For Cybersecurity Defensive Operations and IR/Threat Hunting
Authentication Events
Account Management Events
Object Access Events
Note: object access events are only generated when object auditing is enabled via GPO and a SACL is set on the object being monitored.
Privilege Use and Logon Types
PRO Tip: combine the Logon Type field with Event IDs 4624/4625 to spot RDP logins, scheduled tasks, or lateral movement attempts.
System and Service Events
Key Hunting & Investigation Tips
- Look for Logon Type 10 (RDP) with Event ID 4624 to detect potential RDP access.
- Failed logons (4625) in high volume or with unusual usernames may indicate brute force.
- 4720 + 4728 (account created + added to group) in quick succession → potential admin backdoor.
- 1102 + cleared logs → possible anti-forensics.
- 4663 with Delete or WriteData access on sensitive files = possible data tampering or exfiltration.
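The hunting tips above, and the logon-type tip under Privilege Use and Logon Types, as Get-WinEvent queries over the Security log. This is an added example, not code from the original reference; it needs an elevated session (or an exported .evtx passed via -Path), and the -Path, -Hours and -Threshold parameters are the script's own names rather than Windows settings.

```powershell
# Added example, not part of the original reference: run the hunting tips above
# as Get-WinEvent queries over the Security log. Requires an elevated session
# (or an exported .evtx passed via -Path). The -Path, -Hours and -Threshold
# parameters are this script's own names, not Windows settings.
param(
    [string]$Path,                 # optional saved .evtx; default is the live Security log
    [int]$Hours = 24,              # how far back to look
    [int]$Threshold = 20           # failed logons from one source before it is flagged
)

$since = (Get-Date).AddHours(-$Hours)

# Query one or more event IDs from the chosen log within the time window.
function Get-SecEvents([int[]]$Ids) {
    $filter = @{ Id = $Ids; StartTime = $since }
    if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = 'Security' }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

# Read a named EventData field (LogonType, TargetUserName, ...) from the event XML.
function Get-Field($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Successful logons by type. Type 10 = RemoteInteractive (RDP); 3 = network,
#    4 = batch (scheduled task), 2 = interactive. Lateral movement commonly shows
#    up as types 3 and 10 sourced from other workstations.
$logons = Get-SecEvents 4624 | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Account   = '{0}\{1}' -f (Get-Field $_ 'TargetDomainName'), (Get-Field $_ 'TargetUserName')
        LogonType = [int](Get-Field $_ 'LogonType')
        SourceIp  = Get-Field $_ 'IpAddress'
    }
}
Write-Host '== RDP (Logon Type 10) sessions =='
$logons | Where-Object { $_.LogonType -eq 10 } | Sort-Object Time | Format-Table -AutoSize

# 2. Failed logons (4625) grouped by source address; many failures, especially
#    across many distinct account names, point at password guessing.
Write-Host "== Sources with >= $Threshold failed logons =="
Get-SecEvents 4625 | ForEach-Object {
    [pscustomobject]@{ Account = Get-Field $_ 'TargetUserName'; SourceIp = Get-Field $_ 'IpAddress' }
} | Group-Object SourceIp | Where-Object { $_.Count -ge $Threshold } |
    Select-Object @{n='SourceIp';e={$_.Name}}, Count,
                  @{n='Accounts';e={ ($_.Group.Account | Sort-Object -Unique) -join ',' }} |
    Format-Table -AutoSize

# 3. Account created (4720) and then added to a group (4728) within ten minutes.
#    Correlate on SID: the new account's TargetSid equals the 4728 MemberSid.
Write-Host '== New accounts added to a group within 10 minutes of creation =='
$added = @(Get-SecEvents 4728)
foreach ($c in @(Get-SecEvents 4720)) {
    $sid = Get-Field $c 'TargetSid'
    $added | Where-Object {
        (Get-Field $_ 'MemberSid') -eq $sid -and
        $_.TimeCreated -ge $c.TimeCreated -and
        $_.TimeCreated -le $c.TimeCreated.AddMinutes(10)
    } | ForEach-Object {
        '{0} created {1} at {2}; added to group {3} at {4}' -f (Get-Field $c 'SubjectUserName'),
            (Get-Field $c 'TargetUserName'), $c.TimeCreated, (Get-Field $_ 'TargetUserName'), $_.TimeCreated
    }
}

# 4. Security log cleared (1102). This event stores its fields under
#    UserData/LogFileCleared rather than EventData, so read them directly.
Write-Host '== Audit log cleared =='
Get-SecEvents 1102 | ForEach-Object {
    $u = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
    'Cleared at {0} by {1}\{2}' -f $_.TimeCreated, $u.SubjectDomainName, $u.SubjectUserName
}

# 5. Object access (4663) where the granted AccessMask includes DELETE (0x10000)
#    or WriteData/AddFile (0x2). Only fires for objects that carry a SACL.
Write-Host '== 4663 with Delete or WriteData =='
Get-SecEvents 4663 | ForEach-Object {
    $mask = [int](Get-Field $_ 'AccessMask')
    if (($mask -band 0x10000) -or ($mask -band 0x2)) {
        '{0} {1} {2} mask=0x{3:X}' -f $_.TimeCreated, (Get-Field $_ 'SubjectUserName'), (Get-Field $_ 'ObjectName'), $mask
    }
}
```

Run it as `.\hunt.ps1 -Hours 72` on a live host, or `.\hunt.ps1 -Path .\Security.evtx` against a collected log. The 4720/4728 correlation joins on SID rather than account name because 4728's MemberName is a distinguished name that does not always match the sAMAccountName in 4720.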
Suggested Audit Policy Configuration
To fully benefit from this log reference, enable these audit policies via GPO:
Local Policies → Audit Policy
- Audit account logon events → Success/Failure
- Audit logon events → Success/Failure
- Audit object access → Success/Failure
- Audit privilege use → Success
- Audit account management → Success/Failure
Advanced Audit Policy Configuration
- Audit Credential Validation
- Audit Logon
- Audit Account Lockout
- Audit Special Logon
- Audit Detailed File Share
- Audit Security Group Management
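The same configuration applied on a single host with auditpol.exe and verified, followed by the SACL that object access auditing also needs. This is an added example, not the reference's own procedure: auditpol stands in for the GPO path above (useful on a lab box or a non-domain-joined server), the mapping from the legacy policy names to auditpol categories is ours, and C:\Sensitive is a constructed path.

```powershell
# Added example, not part of the original reference: apply the suggested audit
# policy with auditpol.exe on one host (a stand-in for the GPO path above), verify
# it, then add the SACL that Object Access auditing also needs. Run elevated.
# C:\Sensitive is a constructed path.

# Legacy "Local Policies > Audit Policy" entries mapped to auditpol categories.
$legacy = @(
    @{ Category = 'Account Logon';      Failure = $true  }   # Audit account logon events
    @{ Category = 'Logon/Logoff';       Failure = $true  }   # Audit logon events
    @{ Category = 'Object Access';      Failure = $true  }   # Audit object access
    @{ Category = 'Privilege Use';      Failure = $false }   # Audit privilege use (Success only)
    @{ Category = 'Account Management'; Failure = $true  }   # Audit account management
)
foreach ($p in $legacy) {
    $apArgs = @('/set', "/category:$($p.Category)", '/success:enable')
    if ($p.Failure) { $apArgs += '/failure:enable' }
    & auditpol.exe @apArgs | Out-Null
}

# Advanced Audit Policy subcategories from the list above, Success and Failure.
$advanced = @('Credential Validation', 'Logon', 'Account Lockout', 'Special Logon',
              'Detailed File Share', 'Security Group Management')
foreach ($sub in $advanced) {
    & auditpol.exe /set "/subcategory:$sub" /success:enable /failure:enable | Out-Null
}

# Verify the effective settings; each listed subcategory should read "Success and Failure".
& auditpol.exe /get /category:* | Select-String -Pattern ($advanced -join '|')

# Object auditing (4663) also requires a SACL on the object itself. This rule audits
# successful and failed Delete and WriteData by any principal across the folder tree,
# which is exactly what the 4663 hunting tip looks for.
$folder = 'C:\Sensitive'
$acl = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, WriteData',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl
(Get-Acl -Path $folder -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags
```

In production, pick one model rather than mixing both lists: when the policy "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, the Advanced Audit Policy subcategory settings take precedence and the legacy category entries are ignored. Writing a SACL requires SeSecurityPrivilege, which is why the script must run elevated.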