Press ESC to clear
ADVERTISEMENT / SPONSORED RESERVATION (728x90)
| Event ID | Event Definition & Root Cause Analysis (Primary Hierarchy) | Category & Applicability (Secondary Hierarchy) | Inspect Details |
|---|---|---|---|
| 307 | Windows Defender Application Control (`WDAC` / Code Integrity) blocked or audited an unsigned/unapproved driver or DLL. // Failure Reason / Root Cause:Driver/DLL failed digital signature or WDAC policy check (`FileName` & `SHA256 Hash`). | Category:Code Integrity Audit Type:Failure Audit Severity:Critical OS:Windows Server / Client | |
| 400 | The PowerShell host engine (`powershell.exe` or runspace host) initialized and started execution. // Failure Reason / Root Cause:PowerShell runspace engine initialization (`HostApplication` command line shown). | Category:PowerShell Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 800 | A PowerShell command pipeline began execution (`Windows PowerShell` log). // Failure Reason / Root Cause:Pipeline execution initiated (`HostApplication` & command summary captured). | Category:PowerShell Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 1006 | Windows Defender Antivirus real-time protection detected malware, trojans, or exploit artifacts on the endpoint. // Failure Reason / Root Cause:Malware signature or behavioral detection triggered by Windows Defender real-time scanner. | Category:Windows Defender Audit Type:Failure Audit Severity:High OS:Windows Server / Client | |
| 1100 | The event logging service has shut down normally or unexpectedly. // Failure Reason / Root Cause:System shutdown, scheduled reboot, or malicious tampering attempting to terminate logging pipelines prior to lateral movement. | Category:Event Log Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 1101 | Audit events have been dropped by the real-time event log backup or transport pipeline. // Failure Reason / Root Cause:Log storage disk saturation, extreme event flooding by an adversary or malfunctioning service, or slow SIEM agent ingestion. | Category:Event Log Audit Type:Success Audit Severity:Critical OS:Windows Server / Client | |
| 1102 | The audit log was cleared. Indicates that the Windows Security Event Log was wiped clean. // Failure Reason / Root Cause:Legitimate IT maintenance during re-baselining, or malicious anti-forensics defense evasion by an adversary covering tracks. | Category:Event Log Audit Type:Success Audit Severity:Critical OS:Windows Server / Client | |
| 1104 | The security log is now full. When the security log reaches maximum capacity and is configured to 'Do not overwrite events', no new security events can be recorded. // Failure Reason / Root Cause:Improper event log retention policy configuration, log storage capacity limits reached, or intentional log flooding by an adversary. | Category:Event Log Audit Type:Success Audit Severity:Critical OS:Windows Server / Client | |
| 1105 | The security event log was automatically archived and cleared based on retention policy. // Failure Reason / Root Cause:Standard automated log rotation and archiving behavior configured via Group Policy. | Category:Event Log Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 1108 | The event logging service encountered a critical error processing telemetry. // Failure Reason / Root Cause:Corrupt event manifest registration, disk I/O errors, or malformed third-party provider events. | Category:Event Log Audit Type:Failure Audit Severity:Medium OS:Windows Server / Client | |
| 1116 | Windows Defender detected malware and started automatic remediation (`Quarantine` / `Remove`). // Failure Reason / Root Cause:Antivirus detection remediation process initiated against `Threat Name`. | Category:Windows Defender Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 1117 | Windows Defender successfully quarantined, cleaned, or deleted detected malware. // Failure Reason / Root Cause:Successful execution of antivirus remediation action on detected threat. | Category:Windows Defender Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4103 | PowerShell Module Logging recorded command invocation and parameter binding within a pipeline. // Failure Reason / Root Cause:PowerShell pipeline execution inside an audited module (`ScriptBlock ID` & `CommandInvocation`). | Category:PowerShell Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4104 | PowerShell Script Block Logging recorded the complete, un-obfuscated code block of an executing script. // Failure Reason / Root Cause:Execution of PowerShell script block (`ScriptBlock ID` & `ScriptBlockText` captured). | Category:PowerShell Audit Type:Success Audit Severity:Critical OS:Windows Server / Client | |
| 4608 | Windows is starting up. Indicates initialization of the Local Security Authority (LSASS). // Failure Reason / Root Cause:Normal operating system startup, hardware power cycle, or reboot after updates or unauthorized modifications. | Category:System Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 4609 | Windows is shutting down. Documents termination of the Local Security Authority LSASS. // Failure Reason / Root Cause:Admin-initiated reboot, automated patch management reboot, or attacker-initiated system restart. | Category:System Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 4610 | An authentication DLL/package was loaded into the LSA space during boot or runtime. // Failure Reason / Root Cause:Custom authentication package registration or security provider injection (`SSP/AP`). | Category:System Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4611 | A process registered with LSA as a trusted logon process (`SeTcbPrivilege`). // Failure Reason / Root Cause:Trusted logon process registration with the LSA (`SeTcbPrivilege` exercised). | Category:System Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4614 | A password filter DLL (`Notification Package`) was loaded by the SAM. // Failure Reason / Root Cause:Password filter notification DLL loaded by LSA/SAM during service startup. | Category:System Audit Type:Success Audit Severity:Critical OS:Windows Server / Client | |
| 4616 | The system time was changed manually or via NTP synchronization. // Failure Reason / Root Cause:Normal NTP time synchronization (`w32time`), CMOS battery failure, or malicious clock tampering to confuse forensic timeline analysis. | Category:System Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4621 | An administrator recovered the system from the CrashOnAuditFail state. // Failure Reason / Root Cause:Recovery procedure after strict high-security audit capacity limits caused an intentional kernel panic. | Category:System Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4622 | A security package (SSP/AP) was loaded by LSASS. // Failure Reason / Root Cause:Normal operating system boot loading core providers, or attacker credential dumping via malicious SSP injection. | Category:System Audit Type:Success Audit Severity:Critical OS:Windows Server / Client | |
| 4624 | An account was successfully logged on. Indicates a successful authentication and session creation on the target machine. // Failure Reason / Root Cause:Normal user or service logon activity, scheduled task execution, system startup, or remote desktop (RDP) session initiation. | Category:Logon/Logoff Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 4625 | An account failed to log on. Documents unsuccessful authentication attempts along with the failure reason code (e.g., 0xC000006D / 0xC000006A for incorrect password). // Failure Reason / Root Cause:Expired or invalid credentials, brute-force or password spraying attacks, or misconfigured automated service accounts. | Category:Logon/Logoff Audit Type:Failure Audit Severity:High OS:Windows Server / Client | |
| 4634 | An account was logged off. Indicates that an existing authentication session was terminated or destroyed. // Failure Reason / Root Cause:User explicit logoff, RDP disconnection, automated service completion, or system shutdown. | Category:Logon/Logoff Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 4635 | A user session encountered an error or access denied condition when attempting to terminate. // Failure Reason / Root Cause:Authentication package teardown error or handle retention failure during logoff. | Category:Logon/Logoff Audit Type:Failure Audit Severity:Low OS:Windows Server / Client | |
| 4647 | A user explicitly initiated a logoff sequence from the console or remote desktop. // Failure Reason / Root Cause:User console logout or interactive RDP logoff action. | Category:Logon/Logoff Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 4648 | A logon was attempted using explicit credentials (e.g., RunAs command or network authentication with alternate account). // Failure Reason / Root Cause:IT administrative `RunAs` actions, scheduled tasks with stored passwords, or attacker lateral movement using stolen credentials. | Category:Logon/Logoff Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4649 | Kerberos or NTLM authentication detected a replayed authenticator or ticket. // Failure Reason / Root Cause:Duplicate Kerberos ticket/authenticator detected by domain controller replay cache. | Category:Logon/Logoff Audit Type:Success Audit Severity:Critical OS:Windows Server / Client | |
| 4656 | A process requested access rights to a file, registry key, kernel object, or service. // Failure Reason / Root Cause:File server access, registry modification attempts, or attacker attempting to open handles to critical system files (`SAM`, `SYSTEM` hives). | Category:Object Access Audit Type:Success / Failure Audit Severity:Medium OS:Windows Server / Client | |
| 4657 | A registry key value was created, altered, or deleted within an audited registry path. // Failure Reason / Root Cause:Registry modification on an audited key (e.g., Run keys, LSA configurations, Service keys). | Category:Object Access Audit Type:Success / Failure Audit Severity:High OS:Windows Server / Client | |
| 4658 | An open handle to a file, registry key, kernel object, or process was released. // Failure Reason / Root Cause:Object handle closure following read, write, or access completion. | Category:Object Access Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 4660 | An object (file, registry key) was deleted from the filesystem or registry. // Failure Reason / Root Cause:File deletion, temporary installer cleanup, or ransomware/attacker deleting logs and shadow copies. | Category:Object Access Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4662 | Access or replication operation performed against an Active Directory directory object (`DS-Replication-Get-Changes`). // Failure Reason / Root Cause:Normal domain controller replication between authorized DCs, or **DCSync** attack executed by a compromised user/computer identity (`mimikatz lsadump::dcsync`). | Category:Directory Service Access Audit Type:Success / Failure Audit Severity:Critical OS:Windows Server / Client | |
| 4663 | Specific access (Read, Write, Delete) was performed on a file, registry key, or pipe. // Failure Reason / Root Cause:User opening/editing files on network shares, or unauthorized exfiltration/encryption of sensitive financial folders. | Category:Object Access Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4664 | A process attempted to create an NTFS hard link between two file paths. // Failure Reason / Root Cause:NTFS hard link creation attempt (`LinkName` pointing to `ObjectName`). | Category:Object Access Audit Type:Success / Failure Audit Severity:Medium OS:Windows Server / Client | |
| 4670 | SACLs or DACLs on a file, registry key, or system object were modified. // Failure Reason / Root Cause:IT permission adjustments, or attacker weakening DACLs on `C:\Windows\System32\` files to replace system executables. | Category:Object Access Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4672 | Special privileges assigned to new logon. Indicates that an account logged on with administrative or high-level system privileges. // Failure Reason / Root Cause:Administrator interactive/network logon, service execution with `LocalSystem` or `NetworkService` rights, or attacker credential exploitation. | Category:Privilege Use Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4673 | A process requested and exercised a sensitive privilege (e.g., `SeBackupPrivilege`, `SeTcbPrivilege`). // Failure Reason / Root Cause:Sensitive token privilege exercised during API call (`PrivilegeList`). | Category:Privilege Use Audit Type:Success / Failure Audit Severity:High OS:Windows Server / Client | |
| 4674 | An operation requiring sensitive privileges was attempted on a secured kernel object. // Failure Reason / Root Cause:Privileged operation attempted on secured system or process object. | Category:Privilege Use Audit Type:Success / Failure Audit Severity:High OS:Windows Server / Client | |
| 4688 | A new process has been created on the system. Tracks process execution, creator process ID (parent process), and full command-line arguments when enabled. // Failure Reason / Root Cause:Standard operating system process launches, application execution, script execution (`powershell.exe`, `cmd.exe`), or malicious payload detonation. | Category:Process Tracking Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 4689 | A process terminated normally or was killed. // Failure Reason / Root Cause:Application closure, script termination, or process kill commands (`taskkill.exe`). | Category:Process Tracking Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 4692 | DPAPI backup master key recovery attempted. // Failure Reason / Root Cause:DPAPI key extraction. | Category:Data Protection (DPAPI) Audit Type:Success / Failure Audit Severity:Info OS:Windows Server / Client | |
| 4693 | An attempt was made to recover a DPAPI backup protection master key. // Failure Reason / Root Cause:DPAPI backup master key retrieval request executed against Domain Controller. | Category:Credential Management Audit Type:Success / Failure Audit Severity:Critical OS:Windows Server / Client | |
| 4697 | A service was installed in the system. Logs the service name, service file name (binary path), and service start type. // Failure Reason / Root Cause:Standard software installation, IT remote administration tools (e.g., PsExec), or attacker persistence and lateral movement service creation. | Category:System Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4698 | A scheduled task was created on the system. Contains the full XML task definition including actions, triggers, and execution account. // Failure Reason / Root Cause:System software updates, automated backup tasks, or attacker persistence mechanism establishing scheduled code execution. | Category:Object Access / Task Scheduler Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4699 | An existing scheduled task was deleted from Task Scheduler. // Failure Reason / Root Cause:Task expiration, uninstaller cleanup, or attacker covering tracks. | Category:Object Access / Task Scheduler Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4700 | A disabled scheduled task was enabled (`schtasks /change /enable`). // Failure Reason / Root Cause:Task activation. | Category:Object Access / Task Scheduler Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4701 | A scheduled task was disabled (`schtasks /change /disable`). // Failure Reason / Root Cause:Task deactivation or attacker disabling security scanning cron jobs. | Category:Object Access / Task Scheduler Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4702 | An existing scheduled task definition was modified (`schtasks /change`). // Failure Reason / Root Cause:Software update modifying task schedules, or attacker hijacking trusted scheduled tasks (`task hijacking`). | Category:Object Access / Task Scheduler Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4703 | Privileges were enabled or disabled inside an existing access token. // Failure Reason / Root Cause:Token privilege modification (`AdjustTokenPrivileges` called by `ProcessName`). | Category:Privilege Use Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4704 | A user right was assigned to an account or group via Local Security Policy or Group Policy. // Failure Reason / Root Cause:Group Policy rollout, database/service account configuration, or malicious local policy tampering for privilege escalation. | Category:Policy Change Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4705 | A user right was revoked or removed from an account or group. // Failure Reason / Root Cause:Security policy re-hardening or compliance audit cleanup. | Category:Policy Change Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 4713 | Domain Kerberos ticket lifetime, renewal, or clock skew settings were altered. // Failure Reason / Root Cause:Modification of domain Kerberos policy values via domain security policy. | Category:Policy Change Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4716 | Active Directory trust properties, SID filtering, or direction settings were updated. // Failure Reason / Root Cause:Modification of domain trust object (`TrustedDomainName` properties updated). | Category:Policy Change Audit Type:Success Audit Severity:Critical OS:Windows Server / Client | |
| 4717 | An account was granted a User Right Assignment (`Logon right` or `Privilege`) across local or domain policy. // Failure Reason / Root Cause:User right assignment granted (`Access Right` granted to `TargetSid`). | Category:Policy Change Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4718 | An account had a User Right Assignment (`Logon right` or `Privilege`) revoked. // Failure Reason / Root Cause:User right assignment revoked from `TargetSid`. | Category:Policy Change Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4719 | System audit policy was changed on the machine. Documents enabling or disabling of specific audit categories. // Failure Reason / Root Cause:Group Policy audit policy updates, administrative re-configuration, or attacker defense evasion turning off auditing. | Category:Policy Change Audit Type:Success Audit Severity:Critical OS:Windows Server / Client | |
| 4720 | A user account was created in Active Directory or the local Security Accounts Manager (SAM). // Failure Reason / Root Cause:Routine administrative onboarding, automated provisioning scripts, or unauthorized persistence establishment by a malicious actor creating a backdoor account. | Category:Account Management Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4722 | A previously disabled user account was enabled in Active Directory or local SAM. // Failure Reason / Root Cause:HR employee re-activation, IT troubleshooting, or attacker activating dormant/backdoor accounts. | Category:Account Management Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4723 | A user attempted to change their own password. // Failure Reason / Root Cause:Routine password rotation by user. | Category:Account Management Audit Type:Success / Failure Audit Severity:Info OS:Windows Server / Client | |
| 4724 | An administrator attempted to reset the password for another user account. // Failure Reason / Root Cause:Helpdesk password reset request, or unauthorized administrative takeover of accounts via forced password reset. | Category:Account Management Audit Type:Success / Failure Audit Severity:High OS:Windows Server / Client | |
| 4725 | A user account was disabled in Active Directory or local SAM. // Failure Reason / Root Cause:HR termination offboarding, compliance lockout, or administrative cleanup. | Category:Account Management Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 4726 | A user account was permanently deleted from Active Directory or local SAM. // Failure Reason / Root Cause:Routine directory cleanup, or malicious account destruction and anti-forensics. | Category:Account Management Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4728 | A member was added to a security-enabled global group in Active Directory (e.g., Domain Admins, Enterprise Admins). // Failure Reason / Root Cause:Authorized IT administrative role assignment, privileged access management workflows, or attacker privilege escalation. | Category:Account Management Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4729 | A member was removed from an Active Directory global security group. // Failure Reason / Root Cause:Role revocation, offboarding, or administrative cleanup. | Category:Account Management Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4730 | A user or computer account was removed from an AD Global Security Group (`Domain Admins`, etc.). // Failure Reason / Root Cause:Removal of `MemberName` from global group `TargetUserName` by `SubjectUserName`. | Category:Account Management Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4731 | A new local security group or AD Domain Local group was created. // Failure Reason / Root Cause:Creation of new security local group (`TargetUserName`). | Category:Account Management Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4732 | A member was added to a security-enabled local group (e.g., local Administrators, Remote Desktop Users). // Failure Reason / Root Cause:Endpoint administrative support actions, domain group policy deployment, or malicious local privilege elevation. | Category:Account Management Audit Type:Success Audit Severity:Critical OS:Windows Server / Client | |
| 4733 | A member was removed from a local security group (e.g., local Administrators). // Failure Reason / Root Cause:Administrative access revocation or Group Policy enforcement removing unauthorized local administrators. | Category:Account Management Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4734 | An existing local security group or AD Domain Local group was deleted. // Failure Reason / Root Cause:Deletion of security local group (`TargetUserName`) by `SubjectUserName`. | Category:Account Management Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4735 | Properties of a local security group or AD Domain Local group (`SAM Account Name`, `Description`, `Group Type`) were altered. // Failure Reason / Root Cause:Modification of local/domain local group attributes (`TargetUserName`). | Category:Account Management Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4737 | Properties of an AD Global Security Group (`Domain Admins`, etc.) were modified. // Failure Reason / Root Cause:Modification of AD global security group properties (`TargetUserName`). | Category:Account Management Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4738 | User account attributes (`UserAccountControl`, SPN, logon hours, profile paths) were modified. // Failure Reason / Root Cause:Helpdesk profile updates, or attacker setting `DONT_EXPIRE_PASSWORD` / adding SPNs to backdoor accounts. | Category:Account Management Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4739 | Domain password policy, account lockout thresholds, or Kerberos settings were modified. // Failure Reason / Root Cause:Modification of domain account/lockout security policy (`Domain Policy`). | Category:Policy Change Audit Type:Success Audit Severity:Critical OS:Windows Server / Client | |
| 4740 | A user account was locked out after exceeding the configured threshold of consecutive failed logon attempts. // Failure Reason / Root Cause:Repeated authentication failures from cached old passwords on mobile/remote devices, aggressive brute-force attacks, or credential stuffing. | Category:Account Management Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4754 | A new AD Universal Security Group was created across the forest. // Failure Reason / Root Cause:Creation of universal security group (`TargetUserName`) by `SubjectUserName`. | Category:Account Management Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4755 | Properties of an AD Universal Security Group (`GroupType`, `SAM Account Name`) were altered. // Failure Reason / Root Cause:Modification of AD universal security group attributes (`TargetUserName`). | Category:Account Management Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4756 | A member was added to a security-enabled universal group within Active Directory. // Failure Reason / Root Cause:Cross-domain forest administration, enterprise restructuring, or attacker forest-wide lateral movement preparation. | Category:Account Management Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4757 | A user, group, or computer was removed from an AD Universal Security Group (`Enterprise Admins`, etc.). // Failure Reason / Root Cause:Removal of `MemberName` from universal group `TargetUserName` by `SubjectUserName`. | Category:Account Management Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4758 | An existing AD Universal Security Group was deleted. // Failure Reason / Root Cause:Deletion of universal security group (`TargetUserName`) by `SubjectUserName`. | Category:Account Management Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4764 | The scope or classification (`GroupType`) of an AD group was converted (e.g., Security to Distribution, Global to Universal). // Failure Reason / Root Cause:Conversion of AD group type (`GroupType` changed on `TargetUserName`). | Category:Account Management Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4767 | A previously locked-out user account was unlocked by an administrator or self-service portal. // Failure Reason / Root Cause:Helpdesk unlocking account following false-positive lockout or user verification. | Category:Account Management Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4768 | A Kerberos Ticket Granting Ticket (TGT) was requested from the Domain Controller KDC. // Failure Reason / Root Cause:Initial user domain login, or Kerberos password spraying (`Result Code: 0x18`). | Category:Kerberos Audit Type:Success / Failure Audit Severity:Medium OS:Windows Server / Client | |
| 4769 | A Kerberos service ticket (TGS) was requested from the Domain Controller Key Distribution Center (KDC). // Failure Reason / Root Cause:Normal domain resource authentication, or Kerberoasting attacks targeting Service Principal Names (SPNs) for offline password cracking. | Category:Kerberos Audit Type:Success / Failure Audit Severity:High OS:Windows Server / Client | |
| 4770 | A Kerberos service ticket (TGS) was renewed by the KDC prior to expiration. // Failure Reason / Root Cause:Standard Kerberos ticket lifecycle renewal for long-running sessions. | Category:Kerberos Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 4771 | Kerberos pre-authentication verification failed (`bad password or AS-REP Roasting attempt`). // Failure Reason / Root Cause:User mistyping domain password, brute-force attacks, or AS-REP Roasting attempts against vulnerable accounts. | Category:Kerberos Audit Type:Failure Audit Severity:High OS:Windows Server / Client | |
| 4776 | The computer attempted to validate credentials using NTLM authentication package via domain or local accounts. // Failure Reason / Root Cause:Legacy application authentication, SMB/file share access over NTLM, or active NTLM credential stuffing / Pass-the-Hash attacks. | Category:Logon/Logoff Audit Type:Success / Failure Audit Severity:Medium OS:Windows Server / Client | |
| 4778 | An existing Remote Desktop (RDP) or Fast User Switching session was reconnected. // Failure Reason / Root Cause:User resuming an RDP session after network drop or lock screen, or attacker reconnecting to a hijacked RDP session. | Category:Logon/Logoff Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4779 | An existing Remote Desktop (RDP) or terminal session was disconnected without logging off. // Failure Reason / Root Cause:User closing RDP window without explicit logoff or network interruption. | Category:Logon/Logoff Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 4781 | A user account or computer account (`sAMAccountName`) was renamed. // Failure Reason / Root Cause:Account rename operation (`OldTargetUserName` renamed to `NewTargetUserName`). | Category:Account Management Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4798 | A process enumerated the local security groups to which a specific user belongs. // Failure Reason / Root Cause:Local user group membership enumeration API call executed by `ProcessName`. | Category:Account Management Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4799 | A process enumerated the members of a local security group (`Administrators`, `Remote Desktop Users`, etc.). // Failure Reason / Root Cause:Local group membership listing API call executed against `TargetUserName` (e.g., `Administrators`). | Category:Account Management Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4800 | The workstation screen was locked (`Win+L` or timeout). // Failure Reason / Root Cause:User pressing `Win+L`, screensaver timeout, or automated security inactivity enforcement. | Category:Logon/Logoff Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 4801 | The workstation screen was unlocked following successful authentication. // Failure Reason / Root Cause:User unlocking screen after entering password/PIN/smartcard. | Category:Logon/Logoff Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 4802 | The screensaver was activated on the workstation. // Failure Reason / Root Cause:Screensaver activation policy. | Category:Logon/Logoff Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 4803 | The screensaver was dismissed by user mouse movement or keyboard input. // Failure Reason / Root Cause:User resuming activity. | Category:Logon/Logoff Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 4817 | A System Access Control List (SACL) on an object (`File`, `Registry`, `Service`) was modified. // Failure Reason / Root Cause:Modification of SACL security descriptor on `ObjectName`. | Category:Policy Change Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4886 | A user, computer, or process submitted a certificate enrollment request to AD CS (`PKI`). // Failure Reason / Root Cause:Certificate enrollment request (`Request ID`) submitted to AD CS Certificate Authority. | Category:Active Directory Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4887 | AD CS approved and issued an X.509 certificate based on a submitted template request. // Failure Reason / Root Cause:X.509 certificate issued (`Request ID`) by Certificate Authority service. | Category:Active Directory Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4888 | AD CS rejected a certificate enrollment request due to policy or template restriction. // Failure Reason / Root Cause:Certificate enrollment request denied by CA policy or permission check (`Disposition message`). | Category:Active Directory Audit Type:Failure Audit Severity:Medium OS:Windows Server / Client | |
| 4898 | AD CS loaded an updated or newly created certificate template into the CA. // Failure Reason / Root Cause:Certificate template loaded into AD CS memory/configuration during CA operation. | Category:Active Directory Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4902 | A per-user audit policy (`AuditPol /set /user:...`) was established or initialized. // Failure Reason / Root Cause:Initialization of per-user audit policy (`AuditPol` per-user table created). | Category:Policy Change Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4907 | A System Access Control List (SACL) security descriptor on an audited object was updated. // Failure Reason / Root Cause:SACL security descriptor modification (`Security Descriptor` updated on `ObjectName`). | Category:Policy Change Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4912 | A per-user audit policy setting was altered (`AuditPol /set /user:...`). // Failure Reason / Root Cause:Modification of per-user audit policy (`TargetSid` policy altered by `SubjectSid`). | Category:Policy Change Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4944 | A new local or Group Policy firewall rule was added to the Windows Filtering Platform (`WFP`). // Failure Reason / Root Cause:Windows Firewall rule creation (`RuleName` added allowing/blocking traffic). | Category:Windows Firewall Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4946 | A rule was added to the Windows Firewall exception list allowing specific applications or ports. // Failure Reason / Root Cause:Firewall exception rule added (`Application Path` / `Port` allowed through firewall). | Category:Windows Firewall Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 4948 | An existing firewall rule or exception was removed from the Windows Firewall configuration. // Failure Reason / Root Cause:Deletion of Windows Firewall rule (`RuleName` removed by `SubjectUserName`). | Category:Windows Firewall Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 4950 | Global Windows Firewall profile behavior (`Domain`, `Private`, `Public` profiles enabled/disabled) was altered. // Failure Reason / Root Cause:Windows Firewall profile configuration changed (`EnableFirewall` toggled). | Category:Windows Firewall Audit Type:Success Audit Severity:Critical OS:Windows Server / Client | |
| 4964 | Special groups (`Auditpol Special Groups`) were assigned to an authenticating session. // Failure Reason / Root Cause:High-value identity authentication tracked via Special Groups monitoring. | Category:Logon/Logoff Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 5001 | Real-time virus and threat protection scanning was turned off (`DisableRealtimeMonitoring`). // Failure Reason / Root Cause:Disabling of Defender real-time protection engine (`DisableRealtimeMonitoring`). | Category:Windows Defender Audit Type:Failure Audit Severity:Critical OS:Windows Server / Client | |
| 5004 | Configuration parameters for real-time threat scanning were altered. // Failure Reason / Root Cause:Modification of real-time protection configuration parameters (`New Value` shown). | Category:Windows Defender Audit Type:Failure Audit Severity:High OS:Windows Server / Client | |
| 5007 | General Windows Defender settings, exclusion paths, or scanning schedules were modified. // Failure Reason / Root Cause:Modification of Windows Defender preferences (e.g., path/process exclusion added). | Category:Windows Defender Audit Type:Failure Audit Severity:Critical OS:Windows Server / Client | |
| 5136 | An Active Directory object attribute (`LDAP Display Name`, `Value`) was modified. // Failure Reason / Root Cause:Administrative AD management, or attacker injecting `sIDHistory` / configuring RBCD (`Resource-Based Constrained Delegation`) for domain privilege escalation. | Category:Directory Service Access Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 5137 | A new directory object (OU, container, GPO, custom object) was created in Active Directory. // Failure Reason / Root Cause:Domain structure provisioning or rogue GPO container creation. | Category:Directory Service Access Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 5138 | An Active Directory object previously marked as deleted (`isDeleted=TRUE`) was restored from the AD Recycle Bin. // Failure Reason / Root Cause:Undelete API operation performed on AD object (`ObjectDN`). | Category:Directory Service Access Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 5140 | A user connected to an SMB network share (`\\Server\Share`). // Failure Reason / Root Cause:Normal file server drive mapping, or lateral movement accessing administrative SMB shares (`ADMIN$`, `IPC$`). | Category:Object Access Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 5141 | An Active Directory object was deleted from the domain directory tree. // Failure Reason / Root Cause:Directory maintenance or cleanup of staged AD persistence containers. | Category:Directory Service Access Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 5142 | A new SMB network share (`net share`) was created on the server. // Failure Reason / Root Cause:Server administration setting up file shares, or attacker creating unauthorized exfiltration shares (`net share staging$=C:\...`). | Category:Object Access Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 5143 | A network share (`SMB/CIFS Share`) had its permissions, path, or configuration modified. // Failure Reason / Root Cause:SMB network share modification (`ShareName` settings updated by `SubjectUserName`). | Category:Object Access Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 5144 | An existing network share (`net share /delete`) was removed. // Failure Reason / Root Cause:Share decommissioning or temporary exfiltration share cleanup. | Category:Object Access Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 5145 | Detailed file access check over SMB (`Relative Target Name` filename accessed on share). // Failure Reason / Root Cause:Remote file reads over SMB, or named pipe access (`svcctl`, `samr`, `lsarpc`, `srvsvc`) during lateral movement reconnaissance. | Category:Object Access Audit Type:Success / Failure Audit Severity:High OS:Windows Server / Client | |
| 5148 | The Windows Filtering Platform (`WFP`) detected and dropped network packets exceeding Denial of Service thresholds. // Failure Reason / Root Cause:High-volume network flood or malformed traffic triggering WFP DoS defense thresholds. | Category:Windows Firewall Audit Type:Failure Audit Severity:High OS:Windows Server / Client | |
| 5156 | A network connection (`TCP/UDP`) was permitted by Windows Filtering Platform rules (`Application Name`, `Source/Dest IP & Port`). // Failure Reason / Root Cause:Network connection permitted by WFP filter rule (`Application Name` connecting to `Destination Address`). | Category:Windows Firewall Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 5157 | A network connection attempt was blocked by Windows Filtering Platform or host firewall rules. // Failure Reason / Root Cause:Network connection attempt dropped by WFP filter rule (`Filter Run-Time ID`). | Category:Windows Firewall Audit Type:Failure Audit Severity:High OS:Windows Server / Client | |
| 5158 | A process (`Application Name`) successfully bound and opened a local listening port (`TCP/UDP`). // Failure Reason / Root Cause:Local port bind operation permitted (`Application Name` binding to `Source Port`). | Category:Windows Firewall Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 5378 | Credential delegation (`CredSSP` / `WinRM` / `RDP`) blocked by restricted delegation policies (`Remote Credential Guard`). // Failure Reason / Root Cause:Security policy preventing credential exposure on untrusted jump boxes. | Category:Credential Management Audit Type:Failure Audit Severity:Medium OS:Windows Server / Client | |
| 5857 | A Windows Management Instrumentation (`WMI`) provider DLL started execution inside `wmiprvse.exe`. // Failure Reason / Root Cause:Initialization of WMI provider (`ProviderName`) within `wmiprvse.exe` host process. | Category:WMI Activity Audit Type:Success Audit Severity:Medium OS:Windows Server / Client | |
| 5861 | A WMI Event Consumer (`__EventConsumer`) was registered in the WMI repository for event-triggered execution. // Failure Reason / Root Cause:Permanent WMI event consumer registration (`Consumer:` name and `PossibleCause:` string shown). | Category:WMI Activity Audit Type:Success Audit Severity:Critical OS:Windows Server / Client | |
| 7045 | A service was installed in the system (logged in the System Event Log by Service Control Manager). // Failure Reason / Root Cause:Software installation, `sc create` execution, or lateral movement (`PsExec` service creation). | Category:System Audit Type:Success Audit Severity:High OS:Windows Server / Client | |
| 8003 | An executable or DLL binary was permitted to execute by AppLocker application control policy. // Failure Reason / Root Cause:Binary execution allowed by matching AppLocker rule (`RuleName`). | Category:AppLocker Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 8004 | An executable or DLL binary was blocked from execution by AppLocker application control rules. // Failure Reason / Root Cause:Binary execution blocked by AppLocker enforcement (`FilePath` denied by rule). | Category:AppLocker Audit Type:Failure Audit Severity:High OS:Windows Server / Client | |
| 8006 | A script (`VBS`, `JS`, `PS1`, `BAT`) or Windows Installer (`MSI`) was allowed to run by AppLocker policy. // Failure Reason / Root Cause:Script or MSI allowed to run by AppLocker script policy rule (`RuleName`). | Category:AppLocker Audit Type:Success Audit Severity:Info OS:Windows Server / Client | |
| 8007 | A script (`VBS`, `JS`, `PS1`, `BAT`) or Windows Installer (`MSI`) was blocked by AppLocker application control. // Failure Reason / Root Cause:Script or MSI execution blocked by AppLocker rule (`FilePath` denied). | Category:AppLocker Audit Type:Failure Audit Severity:High OS:Windows Server / Client |
ADVERTISEMENT / SPONSORED RESERVATION (728x90)