Windows event ID 4624

Top Windows Events ID Security Operation Teams should know

Every second, they are thousands of logs being generated from different sources (Proxy, Firewall, End Point, servers, Router, Switch, Email server, Active Directory, IDS/IPS …) and store in a log management tool or SIEM. As an analyst, without a proper way of filtering the events it is almost not possible to detect a threat.

The easiest and most efficient way to analyze the events in windows environment is to look for the proper event id that matches to the alert. The event ID will help you to find faster and accurately the proper event you are looking for and make you investigation much easier.

Below, we share with you the Windows events ID that have the highest percentage of occurrence in the network.

WINDOWS event ID 4624 An account was successfully logged on:
The event is generated when a user’s account logged onto the local computer (can be generated after one or more log on failed attempt followed by one successful attempt). It is used to detect different attacks unauthorized log on in the network.

WINDOWS event ID 4625 An account failed to log on:

The event is generated when a user account’s failed to log on (can be generated after one or more log on failed attempt). It is used to detect different attacks unauthorized log on failed in the network.

WINDOWS event ID 1102 The audit log was cleared:

The audit log can be cleared by the admin or by a threat actor to remove the trace, this technic is often used by threat actor as anti-forensic technic to make to investigation more complex.

WINDOWS event ID 4688 A new process has been created:

The event is generated when a process is created, Windows OS has many processes so seeing a process being created does not mean that you are under attack but most of the threat actor used the Windows processes or mimic the Windows processes to perform an attack. Monitoring a new process being created is crucial.

WINDOWS event ID 4698 A scheduled task was created:

Similarly, to the event ID 4688, the event ID 4698 could be used by the admin to perform a specific task regularly or used by a threat actor for persistency or privilege escalation. Monitoring a scheduled task being created is crucial.

WINDOWS event ID 4657 A registry value was modified:

Always when a new file, process, scheduled task or any other activity is performed in the network, it is recorded in the registry. A threat actor after running a malicious process, file or scheduled task, can use the registry to add a key that will allow him or her to maintain the persistency. Monitoring any key added in the registry is crucial.

WINDOWS event ID 4704 and event ID 4705 A (A user right was assigned and A user right was removed)

This activity is often performed by the admin when the new user is created, but a threat actor can leverage it to perform an attack such as impersonation or privilege escalation.

WINDOWS event ID 4719 A system audit policy was changed:

This may happen when a threat actor does want to hide the activities that he had perform to compromise the system. It worth monitoring to detect when an unauthorized user disables to system audit policy.

 

WINDOWS event ID 4720 A user account was created, WINDOWS event ID 4740 A user account was locked, WINDOWS event ID 4741 A computer account was created:

The following events IDs mentioned above are quite important, any activity on an account such as account creation, changed, locked, deleted should be monitored. The threat actor can create a new account as a backdoor and delete after performing the attack.

 

Windows event ID 4723 An attempt was made to change an account's password and Windows event ID 4724 An attempt was made to reset an accounts password:

An unauthorized password change should not be accepted in the environment. This issue can lead to further damage such as privilege escalation, data loss and others.

Windows event ID 4768 A Kerberos authentication ticket (TGT) was requested, Windows event ID 4769 A Kerberos service ticket was requested, Windows event ID 4771 Kerberos pre-authentication failed:

A Kerberos protocol is used to access to the network. The protocol can be abuse by threat actor to connect to the network and perform malicious activities. For example, in Windows environment, Kerberos is used to authenticate and authorized the users to connect in Active Directory.

The threat actor after the initial compromise phase, can abuse Kerberos to perform attack such as kerberoasting or pass the ticket to escalate from one privilege to another. The events ID related to Kerberos should be monitored.

 

Windows event ID 4787 A non-member was added to a basic application group, Windows event ID 4788 A non-member was removed from a basic application group:

A non-member added or removed to another group could be a sign of administrative activity or attack, a threat actor can add a new user in a group to maintain a foothold. A that actor can remove a member added previously to remove the foothold. Any new member added or removed should be monitored. If the activity is not allowed, further investigation should be provided.

Windows event ID 4946 A change has been made to Windows Firewall exception list. A rule was added:

Any new rule created should be verified if allowed or not. A threat actor can create a rule to redirect a connection to a malicious server or to connect to a specific target such as AD, Database and others.

For example, if a threat actor compromises a web server, he or she can make a change to the firewall to connect to the database server.

Windows event ID 5140 A network share object was accessed and Windows event ID 5142 A network share object was added:

It is common to see a threat actor accessing a network share and execute a malicious command to get high privilege or exfiltrate data. Monitoring the network share is worthy.

Windows event ID 4663 An attempt was made to access an object:

A threat actor can enumerate an object with “write” right to access to the object. This is done to get higher privilege. 

Windows event ID 4608 Windows is starting up:

At the time of starting, a threat actor can corrupt the system by uploading a malicious payload. A system booting or starting should be a good point to monitor.

 Windows Security Log Encyclopedia (ultimatewindowssecurity.com)

Sysmon - Sysinternals | Microsoft Learn

windows 10 - How to find specifics of what Defender detected in real time protection? - Super User