Windows Event Logs and IDs

Types of Windows Event Logs

  • Application: Events logged by specific programs and applications.

  • Security: Tracks security-related events like logins, logoffs, privilege use, and policy changes. This is a critical log for threat hunting.

  • Setup: Events related to software installation and setup processes.

  • System: Logs events from Windows system components (e.g., drivers, services).

  • Forwarded Events: Consolidates events from remote systems.

Key Event IDs for Threat Hunters

(Note: This is not an exhaustive list, but some particularly valuable IDs)

Security Log

  • 4624: Successful Logon: Tracks all successful login attempts, both local and network-based.

    • Threat Hunting Value: Establish a baseline of normal logins, track user activity, and look for anomalous logins or brute-force attacks.

  • 4625: Failed Logon: Records unsuccessful logins.

    • Threat Hunting Value: Identifies brute-force attempts, unauthorized access attempts, or accidental mistyping of credentials.

  • 4672: Special privileges assigned to new logon: Indicates when a user has been granted administrator or other elevated privileges.

    • Threat Hunting Value: Monitor for privilege escalation and unauthorized changes.

  • 4720: A user account was created: Tracks the creation of new accounts.

    • Threat Hunting Value: Detects threat actors attempting to create backdoors or additional accounts.

  • 4798: A user's local group membership was enumerated: Shows when someone investigates user groups on a system.

    • Threat Hunting Value: Can indicate reconnaissance activity by a threat actor to learn about the compromised machine.

System Log

  • 7045: A new service was installed: Indicates the installation of new services.

    • Threat Hunting Value: Detecting new, potentially malicious services.

  • 104, 1102: Event log cleared, Security log full

    • Threat Hunting Value: Can indicate an attacker covering their tracks by deleting logs.

Additional Considerations

  • Log Volume: Some Event IDs are noisier than others (like successful logins). Balance importance with log volume.

  • Event Context: Event IDs alone aren't always conclusive. Correlate events for a clearer picture. Example: Multiple failed logins (4625) followed by one successful (4624) might indicate a breach.

  • Threat Intelligence: Incorporate threat intelligence feeds to gain context about newly documented Event IDs related to specific attacks or malware.

  • Log Collection and Analysis: Use SIEM tools or similar solutions to centralize logs from multiple systems to make analysis effective.
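The correlation that the Event Context bullet describes (a burst of 4625 failures followed by a 4624 success, then looking at what happened next) can be expressed as a small hunting script. The following is an added example and not part of the original page; the event records are constructed, not real telemetry, and the field names (EventID, TimeCreated, TargetUserName, IpAddress, SubjectUserName, ServiceName, ImagePath) are taken from the EventData names Windows uses in the XML view of Event Viewer, as a SIEM would extract them. The thresholds and windows are assumptions to be tuned against the baseline of your own environment.

```python
"""Correlate the Event IDs listed above over a batch of Windows event records."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Values are invented; the field
# names mirror the EventData fields of the corresponding Windows events.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2024-03-01T09:00:01", "TargetUserName": "alice", "IpAddress": "203.0.113.7", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2024-03-01T09:00:03", "TargetUserName": "alice", "IpAddress": "203.0.113.7", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2024-03-01T09:00:05", "TargetUserName": "alice", "IpAddress": "203.0.113.7", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2024-03-01T09:00:07", "TargetUserName": "alice", "IpAddress": "203.0.113.7", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2024-03-01T09:00:09", "TargetUserName": "alice", "IpAddress": "203.0.113.7", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:00:12", "TargetUserName": "alice", "IpAddress": "203.0.113.7", "LogonType": 3},
    {"EventID": 4672, "TimeCreated": "2024-03-01T09:00:12", "SubjectUserName": "alice"},
    {"EventID": 4720, "TimeCreated": "2024-03-01T09:02:30", "SubjectUserName": "alice", "TargetUserName": "svc_backup"},
    {"EventID": 7045, "TimeCreated": "2024-03-01T09:03:10", "ServiceName": "UpdaterSvc", "ImagePath": "C:\\Users\\Public\\upd.exe"},
    {"EventID": 1102, "TimeCreated": "2024-03-01T09:05:00", "SubjectUserName": "alice"},
    # Benign noise: one mistyped password from the office network, then a normal logon.
    {"EventID": 4625, "TimeCreated": "2024-03-01T09:10:00", "TargetUserName": "bob", "IpAddress": "10.0.0.21", "LogonType": 2},
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:10:20", "TargetUserName": "bob", "IpAddress": "10.0.0.21", "LogonType": 2},
]

# Assumed tuning values; adjust to the baseline of the environment being hunted.
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
FOLLOW_UP_WINDOW = timedelta(minutes=10)
LOG_CLEAR_IDS = {104, 1102}
FOLLOW_UP_IDS = {
    4672: "special privileges assigned",
    4720: "user account created",
    7045: "new service installed",
    104: "event log cleared",
    1102: "audit log cleared",
}


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def event_volume(events):
    """Count records per Event ID: the 'Log Volume' consideration, to see which IDs dominate."""
    return Counter(e["EventID"] for e in events)


def brute_force_then_success(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Return one hit per 4624 that was preceded, within `window`, by at least
    `threshold` 4625 failures from the same source IP."""
    failures = defaultdict(list)  # IpAddress -> timestamps of 4625 events
    for e in events:
        if e["EventID"] == 4625 and e.get("IpAddress"):
            failures[e["IpAddress"]].append(_ts(e))
    hits = []
    for e in sorted(events, key=_ts):
        if e["EventID"] != 4624 or not e.get("IpAddress"):
            continue
        t = _ts(e)
        recent = [f for f in failures[e["IpAddress"]] if t - window <= f < t]
        if len(recent) >= threshold:
            hits.append({"ip": e["IpAddress"], "user": e["TargetUserName"], "failures": len(recent), "time": t})
    return hits


def follow_up_activity(events, start, window=FOLLOW_UP_WINDOW):
    """Event IDs from FOLLOW_UP_IDS seen within `window` after `start`, in time order.
    This is the 'Event Context' step: a suspicious logon is more conclusive when
    privilege assignment, account creation, service installs or log clearing follow it."""
    return [e["EventID"] for e in sorted(events, key=_ts)
            if e["EventID"] in FOLLOW_UP_IDS and start <= _ts(e) <= start + window]


def hunt(events):
    """Combine the checks into human-readable findings."""
    findings = []
    for hit in brute_force_then_success(events):
        chain = follow_up_activity(events, hit["time"])
        desc = ", ".join(f"{i} ({FOLLOW_UP_IDS[i]})" for i in chain)
        findings.append(
            f"{hit['failures']} failed logons from {hit['ip']} then success as {hit['user']}"
            + (f"; followed by {desc}" if chain else "")
        )
    for e in events:  # log clearing is worth a finding on its own, correlated or not
        if e["EventID"] in LOG_CLEAR_IDS:
            findings.append(f"log cleared (ID {e['EventID']}) by {e.get('SubjectUserName', '?')} at {e['TimeCreated']}")
    return findings


if __name__ == "__main__":
    print("volume per Event ID:", dict(event_volume(SAMPLE_EVENTS)))
    for line in hunt(SAMPLE_EVENTS):
        print("FINDING:", line)
```

Bob's single mistyped password does not trip the threshold, which is the point of correlating rather than alerting on every 4625; lowering `threshold` shows how quickly the noise returns. In production the records would come from a SIEM query or a forwarded-events collector rather than an inline list, but the correlation logic is the same.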
