Windows event logs are a rich source of information on the occurrence of any incident; proactive monitoring of specific events gives you more insight into the client's environment. Investigate such events to stop threats before they reach your network, keep monitoring important Active Directory events, and improve your insight into specific event actions beyond what correlated rules provide.
| Event ID | Threat Actor Behavior |
|---|---|
| 5447 | Windows Filtering Platform policy was changed |
| 5147 | Suspicious activity detected for which Windows Filtering Platform blocked a packet |
| 5155 | Suspicious incoming connection for a specific application or service listening on a port, which Windows Filtering Platform has blocked |
| 5153 | Attacker tried to access a network, user, group, computer, application, printer, or shared folder, for which Windows Filtering Platform has dropped and blocked a packet |
| 5152 | Suspicious incoming connection for a specific application or service listening on a port, which Windows Filtering Platform has blocked |
| 5031 | Specific application or service on Windows attempting to receive suspicious inbound packets, which Windows Filtering Platform has blocked |
| 5025 | Windows Firewall service has been stopped |
| 4954 | Windows Firewall Group Policy settings have been changed; the new settings have been applied |
| 4950 | Windows Firewall settings have been changed |
| 4947 | Windows Firewall exception list was updated successfully, which may allow a new connection that bypasses the Windows Firewall policies |
| 4946 | Windows Firewall exception list was updated successfully, which may allow a new connection that bypasses the Windows Firewall policies |
| 4698 | Scheduled task has been created to run specific jobs |
| 4699 | Previously scheduled task was deleted successfully |
| 4700 | Scheduled task was enabled successfully |
| 4701 | Previously scheduled task was deleted successfully |
| 4702 | Scheduled task was updated successfully |
| 4697 | Suspicious service installed by a threat actor, or a legitimate service installed by a Windows admin |
| 4657 | Possible registry changes made to gain persistence on the system |
| 4616 | System time was changed |
| 4782 | Suspicious access of the password hash of an account |
| 4777 | The domain controller failed to validate the credentials for an account |
| 4772 | A Kerberos authentication ticket request failed |
| 4755 | Access granted under a universal group to a trusted domain |
| 4737 | Access granted under a global group to access any trusting domain, but it should only have members from its own domain |
| 4735 | Access granted under a domain local group, meaning the group can only be granted access to objects within its domain but can have members from any trusted domain |
| 4767 | A user account was unlocked |
| 4740 | A user account was locked out |
| 4738 | User account ACL (Access Control List) changed |
| 4725 | A user account was disabled |
| 4723 | An attempt was made to change the password of an account |
| 4722 | A user account was enabled |
| 4720 | A user account was created |
| 1102 | Audit log was cleared |
| 4648 | User account logged in with domain credentials and another program was accessed using different credentials, e.g. SharePoint |
| 4625 | Failed account logon |
Monitor such events with high priority, as they may be critical indicators of an attack that could compromise your organization within the next few minutes!
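As an added example (not code from the original post), the following Python categorizes exported Security-log records against the event IDs in the table above and applies two of the correlations the introduction alludes to: a burst of failed logons per host and user, and an ordered sequence of events on a single host. The event records are constructed sample data, and the field names Time, Computer, EventID and TargetUserName are assumptions standing in for the corresponding fields of an exported Windows event.

```python
from collections import Counter

# Event IDs from the table above, grouped the way an analyst would triage them.
WATCHLIST = {
    "firewall_wfp": {5447, 5147, 5155, 5153, 5152, 5031, 5025, 4954, 4950, 4947, 4946},
    "scheduled_task": {4698, 4699, 4700, 4701, 4702},
    "persistence": {4697, 4657, 4616},
    "credential": {4782, 4777, 4772, 4648, 4625},
    "group_change": {4755, 4737, 4735},
    "account_mgmt": {4767, 4740, 4738, 4725, 4723, 4722, 4720},
    "audit_tamper": {1102},
}
ID_TO_CATEGORY = {eid: cat for cat, ids in WATCHLIST.items() for eid in ids}

# Constructed sample of Security-log records (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"Time": "2024-01-10T08:00:01", "Computer": "WS01", "EventID": 4624, "TargetUserName": "alice"},
    {"Time": "2024-01-10T08:01:10", "Computer": "SRV01", "EventID": 4625, "TargetUserName": "admin"},
    {"Time": "2024-01-10T08:01:11", "Computer": "SRV01", "EventID": 4625, "TargetUserName": "admin"},
    {"Time": "2024-01-10T08:01:12", "Computer": "SRV01", "EventID": 4625, "TargetUserName": "admin"},
    {"Time": "2024-01-10T08:05:00", "Computer": "SRV01", "EventID": 4720, "TargetUserName": "svc_bk"},
    {"Time": "2024-01-10T08:06:30", "Computer": "SRV01", "EventID": 4698, "TargetUserName": "svc_bk"},
    {"Time": "2024-01-10T08:07:00", "Computer": "SRV01", "EventID": 1102, "TargetUserName": "svc_bk"},
    {"Time": "2024-01-10T09:00:00", "Computer": "WS02", "EventID": 4720, "TargetUserName": "bob"},
]

def categorize(events):
    """Return [(event, category)] for every event whose ID is on the watchlist."""
    return [(e, ID_TO_CATEGORY[e["EventID"]]) for e in events if e["EventID"] in ID_TO_CATEGORY]

def failed_logon_bursts(events, threshold=3):
    """(host, user) pairs with >= threshold failed logons (4625): a password-guessing indicator."""
    counts = Counter((e["Computer"], e["TargetUserName"]) for e in events if e["EventID"] == 4625)
    return {key: n for key, n in counts.items() if n >= threshold}

def hosts_with_sequence(events, sequence):
    """Hosts on which the given event IDs appear in time order; unrelated events in between are ignored."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["Time"]):
        by_host.setdefault(e["Computer"], []).append(e["EventID"])
    hits = []
    for host, ids in by_host.items():
        pos = 0  # index of the next step of the sequence still to be seen on this host
        for eid in ids:
            if pos < len(sequence) and eid == sequence[pos]:
                pos += 1
        if pos == len(sequence):
            hits.append(host)
    return sorted(hits)
```

Calling `hosts_with_sequence(SAMPLE_EVENTS, [4625, 4720, 4698, 1102])` surfaces the host where failed logons were followed by an account creation, a new scheduled task and an audit log clear, a chain that none of the single rows in the table flags on its own.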