Security Event IDs for Threat Hunters


This guide walks through a selection of Windows Security event IDs that expose hidden risks and active threats, from unauthorized service installations to account changes and network policy denials. For each event it explains what the event records, why an adversary might cause it, and what a threat hunter should check when it appears.

Event 4618 – A monitored security event pattern has occurred.

Event 4618 is generated when a security event pattern that the system has been configured to monitor is observed. The event itself carries little context beyond the pattern that fired, so treat it as a pointer: pull the surrounding Security log entries for the same subject and time window to establish what actually happened.

Potential risks: The risk depends on the pattern that triggered the event. Threat hunters should use the event details to identify security breaches, unauthorized access attempts or other suspicious activity that could put the system or network at risk.

Event 4649 – A replay attack was detected.

Event 4649 is raised by the Kerberos subsystem when it detects a replayed authenticator: a request identical to one it has already accepted from the same client within the allowed time window. Replay detection is part of the Kerberos specification (RFC 1510, now superseded by RFC 4120). A genuine replay means someone captured a Kerberos exchange and re-sent it to impersonate a legitimate user, but the event is also produced by benign conditions such as an application that retries an authentication request or a misconfigured service, so check whether the client and target named in the event match a known retry pattern before escalating.

Potential risks: If Event 4649 is a genuine replay attack, it can compromise the confidentiality, integrity or availability of the system or network. A successful replay bypasses authentication, grants unauthorized access, or lets the attacker manipulate data as the impersonated user.

Event 4719 – System audit policy was changed.

Event 4719 records a change to the system audit policy: the per-subcategory success and failure settings that decide which security activity is logged. The event names the account that made the change (Subject), the audit subcategory affected, and whether success or failure auditing was added or removed. Audit policy applied through Group Policy also generates 4719, so expected changes should be baselined rather than alerted on.

Potential risks: Unauthorized changes to the system audit policy may indicate an attempt to evade detection or cover tracks. Removing auditing from subcategories such as Logon, Process Creation or Account Management blinds later investigation, so changes that remove success or failure auditing deserve far more attention than changes that add it.
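The following PowerShell is an added example, not code from the original article: it decodes a 4719 event and flags changes that remove auditing. The field names (SubjectUserName, SubcategoryGuid, AuditPolicyChanges and so on) are those shown in Event Viewer's XML view of the event; the subcategory GUID table is partial and the sample event is constructed for the demonstration.

```powershell
# Added example (not from the original article): decode a 4719 event and flag
# changes that remove auditing. Field names are those of the event's XML view;
# the sample event at the bottom is constructed for this demonstration.

# Subcategory GUIDs are fixed across Windows versions. Only a few are mapped here;
# print the full list on any host with:  auditpol /list /subcategory:* /v
$Subcategories = @{
    '{0CCE9215-69AE-11D9-BED3-505054503030}' = 'Logon'
    '{0CCE922B-69AE-11D9-BED3-505054503030}' = 'Process Creation'
    '{0CCE922F-69AE-11D9-BED3-505054503030}' = 'Audit Policy Change'
    '{0CCE9235-69AE-11D9-BED3-505054503030}' = 'User Account Management'
    '{0CCE9237-69AE-11D9-BED3-505054503030}' = 'Security Group Management'
}

# The AuditPolicyChanges field carries one or more of these resource-string codes.
$ChangeCodes = @{
    '%%8448' = 'Success removed'
    '%%8449' = 'Success added'
    '%%8450' = 'Failure removed'
    '%%8451' = 'Failure added'
}

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="X">value</Data>...</EventData> into a hashtable.
    param([Parameter(Mandatory)][xml]$EventXml)
    $fields = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    return $fields
}

function Get-AuditPolicyChange {
    param([Parameter(Mandatory)][string]$EventXml)
    $f = ConvertFrom-EventData ([xml]$EventXml)
    $guid = $f['SubcategoryGuid'].ToUpper()
    $subcategory = if ($Subcategories.ContainsKey($guid)) { $Subcategories[$guid] } else { $guid }
    $changes = @(($f['AuditPolicyChanges'] -split ',') | ForEach-Object {
        $code = $_.Trim()
        if ($ChangeCodes.ContainsKey($code)) { $ChangeCodes[$code] } else { $code }
    })
    # Removing success or failure auditing is the defence-evasion pattern.
    $removed = @($changes | Where-Object { $_ -like '*removed' })
    [pscustomobject]@{
        Actor       = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
        LogonId     = $f['SubjectLogonId']
        Subcategory = $subcategory
        Changes     = ($changes -join ', ')
        Suspicious  = ($removed.Count -gt 0)
    }
}

# Constructed sample: success auditing switched off for Process Creation.
$sample4719 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4719</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1004336348-1177238915-682003330-1105</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="SubcategoryGuid">{0cce922b-69ae-11d9-bed3-505054503030}</Data>
    <Data Name="AuditPolicyChanges">%%8448</Data>
  </EventData>
</Event>
'@

Get-AuditPolicyChange -EventXml $sample4719 | Format-List

# Live use on a host or against forwarded logs (requires rights to read Security):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4719} |
#     ForEach-Object { Get-AuditPolicyChange -EventXml $_.ToXml() } |
#     Where-Object Suspicious
```

The sample resolves to Subcategory "Process Creation", Changes "Success removed" and Suspicious True. Baseline the 4719 events produced by Group Policy refresh (their Subject is the machine account) before turning the Suspicious flag into an alert.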

Event 4765 – SID History was added to an account.

Event 4765 indicates that a SID was added to an account's sIDHistory attribute. SID History exists for domain migration: a migrated account keeps the SIDs it held in the source domain so it can still access resources there. The event records the account that was modified, the SID that was added and the account that performed the change.

Potential risks: Outside a migration, a SID History addition is a well-known privilege escalation and persistence technique. Injecting the SID of a privileged group (for example Domain Admins or Enterprise Admins of the local domain or of a trusted domain) into an ordinary account gives that account the group's access without any visible group membership. Check that the added SID belongs to a foreign source domain rather than a privileged principal, and that the change coincides with an approved migration.

Event 4766 – An attempt to add SID History to an account failed.

Event 4766 signifies a failed attempt to add SID History to an account. It carries the same subject, target and SID details as 4765; only the outcome differs.

Potential risks: A single failure may be a misconfigured migration tool, but it can also be an attacker who lacks the required privileges or is working against a domain controller that rejected the SID. Treat it like 4765: identify who attempted it, which SID was involved, and whether a successful 4765 for the same target followed.
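The following PowerShell is an added example, not code from the original article: it triages the SIDs a 4765 or 4766 event reports as added to (or attempted against) an account's SID History. The local domain SID and the SID list are constructed for the demo; on a live system the domain SID comes from (Get-ADDomain).DomainSID and the SIDs from the event's SID List field.

```powershell
# Added example (not from the original article): triage SIDs from a 4765/4766
# SID List. Local domain SID and input SIDs below are constructed for the demo.

# RIDs and built-in SIDs whose presence in sIDHistory is almost never legitimate.
$PrivilegedRids    = @(500, 512, 516, 518, 519)   # Administrator, Domain Admins, Domain Controllers, Schema Admins, Enterprise Admins
$PrivilegedBuiltin = @('S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-551')  # Administrators, Account/Server/Backup Operators

function Test-SidHistoryEntry {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$LocalDomainSid
    )
    $reasons = New-Object System.Collections.Generic.List[string]
    try {
        $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    } catch {
        return [pscustomobject]@{ Sid = $Sid; Suspicious = $true; Reasons = 'malformed SID' }
    }

    if ($PrivilegedBuiltin -contains $s.Value) {
        $reasons.Add('privileged built-in group')
    }
    # AccountDomainSid is null for well-known SIDs and set for S-1-5-21-<domain>-<rid>.
    if ($s.AccountDomainSid) {
        $rid = [int](($s.Value -split '-')[-1])
        if ($s.AccountDomainSid.Value -eq $LocalDomainSid) {
            $reasons.Add('SID is from the local domain; migration history only holds foreign SIDs')
        }
        if ($PrivilegedRids -contains $rid) {
            $reasons.Add("well-known privileged RID $rid")
        } elseif ($rid -lt 1000) {
            $reasons.Add("default principal (RID $rid below 1000)")
        }
    }
    [pscustomobject]@{
        Sid        = $s.Value
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed input: the trusting (local) domain and four SIDs from a 4765 SID List.
$localDomainSid = 'S-1-5-21-1004336348-1177238915-682003330'
$sidList = @(
    'S-1-5-21-3623811015-3361044348-30300820-1203',  # ordinary user migrated from the source domain
    'S-1-5-21-3623811015-3361044348-30300820-512',   # source domain's Domain Admins
    'S-1-5-21-1004336348-1177238915-682003330-519',  # local Enterprise Admins: injection, not migration
    'S-1-5-32-544'                                   # BUILTIN\Administrators
)
$sidList | ForEach-Object { Test-SidHistoryEntry -Sid $_ -LocalDomainSid $localDomainSid } |
    Format-Table -AutoSize

# Live: enumerate accounts that already carry history, then triage each SID
# (requires the ActiveDirectory module; "$_" stringifies the SID objects returned).
# $domainSid = (Get-ADDomain).DomainSID.Value
# Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory | ForEach-Object {
#     $_.sIDHistory | ForEach-Object { Test-SidHistoryEntry -Sid "$_" -LocalDomainSid $domainSid }
# }
```

Only the first SID passes clean: it is an ordinary RID from the foreign source domain. The second is the source domain's Domain Admins, the third belongs to the local domain and carries RID 519, and the fourth is BUILTIN\Administrators; each is flagged with its reason.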

Event 4794 – An attempt was made to set the Directory Services Restore Mode administrator password.

Event 4794 is logged on a domain controller when someone sets the password of the Directory Services Restore Mode (DSRM) administrator account, the local administrator account used to boot the DC into DSRM for Active Directory recovery. The event records who made the change (Subject) and whether it succeeded.

Potential risks: The DSRM account is a local account on the DC that is not subject to domain password policy and is rarely reviewed, which makes it attractive for persistence. An attacker who sets a known DSRM password and then changes the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior to 2, so the account can log on while the DC is running normally, keeps administrative access to the DC that survives domain password resets. When 4794 appears outside a planned recovery exercise, verify the DsrmAdminLogonBehavior value on that DC and confirm the change with the administrator named in the event.

Event 4897 – Role separation enabled.

Event 4897 is an Active Directory Certificate Services event: it is logged when role separation is enforced on a certification authority. With role separation on, one account cannot hold both the CA administrator and certificate manager roles, so no single person can both reconfigure the CA and approve certificate requests.

Potential risks: Enabling role separation is a hardening step, but the event is still worth reviewing. Confirm that the change was planned and that the CA administrator and certificate manager roles are assigned to distinct accounts. If role separation was instead disabled, that loosens control over certificate issuance and should be investigated as a possible preparation for issuing certificates outside the approval process.

Event 4964 – Special groups have been assigned to a new logon.

Event 4964 is logged at logon when the new logon's token contains one or more SIDs from the Special Groups list, an administrator-defined set of group SIDs kept in the registry (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit, value SpecialGroups, SIDs separated by semicolons). The event names the account that logged on and the special group SIDs that matched. Nothing is logged unless the list has been populated and the Audit Special Logon subcategory is enabled.

Potential risks: The value of 4964 is that it singles out logons by accounts in the groups you care about (Domain Admins, Enterprise Admins, service account groups) from the flood of ordinary 4624 events. Compare each 4964 with expected administrative activity: a privileged logon at an unusual time, from an unusual host, or by an account that is not on the administrator roster points to credential misuse.
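The following PowerShell is an added example, not code from the original article: it builds the SpecialGroups registry value so that 4964 is generated, and checks an existing configuration for missing groups. The domain group name is an assumption for the demo; resolving BUILTIN groups works offline, domain groups need a reachable domain controller. The lines that change system state are left as comments.

```powershell
# Added example (not from the original article): configure and verify the
# Special Groups list behind event 4964. Group names are demo assumptions.

$AuditKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit'

function Resolve-GroupSid {
    # 'BUILTIN\Administrators' resolves on any host; 'CORP\Domain Admins' needs a DC.
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-SpecialGroupsValue {
    # The registry value is one REG_SZ string of SIDs separated by semicolons.
    param([Parameter(Mandatory)][string[]]$Sids)
    ($Sids | Sort-Object -Unique) -join ';'
}

function Test-SpecialGroupsConfig {
    # Report which wanted SIDs are absent from the configured list. Reads the
    # registry (no admin rights needed) unless a value is supplied for testing.
    param([Parameter(Mandatory)][string[]]$WantedSids, [string]$Configured)
    if (-not $PSBoundParameters.ContainsKey('Configured')) {
        $item = Get-ItemProperty -Path $AuditKey -Name SpecialGroups -ErrorAction SilentlyContinue
        $Configured = if ($item) { $item.SpecialGroups } else { '' }
    }
    $present = @($Configured -split ';' | Where-Object { $_ })
    [pscustomobject]@{
        Configured = $present
        Missing    = @($WantedSids | Where-Object { $present -notcontains $_ })
    }
}

# Groups whose logons should raise 4964.
$wanted = @(Resolve-GroupSid 'BUILTIN\Administrators')          # S-1-5-32-544
# $wanted += Resolve-GroupSid 'CORP\Domain Admins'               # add domain groups when a DC is reachable
$value = New-SpecialGroupsValue -Sids $wanted
"SpecialGroups value to set: $value"

# Check a configuration without touching the registry (constructed value that
# already lists Administrators and a domain's Domain Admins):
Test-SpecialGroupsConfig -WantedSids $wanted `
    -Configured 'S-1-5-32-544;S-1-5-21-1004336348-1177238915-682003330-512'

# To apply (administrative shell), then sign in as a member of one of the groups:
# Set-ItemProperty -Path $AuditKey -Name SpecialGroups -Value $value -Type String
# auditpol /set /subcategory:"Special Logon" /success:enable
```

Both switches are needed: a populated SpecialGroups value with the Special Logon subcategory disabled produces nothing, and the reverse produces only the routine 4672 "special privileges assigned" events rather than 4964.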

Event 5124 – A security setting was updated on the OCSP Responder Service.

Event 5124 is logged when a security setting on the Online Certificate Status Protocol (OCSP) Responder Service is updated. The OCSP Responder answers real-time certificate status queries on behalf of a CA, so its security settings govern who may administer the responder and the signing configuration it uses.

Potential risks: Changes to the responder's security settings should be rare and tied to a change record. An unauthorized modification can break certificate validation for every relying party, or allow someone to control what status the responder reports for a certificate, which undermines revocation. Threat hunters should identify who made the change and confirm the resulting configuration against the expected baseline.

Event 1102 – The audit log was cleared.

Event 1102 is written by the Microsoft-Windows-Eventlog provider when the Security log is cleared, for example with wevtutil cl Security or Clear-EventLog. It is the first entry in the freshly emptied log and records the account and logon ID that performed the clear. The actor's own 4624 logon event is usually among the entries that were just destroyed.

Potential risks: Clearing the audit log removes the evidence needed to investigate and detect earlier activity, and is one of the most reliable indicators of an intruder covering their tracks. Because the surrounding context is gone from the host, 1102 is only fully useful when Security logs are forwarded to a collector or SIEM before they can be cleared. Investigate who cleared the log and from which session, and check the forwarded copy for what preceded the clear.
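The following PowerShell is an added example, not code from the original article: it pulls the actor out of an 1102 event and joins it to the 4624 for the same logon session to recover the logon type and source address. Unlike most Security events, 1102 keeps its fields under UserData rather than EventData, which is why it is parsed differently. Both events are constructed for the demo.

```powershell
# Added example (not from the original article): join 1102 (log cleared) to the
# 4624 of the same session. Sample events below are constructed.

function Get-LogClearedActor {
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $u = $x.Event.UserData.LogFileCleared      # 1102 fields live under UserData
    [pscustomobject]@{
        Time    = [datetime]$x.Event.System.TimeCreated.GetAttribute('SystemTime')
        Host    = $x.Event.System.Computer
        Actor   = "$($u.SubjectDomainName)\$($u.SubjectUserName)"
        LogonId = $u.SubjectLogonId
    }
}

function Get-LogonSessionIndex {
    # Index 4624 events by TargetLogonId, the ID an 1102's SubjectLogonId refers to.
    param([Parameter(Mandatory)][string[]]$LogonEventXml)
    $index = @{}
    foreach ($raw in $LogonEventXml) {
        $x = [xml]$raw
        $f = @{}
        foreach ($d in $x.Event.EventData.Data) { $f[$d.GetAttribute('Name')] = $d.InnerText }
        $index[$f['TargetLogonId']] = [pscustomobject]@{
            User      = "$($f['TargetDomainName'])\$($f['TargetUserName'])"
            LogonType = $f['LogonType']
            Source    = $f['IpAddress']
            Process   = $f['ProcessName']
        }
    }
    return $index
}

function Find-LogClearing {
    param(
        [Parameter(Mandatory)][string[]]$ClearEventXml,
        [string[]]$LogonEventXml = @()
    )
    $sessions = if ($LogonEventXml.Count) { Get-LogonSessionIndex $LogonEventXml } else { @{} }
    foreach ($raw in $ClearEventXml) {
        $a = Get-LogClearedActor $raw
        $s = if ($a.LogonId) { $sessions[$a.LogonId] } else { $null }
        $logonType = if ($s) { $s.LogonType } else { 'unknown: no 4624 for this session (cleared, or not forwarded)' }
        $source    = if ($s) { $s.Source } else { $null }
        [pscustomobject]@{
            Time = $a.Time; Host = $a.Host; Actor = $a.Actor; LogonId = $a.LogonId
            LogonType = $logonType; Source = $source
        }
    }
}

# Constructed 1102: jdoe cleared the Security log on DC01.
$clear1102 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
    <TimeCreated SystemTime="2024-05-02T01:12:09.000Z"/><Computer>DC01.corp.example</Computer>
  </System>
  <UserData>
    <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserSid>S-1-5-21-1004336348-1177238915-682003330-1105</SubjectUserSid>
      <SubjectUserName>jdoe</SubjectUserName>
      <SubjectDomainName>CORP</SubjectDomainName>
      <SubjectLogonId>0x4a7f3c</SubjectLogonId>
    </LogFileCleared>
  </UserData>
</Event>
'@

# Constructed 4624 for the same session: an RDP logon (type 10) from 10.20.30.40.
$logon4624 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-05-02T00:58:41.000Z"/><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetLogonId">0x4a7f3c</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">10.20.30.40</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>
'@

Find-LogClearing -ClearEventXml $clear1102 -LogonEventXml $logon4624 | Format-List

# Live: the 4624 normally has to come from a forwarded copy, because the clear
# that produced the 1102 also destroyed the local 4624.
# $clears = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} | ForEach-Object { $_.ToXml() }
# $logons = Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents'; Id=4624} | ForEach-Object { $_.ToXml() }
# Find-LogClearing -ClearEventXml $clears -LogonEventXml $logons
```

The join key is the logon ID, which is unique only per boot of the host, so match 1102 and 4624 from the same computer and do not carry IDs across a reboot. Run the function with no 4624 input to see the fallback: the actor is still recovered from the 1102 alone, and the logon type is reported as unknown.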

Event 4621 – Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.

Event 4621 reports that an administrator recovered the system from the CrashOnAuditFail state. With the CrashOnAuditFail policy (registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail) set to 1, the system halts when it cannot write to the Security log; after the reboot the value is 2 and only administrators may log on until an administrator resets it. 4621 marks that reset: non-administrators can log on again, and some auditable activity during the failure window was not recorded.

Potential risks: The event documents a gap in the audit trail. Establish why the Security log could not be written (a full log, a failed disk, or something that filled the log deliberately), what happened during the window, and whether log size and retention settings need adjusting so the condition does not recur. A deliberate flood of events followed by a recovery is a way to make a short window of activity unauditable.

Event 4675 – SIDs were filtered.

Event 4675 indicates that SID filtering removed one or more SIDs from a user's token during authentication across a domain or forest trust. SID filtering (also called quarantine) is a trust protection: when a user from a trusted domain authenticates, the trusting domain discards any SID in the user's token that does not belong to the trusted domain, which includes injected SID History entries.

Potential risks: 4675 is a defence working, but it also means a trusted domain presented SIDs it should not own, which is exactly what SID History injection across a trust looks like. Investigate the filtered SIDs and the account they arrived with. If the trusted domain is compromised, SID filtering is what stands between it and privileges in your domain, so confirm that filtering remains enabled on the trust (4706 and 4716 record the setting) and that nobody has disabled it to make a migration work.

Event 4692 – Backup of data protection master key was attempted.

Event 4692 signifies an attempt to back up a DPAPI (Data Protection API) master key. Each user's master key protects that user's DPAPI secrets (stored credentials, browser passwords, EFS keys); for domain users the master key is backed up to a domain controller under the domain's DPAPI backup key so it can be recovered after a password reset.

Potential risks: Backups are a normal part of a domain user's first DPAPI use on a machine, so the signal is in anomalies: backups triggered by an unexpected process or account, or a burst of backups for many users from one host. Confirm the subject and process in the event, because tooling that harvests DPAPI secrets needs access to master keys.

Event 4693 – Recovery of data protection master key was attempted.

Event 4693 indicates an attempt to recover a DPAPI master key from the domain backup, which happens when a master key cannot be decrypted with the user's current credentials, typically after an administrative password reset.

Potential risks: Legitimate recoveries follow password resets. A recovery without a matching 4724 password reset, or recoveries for many users in a short period, suggests someone is decrypting master keys they should not have. An attacker who has obtained the domain DPAPI backup key from a domain controller can decrypt any domain user's master key offline, so correlate 4693 with recent resets and with access to the backup key on domain controllers.

Event 4706 – A new trust was created to a domain.

Event 4706 reports the creation of a new trust relationship with another domain or forest. The event records the trusted domain and its SID, the trust type and direction, the trust attributes, and whether SID filtering is enabled.

Potential risks: A trust extends your domain's authentication boundary to another domain, so an unauthorized trust is a direct path into the environment. Verify that the trust was planned, that its direction is no broader than required, and that SID filtering is enabled. A trust created with SID filtering disabled lets SIDs from the trusted domain, including injected privileged SIDs, be honoured in your domain.

Event 4713 – Kerberos policy was changed.

Event 4713 signifies a change to the domain's Kerberos policy: the settings in the Default Domain Policy that control ticket lifetimes, ticket renewal, clock skew tolerance, and whether user logon restrictions are enforced.

Potential risks: Longer ticket lifetimes and a wider clock skew tolerance make stolen tickets useful for longer and weaken replay and time-based detections; turning off enforcement of user logon restrictions removes a check performed when tickets are issued. Confirm the change against the change record and the Group Policy history, and review who made it.

Event 4714 – Encrypted data recovery policy was changed.

Event 4714 reports a change to the encrypted data recovery policy, the policy that designates the Encrypting File System (EFS) data recovery agents whose certificates are added to files encrypted after the policy applies so those agents can decrypt them.

Potential risks: Adding a recovery agent gives the holder of its private key the ability to read every file encrypted from that point on; removing one can make data unrecoverable. Verify who changed the policy and which recovery agent certificate was added or removed, and confirm the certificate belongs to the organization's designated recovery key holder.

Event 4715 – The audit policy (SACL) on an object was changed.

Event 4715 indicates that the audit policy (SACL) on an object has been changed. The System Access Control List (SACL) defines which security events are audited for a particular object.

Potential risks: Modifications to the audit policy (SACL) can impact security monitoring and incident detection. Unauthorized or improper changes may result in inadequate or inappropriate auditing, hindering the ability to identify and respond to security incidents effectively. Threat hunters should investigate the event to evaluate the impact of the SACL changes on security controls and incident response capabilities.

Event 4716 – Trusted domain information was modified.

Event 4716 signifies that the attributes of an existing trust were modified, such as its direction, type, transitivity or SID filtering setting. The event records the trusted domain and the new attribute values.

Potential risks: Weakening a trust is quieter than creating one. Disabling SID filtering, making a one-way trust two-way, or changing an external trust into a forest trust each widens the access a trusted domain has in yours. Confirm the change was authorized and compare the resulting attributes with the documented trust design.

Event 4724 – An attempt was made to reset an account’s password.

Event 4724 indicates that one account reset another account's password, as an administrator or help desk does. It differs from 4723, which records a user changing their own password by supplying the old one. The event names both the subject performing the reset and the target account.

Potential risks: Resets of privileged or service accounts, resets by accounts that are not on the help-desk roster, and resets performed from unusual hosts or outside business hours are the cases to examine. A reset followed by a logon with the target account from the same source is the classic sign of account takeover; also watch for a 4724 on a sensitive account that is immediately followed by a DPAPI master key recovery (4693).

Event 4727 – A security-enabled global group was created.

Event 4727 indicates the creation of a security-enabled global group in the domain. Security-enabled groups can be placed in ACLs and granted rights, unlike distribution (security-disabled) groups.

Potential risks: New groups are cheap to create and easy to overlook. A group created outside the change process, particularly one later nested into a privileged group or granted rights on sensitive objects, is a common persistence path. Record the creator and follow the group's subsequent member additions (4728).

Event 4735 – A security-enabled local group was changed.

Event 4735 signifies that an attribute of a security-enabled local group was changed, such as its name, SAM account name or description. Membership changes are separate events (4732 member added, 4733 member removed).

Potential risks: Renaming or re-describing a group can disguise its purpose, for example making a new group look like an existing administrative one. Check the changed attributes listed in the event, who made the change, and whether it coincides with membership changes or new rights assignments on the same host.

Event 4739 – Domain Policy was changed.

Event 4739 indicates a change to domain-wide policy such as the password policy or account lockout policy. The event records the policy that changed and the account that changed it.

Potential risks: Weakening password length or complexity, extending maximum password age, or raising the lockout threshold lowers the bar for password attacks against every account in the domain. Confirm the change against the change record and Group Policy history, and investigate changes made by accounts that do not normally administer domain policy.

Event 4754 – A security-enabled universal group was created.

Event 4754 signifies the creation of a security-enabled universal group. Universal groups can contain, and be granted access by, principals from any domain in the forest, and their membership is published in the global catalog.

Potential risks: The same concerns as for 4727 apply, with forest-wide reach: a universal group can be nested into privileged groups in several domains at once. Validate the creator and purpose, and follow the group's later membership changes (4756) across the forest.

Event 4755 – A security-enabled universal group was changed.

Event 4755 reports a change to the attributes of a security-enabled universal group. Membership changes are logged separately (4756 member added, 4757 member removed).

Potential risks: As with 4735, a rename or description change can disguise a group, and converting a group's scope or type around the same time can extend its reach. Check the changed attributes in the event and who made the change, and look for related membership or group-type events.

Event 4764 – A security-disabled group was deleted / A group’s type was changed.

Event 4764 indicates that a group's type was changed, for example a security-disabled (distribution) group converted into a security-enabled group, or a global group converted to universal. Security-disabled groups are distribution lists: they cannot be used in ACLs, so converting one into a security group gives every existing member whatever access is subsequently granted to the group.

Potential risks: Converting a large distribution list into a security group, or changing scope to get around nesting rules, can grant access far beyond what was intended and without any membership event. Check the old and new type recorded in the event, who made the change, and the group's current membership.

Event 4780 – The ACL was set on accounts which are members of administrators groups.

Event 4780 is generated by the AdminSDHolder protection process (SDProp). Every 60 minutes by default a domain controller copies the ACL of the CN=AdminSDHolder,CN=System container onto every protected account and group (members of Domain Admins, Enterprise Admins, Administrators and the other protected groups) and disables inheritance on them, so that permissions delegated elsewhere in the directory cannot be used to take over privileged accounts. 4780 records that the ACL was applied to an account.

Potential risks: The event is routine, but it has two uses for hunters. An account whose ACL was reset by SDProp and that is not known to be privileged has acquired membership in a protected group, directly or through nesting, and should be explained. Second, because SDProp propagates whatever AdminSDHolder contains, an attacker who adds an ACE to AdminSDHolder gains persistent rights over every privileged account and group within the hour; compare the AdminSDHolder ACL against a known-good baseline whenever 4780 activity looks unusual.

Event 4816 – RPC detected an integrity violation while decrypting an incoming message.

Event 4816 indicates that Remote Procedure Call (RPC) detected an integrity violation while decrypting an incoming message. RPC is a communication protocol used between networked computers.

Potential risks: An integrity violation detected during RPC decryption suggests potential tampering or unauthorized modifications to network communications. Threat hunters should investigate the event to identify the source and nature of the integrity violation. Unauthorized modifications to RPC communications can compromise the confidentiality, integrity, and availability of networked systems and data.

Event 4865 – A trusted forest information entry was added.

Event 4865 signifies that an entry was added to the trusted forest information of a forest trust. This information lists the domains of the trusted forest (their DNS names, NetBIOS names and SIDs) and determines which names and SIDs from that forest are routed and accepted across the trust.

Potential risks: A new entry extends the set of names and SIDs the trusting forest will accept from the trusted one. Unauthorized additions can let an attacker in the trusted forest claim a domain name or SID that collides with, or is accepted as, one of yours. Confirm the entry matches an actual domain in the trusted forest and that the change was planned.

Event 4866 – A trusted forest information entry was removed.

Event 4866 indicates that an entry was removed from the trusted forest information of a forest trust, so names and SIDs from that domain of the trusted forest are no longer routed across the trust.

Potential risks: Removals usually show up as authentication failures for users of the affected domain, which is how they are most often noticed. A deliberate removal can be used to disable name suffix routing as a denial of service, or to prepare for re-adding an entry with different values. Confirm the removal was intentional and that the trust still reflects the intended set of domains.

Event 4867 – A trusted forest information entry was modified.

Event 4867 reports that an entry in the trusted forest information of a forest trust was modified, for example a name suffix enabled or disabled, or a domain's recorded name or SID changed.

Potential risks: A modified entry changes which names and SIDs the trusting forest accepts from the trusted one. Compare the new values with the documented domains of the trusted forest, and treat a changed SID or an enabled suffix that does not belong to the trusted forest as a sign that the trust is being manipulated to smuggle identities across it.

Event 4868 – The certificate manager denied a pending certificate request.

Event 4868 indicates that a certificate manager denied a certificate request that was in the pending state, that is, a request held for manual approval on the CA. The event records the request ID and the manager who denied it.

Potential risks: A denial is usually the approval process working. It is still worth reviewing which request was denied and who submitted it, since a denied request for a template that allows client authentication or for a subject the requester does not own can be an attempted abuse of the CA that was caught by a human. Repeated denials for the same requester deserve a closer look.

Event 4870 – Certificate Services revoked a certificate.

Event 4870 reports that Certificate Services revoked a certificate. The event records the serial number of the certificate, the revocation reason and the account that performed the revocation.

Potential risks: Revocation is the correct response to a compromised or misissued certificate, so the reason code and the requester should match an incident or change record. Revocations that no one can explain, or revocation of certificates belonging to security infrastructure (domain controllers, VPN or web servers, signing keys), can be an attempt to cause an outage or to invalidate a certificate that is about to be replaced by a rogue one.

Event 4882 – The security permissions for Certificate Services changed.

Event 4882 signifies a change to the security permissions of Certificate Services, the ACL that determines who can administer the CA, who can act as certificate manager, and who can request or read certificates.

Potential risks: Granting CA administrator or certificate manager rights to an unexpected account hands that account control over issuance, including the ability to approve requests for certificates that authenticate as other users. Review the resulting permissions against the intended CA role assignments and confirm the change with the administrator named in the event.

Event 4885 – The audit filter for Certificate Services changed.

Event 4885 reports a change to the audit filter of Certificate Services, the CA's AuditFilter setting that selects which categories of CA activity (start and stop, backup and restore, request handling, configuration and security changes, archived key access, revocation and CRL publishing) are written to the Security log. None of the Certificate Services events in this list are produced unless the filter enables the matching category and the Certification Services audit subcategory is turned on.

Potential risks: Lowering the audit filter is a quiet way to make later CA abuse invisible, and because the filter is a registry value it can be changed outside the CA console. Treat any reduction as suspicious, confirm the current value on the CA, and make sure the change is itself captured by a forwarded copy of the log.

Event 4890 – The certificate manager settings for Certificate Services changed.

Event 4890 indicates a change to the certificate manager settings of Certificate Services, the restrictions that limit which templates and which requesters each certificate manager is allowed to approve or deny.

Potential risks: Relaxing these restrictions lets a certificate manager approve requests outside their remit, for example requests for templates that allow logon as other users. Review the resulting restrictions for each manager and confirm the change was authorized.

Event 4892 – A property of Certificate Services changed.

Event 4892 signifies that a property of Certificate Services was changed, for example a CRL or AIA publication setting, a policy or exit module setting, or another CA configuration value.

Potential risks: CA property changes can disable revocation publishing, redirect CRL or AIA locations to attacker-controlled paths, or alter how requests are processed. Identify the property and its new value from the event, compare it with the documented CA configuration, and confirm the change with the administrator named.

Event 4896 – One or more rows have been deleted from the certificate database.

Event 4896 reports that one or more rows were deleted from the certificate database, which holds every issued, pending, failed and revoked request. Rows are normally deleted only during maintenance, for example with certutil -deleterow to purge old failed or expired requests.

Potential risks: Deleting rows removes the record of what the CA issued. An attacker who obtained a certificate through the CA can delete its row to hide the issuance, and deleting revoked entries removes them from future CRLs. Confirm the deletion matches a maintenance window, check which rows were removed, and compare against issuance records held outside the CA.
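The following PowerShell is an added example, not code from the original article. The Certificate Services events above (4868 to 4896) are only written when both the Certification Services audit subcategory and the CA's AuditFilter registry value are enabled; this decodes AuditFilter, which is the bitmask behind the seven checkboxes on the CA's Auditing tab (bit values as documented for certutil), and reports what a given value leaves unaudited. The certutil output and the CA name are constructed for the demo; the commands that change the CA are left as comments.

```powershell
# Added example (not from the original article): decode and verify the CA
# AuditFilter value that gates the 48xx Certificate Services events.

# Bit values of the AuditFilter registry value (CA Auditing tab checkboxes).
$AuditFilterBits = @{
    1  = 'Start and stop Active Directory Certificate Services'
    2  = 'Back up and restore the CA database'
    4  = 'Issue and manage certificate requests'
    8  = 'Change CA configuration'
    16 = 'Change CA security settings'
    32 = 'Store and retrieve archived keys'
    64 = 'Revoke certificates and publish CRLs'
}

function Get-CaAuditFilterState {
    param([Parameter(Mandatory)][int]$AuditFilter)
    $enabled = @(); $missing = @()
    foreach ($bit in ($AuditFilterBits.Keys | Sort-Object)) {
        if ($AuditFilter -band $bit) { $enabled += $AuditFilterBits[$bit] }
        else                         { $missing += $AuditFilterBits[$bit] }
    }
    [pscustomobject]@{
        Value    = ('0x{0:x} ({0})' -f $AuditFilter)
        Complete = (($AuditFilter -band 127) -eq 127)   # 127 = all seven categories
        Enabled  = $enabled
        Missing  = $missing
    }
}

function ConvertFrom-CertutilAuditFilter {
    # Parse the value line that "certutil -getreg CA\AuditFilter" prints, e.g.
    #   AuditFilter REG_DWORD = 7f (127)
    param([Parameter(Mandatory)][string[]]$CertutilOutput)
    $line = $CertutilOutput | Where-Object { $_ -match 'AuditFilter\s+REG_DWORD' } | Select-Object -First 1
    if (-not $line) { throw 'AuditFilter not found: the value is unset, so the CA audits nothing' }
    if ($line -match 'REG_DWORD\s*=\s*([0-9a-fA-F]+)') { return [Convert]::ToInt32($Matches[1], 16) }
    throw "Unexpected certutil output: $line"
}

# Constructed certutil output for an assumed CA where only three categories are on.
$sampleCertutil = @(
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CORP-ISSUING-CA:',
    '  AuditFilter REG_DWORD = e (14)',
    'CertUtil: -getreg command completed successfully.'
)
$state = Get-CaAuditFilterState -AuditFilter (ConvertFrom-CertutilAuditFilter $sampleCertutil)
$state | Format-List

# On the CA itself (administrative shell), both switches are required:
#   auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
#   certutil -setreg CA\AuditFilter 127
#   net stop certsvc; net start certsvc      # AuditFilter is read when the service starts
# Then verify with the live value:
#   Get-CaAuditFilterState -AuditFilter (ConvertFrom-CertutilAuditFilter (certutil -getreg CA\AuditFilter))
```

For the constructed value 14 (2 + 4 + 8) the output lists backup and restore, request handling and configuration changes as enabled, and reports start/stop, security setting changes, archived key access and revocation as missing, with Complete False. Note that a CA with security changes (16) unaudited will never produce 4882, and one with revocation (64) unaudited will never produce 4870, regardless of the Security audit policy.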

Event 4906 – The CrashOnAuditFail value has changed.

Event 4906 indicates a change to the CrashOnAuditFail value (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail). A value of 0 means the system keeps running when the Security log cannot be written; 1 halts the system instead; 2 is the state the system sets after such a halt, in which only administrators may log on.

Potential risks: Switching the value from 1 to 0 removes the guarantee that activity cannot occur unaudited; switching it to 1 on a busy system creates a denial-of-service opportunity for anyone who can fill the Security log. Confirm the change was authorized and that the new value matches the documented policy for that class of system.

Event 4907 – Auditing settings on object were changed.

Event 4907 signifies that the auditing settings (SACL) on an object, such as a file, registry key or directory object, were changed. The event records the object, the account that changed it and the old and new SACL.

Potential risks: Object-level auditing is usually configured on a small set of sensitive objects (AdminSDHolder, key registry paths, credential stores); stripping their SACL silences the 4663 and 5136 style events that monitoring depends on without touching the system audit policy. Compare the old and new SACL in the event and treat removals on monitored objects as probable evasion.

Event 4908 – Special Groups Logon table modified.

Event 4908 reports that the Special Groups Logon table was modified, meaning the SpecialGroups registry value that lists the group SIDs which cause 4964 to be logged when a member signs in. The table does not control who may log on; it only controls which logons are singled out for auditing.

Potential risks: Removing a group from the table stops 4964 from firing for its members, so an attacker with registry access can quietly exempt the group they are abusing from privileged-logon alerting. Compare the new list with the expected one and confirm the change with the administrator named in the event.

Event 4912 – Per User Audit Policy was changed.

Event 4912 indicates a change to the per-user audit policy, the settings (managed with auditpol /set /user) that include or exclude specific accounts from auditing for individual subcategories on top of the system policy.

Potential risks: An exclusion entry for a single account switches off auditing of that account's activity in the chosen subcategories while the system policy looks intact, which makes this an effective and rarely reviewed evasion technique. Treat any new exclusion as suspicious, identify the account it applies to, and verify the current per-user policy with auditpol /get /user:<account> on the affected host.

Event 4960 – IPsec dropped an inbound packet that failed an integrity check.

Event 4960 indicates that IPsec dropped an inbound packet because its integrity check failed: the packet was modified in transit, corrupted, or built by an implementation that does not interoperate with the local one. The event records the local and remote addresses and the security parameter index (SPI) of the security association.

Potential risks: An occasional failure is noise; a steady stream from one peer indicates either a broken path or someone tampering with packets in transit. Group the events by remote address and time, compare what the remote computer sent with what was received, and check the peer's IPsec configuration before assuming an attack.

Event 4961 – IPsec dropped an inbound packet that failed a replay check.

Event 4961 signifies that IPsec dropped an inbound packet due to a failed replay check. This error suggests a potential replay attack against the computer.

Potential risks: Failed replay checks indicate an attempt to retransmit or replay network packets, which can lead to unauthorized access or compromise network integrity. Threat hunters should investigate the event to understand the nature and source of the replay attack. It is crucial to detect and prevent such attacks to ensure the security of network communications.

Event 4962 – IPsec dropped an inbound packet that failed a replay check.

Event 4962 indicates that IPsec dropped an inbound packet due to a failed replay check. The inbound packet had too low a sequence number to ensure it was not a replay.

Potential risks: Failed replay checks due to low sequence numbers can indicate an attempt to replay previous network packets out of order. This can lead to security breaches or unauthorized access. Threat hunters should investigate the event to understand the intentions behind the failed replay check and identify potential security risks associated with packet manipulation.

Event 4963 – IPsec dropped an inbound clear text packet that should have been secured.

Event 4963 reports that IPsec dropped an inbound clear text packet that should have been secured. This error suggests that the remote computer changed its IPsec policy without informing the receiving computer, potentially indicating a spoofing attack attempt.

Potential risks: Dropping clear text packets that should have been secured can expose sensitive information to unauthorized access or compromise the integrity of network communications. Threat hunters should investigate the event to assess the potential spoofing attack or IPsec policy violation. It is crucial to ensure that IPsec policies are correctly configured and aligned between communicating systems to maintain the security of network traffic.

Event 4965 – IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI).

Event 4965 indicates that IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This error is usually caused by malfunctioning hardware that corrupts packets. It may also indicate interoperability issues with other IPsec implementations.

Potential risks: Malfunctioning hardware that corrupts packets can result in data loss, compromised network connections, or potential security breaches. Threat hunters should investigate the event to evaluate the impact of the incorrect SPI and identify potential hardware or interoperability issues. It is crucial to ensure the integrity and compatibility of IPsec implementations to maintain a secure network environment.

Event 4976 – During Main Mode negotiation, IPsec received an invalid negotiation packet.

Event 4976 reports that IPsec received an invalid negotiation packet during Main Mode negotiation. This error suggests a potential network issue or an attempt to modify or replay the negotiation.

Potential risks: Invalid negotiation packets during Main Mode can indicate attempts to manipulate or disrupt IPsec communication or compromise the security of network connections. Threat hunters should investigate the event to assess the nature and source of the invalid negotiation packet. It is crucial to ensure the integrity and authenticity of IPsec negotiation processes to maintain secure communication channels.

Event 4977 – During Quick Mode negotiation, IPsec received an invalid negotiation packet.

Event 4977 signifies that IPsec received an invalid negotiation packet during Quick Mode negotiation. This error suggests a potential network issue or an attempt to modify or replay the negotiation.

Potential risks: Invalid negotiation packets during Quick Mode can indicate attempts to manipulate or disrupt IPsec communication or compromise the security of network connections. Threat hunters should investigate the event to assess the nature and source of the invalid negotiation packet. It is crucial to ensure the integrity and authenticity of IPsec negotiation processes to maintain secure communication channels.

Event 4978 – During Extended Mode negotiation, IPsec received an invalid negotiation packet.

Event 4978 reports that IPsec received an invalid negotiation packet during Extended Mode negotiation. This error suggests a potential network issue or an attempt to modify or replay the negotiation.

Potential risks: Invalid negotiation packets during Extended Mode can indicate attempts to manipulate or disrupt IPsec communication or compromise the security of network connections. Threat hunters should investigate the event to assess the nature and source of the invalid negotiation packet. It is crucial to ensure the integrity and authenticity of IPsec negotiation processes to maintain secure communication channels.

Event 5027 – The Windows Firewall Service was unable to retrieve the security policy from the local storage.

Event 5027 indicates that the Windows Firewall Service encountered an issue while attempting to retrieve the security policy from the local storage. However, the service will continue enforcing the current policy.

Potential risks: The inability to retrieve the security policy may lead to inconsistencies or outdated rules within the Windows Firewall. Threat hunters should investigate the event to identify the cause of the retrieval failure and assess the impact on the firewall’s effectiveness. It is crucial to ensure that the security policy is successfully retrieved to maintain proper network protection.

Event 5028 – The Windows Firewall Service was unable to parse the new security policy.

Event 5028 signifies that the Windows Firewall Service encountered difficulties parsing the new security policy. As a result, the service will continue with the currently enforced policy.

Potential risks: Parsing errors of the security policy can prevent the Windows Firewall from applying necessary rule changes or updates. Threat hunters should investigate the event to understand the cause of the parsing failure and assess any potential impact on the firewall’s effectiveness. It is crucial to resolve parsing issues to ensure that the intended security policy is properly enforced.

Event 5029 – The Windows Firewall Service failed to initialize the driver.

Event 5029 reports that the Windows Firewall Service was unable to initialize the driver responsible for enforcing the firewall policy. Despite this failure, the service will continue enforcing the current policy.

Potential risks: The failure to initialize the firewall driver may lead to the inability to apply or enforce firewall rules properly. Threat hunters should investigate the event to identify the cause of the driver initialization failure and assess any potential security gaps or impact on the firewall’s functionality. It is essential to ensure the successful initialization of the driver to maintain an effective firewall protection mechanism.

Event 5030 – The Windows Firewall Service failed to start.

Event 5030 indicates that the Windows Firewall Service failed to start. The failure to start the service prevents the enforcement of the firewall policy.

Potential risks: The inability to start the Windows Firewall Service leaves the system vulnerable to unauthorized network access or compromised security. Threat hunters should investigate the event to identify the reasons behind the service startup failure and take appropriate measures to address the issue promptly. It is crucial to ensure that the Windows Firewall Service starts successfully to provide necessary network protection.

Event 5035 – The Windows Firewall Driver failed to start.

Event 5035 reports that the Windows Firewall Driver failed to start. The failure to start the driver prevents the proper functioning of the Windows Firewall.

Potential risks: The inability to start the Windows Firewall Driver may leave the system vulnerable to network threats or unauthorized access attempts. Threat hunters should investigate the event to identify the reasons behind the driver startup failure and address the issue to restore the firewall’s functionality. It is crucial to ensure the successful startup of the Windows Firewall Driver to maintain effective network protection.

Event 5037 – The Windows Firewall Driver detected a critical runtime error. Terminating.

Event 5037 signifies that the Windows Firewall Driver encountered a critical runtime error, leading to its termination. The termination of the driver prevents the enforcement of firewall rules.

Potential risks: Critical runtime errors in the Windows Firewall Driver can result in the loss of firewall protection and leave the system exposed to potential network threats. Threat hunters should investigate the event to identify the nature and cause of the runtime error. It is crucial to address the runtime error promptly to restore the functionality and effectiveness of the Windows Firewall.

Event 5038 – Code integrity determined that the image hash of a file is not valid.

Event 5038 indicates that code integrity mechanisms have detected that the image hash of a file is not valid. This could be due to unauthorized modification or potential disk device errors.

Potential risks: Invalid image hashes of files can indicate unauthorized modification, tampering, or potential disk device errors that could compromise system integrity and security. Threat hunters should investigate the event to identify the affected file, assess the potential impact, and determine whether it is a result of malicious activity or hardware issues. It is crucial to address any unauthorized modifications or disk errors to maintain the integrity of the system.

Event 5120 – OCSP Responder Service Started

Event 5120 indicates that the OCSP (Online Certificate Status Protocol) Responder Service has started.

Potential risks: The start of the OCSP Responder Service is a normal operational event and does not pose inherent risks. However, threat hunters should monitor the service for any abnormal behavior or potential security incidents related to the OCSP Responder infrastructure.

Event 5121 – OCSP Responder Service Stopped

Event 5121 reports that the OCSP Responder Service has stopped.

Potential risks: The stopping of the OCSP Responder Service is a normal operational event and does not indicate immediate risks. However, threat hunters should monitor the service for any unexpected or unauthorized service stops, which may indicate potential security incidents or disruptions to certificate validation mechanisms.

Event 5122 – A configuration entry changed in OCSP Responder Service

Event 5122 signifies a change in a configuration entry within the OCSP Responder Service.

Potential risks: Changes in configuration entries should be monitored to ensure they are authorized and align with security policies. Unauthorized or improper modifications to the OCSP Responder Service’s configuration may lead to vulnerabilities or operational issues in certificate validation processes. Threat hunters should investigate the event to evaluate the impact of the configuration changes on the security and functionality of the OCSP Responder Service.

Event 5123 – A configuration entry changed in OCSP Responder Service

Event 5123 reports a change in a configuration entry within the OCSP Responder Service.

Potential risks: Changes in configuration entries should be monitored to ensure they are authorized and align with security policies. Unauthorized or improper modifications to the OCSP Responder Service’s configuration may lead to vulnerabilities or operational issues in certificate validation processes. Threat hunters should investigate the event to evaluate the impact of the configuration changes on the security and functionality of the OCSP Responder Service.

Event 5376 – Credential Manager credentials were backed up.

Event 5376 indicates that Credential Manager credentials were backed up. Credential Manager is a Windows component that stores and manages user credentials, such as usernames and passwords.

Potential risks: The backup of Credential Manager credentials is a normal operational event and does not inherently pose risks. However, threat hunters should monitor the backup process to ensure it is performed securely and that the stored credentials are adequately protected. Unauthorized access to the backup files or compromise of the backup mechanism can lead to unauthorized use of stored credentials.

Event 5377 – Credential Manager credentials were restored from a backup.

Event 5377 reports the restoration of Credential Manager credentials from a backup. This event suggests that previously backed up credentials were restored to the Credential Manager.

Potential risks: The restoration of Credential Manager credentials is a normal operational event and does not inherently pose risks. However, threat hunters should monitor the restoration process to ensure it is performed securely and that the restored credentials are legitimate and authorized. Unauthorized restoration of credentials or compromise of the restoration mechanism can lead to unauthorized access to sensitive accounts and information.

Event 5453 – An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.

Event 5453 indicates that an IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. IKEEXT is a Windows service responsible for managing IPsec key exchange and authentication.

Potential risks: The failure to start the IKEEXT service prevents successful IPsec negotiations, which may compromise the confidentiality and integrity of network communications. Threat hunters should investigate the event to identify the reasons behind the service startup failure and take appropriate measures to address the issue promptly. It is crucial to ensure the IKEEXT service starts successfully to maintain the effectiveness of IPsec security mechanisms.

Event 5480 – IPsec Services failed to get the complete list of network interfaces on the computer.

Event 5480 reports that IPsec Services failed to retrieve the complete list of network interfaces on the computer. This failure poses a potential security risk as some network interfaces may not receive the protection provided by the applied IPsec filters.

Potential risks: The failure to obtain the complete list of network interfaces may result in incomplete or inadequate IPsec filtering, leaving certain interfaces vulnerable to unauthorized access or compromise. Threat hunters should investigate the event to identify the cause of the failure and take appropriate measures to ensure the proper configuration and protection of all network interfaces with IPsec filters.

Event 5483 – IPsec Services failed to initialize RPC server. IPsec Services could not be started.

Event 5483 signifies that IPsec Services failed to initialize the RPC (Remote Procedure Call) server, resulting in the inability to start IPsec Services.

Potential risks: The failure to initialize the RPC server prevents the proper functioning of IPsec Services, leaving the system vulnerable to network attacks or potential security risks. Threat hunters should investigate the event to identify the reasons behind the RPC server initialization failure and take appropriate measures to address the issue promptly. It is crucial to ensure the successful initialization of the RPC server to enable the effective operation of IPsec Services.

Event 5484 – IPsec Services has experienced a critical failure and has been shut down.

Event 5484 indicates that IPsec Services encountered a critical failure and has been shut down. The shutdown of IPsec Services increases the risk of network attacks and exposes the computer to potential security risks.

Potential risks: The critical failure and subsequent shutdown of IPsec Services remove the protective mechanisms provided by IPsec, leaving the system vulnerable to network threats and unauthorized access attempts. Threat hunters should investigate the event to identify the nature and cause of the critical failure. It is crucial to address the underlying issues and restore the functionality of IPsec Services to maintain network security.

Event 5485 – IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces.

Event 5485 reports that IPsec Services failed to process some IPsec filters during a plug-and-play event for network interfaces. This failure poses a potential security risk as some network interfaces may not receive the protection provided by the applied IPsec filters.

Potential risks: The failure to process IPsec filters during plug-and-play events can result in incomplete or inadequate IPsec protection for certain network interfaces. This can leave those interfaces vulnerable to unauthorized access or compromise. Threat hunters should investigate the event to identify the cause of the failure and take appropriate measures to ensure the proper configuration and protection of all network interfaces with IPsec filters.

Event 5827 – The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.

Event 5827 indicates that the Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. Netlogon is a Windows service that manages the secure channel connection between domain-joined machines and domain controllers.

Potential risks: The denial of a vulnerable Netlogon secure channel connection indicates that the connection was identified as potentially insecure or compromised. This denial helps protect against attacks targeting vulnerable Netlogon connections. Threat hunters should investigate the event to understand the nature of the connection and assess any potential security risks or attempted unauthorized access.

Event 5828 – The Netlogon service denied a vulnerable Netlogon secure channel connection using a trust account.

Event 5828 indicates that the Netlogon service denied a vulnerable Netlogon secure channel connection using a trust account. Netlogon is a Windows service responsible for authentication and secure communication between domain-joined machines and domain controllers.

Potential risks: The denial of a vulnerable Netlogon secure channel connection using a trust account suggests that the connection was identified as potentially insecure or compromised. This denial helps protect against attacks targeting vulnerable Netlogon connections. Threat hunters should investigate the event to understand the nature of the connection and assess any potential security risks or attempted unauthorized access involving trust accounts.

Event 6145 – One or more errors occurred while processing security policy in the Group Policy objects.

Event 6145 reports that one or more errors occurred while processing security policy in the Group Policy objects. Group Policy is a Windows feature that allows administrators to manage user and computer settings across a network.

Potential risks: Errors in processing security policies within Group Policy objects can lead to misconfigurations or gaps in security controls. Threat hunters should investigate the event to identify the specific errors encountered and their impact on the security posture of the affected systems. It is crucial to address the errors promptly to ensure the effective implementation of security policies.

Event 6273 – Network Policy Server denied access to a user.

Event 6273 indicates that the Network Policy Server (NPS) denied access to a user. NPS is a Windows Server role that provides authentication, authorization, and accounting for network access requests.

Potential risks: The denial of access to a user by the Network Policy Server may indicate authentication or authorization failures, potentially due to misconfigurations, policy violations, or suspicious activity. Threat hunters should investigate the event to identify the reasons behind the denial and assess any potential security risks or unauthorized access attempts.

Event 6274 – Network Policy Server discarded the request for a user.

Event 6274 signifies that the Network Policy Server (NPS) discarded the request for a user. NPS is a Windows Server role that handles network access requests and enforces network policies.

Potential risks: The discarding of a user request by the Network Policy Server can indicate authentication or authorization failures, policy violations, or suspicious activity. Threat hunters should investigate the event to identify the reasons behind the discarded request and assess any potential security risks or unauthorized access attempts.

Event 6275 – Network Policy Server discarded the accounting request for a user.

Event 6275 reports that the Network Policy Server (NPS) discarded the accounting request for a user. NPS is a Windows Server role responsible for accounting and logging network access requests.

Potential risks: The discarding of an accounting request by the Network Policy Server may indicate issues with logging or accounting processes, potentially leading to gaps in audit trails or non-compliance with regulatory requirements. Threat hunters should investigate the event to identify the reasons behind the discarded request and assess any potential impact on accountability, auditing, or security controls.

Event 6276 – Network Policy Server quarantined a user.

Event 6276 indicates that the Network Policy Server (NPS) quarantined a user. NPS is a Windows Server role that applies network access policies, including quarantine policies, to enforce security and compliance.

Potential risks: The quarantine of a user by the Network Policy Server suggests that the user’s system did not meet the defined health policy requirements. Quarantining helps prevent potentially compromised or non-compliant systems from accessing the network. Threat hunters should investigate the event to understand the reasons for quarantine and assess any potential security risks or non-compliance issues.

Event 6277 – Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.

Event 6277 reports that the Network Policy Server (NPS) granted access to a user but put the user on probation due to the host’s failure to meet the defined health policy requirements. NPS applies network access policies, including health policies, to enforce security and compliance.

Potential risks: Placing a user on probation indicates that their system did not meet the defined health policy requirements. Probation allows limited access while encouraging the user to bring their system into compliance. Threat hunters should investigate the event to understand the reasons for probation and assess any potential security risks or non-compliance issues.

Event 6278 – Network Policy Server granted full access to a user because the host met the defined health policy.

Event 6278 signifies that the Network Policy Server (NPS) granted full access to a user because the user’s host system met the defined health policy requirements. NPS applies network access policies, including health policies, to enforce security and compliance.

Potential risks: Granting full access to a user indicates that their system successfully met the defined health policy requirements. However, threat hunters should still investigate the event to ensure that the health policy checks are properly configured and that no unauthorized access was granted. It is crucial to maintain the integrity of health policy checks to prevent compromised or non-compliant systems from accessing the network.

Event 6279 – Network Policy Server locked the user account due to repeated failed authentication attempts.

Event 6279 indicates that the Network Policy Server (NPS) locked a user account due to repeated failed authentication attempts. NPS is a Windows Server role that handles authentication and authorization for network access requests.

Potential risks: The locking of a user account due to repeated failed authentication attempts suggests potential malicious activity, such as brute-force attacks or credential guessing. Threat hunters should investigate the event to identify the source of the failed authentication attempts and assess any potential security risks or unauthorized access attempts. It is crucial to detect and respond to such incidents promptly to mitigate the risk of unauthorized access.

Event 6280 – Network Policy Server unlocked the user account.

Event 6280 reports that the Network Policy Server (NPS) unlocked a previously locked user account. NPS is a Windows Server role responsible for authentication and authorization for network access requests.

Potential risks: The unlocking of a user account indicates that the account’s lockout condition has been resolved or manually overridden. Threat hunters should investigate the event to ensure that the unlocking was authorized and conducted by legitimate administrators. Unauthorized unlocking of user accounts can lead to unauthorized access or compromise of sensitive information.

Event 4612 – Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.

Event 4612 reports that the internal resources allocated for queuing audit messages have been exhausted, resulting in the loss of some audits.

Potential risks: The exhaustion of internal resources for queuing audit messages can lead to the loss of critical security event information. Threat hunters should investigate the event to identify the cause of resource exhaustion and take appropriate measures to prevent the loss of important audit data. It is crucial to ensure that the system can effectively queue and process audit messages for comprehensive security monitoring and incident response.

Event 4614 – A notification package has been loaded by the Security Account Manager.

Event 4614 signifies that a notification package has been loaded by the Security Account Manager (SAM). Notification packages handle events related to user accounts and security in the Windows operating system.

Potential risks: The loading of a notification package by the Security Account Manager is a normal operational event and does not inherently pose risks. However, threat hunters should monitor the event for any unusual or unauthorized notification packages that may indicate potential security issues or unauthorized access attempts.

Event 4615 – Invalid use of LPC port.

Event 4615 indicates an invalid use of a Local Procedure Call (LPC) port. LPC is a mechanism used for interprocess communication in the Windows operating system.

Potential risks: The invalid use of an LPC port may indicate unauthorized or malicious activity attempting to exploit interprocess communication. Threat hunters should investigate the event to identify the source and nature of the invalid use and assess any potential security risks or attempts to compromise system integrity.

Event 4616 – The system time was changed.

Event 4616 reports a change in the system time.

Potential risks: Changes in system time can impact various system operations and may lead to issues with time-sensitive processes, event correlation, or authentication mechanisms. Threat hunters should investigate the event to identify the reasons for the system time change and assess any potential security risks or unauthorized modifications to system settings.

Event 4622 – A security package has been loaded by the Local Security Authority.

Event 4622 indicates that a security package has been loaded by the Local Security Authority (LSA). Security packages provide authentication and security services in the Windows operating system.

Potential risks: The loading of a security package by the Local Security Authority is a normal operational event and does not inherently pose risks. However, threat hunters should monitor the event for any unusual or unauthorized security packages that may indicate potential security issues or unauthorized access attempts.

Event 4624 – An account was successfully logged on.

Event 4624 signifies a successful logon by an account.

Potential risks: Successful account logons are normal operational events, and while they do not inherently pose risks, threat hunters should monitor the event for any unauthorized or suspicious logon activity. It is important to identify and investigate any potential unauthorized access attempts or compromised accounts.

Event 4625 – An account failed to log on.

Event 4625 indicates a failed logon attempt by an account.

Potential risks: Failed logon attempts may indicate unauthorized access attempts, credential guessing, or other malicious activity. Threat hunters should investigate the event to identify the source and nature of the failed logon and assess any potential security risks or attempts to compromise user accounts or system integrity.

Event 4634 – An account was logged off.

Event 4634 reports that an account was logged off from the system.

Potential risks: Account logoffs are normal operational events and do not inherently pose risks. However, threat hunters should monitor the event for any unusual or unauthorized account logoffs that may indicate potential security issues or unauthorized access attempts.

Event 4646 – IKE DoS-prevention mode started.

Event 4646 indicates that the IKE (Internet Key Exchange) Denial of Service (DoS) prevention mode has been started. IKE is a protocol used for establishing IPsec (Internet Protocol Security) connections.

Potential risks: The start of IKE DoS-prevention mode helps protect against DoS attacks targeting IKE services. Threat hunters should investigate the event to ensure the proper functioning of the IKE DoS-prevention mechanisms and monitor for any signs of DoS attacks or attempts to disrupt IKE services.

Event 4647 – User initiated logoff.

Event 4647 signifies that a user initiated a logoff from the system.

Potential risks: User-initiated logoffs are normal operational events and do not inherently pose risks. However, threat hunters should monitor the event for any unusual or unauthorized user logoffs that may indicate potential security issues or attempts to evade monitoring or access controls.

Event 4648 – A logon was attempted using explicit credentials.

Event 4648 reports an attempted logon using explicit credentials.

Potential risks: Logon attempts using explicit credentials may indicate attempts to bypass normal authentication mechanisms or unauthorized use of privileged accounts. Threat hunters should investigate the event to identify the source and nature of the logon attempt and assess any potential security risks or unauthorized access attempts.
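The logon events above (4624, 4625 and 4648) are most useful when correlated rather than read one at a time. The following is an added example, not code from the original post: it assumes the relevant fields (EventID, TimeCreated, TargetUserName, IpAddress, SubjectUserName, Status) have already been parsed out of the Security log into dicts, and the sample records are constructed, not real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data), shaped like the fields a
# parser would pull out of Security log events 4624, 4625 and 4648.
SAMPLE_EVENTS = [
    {"EventID": 4625, "Time": "2024-01-10T08:00:01", "TargetUserName": "alice",
     "IpAddress": "10.0.0.5", "LogonType": 3, "Status": "0xC000006D"},
    {"EventID": 4625, "Time": "2024-01-10T08:00:03", "TargetUserName": "alice",
     "IpAddress": "10.0.0.5", "LogonType": 3, "Status": "0xC000006D"},
    {"EventID": 4625, "Time": "2024-01-10T08:00:05", "TargetUserName": "alice",
     "IpAddress": "10.0.0.5", "LogonType": 3, "Status": "0xC000006D"},
    {"EventID": 4625, "Time": "2024-01-10T08:00:07", "TargetUserName": "alice",
     "IpAddress": "10.0.0.5", "LogonType": 3, "Status": "0xC000006D"},
    {"EventID": 4625, "Time": "2024-01-10T08:00:09", "TargetUserName": "alice",
     "IpAddress": "10.0.0.5", "LogonType": 3, "Status": "0xC000006D"},
    {"EventID": 4624, "Time": "2024-01-10T08:00:12", "TargetUserName": "alice",
     "IpAddress": "10.0.0.5", "LogonType": 3, "Status": None},
    # A single mistyped password from another host: should not be flagged.
    {"EventID": 4625, "Time": "2024-01-10T09:15:00", "TargetUserName": "bob",
     "IpAddress": "10.0.0.9", "LogonType": 2, "Status": "0xC000006A"},
    {"EventID": 4624, "Time": "2024-01-10T09:15:20", "TargetUserName": "bob",
     "IpAddress": "10.0.0.9", "LogonType": 2, "Status": None},
    # Explicit-credential logon: bob's session supplies svc_backup's credentials.
    {"EventID": 4648, "Time": "2024-01-10T10:02:00", "SubjectUserName": "bob",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.9",
     "TargetServerName": "FS01"},
    # Same account on both sides (e.g. runas with one's own account): low interest.
    {"EventID": 4648, "Time": "2024-01-10T10:05:00", "SubjectUserName": "alice",
     "TargetUserName": "alice", "IpAddress": "10.0.0.5",
     "TargetServerName": "localhost"},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def failures_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a 4624 that is preceded, within `window` and from the same source
    address, by at least `threshold` 4625 failures. Returns a list of findings."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["EventID"] in (4624, 4625):
            by_ip[ev["IpAddress"]].append(ev)
    hits = []
    for ip, evs in by_ip.items():
        evs.sort(key=_ts)
        recent_failures = []  # timestamps of 4625s still inside the window
        for ev in evs:
            now = _ts(ev)
            recent_failures = [t for t in recent_failures if now - t <= window]
            if ev["EventID"] == 4625:
                recent_failures.append(now)
            elif len(recent_failures) >= threshold:
                hits.append({"ip": ip, "user": ev["TargetUserName"],
                             "failures": len(recent_failures),
                             "success_at": ev["Time"]})
                recent_failures = []  # one finding per burst
    return hits


def explicit_credential_use(events):
    """Return 4648 events where the acting account differs from the credential
    supplied; that is where alternate or privileged credential use shows up."""
    return [ev for ev in events
            if ev["EventID"] == 4648
            and ev["SubjectUserName"].lower() != ev["TargetUserName"].lower()]


if __name__ == "__main__":
    for hit in failures_then_success(SAMPLE_EVENTS):
        print(f"[4625->4624] {hit['failures']} failures from {hit['ip']} "
              f"then success as {hit['user']} at {hit['success_at']}")
    for ev in explicit_credential_use(SAMPLE_EVENTS):
        print(f"[4648] {ev['SubjectUserName']} used credentials of "
              f"{ev['TargetUserName']} toward {ev['TargetServerName']}")
```

On a real host the records would come from Get-WinEvent with the EventData fields extracted from each event's XML; the threshold and window are tuning knobs, not fixed values.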

Event 4717 – System security access was granted to an account.

Event 4717 indicates that system security access was granted to an account.

Potential risks: Granting system security access to an account allows the account to potentially perform privileged actions and access sensitive system resources. Threat hunters should investigate the event to ensure that the granted access is authorized and aligns with the principle of least privilege. Any unauthorized or excessive system security access could increase the risk of unauthorized system modifications or data breaches.

Event 4718 – System security access was removed from an account.

Event 4718 reports that system security access was removed from an account.

Potential risks: Removing system security access from an account reduces the account’s ability to perform privileged actions and access sensitive system resources. Threat hunters should investigate the event to ensure that the removal of access is authorized and aligns with the principle of least privilege. Any unauthorized removal of system security access could impact system functionality or indicate attempts to restrict authorized access.

Event 4720 – A user account was created.

Event 4720 signifies the creation of a user account.

Potential risks: The creation of a user account is a normal operational event and does not inherently pose risks. However, threat hunters should monitor the event for any unauthorized or suspicious account creations that may indicate potential security issues or attempts to establish unauthorized access.

Event 4722 – A user account was enabled.

Event 4722 indicates that a user account was enabled.

Potential risks: Enabling a user account allows the account to be used for authentication and access to resources. Threat hunters should investigate the event to ensure that the account enabling is authorized and aligns with the organization’s policies. Unauthorized or improper enabling of user accounts could lead to unauthorized access or privilege escalation.

Event 4723 – An attempt was made to change an account’s password.

Event 4723 reports an attempt to change an account’s password.

Potential risks: The attempt to change an account’s password suggests potential unauthorized access or a user’s attempt to modify their own password. Threat hunters should investigate the event to identify the source and nature of the password change attempt and assess any potential security risks or unauthorized password modifications.

Event 4725 – A user account was disabled.

Event 4725 signifies the disabling of a user account.

Potential risks: Disabling a user account restricts its ability to authenticate and access resources. Threat hunters should investigate the event to ensure that the account disabling is authorized and aligns with the organization’s policies. Unauthorized or improper disabling of user accounts could impact system functionality or indicate attempts to restrict authorized access.

Event 4726 – A user account was deleted.

Event 4726 reports the deletion of a user account.

Potential risks: The deletion of a user account can impact access controls and data ownership. Threat hunters should investigate the event to ensure that the account deletion is authorized and aligns with the organization’s policies. Unauthorized or improper deletion of user accounts could result in data loss, unauthorized access, or attempts to cover tracks.

Event 4728 – A member was added to a security-enabled global group.

Event 4728 indicates the addition of a member to a security-enabled global group.

Potential risks: Adding a member to a security-enabled global group grants the member access permissions based on the group’s configured rights and privileges. Threat hunters should investigate the event to ensure that the membership addition is authorized and aligns with the principle of least privilege. Unauthorized or improper additions to security-enabled global groups could result in unauthorized access or privilege escalation.

Event 4729 – A member was removed from a security-enabled global group.

Event 4729 reports the removal of a member from a security-enabled global group.

Potential risks: Removing a member from a security-enabled global group revokes the member’s access permissions based on the group’s configured rights and privileges. Threat hunters should investigate the event to ensure that the membership removal is authorized and aligns with the principle of least privilege. Unauthorized or improper removals from security-enabled global groups could result in unauthorized access or the removal of necessary privileges.

Event 4730 – A security-enabled global group was deleted.

Event 4730 signifies the deletion of a security-enabled global group.

Potential risks: The deletion of a security-enabled global group can impact access controls and permissions assigned to the group. Threat hunters should investigate the event to ensure that the group deletion is authorized and aligns with the organization’s policies. Unauthorized or improper deletions of security-enabled global groups could result in access control gaps or attempts to cover tracks.

Event 4731 – A security-enabled local group was created.

Event 4731 indicates the creation of a security-enabled local group.

Potential risks: The creation of a security-enabled local group can impact access controls and permissions assigned to the group. Threat hunters should investigate the event to ensure that the group creation is authorized and aligns with the organization’s policies. Unauthorized or improper creations of security-enabled local groups could result in access control gaps or attempts to establish unauthorized access.

Event 4732 – A member was added to a security-enabled local group.

Event 4732 reports the addition of a member to a security-enabled local group.

Potential risks: Adding a member to a security-enabled local group grants the member access permissions based on the group’s configured rights and privileges. Threat hunters should investigate the event to ensure that the membership addition is authorized and aligns with the principle of least privilege. Unauthorized or improper additions to security-enabled local groups could result in unauthorized access or privilege escalation.

Event 4733 – A member was removed from a security-enabled local group.

Event 4733 signifies the removal of a member from a security-enabled local group.

Potential risks: Removing a member from a security-enabled local group revokes the member’s access permissions based on the group’s configured rights and privileges. Threat hunters should investigate the event to ensure that the membership removal is authorized and aligns with the principle of least privilege. Unauthorized or improper removals from security-enabled local groups could result in unauthorized access or the removal of necessary privileges.

Event 4734 – A security-enabled local group was deleted.

Event 4734 reports the deletion of a security-enabled local group.

Potential risks: The deletion of a security-enabled local group can impact access controls and permissions assigned to the group. Threat hunters should investigate the event to ensure that the group deletion is authorized and aligns with the organization’s policies. Unauthorized or improper deletions of security-enabled local groups could result in access control gaps or attempts to cover tracks.

Event 4738 – A user account was changed.

Event 4738 indicates that a user account was changed.

Potential risks: User account changes may involve modifications to account settings, attributes, or permissions. Threat hunters should investigate the event to ensure that the account changes are authorized and align with the organization’s policies. Unauthorized or improper user account changes could result in unauthorized access, privilege escalation, or attempts to cover tracks.

Event 4740 – A user account was locked out.

Event 4740 signifies that a user account was locked out.

Potential risks: User account lockouts occur when the number of failed logon attempts exceeds the threshold set by the account lockout policy. Threat hunters should investigate the event to determine the cause of the lockout, such as password guessing or brute-force attacks. Unauthorized or suspicious lockouts may indicate attempts to gain unauthorized access or compromise user accounts.

Event 4741 – A computer account was changed.

Event 4741 reports changes made to a computer account.

Potential risks: Changes to computer accounts may involve modifications to account settings, attributes, or permissions. Threat hunters should investigate the event to ensure that the account changes are authorized and align with the organization’s policies. Unauthorized or improper changes to computer accounts could result in unauthorized access, compromised system integrity, or attempts to cover tracks.

Event 4742 – A computer account was changed.

Event 4742 indicates changes made to a computer account.

Potential risks: Changes to computer accounts may involve modifications to account settings, attributes, or permissions. Threat hunters should investigate the event to ensure that the account changes are authorized and align with the organization’s policies. Unauthorized or improper changes to computer accounts could result in unauthorized access, compromised system integrity, or attempts to cover tracks.

Event 4743 – A computer account was deleted.

Event 4743 signifies the deletion of a computer account.

Potential risks: The deletion of a computer account can impact system functionality and access controls. Threat hunters should investigate the event to ensure that the account deletion is authorized and aligns with the organization’s policies. Unauthorized or improper deletions of computer accounts could result in system disruption, unauthorized access, or attempts to cover tracks.

Event 4744 – A security-disabled local group was created.

Event 4744 indicates the creation of a security-disabled local group.

Potential risks: The creation of a security-disabled local group does not inherently pose risks as it indicates a group that is not currently used for security purposes. However, threat hunters should monitor the event for any unauthorized or suspicious group creations that may indicate potential security issues or attempts to establish unauthorized access.

Event 4745 – A security-disabled local group was changed.

Event 4745 reports changes made to a security-disabled local group.

Potential risks: Changes to security-disabled local groups do not inherently pose risks as these groups are not used for security purposes. However, threat hunters should monitor the event for any unauthorized or suspicious group changes that may indicate potential security issues or attempts to establish unauthorized access.

Event 4746 – A member was added to a security-disabled local group.

Event 4746 signifies the addition of a member to a security-disabled local group.

Potential risks: Adding a member to a security-disabled local group does not inherently pose risks as these groups are not used for security purposes. However, threat hunters should monitor the event for any unauthorized or suspicious member additions that may indicate potential security issues or attempts to establish unauthorized access.

Event 4747 – A member was removed from a security-disabled local group.

Event 4747 reports the removal of a member from a security-disabled local group.

Potential risks: Removing a member from a security-disabled local group does not inherently pose risks as these groups are not used for security purposes. However, threat hunters should monitor the event for any unauthorized or suspicious member removals that may indicate potential security issues or attempts to restrict access.

Event 4748 – A security-disabled local group was deleted.

Event 4748 indicates the deletion of a security-disabled local group.

Potential risks: The deletion of a security-disabled local group does not inherently pose risks as these groups are not used for security purposes. However, threat hunters should monitor the event for any unauthorized or suspicious group deletions that may indicate potential security issues or attempts to cover tracks.

Event 4749 – A security-disabled global group was created.

Event 4749 signifies the creation of a security-disabled global group.

Potential risks: The creation of a security-disabled global group does not inherently pose risks as these groups are not used for security purposes. However, threat hunters should monitor the event for any unauthorized or suspicious group creations that may indicate potential security issues or attempts to establish unauthorized access.

Event 4750 – A security-disabled global group was changed.

Event 4750 reports changes made to a security-disabled global group.

Potential risks: Changes to security-disabled global groups do not inherently pose risks as these groups are not used for security purposes. However, threat hunters should monitor the event for any unauthorized or suspicious group changes that may indicate potential security issues or attempts to establish unauthorized access.

Event 4751 – A member was added to a security-disabled global group.

Event 4751 signifies the addition of a member to a security-disabled global group.

Potential risks: Adding a member to a security-disabled global group does not inherently pose risks as these groups are not used for security purposes. However, threat hunters should monitor the event for any unauthorized or suspicious member additions that may indicate potential security issues or attempts to establish unauthorized access.

Event 4752 – A member was removed from a security-disabled global group.

Event 4752 reports the removal of a member from a security-disabled global group.

Potential risks: Removing a member from a security-disabled global group does not inherently pose risks as these groups are not used for security purposes. However, threat hunters should monitor the event for any unauthorized or suspicious member removals that may indicate potential security issues or attempts to restrict access.

Event 4753 – A security-disabled global group was deleted.

Event 4753 indicates the deletion of a security-disabled global group.

Potential risks: The deletion of a security-disabled global group does not inherently pose risks as these groups are not used for security purposes. However, threat hunters should monitor the event for any unauthorized or suspicious group deletions that may indicate potential security issues or attempts to cover tracks.

Event 4756 – A member was added to a security-enabled universal group.

Event 4756 signifies the addition of a member to a security-enabled universal group.

Potential risks: Adding a member to a security-enabled universal group grants the member access permissions based on the group’s configured rights and privileges. Threat hunters should investigate the event to ensure that the membership addition is authorized and aligns with the principle of least privilege. Unauthorized or improper additions to security-enabled universal groups could result in unauthorized access or privilege escalation.

Event 4757 – A member was removed from a security-enabled universal group.

Event 4757 reports the removal of a member from a security-enabled universal group.

Potential risks: Removing a member from a security-enabled universal group revokes the member’s access permissions based on the group’s configured rights and privileges. Threat hunters should investigate the event to ensure that the membership removal is authorized and aligns with the principle of least privilege. Unauthorized or improper removals from security-enabled universal groups could result in unauthorized access or the removal of necessary privileges.
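The membership events above (4728/4729 for global, 4732/4733 for local and 4756/4757 for universal groups) lend themselves to two automated checks a hunter would run before the manual review the text calls for: additions to highly privileged groups (self-additions included), and add/remove pairs so close together that the membership looks like a temporary grant used and then cleaned up to cover tracks. The Python below is an added example, not the article's own code; the sample records and the SENSITIVE_GROUPS list are constructed for it and should be tuned to the environment. Field names follow the EventData names Windows writes for these events (TargetUserName is the group, MemberName the member's distinguished name, SubjectUserName the account that made the change).

```python
"""Triage of group-membership change events 4728/4729, 4732/4733 and 4756/4757.

All records below are constructed for this example, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs from the article, split into "member added" and "member removed".
MEMBER_ADDED = {4728, 4732, 4756}
MEMBER_REMOVED = {4729, 4733, 4757}

# Groups whose membership grants broad privilege (assumption: tune per environment).
SENSITIVE_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "Backup Operators",
}

# Constructed sample events (EventData names as Windows writes them).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "id": 4728, "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=example,DC=local", "SubjectUserName": "jdoe"},
    {"time": "2024-05-01T09:07:00", "id": 4729, "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=example,DC=local", "SubjectUserName": "jdoe"},
    {"time": "2024-05-01T10:00:00", "id": 4732, "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=alice,OU=Staff,DC=example,DC=local", "SubjectUserName": "helpdesk1"},
    {"time": "2024-05-02T08:00:00", "id": 4756, "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=bob,OU=Staff,DC=example,DC=local", "SubjectUserName": "bob"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def _member_cn(dn):
    """First RDN value of the member DN ('CN=alice,...' -> 'alice')."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def sensitive_additions(events):
    """Additions to sensitive groups; an account adding itself is flagged explicitly."""
    hits = []
    for e in events:
        if e["id"] in MEMBER_ADDED and e["TargetUserName"] in SENSITIVE_GROUPS:
            member = _member_cn(e["MemberName"])
            hits.append({
                "time": e["time"], "group": e["TargetUserName"], "member": member,
                "by": e["SubjectUserName"],
                "self_add": member.lower() == e["SubjectUserName"].lower(),
            })
    return hits


def short_lived_memberships(events, max_age=timedelta(minutes=30)):
    """Add followed by removal of the same member from the same group within max_age.

    A brief privileged membership is a classic way to use elevated rights and then
    tidy up; it is exactly the 'attempts to cover tracks' the article warns about.
    """
    pending = defaultdict(list)   # (group, member DN) -> times the member was added
    findings = []
    for e in sorted(events, key=lambda x: x["time"]):   # ISO timestamps sort as text
        key = (e["TargetUserName"], e["MemberName"])
        if e["id"] in MEMBER_ADDED:
            pending[key].append(_ts(e["time"]))
        elif e["id"] in MEMBER_REMOVED and pending[key]:
            age = _ts(e["time"]) - pending[key].pop(0)
            if age <= max_age:
                findings.append({"group": key[0], "member": _member_cn(key[1]),
                                 "minutes": age.total_seconds() / 60,
                                 "by": e["SubjectUserName"]})
    return findings


if __name__ == "__main__":
    for h in sensitive_additions(SAMPLE_EVENTS):
        print("sensitive add:", h)
    for f in short_lived_memberships(SAMPLE_EVENTS):
        print("short-lived membership:", f)
```

On the constructed sample the first check reports the svc-backup addition to Domain Admins and bob adding himself to Enterprise Admins, and the second pairs the 09:00 addition with the 09:07 removal as a seven-minute membership. A 4728 alone is routine; the pairing is what turns two ordinary events into something worth a ticket.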

Event 4758 – A security-enabled universal group was deleted.

Event 4758 indicates the deletion of a security-enabled universal group.

Potential risks: The deletion of a security-enabled universal group can impact access controls and permissions assigned to the group. Threat hunters should investigate the event to ensure that the group deletion is authorized and aligns with the organization’s policies. Unauthorized or improper deletions of security-enabled universal groups could result in access control gaps or attempts to cover tracks.

Event 4759 – A security-disabled universal group was created.

Event 4759 signifies the creation of a security-disabled universal group.

Potential risks: The creation of a security-disabled universal group does not inherently pose risks as these groups are not used for security purposes. However, threat hunters should monitor the event for any unauthorized or suspicious group creations that may indicate potential security issues or attempts to establish unauthorized access.

Event 4760 – A security-disabled universal group was changed.

Event 4760 reports changes made to a security-disabled universal group.

Potential risks: Changes to security-disabled universal groups do not inherently pose risks as these groups are not used for security purposes. However, threat hunters should monitor the event for any unauthorized or suspicious group changes that may indicate potential security issues or attempts to establish unauthorized access.

Event 4761 – A member was added to a security-disabled universal group.

Event 4761 signifies the addition of a member to a security-disabled universal group.

Potential risks: Adding a member to a security-disabled universal group does not inherently pose risks as these groups are not used for security purposes. However, threat hunters should monitor the event for any unauthorized or suspicious member additions that may indicate potential security issues or attempts to establish unauthorized access.

Event 4762 – A member was removed from a security-disabled universal group.

Event 4762 reports the removal of a member from a security-disabled universal group.

Potential risks: Removing a member from a security-disabled universal group does not inherently pose risks as these groups are not used for security purposes. However, threat hunters should monitor the event for any unauthorized or suspicious member removals that may indicate potential security issues or attempts to restrict access.

Event 4767 – A user account was unlocked.

Event 4767 indicates that a user account was unlocked.

Potential risks: Unlocking a user account restores its ability to authenticate and access resources. Threat hunters should investigate the event to ensure that the account unlocking is authorized and aligns with the organization’s policies. Unauthorized or improper unlocking of user accounts could result in unauthorized access or attempts to evade monitoring or access controls.

Event 4768 – A Kerberos authentication ticket (TGT) was requested.

Event 4768 signifies a request for a Kerberos authentication ticket (TGT).

Potential risks: Requesting a Kerberos authentication ticket is a normal operational event and does not inherently pose risks. However, threat hunters should monitor the event for any unusual or unauthorized TGT requests that may indicate potential security issues or attempts to impersonate user accounts.

Event 4769 – A Kerberos service ticket was requested.

Event 4769 indicates a request for a Kerberos service ticket.

Potential risks: Requesting a Kerberos service ticket is a normal operational event and does not inherently pose risks. However, threat hunters should monitor the event for any unusual or unauthorized service ticket requests that may indicate potential security issues or attempts to gain unauthorized access to services or resources.

Event 4770 – A Kerberos service ticket was renewed.

Event 4770 reports the renewal of a Kerberos service ticket.

Potential risks: Renewing a Kerberos service ticket is a normal operational event and does not inherently pose risks. However, threat hunters should monitor the event for any unusual or unauthorized service ticket renewals that may indicate potential security issues or attempts to prolong unauthorized access to services or resources.

Event 4771 – Kerberos pre-authentication failed.

Event 4771 signifies a failed Kerberos pre-authentication.

Potential risks: Kerberos pre-authentication failures can indicate authentication attempts using incorrect or compromised credentials. Threat hunters should investigate the event to identify the source and nature of the pre-authentication failure and assess any potential security risks or unauthorized access attempts.

Event 4772 – A Kerberos authentication ticket request failed.

Event 4772 reports a failed Kerberos authentication ticket request.

Potential risks: Failed Kerberos authentication ticket requests can indicate authentication attempts using incorrect or compromised credentials. Threat hunters should investigate the event to identify the source and nature of the authentication failure and assess any potential security risks or unauthorized access attempts.

Event 4775 – An account could not be mapped for logon.

Event 4775 signifies that an account could not be mapped for logon.

Potential risks: The inability to map an account for logon may indicate issues with account authentication or authorization. Threat hunters should investigate the event to identify the cause of the mapping failure and assess any potential security risks or unauthorized access attempts.

Event 4776 – The domain controller attempted to validate the credentials for an account.

Event 4776 indicates that the domain controller attempted to validate the credentials for an account.

Potential risks: Validating account credentials is a normal operational event and does not inherently pose risks. However, threat hunters should monitor the event for any unusual or unauthorized credential validation attempts that may indicate potential security issues or attempts to gain unauthorized access.

Event 4777 – The domain controller failed to validate the credentials for an account.

Event 4777 reports that the domain controller failed to validate the credentials for an account.

Potential risks: The failure to validate account credentials may indicate issues with authentication or attempts to use incorrect or compromised credentials. Threat hunters should investigate the event to identify the cause of the validation failure and assess any potential security risks or unauthorized access attempts.
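The failure events above (4771 Kerberos pre-authentication failed, 4776 with a non-zero status for NTLM validation) and the lockout event 4740 earlier in the article are usually read together: the shape of the failures per source tells a hunter whether they are looking at one account under a brute-force attempt or many accounts each tried once (a password spray that stays under the lockout threshold), and the lockout record names the caller computer to correlate with. The Python below is an added example, not the article's code; all records are constructed, and the thresholds are starting points to tune. Field names are the EventData names Windows writes for these events (TargetUserName, IpAddress and Status for 4771; TargetUserName, Workstation and Status for 4776; TargetUserName and CallerComputerName for 4740), and the Kerberos status codes in KRB_STATUS are the standard KDC error codes.

```python
"""Authentication-failure triage over 4771, 4776 (non-zero status) and 4740.

All records below are constructed for this example, not real logs.
"""
from collections import defaultdict

# Kerberos pre-authentication failure codes as they appear in the 4771 Status field.
KRB_STATUS = {
    "0x6": "client principal unknown (the account does not exist)",
    "0x12": "client revoked (account disabled, expired or locked out)",
    "0x18": "pre-authentication failed (wrong password)",
}

SAMPLE_EVENTS = [
    # One source trying many accounts once each: spray-shaped.
    *[{"id": 4771, "TargetUserName": u, "IpAddress": "10.0.0.50", "Status": "0x18"}
      for u in ("alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi")],
    # One source hammering a single account: brute-force-shaped.
    *[{"id": 4771, "TargetUserName": "svc-backup", "IpAddress": "10.0.0.51", "Status": "0x18"}
      for _ in range(12)],
    # A guessed username that does not exist.
    {"id": 4771, "TargetUserName": "ghost", "IpAddress": "10.0.0.50", "Status": "0x6"},
    # NTLM bad password for the same account, then the lockout itself.
    {"id": 4776, "TargetUserName": "svc-backup", "Workstation": "WS-0051", "Status": "0xc000006a"},
    {"id": 4740, "TargetUserName": "svc-backup", "CallerComputerName": "WS-0051"},
]


def explain_status(code):
    return KRB_STATUS.get(code, "other Kerberos error " + code)


def _bad_password_source(e):
    """Source host/IP if the event is a wrong-password failure, else None."""
    if e["id"] == 4771 and e.get("Status") == "0x18":
        return e["IpAddress"]
    if e["id"] == 4776 and e.get("Status", "0x0") != "0x0":
        return e["Workstation"]
    return None


def classify_sources(events, spray_min_accounts=5, brute_min_attempts=10):
    """Per source: distinct accounts, attempts, and which failure pattern the shape matches."""
    per_source = defaultdict(lambda: {"accounts": set(), "attempts": 0})
    for e in events:
        src = _bad_password_source(e)
        if src is None:
            continue
        per_source[src]["accounts"].add(e["TargetUserName"].lower())
        per_source[src]["attempts"] += 1
    result = {}
    for src, s in per_source.items():
        n_acc, n_att = len(s["accounts"]), s["attempts"]
        if n_acc >= spray_min_accounts and n_att / n_acc < 3:
            pattern = "password spray (many accounts, few attempts each)"
        elif n_acc <= 2 and n_att >= brute_min_attempts:
            pattern = "brute force (one account, many attempts)"
        else:
            pattern = "below threshold"
        result[src] = {"accounts": n_acc, "attempts": n_att, "pattern": pattern}
    return result


def unknown_account_probes(events):
    """4771 with status 0x6: logons against accounts that do not exist (guessed names)."""
    return [(e["IpAddress"], e["TargetUserName"], explain_status(e["Status"]))
            for e in events if e["id"] == 4771 and e.get("Status") == "0x6"]


def lockouts_with_context(events):
    """Each 4740 paired with every source that produced bad-password failures for that account."""
    failures = defaultdict(set)
    for e in events:
        src = _bad_password_source(e)
        if src is not None:
            failures[e["TargetUserName"].lower()].add(src)
    return [{"account": e["TargetUserName"], "caller": e["CallerComputerName"],
             "failure_sources": sorted(failures[e["TargetUserName"].lower()])}
            for e in events if e["id"] == 4740]


if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_EVENTS).items():
        print(src, info)
    print("unknown accounts:", unknown_account_probes(SAMPLE_EVENTS))
    for lo in lockouts_with_context(SAMPLE_EVENTS):
        print("lockout:", lo)
```

Note that the spray source never triggers a 4740 on the sample, which is the point of a spray: lockout alerts alone would miss it, while grouping 4771 failures by source and counting distinct accounts does not. The 0x6 probe is worth its own line because a wrong password for a real account is everyday noise, but a request for a non-existent principal means someone is guessing names.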

Event 4781 – The name of an account was changed.

Event 4781 indicates that the name of an account was changed.

Potential risks: Account name changes can impact authentication, authorization, and access controls. Threat hunters should investigate the event to ensure that the account name change is authorized and aligns with the organization’s policies. Unauthorized or improper account name changes could result in confusion, access control gaps, or attempts to cover tracks.

Event 4782 – The password hash of an account was accessed.

Event 4782 signifies that the password hash of an account was accessed.

Potential risks: Accessing the password hash of an account may indicate attempts to crack or compromise passwords. Threat hunters should investigate the event to identify the source and nature of the password hash access and assess any potential security risks or unauthorized access attempts.

Event 4783 – A basic application group was created.

Event 4783 indicates the creation of a basic application group.

Potential risks: The creation of a basic application group is a normal operational event and does not inherently pose risks. However, threat hunters should monitor the event for any unauthorized or suspicious group creations that may indicate potential security issues or attempts to establish unauthorized access.

Event 7045 – A service was installed in the system (AppSvc.exe).

From a threat hunting perspective, Event ID 7045 indicates that a service has been installed in the system, specifically mentioning the service “AppSvc.exe.”

Potential risks and considerations:

  1. Unauthorized service installation: Threat hunters should investigate whether the installation of the service was authorized. If the service installation was not expected or approved, it may indicate unauthorized access or malicious activity. Further investigation is necessary to determine the nature and intent of the installed service.
  2. Malware or malicious service: AppSvc.exe could potentially be a legitimate service, but threat hunters should verify its authenticity. Malicious actors often use names similar to legitimate services to evade detection. Scanning the AppSvc.exe file for known malware signatures or analyzing its behavior can help determine if it poses a security risk.
  3. Persistence mechanism: Services are commonly used as persistence mechanisms by attackers. By installing a service, an attacker can ensure that their malicious code or backdoor remains active even after a system reboot. Threat hunters should investigate the installed service’s behavior, configuration, and associated files to determine if it exhibits any signs of persistence or is part of a broader attack.
  4. Privilege escalation: Some services require elevated privileges to function properly. Threat hunters should verify whether the installed service runs with elevated privileges. If a service with unnecessary or excessive privileges is installed, it can provide an avenue for attackers to escalate their privileges and gain unauthorized access to the system or sensitive resources.
  5. Vulnerabilities or misconfigurations: Newly installed services may introduce vulnerabilities or misconfigurations that could be exploited by attackers. Threat hunters should assess the service’s configuration settings, dependencies, and known vulnerabilities to identify any potential security weaknesses. Regular patching and secure configuration practices can help mitigate these risks.
  6. Event correlation: Threat hunters should correlate Event ID 7045 with other relevant events to establish a complete picture of the security incident or activity. Examining related events such as service start or stop events, network communication, and changes to system settings can provide valuable context and aid in identifying any potential security threats or indicators of compromise (IOCs).

In summary, Event ID 7045 indicates the installation of a service named “AppSvc.exe.” Threat hunters should investigate the legitimacy, behavior, privileges, and potential risks associated with this service to ensure system security and detect any unauthorized or malicious activity.
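Items 2 to 4 and 6 of the checklist above can be scripted: where the service binary lives (a vendor service under Program Files reads very differently from one under a user-writable directory), whether the "binary" is really a script interpreter, what account it runs as, whether it auto-starts across reboots, and whether a 7036 start/stop event for the same service follows the install. The Python below is an added example, not the article's code; every record is constructed, including the AppSvc.exe one, and the directory and interpreter lists are assumptions to adapt. The EventData names (ServiceName, ImagePath, ServiceType, StartType, AccountName) are the ones Windows writes for 7045 in the System log.

```python
"""Triage of System-log event 7045 (service installed) against the checklist above.

All records below are constructed for this example, not real logs.
"""
import re
from datetime import datetime, timedelta

# Locations a service binary is normally installed from (assumption: adapt per estate).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# Directories an unprivileged user can write to; a service binary there is a red flag.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Interpreters and living-off-the-land binaries that should not be a service's ImagePath.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

SAMPLE_SYSTEM_LOG = [
    {"time": "2024-05-01T09:00:00", "id": 7045, "ServiceName": "AppSvc",
     "ImagePath": "C:\\Users\\Public\\AppSvc.exe", "ServiceType": "user mode service",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"time": "2024-05-01T09:00:20", "id": 7036, "ServiceName": "AppSvc", "State": "running"},
    {"time": "2024-05-01T11:00:00", "id": 7045, "ServiceName": "VendorUpdater",
     "ImagePath": "\"C:\\Program Files\\Vendor\\updater.exe\" /svc",
     "ServiceType": "user mode service", "StartType": "demand start",
     "AccountName": "NT AUTHORITY\\LocalService"},
    {"time": "2024-05-01T12:00:00", "id": 7045, "ServiceName": "helper",
     "ImagePath": "%SystemRoot%\\System32\\cmd.exe /c C:\\Windows\\Temp\\h.bat",
     "ServiceType": "user mode service", "StartType": "auto start",
     "AccountName": "LocalSystem"},
]


def _binary(image_path):
    """Executable part of an ImagePath, lower-cased, with common prefixes normalised."""
    p = (image_path.strip().lower()
         .replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows"))
    if p.startswith("\\??\\"):          # NT object-manager prefix used by some drivers
        p = p[4:]
    if p.startswith('"'):               # quoted path, arguments follow the closing quote
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    m = re.match(r".*?\.(?:exe|sys|dll)\b", p)   # unquoted path up to the extension
    return m.group(0) if m else p.split(" ")[0]


def triage_service_install(event):
    """Checklist items 2-4: binary location and type, privileges, persistence."""
    full = event["ImagePath"].lower()
    binary = _binary(event["ImagePath"])
    findings = []
    if not binary.startswith(TRUSTED_DIRS):
        findings.append("binary outside System32 / Program Files")
    if any(d in full for d in USER_WRITABLE):
        findings.append("command line references a user-writable directory")
    if binary.rsplit("\\", 1)[-1] in INTERPRETERS:
        findings.append("service launches a script interpreter rather than a dedicated binary")
    runs_as_system = event["AccountName"].lower() in ("localsystem", "nt authority\\system")
    if runs_as_system and findings:      # LocalSystem alone is normal; with the above it is not
        findings.append("runs as LocalSystem despite the above")
    if "auto" in event["StartType"].lower():
        findings.append("auto start: survives reboot (persistence)")
    return {"service": event["ServiceName"], "binary": binary,
            "score": len(findings), "findings": findings}


def related_service_events(log, install, window=timedelta(minutes=5)):
    """Checklist item 6: 7036 start/stop events for the same service shortly after install."""
    t0 = datetime.fromisoformat(install["time"])
    return [e for e in log
            if e["id"] == 7036 and e["ServiceName"] == install["ServiceName"]
            and t0 <= datetime.fromisoformat(e["time"]) <= t0 + window]


def triage_log(log):
    """Every 7045 in the log, scored, highest first."""
    out = []
    for e in log:
        if e["id"] == 7045:
            r = triage_service_install(e)
            r["started_within_window"] = bool(related_service_events(log, e))
            out.append(r)
    return sorted(out, key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in triage_log(SAMPLE_SYSTEM_LOG):
        print(r["score"], r["service"], r["binary"], r["findings"], r["started_within_window"])
```

The score is a triage order, not a verdict: the constructed AppSvc record ranks highest because the binary sits under Users\Public, runs as LocalSystem, auto-starts and was started seconds after installation, which is the combination the checklist tells a hunter to chase first; the vendor updater under Program Files scores zero and can wait for the authenticity check (signature, hash) that the text describes.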

Locally get Security event IDs details

wevtutil

Run the following command in your Windows command prompt window:

wevtutil gp Microsoft-Windows-Security-Auditing /ge /gm:true

This command is using the Windows Event Log utility, specifically the “wevtutil” command, to configure Group Policy settings for the “Microsoft-Windows-Security-Auditing” log.

Here is a step-by-step breakdown of the command and its parameters:

  1. wevtutil: This is the command-line utility for managing the Windows Event Log.
  2. gp: This parameter specifies that the operation to be performed is related to Group Policy settings.
  3. Microsoft-Windows-Security-Auditing: This is the name of the log you want to configure. In this case, it is the Security-Auditing log provided by Microsoft Windows.
  4. /ge: This parameter stands for “Get Enabled”. It retrieves the current state of the specified Group Policy setting.
  5. /gm:true: This parameter, /gm, stands for “Get Machines”. It retrieves the Group Policy setting for the local machine or the specified remote machine. In this case, the value “true” indicates that you want to retrieve the Group Policy setting for the local machine.

To summarize, the command is retrieving the current Group Policy setting for the “Microsoft-Windows-Security-Auditing” log, specifically the “Enabled” state, on the local machine.
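What that command actually prints is the Security-Auditing publisher's per-event metadata (value, version, opcode, channel, level, task, keywords) followed, because of /gm:true, by the rendered message template of each event, which is where the titles used throughout this article come from. Turning that text into a lookup table makes it easy to annotate raw event IDs in a hunt. The Python below is an added example, not the article's code; the sample text is constructed to mirror the indented events: section wevtutil prints (an assumption about layout, so check it against the real output), and redirecting the real command's output to a file and passing it to parse_wevtutil_events() gives the full table.

```python
"""Parse the output of `wevtutil gp Microsoft-Windows-Security-Auditing /ge /gm:true`
into an event-ID -> metadata lookup.

SAMPLE_OUTPUT is constructed for this example to mirror wevtutil's indented layout:
two-space 'event:' headers, four-space 'key: value' fields, and the rendered message
continuing on unindented lines until the next event.
"""
import re

SAMPLE_OUTPUT = """\
name: Microsoft-Windows-Security-Auditing
events:
  event:
    value: 4728
    version: 0
    opcode: 0
    channel: 10
    level: 0
    task: 13826
    keywords: 0x8020000000000000
    message: A member was added to a security-enabled global group.

Subject:
\tSecurity ID:\t\t%4
\tAccount Name:\t\t%5
  event:
    value: 4740
    version: 0
    opcode: 0
    channel: 10
    level: 0
    task: 13824
    keywords: 0x8020000000000000
    message: A user account was locked out.
"""

EVENT_START = re.compile(r"^  event:\s*$")
FIELD = re.compile(r"^    (\w+): ?(.*)$")
KNOWN_FIELDS = {"value", "version", "opcode", "channel", "level", "task", "keywords", "message"}


def parse_wevtutil_events(text):
    """Return {event_id: {field: value, ..., 'message': full rendered template}}."""
    events, cur, in_message = {}, None, False

    def flush():
        if cur is not None and "value" in cur:
            cur["message"] = cur["message"].rstrip()
            events[int(cur["value"])] = cur

    for line in text.splitlines():
        if EVENT_START.match(line):
            flush()
            cur, in_message = {"message": ""}, False
            continue
        if cur is None:                 # provider header lines before the events: section
            continue
        m = FIELD.match(line)
        if m and m.group(1) in KNOWN_FIELDS:
            key, val = m.groups()
            cur[key] = val
            in_message = key == "message"
        elif in_message:                # multi-line template: Subject:, Security ID: ...
            cur["message"] += "\n" + line
    flush()
    return events


def summary(events):
    """Event ID -> first line of the message, the human-readable title."""
    return {eid: (ev["message"].splitlines() or [""])[0] for eid, ev in events.items()}


def describe(events, ids):
    """Titles for the IDs a hunt cares about; IDs from other providers are reported as such
    (7045, for instance, belongs to Service Control Manager, not Security-Auditing)."""
    s = summary(events)
    return {i: s.get(i, "not defined by this provider") for i in ids}


if __name__ == "__main__":
    table = parse_wevtutil_events(SAMPLE_OUTPUT)
    for eid, title in describe(table, [4728, 4740, 7045]).items():
        print(eid, "->", title)
```

Keeping the full template (not just the title) is deliberate: the %n placeholders show which positional fields an event carries, which is what you need when mapping a raw record's EventData to the Subject, Member and Group blocks you see in Event Viewer.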



Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
