There is a significant number of Windows Event Log types available to IT and security professionals. This appendix lists the events most critical to security and incident investigations and is provided as a reference.
| Event ID | Event type | Primary use | Event log |
|---|---|---|---|
| 21 | Remote desktop services: session logon succeeded. | Event correlation, lateral movement, scoping | TerminalServices-LocalSessionManager/Operational |
| 25 | Remote desktop services: session reconnection succeeded. | Event correlation, lateral movement, scoping | TerminalServices-LocalSessionManager/Operational |
| 102 | This event is logged when the terminal services gateway service requires a valid Secure Sockets Layer (SSL) certificate to accept connections. | Event correlation, lateral movement, scoping | Microsoft-Windows-TerminalServices-Gateway |
| 106 | A user registered a scheduled task. | Execution, persistence | Windows task scheduler |
| 107 | Task scheduler launched a task due to a time trigger. | Execution, persistence | Windows task scheduler |
| 131 | The RDP server accepted a new TCP connection. | Event correlation, lateral movement, scoping | Remote desktop services RdpCoreTs |
| 140 | A user updated a scheduled task. | Execution, persistence | Windows task scheduler |
| 141 | A user deleted a scheduled task. | Execution, persistence | Windows task scheduler |
| 200 | Task scheduler launched the action in the instance of the task. | Execution, persistence | Windows task scheduler |
| 201 | Task scheduler successfully completed a task. | Execution, persistence | Windows task scheduler |
| 800 | Pipeline execution details. | Event correlation, lateral movement, execution | PowerShell |
| 4103 | Executing pipeline. | Event correlation, lateral movement, execution | PowerShell |
| 1024 | RDP ClientActiveX is trying to connect to a server. | Event correlation, lateral movement, scoping | Microsoft-Windows-TerminalServices-RDPClient/Operational |
| 4624 | An account was successfully logged on. | Event correlation (event to user), scoping, user location identification | Security |
| 4625 | An account failed to log on. | Event correlation (event to user), scoping, user location identification | Security |
| 4634 | An account was logged off. | Event correlation (event to user), scoping, user location identification | Security |
| 4647 | User initiated log off. | Event correlation (event to user), scoping, user location identification | Security |
| 4648 | A logon was attempted using explicit credentials. | Event correlation, lateral movement, scoping | Security |
| 4672 | Special privileges assigned to new logon. | Escalation of privilege | Security |
| 4698 | A scheduled task was created. | Persistence | Security |
| 4727 | A security-enabled global group was created. | Escalation of privilege, lateral movement, persistence | Security |
| 4728 | A member was added to a security-enabled global group. | Escalation of privilege, lateral movement | Security |
| 4737 | A security-enabled global group was changed. | Escalation of privilege, lateral movement, persistence | Security |
| 4706 | A new domain trust was created. | Validation of controls | Security |
| 4720 | A user account was created. | Escalation of privilege, lateral movement, persistence | Security |
| 4729 | A member was removed from a security-enabled global group. | Validation of controls | Security |
| 4754 | A security-enabled universal group was created. | Escalation of privilege, lateral movement, persistence | Security |
| 4755 | A security-enabled universal group was changed. | Escalation of privilege, lateral movement, persistence | Security |
| 4776 | A user account was unlocked. | Escalation of privilege, persistence | Security |
| 5140 | A network share object was accessed. | Lateral movement | Security |
| 5145 | A network share object was checked to see whether the client can be granted the desired access. | Lateral movement | Security |
| 7045 | A new service was installed by a user. | Execution, lateral movement | Security |