EventLogs
Tony Phipps edited this page Dec 1, 2022 · 7 revisions
Check out Notable Event IDs
Credential Access
Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ, or that include additional flags such as changing a password without knowledge of the old password. Use of credentials may also occur at unusual times or to unusual systems or services and may correlate with other suspicious activity.
SELECT Message
WHERE EventID = 4738
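The triage rules above (subject differs from target, a password change, an unusual hour) applied to Event ID 4738 records, as an added example that is not part of this wiki or THRecon: the records are constructed dicts shaped like Get-WinEvent output, the message layout is the tab-indented Section/Key/Value form of a 4738 record, and the business-hours range is an assumption.

```python
"""Triage account-change events (Event ID 4738) the way the guidance above describes.
Added example, not THRecon code: events are constructed dicts shaped like
Get-WinEvent output (EventID, TimeCreated, Message); the hour range is an assumption."""
from datetime import datetime

BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 counts as "usual" in this environment

# Constructed records; the Message text follows the Section:/<tab>Key:<tab>Value layout of 4738.
SAMPLE_EVENTS = [
    {"EventID": 4738, "TimeCreated": "2022-11-30T14:05:00", "Message":
     "A user account was changed.\nSubject:\n\tAccount Name:\talice\n"
     "Target Account:\n\tAccount Name:\talice\nChanged Attributes:\n\tDisplay Name:\tAlice A\n\tPassword Last Set:\t-"},
    {"EventID": 4738, "TimeCreated": "2022-11-30T03:12:00", "Message":
     "A user account was changed.\nSubject:\n\tAccount Name:\tsvc-backup\n"
     "Target Account:\n\tAccount Name:\tadmin-jsmith\nChanged Attributes:\n\tPassword Last Set:\t11/30/2022 3:12:00 AM"},
    {"EventID": 4720, "TimeCreated": "2022-11-30T15:00:00", "Message":
     "A user account was created.\nSubject:\n\tAccount Name:\thelpdesk\nNew Account:\n\tAccount Name:\tbob"},
]

def parse_message(message):
    """Turn the tab-indented message body into {section: {key: value}}."""
    sections, current = {}, None
    for line in message.splitlines():
        if line.startswith("\t") and current is not None:
            key, _, value = line.strip().partition(":\t")
            sections[current][key] = value.strip()
        elif line.endswith(":"):            # a new section header such as "Subject:"
            current = line[:-1]
            sections[current] = {}
    return sections

def triage_4738(event):
    """Return the reasons a single 4738 record deserves a closer look (empty list = benign)."""
    s = parse_message(event["Message"])
    subject = s.get("Subject", {}).get("Account Name", "")
    target = s.get("Target Account", {}).get("Account Name", "")
    reasons = []
    if subject.lower() != target.lower():                      # someone changed another account
        reasons.append(f"subject {subject} modified target {target}")
    if s.get("Changed Attributes", {}).get("Password Last Set", "-") != "-":
        reasons.append("Password Last Set changed (password was changed or reset)")
    hour = datetime.fromisoformat(event["TimeCreated"]).hour
    if hour not in BUSINESS_HOURS:                             # unusual time
        reasons.append(f"changed at {hour:02d}:00, outside usual hours")
    return reasons

def suspicious_account_changes(events):
    """SELECT Message WHERE EventID = 4738, then keep only records that raised a reason."""
    return [(parse_message(e["Message"])["Target Account"]["Account Name"], triage_4738(e))
            for e in events if e["EventID"] == 4738 and triage_4738(e)]
```

A real pipeline would feed the same functions from `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4738}` exported to JSON, and correlate each hit with surrounding logon and credential-use events before escalating.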
Persistence
Generated when a user account is created on a Windows system and domain controller. Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.
SELECT Message
WHERE EventID = 4720