# Event IDs for detecting badness

## General events
| Event ID | Event Log | Summary |
|---|---|---|
| 4624, 4625 | Security | Non-Kerberos logon activity |
| 1000 | Application | Application crash |
| 3001 - 3004, 3023 | Microsoft-Windows-CodeIntegrity/Operational | Windows integrity error |
| 219 | System | Failed kernel driver load |
| 1-7, 9-10, 13-17 | System | File protection errors |
| 865, 8003, 8004, 8006, 8007 | Application | AppLocker and SRP logs |
| 5038, 6281 | Security | Invalid hash of file |
| 7000-7001, 7022-7024, 7026, 7031, 7032, 7034 | System | Windows service failures/crashes |
| 25, 31 | Microsoft-Windows-WindowsUpdateClient/Operational | Windows Update failure |
| 1100 | Security | Event logging service stopped |
| 4657 | Security | Registry value modified |
| 4697 | Security | Service installed on system |
| 4698 | Security | Scheduled task was created |
| 4699 | Security | Scheduled task was deleted |
| 4700 | Security | Scheduled task was enabled |
| 4701 | Security | Scheduled task was disabled |
| 4702 | Security | Scheduled task was updated |
| 4719 | Security | System audit policy changed |
| 4739 | Security | Domain policy changed |
| 4741 | Security | Computer account created |
## Firewall/network events
| Event ID | Event Log | Summary |
|---|---|---|
| 4950 | Security | Windows Firewall setting has changed |
| 4946 | Security | Change made to Windows Firewall exception list; rule added |
| 4947 | Security | Change made to Windows Firewall exception list; rule modified |
| 4948 | Security | Change made to Windows Firewall exception list; rule deleted |
| 5025 | Security | Windows Firewall service stopped |
| 5031 | Security | Windows Firewall blocked application from accepting incoming connections |
## User events
| Event ID | Event Log | Summary |
|---|---|---|
| 4782 | Security | A password hash was accessed |
| 4798 | Security | User’s local group membership was enumerated |
| 4799 | Security | Security-enabled local group membership was enumerated |
| 4720 | Security | User account created |
| 4722 | Security | User account enabled |
| 4726 | Security | User account deleted |
| 4725 | Security | User account disabled |
| 4767 | Security | User account unlocked |
| 4624 with LogonType == 10 | Security | RDS session created |
| 4672 | Security | Admin logged on |
| 4740 | Security | Account locked out |
| 4728, 4732, 4756 | Security | User added to privileged group |
| 4735 | Security | Security-enabled group modified |
| 4723, 4724 | Security | Attempt made to change password |
| 4738 | Security | User account modified |
| 4624 | Security | User login successful |
| 4625 | Security | User login unsuccessful |
| 4648 | Security | Account login with alternate credentials |
## Especially interesting
| Event ID | Event Log | Summary |
|---|---|---|
| 104 | System | Event log was cleared |
| 102 | System | Audit log was cleared |
| 1102 | Security | Audit log was cleared |
| 6 | System | New kernel filter driver |
| 7045 | System | New Windows service |
| 1022, 1033 | System | MSI installed |
| 4649 | Security | Replay attack detected |
