Connection
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

Message #

The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

Application Information:
	Process ID: %1
	Application Name: %2

Network Information:
	Source Address: %3
	Source Port: %4
	Protocol: %5

Filter Information:
	Filter Run-Time ID: %6
	Layer Name: %7
	Layer Run-Time ID: %8

Fields #

Name	Description
`ProcessId` UInt64	Hexadecimal Process ID of the process which was permitted to listen on the port.
`Application` UnicodeString	[Application Information] Application Name.
`SourceAddress` UnicodeString	Local IP address on which application requested to listen on the port.
`SourcePort` UnicodeString	Source TCP\UDP port number which was requested for listening by application.
`Protocol` UInt32	[Network Information] Protocol. Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`FilterRTID` UInt64	Unique filter ID which allows application to listen on the specific port.
`LayerName` UnicodeString	[Filter Information] Layer Name. Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown `ALE Receive/Accept v4 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; resolved alias matching %%14610 variant `ALE Receive/Accept v6 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; resolved alias matching %%14610 variant `ALE Connect v4 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V4; resolved alias matching %%14611 variant `ALE Connect v6 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V6; resolved alias matching %%14611 variant `ALE Listen v4 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V4; resolved alias matching %%14609 variant `ALE Listen v6 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V6; resolved alias matching %%14609 variant `ALE Flow Established v4 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; resolved alias matching %%14612 variant `ALE Flow Established v6 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6; resolved alias matching %%14612 variant `ALE Resource Assignment v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4; resolved alias matching %%14608 variant `ALE Resource Assignment v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6; resolved alias matching %%14608 variant `ALE Resource Release v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V4; resolved alias matching %%14614 variant `ALE Resource Release v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V6; resolved alias matching %%14614 variant
`LayerRTID` UInt64	[Filter Information] Layer Run-Time ID.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5154,
    "version": 0,
    "level": 0,
    "task": 12810,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-12T01:42:03.150814+00:00",
    "event_record_id": 2727618,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8992
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessId": 764,
    "Application": "\\device\\harddiskvolume4\\users\\localuser\\appdata\\local\\microsoft\\onedrive\\26.026.0209.0004\\onedrive.sync.service.exe",
    "SourceAddress": "::1",
    "SourcePort": "42050",
    "Protocol": 6,
    "FilterRTID": 0,
    "LayerName": "%%14609",
    "LayerRTID": 42
  },
  "message": ""
}

Detection Patterns #

Asim Network Session Schema

7 rules

Kusto

Network Port Sweep from External Network (ASIM Network Session schema) (source)

Remote Desktop Network Brute force (ASIM Network Session schema) (source)

Port scan detected (ASIM Network Session schema) (source)

Google Threat Intelligence - Threat Hunting IP (source)

Command & Control: Application Layer Protocol

2 rules

Kusto

Potential beaconing activity (ASIM Network Session schema) (source)

Lateral Movement: Exploitation of Remote Services

Security-Auditing Event ID 5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.OREvent ID 5156: The Windows Filtering Platform has permitted a connection.

1 rule

Splunk

Potential network connection with CVE-2023-21554 (Windows Event Log) (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`IsActive`	eq	`true`	2 rules	kusto
`ObservableKey`	eq	`ipv4-addr:value`	2 rules	kusto
`ObservableValue`	is_not_null		2 rules	kusto
`dest_ip`	is_not_null		2 rules	chronicle, elastic, kusto
`src_ip`	cidr_match	`10.0.0.0/8`	1 rule	elastic, kusto
`src_ip`	cidr_match	`127.0.0.0/8`	1 rule	elastic, kusto
`src_ip`	cidr_match	`169.254.0.0/16`	1 rule	elastic, kusto
`src_ip`	cidr_match	`172.16.0.0/12`	1 rule	elastic, kusto
`src_ip`	ne	`DstIpAddr`	2 rules	kusto
`BeaconPercent`	gt	`80`	1 rule	kusto
`Count`	gt	`5000`	1 rule	kusto
`NetworkDirection`	eq	`Inbound`	1 rule	kusto
`SourceSystem`	eq	`Google Threat Intelligence`	1 rule	kusto
`ValidUntil`	is_null		1 rule	kusto
`description`	starts_with	`Recorded Future - Threat Hunt`	1 rule	kusto

Community Notes #

Detects unexpected services binding, often precedes C2 beaconing.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5154
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5154.yml

Event ID 5155: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Filtering Platform Connection
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

Message #

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

Application Information:
	Process ID: %1
	Application Name: %2

Network Information:
	Source Address: %3
	Source Port: %4
	Protocol: %5

Filter Information:
	Filter Run-Time ID: %6
	Layer Name: %7
	Layer Run-Time ID: %8

Fields #

Name	Description
`ProcessId` UInt64	Hexadecimal Process ID (PID) of the process which was permitted to bind to the local port.
`Application` UnicodeString	[Application Information] Application Name.
`SourceAddress` UnicodeString	The local IP address of the computer running the application.
`SourcePort` UnicodeString	[Network Information] Source Port.
`Protocol` UInt32	[Network Information] Protocol. Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`FilterRTID` UInt64	A unique filter ID which blocks the application from binding to the port.
`LayerName` UnicodeString	[Filter Information] Layer Name. Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown `ALE Receive/Accept v4 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; resolved alias matching %%14610 variant `ALE Receive/Accept v6 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; resolved alias matching %%14610 variant `ALE Connect v4 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V4; resolved alias matching %%14611 variant `ALE Connect v6 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V6; resolved alias matching %%14611 variant `ALE Listen v4 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V4; resolved alias matching %%14609 variant `ALE Listen v6 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V6; resolved alias matching %%14609 variant `ALE Flow Established v4 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; resolved alias matching %%14612 variant `ALE Flow Established v6 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6; resolved alias matching %%14612 variant `ALE Resource Assignment v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4; resolved alias matching %%14608 variant `ALE Resource Assignment v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6; resolved alias matching %%14608 variant `ALE Resource Release v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V4; resolved alias matching %%14614 variant `ALE Resource Release v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V6; resolved alias matching %%14614 variant
`LayerRTID` UInt64	[Filter Information] Layer Run-Time ID.

Detection Patterns #

Asim Network Session Schema

7 rules

Kusto

Network Port Sweep from External Network (ASIM Network Session schema) (source)

Remote Desktop Network Brute force (ASIM Network Session schema) (source)

Port scan detected (ASIM Network Session schema) (source)

Google Threat Intelligence - Threat Hunting IP (source)

Command & Control: Application Layer Protocol

2 rules

Kusto

Potential beaconing activity (ASIM Network Session schema) (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`IsActive`	eq	`true`	2 rules	kusto
`ObservableKey`	eq	`ipv4-addr:value`	2 rules	kusto
`ObservableValue`	is_not_null		2 rules	kusto
`dest_ip`	is_not_null		2 rules	chronicle, elastic, kusto
`src_ip`	cidr_match	`10.0.0.0/8`	1 rule	elastic, kusto
`src_ip`	cidr_match	`127.0.0.0/8`	1 rule	elastic, kusto
`src_ip`	cidr_match	`169.254.0.0/16`	1 rule	elastic, kusto
`src_ip`	cidr_match	`172.16.0.0/12`	1 rule	elastic, kusto
`src_ip`	ne	`DstIpAddr`	2 rules	kusto
`BeaconPercent`	gt	`80`	1 rule	kusto
`Count`	gt	`5000`	1 rule	kusto
`NetworkDirection`	eq	`Inbound`	1 rule	kusto
`SourceSystem`	eq	`Google Threat Intelligence`	1 rule	kusto
`ValidUntil`	is_null		1 rule	kusto
`description`	starts_with	`Recorded Future - Threat Hunt`	1 rule	kusto

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5155.yml

Event ID 5156: The Windows Filtering Platform has permitted a connection.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Filtering Platform Connection
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

The Windows Filtering Platform has permitted a connection.

Message #

The Windows Filtering Platform has permitted a connection.

Application Information:
	Process ID: %1
	Application Name: %2

Network Information:
	Direction: %3
	Source Address: %4
	Source Port: %5
	Destination Address: %6
	Destination Port: %7
	Protocol: %8

Filter Information:
	Filter Run-Time ID: %9
	Layer Name: %10
	Layer Run-Time ID: %11

Fields #

Name	Description	Rules
`ProcessID` UInt64	Hexadecimal Process ID of the process which received the connection.
`Application` UnicodeString	[Application Information] Application Name.	15 detection rules
`Direction` UnicodeString	[Network Information] Direction. Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional	1 detection rule
`SourceAddress` UnicodeString	[Network Information] Source Address.	2 detection rules
`SourcePort` UnicodeString	Port number from which the connection was initiated.	1 detection rule
`DestAddress` UnicodeString	[Network Information] Destination Address.	2 detection rules
`DestPort` UnicodeString	[Network Information] Destination Port.	4 detection rules
`Protocol` UInt32	[Network Information] Protocol. Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`InterfaceIndex`
`FilterOrigin`		1 detection rule
`FilterRTID` UInt64	[Filter Information] Filter Run-Time ID.
`LayerName` UnicodeString	[Filter Information] Layer Name. Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown `ALE Receive/Accept v4 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; resolved alias matching %%14610 variant `ALE Receive/Accept v6 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; resolved alias matching %%14610 variant `ALE Connect v4 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V4; resolved alias matching %%14611 variant `ALE Connect v6 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V6; resolved alias matching %%14611 variant `ALE Listen v4 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V4; resolved alias matching %%14609 variant `ALE Listen v6 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V6; resolved alias matching %%14609 variant `ALE Flow Established v4 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; resolved alias matching %%14612 variant `ALE Flow Established v6 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6; resolved alias matching %%14612 variant `ALE Resource Assignment v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4; resolved alias matching %%14608 variant `ALE Resource Assignment v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6; resolved alias matching %%14608 variant `ALE Resource Release v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V4; resolved alias matching %%14614 variant `ALE Resource Release v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V6; resolved alias matching %%14614 variant
`LayerRTID` UInt64	[Filter Information] Layer Run-Time ID.	1 detection rule
`RemoteUserID` SID	[Filter Information] Remote User ID.
`RemoteMachineID` SID	[Filter Information] Remote Machine ID.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5156,
    "version": 1,
    "level": 0,
    "task": 12810,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:49.4177045+00:00",
    "event_record_id": 3213620,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4672
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessID": "896",
    "Application": "\\device\\harddiskvolume1\\windows\\system32\\lsass.exe",
    "Direction": "%%14592",
    "SourceAddress": "10.1.40.21",
    "SourcePort": "53695",
    "DestAddress": "10.1.40.11",
    "DestPort": "49668",
    "Protocol": "6",
    "InterfaceIndex": "3",
    "FilterOrigin": "Unknown",
    "FilterRTID": "68110",
    "LayerName": "%%14610",
    "LayerRTID": "44",
    "RemoteUserID": "S-1-0-0",
    "RemoteMachineID": "S-1-0-0"
  },
  "message": "The Windows Filtering Platform has permitted a connection.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t896\r\n\tApplication Name:\t\\device\\harddiskvolume1\\windows\\system32\\lsass.exe\r\n\r\nNetwork Information:\r\n\tDirection:\t\tInbound\r\n\tSource Address:\t\t10.1.40.21\r\n\tSource Port:\t\t53695\r\n\tDestination Address:\t10.1.40.11\r\n\tDestination Port:\t\t49668\r\n\tProtocol:\t\t6\r\n\tInterface Index:\t\t3\r\n\r\nFilter Information:\r\n\tFilter Origin:\t\tUnknown\r\n\tFilter Run-Time ID:\t68110\r\n\tLayer Name:\t\tReceive/Accept\r\n\tLayer Run-Time ID:\t44\r\n\tRemote User ID:\t\tS-1-0-0\r\n\tRemote Machine ID:\tS-1-0-0"
}

Detection Patterns #

14 rules

Splunk

Internal Port Scan - Critical Ports (Windows Event Log) (source)

Kusto

Network Port Sweep from External Network (ASIM Network Session schema) (source)

Remote Desktop Network Brute force (ASIM Network Session schema) (source)

Port scan detected (ASIM Network Session schema) (source)

Show 10 more (13 total) on the rules page

Security-Auditing Event ID 5156: The Windows Filtering Platform has permitted a connection.ORSysmon Event ID 3: Network connection

13 rules

Kusto

SUNBURST network beacons (source)

Detect Msiexec executing DLL network connections (source)

Robbe Van den Daele

Rouge RDP: Suspicious File Creation (source)

Cyb3rMonk

Show 10 more (13 total) on the rules page

Security-Auditing Event ID 5156: The Windows Filtering Platform has permitted a connection.OREvent ID 5157: The Windows Filtering Platform has blocked a connection.ORSysmon Event ID 3: Network connection

7 rules

Kusto

Detect process drops via Azure Custom Script Extension performing lateral movement (source)

Robbe Van den Daele

DCOM Lateral Movement (source)

Anomaly in SMB Traffic(ASIM Network Session schema) (source)

Defender-DeviceNetworkEvents any: Network activityORSecurity-Auditing Event ID 5156: The Windows Filtering Platform has permitted a connection.ORSysmon Event ID 3: Network connection

Lateral Movement: Distributed Component Object Model

7 rules

Kusto

DCOM Lateral Movement (source)

Hunt for ADWS requests from unknown devices (source)

Robbe Van den Daele

Anomaly in SMB Traffic(ASIM Network Session schema) (source)

Security-Auditing Event ID 5156: The Windows Filtering Platform has permitted a connection.ORSysmon Event ID 3: Network connectionORThreat-Intelligence Event ID 3: Remote Section Map

Adws Connection

3 rules

Kusto

ADWS Connection from Process Injection Target (source)

FalconForce

ADWS Connection from Unexpected Binary (source)

FalconForce

Hunt for ADWS requests from unknown devices (source)

Robbe Van den Daele

Show All Detection Patterns

Asim Network Session Schema

Security-Auditing Event ID 5152: The Windows Filtering Platform blocked a packet.OREvent ID 5156: The Windows Filtering Platform has permitted a connection.

3 rules

Splunk

Internal Port Scan - Critical Ports (Windows Event Log) (source)

Kusto

Network Port Sweep from External Network (ASIM Network Session schema) (source)

Port scan detected (ASIM Network Session schema) (source)

Command & Control: Application Layer Protocol

2 rules

Kusto

Google Threat Intelligence - Threat Hunting IP (source)

Potential beaconing activity (ASIM Network Session schema) (source)

Security-Auditing Event ID 4625: An account failed to log on.OREvent ID 5140: A network share object was accessed.OREvent ID 5156: The Windows Filtering Platform has permitted a connection.

1 rule

Splunk

Meterpreter Reverse Shell (Windows Event Log) (source)

Security-Auditing Event ID 4625: An account failed to log on.OREvent ID 5156: The Windows Filtering Platform has permitted a connection.

1 rule

Splunk

RDP Brute-force Detection (Windows Event Log) (source)

Execution: Exploitation for Client Execution

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 5156: The Windows Filtering Platform has permitted a connection.ORSysmon Event ID 1: Process creation

1 rule

Kusto

Execution of software vulnerable to webp buffer overflow of CVE-2023-4863 (source)

Lateral Movement: SMB/Windows Admin Shares

Defender-DeviceNetworkEvents InboundConnectionAccepted: Inbound connection acceptedORSecurity-Auditing Event ID 5156: The Windows Filtering Platform has permitted a connection.

1 rule

Kusto

SMB/Windows Admin Shares (source)

Lateral Movement: Exploitation of Remote Services

1 rule

Splunk

Potential network connection with CVE-2023-21554 (Windows Event Log) (source)

Collection: Data from Local System

Security-Auditing Event ID 412: AD FS authentication failure.ANDEvent ID 501: AD FS proxy authentication request.ANDEvent ID 5156: The Windows Filtering Platform has permitted a connection.

1 rule

Kusto

AD FS Remote Auth Sync Connection (source)

Exfiltration: Exfiltration Over Alternative Protocol

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 5156: The Windows Filtering Platform has permitted a connection.

1 rule

Splunk

PuTTY Secure Copy Client Execution (Windows Event Log) (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ConnectionSuccess`	7 rules	kusto
`EventType`	in	`ConnectionSuccess`	3 rules	kusto
`graph.metadata.entity_type`	eq	`IP_ADDRESS`	7 rules	chronicle
`graph.metadata.entity_type`	eq	`FILE`	4 rules	chronicle
`graph.metadata.source_type`	eq	`GLOBAL_CONTEXT`	6 rules	chronicle
`graph.metadata.product_name`	eq	`GCTI Feed`	4 rules	chronicle
`graph.metadata.threat.threat_feed_name`	eq	`Tor Exit Nodes`	4 rules	chronicle
`DestinationPort`	eq	`3389`	3 rules	elastic, kusto, sigma, splunk
`DestinationPort`	eq	`5985`	2 rules	chronicle, sigma
`DestinationPort`	eq	`5986`	2 rules	chronicle, sigma
`DestinationPort`	eq	`9389`	2 rules	elastic, kusto, sigma, splunk
`DestinationPort`	in	`445`	3 rules	elastic, kusto
`DestinationPort`	in	`135`	2 rules	kusto
`dest_ip`	is_not_null		3 rules	chronicle, elastic, kusto
`graph.metadata.vendor_name`	eq	`Google Cloud Threat Intelligence`	3 rules	chronicle

Community Notes #

Indicates what process (application path) on the local machine made an outbound connection to a specific destination IP and port. Helpful for reviewing connections made by a suspect process.

Detection Rules #

Network Port Sweep from External Network (ASIM Network Session schema) (source)

Sigma # view in coverage

RDP over Reverse SSH Tunnel WFP source high: Detects svchost hosting RDP termsvcs communicating with the loopback address
Remote PowerShell Sessions Network Connections (WinRM) source high: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
Uncommon Outbound Kerberos Connection - Security source medium: Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.

Splunk # view in coverage

Command and Control Detection (Windows Event Log) source: Detects malicious (like Github repositories or known suspicious IPs) sources based on a list of IPs and domains
Network Connection with Suspicious Folder (Windows Event Log) source: Detects potential downloads to suspicious file locations like temp, appdata, and downloads
Potential CVE-2024-21413: Outbound SMB from Outlook (Windows Event Log) source: A critical vulnerability CVE-2024-21413 in Microsoft Outlook, discovered by Check Point, enables remote code execution from merely opening an email containing malicious links, bypassing Outlook's Protected View. This flaw, exploitable…

Show 5 more (8 total)

Process Connection to Mega - Windows (Windows Event Log) source: Mega is a cloud storage service used by many threat actors due to its use of end-to-end encryption and semi-anonymous payment options. The client application MEGAsync.exe and command-line interface utility MegaCMD allow threat actors to…
RDP Connection (Windows Event Log) source: This use case looks for when an RDP network connection has been established
Script Connected to External Destination - Windows (Windows Event Log) source: Adversaries may use scripts to connect to external locations for C2 communications, downloading and executing payloads, data exfiltration, or redirection. This use case detects when a Windows script interpreter (wscript, cscript, mshta,…
Unexpected Network Connection from System Process (Windows Event Log) source: Threat actors may abuse legitimate system processes that typically lack network functionality to perform malicious network activity, helping evade detection and blend in with normal system behavior. This technique is often associated with…
wuauclt.exe Network Connection (Windows Event Log) source: wuauclt.exe is the Windows Update client. It can be abused to proxy execution of malicious code as documented in the LOLBAS project. This use case detects network connection events with wuauclt.exe. Connections to Microsoft-owned IPs are…

Kusto # view in coverage

Zinc Actor IOCs files - October 2022 source high: Identifies a match across filename and commandline IOC's related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/↳ also matches Event ID 4688: A new process has been created.
Suspicious office child process created source: This query obtains a list of downloaded Office documents (doc, xls, etc.) by looking at files written by commonly used web browsers. It then searches for invocations of an Office program by double-clicking on these files. If these processes spawn an uncommon child process this is reported as suspicious.↳ also matches Event ID 4663: An attempt was made to access an object., Event ID 4688: A new process has been created.
RITA Beacon Analyzer for Windows Firewall Events source: Below queries analyze Windows Firewall logs and applies RITA beacon analyzer algorithm for C2 beaconing detection.

Show 9 more (12 total)

Suspicious Network Beacons - Microsoft Defender for Endpoint Aggregated Reports source: Below query detects suspicious beaconing activity by analyzing DeviceNetworkEvents Aggregated Reports telemetry. Use it as a starting point and refine further as it may generate too many results.
Suspicious Network Beacons - Microsoft Defender(MDE/M365D) source: Below query detects suspicious beaconing activity by analyzing DeviceNetworkEvents data.
Suspicious Network Connections - Supply Chain Attack source: Below query detects unusual network conenctions from servers that have 3rd party software installed.
You can further improve the query by using a list of servers that have privileges across the whole domain.
Server Network Connection Anomalies source: Servers have a specific baseline. This makes it easy to create a baseline and detect anomalies.
Below queries analyze the network connections made by the specified servers and detects the rare/anomalous ones.
You can add process info to the analysis, but it will probably generate more results(different processes for the same IP).
Detect CVE exploits on network for which a device is vulnerable source: This detection query can be used to find specific CVE exploits passing on the wire for which the device is vulnerable. This query should have a very high TP rate, and can be considered as a 'High severity' query.
Hunt for public facing devices via DeviceNetworkEvents source: Find public facing devices via the DeviceNetworkEvents table.
Hunt for Defender for Identity NNR issues source: This query can help you in finding Network Name Resolution health issues of Microsoft Defender for Identity. NNR is a critical component which is used to get more information on IP addresses seen by MDI. Without NNR proparly working, MDI can throw a lot of False Positive alerts.↳ also matches Event ID 5157: The Windows Filtering Platform has blocked a connection.
Hunt MDE with GSA events source: This rule correlates the Microsoft Defender for Endpoint DeviceNetworkEvents table with the Global Secure Access NetworkAccessTraffic table. By doing this, you can enrich the MDE events which contains detailed process information with the GSA events that contains detailed HTTP header information and more.
Potential Kerberos Relaying Activity - MDE source: The below query detects potential Kerberos relaying event chain generated by KrbRelay.↳ also matches Event ID 4688: A new process has been created.

YARA-L # view in coverage

Potential Remote PowerShell Session Initiated source: Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicates a remote PowerShell connection.
High Risk User Download Executable From Macro source: Executable downloaded by Microsoft Excel by user with GCP entity relationship
Network Traffic To Specific Country source: Identify network traffic based on target country

Show 11 more (14 total)

Suspicious ASN source: Identify network traffic based on a specific ASN
Suspicious ASN Watchlist source: Identify any network connections to a list of ASNs
GCTI Benign Binaries Contacts Tor Exit Node source: Alert on Benign Binary contacting a TOR IP
GCTI Tor Exit Nodes source: Alert traffic destined for known Tor exit nodes
Google Safebrowsing File Contacts Tor Exit Node source: A malicious file contacting a known Tor Exit Node.
IOC IP Target source: Detect network events that indicate communication to a watchlisted IP address
IP Target Prevalence source: Detect events that are communicating to IP addresses that have a low rolling max prevalence.
Network Connection First Seen In Past Day source: Detect network connection to an ip address that was only seen for the first time in the past 24 hours
VT Relationships File Contacts IP source: Alert on known Hash contacting known IP with VT Relationships
VT Relationships File Contacts Tor IP source: Alert on known Hash contacting Tor IP with VT Relationships.
WHOIS Recently Created Domain Access source: Detects access attempts to a newly created domain via WHOIS enrichment.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5156
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-5156-wfp-permitted.md
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5156_v1.yml

Event ID 5157: The Windows Filtering Platform has blocked a connection.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Filtering Platform Connection
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

The Windows Filtering Platform has blocked a connection.

Message #

The Windows Filtering Platform has blocked a connection.

Application Information:
	Process ID: %1
	Application Name: %2

Network Information:
	Direction: %3
	Source Address: %4
	Source Port: %5
	Destination Address: %6
	Destination Port: %7
	Protocol: %8

Filter Information:
	Filter Run-Time ID: %9
	Layer Name: %10
	Layer Run-Time ID: %11

Fields #

Name	Description	Rules
`ProcessID` UInt64	Hexadecimal Process ID of the process that attempted to create the connection.
`Application` UnicodeString	[Application Information] Application Name.	69 detection rules
`Direction` UnicodeString	[Network Information] Direction. Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`SourceAddress` UnicodeString	Local IP address on which application received the connection.
`SourcePort` UnicodeString	Port number on which application received the connection.
`DestAddress` UnicodeString	[Network Information] Destination Address.
`DestPort` UnicodeString	Port number which was used from remote machine to initiate connection.
`Protocol` UInt32	[Network Information] Protocol. Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`InterfaceIndex` UInt32	[Network Information] Interface Index.
`FilterOrigin` UnicodeString	[Filter Information] Filter Origin.
`FilterRTID` UInt64	[Filter Information] Filter Run-Time ID.
`LayerName` UnicodeString	[Filter Information] Layer Name. Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown `ALE Receive/Accept v4 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; resolved alias matching %%14610 variant `ALE Receive/Accept v6 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; resolved alias matching %%14610 variant `ALE Connect v4 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V4; resolved alias matching %%14611 variant `ALE Connect v6 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V6; resolved alias matching %%14611 variant `ALE Listen v4 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V4; resolved alias matching %%14609 variant `ALE Listen v6 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V6; resolved alias matching %%14609 variant `ALE Flow Established v4 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; resolved alias matching %%14612 variant `ALE Flow Established v6 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6; resolved alias matching %%14612 variant `ALE Resource Assignment v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4; resolved alias matching %%14608 variant `ALE Resource Assignment v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6; resolved alias matching %%14608 variant `ALE Resource Release v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V4; resolved alias matching %%14614 variant `ALE Resource Release v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V6; resolved alias matching %%14614 variant
`LayerRTID` UInt64	[Filter Information] Layer Run-Time ID.
`RemoteUserID` SID	[Filter Information] Remote User ID.
`RemoteMachineID` SID	[Filter Information] Remote Machine ID.
`OriginalProfile` UnicodeString	[Filter Information] Original Profile.
`CurrentProfile` UnicodeString	[Filter Information] Current Profile.
`IsLoopback` UnicodeString	[Filter Information] Is Loopback.
`HasRemoteDynamicKeywordAddress` UnicodeString	[Filter Information] Has Remote Dynamic Keyword Address.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5157,
    "version": 3,
    "level": 0,
    "task": 12810,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2026-03-11T06:32:07.887002+00:00",
    "event_record_id": 2461636,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 352
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessID": 6872,
    "Application": "\\device\\harddiskvolume4\\windows\\system32\\svchost.exe",
    "Direction": "%%14592",
    "SourceAddress": "172.18.253.78",
    "SourcePort": "37359",
    "DestAddress": "172.18.240.1",
    "DestPort": "53",
    "Protocol": 17,
    "InterfaceIndex": 12,
    "FilterOrigin": "Quarantine Default",
    "FilterRTID": 66241,
    "LayerName": "%%14610",
    "LayerRTID": 44,
    "RemoteUserID": "S-1-0-0",
    "RemoteMachineID": "S-1-0-0",
    "OriginalProfile": "%%14643",
    "CurrentProfile": "%%14643",
    "IsLoopback": "%%1826",
    "HasRemoteDynamicKeywordAddress": "%%1826"
  },
  "message": ""
}

Detection Patterns #

Asim Network Session Schema

9 rules

Kusto

Remote Desktop Network Brute force (ASIM Network Session schema) (source)

Port scan detected (ASIM Network Session schema) (source)

Detect process drops via Azure Custom Script Extension performing lateral movement (source)

3 rules

Kusto

Robbe Van den Daele

Anomaly in SMB Traffic(ASIM Network Session schema) (source)

Detect Unknown process using SMB or WinRM (source)

Robbe Van den Daele

Command & Control: Application Layer Protocol

2 rules

Kusto

Google Threat Intelligence - Threat Hunting IP (source)

Potential beaconing activity (ASIM Network Session schema) (source)

Stealth: Disable or Modify System Firewall

Security-Auditing Event ID 5152: The Windows Filtering Platform blocked a packet.OREvent ID 5157: The Windows Filtering Platform has blocked a connection.ORSysmon Event ID 3: Network connection

1 rule

Elastic

Potential Evasion via Windows Filtering Platform (source)

Elastic

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`DestinationPort`	in	`135`	2 rules	kusto
`DestinationPort`	in	`3389`	2 rules	elastic, kusto
`DestinationPort`	in	`445`	2 rules	elastic, kusto
`DestinationPort`	in	`5985`	2 rules	elastic, kusto
`DestinationPort`	in	`5986`	2 rules	elastic, kusto
`DestinationPort`	in	`22`	1 rule	elastic, kusto
`EventType`	in	`ConnectionAttempt`	2 rules	kusto
`EventType`	in	`ConnectionFailed`	2 rules	kusto
`EventType`	in	`ConnectionRequest`	2 rules	kusto
`EventType`	in	`ConnectionSuccess`	2 rules	kusto
`ObservableKey`	eq	`ipv4-addr:value`	2 rules	kusto
`dest_ip`	is_not_null		2 rules	chronicle, elastic, kusto
`src_ip`	ne	`DstIpAddr`	2 rules	kusto
`BeaconPercent`	gt	`80`	1 rule	kusto
`Count`	gt	`5000`	1 rule	kusto

Detection Rules #

Network Port Sweep from External Network (ASIM Network Session schema) (source)

Sigma # view in coverage

Windows Filtering Platform Blocked Connection From EDR Agent Binary source high: Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.

Splunk # view in coverage

WFP Blocked Connection from EDR Agent (Windows Event Log) source: Threat actors may abuse WFP filters to prevent EDR agents from reporting security events, as observed with tools like EDRSilencer or EDRNoisemaker. This use case detects when the Windows Filtering Platform blocks a connective event…

Kusto # view in coverage

Hunt for Defender for Identity NNR issues source: This query can help you in finding Network Name Resolution health issues of Microsoft Defender for Identity. NNR is a critical component which is used to get more information on IP addresses seen by MDI. Without NNR proparly working, MDI can throw a lot of False Positive alerts.↳ also matches Event ID 5156: The Windows Filtering Platform has permitted a connection.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5157_v1.yml

Event ID 5158: The Windows Filtering Platform has permitted a bind to a local port.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Filtering Platform Connection
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time Windows Filtering Platform permits an application or service to bind to a local port.

Message #

The Windows Filtering Platform has permitted a bind to a local port.

Application Information:
	Process ID: %1
	Application Name: %2

Network Information:
	Source Address: %3
	Source Port: %4
	Protocol: %5

Filter Information:
	Filter Run-Time ID: %6
	Layer Name: %7
	Layer Run-Time ID: %8

Fields #

Name	Description
`ProcessId` UInt64	Hexadecimal Process ID of the process which was permitted to bind to the local port.
`Application` UnicodeString	[Application Information] Application Name.
`SourceAddress` UnicodeString	Local IP address on which application was bind the port.
`SourcePort` UnicodeString	[Network Information] Source Port.
`Protocol` UInt32	[Network Information] Protocol. Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`FilterRTID` UInt64	Unique filter ID which allows application to bind the port.
`LayerName` UnicodeString	[Filter Information] Layer Name. Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown `ALE Receive/Accept v4 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; resolved alias matching %%14610 variant `ALE Receive/Accept v6 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; resolved alias matching %%14610 variant `ALE Connect v4 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V4; resolved alias matching %%14611 variant `ALE Connect v6 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V6; resolved alias matching %%14611 variant `ALE Listen v4 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V4; resolved alias matching %%14609 variant `ALE Listen v6 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V6; resolved alias matching %%14609 variant `ALE Flow Established v4 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; resolved alias matching %%14612 variant `ALE Flow Established v6 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6; resolved alias matching %%14612 variant `ALE Resource Assignment v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4; resolved alias matching %%14608 variant `ALE Resource Assignment v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6; resolved alias matching %%14608 variant `ALE Resource Release v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V4; resolved alias matching %%14614 variant `ALE Resource Release v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V6; resolved alias matching %%14614 variant
`LayerRTID` UInt64	[Filter Information] Layer Run-Time ID.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5158,
    "version": 0,
    "level": 0,
    "task": 12810,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T14:08:44.1796221+00:00",
    "event_record_id": 3213525,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 2064
    },
    "channel": "Security",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessId": "3932",
    "Application": "\\device\\harddiskvolume1\\windows\\adws\\microsoft.activedirectory.webservices.exe",
    "SourceAddress": "0.0.0.0",
    "SourcePort": "57865",
    "Protocol": "6",
    "FilterRTID": "0",
    "LayerName": "%%14608",
    "LayerRTID": "36"
  },
  "message": "The Windows Filtering Platform has permitted a bind to a local port.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t3932\r\n\tApplication Name:\t\\device\\harddiskvolume1\\windows\\adws\\microsoft.activedirectory.webservices.exe\r\n\r\nNetwork Information:\r\n\tSource Address:\t\t0.0.0.0\r\n\tSource Port:\t\t57865\r\n\tProtocol:\t\t6\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t0\r\n\tLayer Name:\t\tResource Assignment\r\n\tLayer Run-Time ID:\t36"
}

Detection Patterns #

Asim Network Session Schema

7 rules

Kusto

Remote Desktop Network Brute force (ASIM Network Session schema) (source)

Port scan detected (ASIM Network Session schema) (source)

Google Threat Intelligence - Threat Hunting IP (source)

Command & Control: Application Layer Protocol

2 rules

Kusto

Potential beaconing activity (ASIM Network Session schema) (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`ObservableKey`	eq	`ipv4-addr:value`	2 rules	kusto
`dest_ip`	is_not_null		2 rules	chronicle, elastic, kusto
`src_ip`	cidr_match	`10.0.0.0/8`	1 rule	elastic, kusto
`src_ip`	cidr_match	`127.0.0.0/8`	1 rule	elastic, kusto
`src_ip`	cidr_match	`169.254.0.0/16`	1 rule	elastic, kusto
`src_ip`	cidr_match	`172.16.0.0/12`	1 rule	elastic, kusto
`src_ip`	cidr_match	`192.168.0.0/16`	1 rule	elastic, kusto
`src_ip`	ne	`DstIpAddr`	2 rules	kusto
`BeaconPercent`	gt	`80`	1 rule	kusto
`Count`	gt	`5000`	1 rule	kusto
`NetworkDirection`	eq	`Inbound`	1 rule	kusto

Community Notes #

Unexpected binds on high ports may be a prelude to data exfiltration.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5158.yml

Event ID 5159: The Windows Filtering Platform has blocked a bind to a local port.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Filtering Platform Connection
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

The Windows Filtering Platform has blocked a bind to a local port.

Message #

The Windows Filtering Platform has blocked a bind to a local port.

Application Information:
	Process ID: %1
	Application Name: %2

Network Information:
	Source Address: %3
	Source Port: %4
	Protocol: %5

Filter Information:
	Filter Run-Time ID: %6
	Layer Name: %7
	Layer Run-Time ID: %8

Fields #

Name	Description
`ProcessId` UInt64	Hexadecimal Process ID of the process which was permitted to bind to the local port.
`Application` UnicodeString	[Application Information] Application Name.
`SourceAddress` UnicodeString	The local IP address of the computer running the application.
`SourcePort` UnicodeString	[Network Information] Source Port.
`Protocol` UInt32	[Network Information] Protocol. Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`FilterRTID` UInt64	Unique filter ID which blocks the application from binding to the port.
`LayerName` UnicodeString	[Filter Information] Layer Name. Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown `ALE Receive/Accept v4 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; resolved alias matching %%14610 variant `ALE Receive/Accept v6 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; resolved alias matching %%14610 variant `ALE Connect v4 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V4; resolved alias matching %%14611 variant `ALE Connect v6 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V6; resolved alias matching %%14611 variant `ALE Listen v4 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V4; resolved alias matching %%14609 variant `ALE Listen v6 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V6; resolved alias matching %%14609 variant `ALE Flow Established v4 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; resolved alias matching %%14612 variant `ALE Flow Established v6 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6; resolved alias matching %%14612 variant `ALE Resource Assignment v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4; resolved alias matching %%14608 variant `ALE Resource Assignment v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6; resolved alias matching %%14608 variant `ALE Resource Release v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V4; resolved alias matching %%14614 variant `ALE Resource Release v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V6; resolved alias matching %%14614 variant
`LayerRTID` UInt64	[Filter Information] Layer Run-Time ID.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5159,
    "version": 0,
    "level": 0,
    "task": 12810,
    "opcode": 0,
    "keywords": -9218868437227405312,
    "time_created": "2026-05-30T14:09:50.4393548+00:00",
    "event_record_id": 23555454,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 10140
    },
    "channel": "Security",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessId": "11692",
    "Application": "\\device\\harddiskvolume1\\windows\\system32\\wsmprovhost.exe",
    "SourceAddress": "127.0.0.1",
    "SourcePort": "53999",
    "Protocol": "6",
    "FilterRTID": "79026",
    "LayerName": "%%14608",
    "LayerRTID": "36"
  },
  "message": "The Windows Filtering Platform has blocked a bind to a local port.\r\n\r\nApplication Information:\r\n\tProcess ID:\t\t11692\r\n\tApplication Name:\t\\device\\harddiskvolume1\\windows\\system32\\wsmprovhost.exe\r\n\r\nNetwork Information:\r\n\tSource Address:\t\t127.0.0.1\r\n\tSource Port:\t\t53999\r\n\tProtocol:\t\t6\r\n\r\nFilter Information:\r\n\tFilter Run-Time ID:\t79026\r\n\tLayer Name:\t\tResource Assignment\r\n\tLayer Run-Time ID:\t36"
}

Detection Patterns #

Asim Network Session Schema

7 rules

Kusto

Network Port Sweep from External Network (ASIM Network Session schema) (source)

Remote Desktop Network Brute force (ASIM Network Session schema) (source)

Port scan detected (ASIM Network Session schema) (source)

Google Threat Intelligence - Threat Hunting IP (source)

Command & Control: Application Layer Protocol

2 rules

Kusto

Potential beaconing activity (ASIM Network Session schema) (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`ObservableKey`	eq	`ipv4-addr:value`	2 rules	kusto
`src_ip`	cidr_match	`10.0.0.0/8`	1 rule	elastic, kusto
`src_ip`	cidr_match	`169.254.0.0/16`	1 rule	elastic, kusto
`src_ip`	cidr_match	`172.16.0.0/12`	1 rule	elastic, kusto
`src_ip`	cidr_match	`192.168.0.0/16`	1 rule	elastic, kusto
`src_ip`	ne	`DstIpAddr`	2 rules	kusto
`BeaconPercent`	gt	`80`	1 rule	kusto
`Count`	gt	`5000`	1 rule	kusto
`NetworkDirection`	eq	`Inbound`	1 rule	kusto

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5159.yml

Event ID 5160: The Windows Filtering Platform Audit Mode has allowed a connection or packet that would have been blocked.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security

Description

The Windows Filtering Platform Audit Mode has allowed a connection or packet that would have been blocked.

Message #

The Windows Filtering Platform Audit Mode has allowed a connection or packet that would have been blocked.

Application Information:
	Process ID: %1
	Application Name: %2

Network Information:
	Direction: %3
	Source Address: %4
	Source Port: %5
	Destination Address: %6
	Destination Port: %7
	Protocol: %8
	Interface Index: %9

Filter Information:
	Filter Origin: %10
	Filter Run-Time ID: %11
	Layer Name: %12
	Layer Run-Time ID: %13
	Remote User ID: %14
	Remote Machine ID: %15
	Original Profile: %16
	Current Profile: %17
	Is Loopback: %18
	Has Remote Dynamic Keyword Address: %19

Firewall Information:

	Policy Store: %20
	Modifiable: %21
	Callout Involved: %22
	Callout ID: %23

Fields #

Name	Description
`ProcessID` UInt64
`Application` UnicodeString
`Direction` UnicodeString	Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`SourceAddress` UnicodeString
`SourcePort` UnicodeString
`DestAddress` UnicodeString
`DestPort` UnicodeString
`Protocol` UInt32	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`InterfaceIndex` UInt32
`FilterOrigin` UnicodeString
`FilterRTID` UInt64
`LayerName` UnicodeString	Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown `ALE Receive/Accept v4 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; resolved alias matching %%14610 variant `ALE Receive/Accept v6 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; resolved alias matching %%14610 variant `ALE Connect v4 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V4; resolved alias matching %%14611 variant `ALE Connect v6 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V6; resolved alias matching %%14611 variant `ALE Listen v4 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V4; resolved alias matching %%14609 variant `ALE Listen v6 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V6; resolved alias matching %%14609 variant `ALE Flow Established v4 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; resolved alias matching %%14612 variant `ALE Flow Established v6 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6; resolved alias matching %%14612 variant `ALE Resource Assignment v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4; resolved alias matching %%14608 variant `ALE Resource Assignment v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6; resolved alias matching %%14608 variant `ALE Resource Release v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V4; resolved alias matching %%14614 variant `ALE Resource Release v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V6; resolved alias matching %%14614 variant
`LayerRTID` UInt64
`RemoteUserID` SID
`RemoteMachineID` SID
`OriginalProfile` UnicodeString
`CurrentProfile` UnicodeString
`IsLoopback` UnicodeString
`HasRemoteDynamicKeywordAddress` UnicodeString
`FirewallPolicyStore` UnicodeString
`Modifiable` UnicodeString
`CalloutInvolved` UnicodeString
`CalloutID` UInt32

Event ID 5168: SPN check for SMB/SMB2 fails.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → File Share
Collection Priority: Recommended (Yamato Security)
Opcode: Info

Description

Spn check for SMB/SMB2 fails.

Message #

Spn check for SMB/SMB2 fails.
	
Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

SPN:	
	SPN Name: %5
	Error Code: %6

Server Information:
	Server Names: %7
	Configured Names: %8
	IP Addresses: %9

Fields #

Name	Description
`SubjectUserSid` SID	SID of account for which SPN check operation was failed.
`SubjectUserName` UnicodeString	The name of the account for which SPN check operation was failed.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`SpnName` UnicodeString	SPN which was used to access the server.
`ErrorCode` HexInt32	Hexadecimal error code, for example "0xC0000022" = STATUS_ACCESS_DENIED.
`ServerNames` UnicodeString	Information about possible server names to use to access the target server (NETBIOS, DNS, localhost, etc.).
`ConfiguredNames` UnicodeString	Information about the names which were provided for validation.
`IpAddresses` UnicodeString	Information about possible IP addresses to use to access the target server (IPv4, IPv6).

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5168
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5168.yml

Event ID 5169: A directory service object was modified.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Opcode: Info

Description

A directory service object was modified.

Message #

A directory service object was modified.
	
Subject:
	Security ID: %3
	Account Name: %4
	Account Domain: %5
	Logon ID: %6

Directory Service:
	Name: %7
	Type: %8
	
Object:
	DN: %9
	GUID: %10
	Class: %11
	
Attribute:
	LDAP Display Name: %12
	Syntax (OID): %13
	Value: %14
	Expiration Time: %15
	
Operation:
	Type: %16
	Correlation ID: %1
	Application Correlation ID: %2

Fields #

Name	Description
`OpCorrelationID` GUID	[Operation] Correlation ID
`AppCorrelationID` UnicodeString	[Operation] Application Correlation ID
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`DSName` UnicodeString	[Directory Service] Name
`DSType` UnicodeString	[Directory Service] Type Known values `%%14676` Active Directory Domain Services `%%14677` Active Directory Lightweight Directory Services
`ObjectDN` UnicodeString	[Object] DN
`ObjectGUID` GUID	[Object] GUID
`ObjectClass` UnicodeString	[Object] Class
`AttributeLDAPDisplayName` UnicodeString	[Attribute] LDAP Display Name
`AttributeSyntaxOID` UnicodeString	[Attribute] Syntax (OID)
`AttributeValue` UnicodeString	[Attribute] Value
`ExpirationTime` FILETIME	[Attribute] Expiration Time
`OperationType` UnicodeString	[Operation] Type Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time

Event ID 5170: A directory service object was modified during a background cleanup task.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Opcode: Info

Description

A directory service object was modified during a background cleanup task.

Message #

A directory service object was modified during a background cleanup task.
	
Subject:
	Security ID: %3
	Account Name: %4
	Account Domain: %5
	Logon ID: %6

Directory Service:
	Name: %7
	Type: %8
	
Object:
	DN: %9
	GUID: %10
	Class: %11
	
Attribute:
	LDAP Display Name: %12
	Syntax (OID): %13
	Value: %14
	Expiration Time: %15
	
Operation:
	Type: %16
	Correlation ID: %1
	Application Correlation ID: %2

Fields #

Name	Description
`OpCorrelationID` GUID	[Operation] Correlation ID
`AppCorrelationID` UnicodeString	[Operation] Application Correlation ID
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`DSName` UnicodeString	[Directory Service] Name
`DSType` UnicodeString	[Directory Service] Type Known values `%%14676` Active Directory Domain Services `%%14677` Active Directory Lightweight Directory Services
`ObjectDN` UnicodeString	[Object] DN
`ObjectGUID` GUID	[Object] GUID
`ObjectClass` UnicodeString	[Object] Class
`AttributeLDAPDisplayName` UnicodeString	[Attribute] LDAP Display Name
`AttributeSyntaxOID` UnicodeString	[Attribute] Syntax (OID)
`AttributeValue` UnicodeString	[Attribute] Value
`ExpirationTime` FILETIME	[Attribute] Expiration Time
`OperationType` UnicodeString	[Operation] Type Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time

Event ID 5376: Credential Manager credentials were backed up.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

This event generates every time the user (Subject) successfully backs up the credential manager database.

Message #

Credential Manager credentials were backed up.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

This event occurs when a user backs up their own Credential Manager credentials. A user (even an Administrator) cannot back up the credentials of an account other than his own.

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that performed the restore operation.
`SubjectUserName` UnicodeString	The name of the account that performed the restore operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`BackupFileName` UnicodeString	[Subject] BackupFileName.
`ProcessCreationTime` FILETIME
`ClientProcessId` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5376,
    "version": 1,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2022-09-24T19:57:32.266266+00:00",
    "event_record_id": 150002,
    "correlation": {
      "ActivityID": "B2946CF1-CF76-0001-5C6D-94B276CFD801"
    },
    "execution": {
      "process_id": 804,
      "thread_id": 5832
    },
    "channel": "Security",
    "computer": "GUAPOS-PC",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-3960598978-2723104146-531989891-1001",
    "SubjectUserName": "FOXTWO",
    "SubjectDomainName": "GUAPOS-PC",
    "SubjectLogonId": 894283,
    "BackupFileName": "C:\\Windows\\TEMP\\CRD46C3.tmp",
    "ProcessCreationTime": 1664049447.1706607,
    "ClientProcessId": 5400
  },
  "message": "Credential Manager credentials were backed up.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3960598978-2723104146-531989891-1001\n\tAccount Name:\t\tFOXTWO\n\tAccount Domain:\t\tGUAPOS-PC\n\tLogon ID:\t\t894283\n\tBackupFileName:\t\tC:\\Windows\\TEMP\\CRD46C3.tmp\n\nThis event occurs when a user backs up their own Credential Manager credentials. A user (even an Administrator) cannot back up the credentials of an account other than his own."
}

Community Notes #

Backup of Credential Manager vault, shows a user exporting stored passwords and keys. Often precedes lateral movement or exfiltration.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5376.yml

Event ID 5377: Credential Manager credentials were restored from a backup.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

This event generates every time the user (Subject) successfully restores the credential manager database.

Message #

Credential Manager credentials were restored from a backup.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

This event occurs when a user restores his Credential Manager credentials from a backup. A user (even an Administrator) cannot restore the credentials of an account other than his own.

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that performed the restore operation.
`SubjectUserName` UnicodeString	The name of the account that performed the restore operation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`BackupFileName` UnicodeString	[Subject] BackupFileName.
`ProcessCreationTime` FILETIME
`ClientProcessId` UInt32

Community Notes #

Credential Manager credentials were restored from a backup, may indicate import of stolen vaults from another host.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5377.yml

Event ID 5378: The requested credentials delegation was disallowed by policy.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Other Logon/Logoff Events
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

The requested credentials delegation was disallowed by policy.

Message #

The requested credentials delegation was disallowed by policy.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Credential Delegation Information:
	Security Package: %5
	User's UPN: %6
	Target Server: %7
	Credential Type: %8

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested credentials delegation.
`SubjectUserName` UnicodeString	The name of the account that requested credentials delegation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`Package` UnicodeString	[Credential Delegation Information] Security Package.
`UserUPN` UnicodeString	[Credential Delegation Information] User's UPN.
`TargetServer` UnicodeString	[Credential Delegation Information] Target Server.
`CredType` UnicodeString	[Credential Delegation Information] Credential Type.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5378
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5378.yml

Event ID 5379: Credential Manager credentials were read.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event occurs when a user performs a read operation on stored credentials in Credential Manager.

Message #

Credential Manager credentials were read.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4
	Read Operation: %8

This event occurs when a user performs a read operation on stored credentials in Credential Manager.

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that performed a read operation on stored credentials in CM.
`SubjectUserName` UnicodeString	The name of the account that performed a read operation on stored credentials in CM.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`TargetName` UnicodeString	Stored credentials that were read.	13 detection rules
`Type` UInt32
`CountOfCredentialsReturned` UInt32
`ReadOperation` UnicodeString	[Subject] Read Operation. Known values `%%8099` Read Credential `%%8100` Enumerate Credentials `%%8101` Read Domain Credentials `%%8102` Find Best Credential `%%8103` Read By Token Handle
`ReturnCode` UInt32
`ProcessCreationTime` FILETIME
`ClientProcessId` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5379,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:14:51.1394534+00:00",
    "event_record_id": 2627764,
    "correlation": {
      "ActivityID": "{5FF94DC5-EF8A-0001-304E-F95F8AEFDC01}"
    },
    "execution": {
      "process_id": 816,
      "thread_id": 7608
    },
    "channel": "Security",
    "computer": "telemetry-DC-b.cell-b.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-B$",
    "SubjectDomainName": "cell-b",
    "SubjectLogonId": "0x3e7",
    "TargetName": "MicrosoftAccount:user=02sjgunjlchdgook",
    "Type": "0",
    "CountOfCredentialsReturned": "0",
    "ReadOperation": "%%8100",
    "ReturnCode": "3221226021",
    "ProcessCreationTime": "2026-06-13T05:14:50.6021504Z",
    "ClientProcessId": "2828"
  },
  "message": "Credential Manager credentials were read.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-B$\r\n\tAccount Domain:\t\tcell-b\r\n\tLogon ID:\t\t0x3E7\r\n\tRead Operation:\t\tEnumerate Credentials\r\n\r\nThis event occurs when a user performs a read operation on stored credentials in Credential Manager."
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TargetName`	contains	`microsoft_windows_shell_zipfolder:filename`	3 rules	sigma

Community Notes #

Credential Manager credentials were read. Large numbers of reads may indicate automated credential theft.

Detection Rules #

Sigma # view in coverage

Password Protected ZIP File Opened source medium: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Suspicious Filenames) source high: Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Email Attachment) source high: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5379
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5379.yml

Event ID 5380: Vault Find Credential.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Opcode: Info

Description

Vault Find Credential.

Message #

Vault Find Credential.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

This event occurs when a user finds stored vault credentials.

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`SearchString` UnicodeString
`SchemaFriendlyName` UnicodeString
`Schema` GUID
`CountOfCredentialsReturned` UInt32
`ProcessCreationTime` FILETIME
`ClientProcessId` UInt32

Event ID 5381: Vault credentials were read.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Yamato Security)
Opcode: Info

Description

Vault credentials were read.

Message #

Vault credentials were read.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

This event occurs when a user enumerates stored vault credentials.

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`Flags` UInt32
`CountOfCredentialsReturned` UInt32
`ProcessCreationTime` FILETIME
`ClientProcessId` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5381,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2022-09-24T20:05:50.571779+00:00",
    "event_record_id": 150026,
    "correlation": {},
    "execution": {
      "process_id": 804,
      "thread_id": 5636
    },
    "channel": "Security",
    "computer": "GUAPOS-PC",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-3960598978-2723104146-531989891-1001",
    "SubjectUserName": "FOXTWO",
    "SubjectDomainName": "GUAPOS-PC",
    "SubjectLogonId": 894283,
    "Flags": 0,
    "CountOfCredentialsReturned": 1,
    "ProcessCreationTime": 1664049942.3177185,
    "ClientProcessId": 10620
  },
  "message": "Vault credentials were read.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3960598978-2723104146-531989891-1001\n\tAccount Name:\t\tFOXTWO\n\tAccount Domain:\t\tGUAPOS-PC\n\tLogon ID:\t\t894283\n\nThis event occurs when a user enumerates stored vault credentials."
}

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 5382: Vault credentials were read.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Management → User Account Management
Collection Priority: Recommended (Yamato Security)
Opcode: Info

Description

Vault credentials were read.

Message #

Vault credentials were read.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

This event occurs when a user reads a stored vault credential.

Fields #

Name	Description	Rules
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`SchemaFriendlyName` UnicodeString
`Schema` GUID
`Resource` UnicodeString		1 detection rule
`Identity` UnicodeString		1 detection rule
`PackageSid` UnicodeString
`Flags` UInt32
`ReturnCode` UInt32
`ProcessCreationTime` FILETIME
`ClientProcessId` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5382,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-28T12:08:16.9460514+00:00",
    "event_record_id": 193082,
    "correlation": {},
    "execution": {
      "process_id": 736,
      "thread_id": 5236
    },
    "channel": "Security",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-D$",
    "SubjectDomainName": "cell-d",
    "SubjectLogonId": "0x3e7",
    "SchemaFriendlyName": "NGC Local Accoount Logon Vault Resource Schema",
    "Schema": "{1d4350a3-330d-4af9-b3ff-a927a45998ac}",
    "Resource": "NGC Local Accoount Logon Vault Resource",
    "Identity": "0105000000000005150000002CEB013C77E92B81704FF55751040000",
    "PackageSid": "",
    "Flags": "0",
    "ReturnCode": "1168",
    "ProcessCreationTime": "2026-05-28T12:08:16.0370643Z",
    "ClientProcessId": "6100"
  },
  "message": "Vault credentials were read.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-D$\r\n\tAccount Domain:\t\tcell-d\r\n\tLogon ID:\t\t0x3E7\r\n\r\nThis event occurs when a user reads a stored vault credential."
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Resource`	starts_with	`http`	2 rules	elastic, sigma

Detection Rules #

Security-Auditing Event ID 5441: The following filter was present when the Windows Filtering Platform Base Filtering Engine started.OREvent ID 5447: A Windows Filtering Platform filter has been changed.

Sigma # view in coverage

Vault credentials manager accessed source medium: Detects scenarios where an attacker attempts to access vault credentials

Elastic # view in coverage

Multiple Vault Web Credentials Read source medium: Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382

Event ID 5440: The following callout was present when the Windows Filtering Platform Base Filtering Engine started.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

The following callout was present when the Windows Filtering Platform Base Filtering Engine started.

Message #

The following callout was present when the Windows Filtering Platform Base Filtering Engine started.

Provider Information:	
	ID: %1
	Name: %2

Callout Information:
	ID: %3
	Name: %4
	Type: %5
	Run-Time ID: %6

Layer Information:
	ID: %7
	Name: %8
	Run-Time ID: %9

Fields #

Name	Description
`ProviderKey` GUID	[Provider Information] ID
`ProviderName` UnicodeString	[Provider Information] Name
`CalloutKey` GUID	[Callout Information] ID
`CalloutName` UnicodeString	[Callout Information] Name
`CalloutType` UnicodeString	[Callout Information] Type
`CalloutId` UInt32	[Callout Information] Run-Time ID
`LayerKey` GUID	[Layer Information] ID
`LayerName` UnicodeString	[Layer Information] Name Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown `ALE Receive/Accept v4 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; resolved alias matching %%14610 variant `ALE Receive/Accept v6 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; resolved alias matching %%14610 variant `ALE Connect v4 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V4; resolved alias matching %%14611 variant `ALE Connect v6 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V6; resolved alias matching %%14611 variant `ALE Listen v4 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V4; resolved alias matching %%14609 variant `ALE Listen v6 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V6; resolved alias matching %%14609 variant `ALE Flow Established v4 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; resolved alias matching %%14612 variant `ALE Flow Established v6 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6; resolved alias matching %%14612 variant `ALE Resource Assignment v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4; resolved alias matching %%14608 variant `ALE Resource Assignment v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6; resolved alias matching %%14608 variant `ALE Resource Release v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V4; resolved alias matching %%14614 variant `ALE Resource Release v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V6; resolved alias matching %%14614 variant
`LayerId` UInt32	[Layer Information] Run-Time ID

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5440
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5441: The following filter was present when the Windows Filtering Platform Base Filtering Engine started.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

The following filter was present when the Windows Filtering Platform Base Filtering Engine started.

Message #

The following filter was present when the Windows Filtering Platform Base Filtering Engine started.

Provider Information:	
	ID: %1
	Name: %2

Filter Information:
	ID: %3
	Name: %4
	Type: %5
	Run-Time ID: %6

Layer Information:
	ID: %7
	Name: %8
	Run-Time ID: %9
	Weight: %10
	
Additional Information:
	Conditions: %11
	Filter Action: %12
	Callout ID: %13
	Callout Name: %14

Fields #

Name	Description	Rules
`ProviderKey` GUID	[Provider Information] ID
`ProviderName` UnicodeString	[Provider Information] Name
`FilterKey` GUID	[Filter Information] ID
`FilterName` UnicodeString	[Filter Information] Name	1 detection rule
`FilterType` UnicodeString	[Filter Information] Type
`FilterId` UInt64	[Filter Information] Run-Time ID
`LayerKey` GUID	[Layer Information] ID
`LayerName` UnicodeString	[Layer Information] Name Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown `ALE Receive/Accept v4 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; resolved alias matching %%14610 variant `ALE Receive/Accept v6 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; resolved alias matching %%14610 variant `ALE Connect v4 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V4; resolved alias matching %%14611 variant `ALE Connect v6 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V6; resolved alias matching %%14611 variant `ALE Listen v4 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V4; resolved alias matching %%14609 variant `ALE Listen v6 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V6; resolved alias matching %%14609 variant `ALE Flow Established v4 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; resolved alias matching %%14612 variant `ALE Flow Established v6 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6; resolved alias matching %%14612 variant `ALE Resource Assignment v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4; resolved alias matching %%14608 variant `ALE Resource Assignment v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6; resolved alias matching %%14608 variant `ALE Resource Release v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V4; resolved alias matching %%14614 variant `ALE Resource Release v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V6; resolved alias matching %%14614 variant
`LayerId` UInt32	[Layer Information] Run-Time ID
`Weight` UInt64	[Layer Information] Weight
`Conditions` UnicodeString	[Additional Information] Conditions
`Action` UnicodeString	[Additional Information] Filter Action
`CalloutKey` GUID	[Additional Information] Callout ID
`CalloutName` UnicodeString	[Additional Information] Callout Name

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5441,
    "version": 0,
    "level": 0,
    "task": 13572,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:32:54.4982531+00:00",
    "event_record_id": 1716190,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 968
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProviderKey": "{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}",
    "ProviderName": "Microsoft Corporation",
    "FilterKey": "{b98b75dc-17c0-4e84-bd4e-2080527ca6a6}",
    "FilterName": "AppContainerBoottimeFilter",
    "FilterType": "%%16387",
    "FilterId": "67416",
    "LayerKey": "{a3b42c97-9f04-4672-b87e-cee9c483257f}",
    "LayerName": "ALE Receive/Accept v6 Layer",
    "LayerId": "46",
    "Weight": "18446744073709551615",
    "Conditions": "\n\tCondition ID:\t{632ce23b-5167-435c-86d7-e903684aa80c}\n\tMatch value:\tAll flags set\n\tCondition value:\t0x00400000\n",
    "Action": "%%16390",
    "CalloutKey": "{00000000-0000-0000-0000-000000000000}",
    "CalloutName": "-"
  },
  "message": "The following filter was present when the Windows Filtering Platform Base Filtering Engine started.\r\n\r\nProvider Information:\t\r\n\tID:\t\t{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}\r\n\tName:\t\tMicrosoft Corporation\r\n\r\nFilter Information:\r\n\tID:\t\t{b98b75dc-17c0-4e84-bd4e-2080527ca6a6}\r\n\tName:\t\tAppContainerBoottimeFilter\r\n\tType:\t\tPersistent\r\n\tRun-Time ID:\t67416\r\n\r\nLayer Information:\r\n\tID:\t\t{a3b42c97-9f04-4672-b87e-cee9c483257f}\r\n\tName:\t\tALE Receive/Accept v6 Layer\r\n\tRun-Time ID:\t46\r\n\tWeight:\t\t18446744073709551615\r\n\t\r\nAdditional Information:\r\n\tConditions:\t\n\tCondition ID:\t{632ce23b-5167-435c-86d7-e903684aa80c}\n\tMatch value:\tAll flags set\n\tCondition value:\t0x00400000\n\r\n\tFilter Action:\tPermit\r\n\tCallout ID:\t{00000000-0000-0000-0000-000000000000}\r\n\tCallout Name:\t-"
}

Detection Patterns #

Defense Impairment: Disable or Modify Tools

1 rule

Sigma

HackTool - EDRSilencer Execution - Filter Added (source)

Thodoris Polyzos (@SmoothDeploy)

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5441
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5441

Event ID 5442: The following provider was present when the Windows Filtering Platform Base Filtering Engine started.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

The following provider was present when the Windows Filtering Platform Base Filtering Engine started.

Message #

The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
	
Provider ID: %1
Provider Name: %2
Provider Type: %3

Fields #

Name	Description
`ProviderKey` GUID	Provider ID
`ProviderName` UnicodeString	Provider Name
`ProviderType` UnicodeString	Provider Type

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5442,
    "version": 0,
    "level": 0,
    "task": 13572,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:32:54.5026697+00:00",
    "event_record_id": 1716197,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 968
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProviderKey": "{17171717-1717-1717-1717-171717171717}",
    "ProviderName": "RPCFW",
    "ProviderType": "%%16387"
  },
  "message": "The following provider was present when the Windows Filtering Platform Base Filtering Engine started.\r\n\t\r\nProvider ID:\t{17171717-1717-1717-1717-171717171717}\r\nProvider Name:\tRPCFW\r\nProvider Type:\tPersistent"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5442
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5442

Event ID 5443: The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.

Message #

The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
	
Provider ID: %1
Provider Name: %2
Provider Context ID: %3
Provider Context Name: %4
Provider Context Type: %5

Fields #

Name	Description
`ProviderKey` GUID	Provider ID
`ProviderName` UnicodeString	Provider Name
`ProviderContextKey` GUID	Provider Context ID
`ProviderContextName` UnicodeString	Provider Context Name
`ProviderContextType` UnicodeString	Provider Context Type

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5443,
    "version": 0,
    "level": 0,
    "task": 13572,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:32:54.4986713+00:00",
    "event_record_id": 1716194,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 968
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProviderKey": "{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}",
    "ProviderName": "Microsoft Corporation",
    "ProviderContextKey": "{93132c36-6e06-4e6f-a10b-218787cd49cf}",
    "ProviderContextName": "MPSSVC",
    "ProviderContextType": "%%16387"
  },
  "message": "The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.\r\n\t\r\nProvider ID:\t{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}\r\nProvider Name:\tMicrosoft Corporation\r\nProvider Context ID:\t{93132c36-6e06-4e6f-a10b-218787cd49cf}\r\nProvider Context Name:\tMPSSVC\r\nProvider Context Type:\tPersistent"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5443
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5443

Event ID 5444: The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.

Message #

The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
	
Provider ID: %1
Provider Name: %2
Sub-layer ID: %3
Sub-layer Name: %4
Sub-layer Type: %5
Weight: %6

Fields #

Name	Description
`ProviderKey` GUID	Provider ID
`ProviderName` UnicodeString	Provider Name
`SubLayerKey` GUID	Sub-layer ID
`SubLayerName` UnicodeString	Sub-layer Name
`SubLayerType` UnicodeString	Sub-layer Type
`Weight` UInt32	Weight

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5444,
    "version": 0,
    "level": 0,
    "task": 13572,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:32:54.4985884+00:00",
    "event_record_id": 1716192,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 968
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProviderKey": "{17171717-1717-1717-1717-171717171717}",
    "ProviderName": "RPCFW",
    "SubLayerKey": "{77777777-1717-1717-1717-171717171717}",
    "SubLayerName": "RPCFWSublayer",
    "SubLayerType": "%%16387",
    "Weight": "32769"
  },
  "message": "The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.\r\n\t\r\nProvider ID:\t{17171717-1717-1717-1717-171717171717}\r\nProvider Name:\tRPCFW\r\nSub-layer ID:\t{77777777-1717-1717-1717-171717171717}\r\nSub-layer Name:\tRPCFWSublayer\r\nSub-layer Type:\tPersistent\r\nWeight:\t\t32769"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5444
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5444

Event ID 5446: A Windows Filtering Platform callout has been changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A Windows Filtering Platform callout has been changed.

Message #

A Windows Filtering Platform callout has been changed.
	
Subject:
	Security ID: %2
	Account Name: %3

Process Information:
	Process ID: %1

Provider Information:
	ID: %4
	Name: %5

Change Information:
	Change Type: %6

Callout Information:
	ID: %7
	Name: %8
	Type: %9
	Run-Time ID: %10

Layer Information:
	ID: %11
	Name: %12
	Run-Time ID: %13

Fields #

Name	Description
`ProcessId` UInt32	[Process Information] Process ID
`UserSid` SID	[Subject] Security ID
`UserName` UnicodeString	[Subject] Account Name
`ProviderKey` GUID	[Provider Information] ID
`ProviderName` UnicodeString	[Provider Information] Name
`ChangeType` UnicodeString	[Change Information] Change Type
`CalloutKey` GUID	[Callout Information] ID
`CalloutName` UnicodeString	[Callout Information] Name
`CalloutType` UnicodeString	[Callout Information] Type
`CalloutId` UInt32	[Callout Information] Run-Time ID
`LayerKey` GUID	[Layer Information] ID
`LayerName` UnicodeString	[Layer Information] Name Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown `ALE Receive/Accept v4 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; resolved alias matching %%14610 variant `ALE Receive/Accept v6 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; resolved alias matching %%14610 variant `ALE Connect v4 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V4; resolved alias matching %%14611 variant `ALE Connect v6 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V6; resolved alias matching %%14611 variant `ALE Listen v4 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V4; resolved alias matching %%14609 variant `ALE Listen v6 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V6; resolved alias matching %%14609 variant `ALE Flow Established v4 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; resolved alias matching %%14612 variant `ALE Flow Established v6 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6; resolved alias matching %%14612 variant `ALE Resource Assignment v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4; resolved alias matching %%14608 variant `ALE Resource Assignment v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6; resolved alias matching %%14608 variant `ALE Resource Release v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V4; resolved alias matching %%14614 variant `ALE Resource Release v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V6; resolved alias matching %%14614 variant
`LayerId` UInt32	[Layer Information] Run-Time ID

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5446,
    "version": 0,
    "level": 0,
    "task": 13572,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:51:41.9871103+00:00",
    "event_record_id": 1905148,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 7632
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessId": "6836",
    "UserSid": "S-1-5-19",
    "UserName": "NT AUTHORITY\\LOCAL SERVICE",
    "ProviderKey": "{00000000-0000-0000-0000-000000000000}",
    "ProviderName": "-",
    "ChangeType": "%%16384",
    "CalloutKey": "{31114833-2891-4edd-a8ec-2ff8549aa491}",
    "CalloutName": "windefend_flow_established_v6",
    "CalloutType": "%%16388",
    "CalloutId": "289",
    "LayerKey": "{7021d2b3-dfa4-406e-afeb-6afaf7e70efd}",
    "LayerName": "ALE Flow Established v6 Layer",
    "LayerId": "54"
  },
  "message": "A Windows Filtering Platform callout has been changed.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\r\n\r\nProcess Information:\r\n\tProcess ID:\t6836\r\n\r\nProvider Information:\r\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\tName:\t\t-\r\n\r\nChange Information:\r\n\tChange Type:\tAdd\r\n\r\nCallout Information:\r\n\tID:\t\t{31114833-2891-4edd-a8ec-2ff8549aa491}\r\n\tName:\t\twindefend_flow_established_v6\r\n\tType:\t\tNot persistent\r\n\tRun-Time ID:\t289\r\n\r\nLayer Information:\r\n\tID:\t\t{7021d2b3-dfa4-406e-afeb-6afaf7e70efd}\r\n\tName:\t\tALE Flow Established v6 Layer\r\n\tRun-Time ID:\t54"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5446
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5446

Event ID 5447: A Windows Filtering Platform filter has been changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Other Policy Change Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A Windows Filtering Platform filter has been changed.

Message #

A Windows Filtering Platform filter has been changed.
	
Subject:
	Security ID: %2
	Account Name: %3

Process Information:
	Process ID: %1

Provider Information:
	ID: %4
	Name: %5

Change Information:
	Change Type: %6

Filter Information:
	ID: %7
	Name: %8
	Type: %9
	Run-Time ID: %10

Layer Information:
	ID: %11
	Name: %12
	Run-Time ID: %13

Callout Information:
	ID: %17
	Name: %18

Additional Information:
	Weight: %14	
	Conditions: %15
	Filter Action: %16

Fields #

Name	Description	Rules
`ProcessId` UInt32	[Process Information] Process ID.
`UserSid` SID	[Subject] Security ID.
`UserName` UnicodeString	[Subject] Account Name.
`ProviderKey` GUID	[Provider Information] ID.
`ProviderName` UnicodeString	[Provider Information] Name.
`ChangeType` UnicodeString	[Change Information] Change Type.
`FilterKey` GUID	[Filter Information] ID.
`FilterName` UnicodeString	[Filter Information] Name.	1 detection rule
`FilterType` UnicodeString	[Filter Information] Type.
`FilterId` UInt64	[Filter Information] Run-Time ID.
`LayerKey` GUID	[Layer Information] ID.
`LayerName` UnicodeString	[Layer Information] Name. Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown `ALE Receive/Accept v4 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; resolved alias matching %%14610 variant `ALE Receive/Accept v6 Layer` WFP FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6; resolved alias matching %%14610 variant `ALE Connect v4 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V4; resolved alias matching %%14611 variant `ALE Connect v6 Layer` WFP FWPM_LAYER_ALE_AUTH_CONNECT_V6; resolved alias matching %%14611 variant `ALE Listen v4 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V4; resolved alias matching %%14609 variant `ALE Listen v6 Layer` WFP FWPM_LAYER_ALE_AUTH_LISTEN_V6; resolved alias matching %%14609 variant `ALE Flow Established v4 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; resolved alias matching %%14612 variant `ALE Flow Established v6 Layer` WFP FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6; resolved alias matching %%14612 variant `ALE Resource Assignment v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4; resolved alias matching %%14608 variant `ALE Resource Assignment v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6; resolved alias matching %%14608 variant `ALE Resource Release v4 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V4; resolved alias matching %%14614 variant `ALE Resource Release v6 Layer` WFP FWPM_LAYER_ALE_RESOURCE_RELEASE_V6; resolved alias matching %%14614 variant
`LayerId` UInt32	[Layer Information] Run-Time ID.
`Weight` UInt64	[Additional Information] Weight.
`Conditions` UnicodeString	[Additional Information] Conditions.
`Action` UnicodeString	[Additional Information] Filter Action.
`CalloutKey` GUID	[Callout Information] ID.
`CalloutName` UnicodeString	[Callout Information] Name.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5447,
    "version": 0,
    "level": 0,
    "task": 13573,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:51:41.9868983+00:00",
    "event_record_id": 1905144,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 7632
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessId": "6836",
    "UserSid": "S-1-5-19",
    "UserName": "NT AUTHORITY\\LOCAL SERVICE",
    "ProviderKey": "{00000000-0000-0000-0000-000000000000}",
    "ProviderName": "-",
    "ChangeType": "%%16384",
    "FilterKey": "{4994b7fe-47d8-4ac5-8fa8-77b203c5b640}",
    "FilterName": "windefend_flow_established_v6",
    "FilterType": "%%16388",
    "FilterId": "69778",
    "LayerKey": "{7021d2b3-dfa4-406e-afeb-6afaf7e70efd}",
    "LayerName": "ALE Flow Established v6 Layer",
    "LayerId": "54",
    "Weight": "33286004704",
    "Conditions": "\n\tCondition ID:\t{8784c146-ca97-44d6-9fd1-19fb1840cbf7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000000\n\n\tCondition ID:\t{8784c146-ca97-44d6-9fd1-19fb1840cbf7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000001\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x11\n",
    "Action": "%%16391",
    "CalloutKey": "{31114833-2891-4edd-a8ec-2ff8549aa491}",
    "CalloutName": "windefend_flow_established_v6"
  },
  "message": "A Windows Filtering Platform filter has been changed.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\r\n\r\nProcess Information:\r\n\tProcess ID:\t6836\r\n\r\nProvider Information:\r\n\tID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\tName:\t\t-\r\n\r\nChange Information:\r\n\tChange Type:\tAdd\r\n\r\nFilter Information:\r\n\tID:\t\t{4994b7fe-47d8-4ac5-8fa8-77b203c5b640}\r\n\tName:\t\twindefend_flow_established_v6\r\n\tType:\t\tNot persistent\r\n\tRun-Time ID:\t69778\r\n\r\nLayer Information:\r\n\tID:\t\t{7021d2b3-dfa4-406e-afeb-6afaf7e70efd}\r\n\tName:\t\tALE Flow Established v6 Layer\r\n\tRun-Time ID:\t54\r\n\r\nCallout Information:\r\n\tID:\t\t{31114833-2891-4edd-a8ec-2ff8549aa491}\r\n\tName:\t\twindefend_flow_established_v6\r\n\r\nAdditional Information:\r\n\tWeight:\t33286004704\t\r\n\tConditions:\t\n\tCondition ID:\t{8784c146-ca97-44d6-9fd1-19fb1840cbf7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000000\n\n\tCondition ID:\t{8784c146-ca97-44d6-9fd1-19fb1840cbf7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x00000001\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x06\n\n\tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}\n\tMatch value:\tEqual to\n\tCondition value:\t0x11\n\r\n\tFilter Action:\tCallout"
}

Detection Patterns #

Stealth: Token Impersonation/Theft

Security-Auditing Event ID 5447: A Windows Filtering Platform filter has been changed.OREvent ID 5449: A Windows Filtering Platform provider context has been changed.

1 rule

Sigma

HackTool - NoFilter Execution (source)

Stamatis Chatzimangou (st0pp3r)

Stealth: Impair Defenses

Security-Auditing Event ID 5447: A Windows Filtering Platform filter has been changed.OREvent ID 5448: A Windows Filtering Platform provider has been changed.

1 rule

Splunk

WFP Filter and Provider Changed (Windows Event Log) (source)

Defense Impairment: Disable or Modify Tools

1 rule

Sigma

HackTool - EDRSilencer Execution - Filter Added (source)

Thodoris Polyzos (@SmoothDeploy)

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5447
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5447
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5447.yml

Event ID 5448: A Windows Filtering Platform provider has been changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A Windows Filtering Platform provider has been changed.

Message #

A Windows Filtering Platform provider has been changed.
	
Subject:
	Security ID: %2
	Account Name: %3

Process Information:
	Process ID: %1

Change Information:
	Change Type: %4

Provider Information:
	ID: %5
	Name: %6
	Type: %7

Fields #

Name	Description
`ProcessId` UInt32	[Process Information] Process ID
`UserSid` SID	[Subject] Security ID
`UserName` UnicodeString	[Subject] Account Name
`ChangeType` UnicodeString	[Change Information] Change Type
`ProviderKey` GUID	[Provider Information] ID
`ProviderName` UnicodeString	[Provider Information] Name
`ProviderType` UnicodeString	[Provider Information] Type

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5448,
    "version": 0,
    "level": 0,
    "task": 13572,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-11T06:27:26.268863+00:00",
    "event_record_id": 2450415,
    "correlation": {
      "ActivityID": "164E10E5-B120-0003-FC10-4E1620B1DC01"
    },
    "execution": {
      "process_id": 720,
      "thread_id": 1044
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessId": 3624,
    "UserSid": "S-1-5-18",
    "UserName": "NT AUTHORITY\\SYSTEM",
    "ChangeType": "%%16384",
    "ProviderKey": "32B38E01-DDB2-45AB-A37A-189A2BCA5CFC",
    "ProviderName": "Microsoft Corporation",
    "ProviderType": "%%16388"
  },
  "message": ""
}

Detection Patterns #

Stealth: Impair Defenses

Security-Auditing Event ID 5447: A Windows Filtering Platform filter has been changed.OREvent ID 5448: A Windows Filtering Platform provider has been changed.

1 rule

Splunk

WFP Filter and Provider Changed (Windows Event Log) (source)

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5448
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5449: A Windows Filtering Platform provider context has been changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A Windows Filtering Platform provider context has been changed.

Message #

A Windows Filtering Platform provider context has been changed.
	
Subject:
	Security ID: %2
	Account Name: %3

Process Information:
	Process ID: %1

Provider Information:
	Provider ID: %4
	Provider Name: %5

Change Information:
	Change Type: %6

Provider Context:
	ID: %7
	Name: %8
	Type: %9

Fields #

Name	Description
`ProcessId` UInt32	[Process Information] Process ID
`UserSid` SID	[Subject] Security ID
`UserName` UnicodeString	[Subject] Account Name
`ProviderKey` GUID	[Provider Information] Provider ID
`ProviderName` UnicodeString	[Provider Information] Provider Name
`ChangeType` UnicodeString	[Change Information] Change Type
`ProviderContextKey` GUID	[Provider Context] ID
`ProviderContextName` UnicodeString	[Provider Context] Name
`ProviderContextType` UnicodeString	[Provider Context] Type

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5449,
    "version": 0,
    "level": 0,
    "task": 13572,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:51:26.0889469+00:00",
    "event_record_id": 1904802,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 4240
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessId": "1812",
    "UserSid": "S-1-5-19",
    "UserName": "NT AUTHORITY\\LOCAL SERVICE",
    "ProviderKey": "{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}",
    "ProviderName": "Microsoft Corporation",
    "ChangeType": "%%16385",
    "ProviderContextKey": "{c0bd751f-d66c-4b96-ac14-d47629a19bac}",
    "ProviderContextName": "MPSSVC",
    "ProviderContextType": "%%16388"
  },
  "message": "A Windows Filtering Platform provider context has been changed.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\r\n\r\nProcess Information:\r\n\tProcess ID:\t1812\r\n\r\nProvider Information:\r\n\tProvider ID:\t{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}\r\n\tProvider Name:\tMicrosoft Corporation\r\n\r\nChange Information:\r\n\tChange Type:\tDelete\r\n\r\nProvider Context:\r\n\tID:\t{c0bd751f-d66c-4b96-ac14-d47629a19bac}\r\n\tName:\tMPSSVC\r\n\tType:\tNot persistent"
}

Detection Patterns #

Stealth: Token Impersonation/Theft

Security-Auditing Event ID 5447: A Windows Filtering Platform filter has been changed.OREvent ID 5449: A Windows Filtering Platform provider context has been changed.

1 rule

Sigma

HackTool - NoFilter Execution (source)

Stamatis Chatzimangou (st0pp3r)

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5449
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5449

Event ID 5450: A Windows Filtering Platform sub-layer has been changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A Windows Filtering Platform sub-layer has been changed.

Message #

A Windows Filtering Platform sub-layer has been changed.
	
Subject:
	Security ID: %2
	Account Name: %3

Process Information:
	Process ID: %1

Provider Information:
	Provider ID: %4
	Provider Name: %5

Change Information:
	Change Type: %6

Sub-layer Information:
	Sub-layer ID: %7
	Sub-layer Name: %8
	Sub-layer Type: %9

Additional Information:
	Weight: %10

Fields #

Name	Description
`ProcessId` UInt32	[Process Information] Process ID
`UserSid` SID	[Subject] Security ID
`UserName` UnicodeString	[Subject] Account Name
`ProviderKey` GUID	[Provider Information] Provider ID
`ProviderName` UnicodeString	[Provider Information] Provider Name
`ChangeType` UnicodeString	[Change Information] Change Type
`SubLayerKey` GUID	[Sub-layer Information] Sub-layer ID
`SubLayerName` UnicodeString	[Sub-layer Information] Sub-layer Name
`SubLayerType` UnicodeString	[Sub-layer Information] Sub-layer Type
`Weight` UInt32	[Additional Information] Weight

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 5450,
    "version": 0,
    "level": 0,
    "task": 13572,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-06-13T05:51:41.9871510+00:00",
    "event_record_id": 1905149,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
    },
    "execution": {
      "process_id": 812,
      "thread_id": 7632
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessId": "6836",
    "UserSid": "S-1-5-19",
    "UserName": "NT AUTHORITY\\LOCAL SERVICE",
    "ProviderKey": "{00000000-0000-0000-0000-000000000000}",
    "ProviderName": "-",
    "ChangeType": "%%16384",
    "SubLayerKey": "{3c1cd879-1b8c-4ab4-8f83-5ed129176ef3}",
    "SubLayerName": "windefend",
    "SubLayerType": "%%16388",
    "Weight": "4096"
  },
  "message": "A Windows Filtering Platform sub-layer has been changed.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-19\r\n\tAccount Name:\t\tNT AUTHORITY\\LOCAL SERVICE\r\n\r\nProcess Information:\r\n\tProcess ID:\t6836\r\n\r\nProvider Information:\r\n\tProvider ID:\t{00000000-0000-0000-0000-000000000000}\r\n\tProvider Name:\t-\r\n\r\nChange Information:\r\n\tChange Type:\tAdd\r\n\r\nSub-layer Information:\r\n\tSub-layer ID:\t{3c1cd879-1b8c-4ab4-8f83-5ed129176ef3}\r\n\tSub-layer Name:\twindefend\r\n\tSub-layer Type:\tNot persistent\r\n\r\nAdditional Information:\r\n\tWeight:\t4096"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5450
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5450

Event ID 5451: An IPsec quick mode security association was established.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Quick Mode
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An IPsec quick mode security association was established.

Message #

An IPsec quick mode security association was established.
	
Local Endpoint:
	Network Address: %1
	Network Address mask: %2
	Port: %3
	Tunnel Endpoint: %4

Remote Endpoint:
	Network Address: %5
	Network Address Mask: %6
	Port: %7
	Private Address: %8
	Tunnel Endpoint: %9

	Protocol: %10
	Keying Module Name: %11

Cryptographic Information:
	Integrity Algorithm - AH: %12
	Integrity Algorithm - ESP: %13
	Encryption Algorithm: %14

Security Association Information:
	Lifetime - seconds: %15
	Lifetime - data: %16
	Lifetime - packets: %17
	Mode: %18
	Role: %19
	Quick Mode Filter ID: %20
	Main Mode SA ID: %21
	Quick Mode SA ID: %22

Additional Information:
	Inbound SPI: %23
	Outbound SPI: %24

Fields #

Name	Description
`LocalAddress` UnicodeString	[Local Endpoint] Network Address
`LocalAddressMask` UnicodeString	[Local Endpoint] Network Address mask
`LocalPort` UInt32	[Local Endpoint] Port
`LocalTunnelEndpoint` UnicodeString	[Local Endpoint] Tunnel Endpoint
`RemoteAddress` UnicodeString	[Remote Endpoint] Network Address
`RemoteAddressMask` UnicodeString	[Remote Endpoint] Network Address Mask
`RemotePort` UInt32	[Remote Endpoint] Port
`PeerPrivateAddress` UnicodeString	[Remote Endpoint] Private Address
`RemoteTunnelEndpoint` UnicodeString	[Remote Endpoint] Tunnel Endpoint
`IpProtocol` UInt32	[Remote Endpoint] Protocol
`KeyingModuleName` UnicodeString	[Remote Endpoint] Keying Module Name
`AhAuthType` UnicodeString	[Cryptographic Information] Integrity Algorithm - AH
`EspAuthType` UnicodeString	[Cryptographic Information] Integrity Algorithm - ESP
`CipherType` UnicodeString	[Cryptographic Information] Encryption Algorithm
`LifetimeSeconds` UInt32	[Security Association Information] Lifetime - seconds
`LifetimeKilobytes` UInt32	[Security Association Information] Lifetime - data
`LifetimePackets` UInt32	[Security Association Information] Lifetime - packets
`Mode` UnicodeString	[Security Association Information] Mode
`Role` UnicodeString	[Security Association Information] Role
`TransportFilterId` UInt64	[Security Association Information] Quick Mode Filter ID
`MainModeSaId` UInt64	[Security Association Information] Main Mode SA ID
`QuickModeSaId` UInt64	[Security Association Information] Quick Mode SA ID
`InboundSpi` UInt64	[Additional Information] Inbound SPI
`OutboundSpi` UInt64	[Additional Information] Outbound SPI
`TunnelId` UInt64	[Additional Information] Virtual Interface Tunnel ID
`TrafficSelectorId` UInt64	[Additional Information] Traffic Selector ID

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5451
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-quick-mode

Event ID 5452: An IPsec quick mode security association ended.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Quick Mode
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

An IPsec quick mode security association ended.

Message #

An IPsec quick mode security association ended.
	
Local Endpoint:
	Network Address: %1
	Port: %2
	Tunnel Endpoint: %3

Remote Endpoint:
	Network Address: %4
	Port: %5
	Tunnel Endpoint: %6

Additional Information:
	Protocol: %7
	Quick Mode SA ID: %8

Fields #

Name	Description
`LocalAddress` UnicodeString	[Local Endpoint] Network Address
`LocalAddressMask` UnicodeString	[Local Endpoint] Network Address mask
`LocalPort` UInt32	[Local Endpoint] Port
`LocalTunnelEndpoint` UnicodeString	[Local Endpoint] Tunnel Endpoint
`RemoteAddress` UnicodeString	[Remote Endpoint] Network Address
`RemoteAddressMask` UnicodeString	[Remote Endpoint] Network Address mask
`RemotePort` UInt32	[Remote Endpoint] Port
`RemoteTunnelEndpoint` UnicodeString	[Remote Endpoint] Tunnel Endpoint
`IpProtocol` UInt32	[Additional Information] Protocol
`QuickModeSaId` UInt64	[Additional Information] Quick Mode SA ID
`TunnelId` UInt64	[Additional Information] Virtual Interface Tunnel ID
`TrafficSelectorId` UInt64	[Additional Information] Traffic Selector ID

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5452
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-quick-mode

Event ID 5453: An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → IPsec Main Mode
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.

Message #

An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode

Event ID 5456: PAStore Engine applied Active Directory storage IPsec policy on the computer.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent applied Active Directory storage IPsec policy on the computer.

Message #

IPsec Policy Agent applied Active Directory storage IPsec policy on the computer.

Policy: %1

Fields #

Name	Description
`Policy` UnicodeString	Policy

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5456
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5457: PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent failed to apply Active Directory storage IPsec policy on the computer.

Message #

IPsec Policy Agent failed to apply Active Directory storage IPsec policy on the computer.

DN: %1
Error code: %2

Fields #

Name	Description
`Policy` UnicodeString	DN
`Error` UnicodeString	Error code

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5457
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5458: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent applied locally cached copy of Active Directory storage IPsec policy on the computer.

Message #

IPsec Policy Agent applied locally cached copy of Active Directory storage IPsec policy on the computer.

Policy: %1

Fields #

Name	Description
`Policy` UnicodeString	Policy

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5459: PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.

Message #

IPsec Policy Agent failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.

Policy: %1
Error Code: %2

Fields #

Name	Description
`Policy` UnicodeString	Policy
`Error` UnicodeString	Error Code

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5460: PAStore Engine applied local registry storage IPsec policy on the computer.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent applied local registry storage IPsec policy on the computer.

Message #

IPsec Policy Agent applied local registry storage IPsec policy on the computer.

Policy: %1

Fields #

Name	Description
`Policy` UnicodeString	Policy

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5461: PAStore Engine failed to apply local registry storage IPsec policy on the computer.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent failed to apply local registry storage IPsec policy on the computer.

Message #

IPsec Policy Agent failed to apply local registry storage IPsec policy on the computer.

Policy: %1
Error Code: %2

Fields #

Name	Description
`Policy` UnicodeString	Policy
`Error` UnicodeString	Error Code

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5462: PAStore Engine failed to apply some rules of the active IPsec policy on the computer.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.

Message #

IPsec Policy Agent failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.

Policy: %1
Error Code: %2

Fields #

Name	Description
`Policy` UnicodeString	Policy
`Error` UnicodeString	Error Code

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5463: PAStore Engine polled for changes to the active IPsec policy and detected no changes.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent polled for changes to the active IPsec policy and detected no changes.

Message #

IPsec Policy Agent polled for changes to the active IPsec policy and detected no changes.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5464: PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent polled for changes to the active IPsec policy, detected changes, and applied them.

Message #

IPsec Policy Agent polled for changes to the active IPsec policy, detected changes, and applied them.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5465: PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent received a control for forced reloading of IPsec policy and processed the control successfully.

Message #

IPsec Policy Agent received a control for forced reloading of IPsec policy and processed the control successfully.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5466: PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.

Message #

IPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5467: PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.

Message #

IPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5468: PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.

Message #

IPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5471: PAStore Engine loaded local storage IPsec policy on the computer.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent loaded local storage IPsec policy on the computer.

Message #

IPsec Policy Agent loaded local storage IPsec policy on the computer.

Policy: %1

Fields #

Name	Description
`Policy` UnicodeString	Policy

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5472: PAStore Engine failed to load local storage IPsec policy on the computer.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent failed to load local storage IPsec policy on the computer.

Message #

IPsec Policy Agent failed to load local storage IPsec policy on the computer.

Policy: %1
Error Code: %2

Fields #

Name	Description
`Policy` UnicodeString	Policy
`Error` UnicodeString	Error Code

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5473: PAStore Engine loaded directory storage IPsec policy on the computer.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent loaded directory storage IPsec policy on the computer.

Message #

IPsec Policy Agent loaded directory storage IPsec policy on the computer.

Policy: %1

Fields #

Name	Description
`Policy` UnicodeString	Policy

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5474: PAStore Engine failed to load directory storage IPsec policy on the computer.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent failed to load directory storage IPsec policy on the computer.

Message #

IPsec Policy Agent failed to load directory storage IPsec policy on the computer.

Policy: %1
Error Code: %2

Fields #

Name	Description
`Policy` UnicodeString	Policy
`Error` UnicodeString	Error Code

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5477: PAStore Engine failed to add quick mode filter.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Filtering Platform Policy Change
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent failed to add quick mode filter.

Message #

IPsec Policy Agent failed to add quick mode filter.

Quick Mode Filter: %1
Error Code: %2

Fields #

Name	Description
`QuickModeFilter` UnicodeString	Quick Mode Filter
`Error` UnicodeString	Error Code

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5477
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change

Event ID 5478: IPsec Services has started successfully.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → IPsec Driver
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

The IPsec Policy Agent service was started.

Message #

The IPsec Policy Agent service was started.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver

Event ID 5479: IPsec Services has been shut down successfully.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → IPsec Driver
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

The IPsec Policy Agent service was stopped. Stopping this service can put the computer at greater risk of network attack or expose the computer to potential security risks.

Message #

The IPsec Policy Agent service was stopped. Stopping this service can put the computer at greater risk of network attack or expose the computer to potential security risks.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver

Event ID 5480: IPsec Services failed to get the complete list of network interfaces on the computer.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → IPsec Driver
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

Message #

IPsec Policy Agent failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver

Event ID 5483: IPsec Services failed to initialize RPC server.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → IPsec Driver
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

The IPsec Policy Agent service failed to initialize its RPC server. The service could not be started.

Message #

The IPsec Policy Agent service failed to initialize its RPC server. The service could not be started.

Error Code: %1

Fields #

Name	Description
`Error` UnicodeString	Error Code

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5483
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver

Event ID 5484: IPsec Services has experienced a critical failure and has been shut down.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → IPsec Driver
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

The IPsec Policy Agent service experienced a critical failure and has shut down. The shutdown of this service can put the computer at greater risk of network attack or expose the computer to potential security risks. Error Code: Error

Message #

The IPsec Policy Agent service experienced a critical failure and has shut down. The shutdown of this service can put the computer at greater risk of network attack or expose the computer to potential security risks.

Error Code: %1

Fields #

Name	Description
`Error` UnicodeString	Error Code

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver

Event ID 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → IPsec Driver
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

Message #

IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver

Event ID 5632: A request was made to authenticate to a wireless network.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Other Logon/Logoff Events
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

This event generates when 802.1x authentication attempt was made for wireless network.

Message #

A request was made to authenticate to a wireless network.

Subject:
	Security ID: %2
	Account Name: %3
	Account Domain: %4
	Logon ID: %5

Network Information:
	Name (SSID): %1
	Interface GUID: %8
	Local MAC Address: %7
	Peer MAC Address: %6

Additional Information:
	Reason Code: %10 (%9)
	Error Code: %11

Fields #

Name	Description
`SSID` UnicodeString	SSID of the wireless network to which authentication request was sent.
`Identity` UnicodeString	User Principal Name (UPN) or another type of account identifier for which 802.1x authentication request was made.
`SubjectUserName` UnicodeString	The name of the account for which 802.1x authentication request was made.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`PeerMac` UnicodeString	[Network Information] Peer MAC Address.
`LocalMac` UnicodeString	[Network Information] Local MAC Address.
`IntfGuid` GUID	GUID of the network interface which was used for authentication request.
`ReasonCode` HexInt32	Hexadecimal Reason Code for wired authentication results.
`ReasonText` UnicodeString	Contains Reason Text (explanation of Reason Code) and Reason Code for wireless authentication results.
`ErrorCode` HexInt32	There is no information about this field in this document.
`EAPReasonCode` HexInt32	Related to NPS (Network Policy Server) error code. [See NPS error codes](https://technet.microsoft.com/library/dd197570(v=ws.10).aspx).
`EapRootCauseString` UnicodeString	[Additional Information] EAP Root Cause String.
`EAPErrorCode` HexInt32	[Additional Information] EAP Error Code.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5632
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5632_v1.yml

Event ID 5633: A request was made to authenticate to a wired network.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Other Logon/Logoff Events
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates when 802.1x authentication attempt was made for wired network.

Message #

A request was made to authenticate to a wired network.

Subject:
	Security ID: %2
	Account Name: %3
	Account Domain: %4
	Logon ID: %5

Interface:
	Name: %1

Additional Information
	Reason Code: %7 (%6)
	Error Code: %8

Fields #

Name	Description
`InterfaceName` UnicodeString	The name (description) of network interface which was used for authentication request. You can get the list of all available network adapters using "ipconfig /all" command.
`Identity` UnicodeString	User Principal Name (UPN) of account for which 802.1x authentication request was made.
`SubjectUserName` UnicodeString	The name of the account for which 802.1x authentication request was made.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Logon session ID of the account that requested the operation. Correlates with Event ID 4624.
`ReasonCode` HexInt32	Hexadecimal Reason Code for wired authentication results.
`ReasonText` UnicodeString	Contains Reason Text (explanation of Reason Code) and Reason Code for wired authentication results.
`ErrorCode` HexInt32	[Interface] Error Code.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5633
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5633.yml

Event ID 5712: A Remote Procedure Call (RPC) was attempted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Detailed Tracking → RPC Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

A Remote Procedure Call (RPC) was attempted.

Message #

A Remote Procedure Call (RPC) was attempted.

Subject:
	SID: %1
	Name: %2
	Account Domain: %3
	LogonId: %4

Process Information:
	PID: %5
	Name: %6

Network Information:
	Remote IP Address: %7
	Remote Port: %8

RPC Attributes:
	Interface UUID: %9
	Protocol Sequence: %10
	Authentication Service: %11
	Authentication Level: %12

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] SID
`SubjectUserName` UnicodeString	[Subject] Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` UInt64	[Subject] LogonId
`ProcessId` UInt32	[Process Information] PID
`ProcessName` UnicodeString	[Process Information] Name
`RemoteIpAddress` UnicodeString	[Network Information] Remote IP Address
`RemotePort` UnicodeString	[Network Information] Remote Port
`InterfaceUuid` GUID	[RPC Attributes] Interface UUID
`ProtocolSequence` UnicodeString	[RPC Attributes] Protocol Sequence
`AuthenticationService` UInt32	[RPC Attributes] Authentication Service
`AuthenticationLevel` UInt32	[RPC Attributes] Authentication Level
`OpNum` UInt32
`Endpoint` UnicodeString
`RemoteHost` UnicodeString

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5712
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-rpc-events

Event ID 5888: An object in the COM+ Catalog was modified.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Other Object Access Events
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

An object in the COM+ Catalog was modified.

Message #

An object in the COM+ Catalog was modified.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	COM+ Catalog Collection: %5
	Object Name: %6
	Object Properties Modified: %7

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested the "modify/change object" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "modify/change object" operation.
`SubjectUserDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` UInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`ObjectCollectionName` UnicodeString	The name of COM+ collection in which the object was modified.
`ObjectIdentifyingProperties` UnicodeString	Object-specific fields with the names and identifiers for the modified object.
`ModifiedObjectProperties` UnicodeString	The list of object's (Object Name) properties which were modified.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5888,
    "version": 0,
    "level": 0,
    "task": 12290,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:07:28.323865+00:00",
    "event_record_id": 2042752,
    "correlation": {
      "ActivityID": "56E3EAD5-F269-44B1-8096-7C737168F10A"
    },
    "execution": {
      "process_id": 984,
      "thread_id": 1556
    },
    "channel": "Security",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "SYSTEM",
    "SubjectUserDomainName": "NT AUTHORITY",
    "SubjectLogonId": 999,
    "ObjectCollectionName": "Components",
    "ObjectIdentifyingProperties": "\r\n\t\tCLSID = {315FA593-3CF5-4310-887B-3977A578488A}\r\n\t\tBitness = 2\r\n\t\tApplicationID = {5268CA1B-44FF-4FE6-9D5F-9CF63F69C4E3}",
    "ModifiedObjectProperties": "\r\n\t\tApplicationID = '<null>' -> '{5268CA1B-44FF-4FE6-9D5F-9CF63F69C4E3}'\r\n\t\tTransaction = '0' -> '1'\r\n\t\tSynchronization = '0' -> '3'\r\n\t\tJustInTimeActivation = '0' -> '1'\r\n\t\tEventTrackingEnabled = '0' -> '1'\r\n\t\tSavedProgId = '<null>' -> 'IISFtpHost.IISFtpHost.1'\r\n\t\tAllowInprocSubscribers = '0' -> '1'\r\n\t\tIsEnabled = '0' -> '1'\r\n\t\tTxIsolationLevel = '0' -> '4'"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5888
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5888.yml

Event ID 5889: An object was deleted from the COM+ Catalog.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Other Object Access Events
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

An object was deleted from the COM+ Catalog.

Message #

An object was deleted from the COM+ Catalog.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	COM+ Catalog Collection: %5
	Object Name: %6
	Object Details: %7
This event occurs when an object is deleted from the COM+ catalog.

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested the "delete object" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "delete object" operation.
`SubjectUserDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` UInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`ObjectCollectionName` UnicodeString	The name of COM+ collection in which COM+ object was deleted.
`ObjectIdentifyingProperties` UnicodeString	Object-specific fields with the names and identifiers for the deleted object.
`ObjectProperties` UnicodeString	The list of deleted object's (Object Name) properties.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5889,
    "version": 0,
    "level": 0,
    "task": 12290,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-05T22:30:46.980255+00:00",
    "event_record_id": 3332,
    "correlation": {
      "ActivityID": "59A0D65F-1037-0001-A7D6-A0593710DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 888
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "SYSTEM",
    "SubjectUserDomainName": "NT AUTHORITY",
    "SubjectLogonId": 999,
    "ObjectCollectionName": "Applications",
    "ObjectIdentifyingProperties": "\r\n\t\tID = {A14C837E-C9BC-4E79-B228-2A6CB72524A5}\r\n\t\tAppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}",
    "ObjectProperties": "\r\n\t\tName = VMware Snapshot Provider\r\n\t\tApplicationProxyServerName = \r\n\t\tProcessType = 2\r\n\t\tCommandLine = \r\n\t\tServiceName = vmvss\r\n\t\tRunAsUserType = 1\r\n\t\tIdentity = LocalSystem\r\n\t\tDescription = VMware Snapshot Provider\r\n\t\tIsSystem = N\r\n\t\tAuthentication = 6\r\n\t\tShutdownAfter = 3\r\n\t\tRunForever = N\r\n\t\tPassword = ********\r\n\t\tActivation = Local\r\n\t\tChangeable = Y\r\n\t\tDeleteable = Y\r\n\t\tCreatedBy = \r\n\t\tAccessChecksLevel = 1\r\n\t\tApplicationAccessChecksEnabled = 0\r\n\t\tcCOL_SecurityDescriptor = <Opaque>\r\n\t\tImpersonationLevel = 2\r\n\t\tAuthenticationCapability = 2\r\n\t\tCRMEnabled = 0\r\n\t\t3GigSupportEnabled = 0\r\n\t\tQueuingEnabled = 0\r\n\t\tQueueListenerEnabled = N\r\n\t\tEventsEnabled = 1\r\n\t\tProcessFlags = 0\r\n\t\tThreadMax = 0\r\n\t\tApplicationProxy = 0\r\n\t\tCRMLogFile = \r\n\t\tDumpEnabled = 0\r\n\t\tDumpOnException = 0\r\n\t\tDumpOnFailfast = 0\r\n\t\tMaxDumpCount = 5\r\n\t\tDumpPath = %systemroot%\\system32\\com\\dmp\r\n\t\tIsEnabled = 1\r\n\t\tAppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}\r\n\t\tConcurrentApps = 1\r\n\t\tRecycleLifetimeLimit = 0\r\n\t\tRecycleCallLimit = 0\r\n\t\tRecycleActivationLimit = 0\r\n\t\tRecycleMemoryLimit = 0\r\n\t\tRecycleExpirationTimeout = 15\r\n\t\tQCListenerMaxThreads = 0\r\n\t\tQCAuthenticateMsgs = 0\r\n\t\tApplicationDirectory = \r\n\t\tSRPTrustLevel = 262144\r\n\t\tSRPEnabled = 0\r\n\t\tSoapActivated = 0\r\n\t\tSoapVRoot = \r\n\t\tSoapMailTo = \r\n\t\tSoapBaseUrl = \r\n\t\tReplicable = 1"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5889
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5889
Example event sourced from https://github.com/NextronSystems/evtx-baseline
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5889.yml

Event ID 5890: An object was added to the COM+ Catalog.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Other Object Access Events
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates when new object was added to the COM+ Catalog.

Message #

An object was added to the COM+ Catalog.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	COM+ Catalog Collection: %5
	Object Name: %6
	Object Details: %7

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that requested the "add object" operation.
`SubjectUserName` UnicodeString	The name of the account that requested the "add object" operation.
`SubjectUserDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` UInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`ObjectCollectionName` UnicodeString	The name of COM+ collection to which the new object was added.
`ObjectIdentifyingProperties` UnicodeString	Object-specific fields with the names and identifiers for the new object.
`ObjectProperties` UnicodeString	The list of new object's (Object Name) properties.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5890,
    "version": 0,
    "level": 0,
    "task": 12290,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-05T22:30:50.680307+00:00",
    "event_record_id": 3348,
    "correlation": {
      "ActivityID": "59A0D65F-1037-0001-A7D6-A0593710DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 896
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "SYSTEM",
    "SubjectUserDomainName": "NT AUTHORITY",
    "SubjectLogonId": 999,
    "ObjectCollectionName": "UsersInRole",
    "ObjectIdentifyingProperties": "\r\n\t\tApplId = {B0C2D0B3-B19E-4769-B00B-A0D5996BAD73}\r\n\t\tName = Administrators\r\n\t\tUser = SYSTEM",
    "ObjectProperties": "\r\n\t\t<null>"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5890
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5890
Example event sourced from https://github.com/NextronSystems/evtx-baseline
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-5890.yml

Event ID 6144: Security policy in the group policy objects has been applied successfully.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Other Policy Change Events
Collection Priority: Low (Microsoft-AppendixL)
Opcode: Info

Description

This event generates every time settings from the "Security Settings" section in the group policy object are applied successfully to a computer, without any errors.

Message #

Security policy in the group policy objects has been applied successfully. 

Return Code: %1

GPO List:
%2

Fields #

Name	Description
`ErrorCode` UInt32	Always has "0" value for this event.
`GPOList` UnicodeString	The list of Group Policy Objects that include "Security Settings" policies, and that were applied to the computer.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6144
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-6144.yml

Event ID 6145: One or more errors occured while processing security policy in the group policy objects.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Other Policy Change Events
Collection Priority: Medium (Microsoft-AppendixL)
Opcode: Info

Description

This event generates every time settings from the "Security Settings" section in the group policy object are applied to a computer with one or more errors.

Message #

One or more errors occured while processing security policy in the group policy objects.

Error Code: %1
GPO List:
%2

Fields #

Name	Description
`ErrorCode` UInt32	Specific error code which shows the error which happened during Group Policy processing.
`GPOList` UnicodeString	The list of Group Policy Objects that include "Security Settings" policies, and that were applied with errors to the computer.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-6145.yml

Event ID 6272: Network Policy Server granted access to a user.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Network Policy Server
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

Network Policy Server granted access to a user.

Message #

Network Policy Server granted access to a user.

User:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Fully Qualified Account Name: %4

Client Machine:
	Security ID: %5
	Account Name: %6
	Fully Qualified Account Name: %7
	OS-Version: %8
	Called Station Identifier: %9
	Calling Station Identifier: %10

NAS:
	NAS IPv4 Address: %11
	NAS IPv6 Address: %12
	NAS Identifier: %13
	NAS Port-Type: %14
	NAS Port: %15

RADIUS Client:
	Client Friendly Name: %16
	Client IP Address: %17

Authentication Details:
	Proxy Policy Name: %18
	Network Policy Name: %19
	Authentication Provider: %20
	Authentication Server: %21
	Authentication Type: %22
	EAP Type: %23
	Account Session Identifier: %24

Quarantine Information:
	Result: %25
	Session Identifier: %26

Fields #

Name	Description
`SubjectUserSid` SID	[User] Security ID
`SubjectUserName` UnicodeString	[User] Account Name
`SubjectDomainName` UnicodeString	[User] Account Domain
`FullyQualifiedSubjectUserName` UnicodeString	[User] Fully Qualified Account Name
`SubjectMachineSID` SID	[Client Machine] Security ID
`SubjectMachineName` UnicodeString	[Client Machine] Account Name
`FullyQualifiedSubjectMachineName` UnicodeString	[Client Machine] Fully Qualified Account Name
`CalledStationID` UnicodeString	[Client Machine] Called Station Identifier
`CallingStationID` UnicodeString	[Client Machine] Calling Station Identifier
`NASIPv4Address` UnicodeString	[NAS] NAS IPv4 Address
`NASIPv6Address` UnicodeString	[NAS] NAS IPv6 Address
`NASIdentifier` UnicodeString	[NAS] NAS Identifier
`NASPortType` UnicodeString	[NAS] NAS Port-Type
`NASPort` UnicodeString	[NAS] NAS Port
`ClientName` UnicodeString	[RADIUS Client] Client Friendly Name
`ClientIPAddress` UnicodeString	[RADIUS Client] Client IP Address
`ProxyPolicyName` UnicodeString	[Authentication Details] Connection Request Policy Name
`NetworkPolicyName` UnicodeString	[Authentication Details] Network Policy Name
`AuthenticationProvider` UnicodeString	[Authentication Details] Authentication Provider
`AuthenticationServer` UnicodeString	[Authentication Details] Authentication Server
`AuthenticationType` UnicodeString	[Authentication Details] Authentication Type
`EAPType` UnicodeString	[Authentication Details] EAP Type
`AccountSessionIdentifier` UnicodeString	[Authentication Details] Account Session Identifier
`LoggingResult` UnicodeString	[Authentication Details] Logging Results

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6272
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server

Event ID 6273: Network Policy Server denied access to a user.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Network Policy Server
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

Network Policy Server denied access to a user.

Message #

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Fully Qualified Account Name: %4

Client Machine:
	Security ID: %5
	Account Name: %6
	Fully Qualified Account Name: %7
	OS-Version: %8
	Called Station Identifier: %9
	Calling Station Identifier: %10

NAS:
	NAS IPv4 Address: %11
	NAS IPv6 Address: %12
	NAS Identifier: %13
	NAS Port-Type: %14
	NAS Port: %15

RADIUS Client:
	Client Friendly Name: %16
	Client IP Address: %17

Authentication Details:
	Proxy Policy Name: %18
	Network Policy Name: %19
	Authentication Provider: %20
	Authentication Server: %21
	Authentication Type: %22
	EAP Type: %23
	Account Session Identifier: %24
	Reason Code: %25
	Reason: %26

Fields #

Name	Description
`SubjectUserSid` SID	[User] Security ID
`SubjectUserName` UnicodeString	[User] Account Name
`SubjectDomainName` UnicodeString	[User] Account Domain
`FullyQualifiedSubjectUserName` UnicodeString	[User] Fully Qualified Account Name
`SubjectMachineSID` SID	[Client Machine] Security ID
`SubjectMachineName` UnicodeString	[Client Machine] Account Name
`FullyQualifiedSubjectMachineName` UnicodeString	[Client Machine] Fully Qualified Account Name
`CalledStationID` UnicodeString	[Client Machine] Called Station Identifier
`CallingStationID` UnicodeString	[Client Machine] Calling Station Identifier
`NASIPv4Address` UnicodeString	[NAS] NAS IPv4 Address
`NASIPv6Address` UnicodeString	[NAS] NAS IPv6 Address
`NASIdentifier` UnicodeString	[NAS] NAS Identifier
`NASPortType` UnicodeString	[NAS] NAS Port-Type
`NASPort` UnicodeString	[NAS] NAS Port
`ClientName` UnicodeString	[RADIUS Client] Client Friendly Name
`ClientIPAddress` UnicodeString	[RADIUS Client] Client IP Address
`ProxyPolicyName` UnicodeString	[Authentication Details] Connection Request Policy Name
`NetworkPolicyName` UnicodeString	[Authentication Details] Network Policy Name
`AuthenticationProvider` UnicodeString	[Authentication Details] Authentication Provider
`AuthenticationServer` UnicodeString	[Authentication Details] Authentication Server
`AuthenticationType` UnicodeString	[Authentication Details] Authentication Type
`EAPType` UnicodeString	[Authentication Details] EAP Type
`AccountSessionIdentifier` UnicodeString	[Authentication Details] Account Session Identifier
`ReasonCode` UnicodeString	[Authentication Details] Reason Code
`Reason` UnicodeString	[Authentication Details] Reason
`LoggingResult` UnicodeString	[Authentication Details] Logging Results

Community Notes #

Large numbers of Reason 16 or 23 from the same IP or MAC indicates bruting of WiFi, VPN, 802.1x portals. Repeat denials for privileged accounts should be investigated.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6273
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server

Event ID 6274: Network Policy Server discarded the request for a user.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Network Policy Server
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

Network Policy Server discarded the request for a user.

Message #

Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Fully Qualified Account Name: %4

Client Machine:
	Security ID: %5
	Account Name: %6
	Fully Qualified Account Name: %7
	OS-Version: %8
	Called Station Identifier: %9
	Calling Station Identifier: %10

NAS:
	NAS IPv4 Address: %11
	NAS IPv6 Address: %12
	NAS Identifier: %13
	NAS Port-Type: %14
	NAS Port: %15

RADIUS Client:
	Client Friendly Name: %16
	Client IP Address: %17

Authentication Details:
	Connection Request Policy Name: %18
	Network Policy Name: %19
	Authentication Provider: %20
	Authentication Server: %21
	Authentication Type: %22
	EAP Type: %23
	Account Session Identifier: %24
	Reason Code: %25
	Reason: %26

Fields #

Name	Description
`SubjectUserSid` SID	[User] Security ID
`SubjectUserName` UnicodeString	[User] Account Name
`SubjectDomainName` UnicodeString	[User] Account Domain
`FullyQualifiedSubjectUserName` UnicodeString	[User] Fully Qualified Account Name
`SubjectMachineSID` SID	[Client Machine] Security ID
`SubjectMachineName` UnicodeString	[Client Machine] Account Name
`FullyQualifiedSubjectMachineName` UnicodeString	[Client Machine] Fully Qualified Account Name
`CalledStationID` UnicodeString	[Client Machine] Called Station Identifier
`CallingStationID` UnicodeString	[Client Machine] Calling Station Identifier
`NASIPv4Address` UnicodeString	[NAS] NAS IPv4 Address
`NASIPv6Address` UnicodeString	[NAS] NAS IPv6 Address
`NASIdentifier` UnicodeString	[NAS] NAS Identifier
`NASPortType` UnicodeString	[NAS] NAS Port-Type
`NASPort` UnicodeString	[NAS] NAS Port
`ClientName` UnicodeString	[RADIUS Client] Client Friendly Name
`ClientIPAddress` UnicodeString	[RADIUS Client] Client IP Address
`ProxyPolicyName` UnicodeString	[Authentication Details] Connection Request Policy Name
`NetworkPolicyName` UnicodeString	[Authentication Details] Network Policy Name
`AuthenticationProvider` UnicodeString	[Authentication Details] Authentication Provider
`AuthenticationServer` UnicodeString	[Authentication Details] Authentication Server
`AuthenticationType` UnicodeString	[Authentication Details] Authentication Type
`EAPType` UnicodeString	[Authentication Details] EAP Type
`AccountSessionIdentifier` UnicodeString	[Authentication Details] Account Session Identifier
`ReasonCode` UnicodeString	[Authentication Details] Reason Code
`Reason` UnicodeString	[Authentication Details] Reason

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server

Event ID 6275: Network Policy Server discarded the accounting request for a user.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Network Policy Server
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

Network Policy Server discarded the accounting request for a user.

Message #

Network Policy Server discarded the accounting request for a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Fully Qualified Account Name: %4

Client Machine:
	Security ID: %5
	Account Name: %6
	Fully Qualified Account Name: %7
	OS-Version: %8
	Called Station Identifier: %9
	Calling Station Identifier: %10

NAS:
	NAS IPv4 Address: %11
	NAS IPv6 Address: %12
	NAS Identifier: %13
	NAS Port-Type: %14
	NAS Port: %15

RADIUS Client:
	Client Friendly Name: %16
	Client IP Address: %17

Authentication Details:
	Connection Request Policy Name: %18
	Network Policy Name: %19
	Authentication Provider: %20
	Authentication Server: %21
	Authentication Type: %22
	EAP Type: %23
	Account Session Identifier: %24
	Reason Code: %25
	Reason: %26

Fields #

Name	Description
`SubjectUserSid` SID	[User] Security ID
`SubjectUserName` UnicodeString	[User] Account Name
`SubjectDomainName` UnicodeString	[User] Account Domain
`FullyQualifiedSubjectUserName` UnicodeString	[User] Fully Qualified Account Name
`SubjectMachineSID` SID	[Client Machine] Security ID
`SubjectMachineName` UnicodeString	[Client Machine] Account Name
`FullyQualifiedSubjectMachineName` UnicodeString	[Client Machine] Fully Qualified Account Name
`CalledStationID` UnicodeString	[Client Machine] Called Station Identifier
`CallingStationID` UnicodeString	[Client Machine] Calling Station Identifier
`NASIPv4Address` UnicodeString	[NAS] NAS IPv4 Address
`NASIPv6Address` UnicodeString	[NAS] NAS IPv6 Address
`NASIdentifier` UnicodeString	[NAS] NAS Identifier
`NASPortType` UnicodeString	[NAS] NAS Port-Type
`NASPort` UnicodeString	[NAS] NAS Port
`ClientName` UnicodeString	[RADIUS Client] Client Friendly Name
`ClientIPAddress` UnicodeString	[RADIUS Client] Client IP Address
`ProxyPolicyName` UnicodeString	[Authentication Details] Connection Request Policy Name
`NetworkPolicyName` UnicodeString	[Authentication Details] Network Policy Name
`AuthenticationProvider` UnicodeString	[Authentication Details] Authentication Provider
`AuthenticationServer` UnicodeString	[Authentication Details] Authentication Server
`AuthenticationType` UnicodeString	[Authentication Details] Authentication Type
`EAPType` UnicodeString	[Authentication Details] EAP Type
`AccountSessionIdentifier` UnicodeString	[Authentication Details] Account Session Identifier
`ReasonCode` UnicodeString	[Authentication Details] Reason Code
`Reason` UnicodeString	[Authentication Details] Reason

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server

Event ID 6276: Network Policy Server quarantined a user.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Network Policy Server
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

Network Policy Server quarantined a user.

Message #

Network Policy Server quarantined a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Fully Qualified Account Name: %4

Client Machine:
	Security ID: %5
	Account Name: %6
	Fully Qualified Account Name: %7
	OS-Version: %8
	Called Station Identifier: %9
	Calling Station Identifier: %10

NAS:
	NAS IPv4 Address: %11
	NAS IPv6 Address: %12
	NAS Identifier: %13
	NAS Port-Type: %14
	NAS Port: %15

RADIUS Client:
	Client Friendly Name: %16
	Client IP Address: %17

Authentication Details:
	Connection Request Policy Name: %18
	Network Policy Name: %19
	Authentication Provider: %20
	Authentication Server: %21
	Authentication Type: %22
	EAP Type: %23
	Account Session Identifier: %24

Quarantine Information:
	Result: %25
	Extended-Result: %26
	Session Identifier: %27
	Help URL: %28
	System Health Validator Result(s): %29

Fields #

Name	Description
`SubjectUserSid` SID	[User] Security ID
`SubjectUserName` UnicodeString	[User] Account Name
`SubjectDomainName` UnicodeString	[User] Account Domain
`FullyQualifiedSubjectUserName` UnicodeString	[User] Fully Qualified Account Name
`SubjectMachineSID` SID	[Client Machine] Security ID
`SubjectMachineName` UnicodeString	[Client Machine] Account Name
`FullyQualifiedSubjectMachineName` UnicodeString	[Client Machine] Fully Qualified Account Name
`MachineInventory` UnicodeString	[Client Machine] OS-Version
`CalledStationID` UnicodeString	[Client Machine] Called Station Identifier
`CallingStationID` UnicodeString	[Client Machine] Calling Station Identifier
`NASIPv4Address` UnicodeString	[NAS] NAS IPv4 Address
`NASIPv6Address` UnicodeString	[NAS] NAS IPv6 Address
`NASIdentifier` UnicodeString	[NAS] NAS Identifier
`NASPortType` UnicodeString	[NAS] NAS Port-Type
`NASPort` UnicodeString	[NAS] NAS Port
`ClientName` UnicodeString	[RADIUS Client] Client Friendly Name
`ClientIPAddress` UnicodeString	[RADIUS Client] Client IP Address
`ProxyPolicyName` UnicodeString	[Authentication Details] Connection Request Policy Name
`NetworkPolicyName` UnicodeString	[Authentication Details] Network Policy Name
`AuthenticationProvider` UnicodeString	[Authentication Details] Authentication Provider
`AuthenticationServer` UnicodeString	[Authentication Details] Authentication Server
`AuthenticationType` UnicodeString	[Authentication Details] Authentication Type
`EAPType` UnicodeString	[Authentication Details] EAP Type
`AccountSessionIdentifier` UnicodeString	[Authentication Details] Account Session Identifier
`QuarantineState` UnicodeString	[Quarantine Information] Result
`ExtendedQuarantineState` UnicodeString	[Quarantine Information] Extended-Result
`QuarantineSessionID` UnicodeString	[Quarantine Information] Session Identifier
`QuarantineHelpURL` UnicodeString	[Quarantine Information] Help URL
`QuarantineSystemHealthResult` UnicodeString	[Quarantine Information] System Health Validator Result(s)

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6276
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server

Event ID 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Network Policy Server
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.

Message #

Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.

Contact the Network Policy Server administrator for more information.

User:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Fully Qualified Account Name: %4

Client Machine:
	Security ID: %5
	Account Name: %6
	Fully Qualified Account Name: %7
	OS-Version: %8
	Called Station Identifier: %9
	Calling Station Identifier: %10

NAS:
	NAS IPv4 Address: %11
	NAS IPv6 Address: %12
	NAS Identifier: %13
	NAS Port-Type: %14
	NAS Port: %15

RADIUS Client:
	Client Friendly Name: %16
	Client IP Address: %17

Authentication Details:
	Connection Request Policy Name: %18
	Network Policy Name: %19
	Authentication Provider: %20
	Authentication Server: %21
	Authentication Type: %22
	EAP Type: %23
	Account Session Identifier: %24

Quarantine Information:
	Result: %25
	Extended-Result: %26
	Session Identifier: %27
	Help URL: %28
	System Health Validator Result(s): %29
	Quarantine Grace Time: %30

Fields #

Name	Description
`SubjectUserSid` SID	[User] Security ID
`SubjectUserName` UnicodeString	[User] Account Name
`SubjectDomainName` UnicodeString	[User] Account Domain
`FullyQualifiedSubjectUserName` UnicodeString	[User] Fully Qualified Account Name
`SubjectMachineSID` SID	[Client Machine] Security ID
`SubjectMachineName` UnicodeString	[Client Machine] Account Name
`FullyQualifiedSubjectMachineName` UnicodeString	[Client Machine] Fully Qualified Account Name
`MachineInventory` UnicodeString	[Client Machine] OS-Version
`CalledStationID` UnicodeString	[Client Machine] Called Station Identifier
`CallingStationID` UnicodeString	[Client Machine] Calling Station Identifier
`NASIPv4Address` UnicodeString	[NAS] NAS IPv4 Address
`NASIPv6Address` UnicodeString	[NAS] NAS IPv6 Address
`NASIdentifier` UnicodeString	[NAS] NAS Identifier
`NASPortType` UnicodeString	[NAS] NAS Port-Type
`NASPort` UnicodeString	[NAS] NAS Port
`ClientName` UnicodeString	[RADIUS Client] Client Friendly Name
`ClientIPAddress` UnicodeString	[RADIUS Client] Client IP Address
`ProxyPolicyName` UnicodeString	[Authentication Details] Connection Request Policy Name
`NetworkPolicyName` UnicodeString	[Authentication Details] Network Policy Name
`AuthenticationProvider` UnicodeString	[Authentication Details] Authentication Provider
`AuthenticationServer` UnicodeString	[Authentication Details] Authentication Server
`AuthenticationType` UnicodeString	[Authentication Details] Authentication Type
`EAPType` UnicodeString	[Authentication Details] EAP Type
`AccountSessionIdentifier` UnicodeString	[Authentication Details] Account Session Identifier
`QuarantineState` UnicodeString	[Quarantine Information] Result
`ExtendedQuarantineState` UnicodeString	[Quarantine Information] Extended-Result
`QuarantineSessionID` UnicodeString	[Quarantine Information] Session Identifier
`QuarantineHelpURL` UnicodeString	[Quarantine Information] Help URL
`QuarantineSystemHealthResult` UnicodeString	[Quarantine Information] System Health Validator Result(s)
`QuarantineGraceTime` UnicodeString	[Quarantine Information] Quarantine Grace Time

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6277
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server

Event ID 6278: Network Policy Server granted full access to a user because the host met the defined health policy.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Network Policy Server
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

Network Policy Server granted full access to a user because the host met the defined health policy.

Message #

Network Policy Server granted full access to a user because the host met the defined health policy.

User:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Fully Qualified Account Name: %4

Client Machine:
	Security ID: %5
	Account Name: %6
	Fully Qualified Account Name: %7
	OS-Version: %8
	Called Station Identifier: %9
	Calling Station Identifier: %10

NAS:
	NAS IPv4 Address: %11
	NAS IPv6 Address: %12
	NAS Identifier: %13
	NAS Port-Type: %14
	NAS Port: %15

RADIUS Client:
	Client Friendly Name: %16
	Client IP Address: %17

Authentication Details:
	Connection Request Policy Name: %18
	Network Policy Name: %19
	Authentication Provider: %20
	Authentication Server: %21
	Authentication Type: %22
	EAP Type: %23
	Account Session Identifier: %24

Quarantine Information:
	Result: %25
	Extended-Result: %26
	Session Identifier: %27
	Help URL: %28
	System Health Validator Result(s): %29

Fields #

Name	Description
`SubjectUserSid` SID	[User] Security ID
`SubjectUserName` UnicodeString	[User] Account Name
`SubjectDomainName` UnicodeString	[User] Account Domain
`FullyQualifiedSubjectUserName` UnicodeString	[User] Fully Qualified Account Name
`SubjectMachineSID` SID	[Client Machine] Security ID
`SubjectMachineName` UnicodeString	[Client Machine] Account Name
`FullyQualifiedSubjectMachineName` UnicodeString	[Client Machine] Fully Qualified Account Name
`MachineInventory` UnicodeString	[Client Machine] OS-Version
`CalledStationID` UnicodeString	[Client Machine] Called Station Identifier
`CallingStationID` UnicodeString	[Client Machine] Calling Station Identifier
`NASIPv4Address` UnicodeString	[NAS] NAS IPv4 Address
`NASIPv6Address` UnicodeString	[NAS] NAS IPv6 Address
`NASIdentifier` UnicodeString	[NAS] NAS Identifier
`NASPortType` UnicodeString	[NAS] NAS Port-Type
`NASPort` UnicodeString	[NAS] NAS Port
`ClientName` UnicodeString	[RADIUS Client] Client Friendly Name
`ClientIPAddress` UnicodeString	[RADIUS Client] Client IP Address
`ProxyPolicyName` UnicodeString	[Authentication Details] Connection Request Policy Name
`NetworkPolicyName` UnicodeString	[Authentication Details] Network Policy Name
`AuthenticationProvider` UnicodeString	[Authentication Details] Authentication Provider
`AuthenticationServer` UnicodeString	[Authentication Details] Authentication Server
`AuthenticationType` UnicodeString	[Authentication Details] Authentication Type
`EAPType` UnicodeString	[Authentication Details] EAP Type
`AccountSessionIdentifier` UnicodeString	[Authentication Details] Account Session Identifier
`QuarantineState` UnicodeString	[Quarantine Information] Result
`ExtendedQuarantineState` UnicodeString	[Quarantine Information] Extended-Result
`QuarantineSessionID` UnicodeString	[Quarantine Information] Session Identifier
`QuarantineHelpURL` UnicodeString	[Quarantine Information] Help URL
`QuarantineSystemHealthResult` UnicodeString	[Quarantine Information] System Health Validator Result(s)

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server

Event ID 6279: Network Policy Server locked the user account due to repeated failed authentication attempts.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Network Policy Server
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

Network Policy Server locked the user account due to repeated failed authentication attempts.

Message #

Network Policy Server locked the user account due to repeated failed authentication attempts.

User:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Fully Qualified Account Name: %4

Fields #

Name	Description
`SubjectUserSid` SID	[User] Security ID
`SubjectUserName` UnicodeString	[User] Account Name
`SubjectDomainName` UnicodeString	[User] Account Domain
`FullyQualifiedSubjectUserName` UnicodeString	[User] Fully Qualified Account Name

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6279
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server

Event ID 6280: Network Policy Server unlocked the user account.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Network Policy Server
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

Network Policy Server unlocked the user account.

Message #

Network Policy Server unlocked the user account.

User:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Fully Qualified Account Name: %4

Fields #

Name	Description
`SubjectUserSid` SID	[User] Security ID
`SubjectUserName` UnicodeString	[User] Account Name
`SubjectDomainName` UnicodeString	[User] Account Domain
`FullyQualifiedSubjectUserName` UnicodeString	[User] Fully Qualified Account Name

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server

Event ID 6281: Code Integrity determined that the page hashes of an image file are not valid.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → System Integrity
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. File Name: param1

Message #

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: %1

Fields #

Name	Description
`param1` UnicodeString	File Name

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "event_id": 6281,
    "level": 0,
    "task": 12290,
    "opcode": 0,
    "time_created": "2026-05-27T16:20:14.3413842+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Security"
  },
  "event_data": {
    "param1": "\\Device\\HarddiskVolume4\\Windows\\System32\\fcon.dll"
  }
}

Detection Patterns #

Stealth: Binary Padding

Security-Auditing Event ID 5038: Code integrity determined that the image hash of a file is not valid.OREvent ID 6281: Code Integrity determined that the page hashes of an image file are not valid.

1 rule

Sigma

Failed Code Integrity Checks (source)

Thomas Patzke

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity

Event ID 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Opcode: Info

Description

BranchCache: Received an incorrectly formatted response while discovering availability of content.

Message #

BranchCache: Received an incorrectly formatted response while discovering availability of content. 

IP address of the client that sent this response: %1

Fields #

Name	Description
`ClientIPAddress` UnicodeString	IP address of the client that sent this response

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6400
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events

Event ID 6401: BranchCache: Received invalid data from a peer.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Opcode: Info

Description

BranchCache: Received invalid data from a peer. Data discarded.

Message #

BranchCache: Received invalid data from a peer. Data discarded. 

IP address of the client that sent this data: %1

Fields #

Name	Description
`ClientIPAddress` UnicodeString	IP address of the client that sent this data

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events

Event ID 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Opcode: Info

Description

BranchCache: The message to the hosted cache offering it data is incorrectly formatted.

Message #

BranchCache: The message to the hosted cache offering it data is incorrectly formatted. 

IP address of the client that sent this message: %1

Fields #

Name	Description
`ClientIPAddress` UnicodeString	IP address of the client that sent this message

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events

Event ID 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Opcode: Info

Description

BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.

Message #

BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data. 

Domain name of the hosted cache is: %1

Fields #

Name	Description
`HostedCacheName` UnicodeString	Domain name of the hosted cache is

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6403
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events

Event ID 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Opcode: Info

Description

BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.

Message #

BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. 

Domain name of the hosted cache: %1
	
Error Code: %2

Fields #

Name	Description
`HostedCacheName` UnicodeString	Domain name of the hosted cache
`ErrorCode` UInt32	Error Code

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6404
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events

Event ID 6405: BranchCache: Count instance(s) of event id EventId occurred.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Opcode: Info

Description

BranchCache: Count instance(s) of event id EventId occurred.

Message #

BranchCache: %2 instance(s) of event id %1 occurred.

Fields #

Name	Description
`EventId` UInt32	instance(s) of event id
`Count` UInt32	BranchCache

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6405
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events

Event ID 6406: ProductName registered to Windows Firewall to control filtering for the following.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Opcode: Info

Description

ProductName registered to Windows Firewall to control filtering for the following.

Message #

%1 registered to Windows Firewall to control filtering for the following: 
%2.

Fields #

Name	Description
`ProductName` UnicodeString
`Categories` UnicodeString

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6406
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events

Event ID 6407: Firewall category unregistered: Message

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Opcode: Info

Description

Message

Message #

%1

Fields #

Name	Description
`Message` UnicodeString

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6407
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events

Event ID 6408: Registered product ProductName failed and Windows Firewall is now controlling the filtering for Categories.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Opcode: Info

Description

Registered product ProductName failed and Windows Firewall is now controlling the filtering for Categories.

Message #

Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.

Fields #

Name	Description
`ProductName` UnicodeString	Registered product
`Categories` UnicodeString	failed and Windows Firewall is now controlling the filtering for

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events

Event ID 6409: BranchCache: A service connection point object could not be parsed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → Other System Events
Opcode: Info

Description

BranchCache: A service connection point object could not be parsed.

Message #

BranchCache: A service connection point object could not be parsed. 

SCP object GUID: %1

Fields #

Name	Description
`GUID` UnicodeString	SCP object GUID

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events

Event ID 6410: Code integrity determined that a file does not meet the security requirements to load into a process.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: System → System Integrity
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues.

Message #

Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues.

File Name: %1

Fields #

Name	Description
`param1` UnicodeString	File Name

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity

Event ID 6416: A new external device was recognized by the system.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Detailed Tracking → Plug and Play Events
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

This event generates every time a new external device is recognized by a system.

Message #

A new external device was recognized by the system.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Class ID: %5

Vendor IDs: %6

Compatible IDs: %7

Location Information: %8

Fields #

Name	Description	Rules
`SubjectUserSid` SID	SID of account that registered the new device.
`SubjectUserName` UnicodeString	The name of the account that registered the new device.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`DeviceId` UnicodeString	"Device instance path" attribute of device.
`DeviceDescription` UnicodeString	"Device description" attribute of device.	4 detection rules
`ClassId` GUID	"Class Guid" attribute of device.
`ClassName` UnicodeString	Class Name.	1 detection rule
`VendorIds` UnicodeString	"Hardware Ids" attribute of device.
`CompatibleIds` UnicodeString	"Compatible Ids" attribute of device.
`LocationInformation` UnicodeString	"Location information" attribute of device.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 6416,
    "version": 1,
    "level": 0,
    "task": 13316,
    "opcode": 0,
    "keywords": -9214364837600034816,
    "time_created": "2026-05-29T16:33:58.4662298+00:00",
    "event_record_id": 1724262,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 1936
    },
    "channel": "Security",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "TELEMETRY-DC-A$",
    "SubjectDomainName": "cell-a",
    "SubjectLogonId": "0x3e7",
    "DeviceId": "SWD\\PRINTENUM\\{F1CCC35B-6BA0-41BE-B88E-DA82067D6391}",
    "DeviceDescription": "Microsoft Print to PDF",
    "ClassId": "{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}",
    "ClassName": "PrintQueue",
    "VendorIds": "\n\t\tPRINTENUM\\{084f01fa-e634-4d77-83ee-074817c03581}\n\t\tPRINTENUM\\LocalPrintQueue\n\t\t{084f01fa-e634-4d77-83ee-074817c03581}\n\t\t\n\t\t",
    "CompatibleIds": "\n\t\tGenPrintQueue\n\t\tSWD\\GenericRaw\n\t\tSWD\\Generic\n\t\t\n\t\t",
    "LocationInformation": "-"
  },
  "message": "A new external device was recognized by the system.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-A$\r\n\tAccount Domain:\t\tcell-a\r\n\tLogon ID:\t\t0x3E7\r\n\r\nDevice ID:\tSWD\\PRINTENUM\\{F1CCC35B-6BA0-41BE-B88E-DA82067D6391}\r\n\r\nDevice Name:\tMicrosoft Print to PDF\r\n\r\nClass ID:\t\t{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}\r\n\r\nClass Name:\tPrintQueue\r\n\r\nVendor IDs:\t\r\n\t\tPRINTENUM\\{084f01fa-e634-4d77-83ee-074817c03581}\r\n\t\tPRINTENUM\\LocalPrintQueue\r\n\t\t{084f01fa-e634-4d77-83ee-074817c03581}\r\n\t\t\r\n\t\t\r\n\r\nCompatible IDs:\t\r\n\t\tGenPrintQueue\r\n\t\tSWD\\GenericRaw\r\n\t\tSWD\\Generic\r\n\t\t\r\n\t\t\r\n\r\nLocation Information:\t-"
}

Detection Rules #

Sigma # view in coverage

External Disk Drive Or USB Storage Device Was Recognized By The System source low: Detects external disk drives or plugged-in USB devices.
SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) source high: Detects scenarios where an attacker exploit the PrintNightmare vulnerability by abusing the Windows print spooler using the service exposed by Gentilkiwi

Splunk # view in coverage

Removable Media Detected (Windows Event Log) source: Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of…

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6416
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-6416_v1.yml

Event ID 6417: The FIPS mode crypto selftests succeeded.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Opcode: Info

Description

The FIPS mode crypto selftests succeeded.

Message #

The FIPS mode crypto selftests succeeded.

	Process ID: %1
	Process Name: %2

Fields #

Name	Description
`ProcessId` Pointer	Process ID
`ProcessName` UnicodeString	Process Name

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "event_id": 6417,
    "level": 0,
    "task": 12290,
    "opcode": 0,
    "time_created": "2026-05-27T19:31:54.4018912+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Security"
  },
  "event_data": {
    "ProcessName": "C:\\Windows\\System32\\lsass.exe",
    "ProcessId": "0x3b0"
  }
}

Event ID 6418: The FIPS mode crypto selftests failed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Opcode: Info

Description

The FIPS mode crypto selftests failed.

Message #

The FIPS mode crypto selftests failed.

	Process ID: %1
	Process Name: %2
	Failed test code: %3

Fields #

Name	Description
`ProcessId` Pointer	Process ID
`ProcessName` UnicodeString	Process Name
`FatalCode` UInt32	Failed test code

Event ID 6419: A request was made to disable a device.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Detailed Tracking → Plug and Play Events
Collection Priority: Recommended (Yamato Security)
Opcode: Info

Description

This event generates every time when someone made a request to disable a device.

Message #

A request was made to disable a device.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Device ID: %5

Device Name: %6

Class ID: %7

Class Name: %8

Hardware IDs: %9

Compatible IDs: %10

Location Information: %11

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that made the request.
`SubjectUserName` UnicodeString	The name of the account that made the request.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`DeviceId` UnicodeString	"Device instance path" attribute of device.
`DeviceDescription` UnicodeString	"Device description" attribute of device.
`ClassId` GUID	"Class Guid" attribute of device.
`ClassName` UnicodeString	Class Name.
`HardwareIds` UnicodeString	"Hardware Ids" attribute of device.
`CompatibleIds` UnicodeString	"Compatible Ids" attribute of device.
`LocationInformation` UnicodeString	"Location information" attribute of device.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 6419,
    "version": 0,
    "level": 0,
    "task": 13316,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:18:51.247229+00:00",
    "event_record_id": 16259082,
    "correlation": {},
    "execution": {
      "process_id": 6984,
      "thread_id": 9864
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xa981e",
    "DeviceId": "PCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00\\3&267A616A&0&90",
    "DeviceDescription": "Red Hat VirtIO Ethernet Adapter",
    "ClassId": "4D36E972-E325-11CE-BFC1-08002BE10318",
    "ClassName": "Net",
    "HardwareIds": "\r\n\t\tPCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00\r\n\t\tPCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4\r\n\t\tPCI\\VEN_1AF4&DEV_1000&CC_020000\r\n\t\tPCI\\VEN_1AF4&DEV_1000&CC_0200\r\n\t\t\r\n\t\t",
    "CompatibleIds": "\r\n\t\tPCI\\VEN_1AF4&DEV_1000&REV_00\r\n\t\tPCI\\VEN_1AF4&DEV_1000\r\n\t\tPCI\\VEN_1AF4&CC_020000\r\n\t\tPCI\\VEN_1AF4&CC_0200\r\n\t\tPCI\\VEN_1AF4\r\n\t\tPCI\\CC_020000\r\n\t\tPCI\\CC_0200\r\n\t\t\r\n\t\t",
    "LocationInformation": "-"
  },
  "message": ""
}

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-6419.yml

Event ID 6420: A device was disabled.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Detailed Tracking → Plug and Play Events
Collection Priority: Recommended (Yamato Security)
Opcode: Info

Description

This event generates every time specific device was disabled.

Message #

A device was disabled.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Device ID: %5

Device Name: %6

Class ID: %7

Class Name: %8

Hardware IDs: %9

Compatible IDs: %10

Location Information: %11

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that disabled the device.
`SubjectUserName` UnicodeString	The name of the account that disabled the device.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`DeviceId` UnicodeString	"Device instance path" attribute of device.
`DeviceDescription` UnicodeString	"Device description" attribute of device.
`ClassId` GUID	"Class Guid" attribute of device.
`ClassName` UnicodeString	Class Name.
`HardwareIds` UnicodeString	"Hardware Ids" attribute of device.
`CompatibleIds` UnicodeString	"Compatible Ids" attribute of device.
`LocationInformation` UnicodeString	"Location information" attribute of device.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 6420,
    "version": 0,
    "level": 0,
    "task": 13316,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-11T06:32:01.859671+00:00",
    "event_record_id": 2461244,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 356
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "LAB-WIN11$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "DeviceId": "ROOT\\VMS_VSMP\\0000",
    "DeviceDescription": "Hyper-V Virtual Switch Extension Adapter",
    "ClassId": "4D36E972-E325-11CE-BFC1-08002BE10318",
    "ClassName": "Net",
    "HardwareIds": "\r\n\t\tvms_vsmp\r\n\t\t\r\n\t\t",
    "CompatibleIds": "-",
    "LocationInformation": "-"
  },
  "message": ""
}

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-6420.yml

Event ID 6421: A request was made to enable a device.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Detailed Tracking → Plug and Play Events
Collection Priority: Recommended (Yamato Security)
Opcode: Info

Description

This event generates every time when someone made a request to enable a device.

Message #

A request was made to enable a device.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Device ID: %5

Device Name: %6

Class ID: %7

Class Name: %8

Hardware IDs: %9

Compatible IDs: %10

Location Information: %11

Fields #

Name	Description
`SubjectUserSid` SID	"Location information" attribute of device.
`SubjectUserName` UnicodeString	The name of the account that made the request.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`DeviceId` UnicodeString	"Device instance path" attribute of device.
`DeviceDescription` UnicodeString	"Device description" attribute of device.
`ClassId` GUID	"Class Guid" attribute of device.
`ClassName` UnicodeString	Class Name.
`HardwareIds` UnicodeString	"Hardware Ids" attribute of device.
`CompatibleIds` UnicodeString	"Compatible Ids" attribute of device.
`LocationInformation` UnicodeString	"Location information" attribute of device.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 6421,
    "version": 0,
    "level": 0,
    "task": 13316,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-13T20:18:54.348192+00:00",
    "event_record_id": 16267789,
    "correlation": {},
    "execution": {
      "process_id": 6984,
      "thread_id": 6948
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "SubjectUserName": "domainadmin",
    "SubjectDomainName": "ludus",
    "SubjectLogonId": "0xa981e",
    "DeviceId": "PCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00\\3&267A616A&0&90",
    "DeviceDescription": "Red Hat VirtIO Ethernet Adapter",
    "ClassId": "4D36E972-E325-11CE-BFC1-08002BE10318",
    "ClassName": "Net",
    "HardwareIds": "\r\n\t\tPCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00\r\n\t\tPCI\\VEN_1AF4&DEV_1000&SUBSYS_00011AF4\r\n\t\tPCI\\VEN_1AF4&DEV_1000&CC_020000\r\n\t\tPCI\\VEN_1AF4&DEV_1000&CC_0200\r\n\t\t\r\n\t\t",
    "CompatibleIds": "\r\n\t\tPCI\\VEN_1AF4&DEV_1000&REV_00\r\n\t\tPCI\\VEN_1AF4&DEV_1000\r\n\t\tPCI\\VEN_1AF4&CC_020000\r\n\t\tPCI\\VEN_1AF4&CC_0200\r\n\t\tPCI\\VEN_1AF4\r\n\t\tPCI\\CC_020000\r\n\t\tPCI\\CC_0200\r\n\t\t\r\n\t\t",
    "LocationInformation": "-"
  },
  "message": ""
}

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-6421.yml

Event ID 6422: A device was enabled.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Detailed Tracking → Plug and Play Events
Collection Priority: Recommended (Yamato Security)
Opcode: Info

Description

This event generates every time specific device was enabled.

Message #

A device was enabled.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Device ID: %5

Device Name: %6

Class ID: %7

Class Name: %8

Hardware IDs: %9

Compatible IDs: %10

Location Information: %11

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that enabled the device.
`SubjectUserName` UnicodeString	The name of the account that enabled the device.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`DeviceId` UnicodeString	"Device instance path" attribute of device.
`DeviceDescription` UnicodeString	"Device description" attribute of device.
`ClassId` GUID	"Class Guid" attribute of device.
`ClassName` UnicodeString	Class Name.
`HardwareIds` UnicodeString	"Hardware Ids" attribute of device.
`CompatibleIds` UnicodeString	"Compatible Ids" attribute of device.
`LocationInformation` UnicodeString	"Location information" attribute of device.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 6422,
    "version": 0,
    "level": 0,
    "task": 13316,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-11T06:32:01.861463+00:00",
    "event_record_id": 2461246,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 3728
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "LAB-WIN11$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "DeviceId": "ROOT\\VMS_VSMP\\0000",
    "DeviceDescription": "Hyper-V Virtual Switch Extension Adapter",
    "ClassId": "4D36E972-E325-11CE-BFC1-08002BE10318",
    "ClassName": "Net",
    "HardwareIds": "\r\n\t\tvms_vsmp\r\n\t\t\r\n\t\t",
    "CompatibleIds": "-",
    "LocationInformation": "-"
  },
  "message": ""
}

Community Notes #

May indicate removable storage or network adapters to stage tools or exfiltrate data.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity
OSSEM Data Dictionary https://github.com/OTRF/OSSEM-DD/blob/main/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-6422.yml

Event ID 6423: The installation of this device is forbidden by system policy.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Detailed Tracking → Plug and Play Events
Collection Priority: Recommended (Yamato Security)
Opcode: Info

Description

The installation of this device is forbidden by system policy.

Message #

The installation of this device is forbidden by system policy.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Device ID: %5

Device Name: %6

Class ID: %7

Class Name: %8

Hardware IDs: %9

Compatible IDs: %10

Location Information: %11

Fields #

Name	Description
`SubjectUserSid` SID	SID of account that forbids the device installation.
`SubjectUserName` UnicodeString	The name of the account that forbids the device installation.
`SubjectDomainName` UnicodeString	Subject's domain or computer name.
`SubjectLogonId` HexInt64	Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "4624: An account was successfully logged on."
`DeviceId` UnicodeString	"Device instance path" attribute of device.
`DeviceDescription` UnicodeString	"Device description" attribute of device.
`ClassId` GUID	"Class Guid" attribute of device.
`ClassName` UnicodeString	Class Name.
`HardwareIds` UnicodeString	"Hardware Ids" attribute of device.
`CompatibleIds` UnicodeString	"Compatible Ids" attribute of device.
`LocationInformation` UnicodeString	"Location information" attribute of device.

Detection Rules #