Windows Events to Monitor
Event ID
The following table lists the Security log events you should monitor on an Active Directory domain controller to detect attacks. 4624, 4625 and 4648 are also worth collecting from member servers and workstations, since most of the attacks below start there.
| Event ID | Summary |
|---|---|
| 4618 | A monitored security event pattern has occurred. |
| 4624 | An account was successfully logged on. |
| 4625 | An account failed to log on. |
| 4648 | A logon was attempted using explicit credentials. |
| 4649 | A replay attack was detected. May be a harmless false positive due to misconfiguration error. |
| 4662 | An operation was performed on an object. |
| 4692 | Backup of data protection master key was attempted. |
| 4706 | A new trust was created to a domain. |
| 4707 | A trust to a domain was removed. |
| 4716 | Trusted domain information was modified. |
| 4719 | System audit policy was changed. |
| 4738 | A user account was changed. |
| 4765 | SID History was added to an account. |
| 4766 | An attempt to add SID History to an account failed. |
| 4768 | A Kerberos authentication ticket (TGT) was requested. |
| 4769 | A Kerberos service ticket was requested. |
Detection Rules
Brute force attack on one account
- Event ID: 4625
- Rule: `X` failed logons in `Y` minutes with the same username
- Caveat: a per-username threshold does not catch password spraying, where each account sees only one or two failures; count failures per source address (`IpAddress`) as well
Logon by non-allowed accounts
- Event ID: 4624
- Rule: Check the LogonType (`2` interactive or `10` RemoteInteractive/RDP) and compare the username with the list of accounts allowed to log on to that host
SID History modification
- Event ID: 4765, 4766
- ANSSI: sidhistory_dangerous
An account's primaryGroupId was changed to a value lower than 1000 (a well-known RID such as 512 Domain Admins or 519 Enterprise Admins, which hides the membership from the group's member list)
- Event ID: 4738
- ANSSI: primary_group_id_1000
Kerberoasting detection
- Event ID: 4769
- Rule:
  - Filter on `Ticket Encryption Type: 0x17` (RC4-HMAC, the type Kerberoasting tools request so the ticket can be cracked offline) and `Ticket Options: 0x40810000`; AES tickets (`0x11`, `0x12`) are the normal case, and the DES types `0x01`, `0x02`, `0x03` should not appear on a current domain
  - `X` Kerberos service ticket requests within `Y` minutes with the same username, ideally counted over distinct service names
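The brute-force rule and the Kerberoasting rule above both reduce to "X events from the same username inside a Y-minute window". The Python below is an added example, not code from the original page or from the ANSSI rules; it runs both rules over constructed sample events whose field names follow the EventData of 4625 and 4769 (`TargetUserName`, `ServiceName`, `TicketEncryptionType`, `TicketOptions`, `Status`). It goes one step beyond the rule as written for 4769: it counts distinct service names per user, because a user re-requesting the same ticket is routine while many different SPNs within minutes is the Kerberoast pattern.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


# Constructed sample events, not real logs. Only the fields the two rules need
# are kept; names follow the EventData of 4625 and 4769 in the Security log.
def _ev(event_id, minute, **fields):
    e = {"EventID": event_id, "TimeCreated": f"2024-03-01T08:{minute:02d}:00"}
    e.update(fields)
    return e


def _tgs(user, minute, service, etype):
    return _ev(4769, minute, TargetUserName=user, ServiceName=service,
               TicketEncryptionType=etype, TicketOptions="0x40810000", Status="0x0")


SAMPLE_EVENTS = (
    [_ev(4625, m, TargetUserName="jdoe") for m in range(6)]                          # 6 failures in 5 min
    + [_ev(4625, 10, TargetUserName="alice")]                                         # one mistyped password
    + [_tgs("bob@CORP.LOCAL", m, f"svc{m}/host{m}", "0x17") for m in range(6)]        # 6 SPNs, RC4
    + [_tgs("carol@CORP.LOCAL", m, f"svc{m}/host{m}", "0x12") for m in range(6)]      # 6 SPNs, AES
    + [_tgs("dave@CORP.LOCAL", m, "MSSQLSvc/sql01", "0x17") for m in range(6)]        # same SPN, RC4
)


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def keys_over_threshold(events, key, threshold, window, value=None):
    """Return the keys (usernames) that accumulate `threshold` or more events
    inside any sliding window of length `window`. When `value` is given, only
    distinct values are counted, so repeats of the same thing do not add up."""
    recent = defaultdict(deque)          # key -> deque of (timestamp, value)
    hits = set()
    for i, e in enumerate(sorted(events, key=_ts)):
        k, ts = key(e), _ts(e)
        q = recent[k]
        q.append((ts, value(e) if value else i))   # i: every event counts once
        while ts - q[0][0] > window:               # drop events older than the window
            q.popleft()
        if len({v for _, v in q}) >= threshold:
            hits.add(k)
    return hits


def brute_force_accounts(events, x=5, y_minutes=5):
    """4625 rule: X failed logons in Y minutes against the same username."""
    failed = [e for e in events if e["EventID"] == 4625]
    return keys_over_threshold(failed, lambda e: e["TargetUserName"].lower(),
                               x, timedelta(minutes=y_minutes))


def kerberoast_suspects(events, x=5, y_minutes=5):
    """4769 rule: keep RC4 (0x17) service ticket requests with the usual ticket
    options and a successful status, then look for X distinct services
    requested by the same user within Y minutes."""
    rc4 = [e for e in events if e["EventID"] == 4769
           and e["TicketEncryptionType"].lower() == "0x17"
           and e["TicketOptions"].lower() == "0x40810000"
           and e["Status"] == "0x0"]
    return keys_over_threshold(rc4, lambda e: e["TargetUserName"].lower(),
                               x, timedelta(minutes=y_minutes),
                               value=lambda e: e["ServiceName"].lower())


if __name__ == "__main__":
    print("brute force:", brute_force_accounts(SAMPLE_EVENTS))   # {'jdoe'}
    print("kerberoast:", kerberoast_suspects(SAMPLE_EVENTS))     # {'bob@corp.local'}
```

In the sample, `carol` makes the same number of requests as `bob` but with AES tickets and is not flagged, and `dave` hits one SPN six times and is not flagged either; only `bob` (six different RC4 tickets in five minutes) matches. Usernames are lower-cased before grouping because 4769 reports them in the `user@REALM` form while other events use the bare SAM name.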
Logon on a Domain Controller
- Event ID: 4624
- Rule:
  - Check the LogonType (`2` interactive, and `10` for RDP sessions)
  - Check the logon target (the `Computer` that logged the event is a domain controller)
  - Check the username or user groups against the accounts expected to log on to a DC
Domain structure modification
- Event ID:
- 4706: Trust added
- 4707: Trust removed
- 4716: Trust modified
DPAPI key
DPAPI backup key extraction
- Event ID: 4662
- Rule:
  - Check the ObjectType: `SecretObject`
  - Check the AccessMask: `0x02`
  - Check the ObjectName: `BCKUPKEY`
- ANSSI: permissions_dpapi
DPAPI backup key backup
- Event ID: 4692
- ANSSI: permissions_dpapi
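The 4662 rule for the DPAPI backup key is a field match, but two details matter in practice: `AccessMask` is a hex string that can carry more bits than just READ (`0x2`), so it must be tested bitwise rather than compared to the literal, and the secret's `ObjectName` is matched on its `BCKUPKEY` prefix. The following Python is an added example, not code from the original page or from the ANSSI rules; the sample 4662 events are constructed, and the exact spelling of the secret names in them is an assumption.

```python
# Constructed sample 4662 events, not real log lines. Field names follow the
# EventData of 4662 (SubjectUserName, ObjectType, ObjectName, AccessMask).
# The secret names are an assumption made for the example.
SAMPLE_4662 = [
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "SecretObject",
     "ObjectName": "BCKUPKEY_PREFERRED Secret", "AccessMask": "0x2"},       # read of the backup key
    {"EventID": 4662, "SubjectUserName": "svc-backup", "ObjectType": "SecretObject",
     "ObjectName": "BCKUPKEY_P Secret", "AccessMask": "0x102"},             # READ bit plus another bit
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "SecretObject",
     "ObjectName": "BCKUPKEY_PREFERRED Secret", "AccessMask": "0x4"},       # no READ bit
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",               # an AD user object, not an LSA secret
     "ObjectName": "CN=srv01,OU=Servers,DC=corp,DC=local", "AccessMask": "0x2"},
]

READ_BIT = 0x2   # the access right the rule looks for in AccessMask


def is_dpapi_backup_key_read(event):
    """4662 rule: an LSA SecretObject whose name starts with BCKUPKEY was
    opened with the READ bit set. The mask is tested with a bitwise AND so
    that a mask such as 0x102 (READ combined with another right) still matches."""
    if event.get("EventID") != 4662 or event.get("ObjectType") != "SecretObject":
        return False
    try:
        mask = int(event.get("AccessMask", "0x0"), 16)
    except ValueError:
        return False
    return bool(mask & READ_BIT) and event.get("ObjectName", "").startswith("BCKUPKEY")


def dpapi_backup_key_readers(events):
    """Accounts that matched the rule, to be compared with the accounts that
    are allowed to hold the backup key (the ANSSI permissions_dpapi check)."""
    return sorted({e["SubjectUserName"] for e in events if is_dpapi_backup_key_read(e)})


if __name__ == "__main__":
    print(dpapi_backup_key_readers(SAMPLE_4662))   # ['jdoe', 'svc-backup']
```

A literal comparison `AccessMask == "0x2"` would have missed the second sample event; whether `svc-backup` is a legitimate holder of the key is then the question the permissions_dpapi check answers.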