Introduction to Windows Event Monitoring: Key Event IDs for Security

In today’s digital landscape, maintaining a secure IT environment is paramount for organizations of all sizes. Windows Event Logs serve as a critical source of information for detecting, investigating, and responding to security incidents. These logs provide detailed insights into activities occurring within your systems, helping security teams identify anomalies, unauthorized access, and potential threats.

Monitoring specific Windows Event IDs is an effective way to streamline your security operations. By focusing on key events such as failed login attempts, account changes, privileged account usage, and unusual network connections, you can enhance your ability to detect and respond to malicious activities before they escalate.

This blog highlights a curated list of essential Windows Event IDs that every security team should monitor. From user logon patterns to registry changes, file access, and network activity, these events provide a comprehensive overview of activities that could indicate a security breach or policy violation. Whether you’re setting up a Security Information and Event Management (SIEM) system or manually reviewing logs, this guide will help you prioritize what to watch for, ensuring you stay ahead of potential threats.

Dive in to explore these critical event IDs, understand their significance, and learn how to leverage them for robust security monitoring.

| Category | Description | Event ID(s) |
|---|---|---|
| Failed Login Attempts | Failed user logon attempts | 4625 |
| Account Lockouts | Account lockout events | 4740 |
| Successful Login Outside Hours | Logon events outside business hours | 4624 |
| New User Creation | New user account creation | 4720 |
| Privileged Account Usage | Use of privileged accounts | 4672 |
| User Account Changes | Modifications to user accounts | 4722, 4723, 4724, 4725, 4726 |
| Logon from Unusual Locations | Geolocated anomalous logon events | 4624 |
| Password Changes | Password change attempts and resets | 4723, 4724 |
| Group Membership Changes | Group membership modifications | 4727, 4731, 4735, 4737 |
| Suspicious Logon Patterns | Anomalous logon patterns | 4624 |
| Excessive Logon Failures | Repeated failed logon attempts | 4625 |
| Disabled Account Activity | Activity on disabled accounts | 4725 |
| Dormant Account Usage | Rarely used accounts being accessed | 4624 |
| Service Account Activity | Service account logons and privileges | 4624, 4672 |
| RDP Access Monitoring | RDP-specific logon events | 4624 |
| Lateral Movement Detection | Network logons indicative of lateral movement | 4648 |
| File and Folder Access | Access to files and folders | 4663 |
| Unauthorised File Sharing | File sharing without authorization | 5140, 5145 |
| Registry Changes | Registry modifications | 4657 |
| Application Installation/Removal | Software installation or removal | 11707, 1033 |
| USB Device Usage | Usage of USB devices | 20001, 20003 |
| Windows Firewall Changes | Firewall rule changes | 4946, 4947, 4950, 4951 |
| Scheduled Task Creation | Creation of scheduled tasks | 4698 |
| Process Execution Monitoring | Monitoring process creation | 4688 |
| System Restart/Shutdown | System restart or shutdown events | 6005, 6006, 1074 |
| Event Log Clearing | Clearing of event logs | 1102 |
| Malware Execution/Indicators | Indicators of malware execution | 4688, 1116 |
| Active Directory Changes | Changes to Active Directory objects | 5136, 5141 |
| Shadow Copy Deletion | Shadow copy deletion events | 524 |
| Network Configuration Changes | Changes to network settings | 4254, 4255, 10400 |
| Suspicious Script Execution | Execution of scripts with interpreters | 4688 |
| Service Installation/Modification | Service installation or modification | 4697 |
| Clearing of Audit Logs | Audit log clearing | 1102 |
| Software Restriction Violation | Software restriction policy violations | 865 |
| Excessive Account Enumeration | Repeated account enumeration attempts | 4625, 4776 |
| Attempt to Access Sensitive Files | Attempts to access sensitive files | 4663 |
| Unusual Process Injection | Process injection detected | 4688 |
| Driver Installation | Installation of drivers | 7045 |
| Scheduled Task Modification | Changes to scheduled tasks | 4699 |
| Unauthorized GPO Changes | Unauthorized Group Policy Object changes | 5136 |
| Suspicious PowerShell Activity | Suspicious PowerShell commands executed | 4104 |
| Unusual Network Connections | Anomalous network traffic patterns | 5156 |
| Unauthorized Shared File Access | Unpermitted access to shared files | 5145 |
| DNS Query for Malicious Domains | Queries to malicious domains | 5158 |
| LDAP Search Abuse | Suspicious LDAP search queries | 4662 |
| Process Termination Monitoring | Monitoring terminated processes | 4689 |
| Failed Service Start Attempts | Failed attempts to start services | 7041 |
| Audit Policy Changes | Changes to audit policies | 4719, 1102 |
| Time Change Monitoring | Monitoring system time changes | 4616, 520 |
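
As an added example that is not part of the original post, the Python below turns three rows of the table into detection logic and runs it over a constructed set of Security-log records shaped like a SIEM or JSON export: Excessive Logon Failures (4625, a per-account count inside a sliding window), Successful Login Outside Hours (4624, limited to interactive and RDP logon types so service and network logons do not flood the alert), and Event Log Clearing (1102). The field names, threshold, window and business hours are assumptions, not values from the post.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real logs). Field names are assumed to mirror
# the Security log's TargetUserName, IpAddress and LogonType fields.
SAMPLE_EVENTS = [
    {"id": 4625, "time": "2024-03-04T09:00:00", "user": "svc_backup", "src": "10.0.0.5", "logon_type": 3},
    {"id": 4625, "time": "2024-03-04T09:00:30", "user": "svc_backup", "src": "10.0.0.5", "logon_type": 3},
    {"id": 4625, "time": "2024-03-04T09:01:00", "user": "svc_backup", "src": "10.0.0.5", "logon_type": 3},
    {"id": 4625, "time": "2024-03-04T09:01:30", "user": "svc_backup", "src": "10.0.0.5", "logon_type": 3},
    {"id": 4625, "time": "2024-03-04T09:02:00", "user": "svc_backup", "src": "10.0.0.5", "logon_type": 3},
    {"id": 4625, "time": "2024-03-04T09:02:30", "user": "svc_backup", "src": "10.0.0.5", "logon_type": 3},
    {"id": 4625, "time": "2024-03-04T09:10:00", "user": "alice", "src": "10.0.0.7", "logon_type": 2},
    {"id": 4624, "time": "2024-03-04T09:30:00", "user": "alice", "src": "10.0.0.7", "logon_type": 10},  # Monday, in hours
    {"id": 4624, "time": "2024-03-04T23:00:00", "user": "svc_backup", "src": "10.0.0.5", "logon_type": 3},  # network logon
    {"id": 4624, "time": "2024-03-09T02:15:00", "user": "bob", "src": "10.0.0.9", "logon_type": 10},   # Saturday, RDP
    {"id": 1102, "time": "2024-03-09T02:20:00", "user": "bob", "src": "10.0.0.9", "logon_type": None},
]

FAILED_LOGON_THRESHOLD = 5   # assumed: 4625 events per account within WINDOW_SECONDS
WINDOW_SECONDS = 10 * 60
BUSINESS_HOURS = (8, 18)     # assumed: 08:00-18:00 local time, Monday to Friday
INTERACTIVE_LOGON_TYPES = {2, 10}  # 2 = Interactive (console), 10 = RemoteInteractive (RDP)


def detect(events):
    """Return a list of (category, account) alerts for the three table rows implemented here."""
    alerts = []
    recent_failures = defaultdict(list)  # account -> timestamps of 4625 inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4625:
            window = [x for x in recent_failures[ev["user"]] if (t - x).total_seconds() <= WINDOW_SECONDS]
            window.append(t)
            recent_failures[ev["user"]] = window
            # Fire exactly once when the threshold is crossed, not on every later failure.
            if len(window) == FAILED_LOGON_THRESHOLD:
                alerts.append(("Excessive Logon Failures", ev["user"]))
        elif ev["id"] == 4624:
            outside = t.weekday() >= 5 or not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1])
            if outside and ev.get("logon_type") in INTERACTIVE_LOGON_TYPES:
                alerts.append(("Successful Login Outside Hours", ev["user"]))
        elif ev["id"] == 1102:
            # Log clearing is always worth an alert; no threshold applies.
            alerts.append(("Event Log Clearing", ev["user"]))
    return alerts


if __name__ == "__main__":
    for category, account in detect(SAMPLE_EVENTS):
        print(f"{category}: {account}")
```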

Monitoring Windows Event IDs is an important part of keeping your systems secure. By focusing on key events, you can quickly spot unusual activity, respond to threats, and protect your organization. Regularly checking these logs helps you stay prepared and keep your systems safe.

Happy Hacking

This post is licensed under CC BY 4.0 by the author.