🛡️ For Cybersecurity Defensive Operations and IR/Threat Hunting
🔐 Authentication Events
🗝️ Account Management Events
📂 Object Access Events
✅ Note: Object access events (4663 and friends) are only written when two things are in place: the audit policy is enabled via GPO (legacy "Audit object access", or the File System / Registry subcategories under Advanced Audit Policy), and the file, folder or registry key carries a SACL naming the identities and access types to audit. The policy alone logs nothing; the SACL alone logs nothing.
🧰 Privilege Use and Logon Types
PRO Tip: Combine the Logon Type field with Event 4624/4625. Type 10 (RemoteInteractive) is RDP, Type 4 (Batch) is a scheduled task, Type 5 (Service) is a service start, Type 2 (Interactive) is console, and Type 3 (Network) from one workstation to another is what lateral movement over SMB, WinRM or admin shares looks like. Type 9 (NewCredentials) is produced by runas /netonly and is also what many pass-the-hash tools leave behind.
⚙️ System and Service Events
🧠 Key Hunting & Investigation Tips
- 🔍 Look for 4624 with Logon Type 10 (RemoteInteractive) to find RDP sessions. With Network Level Authentication on, a Type 3 logon from the same source precedes it, so do not count the pair as two sessions; a reconnect to an existing session produces 4778 instead of a new 4624.
- 🧪 Failed logons (4625) in high volume from one source, or spread thinly across many usernames, indicate brute force or password spraying. The SubStatus field separates the cases: 0xC000006A is a wrong password for a valid account, 0xC0000064 is a username that does not exist. A resulting lockout shows up as 4740 on the domain controller.
- 🛠️ 4720 (user account created) followed within minutes by 4728 / 4732 / 4756 (member added to a security-enabled global / local / universal group; Domain Admins and Administrators are the ones to watch), typically by the same subject → potential admin backdoor. Match on the new account's SID (TargetSid in 4720, MemberSid in the group event) rather than on the name, which can be changed in between.
- 🧼 1102 (the audit log was cleared) → possible anti-forensics. 1102 is itself the record of the clear, so a Security log that starts with one is suspect on its face; Event 104 in the System log records the other logs being cleared, and a 1100 (event logging service shut down) outside a reboot or patch window deserves the same scrutiny.
- 🚩 4663 whose Accesses / AccessMask include DELETE, WriteData or AppendData on sensitive files = possible data tampering; a burst of ReadData across many files on a sensitive share from one account is the signal for staging before exfiltration. Enrich with ProcessName and SubjectLogonId to tie the access back to the logon session (4624) that performed it.
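The following is an added example for this page, not code from the original page or its author: one hunting pass over the local Security log that implements the logon-type tip and the five hunting tips above with Get-WinEvent. It assumes an elevated PowerShell session on a host where the audit policies listed on this page are enabled; the 24-hour lookback, the failed-logon threshold of 20 and the watched-path pattern are illustrative assumptions to replace with your own.

```powershell
# Added example for this page (not the page's own code): one hunting pass over the local
# Security log that implements the logon-type tip and the five hunting tips above.
# Run from an elevated PowerShell on a host where the audit policies on this page are on.
# Lookback window, failed-logon threshold and the watched-path pattern are assumptions.

$Since     = (Get-Date).AddHours(-24)
$Threshold = 20                      # failed logons from one source before we flag
$WatchPath = '\\Finance\\|\\HR\\'    # regex applied to the 4663 ObjectName field

function Get-SecEvents {
    # Same query shape for every hunt; an empty result is not an error.
    param([int[]]$Id)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue
}

function ConvertTo-EventDataObject {
    # Flatten <EventData><Data Name="..."> into an object so fields are addressable by name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

# 1) RDP: 4624 with LogonType 10. A Type 3 from the same source a moment earlier is the NLA
#    pre-authentication, not a second session; a reconnect shows as 4778 instead of 4624.
Write-Host '== RDP logons (4624, LogonType 10) =='
Get-SecEvents -Id 4624 | ForEach-Object {
    $e = ConvertTo-EventDataObject $_
    if ($e.LogonType -eq '10') {
        [pscustomobject]@{ Time = $_.TimeCreated; User = "$($e.TargetDomainName)\$($e.TargetUserName)"; Source = $e.IpAddress }
    }
} | Format-Table -AutoSize

# 2) Brute force / spraying: 4625 grouped by source. SubStatus 0xC000006A = wrong password for
#    a real account, 0xC0000064 = no such user. Many users with few tries each = spray.
Write-Host "== Sources with >= $Threshold failed logons (4625) =="
Get-SecEvents -Id 4625 | ForEach-Object { ConvertTo-EventDataObject $_ } |
    Group-Object IpAddress | Where-Object Count -ge $Threshold | ForEach-Object {
        [pscustomobject]@{
            Source      = $_.Name
            Attempts    = $_.Count
            BadPassword = @($_.Group | Where-Object { $_.SubStatus -eq '0xC000006A' }).Count
            UnknownUser = @($_.Group | Where-Object { $_.SubStatus -eq '0xC0000064' }).Count
            Users       = (@($_.Group.TargetUserName | Sort-Object -Unique) -join ',')
        }
    } | Format-Table -AutoSize

# 3) Backdoor admin: 4720 (account created) whose new SID appears as MemberSid in a
#    4728/4732/4756 (added to a global/local/universal security group) within 10 minutes.
#    Matching on SID rather than name survives a rename between the two events.
Write-Host '== Accounts added to a group within 10 minutes of creation =='
$created = Get-SecEvents -Id 4720 | ForEach-Object {
    $e = ConvertTo-EventDataObject $_
    [pscustomobject]@{ Time = $_.TimeCreated; Sid = $e.TargetSid; User = $e.TargetUserName; Creator = $e.SubjectUserName }
}
$added = Get-SecEvents -Id 4728, 4732, 4756 | ForEach-Object {
    $e = ConvertTo-EventDataObject $_
    [pscustomobject]@{ Time = $_.TimeCreated; Sid = $e.MemberSid; Group = $e.TargetUserName; By = $e.SubjectUserName }
}
$backdoors = foreach ($c in $created) {
    $added | Where-Object { $_.Sid -eq $c.Sid -and $_.Time -ge $c.Time -and $_.Time -le $c.Time.AddMinutes(10) } |
        ForEach-Object { [pscustomobject]@{ Created = $c.Time; User = $c.User; By = $c.Creator; Group = $_.Group; At = $_.Time } }
}
$backdoors | Format-Table -AutoSize

# 4) Anti-forensics: 1102 is itself the "audit log was cleared" record. Its subject sits under
#    <UserData><LogFileCleared>, not <EventData>; 104 in the System log covers the other logs.
Write-Host '== Security log cleared (1102) =='
Get-SecEvents -Id 1102 | ForEach-Object {
    $u = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
    [pscustomobject]@{ Time = $_.TimeCreated; By = "$($u.SubjectDomainName)\$($u.SubjectUserName)" }
} | Format-Table -AutoSize

# 5) Tampering / staging: 4663 on watched paths whose AccessMask carries DELETE (0x10000),
#    WriteData (0x2) or AppendData (0x4). Bulk ReadData (0x1) is the exfiltration precursor.
Write-Host '== Destructive access to watched paths (4663) =='
$Destructive = 0x10000 -bor 0x2 -bor 0x4
Get-SecEvents -Id 4663 | ForEach-Object {
    $e = ConvertTo-EventDataObject $_
    if ($e.ObjectName -match $WatchPath) {
        $mask = [Convert]::ToInt64($e.AccessMask, 16)   # "0x10000" style hex string
        if ($mask -band $Destructive) {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $e.SubjectUserName; Object = $e.ObjectName; Process = $e.ProcessName; Mask = $e.AccessMask }
        }
    }
} | Format-Table -AutoSize
```

The same queries port directly to a SIEM once you know the field names; the XML flattening is what gives you LogonType, SubStatus, MemberSid and AccessMask as first-class fields instead of text to regex out of the Message. On a domain controller, run hunts 2 and 3 there rather than on workstations, since 4720/4728 and most 4625 for domain accounts are logged where the account lives.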
⚙️ Suggested Audit Policy Configuration
To fully benefit from this log reference, enable these audit policies via GPO:
📁 Local Policies → Audit Policy
- Audit account logon events ✅ Success/Failure
- Audit logon events ✅ Success/Failure
- Audit object access ✅ Success/Failure
- Audit privilege use ✅ Success
- Audit account management ✅ Success/Failure
🧩 Advanced Audit Policy Configuration
Prefer these subcategories over the legacy categories above on Windows 7 / Server 2008 R2 and later: they are finer-grained, and once the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled (recommended whenever any advanced policy is in use) they take precedence and the legacy category settings are ignored, so the two lists do not have to be kept in sync.
- Audit Credential Validation ✅ Success/Failure → 4776, NTLM credential checks on the validating host
- Audit Logon ✅ Success/Failure → 4624, 4625, 4648
- Audit Account Lockout ✅ Failure → 4625 logged against an account that is already locked out
- Audit Special Logon ✅ Success → 4672, a logon that was granted admin-equivalent privileges
- Audit Detailed File Share ✅ Success/Failure → 5145, per-file and per-folder access on shares
- Audit Security Group Management ✅ Success/Failure → 4728, 4732, 4756 and the matching member-removed events
- Audit User Account Management ✅ Success/Failure → 4720, 4740; required for the account-backdoor tip above
- Audit File System ✅ Success/Failure → 4663, only on objects that also carry a SACL
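The following is an added example for this page, not code from the original page or its author: the per-host equivalent of the GPO settings above, applied with auditpol.exe, together with the SACL that File System auditing needs before a single 4663 is written. It assumes an elevated session; the SCENoApplyLegacyAuditPolicy registry value is the backing store of the "Force audit policy subcategory settings" option mentioned above. The folder path and the audited identity are assumptions.

```powershell
# Added example for this page (not the page's own code): per-host equivalent of the GPO
# settings above using auditpol.exe, plus the SACL that 4663 needs. Run elevated.
# The folder path and the audited identity below are assumptions; pick your own.

# 1) Make the subcategories authoritative. With this set, legacy "Audit Policy" category
#    settings are ignored (this is the registry value behind the "Force audit policy
#    subcategory settings" security option).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 2) Subcategories from the list above, with the events each one produces.
$Subcategories = @(
    @{ Name = 'Credential Validation';     Success = $true; Failure = $true  }  # 4776
    @{ Name = 'Logon';                     Success = $true; Failure = $true  }  # 4624 / 4625 / 4648
    @{ Name = 'Account Lockout';           Success = $false; Failure = $true }  # 4625 against a locked-out account
    @{ Name = 'Special Logon';             Success = $true; Failure = $false }  # 4672
    @{ Name = 'Detailed File Share';       Success = $true; Failure = $true  }  # 5145
    @{ Name = 'Security Group Management'; Success = $true; Failure = $true  }  # 4728 / 4732 / 4756
    @{ Name = 'User Account Management';   Success = $true; Failure = $true  }  # 4720 / 4740
    @{ Name = 'File System';               Success = $true; Failure = $true  }  # 4663, only with a SACL
)
foreach ($s in $Subcategories) {
    $succ = if ($s.Success) { 'enable' } else { 'disable' }
    $fail = if ($s.Failure) { 'enable' } else { 'disable' }
    auditpol.exe /set "/subcategory:$($s.Name)" "/success:$succ" "/failure:$fail" | Out-Null
}

# 3) Verify what is actually in force; a GPO refresh can override local settings.
auditpol.exe /get /category:* | Select-String -Pattern ($Subcategories.Name -join '|')

# 4) The SACL without which File System auditing logs nothing: audit successful delete and
#    write access by anyone under the watched folder, inherited by files and subfolders.
$Folder = 'C:\Shares\Finance'   # assumption
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Delete,WriteData,AppendData', 'ContainerInherit,ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl
(Get-Acl -Path $Folder -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

Keep the SACL narrow: auditing ReadData for Everyone on a busy share floods the Security log and rolls older events out before an investigation starts. Audit the write and delete rights broadly, and add ReadData only on the handful of folders where bulk reads would themselves be the alert.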