Windows Event ID Matrix

Press ESC to clear
Showing 134 of 134 cataloged security events// Keyboard-first instant filtering enabled (`keyup` / `input`)
ADVERTISEMENT / SPONSORED RESERVATION (728x90)
Event IDEvent Definition & Root Cause Analysis (Primary Hierarchy)Category & Applicability (Secondary Hierarchy)Inspect Details
307
Windows Defender Application Control (`WDAC` / Code Integrity) blocked or audited an unsigned/unapproved driver or DLL.
// Failure Reason / Root Cause:Driver/DLL failed digital signature or WDAC policy check (`FileName` & `SHA256 Hash`).
Category:Code Integrity
Audit Type:Failure Audit
Severity:Critical
OS:Windows Server / Client
400
The PowerShell host engine (`powershell.exe` or runspace host) initialized and started execution.
// Failure Reason / Root Cause:PowerShell runspace engine initialization (`HostApplication` command line shown).
Category:PowerShell
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
800
A PowerShell command pipeline began execution (`Windows PowerShell` log).
// Failure Reason / Root Cause:Pipeline execution initiated (`HostApplication` & command summary captured).
Category:PowerShell
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
1006
Windows Defender Antivirus real-time protection detected malware, trojans, or exploit artifacts on the endpoint.
// Failure Reason / Root Cause:Malware signature or behavioral detection triggered by Windows Defender real-time scanner.
Category:Windows Defender
Audit Type:Failure Audit
Severity:High
OS:Windows Server / Client
1100
The event logging service has shut down normally or unexpectedly.
// Failure Reason / Root Cause:System shutdown, scheduled reboot, or malicious tampering attempting to terminate logging pipelines prior to lateral movement.
Category:Event Log
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
1101
Audit events have been dropped by the real-time event log backup or transport pipeline.
// Failure Reason / Root Cause:Log storage disk saturation, extreme event flooding by an adversary or malfunctioning service, or slow SIEM agent ingestion.
Category:Event Log
Audit Type:Success Audit
Severity:Critical
OS:Windows Server / Client
1102
The audit log was cleared. Indicates that the Windows Security Event Log was wiped clean.
// Failure Reason / Root Cause:Legitimate IT maintenance during re-baselining, or malicious anti-forensics defense evasion by an adversary covering tracks.
Category:Event Log
Audit Type:Success Audit
Severity:Critical
OS:Windows Server / Client
1104
The security log is now full. When the security log reaches maximum capacity and is configured to 'Do not overwrite events', no new security events can be recorded.
// Failure Reason / Root Cause:Improper event log retention policy configuration, log storage capacity limits reached, or intentional log flooding by an adversary.
Category:Event Log
Audit Type:Success Audit
Severity:Critical
OS:Windows Server / Client
1105
The security event log was automatically archived and cleared based on retention policy.
// Failure Reason / Root Cause:Standard automated log rotation and archiving behavior configured via Group Policy.
Category:Event Log
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
1108
The event logging service encountered a critical error processing telemetry.
// Failure Reason / Root Cause:Corrupt event manifest registration, disk I/O errors, or malformed third-party provider events.
Category:Event Log
Audit Type:Failure Audit
Severity:Medium
OS:Windows Server / Client
1116
Windows Defender detected malware and started automatic remediation (`Quarantine` / `Remove`).
// Failure Reason / Root Cause:Antivirus detection remediation process initiated against `Threat Name`.
Category:Windows Defender
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
1117
Windows Defender successfully quarantined, cleaned, or deleted detected malware.
// Failure Reason / Root Cause:Successful execution of antivirus remediation action on detected threat.
Category:Windows Defender
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4103
PowerShell Module Logging recorded command invocation and parameter binding within a pipeline.
// Failure Reason / Root Cause:PowerShell pipeline execution inside an audited module (`ScriptBlock ID` & `CommandInvocation`).
Category:PowerShell
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4104
PowerShell Script Block Logging recorded the complete, un-obfuscated code block of an executing script.
// Failure Reason / Root Cause:Execution of PowerShell script block (`ScriptBlock ID` & `ScriptBlockText` captured).
Category:PowerShell
Audit Type:Success Audit
Severity:Critical
OS:Windows Server / Client
4608
Windows is starting up. Indicates initialization of the Local Security Authority (LSASS).
// Failure Reason / Root Cause:Normal operating system startup, hardware power cycle, or reboot after updates or unauthorized modifications.
Category:System
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
4609
Windows is shutting down. Documents termination of the Local Security Authority LSASS.
// Failure Reason / Root Cause:Admin-initiated reboot, automated patch management reboot, or attacker-initiated system restart.
Category:System
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
4610
An authentication DLL/package was loaded into the LSA space during boot or runtime.
// Failure Reason / Root Cause:Custom authentication package registration or security provider injection (`SSP/AP`).
Category:System
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4611
A process registered with LSA as a trusted logon process (`SeTcbPrivilege`).
// Failure Reason / Root Cause:Trusted logon process registration with the LSA (`SeTcbPrivilege` exercised).
Category:System
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4614
A password filter DLL (`Notification Package`) was loaded by the SAM.
// Failure Reason / Root Cause:Password filter notification DLL loaded by LSA/SAM during service startup.
Category:System
Audit Type:Success Audit
Severity:Critical
OS:Windows Server / Client
4616
The system time was changed manually or via NTP synchronization.
// Failure Reason / Root Cause:Normal NTP time synchronization (`w32time`), CMOS battery failure, or malicious clock tampering to confuse forensic timeline analysis.
Category:System
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4621
An administrator recovered the system from the CrashOnAuditFail state.
// Failure Reason / Root Cause:Recovery procedure after strict high-security audit capacity limits caused an intentional kernel panic.
Category:System
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4622
A security package (SSP/AP) was loaded by LSASS.
// Failure Reason / Root Cause:Normal operating system boot loading core providers, or attacker credential dumping via malicious SSP injection.
Category:System
Audit Type:Success Audit
Severity:Critical
OS:Windows Server / Client
4624
An account was successfully logged on. Indicates a successful authentication and session creation on the target machine.
// Failure Reason / Root Cause:Normal user or service logon activity, scheduled task execution, system startup, or remote desktop (RDP) session initiation.
Category:Logon/Logoff
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
4625
An account failed to log on. Documents unsuccessful authentication attempts along with the failure reason code (e.g., 0xC000006D / 0xC000006A for incorrect password).
// Failure Reason / Root Cause:Expired or invalid credentials, brute-force or password spraying attacks, or misconfigured automated service accounts.
Category:Logon/Logoff
Audit Type:Failure Audit
Severity:High
OS:Windows Server / Client
4634
An account was logged off. Indicates that an existing authentication session was terminated or destroyed.
// Failure Reason / Root Cause:User explicit logoff, RDP disconnection, automated service completion, or system shutdown.
Category:Logon/Logoff
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
4635
A user session encountered an error or access denied condition when attempting to terminate.
// Failure Reason / Root Cause:Authentication package teardown error or handle retention failure during logoff.
Category:Logon/Logoff
Audit Type:Failure Audit
Severity:Low
OS:Windows Server / Client
4647
A user explicitly initiated a logoff sequence from the console or remote desktop.
// Failure Reason / Root Cause:User console logout or interactive RDP logoff action.
Category:Logon/Logoff
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
4648
A logon was attempted using explicit credentials (e.g., RunAs command or network authentication with alternate account).
// Failure Reason / Root Cause:IT administrative `RunAs` actions, scheduled tasks with stored passwords, or attacker lateral movement using stolen credentials.
Category:Logon/Logoff
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4649
Kerberos or NTLM authentication detected a replayed authenticator or ticket.
// Failure Reason / Root Cause:Duplicate Kerberos ticket/authenticator detected by domain controller replay cache.
Category:Logon/Logoff
Audit Type:Success Audit
Severity:Critical
OS:Windows Server / Client
4656
A process requested access rights to a file, registry key, kernel object, or service.
// Failure Reason / Root Cause:File server access, registry modification attempts, or attacker attempting to open handles to critical system files (`SAM`, `SYSTEM` hives).
Category:Object Access
Audit Type:Success / Failure Audit
Severity:Medium
OS:Windows Server / Client
4657
A registry key value was created, altered, or deleted within an audited registry path.
// Failure Reason / Root Cause:Registry modification on an audited key (e.g., Run keys, LSA configurations, Service keys).
Category:Object Access
Audit Type:Success / Failure Audit
Severity:High
OS:Windows Server / Client
4658
An open handle to a file, registry key, kernel object, or process was released.
// Failure Reason / Root Cause:Object handle closure following read, write, or access completion.
Category:Object Access
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
4660
An object (file, registry key) was deleted from the filesystem or registry.
// Failure Reason / Root Cause:File deletion, temporary installer cleanup, or ransomware/attacker deleting logs and shadow copies.
Category:Object Access
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4662
Access or replication operation performed against an Active Directory directory object (`DS-Replication-Get-Changes`).
// Failure Reason / Root Cause:Normal domain controller replication between authorized DCs, or **DCSync** attack executed by a compromised user/computer identity (`mimikatz lsadump::dcsync`).
Category:Directory Service Access
Audit Type:Success / Failure Audit
Severity:Critical
OS:Windows Server / Client
4663
Specific access (Read, Write, Delete) was performed on a file, registry key, or pipe.
// Failure Reason / Root Cause:User opening/editing files on network shares, or unauthorized exfiltration/encryption of sensitive financial folders.
Category:Object Access
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4664
A process attempted to create an NTFS hard link between two file paths.
// Failure Reason / Root Cause:NTFS hard link creation attempt (`LinkName` pointing to `ObjectName`).
Category:Object Access
Audit Type:Success / Failure Audit
Severity:Medium
OS:Windows Server / Client
4670
SACLs or DACLs on a file, registry key, or system object were modified.
// Failure Reason / Root Cause:IT permission adjustments, or attacker weakening DACLs on `C:\Windows\System32\` files to replace system executables.
Category:Object Access
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4672
Special privileges assigned to new logon. Indicates that an account logged on with administrative or high-level system privileges.
// Failure Reason / Root Cause:Administrator interactive/network logon, service execution with `LocalSystem` or `NetworkService` rights, or attacker credential exploitation.
Category:Privilege Use
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4673
A process requested and exercised a sensitive privilege (e.g., `SeBackupPrivilege`, `SeTcbPrivilege`).
// Failure Reason / Root Cause:Sensitive token privilege exercised during API call (`PrivilegeList`).
Category:Privilege Use
Audit Type:Success / Failure Audit
Severity:High
OS:Windows Server / Client
4674
An operation requiring sensitive privileges was attempted on a secured kernel object.
// Failure Reason / Root Cause:Privileged operation attempted on secured system or process object.
Category:Privilege Use
Audit Type:Success / Failure Audit
Severity:High
OS:Windows Server / Client
4688
A new process has been created on the system. Tracks process execution, creator process ID (parent process), and full command-line arguments when enabled.
// Failure Reason / Root Cause:Standard operating system process launches, application execution, script execution (`powershell.exe`, `cmd.exe`), or malicious payload detonation.
Category:Process Tracking
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
4689
A process terminated normally or was killed.
// Failure Reason / Root Cause:Application closure, script termination, or process kill commands (`taskkill.exe`).
Category:Process Tracking
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
4692
DPAPI backup master key recovery attempted.
// Failure Reason / Root Cause:DPAPI key extraction.
Category:Data Protection (DPAPI)
Audit Type:Success / Failure Audit
Severity:Info
OS:Windows Server / Client
4693
An attempt was made to recover a DPAPI backup protection master key.
// Failure Reason / Root Cause:DPAPI backup master key retrieval request executed against Domain Controller.
Category:Credential Management
Audit Type:Success / Failure Audit
Severity:Critical
OS:Windows Server / Client
4697
A service was installed in the system. Logs the service name, service file name (binary path), and service start type.
// Failure Reason / Root Cause:Standard software installation, IT remote administration tools (e.g., PsExec), or attacker persistence and lateral movement service creation.
Category:System
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4698
A scheduled task was created on the system. Contains the full XML task definition including actions, triggers, and execution account.
// Failure Reason / Root Cause:System software updates, automated backup tasks, or attacker persistence mechanism establishing scheduled code execution.
Category:Object Access / Task Scheduler
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4699
An existing scheduled task was deleted from Task Scheduler.
// Failure Reason / Root Cause:Task expiration, uninstaller cleanup, or attacker covering tracks.
Category:Object Access / Task Scheduler
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4700
A disabled scheduled task was enabled (`schtasks /change /enable`).
// Failure Reason / Root Cause:Task activation.
Category:Object Access / Task Scheduler
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4701
A scheduled task was disabled (`schtasks /change /disable`).
// Failure Reason / Root Cause:Task deactivation or attacker disabling security scanning cron jobs.
Category:Object Access / Task Scheduler
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4702
An existing scheduled task definition was modified (`schtasks /change`).
// Failure Reason / Root Cause:Software update modifying task schedules, or attacker hijacking trusted scheduled tasks (`task hijacking`).
Category:Object Access / Task Scheduler
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4703
Privileges were enabled or disabled inside an existing access token.
// Failure Reason / Root Cause:Token privilege modification (`AdjustTokenPrivileges` called by `ProcessName`).
Category:Privilege Use
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4704
A user right was assigned to an account or group via Local Security Policy or Group Policy.
// Failure Reason / Root Cause:Group Policy rollout, database/service account configuration, or malicious local policy tampering for privilege escalation.
Category:Policy Change
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4705
A user right was revoked or removed from an account or group.
// Failure Reason / Root Cause:Security policy re-hardening or compliance audit cleanup.
Category:Policy Change
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
4713
Domain Kerberos ticket lifetime, renewal, or clock skew settings were altered.
// Failure Reason / Root Cause:Modification of domain Kerberos policy values via domain security policy.
Category:Policy Change
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4716
Active Directory trust properties, SID filtering, or direction settings were updated.
// Failure Reason / Root Cause:Modification of domain trust object (`TrustedDomainName` properties updated).
Category:Policy Change
Audit Type:Success Audit
Severity:Critical
OS:Windows Server / Client
4717
An account was granted a User Right Assignment (`Logon right` or `Privilege`) across local or domain policy.
// Failure Reason / Root Cause:User right assignment granted (`Access Right` granted to `TargetSid`).
Category:Policy Change
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4718
An account had a User Right Assignment (`Logon right` or `Privilege`) revoked.
// Failure Reason / Root Cause:User right assignment revoked from `TargetSid`.
Category:Policy Change
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4719
System audit policy was changed on the machine. Documents enabling or disabling of specific audit categories.
// Failure Reason / Root Cause:Group Policy audit policy updates, administrative re-configuration, or attacker defense evasion turning off auditing.
Category:Policy Change
Audit Type:Success Audit
Severity:Critical
OS:Windows Server / Client
4720
A user account was created in Active Directory or the local Security Accounts Manager (SAM).
// Failure Reason / Root Cause:Routine administrative onboarding, automated provisioning scripts, or unauthorized persistence establishment by a malicious actor creating a backdoor account.
Category:Account Management
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4722
A previously disabled user account was enabled in Active Directory or local SAM.
// Failure Reason / Root Cause:HR employee re-activation, IT troubleshooting, or attacker activating dormant/backdoor accounts.
Category:Account Management
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4723
A user attempted to change their own password.
// Failure Reason / Root Cause:Routine password rotation by user.
Category:Account Management
Audit Type:Success / Failure Audit
Severity:Info
OS:Windows Server / Client
4724
An administrator attempted to reset the password for another user account.
// Failure Reason / Root Cause:Helpdesk password reset request, or unauthorized administrative takeover of accounts via forced password reset.
Category:Account Management
Audit Type:Success / Failure Audit
Severity:High
OS:Windows Server / Client
4725
A user account was disabled in Active Directory or local SAM.
// Failure Reason / Root Cause:HR termination offboarding, compliance lockout, or administrative cleanup.
Category:Account Management
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
4726
A user account was permanently deleted from Active Directory or local SAM.
// Failure Reason / Root Cause:Routine directory cleanup, or malicious account destruction and anti-forensics.
Category:Account Management
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4728
A member was added to a security-enabled global group in Active Directory (e.g., Domain Admins, Enterprise Admins).
// Failure Reason / Root Cause:Authorized IT administrative role assignment, privileged access management workflows, or attacker privilege escalation.
Category:Account Management
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4729
A member was removed from an Active Directory global security group.
// Failure Reason / Root Cause:Role revocation, offboarding, or administrative cleanup.
Category:Account Management
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4730
A user or computer account was removed from an AD Global Security Group (`Domain Admins`, etc.).
// Failure Reason / Root Cause:Removal of `MemberName` from global group `TargetUserName` by `SubjectUserName`.
Category:Account Management
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4731
A new local security group or AD Domain Local group was created.
// Failure Reason / Root Cause:Creation of new security local group (`TargetUserName`).
Category:Account Management
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4732
A member was added to a security-enabled local group (e.g., local Administrators, Remote Desktop Users).
// Failure Reason / Root Cause:Endpoint administrative support actions, domain group policy deployment, or malicious local privilege elevation.
Category:Account Management
Audit Type:Success Audit
Severity:Critical
OS:Windows Server / Client
4733
A member was removed from a local security group (e.g., local Administrators).
// Failure Reason / Root Cause:Administrative access revocation or Group Policy enforcement removing unauthorized local administrators.
Category:Account Management
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4734
An existing local security group or AD Domain Local group was deleted.
// Failure Reason / Root Cause:Deletion of security local group (`TargetUserName`) by `SubjectUserName`.
Category:Account Management
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4735
Properties of a local security group or AD Domain Local group (`SAM Account Name`, `Description`, `Group Type`) were altered.
// Failure Reason / Root Cause:Modification of local/domain local group attributes (`TargetUserName`).
Category:Account Management
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4737
Properties of an AD Global Security Group (`Domain Admins`, etc.) were modified.
// Failure Reason / Root Cause:Modification of AD global security group properties (`TargetUserName`).
Category:Account Management
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4738
User account attributes (`UserAccountControl`, SPN, logon hours, profile paths) were modified.
// Failure Reason / Root Cause:Helpdesk profile updates, or attacker setting `DONT_EXPIRE_PASSWORD` / adding SPNs to backdoor accounts.
Category:Account Management
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4739
Domain password policy, account lockout thresholds, or Kerberos settings were modified.
// Failure Reason / Root Cause:Modification of domain account/lockout security policy (`Domain Policy`).
Category:Policy Change
Audit Type:Success Audit
Severity:Critical
OS:Windows Server / Client
4740
A user account was locked out after exceeding the configured threshold of consecutive failed logon attempts.
// Failure Reason / Root Cause:Repeated authentication failures from cached old passwords on mobile/remote devices, aggressive brute-force attacks, or credential stuffing.
Category:Account Management
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4754
A new AD Universal Security Group was created across the forest.
// Failure Reason / Root Cause:Creation of universal security group (`TargetUserName`) by `SubjectUserName`.
Category:Account Management
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4755
Properties of an AD Universal Security Group (`GroupType`, `SAM Account Name`) were altered.
// Failure Reason / Root Cause:Modification of AD universal security group attributes (`TargetUserName`).
Category:Account Management
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4756
A member was added to a security-enabled universal group within Active Directory.
// Failure Reason / Root Cause:Cross-domain forest administration, enterprise restructuring, or attacker forest-wide lateral movement preparation.
Category:Account Management
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4757
A user, group, or computer was removed from an AD Universal Security Group (`Enterprise Admins`, etc.).
// Failure Reason / Root Cause:Removal of `MemberName` from universal group `TargetUserName` by `SubjectUserName`.
Category:Account Management
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4758
An existing AD Universal Security Group was deleted.
// Failure Reason / Root Cause:Deletion of universal security group (`TargetUserName`) by `SubjectUserName`.
Category:Account Management
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4764
The scope or classification (`GroupType`) of an AD group was converted (e.g., Security to Distribution, Global to Universal).
// Failure Reason / Root Cause:Conversion of AD group type (`GroupType` changed on `TargetUserName`).
Category:Account Management
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4767
A previously locked-out user account was unlocked by an administrator or self-service portal.
// Failure Reason / Root Cause:Helpdesk unlocking account following false-positive lockout or user verification.
Category:Account Management
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4768
A Kerberos Ticket Granting Ticket (TGT) was requested from the Domain Controller KDC.
// Failure Reason / Root Cause:Initial user domain login, or Kerberos password spraying (`Result Code: 0x18`).
Category:Kerberos
Audit Type:Success / Failure Audit
Severity:Medium
OS:Windows Server / Client
4769
A Kerberos service ticket (TGS) was requested from the Domain Controller Key Distribution Center (KDC).
// Failure Reason / Root Cause:Normal domain resource authentication, or Kerberoasting attacks targeting Service Principal Names (SPNs) for offline password cracking.
Category:Kerberos
Audit Type:Success / Failure Audit
Severity:High
OS:Windows Server / Client
4770
A Kerberos service ticket (TGS) was renewed by the KDC prior to expiration.
// Failure Reason / Root Cause:Standard Kerberos ticket lifecycle renewal for long-running sessions.
Category:Kerberos
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
4771
Kerberos pre-authentication verification failed (`bad password or AS-REP Roasting attempt`).
// Failure Reason / Root Cause:User mistyping domain password, brute-force attacks, or AS-REP Roasting attempts against vulnerable accounts.
Category:Kerberos
Audit Type:Failure Audit
Severity:High
OS:Windows Server / Client
4776
The computer attempted to validate credentials using NTLM authentication package via domain or local accounts.
// Failure Reason / Root Cause:Legacy application authentication, SMB/file share access over NTLM, or active NTLM credential stuffing / Pass-the-Hash attacks.
Category:Logon/Logoff
Audit Type:Success / Failure Audit
Severity:Medium
OS:Windows Server / Client
4778
An existing Remote Desktop (RDP) or Fast User Switching session was reconnected.
// Failure Reason / Root Cause:User resuming an RDP session after network drop or lock screen, or attacker reconnecting to a hijacked RDP session.
Category:Logon/Logoff
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4779
An existing Remote Desktop (RDP) or terminal session was disconnected without logging off.
// Failure Reason / Root Cause:User closing RDP window without explicit logoff or network interruption.
Category:Logon/Logoff
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
4781
A user account or computer account (`sAMAccountName`) was renamed.
// Failure Reason / Root Cause:Account rename operation (`OldTargetUserName` renamed to `NewTargetUserName`).
Category:Account Management
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4798
A process enumerated the local security groups to which a specific user belongs.
// Failure Reason / Root Cause:Local user group membership enumeration API call executed by `ProcessName`.
Category:Account Management
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4799
A process enumerated the members of a local security group (`Administrators`, `Remote Desktop Users`, etc.).
// Failure Reason / Root Cause:Local group membership listing API call executed against `TargetUserName` (e.g., `Administrators`).
Category:Account Management
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4800
The workstation screen was locked (`Win+L` or timeout).
// Failure Reason / Root Cause:User pressing `Win+L`, screensaver timeout, or automated security inactivity enforcement.
Category:Logon/Logoff
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
4801
The workstation screen was unlocked following successful authentication.
// Failure Reason / Root Cause:User unlocking screen after entering password/PIN/smartcard.
Category:Logon/Logoff
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
4802
The screensaver was activated on the workstation.
// Failure Reason / Root Cause:Screensaver activation policy.
Category:Logon/Logoff
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
4803
The screensaver was dismissed by user mouse movement or keyboard input.
// Failure Reason / Root Cause:User resuming activity.
Category:Logon/Logoff
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
4817
A System Access Control List (SACL) on an object (`File`, `Registry`, `Service`) was modified.
// Failure Reason / Root Cause:Modification of SACL security descriptor on `ObjectName`.
Category:Policy Change
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4886
A user, computer, or process submitted a certificate enrollment request to AD CS (`PKI`).
// Failure Reason / Root Cause:Certificate enrollment request (`Request ID`) submitted to AD CS Certificate Authority.
Category:Active Directory
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4887
AD CS approved and issued an X.509 certificate based on a submitted template request.
// Failure Reason / Root Cause:X.509 certificate issued (`Request ID`) by Certificate Authority service.
Category:Active Directory
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4888
AD CS rejected a certificate enrollment request due to policy or template restriction.
// Failure Reason / Root Cause:Certificate enrollment request denied by CA policy or permission check (`Disposition message`).
Category:Active Directory
Audit Type:Failure Audit
Severity:Medium
OS:Windows Server / Client
4898
AD CS loaded an updated or newly created certificate template into the CA.
// Failure Reason / Root Cause:Certificate template loaded into AD CS memory/configuration during CA operation.
Category:Active Directory
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4902
A per-user audit policy (`AuditPol /set /user:...`) was established or initialized.
// Failure Reason / Root Cause:Initialization of per-user audit policy (`AuditPol` per-user table created).
Category:Policy Change
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4907
A System Access Control List (SACL) security descriptor on an audited object was updated.
// Failure Reason / Root Cause:SACL security descriptor modification (`Security Descriptor` updated on `ObjectName`).
Category:Policy Change
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4912
A per-user audit policy setting was altered (`AuditPol /set /user:...`).
// Failure Reason / Root Cause:Modification of per-user audit policy (`TargetSid` policy altered by `SubjectSid`).
Category:Policy Change
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4944
A new local or Group Policy firewall rule was added to the Windows Filtering Platform (`WFP`).
// Failure Reason / Root Cause:Windows Firewall rule creation (`RuleName` added allowing/blocking traffic).
Category:Windows Firewall
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4946
A rule was added to the Windows Firewall exception list allowing specific applications or ports.
// Failure Reason / Root Cause:Firewall exception rule added (`Application Path` / `Port` allowed through firewall).
Category:Windows Firewall
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
4948
An existing firewall rule or exception was removed from the Windows Firewall configuration.
// Failure Reason / Root Cause:Deletion of Windows Firewall rule (`RuleName` removed by `SubjectUserName`).
Category:Windows Firewall
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
4950
Global Windows Firewall profile behavior (`Domain`, `Private`, `Public` profiles enabled/disabled) was altered.
// Failure Reason / Root Cause:Windows Firewall profile configuration changed (`EnableFirewall` toggled).
Category:Windows Firewall
Audit Type:Success Audit
Severity:Critical
OS:Windows Server / Client
4964
Special groups (`Auditpol Special Groups`) were assigned to an authenticating session.
// Failure Reason / Root Cause:High-value identity authentication tracked via Special Groups monitoring.
Category:Logon/Logoff
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
5001
Real-time virus and threat protection scanning was turned off (`DisableRealtimeMonitoring`).
// Failure Reason / Root Cause:Disabling of Defender real-time protection engine (`DisableRealtimeMonitoring`).
Category:Windows Defender
Audit Type:Failure Audit
Severity:Critical
OS:Windows Server / Client
5004
Configuration parameters for real-time threat scanning were altered.
// Failure Reason / Root Cause:Modification of real-time protection configuration parameters (`New Value` shown).
Category:Windows Defender
Audit Type:Failure Audit
Severity:High
OS:Windows Server / Client
5007
General Windows Defender settings, exclusion paths, or scanning schedules were modified.
// Failure Reason / Root Cause:Modification of Windows Defender preferences (e.g., path/process exclusion added).
Category:Windows Defender
Audit Type:Failure Audit
Severity:Critical
OS:Windows Server / Client
5136
An Active Directory object attribute (`LDAP Display Name`, `Value`) was modified.
// Failure Reason / Root Cause:Administrative AD management, or attacker injecting `sIDHistory` / configuring RBCD (`Resource-Based Constrained Delegation`) for domain privilege escalation.
Category:Directory Service Access
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
5137
A new directory object (OU, container, GPO, custom object) was created in Active Directory.
// Failure Reason / Root Cause:Domain structure provisioning or rogue GPO container creation.
Category:Directory Service Access
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
5138
An Active Directory object previously marked as deleted (`isDeleted=TRUE`) was restored from the AD Recycle Bin.
// Failure Reason / Root Cause:Undelete API operation performed on AD object (`ObjectDN`).
Category:Directory Service Access
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
5140
A user connected to an SMB network share (`\\Server\Share`).
// Failure Reason / Root Cause:Normal file server drive mapping, or lateral movement accessing administrative SMB shares (`ADMIN$`, `IPC$`).
Category:Object Access
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
5141
An Active Directory object was deleted from the domain directory tree.
// Failure Reason / Root Cause:Directory maintenance or cleanup of staged AD persistence containers.
Category:Directory Service Access
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
5142
A new SMB network share (`net share`) was created on the server.
// Failure Reason / Root Cause:Server administration setting up file shares, or attacker creating unauthorized exfiltration shares (`net share staging$=C:\...`).
Category:Object Access
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
5143
A network share (`SMB/CIFS Share`) had its permissions, path, or configuration modified.
// Failure Reason / Root Cause:SMB network share modification (`ShareName` settings updated by `SubjectUserName`).
Category:Object Access
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
5144
An existing network share (`net share /delete`) was removed.
// Failure Reason / Root Cause:Share decommissioning or temporary exfiltration share cleanup.
Category:Object Access
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
5145
Detailed file access check over SMB (`Relative Target Name` filename accessed on share).
// Failure Reason / Root Cause:Remote file reads over SMB, or named pipe access (`svcctl`, `samr`, `lsarpc`, `srvsvc`) during lateral movement reconnaissance.
Category:Object Access
Audit Type:Success / Failure Audit
Severity:High
OS:Windows Server / Client
5148
The Windows Filtering Platform (`WFP`) detected and dropped network packets exceeding Denial of Service thresholds.
// Failure Reason / Root Cause:High-volume network flood or malformed traffic triggering WFP DoS defense thresholds.
Category:Windows Firewall
Audit Type:Failure Audit
Severity:High
OS:Windows Server / Client
5156
A network connection (`TCP/UDP`) was permitted by Windows Filtering Platform rules (`Application Name`, `Source/Dest IP & Port`).
// Failure Reason / Root Cause:Network connection permitted by WFP filter rule (`Application Name` connecting to `Destination Address`).
Category:Windows Firewall
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
5157
A network connection attempt was blocked by Windows Filtering Platform or host firewall rules.
// Failure Reason / Root Cause:Network connection attempt dropped by WFP filter rule (`Filter Run-Time ID`).
Category:Windows Firewall
Audit Type:Failure Audit
Severity:High
OS:Windows Server / Client
5158
A process (`Application Name`) successfully bound and opened a local listening port (`TCP/UDP`).
// Failure Reason / Root Cause:Local port bind operation permitted (`Application Name` binding to `Source Port`).
Category:Windows Firewall
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
5378
Credential delegation (`CredSSP` / `WinRM` / `RDP`) blocked by restricted delegation policies (`Remote Credential Guard`).
// Failure Reason / Root Cause:Security policy preventing credential exposure on untrusted jump boxes.
Category:Credential Management
Audit Type:Failure Audit
Severity:Medium
OS:Windows Server / Client
5857
A Windows Management Instrumentation (`WMI`) provider DLL started execution inside `wmiprvse.exe`.
// Failure Reason / Root Cause:Initialization of WMI provider (`ProviderName`) within `wmiprvse.exe` host process.
Category:WMI Activity
Audit Type:Success Audit
Severity:Medium
OS:Windows Server / Client
5861
A WMI Event Consumer (`__EventConsumer`) was registered in the WMI repository for event-triggered execution.
// Failure Reason / Root Cause:Permanent WMI event consumer registration (`Consumer:` name and `PossibleCause:` string shown).
Category:WMI Activity
Audit Type:Success Audit
Severity:Critical
OS:Windows Server / Client
7045
A service was installed in the system (logged in the System Event Log by Service Control Manager).
// Failure Reason / Root Cause:Software installation, `sc create` execution, or lateral movement (`PsExec` service creation).
Category:System
Audit Type:Success Audit
Severity:High
OS:Windows Server / Client
8003
An executable or DLL binary was permitted to execute by AppLocker application control policy.
// Failure Reason / Root Cause:Binary execution allowed by matching AppLocker rule (`RuleName`).
Category:AppLocker
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
8004
An executable or DLL binary was blocked from execution by AppLocker application control rules.
// Failure Reason / Root Cause:Binary execution blocked by AppLocker enforcement (`FilePath` denied by rule).
Category:AppLocker
Audit Type:Failure Audit
Severity:High
OS:Windows Server / Client
8006
A script (`VBS`, `JS`, `PS1`, `BAT`) or Windows Installer (`MSI`) was allowed to run by AppLocker policy.
// Failure Reason / Root Cause:Script or MSI allowed to run by AppLocker script policy rule (`RuleName`).
Category:AppLocker
Audit Type:Success Audit
Severity:Info
OS:Windows Server / Client
8007
A script (`VBS`, `JS`, `PS1`, `BAT`) or Windows Installer (`MSI`) was blocked by AppLocker application control.
// Failure Reason / Root Cause:Script or MSI execution blocked by AppLocker rule (`FilePath` denied).
Category:AppLocker
Audit Type:Failure Audit
Severity:High
OS:Windows Server / Client
ADVERTISEMENT / SPONSORED RESERVATION (728x90)