security.json

{
  "dataset": {
    "name": "EID Quick Reference - Security",
    "version": "1.16.0",
    "generatedAt": "2026-05-10T00:00:00Z",
    "id": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/security.json",
    "schema": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/schema.json",
    "license": {
      "name": "Creative Commons Attribution 4.0 International",
      "spdx": "CC-BY-4.0",
      "notice": "Event descriptions are paraphrased summaries written for this dataset. Source links point to authoritative references."
    },
    "sources": [
      {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/",
        "type": "primary"
      }
    ]
  },
  "entries": [
    {
      "id": 1102,
      "log": "Security",
      "provider": "Microsoft-Windows-Eventlog",
      "channel": "Security",
      "level": "Information",
      "title": "The audit log was cleared",
      "summary": "Security log cleared.",
      "details": "Generated when the Security event log is cleared. High severity because clearing may indicate evidence destruction.",
      "category": "Log Tampering",
      "tags": [
        "log-cleared",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 104,
          "log": "System"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1685.005",
          "techniqueName": "Disable or Modify Tools: Clear Windows Event Logs",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "SubjectUserName identifies the account that cleared the log — flag any non-IT account",
          "Correlate with System EID 104 — simultaneous clearing of both Security and System logs is a strong evidence destruction indicator",
          "Review the timestamp and check for any log entries from just before the clear for an attacker timeline"
        ],
        "commonFalsePositives": [
          "IT administrators clearing logs for storage management (rare, should be in change records)"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that cleared the log"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-1102"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Security Log Cleared",
          "rule": "SecurityEvent\n| where EventID == 1102\n| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName\n| order by TimeGenerated desc",
          "notes": "Every occurrence is high priority — there is no legitimate automated reason to clear the Security log outside of approved change windows."
        },
        {
          "platform": "Sigma",
          "title": "Security Log Cleared",
          "rule": "title: Security Log Cleared\nstatus: stable\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 1102\n  condition: selection\nfalsepositives:\n  - Legitimate administrator log management\nlevel: high"
        }
      ],
      "volumeIndicator": "rare",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4616,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "The system time was changed",
      "summary": "System clock was modified.",
      "details": "Generated when the system clock is changed. Attackers may modify the system clock to manipulate log timestamps, evade time-based detection rules, or shift the investigative timeline.",
      "category": "Defense Evasion",
      "tags": [
        "time-change",
        "defense-evasion",
        "log-tampering"
      ],
      "relatedEventIds": [
        {
          "id": 4688,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1070.006",
          "techniqueName": "Indicator Removal: Timestomp",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Compare PreviousTime and NewTime — large backward shifts immediately before malicious activity suggest deliberate timestamp manipulation",
          "SubjectUserName identifies who changed the time — non-admin accounts or unexpected accounts warrant investigation",
          "Correlate with Security EID 4688 around the same timestamp to identify what process triggered the time change"
        ],
        "commonFalsePositives": [
          "NTP synchronization events, especially on systems with clock drift after extended downtime",
          "VM host/guest time synchronization on virtual machines"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that changed the time"
        },
        {
          "name": "PreviousTime",
          "xpath": "EventData/Data[@Name='PreviousTime']",
          "description": "System time before the change"
        },
        {
          "name": "NewTime",
          "xpath": "EventData/Data[@Name='NewTime']",
          "description": "System time after the change"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4624,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "An account was successfully logged on",
      "summary": "Successful logon session creation.",
      "details": "Generated when a logon session is successfully created. Covers interactive, network, service, batch, and other logon types.",
      "category": "Logon/Authentication",
      "tags": [
        "logon",
        "authentication"
      ],
      "relatedEventIds": [
        {
          "id": 4625,
          "log": "Security"
        },
        {
          "id": 4634,
          "log": "Security"
        },
        {
          "id": 4672,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1078",
          "techniqueName": "Valid Accounts",
          "tactics": [
            {
              "tacticId": "TA0001",
              "tacticName": "Initial Access"
            },
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            },
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            },
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "LogonType is the primary pivot: 2=interactive (console), 3=network (SMB/WMI), 10=RemoteInteractive (RDP), 4=batch, 5=service",
          "IpAddress/WorkstationName identifies the source — flag logons from unexpected hosts or external IPs",
          "TargetUserName combined with LogonType 3 from an admin account outside business hours is a common lateral movement pattern",
          "Correlate LogonID with EID 4634/4647 to track session duration"
        ],
        "commonFalsePositives": [
          "Normal user and service account logons",
          "High-frequency network logons (LogonType 3) from backup, monitoring, or endpoint management systems"
        ]
      },
      "keyFields": [
        {
          "name": "LogonType",
          "xpath": "EventData/Data[@Name='LogonType']",
          "description": "Type of logon: 2=interactive, 3=network, 4=batch, 5=service, 10=RemoteInteractive (RDP)"
        },
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account that logged on"
        },
        {
          "name": "IpAddress",
          "xpath": "EventData/Data[@Name='IpAddress']",
          "description": "Source IP address of the logon"
        },
        {
          "name": "WorkstationName",
          "xpath": "EventData/Data[@Name='WorkstationName']",
          "description": "Source workstation name"
        },
        {
          "name": "LogonId",
          "xpath": "EventData/Data[@Name='TargetLogonId']",
          "description": "Logon session identifier for correlating with logoff events"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Suspicious Network Logon Outside Business Hours",
          "rule": "SecurityEvent\n| where EventID == 4624\n| where LogonType == 3\n| where AccountType != \"Machine\"\n| where TargetUserName !endswith \"$\"\n| where hourofday(TimeGenerated) !between (7 .. 18)\n| project TimeGenerated, Computer, TargetUserName, TargetDomainName, IpAddress, WorkstationName, LogonType\n| order by TimeGenerated desc",
          "notes": "Tune business hours window and exclude known service accounts and backup systems to reduce volume."
        },
        {
          "platform": "KQL",
          "title": "RDP Logon (LogonType 10) from External IP",
          "rule": "SecurityEvent\n| where EventID == 4624\n| where LogonType == 10\n| where IpAddress !startswith \"10.\" and IpAddress !startswith \"192.168.\" and IpAddress !startswith \"172.\"\n| where IpAddress != \"-\" and IpAddress != \"127.0.0.1\"\n| project TimeGenerated, Computer, TargetUserName, TargetDomainName, IpAddress, LogonType\n| order by TimeGenerated desc"
        },
        {
          "platform": "Sigma",
          "title": "Logon with Explicit Credentials from Unusual Source",
          "rule": "title: Suspicious Interactive Logon\nstatus: experimental\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4624\n    LogonType:\n      - 2\n      - 10\n  condition: selection\nfalsepositives:\n  - Normal user desktop logons\nlevel: informational"
        }
      ],
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4625,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditFailure",
      "title": "An account failed to log on",
      "summary": "Failed logon attempt recorded.",
      "details": "Generated when a logon attempt fails. Records the failure reason via Status and SubStatus codes.",
      "category": "Logon/Authentication",
      "tags": [
        "failure",
        "bruteforce"
      ],
      "relatedEventIds": [
        {
          "id": 4624,
          "log": "Security"
        },
        {
          "id": 4740,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1110",
          "techniqueName": "Brute Force",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "SubStatus 0xC000006A (wrong password) vs 0xC0000064 (bad username) distinguishes valid-user brute force from username enumeration",
          "Many failures against many accounts from one source = password spray; many failures against one account = brute force",
          "IpAddress/WorkstationName identifies the source — external IPs or unfamiliar workstations are high priority",
          "Correlate with EID 4740 to identify accounts that were locked out as a result"
        ],
        "commonFalsePositives": [
          "Misconfigured service accounts using stale credentials",
          "Users failing to log on after a password change before updating saved credentials"
        ]
      },
      "keyFields": [
        {
          "name": "Status",
          "xpath": "EventData/Data[@Name='Status']",
          "description": "NTSTATUS code for the failure category"
        },
        {
          "name": "SubStatus",
          "xpath": "EventData/Data[@Name='SubStatus']",
          "description": "NTSTATUS code for the specific failure reason (e.g., 0xC000006A = wrong password, 0xC0000064 = bad username)"
        },
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account targeted by the failed logon attempt"
        },
        {
          "name": "IpAddress",
          "xpath": "EventData/Data[@Name='IpAddress']",
          "description": "Source IP address of the failed logon"
        },
        {
          "name": "WorkstationName",
          "xpath": "EventData/Data[@Name='WorkstationName']",
          "description": "Source workstation name"
        },
        {
          "name": "LogonType",
          "xpath": "EventData/Data[@Name='LogonType']",
          "description": "Type of logon attempted"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Password Spray Detection — Many Accounts from One Source",
          "rule": "SecurityEvent\n| where EventID == 4625\n| where LogonType in (3, 10)\n| summarize FailureCount = count(), DistinctAccounts = dcount(TargetUserName) by IpAddress, bin(TimeGenerated, 10m)\n| where DistinctAccounts >= 5 and FailureCount >= 10\n| project TimeGenerated, IpAddress, FailureCount, DistinctAccounts\n| order by FailureCount desc",
          "notes": "Thresholds should be tuned per environment. Set DistinctAccounts lower (e.g., 3) in smaller environments."
        },
        {
          "platform": "KQL",
          "title": "Brute Force Detection — Many Failures Against One Account",
          "rule": "SecurityEvent\n| where EventID == 4625\n| summarize FailureCount = count() by TargetUserName, IpAddress, bin(TimeGenerated, 5m)\n| where FailureCount >= 20\n| project TimeGenerated, TargetUserName, IpAddress, FailureCount\n| order by FailureCount desc"
        },
        {
          "platform": "Sigma",
          "title": "Multiple Failed Logon Attempts",
          "rule": "title: Multiple Failed Logon Attempts (Brute Force)\nstatus: stable\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4625\n  condition: selection | count() by IpAddress > 20\n  timeframe: 5m\nfalsepositives:\n  - Misconfigured service accounts with stale credentials\nlevel: medium"
        }
      ],
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-05"
    },
    {
      "id": 4634,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "An account was logged off",
      "summary": "Logon session terminated.",
      "details": "Generated when a logon session ends and is destroyed. EID 4647 records user-initiated interactive/RDP logoffs; EID 4634 marks the actual session termination.",
      "category": "Logon/Authentication",
      "tags": [
        "logoff",
        "authentication"
      ],
      "relatedEventIds": [
        {
          "id": 4624,
          "log": "Security"
        },
        {
          "id": 4647,
          "log": "Security"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "LogonID links this event back to EID 4624 — use it to calculate full session duration",
          "Long-lived sessions (hours to days) for network logon types may indicate persistent attacker access or a long-running tool"
        ],
        "commonFalsePositives": [
          "Normal session termination for any logon type"
        ]
      },
      "keyFields": [
        {
          "name": "TargetLogonId",
          "xpath": "EventData/Data[@Name='TargetLogonId']",
          "description": "Logon session identifier linking back to EID 4624"
        },
        {
          "name": "LogonType",
          "xpath": "EventData/Data[@Name='LogonType']",
          "description": "Type of logon session that ended"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-03-29"
    },
    {
      "id": 4647,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "User initiated logoff",
      "summary": "User-initiated interactive logoff recorded.",
      "details": "Generated when a user initiates a logoff from an interactive or RDP session. Unlike EID 4634 which marks session termination, EID 4647 records the user's intent to log off.",
      "category": "Logon/Authentication",
      "tags": [
        "logoff",
        "authentication"
      ],
      "relatedEventIds": [
        {
          "id": 4634,
          "log": "Security"
        },
        {
          "id": 4624,
          "log": "Security"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate LogonID with EID 4624 to identify the originating logon and calculate session duration",
          "EID 4647 without a subsequent EID 4634 may indicate the session terminated abnormally before the logon record was closed"
        ],
        "commonFalsePositives": [
          "Normal user-initiated logoff from interactive or RDP sessions"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account that initiated the logoff"
        },
        {
          "name": "TargetLogonId",
          "xpath": "EventData/Data[@Name='TargetLogonId']",
          "description": "Logon session identifier linking to EID 4624"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-03-29"
    },
    {
      "id": 4648,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A logon was attempted using explicit credentials",
      "summary": "Explicit credential logon attempt recorded.",
      "details": "Generated when a process uses explicit credentials (such as runas or scheduled task authentication) rather than the session's default token.",
      "category": "Logon/Authentication",
      "tags": [
        "logon",
        "explicit-credentials",
        "runas"
      ],
      "relatedEventIds": [
        {
          "id": 4624,
          "log": "Security"
        },
        {
          "id": 4769,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1550.002",
          "techniqueName": "Use Alternate Authentication Material: Pass the Hash",
          "tactics": [
            {
              "tacticId": "TA0008",
              "tacticName": "Lateral Movement"
            }
          ]
        },
        {
          "techniqueId": "T1078",
          "techniqueName": "Valid Accounts",
          "tactics": [
            {
              "tacticId": "TA0001",
              "tacticName": "Initial Access"
            },
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            },
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            },
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "SubjectUserName vs TargetUserName mismatch indicates credential substitution — flag when TargetUserName is a more privileged account",
          "TargetServerName identifies the remote target — flag connections to domain controllers, servers, or internal infrastructure",
          "ProcessName of unexpected executables (e.g., cmd.exe, wmic.exe, PowerShell) using explicit credentials is a lateral movement indicator"
        ],
        "commonFalsePositives": [
          "Administrators using runas to run tools under a different account",
          "Scheduled tasks configured with explicit credentials triggering at execution time"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account whose session initiated the explicit credential logon"
        },
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account whose credentials were explicitly supplied"
        },
        {
          "name": "TargetServerName",
          "xpath": "EventData/Data[@Name='TargetServerName']",
          "description": "Remote server targeted by the explicit credential logon"
        },
        {
          "name": "ProcessName",
          "xpath": "EventData/Data[@Name='ProcessName']",
          "description": "Process that used the explicit credentials"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4648"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Explicit Credential Use by Non-Admin Process",
          "rule": "SecurityEvent\n| where EventID == 4648\n| where SubjectUserName != TargetUserName\n| where ProcessName !in (\"C:\\\\Windows\\\\System32\\\\lsass.exe\", \"C:\\\\Windows\\\\System32\\\\svchost.exe\", \"C:\\\\Windows\\\\System32\\\\services.exe\")\n| project TimeGenerated, Computer, SubjectUserName, TargetUserName, TargetServerName, ProcessName\n| order by TimeGenerated desc",
          "notes": "Filter known scheduled task and service manager processes. Focus on ProcessName values outside System32 or unusual locations."
        },
        {
          "platform": "Sigma",
          "title": "Explicit Credential Logon",
          "rule": "title: Explicit Credential Logon Attempt\nstatus: stable\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4648\n  filter:\n    SubjectUserName|endswith: '$'\n  condition: selection and not filter\nfalsepositives:\n  - Administrators using runas\n  - Scheduled tasks using explicit credentials\nlevel: medium"
        }
      ],
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4649,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditFailure",
      "title": "A Kerberos service ticket was requested with a replayed authentication",
      "summary": "Kerberos replay attack detected.",
      "details": "Generated when the Kerberos Key Distribution Center detects a replayed authenticator -- an authenticator previously used in a valid ticket request being resubmitted. This event fires when replay detection succeeds within the timestamp-based window (default 5 minutes). The presence of this event indicates either an active replay attack or a significant time skew issue triggering false replay detection.",
      "category": "Kerberos/Authentication",
      "tags": [
        "kerberos",
        "replay-attack",
        "credential-access"
      ],
      "relatedEventIds": [
        {
          "id": 4768,
          "log": "Security"
        },
        {
          "id": 4769,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1558",
          "techniqueName": "Steal or Forge Kerberos Tickets",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Account Logon > Audit Kerberos Service Ticket Operations must be enabled (Success and Failure)"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "ClientAddress identifies the source of the replay — pivot to this host for further investigation",
          "TargetUserName reveals which account's ticket was replayed — correlate with recent 4768/4769 requests from the same account",
          "A cluster of this event from different sources targeting the same account indicates a credential relay or ticket sharing attack"
        ],
        "commonFalsePositives": [
          "Severe clock skew (more than 5 minutes) between client and KDC causing authenticators to appear replayed",
          "Network packet retransmissions in lossy environments can sometimes trigger replay detection"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account whose ticket was replayed"
        },
        {
          "name": "ClientAddress",
          "xpath": "EventData/Data[@Name='ClientAddress']",
          "description": "Source address of the replay attempt"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 4656,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A handle to an object was requested",
      "summary": "Object handle request recorded.",
      "details": "Generated when access to a file, registry key, or kernel object is requested. Records the requested access rights but not whether the operation was actually performed. Requires SACL configuration on monitored objects.",
      "category": "Object Access",
      "tags": [
        "file-access",
        "registry-access",
        "object-access"
      ],
      "relatedEventIds": [
        {
          "id": 4663,
          "log": "Security"
        },
        {
          "id": 4670,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1083",
          "techniqueName": "File and Directory Discovery",
          "tactics": [
            {
              "tacticId": "TA0007",
              "tacticName": "Discovery"
            }
          ]
        },
        {
          "techniqueId": "T1112",
          "techniqueName": "Modify Registry",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            },
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "AccessMask field records what access was requested — flag WriteData, DELETE, or WRITE_DAC on sensitive objects",
          "ObjectName identifies the file or registry key — correlate against a list of sensitive paths (SAM, NTDS, LSASS, credential stores)",
          "Correlate with EID 4663 to confirm whether the handle was used for actual access"
        ],
        "commonFalsePositives": [
          "Normal file and registry access by legitimate applications — high volume on systems without targeted SACLs"
        ]
      },
      "keyFields": [
        {
          "name": "ObjectName",
          "xpath": "EventData/Data[@Name='ObjectName']",
          "description": "Full path of the file or registry key for which access was requested"
        },
        {
          "name": "AccessMask",
          "xpath": "EventData/Data[@Name='AccessMask']",
          "description": "Bitmask of requested access rights (e.g., WriteData, DELETE, WRITE_DAC)"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that requested the handle"
        },
        {
          "name": "ProcessName",
          "xpath": "EventData/Data[@Name='ProcessName']",
          "description": "Process that requested the handle"
        },
        {
          "name": "HandleId",
          "xpath": "EventData/Data[@Name='HandleId']",
          "description": "Handle identifier for correlating with EID 4663 and EID 4658"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4656"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4657,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A registry value was modified",
      "summary": "Registry value was created or changed.",
      "details": "Generated when a registry value is created, modified, or deleted, provided object access auditing is enabled for the specific registry key. High-value registry paths include Run/RunOnce keys (persistence), service ImagePath values (service hijacking), Defender and security tool configuration keys (tamper), and application compatibility shims (persistence).",
      "category": "Persistence/Defense Evasion",
      "tags": [
        "registry",
        "persistence",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 4688,
          "log": "Security"
        },
        {
          "id": 4663,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1112",
          "techniqueName": "Modify Registry",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            },
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        },
        {
          "techniqueId": "T1543.003",
          "techniqueName": "Create or Modify System Process: Windows Service",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "ObjectName is the key pivot — filter on Run/RunOnce, service ImagePath, Defender exclusion paths, and security tool configuration keys",
          "OldValue vs NewValue reveals what changed — value deletions (OldValue present, NewValue absent) can also indicate cleanup",
          "Correlate with Security EID 4688 to identify the process that made the change"
        ],
        "commonFalsePositives": [
          "High-volume legitimate registry activity — this event requires targeted filtering on sensitive key paths to be actionable",
          "Software installations and updates modifying their own registry keys"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that modified the registry value"
        },
        {
          "name": "ObjectName",
          "xpath": "EventData/Data[@Name='ObjectName']",
          "description": "Registry key path containing the modified value"
        },
        {
          "name": "ObjectValueName",
          "xpath": "EventData/Data[@Name='ObjectValueName']",
          "description": "Name of the registry value that was changed"
        },
        {
          "name": "OldValue",
          "xpath": "EventData/Data[@Name='OldValue']",
          "description": "Previous value data before the change"
        },
        {
          "name": "NewValue",
          "xpath": "EventData/Data[@Name='NewValue']",
          "description": "New value data after the change"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4657"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4658,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A handle to an object was closed",
      "summary": "An open object handle was closed, completing the handle lifecycle.",
      "details": "Generated when a handle opened with auditing (EID 4656) is closed. Completes the 4656-4663-4658 lifecycle chain. Without EID 4658, the access time window cannot be determined.",
      "category": "Object Access",
      "tags": [
        "handle",
        "object-access",
        "lsass",
        "credential-access"
      ],
      "relatedEventIds": [
        {
          "id": 4656,
          "log": "Security"
        },
        {
          "id": 4663,
          "log": "Security"
        },
        {
          "id": 4690,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1003.001",
          "techniqueName": "OS Credential Dumping: LSASS Memory",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Handle Manipulation must be enabled under Advanced Audit Policy > Object Access. The target object must also have a SACL configured to audit handle open/close operations."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Link HandleId to EID 4656 to determine which object the handle was opened on — LSASS, SAM database, or NTDS are highest priority",
          "Calculate the time between EID 4656 (open) and EID 4658 (close) to determine how long access was held",
          "Presence of EID 4663 between the matching 4656 and 4658 events confirms that actual access (read/write) occurred during the open window"
        ],
        "commonFalsePositives": [
          "Every legitimate handle close on objects with SACL auditing configured — extremely high volume in environments with broad object access auditing"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4658"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "keyFields": [
        {
          "name": "HandleId",
          "xpath": "EventData/Data[@Name='HandleId']",
          "description": "Handle identifier — correlate with EID 4656 HandleId to identify which object was opened and then closed"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that closed the handle"
        },
        {
          "name": "ProcessId",
          "xpath": "EventData/Data[@Name='ProcessId']",
          "description": "Process that held and released the handle; cross-reference with EID 4688 ProcessId for process identification"
        }
      ],
      "lastReviewed": "2026-04-11"
    },
    {
      "id": 4660,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "An object was deleted",
      "summary": "An audited file, registry key, or other object was deleted.",
      "details": "Generated when an auditable object is deleted, provided the object has a SACL configured for the DELETE operation. EID 4660 does not include the deleted object path; HandleId must be correlated with the matching EID 4656 to retrieve ObjectName.",
      "category": "Object Access",
      "tags": [
        "file-access",
        "object-access",
        "defense-evasion",
        "indicator-removal"
      ],
      "relatedEventIds": [
        {
          "id": 4656,
          "log": "Security"
        },
        {
          "id": 4663,
          "log": "Security"
        },
        {
          "id": 4658,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1070.004",
          "techniqueName": "Indicator Removal: File Deletion",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        },
        {
          "techniqueId": "T1112",
          "techniqueName": "Modify Registry",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            },
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Object Access must be enabled under Advanced Audit Policy. The target object must have a SACL configured to audit DELETE access operations."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "HandleId must be correlated with EID 4656 to retrieve ObjectName — EID 4660 alone does not include the deleted object's path",
          "SubjectUserName and ProcessId identify who deleted the object and what process performed the deletion",
          "Deletion of objects in sensitive paths (\\Registry\\Machine\\SYSTEM, staging temp directories) shortly after creation is a strong indicator of attacker cleanup"
        ],
        "commonFalsePositives": [
          "Normal file and registry deletions on objects with broad SACL configurations — filter by sensitive paths to reduce noise"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4660"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "keyFields": [
        {
          "name": "HandleId",
          "xpath": "EventData/Data[@Name='HandleId']",
          "description": "Correlate with EID 4656 to retrieve ObjectName — EID 4660 does not include the object path"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that deleted the object"
        }
      ],
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4662,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "An operation was performed on an object",
      "summary": "An operation was performed on an Active Directory object.",
      "details": "Generated when an operation is performed on an Active Directory object, such as reading, writing, or replicating a directory object. Critical for detecting DCSync attacks: when replication rights are used to request password hashes from a DC, EID 4662 is generated with ObjectType of DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.",
      "category": "Credential Access",
      "tags": [
        "active-directory",
        "dcsync",
        "credential-access",
        "replication"
      ],
      "relatedEventIds": [
        {
          "id": 4624,
          "log": "Security"
        },
        {
          "id": 4688,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1003.006",
          "techniqueName": "OS Credential Dumping: DCSync",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "DCSync detection: filter for ObjectType GUIDs 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes) and 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All) from a non-DC account",
          "SubjectUserName should be a domain controller machine account for legitimate replication — any other account is suspicious",
          "Correlate with Security EID 4624 to identify how the attacker authenticated before performing the replication request"
        ],
        "commonFalsePositives": [
          "Legitimate AD replication between domain controllers — SubjectUserName will be a DC machine account",
          "Azure AD Connect and other directory synchronization tools with replication permissions"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that performed the directory operation"
        },
        {
          "name": "ObjectDN",
          "xpath": "EventData/Data[@Name='ObjectDN']",
          "description": "Distinguished name of the target Active Directory object"
        },
        {
          "name": "ObjectType",
          "xpath": "EventData/Data[@Name='ObjectType']",
          "description": "GUID identifying the type of operation (replication GUIDs indicate DCSync)"
        },
        {
          "name": "OperationType",
          "xpath": "EventData/Data[@Name='OperationType']",
          "description": "Type of operation performed on the object"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4663,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "An attempt was made to access an object",
      "summary": "Object access attempt recorded.",
      "details": "Generated when a specific access right is exercised on a file, registry key, or kernel object with a matching SACL. Confirms that the access requested in EID 4656 was actually performed. Requires SACL configuration on monitored objects.",
      "category": "Object Access",
      "tags": [
        "file-access",
        "registry-access",
        "object-access"
      ],
      "relatedEventIds": [
        {
          "id": 4656,
          "log": "Security"
        },
        {
          "id": 4670,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1083",
          "techniqueName": "File and Directory Discovery",
          "tactics": [
            {
              "tacticId": "TA0007",
              "tacticName": "Discovery"
            }
          ]
        },
        {
          "techniqueId": "T1005",
          "techniqueName": "Data from Local System",
          "tactics": [
            {
              "tacticId": "TA0009",
              "tacticName": "Collection"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Accesses field shows what operation was performed — WriteData/AddFile or DELETE on sensitive paths are high priority",
          "ObjectName identifies the specific file or registry key accessed — flag sensitive paths such as SAM, NTDS.dit, credential manager stores",
          "SubjectUserName combined with ProcessName reveals what account and process performed the access"
        ],
        "commonFalsePositives": [
          "Legitimate application access to monitored files — high volume without targeted SACL scoping"
        ]
      },
      "keyFields": [
        {
          "name": "ObjectName",
          "xpath": "EventData/Data[@Name='ObjectName']",
          "description": "Full path of the file or registry key accessed"
        },
        {
          "name": "Accesses",
          "xpath": "EventData/Data[@Name='Accesses']",
          "description": "Specific access operation performed (e.g., WriteData, ReadData, DELETE)"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that performed the access"
        },
        {
          "name": "ProcessName",
          "xpath": "EventData/Data[@Name='ProcessName']",
          "description": "Process that performed the access"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4663"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-03-29"
    },
    {
      "id": 4670,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Permissions on an object were changed",
      "summary": "Object DACL/permissions changed.",
      "details": "Generated when the permissions (DACL) of a file, registry key, or token object are changed. OldSd and NewSd fields contain SDDL representations of the permission change. Requires SACL configuration on monitored objects.",
      "category": "Object Access",
      "tags": [
        "permissions",
        "acl-change",
        "object-access"
      ],
      "relatedEventIds": [
        {
          "id": 4663,
          "log": "Security"
        },
        {
          "id": 4656,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1222",
          "techniqueName": "File and Directory Permissions Modification",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "OldSd and NewSd are SDDL strings — diff them to determine what permissions were added or removed",
          "Permission changes on security tool directories, log directories, or credential stores may indicate defense evasion or pre-staging",
          "SubjectUserName combined with ObjectName identifies who changed permissions on what"
        ],
        "commonFalsePositives": [
          "Software installers modifying file or registry permissions during setup",
          "Group Policy applying permission changes to managed objects"
        ]
      },
      "keyFields": [
        {
          "name": "ObjectName",
          "xpath": "EventData/Data[@Name='ObjectName']",
          "description": "Full path of the object whose permissions were changed"
        },
        {
          "name": "OldSd",
          "xpath": "EventData/Data[@Name='OldSd']",
          "description": "SDDL string of the security descriptor before the change"
        },
        {
          "name": "NewSd",
          "xpath": "EventData/Data[@Name='NewSd']",
          "description": "SDDL string of the security descriptor after the change"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that changed the permissions"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4670"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4672,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Special privileges assigned to new logon",
      "summary": "Sensitive privileges assigned at logon.",
      "details": "Generated when a new logon session is assigned sensitive privileges such as SeDebugPrivilege, SeBackupPrivilege, or SeTakeOwnershipPrivilege. Very common for SYSTEM logons.",
      "category": "Privilege Use",
      "tags": [
        "privilege",
        "authentication"
      ],
      "relatedEventIds": [
        {
          "id": 4624,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1078",
          "techniqueName": "Valid Accounts",
          "tactics": [
            {
              "tacticId": "TA0001",
              "tacticName": "Initial Access"
            },
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            },
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            },
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        },
        {
          "techniqueId": "T1134",
          "techniqueName": "Access Token Manipulation",
          "tactics": [
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "PrivilegeList is the key field — SeDebugPrivilege enables memory access to other processes (used by credential dumpers), SeBackupPrivilege enables reading any file",
          "Correlate LogonID with EID 4624 to identify the logon session that received the privileges",
          "Unexpected non-admin accounts assigned SeDebugPrivilege or SeTcbPrivilege are high-confidence escalation indicators"
        ],
        "commonFalsePositives": [
          "SYSTEM logons are very high volume and routinely receive sensitive privileges — baseline and filter these",
          "Administrator logons receiving their normal assigned privileges"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that received the sensitive privileges"
        },
        {
          "name": "PrivilegeList",
          "xpath": "EventData/Data[@Name='PrivilegeList']",
          "description": "List of sensitive privileges assigned to the logon session"
        },
        {
          "name": "SubjectLogonId",
          "xpath": "EventData/Data[@Name='SubjectLogonId']",
          "description": "Logon session identifier for correlating with EID 4624"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4672"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Sensitive Privilege Assigned to Non-Admin Account",
          "rule": "SecurityEvent\n| where EventID == 4672\n| where AccountName !endswith \"$\"\n| where AccountName !in (\"SYSTEM\", \"LOCAL SERVICE\", \"NETWORK SERVICE\")\n| where PrivilegeList has_any (\"SeDebugPrivilege\", \"SeLoadDriverPrivilege\", \"SeTcbPrivilege\", \"SeCreateTokenPrivilege\", \"SeTakeOwnershipPrivilege\")\n| project TimeGenerated, Computer, AccountName, AccountDomain, PrivilegeList\n| order by TimeGenerated desc",
          "notes": "SYSTEM logons are extremely high-volume and routinely receive these privileges — exclude AccountName == 'SYSTEM' or baseline those first."
        }
      ],
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4673,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A privileged service was called",
      "summary": "Sensitive privilege used by a process.",
      "details": "Generated when a process uses a sensitive Windows privilege such as SeDebugPrivilege, SeTcbPrivilege, SeLoadDriverPrivilege, SeCreateTokenPrivilege, SeTakeOwnershipPrivilege, or SeAssignPrimaryTokenPrivilege. SeDebugPrivilege is required for direct LSASS memory access. SeLoadDriverPrivilege is used to load kernel drivers. SeTcbPrivilege grants 'act as part of the operating system' rights.",
      "category": "Privilege Abuse",
      "tags": [
        "privilege",
        "credential-access",
        "SeDebugPrivilege",
        "mimikatz"
      ],
      "relatedEventIds": [
        {
          "id": 4674,
          "log": "Security"
        },
        {
          "id": 4688,
          "log": "Security"
        },
        {
          "id": 4672,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1003.001",
          "techniqueName": "OS Credential Dumping: LSASS Memory",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        },
        {
          "techniqueId": "T1134",
          "techniqueName": "Access Token Manipulation",
          "tactics": [
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            },
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Privilege Use > Audit Sensitive Privilege Use must be enabled (Success and Failure)"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "PrivilegeList is the key field — filter for SeDebugPrivilege, SeTcbPrivilege, SeLoadDriverPrivilege, and SeCreateTokenPrivilege",
          "ProcessName identifies the binary claiming the privilege — any process outside System32 or known security software using SeDebugPrivilege is high priority",
          "Correlate SubjectUserName with EID 4688 to build the process ancestry chain — unexpected parent processes are a strong indicator"
        ],
        "commonFalsePositives": [
          "Security software (AV, EDR, vulnerability scanners) legitimately using SeDebugPrivilege for memory inspection",
          "Task Manager and Process Explorer using SeDebugPrivilege for process inspection by administrators"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account whose process used the privilege"
        },
        {
          "name": "ProcessName",
          "xpath": "EventData/Data[@Name='ProcessName']",
          "description": "Executable that used the privilege"
        },
        {
          "name": "PrivilegeList",
          "xpath": "EventData/Data[@Name='PrivilegeList']",
          "description": "Sensitive privilege that was exercised"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "SeDebugPrivilege Used by Non-System Process",
          "rule": "SecurityEvent\n| where EventID == 4673\n| where PrivilegeList has \"SeDebugPrivilege\"\n| where ProcessName !has \"\\\\Windows\\\\\"\n| project TimeGenerated, Computer, SubjectUserName, ProcessName, PrivilegeList\n| order by TimeGenerated desc",
          "notes": "Requires Audit Sensitive Privilege Use enabled. SeDebugPrivilege is the primary Mimikatz/credential dumper indicator. Tune by allowlisting known security tools."
        },
        {
          "platform": "Sigma",
          "title": "Sensitive Privilege Use — SeDebugPrivilege",
          "rule": "title: Sensitive Privilege Use — SeDebugPrivilege\nstatus: stable\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4673\n    PrivilegeList|contains: 'SeDebugPrivilege'\n  filter:\n    ProcessName|startswith:\n      - 'C:\\Windows\\'\n      - 'C:\\Program Files\\'\n  condition: selection and not filter\nfalsepositives:\n  - Security software performing memory inspection\n  - Task Manager or Process Explorer run by administrators\nlevel: high"
        }
      ],
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4674,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "An operation was attempted on a privileged object",
      "summary": "An operation was attempted using a sensitive privilege.",
      "details": "Generated when an operation is attempted on a privileged object such as a security-sensitive API call or token operation that uses a sensitive privilege. Closely related to EID 4673 which records privilege use; EID 4674 is more specific to the object-level operation. This event fires for operations on objects requiring elevated privileges like LSASS handles, token duplication, or security descriptor changes.",
      "category": "Privilege Abuse",
      "tags": [
        "privilege",
        "object-access",
        "credential-access"
      ],
      "relatedEventIds": [
        {
          "id": 4673,
          "log": "Security"
        },
        {
          "id": 4688,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1134",
          "techniqueName": "Access Token Manipulation",
          "tactics": [
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            },
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Privilege Use > Audit Sensitive Privilege Use must be enabled (Success and Failure)"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate ObjectName and PrivilegeList — LSASS as object with SeDebugPrivilege is the highest fidelity credential dumping indicator",
          "Combine with EID 4673 from the same SubjectUserName and ProcessName for a complete privilege use chain",
          "Correlate with Sysmon EID 10 (ProcessAccess) for a cross-source view of the same operation"
        ],
        "commonFalsePositives": [
          "Security software performing legitimate process inspection or memory scanning",
          "System processes and services performing normal privileged operations at boot and during updates"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that attempted the privileged operation"
        },
        {
          "name": "ObjectServer",
          "xpath": "EventData/Data[@Name='ObjectServer']",
          "description": "Subsystem that handled the privileged object request"
        },
        {
          "name": "ObjectType",
          "xpath": "EventData/Data[@Name='ObjectType']",
          "description": "Type of object the operation was performed on"
        },
        {
          "name": "ObjectName",
          "xpath": "EventData/Data[@Name='ObjectName']",
          "description": "Name of the privileged object targeted"
        },
        {
          "name": "PrivilegeList",
          "xpath": "EventData/Data[@Name='PrivilegeList']",
          "description": "Privilege used for the operation"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4674"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4688,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A new process has been created",
      "summary": "Process creation event.",
      "details": "Generated when a new process is created. High-value telemetry when command-line logging is enabled via the 'Include command line in process creation events' audit policy.",
      "category": "Process Execution",
      "tags": [
        "process",
        "execution"
      ],
      "relatedEventIds": [
        {
          "id": 4689,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1059",
          "techniqueName": "Command and Scripting Interpreter",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "CommandLine (requires audit policy: Include command line in process creation events) is the highest-value field — search for encoded commands, download cradles, and LOLBAS abuse (binaries such as certutil.exe and mshta.exe, scripts via wscript.exe/cscript.exe, and libraries loaded through rundll32.exe)",
          "ParentProcessName establishes the process chain — unexpected parents (e.g., Office spawning cmd.exe, or wscript.exe spawning PowerShell) are strong malicious indicators",
          "SubjectUserName identifies the account context — SYSTEM or service account spawning interactive shells is suspicious",
          "Correlate NewProcessId with EID 4689 to track process lifetime"
        ],
        "commonFalsePositives": [
          "Any legitimate process creation — very high volume; effective use requires focused filtering on suspicious parent-child relationships or command patterns"
        ]
      },
      "keyFields": [
        {
          "name": "NewProcessName",
          "xpath": "EventData/Data[@Name='NewProcessName']",
          "description": "Full path of the new process executable"
        },
        {
          "name": "CommandLine",
          "xpath": "EventData/Data[@Name='CommandLine']",
          "description": "Command line used to create the process (requires audit policy)"
        },
        {
          "name": "ParentProcessName",
          "xpath": "EventData/Data[@Name='ParentProcessName']",
          "description": "Full path of the parent process executable"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account context under which the process was created"
        },
        {
          "name": "NewProcessId",
          "xpath": "EventData/Data[@Name='NewProcessId']",
          "description": "Process ID of the new process for correlating with EID 4689"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4688"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Suspicious Parent-Child Process Relationship",
          "rule": "SecurityEvent\n| where EventID == 4688\n| where ParentProcessName has_any (\"winword.exe\", \"excel.exe\", \"powerpnt.exe\", \"outlook.exe\", \"mshta.exe\", \"wscript.exe\", \"cscript.exe\")\n| where NewProcessName has_any (\"cmd.exe\", \"powershell.exe\", \"wmic.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"certutil.exe\")\n| project TimeGenerated, Computer, SubjectUserName, NewProcessName, ParentProcessName, CommandLine\n| order by TimeGenerated desc",
          "notes": "Requires 'Include command line in process creation events' audit policy for CommandLine field. Adjust parent/child lists to environment."
        },
        {
          "platform": "KQL",
          "title": "Encoded PowerShell Command Execution",
          "rule": "SecurityEvent\n| where EventID == 4688\n| where NewProcessName endswith \"\\\\powershell.exe\" or NewProcessName endswith \"\\\\pwsh.exe\"\n| where CommandLine has_any (\"-enc\", \"-EncodedCommand\", \"-e \", \"FromBase64String\")\n| project TimeGenerated, Computer, SubjectUserName, CommandLine, ParentProcessName\n| order by TimeGenerated desc"
        },
        {
          "platform": "Sigma",
          "title": "LOLBAS Execution via Process Creation",
          "rule": "title: LOLBAS Execution via Process Creation\nstatus: experimental\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4688\n    NewProcessName|endswith:\n      - '\\certutil.exe'\n      - '\\mshta.exe'\n      - '\\regsvr32.exe'\n      - '\\rundll32.exe'\n      - '\\bitsadmin.exe'\n      - '\\wscript.exe'\n      - '\\cscript.exe'\n      - '\\msbuild.exe'\n      - '\\wmic.exe'\n  condition: selection\nfalsepositives:\n  - Legitimate administrative use of these binaries or scripting engines\nlevel: medium",
          "notes": "Covers LOLBAS Binaries (certutil, mshta, regsvr32, rundll32, bitsadmin, wmic, msbuild) and Scripts (wscript, cscript). For library abuse (DLLs loaded via rundll32/regsvr32), inspect CommandLine for unusual .dll paths."
        }
      ],
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-07"
    },
    {
      "id": 4689,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A process has exited",
      "summary": "Process termination event.",
      "details": "Generated when a process exits. Paired with EID 4688 using ProcessId to track full process lifetime.",
      "category": "Process Execution",
      "tags": [
        "process",
        "execution"
      ],
      "relatedEventIds": [
        {
          "id": 4688,
          "log": "Security"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Pair with EID 4688 using ProcessId to calculate process lifetime — sub-second or very short-lived processes are characteristic of one-liner or stager execution",
          "ExitStatus of non-zero may indicate the process failed or was killed — correlate with Defender or EDR telemetry"
        ],
        "commonFalsePositives": [
          "Normal process termination for any application"
        ]
      },
      "keyFields": [
        {
          "name": "ProcessName",
          "xpath": "EventData/Data[@Name='ProcessName']",
          "description": "Full path of the process that exited"
        },
        {
          "name": "ProcessId",
          "xpath": "EventData/Data[@Name='ProcessId']",
          "description": "Process ID for correlating with EID 4688"
        },
        {
          "name": "ExitStatus",
          "xpath": "EventData/Data[@Name='ExitStatus']",
          "description": "Exit code of the terminated process"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that owned the process"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4689"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-07"
    },
    {
      "id": 4690,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "An attempt was made to duplicate a handle to an object",
      "summary": "A process attempted to duplicate an object handle into another process.",
      "details": "Generated when a handle to an object is duplicated from one process into another, provided Audit Handle Manipulation is enabled. Handle duplication can be used to obtain access to LSASS without triggering direct-open detection (EID 4656).",
      "category": "Credential Access",
      "tags": [
        "handle",
        "lsass",
        "credential-dumping",
        "process-access"
      ],
      "relatedEventIds": [
        {
          "id": 4656,
          "log": "Security"
        },
        {
          "id": 4663,
          "log": "Security"
        },
        {
          "id": 4658,
          "log": "Security"
        },
        {
          "id": 4688,
          "log": "Security"
        },
        {
          "id": 10,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1003.001",
          "techniqueName": "OS Credential Dumping: LSASS Memory",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Handle Manipulation must be enabled under Advanced Audit Policy > Object Access."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "SourceProcessId and TargetProcessId are the critical fields — if either resolves to lsass.exe or the source handle maps to an LSASS object (per EID 4656), treat as a high-priority credential access indicator",
          "Correlate TargetProcessId with EID 4688 to identify the receiving process's full command line and parent process",
          "A non-security-product process duplicating a handle from LSASS is a strong ProcDump or manual-dump indicator — check SubjectUserName and the requesting process path against known tooling"
        ],
        "commonFalsePositives": [
          "Security products and EDR agents that legitimately duplicate handles as part of process monitoring",
          "Debugging tools duplicating handles for diagnostic purposes"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4690"
      },
      "detectionRules": [
        {
          "platform": "Sigma",
          "title": "LSASS Handle Duplication via Object Access Audit",
          "rule": "title: LSASS Handle Duplication via Object Access Audit\nstatus: experimental\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4690\n  condition: selection\nfalsepositives:\n  - Security products and EDR agents performing legitimate handle operations\n  - Debugging tools\nlevel: medium",
          "notes": "Requires correlation with EID 4656 on lsass.exe to confirm LSASS involvement. Sysmon EID 10 (ProcessAccess with TargetImage lsass.exe) provides higher-fidelity detection for the same technique with less prerequisite configuration."
        }
      ],
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "keyFields": [
        {
          "name": "SourceHandleId",
          "xpath": "EventData/Data[@Name='SourceHandleId']",
          "description": "Handle being duplicated — correlate with EID 4656 to identify the original object"
        },
        {
          "name": "SourceProcessId",
          "xpath": "EventData/Data[@Name='SourceProcessId']",
          "description": "Process that currently holds the handle being duplicated"
        },
        {
          "name": "TargetProcessId",
          "xpath": "EventData/Data[@Name='TargetProcessId']",
          "description": "Process receiving the duplicated handle — the likely attacker process; correlate with EID 4688"
        }
      ],
      "lastReviewed": "2026-04-11"
    },
    {
      "id": 4692,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Backup of data protection master key was attempted",
      "summary": "DPAPI master key backup attempted.",
      "details": "Generated when a backup of the Data Protection API (DPAPI) master key is attempted. DPAPI master keys encrypt secrets stored on disk including browser saved passwords, Windows credential vault entries, private keys, and application secrets. A master key backup copies the key material to a domain controller (via MS-BKRP) or to a user-controlled location.",
      "category": "Credential Access",
      "tags": [
        "dpapi",
        "credential-access",
        "master-key",
        "backup"
      ],
      "relatedEventIds": [
        {
          "id": 4693,
          "log": "Security"
        },
        {
          "id": 4695,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1555.004",
          "techniqueName": "Credentials from Password Stores: Windows Credential Manager",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit DPAPI Activity must be enabled under Advanced Audit Policy > Object Access"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "SubjectUserName identifies the account triggering the backup — unexpected accounts or non-interactive sessions are suspicious",
          "MasterKeyId can be correlated with subsequent DPAPI decryption activity (EID 4695) to trace the full credential access chain",
          "Correlate with Security EID 4624 (logon type) to determine whether the session was interactive or network-based"
        ],
        "commonFalsePositives": [
          "Domain-joined machines automatically backing up master keys to the DC during normal user profile initialization",
          "Enterprise backup software performing DPAPI key backup as part of authorized credential archival"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that triggered the master key backup"
        },
        {
          "name": "MasterKeyId",
          "xpath": "EventData/Data[@Name='MasterKeyId']",
          "description": "Identifier of the DPAPI master key being backed up"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4692"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 4693,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Recovery of data protection master key was attempted",
      "summary": "DPAPI master key recovery attempted.",
      "details": "Generated when recovery of a DPAPI master key is attempted. Recovery occurs when a master key is not available locally and must be retrieved from the domain controller backup (MS-BKRP) or from a user's roaming profile. An attacker who can authenticate as the target user or as a domain admin can recover master keys and then decrypt any DPAPI-protected secret.",
      "category": "Credential Access",
      "tags": [
        "dpapi",
        "credential-access",
        "master-key",
        "mimikatz"
      ],
      "relatedEventIds": [
        {
          "id": 4692,
          "log": "Security"
        },
        {
          "id": 4695,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1555.004",
          "techniqueName": "Credentials from Password Stores: Windows Credential Manager",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        },
        {
          "techniqueId": "T1552.004",
          "techniqueName": "Unsecured Credentials: Private Keys",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit DPAPI Activity must be enabled under Advanced Audit Policy > Object Access"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate ProcessName with EID 4688 — Mimikatz, PowerShell, or unknown executables triggering master key recovery are high priority",
          "SubjectUserName recovering a MasterKeyId associated with a different user account indicates impersonation or domain admin abuse",
          "Correlate with EID 4624 logon type — recovery during a network logon (Type 3) is unusual and warrants investigation"
        ],
        "commonFalsePositives": [
          "Users logging on to a new machine or after a master key rotation triggers automatic recovery from the domain backup",
          "Profile synchronization in roaming profile environments"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that attempted the master key recovery"
        },
        {
          "name": "MasterKeyId",
          "xpath": "EventData/Data[@Name='MasterKeyId']",
          "description": "Identifier of the DPAPI master key being recovered"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4693"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 4694,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Protection of auditable protected data was attempted",
      "summary": "DPAPI encryption of auditable data was attempted.",
      "details": "Generated when the CryptProtectData API is called to encrypt auditable protected data. This event tracks the encryption (wrapping) side of the DPAPI lifecycle and is most relevant when tracking applications storing new secrets under DPAPI.",
      "category": "Credential Access",
      "tags": [
        "dpapi",
        "credential-access",
        "encryption"
      ],
      "relatedEventIds": [
        {
          "id": 4695,
          "log": "Security"
        },
        {
          "id": 4693,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1555.004",
          "techniqueName": "Credentials from Password Stores: Windows Credential Manager",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit DPAPI Activity must be enabled under Advanced Audit Policy > Object Access"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "ProcessName is the primary pivot — applications outside of known browsers, credential managers, and system components encrypting auditable data warrant review",
          "DataDescription field (when populated) identifies the type of secret being protected",
          "Pair EID 4694 (encryption) with EID 4695 (decryption) from the same application to understand the full credential store lifecycle"
        ],
        "commonFalsePositives": [
          "Browsers and email clients storing credentials or session tokens under DPAPI as part of normal operation",
          "Windows systems encrypting user profile data, private keys, and stored passwords during normal activity"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account whose context was used for the encryption"
        },
        {
          "name": "ProcessName",
          "xpath": "EventData/Data[@Name='ProcessName']",
          "description": "Process that called CryptProtectData"
        },
        {
          "name": "DataDescription",
          "xpath": "EventData/Data[@Name='DataDescription']",
          "description": "Description of the data being encrypted (when populated)"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4694"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 4695,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Unprotection of auditable protected data was attempted",
      "summary": "DPAPI decryption of auditable data was attempted.",
      "details": "Generated when the CryptUnprotectData API is called to decrypt auditable DPAPI-protected data. This is the decryption (unwrapping) side of the DPAPI lifecycle and fires when a process reads DPAPI-encrypted secrets such as browser saved passwords, Windows Credential Manager vault entries, or application secrets.",
      "category": "Credential Access",
      "tags": [
        "dpapi",
        "credential-access",
        "decryption",
        "mimikatz"
      ],
      "relatedEventIds": [
        {
          "id": 4694,
          "log": "Security"
        },
        {
          "id": 4693,
          "log": "Security"
        },
        {
          "id": 5379,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1555.003",
          "techniqueName": "Credentials from Password Stores: Credentials from Web Browsers",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        },
        {
          "techniqueId": "T1555.004",
          "techniqueName": "Credentials from Password Stores: Windows Credential Manager",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit DPAPI Activity must be enabled under Advanced Audit Policy > Object Access"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "ProcessName is the highest-value pivot — any non-browser, non-credential-manager process decrypting auditable DPAPI data warrants investigation",
          "SubjectUserName decrypting data owned by a different user indicates impersonation or SYSTEM-level credential harvesting",
          "Correlate with EID 4693 (master key recovery) and EID 5379 (Credential Manager read) to build a complete credential theft event chain"
        ],
        "commonFalsePositives": [
          "Browsers decrypting stored passwords during normal autofill and form filling operations",
          "Windows components decrypting user secrets during session initialization and service startup"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account whose context was used for the decryption"
        },
        {
          "name": "ProcessName",
          "xpath": "EventData/Data[@Name='ProcessName']",
          "description": "Process that called CryptUnprotectData"
        },
        {
          "name": "DataDescription",
          "xpath": "EventData/Data[@Name='DataDescription']",
          "description": "Description of the data being decrypted (when populated)"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4695"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 4697,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A service was installed in the system",
      "summary": "Service installation recorded in Security log.",
      "details": "Generated when a new service is installed on the system. Recorded in the Security log alongside System EID 7045.",
      "category": "Persistence/Services",
      "tags": [
        "service",
        "persistence"
      ],
      "relatedEventIds": [
        {
          "id": 7045,
          "log": "System"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1543.003",
          "techniqueName": "Create or Modify System Process: Windows Service",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "SubjectUserName identifies the account that installed the service — flag non-admin or unexpected accounts",
          "Correlate with System EID 7045 for the ServiceFileName (executable path) to assess the binary location",
          "ServiceType and ServiceStartType reveal whether the service runs as a kernel driver or user-mode process, and whether it starts at boot"
        ],
        "commonFalsePositives": [
          "Legitimate software installing services during setup",
          "Windows Update adding or updating system services"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that installed the service"
        },
        {
          "name": "ServiceName",
          "xpath": "EventData/Data[@Name='ServiceName']",
          "description": "Name of the installed service"
        },
        {
          "name": "ServiceFileName",
          "xpath": "EventData/Data[@Name='ServiceFileName']",
          "description": "Executable path of the installed service"
        },
        {
          "name": "ServiceType",
          "xpath": "EventData/Data[@Name='ServiceType']",
          "description": "Whether the service runs as a kernel driver or user-mode process"
        },
        {
          "name": "ServiceStartType",
          "xpath": "EventData/Data[@Name='ServiceStartType']",
          "description": "When the service starts (boot, auto, manual, disabled)"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4697"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Service Installed with Suspicious Binary Path",
          "rule": "SecurityEvent\n| where EventID == 4697\n| where ServiceFileName !startswith \"C:\\\\Windows\\\\\"\n| where ServiceFileName !startswith \"C:\\\\Program Files\\\\\"\n| project TimeGenerated, Computer, SubjectUserName, ServiceName, ServiceFileName, ServiceType, ServiceStartType\n| order by TimeGenerated desc",
          "notes": "Services installed outside Windows and Program Files directories are common indicators of malware persistence or lateral movement tools."
        },
        {
          "platform": "Sigma",
          "title": "New Service Installed Outside Standard Paths",
          "rule": "title: New Service Installed Outside Standard Paths\nstatus: stable\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4697\n  filter:\n    ServiceFileName|startswith:\n      - 'C:\\Windows\\'\n      - 'C:\\Program Files\\'\n      - 'C:\\Program Files (x86)\\'\n  condition: selection and not filter\nfalsepositives:\n  - Third-party software installing services in non-standard locations\nlevel: high"
        }
      ],
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-05"
    },
    {
      "id": 4698,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A scheduled task was created",
      "summary": "New scheduled task creation recorded.",
      "details": "Generated when a new scheduled task is created. The TaskContent field contains the full task definition XML including the command path, arguments, triggers, and LogonType.",
      "category": "Persistence/Scheduled Tasks",
      "tags": [
        "scheduled-task",
        "persistence"
      ],
      "relatedEventIds": [
        {
          "id": 4699,
          "log": "Security"
        },
        {
          "id": 4700,
          "log": "Security"
        },
        {
          "id": 4702,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1053.005",
          "techniqueName": "Scheduled Task/Job: Scheduled Task",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            },
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "TaskContent XML contains the full task definition — inspect the Action element for the executable path and arguments",
          "LogonType of Password in the TaskContent stores credentials in Credential Manager; S4U or InteractiveToken are also worth noting",
          "Tasks created in the root scheduler namespace (no subfolder) are more commonly malicious than vendor-subfoldered tasks",
          "SubjectUserName identifies who created the task"
        ],
        "commonFalsePositives": [
          "Legitimate software installers creating scheduled tasks",
          "Group Policy deploying tasks to managed endpoints"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that created the task"
        },
        {
          "name": "TaskName",
          "xpath": "EventData/Data[@Name='TaskName']",
          "description": "Full path of the scheduled task in the Task Scheduler namespace"
        },
        {
          "name": "TaskContent",
          "xpath": "EventData/Data[@Name='TaskContent']",
          "description": "XML definition of the task including Action, Triggers, and LogonType"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Scheduled Task Created in Root Namespace",
          "rule": "SecurityEvent\n| where EventID == 4698\n| where TaskName !startswith \"\\\\Microsoft\\\\\"\n| project TimeGenerated, Computer, SubjectUserName, TaskName, TaskContent\n| order by TimeGenerated desc",
          "notes": "Tasks in \\Microsoft\\ subfolder are typically Microsoft/vendor-managed. Tasks at the root level (e.g., \\TaskName) are more commonly attacker-created."
        },
        {
          "platform": "Sigma",
          "title": "Scheduled Task Created",
          "rule": "title: Scheduled Task Created\nstatus: stable\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4698\n  filter:\n    TaskName|startswith: '\\Microsoft\\'\n  condition: selection and not filter\nfalsepositives:\n  - Legitimate software installers creating scheduled tasks\n  - Group Policy deploying tasks\nlevel: medium"
        }
      ],
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-05"
    },
    {
      "id": 4699,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A scheduled task was deleted",
      "summary": "Scheduled task deletion recorded.",
      "details": "Generated when a scheduled task is deleted.",
      "category": "Persistence/Scheduled Tasks",
      "tags": [
        "scheduled-task",
        "persistence"
      ],
      "relatedEventIds": [
        {
          "id": 4698,
          "log": "Security"
        },
        {
          "id": 4700,
          "log": "Security"
        },
        {
          "id": 4702,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1053.005",
          "techniqueName": "Scheduled Task/Job: Scheduled Task",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            },
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        },
        {
          "techniqueId": "T1070",
          "techniqueName": "Indicator Removal",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate TaskName with EID 4698 to determine when the task was created and whether it ran before deletion",
          "Cross-reference with Task Scheduler EID 200 to confirm whether the task executed before being deleted — execution followed by deletion is a strong cleanup indicator",
          "SubjectUserName identifies who deleted the task"
        ],
        "commonFalsePositives": [
          "Software uninstallers removing their own scheduled tasks",
          "One-time setup tasks configured to self-delete after completion"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that deleted the task"
        },
        {
          "name": "TaskName",
          "xpath": "EventData/Data[@Name='TaskName']",
          "description": "Full path of the deleted scheduled task"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4700,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A scheduled task was enabled",
      "summary": "Scheduled task enabled.",
      "details": "Generated when a scheduled task is enabled.",
      "category": "Persistence/Scheduled Tasks",
      "tags": [
        "scheduled-task",
        "persistence"
      ],
      "relatedEventIds": [
        {
          "id": 4698,
          "log": "Security"
        },
        {
          "id": 4699,
          "log": "Security"
        },
        {
          "id": 4702,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1053.005",
          "techniqueName": "Scheduled Task/Job: Scheduled Task",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            },
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Re-enabling a previously disabled task may indicate repurposing of a dormant persistence mechanism",
          "Correlate TaskName with EID 4698 to review the original task definition and action",
          "SubjectUserName combined with timing — enablement outside business hours or during an active incident is suspicious"
        ],
        "commonFalsePositives": [
          "Group Policy or software re-enabling tasks that were disabled during maintenance",
          "IT re-enabling tasks after troubleshooting"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that enabled the task"
        },
        {
          "name": "TaskName",
          "xpath": "EventData/Data[@Name='TaskName']",
          "description": "Full path of the enabled scheduled task"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4700"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-03-29"
    },
    {
      "id": 4701,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A scheduled task was disabled",
      "summary": "A scheduled task was disabled.",
      "details": "Generated when a scheduled task is disabled.",
      "category": "Defense Evasion",
      "tags": [
        "scheduled-task",
        "defense-evasion",
        "persistence"
      ],
      "relatedEventIds": [
        {
          "id": 4700,
          "log": "Security"
        },
        {
          "id": 4698,
          "log": "Security"
        },
        {
          "id": 4699,
          "log": "Security"
        },
        {
          "id": 4702,
          "log": "Security"
        },
        {
          "id": 141,
          "log": "TaskScheduler"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1685",
          "techniqueName": "Disable or Modify Tools",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            }
          ]
        },
        {
          "techniqueId": "T1053.005",
          "techniqueName": "Scheduled Task/Job: Scheduled Task",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            },
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Other Object Access Events must be enabled under Advanced Audit Policy > Object Access."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "TaskName in \\Microsoft\\Windows\\Windows Defender\\ or security product paths is the highest-priority indicator",
          "SubjectUserName identifies who disabled the task — unexpected accounts or service accounts performing this action are suspicious",
          "Correlate with EID 4698 to review the task definition and determine whether the task was performing security-critical functions",
          "Pair with EID 4700 re-enablement events to identify the window during which the task was suppressed"
        ],
        "commonFalsePositives": [
          "IT administrators temporarily disabling tasks for maintenance or troubleshooting",
          "Software update processes temporarily disabling and re-enabling their own tasks"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Security Tool Scheduled Task Disabled",
          "rule": "SecurityEvent\n| where EventID == 4701\n| where TaskName has_any (\"Defender\", \"WindowsDefender\", \"MsMpEng\", \"Antivirus\", \"EDR\")\n| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName, TaskName\n| order by TimeGenerated desc",
          "notes": "Tune the has_any list to include your environment's security tool task names. All matches should be reviewed regardless of actor."
        },
        {
          "platform": "Sigma",
          "title": "Scheduled Task Disabled",
          "rule": "title: Scheduled Task Disabled\nstatus: experimental\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4701\n  condition: selection\nfalsepositives:\n  - IT administrators disabling tasks for maintenance\n  - Software update processes temporarily disabling their own tasks\nlevel: low",
          "notes": "Increase to high when TaskName matches known security tool paths."
        }
      ],
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "keyFields": [
        {
          "name": "TaskName",
          "xpath": "EventData/Data[@Name='TaskName']",
          "description": "Full path of the disabled task; tasks in \\Microsoft\\Windows\\Windows Defender\\ or security product namespaces are highest priority"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that disabled the task"
        }
      ],
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4702,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A scheduled task was updated",
      "summary": "Scheduled task modified.",
      "details": "Generated when a scheduled task is updated. The TaskContentNew field contains the updated task definition XML.",
      "category": "Persistence/Scheduled Tasks",
      "tags": [
        "scheduled-task",
        "persistence"
      ],
      "relatedEventIds": [
        {
          "id": 4698,
          "log": "Security"
        },
        {
          "id": 4699,
          "log": "Security"
        },
        {
          "id": 4700,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1053.005",
          "techniqueName": "Scheduled Task/Job: Scheduled Task",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            },
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "TaskContentNew XML shows the updated definition — diff the Action element against EID 4698 TaskContent to identify what changed",
          "Changes to the executable path or arguments of an existing task are a high-fidelity persistence modification indicator",
          "SubjectUserName and timing of the update relative to other suspicious activity helps establish attacker presence"
        ],
        "commonFalsePositives": [
          "Software auto-updaters modifying their own scheduled task definitions",
          "Group Policy refreshes updating task configurations"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that updated the task"
        },
        {
          "name": "TaskName",
          "xpath": "EventData/Data[@Name='TaskName']",
          "description": "Full path of the updated scheduled task"
        },
        {
          "name": "TaskContentNew",
          "xpath": "EventData/Data[@Name='TaskContentNew']",
          "description": "Updated XML definition of the task"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4702"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Scheduled Task Modified — Executable Path Changed",
          "rule": "SecurityEvent\n| where EventID == 4702\n| where TaskName !startswith \"\\\\Microsoft\\\\\"\n| project TimeGenerated, Computer, SubjectUserName, TaskName, TaskContent\n| order by TimeGenerated desc",
          "notes": "Inspect TaskContent XML for changes to the Action/Command element. Correlate with EID 4698 for the original task definition to identify what changed."
        }
      ],
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-05"
    },
    {
      "id": 4703,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A user right was adjusted",
      "summary": "A token privilege was enabled or disabled for a process.",
      "details": "Generated when a token privilege (user right) is enabled or disabled during process execution.",
      "category": "Privilege Escalation",
      "tags": [
        "privilege",
        "token",
        "privilege-escalation"
      ],
      "relatedEventIds": [
        {
          "id": 4688,
          "log": "Security"
        },
        {
          "id": 4672,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1134",
          "techniqueName": "Access Token Manipulation",
          "tactics": [
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "EnabledPrivilegeList is the key field — SeDebugPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, and SeTcbPrivilege are the highest-risk privileges to monitor",
          "Correlate TargetProcessName with Security EID 4688 to verify the process is legitimate",
          "SeDebugPrivilege enabled on a non-system process accessing LSASS may precede credential dumping"
        ],
        "commonFalsePositives": [
          "High volume from OS processes — filtering on specific high-risk privilege names is required to reduce noise",
          "Debuggers and profiling tools legitimately enabling SeDebugPrivilege"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account associated with the token adjustment"
        },
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account whose token was adjusted"
        },
        {
          "name": "TargetProcessName",
          "xpath": "EventData/Data[@Name='TargetProcessName']",
          "description": "Process whose token privilege was enabled or disabled"
        },
        {
          "name": "EnabledPrivilegeList",
          "xpath": "EventData/Data[@Name='EnabledPrivilegeList']",
          "description": "Privileges that were enabled"
        },
        {
          "name": "DisabledPrivilegeList",
          "xpath": "EventData/Data[@Name='DisabledPrivilegeList']",
          "description": "Privileges that were disabled"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4703"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4704,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A user right was assigned",
      "summary": "A privilege or user right was assigned to an account.",
      "details": "Generated when a user right (privilege) is assigned to an account.",
      "category": "Privilege Escalation",
      "tags": [
        "privilege",
        "user-right",
        "privilege-escalation"
      ],
      "relatedEventIds": [
        {
          "id": 4705,
          "log": "Security"
        },
        {
          "id": 4672,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1078",
          "techniqueName": "Valid Accounts",
          "tactics": [
            {
              "tacticId": "TA0001",
              "tacticName": "Initial Access"
            },
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            },
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            },
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        },
        {
          "techniqueId": "T1134",
          "techniqueName": "Access Token Manipulation",
          "tactics": [
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "PrivilegeList is the key field — SeDebugPrivilege, SeTcbPrivilege, SeCreateTokenPrivilege, and SeImpersonatePrivilege on non-admin accounts are high risk",
          "SubjectUserName identifies who assigned the right — changes made by unexpected accounts are suspicious",
          "Correlate with EID 4672 for the account that subsequently uses the elevated privileges"
        ],
        "commonFalsePositives": [
          "Group Policy applying standard privilege assignments during system startup or policy refresh",
          "Software installers assigning service-specific privileges to service accounts"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that assigned the right"
        },
        {
          "name": "TargetSid",
          "xpath": "EventData/Data[@Name='TargetSid']",
          "description": "SID of the account receiving the privilege"
        },
        {
          "name": "PrivilegeList",
          "xpath": "EventData/Data[@Name='PrivilegeList']",
          "description": "Specific privilege assigned"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4704"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4705,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A user right was removed",
      "summary": "A privilege or user right was removed from an account.",
      "details": "Generated when a user right (privilege) is removed from an account.",
      "category": "Defense Evasion",
      "tags": [
        "privilege",
        "user-right",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 4704,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1685",
          "techniqueName": "Disable or Modify Tools",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "TargetSid identifies whose privileges were removed — changes to security tool service accounts or admin accounts warrant investigation",
          "SeAuditPrivilege removal from a service account may be an attempt to suppress event logging by that service",
          "Correlate with EID 4704 to find privilege assignments/removals in close succession, which may indicate privilege manipulation"
        ],
        "commonFalsePositives": [
          "Group Policy removing privileges from accounts during policy refresh",
          "Software uninstallers removing privileges previously granted to service accounts"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that removed the right"
        },
        {
          "name": "TargetSid",
          "xpath": "EventData/Data[@Name='TargetSid']",
          "description": "SID of the account losing the privilege"
        },
        {
          "name": "PrivilegeList",
          "xpath": "EventData/Data[@Name='PrivilegeList']",
          "description": "Specific privilege removed"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4705"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4706,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A new trust was created to a domain",
      "summary": "A new domain trust relationship was established.",
      "details": "Generated when a new trust relationship is created between domains or forests. Domain trusts define authentication and resource access boundaries. Forest trusts grant extensive access across all domains in both forests.",
      "category": "Persistence/Domain Trust",
      "tags": [
        "domain-trust",
        "persistence",
        "active-directory"
      ],
      "relatedEventIds": [
        {
          "id": 4707,
          "log": "Security"
        },
        {
          "id": 4719,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1484.002",
          "techniqueName": "Domain or Tenant Policy Modification: Trust Modification",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            },
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Account Management > Audit Authentication Policy Change must be enabled. Must be collected from domain controllers."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "TdoName identifies the trusted domain — verify it is a known partner domain or internal forest",
          "TdoType of 'Forest' or 'External' with an unexpected domain name is the highest fidelity persistence indicator",
          "TdoDirection of 'Inbound' means the remote domain trusts this domain; 'Outbound' or 'Bidirectional' grants access to the remote domain",
          "Correlate SubjectUserName with EID 4688 and EID 4624 to determine how the attacker obtained Domain Admin rights"
        ],
        "commonFalsePositives": [
          "Planned trust creation during domain migrations, mergers, or partner federation projects",
          "IT administrators setting up test or lab domain trusts"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that created the trust"
        },
        {
          "name": "TdoName",
          "xpath": "EventData/Data[@Name='TdoName']",
          "description": "Name of the trusted domain"
        },
        {
          "name": "TdoType",
          "xpath": "EventData/Data[@Name='TdoType']",
          "description": "Trust type: forest, external, realm, shortcut, or cross-organizational"
        },
        {
          "name": "TdoDirection",
          "xpath": "EventData/Data[@Name='TdoDirection']",
          "description": "Trust direction: inbound, outbound, or bidirectional"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4707,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A trust to a domain was removed",
      "summary": "A domain trust relationship was removed.",
      "details": "Generated when a trust relationship between domains is removed. Trust removal can disrupt cross-domain authentication for users in the trusted domain.",
      "category": "Persistence/Domain Trust",
      "tags": [
        "domain-trust",
        "active-directory",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 4706,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1484.002",
          "techniqueName": "Domain or Tenant Policy Modification: Trust Modification",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            },
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Account Management > Audit Authentication Policy Change must be enabled. Must be collected from domain controllers."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Check whether this follows a recent EID 4706 from the same TdoName — removal of a recently created trust indicates cleanup after rogue trust persistence",
          "Verify that SubjectUserName had authorized change management approval for the trust removal",
          "Removal of a legitimate production trust causes cross-domain authentication failures — correlate with EID 4625 or Kerberos errors from affected users"
        ],
        "commonFalsePositives": [
          "Planned removal of obsolete trusts during domain consolidation or decommissioning",
          "IT project cleanup after completed partner federation"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that removed the trust"
        },
        {
          "name": "TdoName",
          "xpath": "EventData/Data[@Name='TdoName']",
          "description": "Name of the domain whose trust was removed"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4707"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4713,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Kerberos policy was changed",
      "summary": "Kerberos domain policy setting was modified.",
      "details": "Generated when a Kerberos policy setting is changed in the domain. Critical Kerberos policy settings include MaxTicketAge (maximum TGT lifetime, default 10 hours), MaxRenewAge (maximum TGT renewal period, default 7 days), MaxServiceAge (maximum service ticket lifetime, default 600 minutes), and MaxClockSkew (maximum clock skew tolerance, default 5 minutes).",
      "category": "Kerberos/Authentication",
      "tags": [
        "kerberos",
        "policy",
        "active-directory",
        "golden-ticket"
      ],
      "relatedEventIds": [
        {
          "id": 4768,
          "log": "Security"
        },
        {
          "id": 4769,
          "log": "Security"
        },
        {
          "id": 4719,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1558.001",
          "techniqueName": "Steal or Forge Kerberos Tickets: Golden Ticket",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Account Management > Audit Authentication Policy Change must be enabled. Must be collected from domain controllers."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "MaxRenewAge or MaxTicketAge changes are the highest priority — extending these values enables longer-lived Golden Tickets",
          "MaxClockSkew reduction can indicate preparation for a replay attack (EID 4649)",
          "SubjectUserName performing this change should be a domain admin account with documented change approval — flag any unexpected accounts"
        ],
        "commonFalsePositives": [
          "Planned security policy changes as part of hardening initiatives (e.g., reducing MaxTicketAge)",
          "Domain administrator testing Kerberos settings in a lab or staging environment that was inadvertently applied to production"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that changed the Kerberos policy"
        },
        {
          "name": "MaxTicketAge",
          "xpath": "EventData/Data[@Name='MaxTicketAge']",
          "description": "New maximum TGT lifetime value"
        },
        {
          "name": "MaxRenewAge",
          "xpath": "EventData/Data[@Name='MaxRenewAge']",
          "description": "New maximum TGT renewal period value"
        },
        {
          "name": "MaxServiceAge",
          "xpath": "EventData/Data[@Name='MaxServiceAge']",
          "description": "New maximum service ticket lifetime value"
        },
        {
          "name": "MaxClockSkew",
          "xpath": "EventData/Data[@Name='MaxClockSkew']",
          "description": "New maximum clock skew tolerance value"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4713"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 4715,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "The audit policy (SACL) on an object was changed",
      "summary": "The SACL governing auditing on a specific object was modified.",
      "details": "Generated when the SACL portion of an object's security descriptor is changed, modifying which access operations generate audit events. Distinct from EID 4719 (system-wide audit policy) and EID 4907 (in-session SACL change on an open handle).",
      "category": "Defense Evasion",
      "tags": [
        "audit-policy",
        "sacl",
        "defense-evasion",
        "tamper"
      ],
      "relatedEventIds": [
        {
          "id": 4719,
          "log": "Security"
        },
        {
          "id": 4907,
          "log": "Security"
        },
        {
          "id": 4656,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1685.001",
          "techniqueName": "Disable or Modify Tools: Disable or Modify Windows Event Log",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Policy Change > Audit Audit Policy Change must be enabled under Advanced Audit Policy."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "ObjectName identifies which object's SACL was changed — changes to sensitive objects (lsass.exe, SAM database, NTDS.dit, privileged registry hives) are high priority",
          "Compare OldSd and NewSd to determine what auditing entries were added or removed — removal of SACL entries is the attacker action",
          "SACL changes outside change management windows or from unexpected accounts are suspicious"
        ],
        "commonFalsePositives": [
          "Security policy tools (CIS, STIG) modifying SACLs to match a hardening baseline",
          "Authorized IT changes to audit policy as part of approved configuration management"
        ]
      },
      "keyFields": [
        {
          "name": "ObjectName",
          "xpath": "EventData/Data[@Name='ObjectName']",
          "description": "Object whose SACL was changed"
        },
        {
          "name": "OldSd",
          "xpath": "EventData/Data[@Name='OldSd']",
          "description": "Previous security descriptor (SACL portion)"
        },
        {
          "name": "NewSd",
          "xpath": "EventData/Data[@Name='NewSd']",
          "description": "New security descriptor (SACL portion)"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4715"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4719,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "System audit policy was changed",
      "summary": "The security audit policy was modified.",
      "details": "Generated when the system-level audit policy is changed, including the specific audit category and subcategory that was modified. This event itself is only generated if 'Audit Policy Change' auditing is enabled.",
      "category": "Defense Evasion",
      "tags": [
        "audit-policy",
        "defense-evasion",
        "tamper"
      ],
      "relatedEventIds": [
        {
          "id": 4688,
          "log": "Security"
        },
        {
          "id": 1102,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1685.001",
          "techniqueName": "Disable or Modify Tools: Disable or Modify Windows Event Log",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "AuditPolicyChanges field shows which subcategory was changed and from/to what level — changes reducing coverage to 'No Auditing' are the most critical",
          "SubjectUserName identifies the account that made the change — non-admin accounts or unexpected accounts warrant immediate investigation",
          "Correlate with Security EID 1102 (log cleared) and EID 4688 — audit policy changes followed by a log clear is a strong evidence destruction pattern"
        ],
        "commonFalsePositives": [
          "Group Policy audit policy enforcement during gpupdate cycles",
          "Automated security hardening scripts applying CIS or STIG audit baselines"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that changed the audit policy"
        },
        {
          "name": "AuditPolicyChanges",
          "xpath": "EventData/Data[@Name='AuditPolicyChanges']",
          "description": "Specific subcategory and the change (e.g., from Success to No Auditing)"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4719"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Audit Policy Disabled on Critical Category",
          "rule": "SecurityEvent\n| where EventID == 4719\n| where AuditPolicyChanges has \"No Auditing\"\n| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName, AuditPolicyChanges\n| order by TimeGenerated desc",
          "notes": "Changes reducing coverage to 'No Auditing' are the highest priority. Correlate with EID 1102 (log cleared) in the same time window for an evidence destruction pattern."
        },
        {
          "platform": "Sigma",
          "title": "Audit Policy Disabled",
          "rule": "title: Audit Policy Disabled\nstatus: stable\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4719\n    AuditPolicyChanges|contains: 'No Auditing'\n  condition: selection\nfalsepositives:\n  - Group Policy audit enforcement during gpupdate cycles\nlevel: high"
        }
      ],
      "volumeIndicator": "rare",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4720,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A user account was created",
      "summary": "New user account created.",
      "details": "Generated every time a new user object is created on domain controllers, member servers, and workstations.",
      "category": "Account Management",
      "tags": [
        "account-created",
        "user-management"
      ],
      "relatedEventIds": [
        {
          "id": 4722,
          "log": "Security"
        },
        {
          "id": 4726,
          "log": "Security"
        },
        {
          "id": 4738,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1136.001",
          "techniqueName": "Create Account: Local Account",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "SubjectUserName identifies who created the account — flag creation by non-IT accounts or automated processes",
          "TargetUserName (the new account name) — generic, numeric, or system-like names (e.g., svc_, admin$) created unexpectedly are suspicious",
          "Correlate with EID 4732 to see if the new account was immediately added to a privileged group",
          "Check for unusual UAC flags, pre-set delegation, or SID History population on the newly created account"
        ],
        "commonFalsePositives": [
          "IT provisioning new user accounts as part of onboarding",
          "Automated provisioning systems creating service or application accounts"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that created the new user"
        },
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Name of the newly created account"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4720"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "User Account Created by Non-IT Account",
          "rule": "SecurityEvent\n| where EventID == 4720\n| where SubjectUserName !endswith \"$\"\n| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName, TargetUserName, TargetDomainName\n| order by TimeGenerated desc",
          "notes": "Any account creation by a non-IT account or outside a provisioning window is suspicious. Correlate with EID 4732 to check if the new account was immediately added to a privileged group."
        },
        {
          "platform": "Sigma",
          "title": "New User Account Created",
          "rule": "title: New User Account Created\nstatus: stable\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4720\n  condition: selection\nfalsepositives:\n  - IT provisioning during onboarding\n  - Automated provisioning systems\nlevel: medium"
        }
      ],
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-05"
    },
    {
      "id": 4722,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A user account was enabled",
      "summary": "User account enabled.",
      "details": "Generated when a user or computer object is enabled.",
      "category": "Account Management",
      "tags": [
        "account-enabled",
        "user-management"
      ],
      "relatedEventIds": [
        {
          "id": 4720,
          "log": "Security"
        },
        {
          "id": 4725,
          "log": "Security"
        },
        {
          "id": 4624,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1098",
          "techniqueName": "Account Manipulation",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "TargetUserName identifies the re-enabled account — check whether it is a dormant, terminated employee, or service account",
          "SubjectUserName identifies who enabled the account",
          "Re-enabling an account immediately followed by a logon event (EID 4624) from an unexpected source is a strong compromise indicator"
        ],
        "commonFalsePositives": [
          "IT re-enabling accounts for users returning from leave",
          "Automated processes re-enabling accounts after lockout resolution"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account that was enabled"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that performed the enable operation"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4722"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-03-29"
    },
    {
      "id": 4723,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "An attempt was made to change an account's password",
      "summary": "User attempted to change their own password.",
      "details": "Generated when an account attempts to change its own password (as opposed to an admin resetting another account's password, which generates EID 4724). The event fires regardless of success or failure; check the event outcome.",
      "category": "Account Management",
      "tags": [
        "password-change",
        "account-management"
      ],
      "relatedEventIds": [
        {
          "id": 4724,
          "log": "Security"
        },
        {
          "id": 4720,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1098",
          "techniqueName": "Account Manipulation",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Failed password change attempts on an account that the attacker controls may indicate they need a reset (EID 4724) to proceed",
          "Unexpected password changes outside of normal IT processes or self-service portals warrant review",
          "Correlate with EID 4624 to confirm whether the account was actively used before and after the change",
          "Multiple failed password change attempts may indicate the user does not know the current password, suggesting possible account takeover"
        ],
        "commonFalsePositives": [
          "Users changing their own passwords at regular intervals per security policy",
          "Password expiration prompts triggering self-service password changes"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account attempting the password change"
        },
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account whose password is being changed (typically the same as SubjectUserName)"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4723"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4724,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "An attempt was made to reset an account's password",
      "summary": "Admin or privileged account reset another account's password.",
      "details": "Generated when an account's password is reset by another account (administrative reset), as opposed to EID 4723 (user self-service change).",
      "category": "Account Management",
      "tags": [
        "password-reset",
        "account-management",
        "account-takeover"
      ],
      "relatedEventIds": [
        {
          "id": 4723,
          "log": "Security"
        },
        {
          "id": 4738,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1098",
          "techniqueName": "Account Manipulation",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "SubjectUserName is the key pivot — resets performed by unexpected accounts (non-IT, non-admin) are suspicious",
          "TargetUserName identifies the victim account — resets targeting admin, service, or break-glass accounts are highest priority",
          "Correlate with EID 4624 to determine if the target account was subsequently used to log on"
        ],
        "commonFalsePositives": [
          "IT helpdesk resetting user passwords after user lockout or support requests",
          "Automated provisioning systems resetting service account passwords"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that performed the password reset"
        },
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account whose password was reset"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4724"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4725,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A user account was disabled",
      "summary": "User account disabled.",
      "details": "Generated when a user or computer object is disabled.",
      "category": "Account Management",
      "tags": [
        "account-disabled",
        "user-management"
      ],
      "relatedEventIds": [
        {
          "id": 4722,
          "log": "Security"
        },
        {
          "id": 4720,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1531",
          "techniqueName": "Account Access Removal",
          "tactics": [
            {
              "tacticId": "TA0040",
              "tacticName": "Impact"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Disabling of a security service account (e.g., an EDR or logging service account) may indicate defense evasion",
          "SubjectUserName identifies who disabled the account — flag unexpected actors",
          "Correlate with EID 7036 (service stopped) if the disabled account is associated with a service"
        ],
        "commonFalsePositives": [
          "IT disabling accounts as part of offboarding procedures",
          "Automated systems disabling accounts due to policy (e.g., inactivity-based disabling)"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account that was disabled"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that performed the disable operation"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4725"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-03-29"
    },
    {
      "id": 4726,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A user account was deleted",
      "summary": "User account deleted.",
      "details": "Generated every time a user object is deleted on domain controllers, member servers, and workstations.",
      "category": "Account Management",
      "tags": [
        "account-deleted",
        "user-management"
      ],
      "relatedEventIds": [
        {
          "id": 4720,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1531",
          "techniqueName": "Account Access Removal",
          "tactics": [
            {
              "tacticId": "TA0040",
              "tacticName": "Impact"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate TargetUserName with EID 4720 — deletion of a recently created account may indicate attacker cleanup",
          "Deletion of a service or admin account that was never supposed to be removed warrants investigation",
          "SubjectUserName identifies who deleted the account"
        ],
        "commonFalsePositives": [
          "IT deprovisioning accounts during offboarding",
          "Automated systems removing stale or expired accounts"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account that was deleted"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that performed the deletion"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4726"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-03-29"
    },
    {
      "id": 4727,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A security-enabled global group was created",
      "summary": "A new security-enabled global group was created.",
      "details": "Generated when a security-enabled global group is created in Active Directory or locally.",
      "category": "Group Management",
      "tags": [
        "group-created",
        "active-directory",
        "persistence",
        "privilege-escalation"
      ],
      "relatedEventIds": [
        {
          "id": 4728,
          "log": "Security"
        },
        {
          "id": 4729,
          "log": "Security"
        },
        {
          "id": 4730,
          "log": "Security"
        },
        {
          "id": 4731,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1136",
          "techniqueName": "Create Account",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        },
        {
          "techniqueId": "T1098",
          "techniqueName": "Account Manipulation",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate with EID 4728 to detect rapid member additions immediately after group creation — a group created and immediately populated is a strong attacker persistence indicator",
          "TargetUserName (group name) should be scrutinized for names that mimic legitimate built-in groups (e.g., 'Domain Admins ' with a trailing space, or Unicode lookalikes)",
          "SubjectUserName creating groups outside of provisioning systems or during off-hours warrants review"
        ],
        "commonFalsePositives": [
          "IT creating new security groups as part of role provisioning or project access management",
          "Automated provisioning systems creating groups for application deployments"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Name of the newly created group"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that created the group"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-group-management"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-11"
    },
    {
      "id": 4728,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A member was added to a security-enabled global group",
      "summary": "Member added to global security group.",
      "details": "Generated when a member is added to a security-enabled global group such as Domain Admins.",
      "category": "Group Management",
      "tags": [
        "group-membership",
        "privilege-escalation"
      ],
      "relatedEventIds": [
        {
          "id": 4729,
          "log": "Security"
        },
        {
          "id": 4732,
          "log": "Security"
        },
        {
          "id": 4756,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1098",
          "techniqueName": "Account Manipulation",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "TargetUserName is the group name — additions to Domain Admins, Enterprise Admins, or Schema Admins are critical priority",
          "MemberSid identifies the added account — resolve the SID to determine whether it is a known account",
          "SubjectUserName identifies who made the change — flag non-IT accounts or automated processes"
        ],
        "commonFalsePositives": [
          "IT adding users to groups as part of role-based access provisioning"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Name of the group the member was added to"
        },
        {
          "name": "MemberSid",
          "xpath": "EventData/Data[@Name='MemberSid']",
          "description": "SID of the account added to the group"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that performed the membership change"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-group-management"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Member Added to Privileged Global Group",
          "rule": "SecurityEvent\n| where EventID == 4728\n| where TargetUserName in (\"Domain Admins\", \"Enterprise Admins\", \"Schema Admins\", \"Group Policy Creator Owners\")\n| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName, TargetUserName, MemberSid\n| order by TimeGenerated desc"
        },
        {
          "platform": "Sigma",
          "title": "Member Added to Privileged Domain Group",
          "rule": "title: Member Added to Privileged Domain Group\nstatus: stable\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4728\n    TargetUserName:\n      - 'Domain Admins'\n      - 'Enterprise Admins'\n      - 'Schema Admins'\n  condition: selection\nfalsepositives:\n  - Authorized IT provisioning\nlevel: high"
        }
      ],
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-05"
    },
    {
      "id": 4729,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A member was removed from a security-enabled global group",
      "summary": "Member removed from global security group.",
      "details": "Generated when a member is removed from a security-enabled global group.",
      "category": "Group Management",
      "tags": [
        "group-membership",
        "privilege-escalation"
      ],
      "relatedEventIds": [
        {
          "id": 4728,
          "log": "Security"
        },
        {
          "id": 4733,
          "log": "Security"
        },
        {
          "id": 4757,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1531",
          "techniqueName": "Account Access Removal",
          "tactics": [
            {
              "tacticId": "TA0040",
              "tacticName": "Impact"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Removal from Domain Admins or other privileged groups — correlate with EID 4728 to determine if this is part of an add/remove pattern (attacker covering tracks)",
          "MemberSid identifies the removed account — check whether removal was expected or authorized",
          "Removal of a security service account from a group may impair its function"
        ],
        "commonFalsePositives": [
          "IT removing users from groups during role changes or offboarding"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Name of the group the member was removed from"
        },
        {
          "name": "MemberSid",
          "xpath": "EventData/Data[@Name='MemberSid']",
          "description": "SID of the account removed from the group"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that performed the membership change"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-group-management"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4730,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A security-enabled global group was deleted",
      "summary": "A security-enabled global group was deleted.",
      "details": "Generated when a security-enabled global group is deleted.",
      "category": "Defense Evasion",
      "tags": [
        "group-deleted",
        "active-directory",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 4727,
          "log": "Security"
        },
        {
          "id": 4728,
          "log": "Security"
        },
        {
          "id": 4729,
          "log": "Security"
        },
        {
          "id": 4734,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1070",
          "techniqueName": "Indicator Removal",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        },
        {
          "techniqueId": "T1531",
          "techniqueName": "Account Access Removal",
          "tactics": [
            {
              "tacticId": "TA0040",
              "tacticName": "Impact"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate with EID 4727 — groups created and deleted in a short window indicate attacker-created temporary groups being cleaned up",
          "Deletion of groups that are referenced in Group Policy objects, service account configurations, or application roles causes downstream access failures — correlate with authentication failures (EID 4625)",
          "SubjectUserName deleting groups outside of deprovisioning workflows should be reviewed"
        ],
        "commonFalsePositives": [
          "IT deprovisioning project or temporary access groups after project completion",
          "Automated provisioning systems removing groups during application decommissioning"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Name of the deleted group"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that deleted the group"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-group-management"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4731,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A security-enabled local group was created",
      "summary": "A local security group was created.",
      "details": "Generated when a new security-enabled local group is created.",
      "category": "Account Management",
      "tags": [
        "group-management",
        "persistence",
        "account-management"
      ],
      "relatedEventIds": [
        {
          "id": 4732,
          "log": "Security"
        },
        {
          "id": 4734,
          "log": "Security"
        },
        {
          "id": 4735,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1136.001",
          "techniqueName": "Create Account: Local Account",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate with EID 4732 to see which accounts were immediately added to the new group",
          "SubjectUserName identifies who created the group — non-IT or non-admin accounts creating groups warrant investigation",
          "New groups with names mimicking system groups (e.g., 'Administratores' with a typo) are a masquerading indicator"
        ],
        "commonFalsePositives": [
          "IT provisioning scripts creating application-specific local groups",
          "Software installers creating local groups for service accounts"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Name of the newly created local group"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that created the group"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4731"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4732,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A member was added to a security-enabled local group",
      "summary": "Member added to local security group.",
      "details": "Generated when a new member is added to a security-enabled local group.",
      "category": "Group Management",
      "tags": [
        "group-membership",
        "privilege-escalation"
      ],
      "relatedEventIds": [
        {
          "id": 4733,
          "log": "Security"
        },
        {
          "id": 4728,
          "log": "Security"
        },
        {
          "id": 4756,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1098",
          "techniqueName": "Account Manipulation",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "TargetUserName of Administrators is the highest priority — local admin access enables full control of the system",
          "MemberSid of a domain account added to local Administrators is a common post-exploitation privilege escalation step",
          "SubjectUserName identifies who added the member — flag unexpected actors"
        ],
        "commonFalsePositives": [
          "IT adding service accounts or admin users to local groups as part of deployment",
          "Software installers requiring local admin membership for their service accounts"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Name of the local group the member was added to"
        },
        {
          "name": "MemberSid",
          "xpath": "EventData/Data[@Name='MemberSid']",
          "description": "SID of the account added to the group"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that performed the membership change"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Member Added to Local Administrators Group",
          "rule": "SecurityEvent\n| where EventID == 4732\n| where TargetUserName == \"Administrators\"\n| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName, MemberSid\n| order by TimeGenerated desc"
        },
        {
          "platform": "Sigma",
          "title": "Member Added to Local Administrators Group",
          "rule": "title: Member Added to Local Administrators Group\nstatus: stable\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4732\n    TargetUserName: 'Administrators'\n  condition: selection\nfalsepositives:\n  - IT adding service or admin accounts during deployment\nlevel: high"
        }
      ],
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-05"
    },
    {
      "id": 4733,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A member was removed from a security-enabled local group",
      "summary": "Member removed from local security group.",
      "details": "Generated when a member is removed from a security-enabled local group.",
      "category": "Group Management",
      "tags": [
        "group-membership",
        "privilege-escalation"
      ],
      "relatedEventIds": [
        {
          "id": 4732,
          "log": "Security"
        },
        {
          "id": 4729,
          "log": "Security"
        },
        {
          "id": 4757,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1531",
          "techniqueName": "Account Access Removal",
          "tactics": [
            {
              "tacticId": "TA0040",
              "tacticName": "Impact"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Removal from Administrators group — may indicate cleanup after temporary privilege escalation",
          "Correlate with EID 4732 to identify an add/remove pattern on the same account (attacker adding and then removing themselves)",
          "MemberSid of a service or security account unexpectedly removed may impair system defenses"
        ],
        "commonFalsePositives": [
          "IT removing users from local groups during offboarding or role changes"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Name of the local group the member was removed from"
        },
        {
          "name": "MemberSid",
          "xpath": "EventData/Data[@Name='MemberSid']",
          "description": "SID of the account removed from the group"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that performed the membership change"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4733"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-03-29"
    },
    {
      "id": 4734,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A security-enabled local group was deleted",
      "summary": "A local security group was deleted.",
      "details": "Generated when a security-enabled local group is deleted.",
      "category": "Defense Evasion",
      "tags": [
        "group-management",
        "defense-evasion",
        "account-management"
      ],
      "relatedEventIds": [
        {
          "id": 4731,
          "log": "Security"
        },
        {
          "id": 4735,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1070",
          "techniqueName": "Indicator Removal",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate with EID 4731 — group deleted shortly after creation is a strong cleanup indicator",
          "Check EID 4732/4733 between the creation and deletion to identify what members were added and removed",
          "SubjectUserName performing unexpected group deletions warrants investigation"
        ],
        "commonFalsePositives": [
          "Software uninstallers removing application-specific local groups",
          "IT cleanup scripts removing obsolete groups"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Name of the deleted local group"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that deleted the group"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4734"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4735,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A security-enabled local group was changed",
      "summary": "A local security group's attributes were modified.",
      "details": "Generated when a security-enabled local group's attributes (such as description or SAM account name) are changed. Member additions and removals generate EID 4732/4733 rather than this event; EID 4735 captures changes to the group object itself.",
      "category": "Account Management",
      "tags": [
        "group-management",
        "account-management",
        "persistence"
      ],
      "relatedEventIds": [
        {
          "id": 4731,
          "log": "Security"
        },
        {
          "id": 4732,
          "log": "Security"
        },
        {
          "id": 4733,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1098",
          "techniqueName": "Account Manipulation",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Group name changes (SAM name) may indicate masquerading — compare the old and new names",
          "SubjectUserName identifies who modified the group — unexpected accounts making group changes warrant investigation",
          "Correlate with EID 4732 to see if member additions followed the group modification"
        ],
        "commonFalsePositives": [
          "IT renaming groups as part of organizational restructuring",
          "Software updates modifying their own local groups"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Name of the modified local group"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that modified the group"
        },
        {
          "name": "SamAccountName",
          "xpath": "EventData/Data[@Name='SamAccountName']",
          "description": "New SAM account name if renamed; '-' if unchanged"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4735"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4738,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A user account was changed",
      "summary": "User account attributes modified.",
      "details": "Generated every time a user object is changed. A separate event is generated per attribute change. Unchanged attributes appear as '-'.",
      "category": "Account Management",
      "tags": [
        "account-changed",
        "user-management"
      ],
      "relatedEventIds": [
        {
          "id": 4720,
          "log": "Security"
        },
        {
          "id": 4722,
          "log": "Security"
        },
        {
          "id": 4725,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1098",
          "techniqueName": "Account Manipulation",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "UserAccountControl flag changes are the highest priority — enabling Trusted For Delegation or DONT_REQUIRE_PREAUTH are delegation/AS-REP roasting setup indicators",
          "AllowedToDelegateTo modifications set up constrained delegation and can be used for privilege escalation",
          "TargetUserName combined with SubjectUserName — changes made by an account to a different account's properties are suspicious"
        ],
        "commonFalsePositives": [
          "IT managing user account attributes as part of normal AD administration",
          "Automated provisioning systems updating account properties"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4738"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account that was modified"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that made the change"
        },
        {
          "name": "PasswordLastSet",
          "xpath": "EventData/Data[@Name='PasswordLastSet']",
          "description": "New password set timestamp; '-' means unchanged"
        },
        {
          "name": "UserAccountControl",
          "xpath": "EventData/Data[@Name='UserAccountControl']",
          "description": "UAC flags changed on the account; '-' means unchanged"
        },
        {
          "name": "AllowedToDelegateTo",
          "xpath": "EventData/Data[@Name='AllowedToDelegateTo']",
          "description": "Constrained delegation target SPNs; '-' means unchanged"
        },
        {
          "name": "SamAccountName",
          "xpath": "EventData/Data[@Name='SamAccountName']",
          "description": "SAM account name; '-' means unchanged"
        }
      ],
      "lastReviewed": "2026-03-29"
    },
    {
      "id": 4740,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A user account was locked out",
      "summary": "User account locked out.",
      "details": "Generated every time a user account is locked out.",
      "category": "Account Management",
      "tags": [
        "lockout",
        "bruteforce"
      ],
      "relatedEventIds": [
        {
          "id": 4625,
          "log": "Security"
        },
        {
          "id": 4776,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1110",
          "techniqueName": "Brute Force",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "CallerComputerName identifies the source machine — investigate that host for the authentication activity that caused lockouts",
          "Multiple accounts locked out around the same time from the same source indicates a password spray",
          "Correlate with EID 4625 on the CallerComputerName to identify the failing authentication attempts"
        ],
        "commonFalsePositives": [
          "Misconfigured services using stale credentials triggering lockouts",
          "Users forgetting their password after a recent change"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4740"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account that was locked out"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that reported the lockout (usually SYSTEM on the authenticating DC)"
        },
        {
          "name": "CallerComputerName",
          "xpath": "EventData/Data[@Name='CallerComputerName']",
          "description": "Machine originating the failed authentication attempts that triggered the lockout"
        }
      ],
      "lastReviewed": "2026-03-29"
    },
    {
      "id": 4741,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A computer account was created",
      "summary": "A new computer account was created in Active Directory.",
      "details": "Generated when a new computer (machine) account is created in Active Directory. By default, domain users can add up to 10 machine accounts (ms-DS-MachineAccountQuota).",
      "category": "Account Management",
      "tags": [
        "computer-account",
        "active-directory",
        "persistence",
        "lateral-movement"
      ],
      "relatedEventIds": [
        {
          "id": 4742,
          "log": "Security"
        },
        {
          "id": 4743,
          "log": "Security"
        },
        {
          "id": 4624,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1136.002",
          "techniqueName": "Create Account: Domain Account",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        },
        {
          "techniqueId": "T1187",
          "techniqueName": "Forced Authentication",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "SubjectUserName creating a computer account is the key pivot — non-admin users creating machine accounts is a Kerberos abuse precursor",
          "Computer account names with random strings or suspicious patterns (e.g., 'EVILPC$') are suspicious",
          "Correlate with Kerberos EID 4768/4769 to see if the new computer account is immediately used for authentication"
        ],
        "commonFalsePositives": [
          "IT joining new machines to the domain (typically performed via domain join, which creates a computer account)",
          "MDM and provisioning tools creating computer accounts during enrollment"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that created the computer account"
        },
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Name of the newly created computer account"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4742,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A computer account was changed",
      "summary": "A computer account's attributes were modified.",
      "details": "Generated when a computer account's attributes are modified. A separate event is generated per attribute change.",
      "category": "Privilege Escalation",
      "tags": [
        "computer-account",
        "active-directory",
        "kerberos",
        "privilege-escalation"
      ],
      "relatedEventIds": [
        {
          "id": 4741,
          "log": "Security"
        },
        {
          "id": 4768,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1098",
          "techniqueName": "Account Manipulation",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        },
        {
          "techniqueId": "T1134.001",
          "techniqueName": "Access Token Manipulation: Token Impersonation/Theft",
          "tactics": [
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Changes to msDS-AllowedToActOnBehalfOfOtherIdentity attribute enable RBCD — this is a high-priority indicator when modified by unexpected accounts",
          "SPN additions or removals may indicate Kerberoasting setup or Silver Ticket preparation",
          "SubjectUserName making modifications to DC or high-value server computer accounts warrants immediate investigation"
        ],
        "commonFalsePositives": [
          "Domain join operations and machine account updates during system startup",
          "Legitimate Kerberos constrained delegation configuration by IT administrators"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that modified the computer account"
        },
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Computer account that was modified"
        },
        {
          "name": "ServicePrincipalNames",
          "xpath": "EventData/Data[@Name='ServicePrincipalNames']",
          "description": "Updated SPN list; '-' means unchanged"
        },
        {
          "name": "AllowedToDelegateTo",
          "xpath": "EventData/Data[@Name='AllowedToDelegateTo']",
          "description": "Constrained delegation target SPNs; '-' means unchanged"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4742"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4743,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A computer account was deleted",
      "summary": "A computer account was removed from Active Directory.",
      "details": "Generated when a computer account is deleted from Active Directory.",
      "category": "Defense Evasion",
      "tags": [
        "computer-account",
        "active-directory",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 4741,
          "log": "Security"
        },
        {
          "id": 4742,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1070",
          "techniqueName": "Indicator Removal",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate with EID 4741 — computer account deleted shortly after creation indicates cleanup of a Kerberos abuse artifact",
          "SubjectUserName performing unexpected computer account deletions, especially for active machines, warrants investigation",
          "Check EID 4742 between creation and deletion to identify what attributes were modified"
        ],
        "commonFalsePositives": [
          "IT removing stale machine accounts during cleanup operations",
          "Decommissioned machines having their accounts removed from Active Directory"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that deleted the computer account"
        },
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Computer account that was deleted"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4754,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A security-enabled universal group was created",
      "summary": "A new security-enabled universal group was created.",
      "details": "Generated when a security-enabled universal group is created. Universal groups can span all domains in a forest and are the broadest-scope group type in Active Directory.",
      "category": "Group Management",
      "tags": [
        "group-created",
        "active-directory",
        "persistence",
        "privilege-escalation",
        "forest"
      ],
      "relatedEventIds": [
        {
          "id": 4756,
          "log": "Security"
        },
        {
          "id": 4757,
          "log": "Security"
        },
        {
          "id": 4758,
          "log": "Security"
        },
        {
          "id": 4727,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1136",
          "techniqueName": "Create Account",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        },
        {
          "techniqueId": "T1098",
          "techniqueName": "Account Manipulation",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Must be collected from a domain controller. Universal groups are only available in domain functional level Windows 2000 native mode or higher."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate with EID 4756 to detect rapid member additions following group creation — forest-wide attacker groups populated immediately after creation indicate an established persistence structure",
          "Universal group creation on a domain controller by a non-admin account is anomalous",
          "Groups with names mimicking built-in forest-wide groups (e.g., 'Enterprise Admins' with Unicode lookalikes) should be investigated immediately"
        ],
        "commonFalsePositives": [
          "IT creating universal groups for cross-domain resource access assignments",
          "Application provisioning systems creating universal groups for multi-domain deployments"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Name of the newly created universal group"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that created the group"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-group-management"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-11"
    },
    {
      "id": 4756,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A member was added to a security-enabled universal group",
      "summary": "Member added to universal security group.",
      "details": "Generated when a member is added to a security-enabled universal group. Universal groups span multiple domains, so additions can affect enterprise-wide permissions.",
      "category": "Group Management",
      "tags": [
        "group-membership",
        "privilege-escalation"
      ],
      "relatedEventIds": [
        {
          "id": 4757,
          "log": "Security"
        },
        {
          "id": 4728,
          "log": "Security"
        },
        {
          "id": 4732,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1098",
          "techniqueName": "Account Manipulation",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Universal group membership affects all domains in the forest — additions to Enterprise Admins or universal privileged groups have the broadest impact",
          "MemberSid identifies the added account — resolve the SID and check whether the account is known and authorized",
          "SubjectUserName identifies who made the change"
        ],
        "commonFalsePositives": [
          "IT provisioning users into forest-wide groups as part of role assignments"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Name of the universal group the member was added to"
        },
        {
          "name": "MemberSid",
          "xpath": "EventData/Data[@Name='MemberSid']",
          "description": "SID of the account added to the group"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that performed the membership change"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-group-management"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Member Added to Privileged Universal Group",
          "rule": "SecurityEvent\n| where EventID == 4756\n| where TargetUserName in (\"Enterprise Admins\", \"Schema Admins\")\n| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName, TargetUserName, MemberSid\n| order by TimeGenerated desc",
          "notes": "Universal groups span all domains in the forest. Enterprise Admins and Schema Admins in universal scope have the broadest impact."
        }
      ],
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-05"
    },
    {
      "id": 4757,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A member was removed from a security-enabled universal group",
      "summary": "Member removed from universal security group.",
      "details": "Generated when a member is removed from a security-enabled universal group. Universal groups span multiple domains, so removals may affect enterprise-wide permissions.",
      "category": "Group Management",
      "tags": [
        "group-membership",
        "privilege-escalation"
      ],
      "relatedEventIds": [
        {
          "id": 4756,
          "log": "Security"
        },
        {
          "id": 4729,
          "log": "Security"
        },
        {
          "id": 4733,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1531",
          "techniqueName": "Account Access Removal",
          "tactics": [
            {
              "tacticId": "TA0040",
              "tacticName": "Impact"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate with EID 4756 to detect add/remove patterns — an account added and then removed may indicate temporary privilege use",
          "Removal from Enterprise Admins or equivalent universal groups is unusual and warrants validation",
          "MemberSid identifies the removed account"
        ],
        "commonFalsePositives": [
          "IT removing users from forest-wide groups during role changes or offboarding"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Name of the universal group the member was removed from"
        },
        {
          "name": "MemberSid",
          "xpath": "EventData/Data[@Name='MemberSid']",
          "description": "SID of the account removed from the group"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that performed the membership change"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-group-management"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4758,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A security-enabled universal group was deleted",
      "summary": "A security-enabled universal group was deleted.",
      "details": "Generated when a security-enabled universal group is deleted. Deletion of widely-used universal groups can cause authentication failures across the entire forest.",
      "category": "Defense Evasion",
      "tags": [
        "group-deleted",
        "active-directory",
        "defense-evasion",
        "forest"
      ],
      "relatedEventIds": [
        {
          "id": 4754,
          "log": "Security"
        },
        {
          "id": 4756,
          "log": "Security"
        },
        {
          "id": 4757,
          "log": "Security"
        },
        {
          "id": 4730,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1070",
          "techniqueName": "Indicator Removal",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        },
        {
          "techniqueId": "T1531",
          "techniqueName": "Account Access Removal",
          "tactics": [
            {
              "tacticId": "TA0040",
              "tacticName": "Impact"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate with EID 4754 — universal groups created and deleted in a short window indicate attacker infrastructure cleanup",
          "Deletion of Enterprise Admins or equivalent forest-wide privileged groups is a critical indicator — these should never be deleted in production",
          "SubjectUserName performing the deletion and the time of day are important pivot points"
        ],
        "commonFalsePositives": [
          "IT deprovisioning cross-domain project groups after project completion",
          "Forest restructuring operations removing universal groups as part of authorized consolidation"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Name of the deleted universal group"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that deleted the group"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-group-management"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4764,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A group's type was changed",
      "summary": "The scope or type of an Active Directory group was modified.",
      "details": "Generated when the type or scope of an Active Directory group is changed — for example, converting a distribution group to a security group, or changing a global group to a universal group.",
      "category": "Privilege Escalation",
      "tags": [
        "group-management",
        "privilege-escalation",
        "active-directory"
      ],
      "relatedEventIds": [
        {
          "id": 4727,
          "log": "Security"
        },
        {
          "id": 4728,
          "log": "Security"
        },
        {
          "id": 4754,
          "log": "Security"
        },
        {
          "id": 4756,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1098",
          "techniqueName": "Account Manipulation",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "GroupTypeChange field shows what changed — distribution-to-security conversions are the highest-risk type as they enable new permission assignments",
          "Pivot on TargetUserName and review current group membership (via EID 4728/4756) to identify who gains new access rights from the conversion",
          "SubjectUserName and timing: group type changes by unexpected accounts or outside change management windows are suspicious"
        ],
        "commonFalsePositives": [
          "IT converting groups as part of AD restructuring or migration projects",
          "Administrative tools (e.g., Exchange, Azure AD Connect) converting group types as part of their provisioning workflows"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Name of the group whose type was changed"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that changed the group type"
        },
        {
          "name": "GroupTypeChange",
          "xpath": "EventData/Data[@Name='GroupTypeChange']",
          "description": "Description of the type or scope change applied to the group"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-group-management"
      },
      "volumeIndicator": "rare",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-11"
    },
    {
      "id": 4765,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "SID History was added to an account",
      "summary": "SID History attribute was added to a user or computer account.",
      "details": "Generated when a SID (Security Identifier) is added to the SidHistory attribute of an Active Directory account. SID History is a legitimate feature used during domain migrations to preserve access rights for migrated users, allowing an account in a new domain to retain access to resources in the old domain by carrying the old SID. Adding a privileged group SID to an account's SID History grants that account the same access rights without modifying group membership, and the change survives credential resets.",
      "category": "Persistence/Privilege Escalation",
      "tags": [
        "sid-history",
        "persistence",
        "privilege-escalation",
        "active-directory"
      ],
      "relatedEventIds": [
        {
          "id": 4766,
          "log": "Security"
        },
        {
          "id": 4728,
          "log": "Security"
        },
        {
          "id": 4768,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1134.005",
          "techniqueName": "Access Token Manipulation: SID-History Injection",
          "tactics": [
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Account Management > Audit User Account Management must be enabled. Must be collected from domain controllers."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "SidList reveals the SID(s) added — resolve the SID to identify whether it belongs to a privileged group such as Domain Admins (S-1-5-21-...-512)",
          "TargetUserName is the account receiving the backdoor privilege — audit all access by this account since the SID History modification",
          "SubjectUserName must have had Domain Admin rights to perform this operation — trace how this account was compromised"
        ],
        "commonFalsePositives": [
          "Legitimate domain migration operations using tools such as ADMT (Active Directory Migration Tool)",
          "Automated migration scripts with proper change management approval"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that performed the SID History modification"
        },
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account that received the SID History entry"
        },
        {
          "name": "SidList",
          "xpath": "EventData/Data[@Name='SidList']",
          "description": "SID(s) added to the account's SID History"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4765"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4766,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditFailure",
      "title": "An attempt to add SID History to an account failed",
      "summary": "Failed attempt to add SID History to an account.",
      "details": "Generated when an attempt to add a SID to an account's SID History attribute fails. The failure may indicate insufficient privileges, auditing controls blocking SID History modification, or the operation being denied by a domain policy.",
      "category": "Persistence/Privilege Escalation",
      "tags": [
        "sid-history",
        "persistence",
        "active-directory"
      ],
      "relatedEventIds": [
        {
          "id": 4765,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1134.005",
          "techniqueName": "Access Token Manipulation: SID-History Injection",
          "tactics": [
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Account Management > Audit User Account Management must be enabled. Must be collected from domain controllers."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "SubjectUserName attempted the operation — investigate how this account was compromised and what privilege level it held",
          "Correlate with EID 4765 on all DCs — a failure on one DC may have succeeded on another",
          "Check the failure reason — access denied failures confirm the account lacked privilege; other errors may indicate a partial attack"
        ],
        "commonFalsePositives": [
          "Failed migration tool operations with misconfigured permissions during legitimate domain migrations"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that attempted the SID History modification"
        },
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account targeted for the SID History modification"
        },
        {
          "name": "Status",
          "xpath": "EventData/Data[@Name='Status']",
          "description": "Failure status code indicating why the operation was denied"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4766"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4767,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A user account was unlocked",
      "summary": "A locked-out user account was unlocked.",
      "details": "Generated when a locked-out user account is unlocked by an administrator or automatically by the account lockout policy.",
      "category": "Account Management",
      "tags": [
        "account-unlock",
        "lockout",
        "authentication"
      ],
      "relatedEventIds": [
        {
          "id": 4740,
          "log": "Security"
        },
        {
          "id": 4625,
          "log": "Security"
        },
        {
          "id": 4624,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1110",
          "techniqueName": "Brute Force",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Account Management > Audit User Account Management must be enabled. Collected from domain controllers for domain accounts."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "SubjectUserName unlocking multiple accounts in rapid succession is suspicious — legitimate help desk unlocks are typically one at a time with a ticket",
          "Correlate with EID 4740 to determine the caller computer name that triggered the lockout",
          "A pattern of EID 4740 → EID 4767 → EID 4740 (repeat) may indicate an attacker repeatedly triggering lockouts and an admin repeatedly unlocking"
        ],
        "commonFalsePositives": [
          "Help desk or IT administrators unlocking accounts as part of normal support operations",
          "Automated account management tools with scheduled unlock windows"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that unlocked the locked-out account"
        },
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account that was unlocked"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4767"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 4776,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "The computer attempted to validate the credentials for an account",
      "summary": "NTLM credential validation attempt recorded.",
      "details": "Generated every time NTLM authentication is used, on the computer that holds the account. Captures all NTLM attempts on domain controllers for domain accounts. Common error codes include 0xC000006A (bad password), 0xC0000064 (no such user), and 0xC000006D (generic authentication failure).",
      "category": "Logon/Authentication",
      "tags": [
        "ntlm",
        "authentication",
        "credential-validation"
      ],
      "relatedEventIds": [
        {
          "id": 4624,
          "log": "Security"
        },
        {
          "id": 4625,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1550.002",
          "techniqueName": "Use Alternate Authentication Material: Pass the Hash",
          "tactics": [
            {
              "tacticId": "TA0008",
              "tacticName": "Lateral Movement"
            }
          ]
        },
        {
          "techniqueId": "T1110",
          "techniqueName": "Brute Force",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "ErrorCode 0xC000006A (wrong password) in volume indicates brute force or pass-the-hash failure",
          "Workstation field identifies the source machine — flag sources that are not domain-joined or are unexpected for the target account",
          "NTLM authentication in an environment that should use Kerberos may indicate pass-the-hash or a non-domain-joined attacker host"
        ],
        "commonFalsePositives": [
          "Legacy applications that do not support Kerberos and use NTLM",
          "Workgroup machines and non-domain-joined systems authenticating via NTLM"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "NTLM Authentication Failure — Password Spray Pattern",
          "rule": "SecurityEvent\n| where EventID == 4776\n| where Status != \"0x0\"\n| summarize UniqueAccounts = dcount(TargetUserName), FailureCount = count() by Workstation, bin(TimeGenerated, 5m)\n| where UniqueAccounts > 10 or FailureCount > 50",
          "notes": "NTLM credential validation failures. UniqueAccounts > 10 suggests spray; high FailureCount from one source suggests brute force. Tune thresholds per environment."
        },
        {
          "platform": "Splunk",
          "title": "NTLM Credential Validation Failure Spike",
          "rule": "index=wineventlog EventCode=4776 NOT Status=0x0\n| bin _time span=5m\n| stats dc(Target_Account_Name) as UniqueAccounts count by _time, Workstation\n| where UniqueAccounts > 10 OR count > 50",
          "notes": "NTLM-based authentication failures from a single workstation."
        },
        {
          "platform": "Sigma",
          "title": "NTLM Authentication Failure Brute Force or Spray",
          "rule": "title: NTLM Authentication Failure Brute Force or Spray\nstatus: experimental\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4776\n        Status:\n            - '0xC000006A'\n            - '0xC0000064'\n            - '0xC000006D'\ncondition: selection | count() by Workstation > 20\ntimeframe: 5m\nfalsepositives:\n    - Application service accounts with misconfigured credentials\n    - Kerberos fallback to NTLM\nlevel: medium",
          "notes": "Threshold-based; adjust count per environment NTLM baseline."
        }
      ],
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account whose credentials were validated"
        },
        {
          "name": "Workstation",
          "xpath": "EventData/Data[@Name='Workstation']",
          "description": "Machine initiating the NTLM authentication"
        },
        {
          "name": "Status",
          "xpath": "EventData/Data[@Name='Status']",
          "description": "0xC000006A = bad password, 0xC0000064 = no such user, 0xC000006D = generic auth failure"
        }
      ],
      "lastReviewed": "2026-03-29"
    },
    {
      "id": 4778,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A session was reconnected to a Window Station",
      "summary": "A session was reconnected to a Windows desktop session.",
      "details": "Generated when a user reconnects to an existing Windows session (e.g., reconnecting to an RDP session or unlocking a workstation). Disconnected sessions remain active in memory and can be reconnected to without re-authentication in some configurations.",
      "category": "Logon/Authentication",
      "tags": [
        "session",
        "rdp",
        "lateral-movement",
        "session-hijack"
      ],
      "relatedEventIds": [
        {
          "id": 4779,
          "log": "Security"
        },
        {
          "id": 4624,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1563.002",
          "techniqueName": "Remote Service Session Hijacking: RDP Hijacking",
          "tactics": [
            {
              "tacticId": "TA0008",
              "tacticName": "Lateral Movement"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "ClientAddress for the reconnection differing from the original connection's source IP is a session hijacking indicator",
          "Reconnections to sessions owned by other users (AccountName different from expected) indicate RDP hijacking",
          "Correlate with RDP Local Session Manager EID 25 (session reconnected) for additional session context"
        ],
        "commonFalsePositives": [
          "Legitimate users reconnecting to their own RDP sessions from a different device",
          "Users unlocking workstations after stepping away"
        ]
      },
      "keyFields": [
        {
          "name": "AccountName",
          "xpath": "EventData/Data[@Name='AccountName']",
          "description": "Account associated with the reconnected session"
        },
        {
          "name": "SessionName",
          "xpath": "EventData/Data[@Name='SessionName']",
          "description": "Name of the reconnected session (e.g., RDP-Tcp#0)"
        },
        {
          "name": "ClientName",
          "xpath": "EventData/Data[@Name='ClientName']",
          "description": "Hostname of the client that reconnected"
        },
        {
          "name": "ClientAddress",
          "xpath": "EventData/Data[@Name='ClientAddress']",
          "description": "IP address of the reconnecting client"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4778"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4779,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A session was disconnected from a Window Station",
      "summary": "A session was disconnected from a Windows desktop session.",
      "details": "Generated when a session is disconnected (but not logged off) from a window station. Disconnected sessions remain active in memory and can be reconnected to. Tracking disconnection events alongside EID 4778 (reconnection) provides a complete picture of session lifecycle.",
      "category": "Logon/Authentication",
      "tags": [
        "session",
        "rdp",
        "lateral-movement"
      ],
      "relatedEventIds": [
        {
          "id": 4778,
          "log": "Security"
        },
        {
          "id": 4634,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1563.002",
          "techniqueName": "Remote Service Session Hijacking: RDP Hijacking",
          "tactics": [
            {
              "tacticId": "TA0008",
              "tacticName": "Lateral Movement"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "A user's session being disconnected and then immediately reconnected by a different source IP is a session hijack pattern",
          "Disconnected sessions with no subsequent logoff (EID 4634/4647) remain active and can be hijacked",
          "Correlate with RDP Local Session Manager EID 24 for additional disconnection context"
        ],
        "commonFalsePositives": [
          "Normal RDP session disconnections when users close the RDP client without logging off",
          "Network interruptions causing RDP sessions to disconnect"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4779"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Remote Session Disconnect from Unexpected Client",
          "rule": "SecurityEvent\n| where EventID == 4779\n| join kind=leftouter (\n    SecurityEvent\n    | where EventID == 4778\n    | project AccountName, ClientAddress, TimeGenerated\n) on AccountName\n| where ClientAddress != ClientAddress1\n| project TimeGenerated, AccountName, SessionName, ClientName, ClientAddress, Computer",
          "notes": "Correlates disconnects (4779) with reconnects (4778) — session appearing on a different client IP can indicate session hijacking. Simplified query; adjust for your schema."
        },
        {
          "platform": "Splunk",
          "title": "RDP Session Disconnect",
          "rule": "index=wineventlog EventCode=4779\n| table _time, Account_Name, Session_Name, Client_Name, Client_Address, host\n| sort -_time",
          "notes": "Baseline query; correlate ClientAddress with known endpoints for the AccountName to detect unusual disconnects."
        },
        {
          "platform": "Sigma",
          "title": "Remote Session Disconnected from Workstation",
          "rule": "title: Remote Session Disconnected from Workstation\nstatus: experimental\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4779\ncondition: selection\nfalsepositives:\n    - Normal user RDP session disconnects\nlevel: informational",
          "notes": "Base rule; add ClientAddress allowlist or correlate with 4778 for higher fidelity."
        }
      ],
      "keyFields": [
        {
          "name": "AccountName",
          "xpath": "EventData/Data[@Name='AccountName']",
          "description": "Account whose session was disconnected"
        },
        {
          "name": "SessionName",
          "xpath": "EventData/Data[@Name='SessionName']",
          "description": "Name of the disconnected session (e.g., RDP-Tcp#0)"
        },
        {
          "name": "ClientName",
          "xpath": "EventData/Data[@Name='ClientName']",
          "description": "Hostname of the client that disconnected"
        },
        {
          "name": "ClientAddress",
          "xpath": "EventData/Data[@Name='ClientAddress']",
          "description": "IP address of the disconnected client"
        }
      ],
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4781,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "The name of an account was changed",
      "summary": "A user or computer account was renamed.",
      "details": "Generated when a user or computer account is renamed.",
      "category": "Defense Evasion",
      "tags": [
        "account-rename",
        "defense-evasion",
        "masquerading"
      ],
      "relatedEventIds": [
        {
          "id": 4720,
          "log": "Security"
        },
        {
          "id": 4738,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1036",
          "techniqueName": "Masquerading",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        },
        {
          "techniqueId": "T1098",
          "techniqueName": "Account Manipulation",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "OldTargetUserName to NewTargetUserName is the key pivot — renaming the default Administrator or Guest account is a classic evasion technique",
          "NewTargetUserName mimicking system accounts or services (e.g., 'svchost', 'SYSTEM') is masquerading",
          "Correlate with EID 4624 to see if the renamed account is subsequently used for logon"
        ],
        "commonFalsePositives": [
          "IT renaming accounts as part of HR-driven name changes or organizational policy",
          "CIS/STIG hardening renaming the default Administrator account"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that performed the rename"
        },
        {
          "name": "OldTargetUserName",
          "xpath": "EventData/Data[@Name='OldTargetUserName']",
          "description": "Original account name before the rename"
        },
        {
          "name": "NewTargetUserName",
          "xpath": "EventData/Data[@Name='NewTargetUserName']",
          "description": "New account name after the rename"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4781"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4782,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "The password hash of an account was accessed",
      "summary": "Password hash was read from Active Directory.",
      "details": "Generated when the password hash of an account is accessed in Active Directory. This event is a primary indicator of DCSync attacks, where an attacker uses the MS-DRSR (Directory Replication Service Remote Protocol) to impersonate a domain controller and request password hash replication. Legitimate access is limited to domain controller computer accounts and users explicitly granted Replicating Directory Changes permissions. This event is only generated for accounts with auditing configured.",
      "category": "Credential Access",
      "tags": [
        "dcsync",
        "credential-access",
        "password-hash",
        "active-directory",
        "mimikatz"
      ],
      "relatedEventIds": [
        {
          "id": 4662,
          "log": "Security"
        },
        {
          "id": 4624,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1003.006",
          "techniqueName": "OS Credential Dumping: DCSync",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Account Management > Audit User Account Management must be enabled. Object-level auditing must be configured on the target AD objects. Must be collected from domain controllers."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "SubjectUserName should only ever be a DC computer account (e.g., DC01$) — any user account accessing hashes is a DCSync attack",
          "TargetUserName of krbtgt, Administrator, or other high-value accounts is the highest priority — these hashes enable Golden Ticket and Silver Ticket attacks",
          "Correlate with EID 4662 (object access with DS-Replication-Get-Changes-All right) and network traffic to identify DCSync replication requests"
        ],
        "commonFalsePositives": [
          "Legitimate domain controller replication via DRSR between real DCs (SubjectUserName will be a DC computer account)",
          "Authorized third-party identity management solutions with Replicating Directory Changes All permissions"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that accessed the password hash"
        },
        {
          "name": "SubjectLogonId",
          "xpath": "EventData/Data[@Name='SubjectLogonId']",
          "description": "Logon session ID of the account accessing the hash"
        },
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account whose password hash was accessed"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4782"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 4793,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "The Password Policy Checking API was called",
      "summary": "A process queried the password policy checking API.",
      "details": "Generated when a process calls the Password Policy Checking API (NetValidatePasswordPolicy) to validate a password against the current domain password policy. Scripting languages (PowerShell, Python via Impacket), custom tools, and password spray tools may call this API.",
      "category": "Reconnaissance",
      "tags": [
        "password-policy",
        "reconnaissance",
        "password-spray"
      ],
      "relatedEventIds": [
        {
          "id": 4625,
          "log": "Security"
        },
        {
          "id": 4740,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1201",
          "techniqueName": "Password Policy Discovery",
          "tactics": [
            {
              "tacticId": "TA0007",
              "tacticName": "Discovery"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Account Management > Audit User Account Management must be enabled. Most useful when collected from domain controllers."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "CallerWorkstation identifies the machine querying the policy — correlate with other reconnaissance events from the same host",
          "SubjectUserName performing the query from a non-admin account on a non-IT workstation is suspicious",
          "Correlate with subsequent EID 4625 events from the same workstation — policy query followed by a wave of failed logons is a spray attack pattern"
        ],
        "commonFalsePositives": [
          "Identity management software and provisioning tools that validate passwords against policy before submission",
          "Password change utilities that check the new password against policy before applying the change"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that called the password policy API"
        },
        {
          "name": "CallerWorkstation",
          "xpath": "EventData/Data[@Name='CallerWorkstation']",
          "description": "Machine from which the password policy query was made"
        },
        {
          "name": "Status",
          "xpath": "EventData/Data[@Name='Status']",
          "description": "Return status of the API call"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4793"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 4794,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "An attempt was made to set the Directory Services Restore Mode administrator password",
      "summary": "DSRM password change attempt on a domain controller.",
      "details": "Generated when an attempt is made to change the Directory Services Restore Mode (DSRM) administrator password on a domain controller. The DSRM account is a local administrator account that is only active when the DC boots into Directory Services Restore Mode. Setting or changing the DSRM password is an advanced AD persistence technique because DSRM can be configured to allow logon in normal mode, providing a backdoor that survives domain admin password changes and does not appear in standard AD accounts.",
      "category": "Persistence",
      "tags": [
        "dsrm",
        "active-directory",
        "persistence",
        "domain-controller"
      ],
      "relatedEventIds": [
        {
          "id": 4624,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1098",
          "techniqueName": "Account Manipulation",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "This event should almost never occur in a normal environment — any instance warrants immediate investigation",
          "SubjectUserName identifies who set the DSRM password — only domain admins performing intentional DR preparation should appear here",
          "Correlate with registry key changes to HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DsrmAdminLogonBehavior — a value of 2 enables DSRM logon in normal mode, which is a backdoor"
        ],
        "commonFalsePositives": [
          "IT security team setting DSRM passwords during initial DC provisioning as part of DR planning (should be documented)"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that set or changed the DSRM password"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4798,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A user's local group membership was enumerated",
      "summary": "Local group membership of a user account was queried.",
      "details": "Generated when a process enumerates the local group membership of a user account. Active Directory enumeration tools such as BloodHound/SharpHound generate large volumes of this event as they map group memberships.",
      "category": "Discovery",
      "tags": [
        "group-enumeration",
        "discovery",
        "reconnaissance",
        "bloodhound"
      ],
      "relatedEventIds": [
        {
          "id": 4799,
          "log": "Security"
        },
        {
          "id": 4688,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1069.001",
          "techniqueName": "Permission Groups Discovery: Local Groups",
          "tactics": [
            {
              "tacticId": "TA0007",
              "tacticName": "Discovery"
            }
          ]
        },
        {
          "techniqueId": "T1087.001",
          "techniqueName": "Account Discovery: Local Account",
          "tactics": [
            {
              "tacticId": "TA0007",
              "tacticName": "Discovery"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "CallerProcessName is the key field — net.exe, PowerShell, SharpHound.exe, or unusual binaries performing bulk enumeration are suspicious",
          "High-volume queries across many TargetUserName values in a short window is a BloodHound/AD recon indicator",
          "Correlate CallerProcessName with EID 4688 to review the process ancestry and command line"
        ],
        "commonFalsePositives": [
          "Endpoint security and monitoring agents inventorying local group memberships",
          "IT management tools querying group membership for access reviews"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account performing the enumeration"
        },
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "Account whose group membership is being enumerated"
        },
        {
          "name": "CallerProcessName",
          "xpath": "EventData/Data[@Name='CallerProcessName']",
          "description": "Process performing the group membership query"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4798"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows 10 / Server 2016"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4799,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A security-enabled local group membership was enumerated",
      "summary": "Membership of a local security group was queried.",
      "details": "Generated when a process enumerates the members of a security-enabled local group. Like EID 4798, high-volume enumeration of many local groups from a single process is a BloodHound/SharpHound recon indicator. Enumerations of the Administrators, Remote Desktop Users, and Remote Management Users groups are particularly significant because they reveal which accounts have high-value access.",
      "category": "Discovery",
      "tags": [
        "group-enumeration",
        "discovery",
        "reconnaissance",
        "bloodhound"
      ],
      "relatedEventIds": [
        {
          "id": 4798,
          "log": "Security"
        },
        {
          "id": 4688,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1069.001",
          "techniqueName": "Permission Groups Discovery: Local Groups",
          "tactics": [
            {
              "tacticId": "TA0007",
              "tacticName": "Discovery"
            }
          ]
        },
        {
          "techniqueId": "T1087.001",
          "techniqueName": "Account Discovery: Local Account",
          "tactics": [
            {
              "tacticId": "TA0007",
              "tacticName": "Discovery"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "CallerProcessName is the key field — look for AD recon tools, net.exe, or PowerShell performing bulk group enumeration",
          "GroupName of 'Administrators', 'Remote Desktop Users', or 'Remote Management Users' being enumerated by unexpected processes is a lateral movement planning indicator",
          "Pair with EID 4798 — tools like BloodHound generate both events together in high volume"
        ],
        "commonFalsePositives": [
          "Endpoint security agents auditing local group membership",
          "IT access management tools checking group membership for compliance reporting"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account performing the enumeration"
        },
        {
          "name": "GroupName",
          "xpath": "EventData/Data[@Name='GroupName']",
          "description": "Name of the local group being enumerated"
        },
        {
          "name": "CallerProcessName",
          "xpath": "EventData/Data[@Name='CallerProcessName']",
          "description": "Process performing the group enumeration"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4799"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows 10 / Server 2016"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4800,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "The workstation was locked",
      "summary": "Workstation screen locked.",
      "details": "Generated when a user locks their workstation (Win+L, Ctrl+Alt+Del > Lock, or idle lock policy). Lock and unlock events (EID 4800/4801) combined with logon/logoff events (EID 4624/4634) build a complete picture of user presence at the keyboard. The absence of lock/unlock events during a period of active activity (such as lateral movement or data staging) indicates activity via a remote session while the legitimate user was away.",
      "category": "Logon/Authentication",
      "tags": [
        "workstation-lock",
        "session",
        "timeline"
      ],
      "relatedEventIds": [
        {
          "id": 4801,
          "log": "Security"
        },
        {
          "id": 4624,
          "log": "Security"
        },
        {
          "id": 4634,
          "log": "Security"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Combine EID 4800 and 4801 with EID 4624/4634 to establish when a physical user was present at the keyboard vs. using the machine remotely",
          "A long gap between EID 4800 (locked) and EID 4801 (unlocked) with active network logon events (EID 4624 Type 3) in between indicates remote activity while the user was away",
          "Missing EID 4800 events on an interactive session despite long inactivity may indicate an always-unlocked workstation (misconfigured lockout policy)"
        ],
        "commonFalsePositives": [
          "Normal user behavior — locking workstations when stepping away from the desk"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that locked the workstation"
        },
        {
          "name": "SubjectLogonId",
          "xpath": "EventData/Data[@Name='SubjectLogonId']",
          "description": "Logon session ID; links to EID 4624 to identify the session"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4800"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 4801,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "The workstation was unlocked",
      "summary": "Workstation screen unlocked.",
      "details": "Generated when a locked workstation is unlocked by the user entering their password. Paired with EID 4800 (lock), these two events provide precise windows of physical user presence at the keyboard. In DFIR investigations, unlock events help differentiate between interactive user activity and remote activity during the same session.",
      "category": "Logon/Authentication",
      "tags": [
        "workstation-unlock",
        "session",
        "timeline"
      ],
      "relatedEventIds": [
        {
          "id": 4800,
          "log": "Security"
        },
        {
          "id": 4624,
          "log": "Security"
        },
        {
          "id": 4625,
          "log": "Security"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate SubjectLogonId with EID 4800 to calculate how long the workstation was locked",
          "An EID 4801 at an unusual hour (outside working hours, weekend) immediately followed by suspicious process creation (EID 4688) is a high-priority pivot",
          "Failed unlock attempts generate EID 4625 — a cluster of EID 4625 followed by EID 4801 may indicate the attacker cracked or obtained the user's session password"
        ],
        "commonFalsePositives": [
          "Normal user behavior — returning to desk and unlocking workstation"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that unlocked the workstation"
        },
        {
          "name": "SubjectLogonId",
          "xpath": "EventData/Data[@Name='SubjectLogonId']",
          "description": "Logon session ID; links to EID 4624 and EID 4800 for timeline correlation"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4801"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 4826,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Boot Configuration Data loaded",
      "summary": "The Boot Configuration Data (BCD) store was loaded at system startup.",
      "details": "Generated at every system boot when the Boot Configuration Data (BCD) store is loaded. The BCD store contains the boot configuration and feature flags that govern OS startup.",
      "category": "Persistence/Defense Evasion",
      "tags": [
        "boot",
        "bcd",
        "persistence",
        "defense-evasion",
        "bootkit",
        "driver-loading"
      ],
      "relatedEventIds": [
        {
          "id": 4688,
          "log": "Security"
        },
        {
          "id": 6005,
          "log": "System"
        },
        {
          "id": 12,
          "log": "System"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1542.001",
          "techniqueName": "Pre-OS Boot: System Firmware",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            },
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        },
        {
          "techniqueId": "T1542.003",
          "techniqueName": "Pre-OS Boot: Bootkit",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            },
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        },
        {
          "techniqueId": "T1014",
          "techniqueName": "Rootkit",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Other Policy Change Events must be enabled under Advanced Audit Policy > Policy Change."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "TestSigningEnabled: Yes is a critical indicator — it allows loading of unsigned kernel drivers and is rarely set in production environments",
          "CodeIntegrityEnabled: No disables kernel code integrity enforcement — combined with test signing, this enables arbitrary driver loading",
          "KernelDebugEnabled: Yes enables kernel debugging which can be exploited for kernel-level manipulation",
          "Establish a BCD baseline from the first boot event in your log history — any subsequent change in BCD values warrants investigation",
          "Look for preceding bcdedit.exe process creation events (EID 4688) by unexpected accounts before the BCD change took effect on the next boot"
        ],
        "commonFalsePositives": [
          "Developer machines with test signing enabled for driver development",
          "VMs and lab environments with kernel debugging configured",
          "Dual-boot systems with multiple boot entries"
        ]
      },
      "keyFields": [
        {
          "name": "TestSigningEnabled",
          "xpath": "EventData/Data[@Name='TestSigningEnabled']",
          "description": "Whether test-signing mode is enabled; Yes allows unsigned kernel drivers to load"
        },
        {
          "name": "CodeIntegrityEnabled",
          "xpath": "EventData/Data[@Name='CodeIntegrityEnabled']",
          "description": "Whether kernel code integrity enforcement is active; No disables driver signing checks"
        },
        {
          "name": "KernelDebugEnabled",
          "xpath": "EventData/Data[@Name='KernelDebugEnabled']",
          "description": "Whether kernel debugging is enabled; Yes exposes the kernel to debugger-level manipulation"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4826"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "BCD Test Signing or Code Integrity Disabled",
          "rule": "SecurityEvent\n| where EventID == 4826\n| project TimeGenerated, Computer, ExtendedProperties\n| where ExtendedProperties has \"Yes\" or ExtendedProperties has \"No\"\n| order by TimeGenerated desc",
          "notes": "Parse the ExtendedProperties field for TestSigningEnabled, CodeIntegrityEnabled, and KernelDebugEnabled values. Alert on any host where TestSigningEnabled == Yes or CodeIntegrityEnabled == No compared to the established baseline."
        },
        {
          "platform": "Sigma",
          "title": "BCD Test Signing Enabled at Boot",
          "rule": "title: BCD Test Signing Enabled at Boot\nstatus: experimental\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4826\n  condition: selection\nfalsepositives:\n  - Developer workstations with driver development workflows\n  - Lab and test environments\nlevel: medium",
          "notes": "Requires parsing ExtendedProperties to check TestSigningEnabled. Baseline BCD values per host and alert on deviation from baseline rather than all occurrences."
        }
      ],
      "volumeIndicator": "rare",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4886,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Certificate Services received a certificate request",
      "summary": "A certificate request was submitted to a Certificate Authority.",
      "details": "Generated on Active Directory Certificate Services (ADCS) servers when a certificate request is received. Monitoring certificate requests is critical for detecting ADCS-based privilege escalation (ESC1-ESC8). ESC1 attacks involve requesting a certificate with an arbitrary Subject Alternative Name (SAN), such as a domain admin UPN, which can be used for Kerberos authentication as that user.",
      "category": "Credential Access",
      "tags": [
        "adcs",
        "certificate",
        "privilege-escalation",
        "credential-access"
      ],
      "relatedEventIds": [
        {
          "id": 4887,
          "log": "Security"
        },
        {
          "id": 4888,
          "log": "Security"
        },
        {
          "id": 4768,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1649",
          "techniqueName": "Steal or Forge Authentication Certificates",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "RequesterName is the key pivot — unexpected accounts requesting certificates (especially with admin or DC UPNs as SANs) are ESC1 indicators",
          "The certificate template used matters — enrollment-agent or vulnerable templates (those that allow requester-specified SANs with Client Authentication EKU) are high risk",
          "Correlate with EID 4887 to confirm whether the certificate was issued, and then with Kerberos EID 4768 to detect if it was used for authentication"
        ],
        "commonFalsePositives": [
          "Legitimate certificate requests from users and computers for authentication, email, or code signing",
          "Auto-enrollment generating certificate requests at renewal time"
        ]
      },
      "keyFields": [
        {
          "name": "RequesterName",
          "xpath": "EventData/Data[@Name='RequesterName']",
          "description": "Account that submitted the certificate request"
        },
        {
          "name": "CertificateTemplate",
          "xpath": "EventData/Data[@Name='CertificateTemplate']",
          "description": "Certificate template used for the request"
        },
        {
          "name": "SubjectAlternativeName",
          "xpath": "EventData/Data[@Name='SubjectAlternativeName']",
          "description": "SAN included in the request; arbitrary SANs with admin UPNs indicate ESC1 attacks"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4886"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4887,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Certificate Services approved a certificate request and issued a certificate",
      "summary": "A Certificate Authority issued a certificate.",
      "details": "Generated when the Certificate Authority approves and issues a certificate. This event confirms a certificate was successfully issued. In ESC attacks, this event confirms a certificate was obtained that can be used for authentication, privilege escalation, or persistence.",
      "category": "Credential Access",
      "tags": [
        "adcs",
        "certificate",
        "privilege-escalation",
        "credential-access"
      ],
      "relatedEventIds": [
        {
          "id": 4886,
          "log": "Security"
        },
        {
          "id": 4888,
          "log": "Security"
        },
        {
          "id": 4768,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1649",
          "techniqueName": "Steal or Forge Authentication Certificates",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate with EID 4886 using the request ID to link the request and issuance",
          "Issued certificates with admin UPNs in the SAN from non-admin requesters are a definitive ESC1 indicator",
          "Correlate with Kerberos EID 4768 using PKINIT authentication type to identify when the issued certificate was used for authentication"
        ],
        "commonFalsePositives": [
          "Legitimate certificate auto-enrollment for machine and user authentication",
          "IT-managed certificate lifecycle for VPN, Wi-Fi, email, or code signing purposes"
        ]
      },
      "keyFields": [
        {
          "name": "RequesterName",
          "xpath": "EventData/Data[@Name='RequesterName']",
          "description": "Account that requested the certificate"
        },
        {
          "name": "CertificateTemplate",
          "xpath": "EventData/Data[@Name='CertificateTemplate']",
          "description": "Certificate template used for issuance"
        },
        {
          "name": "SubjectAlternativeName",
          "xpath": "EventData/Data[@Name='SubjectAlternativeName']",
          "description": "SAN in the issued certificate; admin UPNs from non-admin requesters indicate ESC1"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4887"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4888,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditFailure",
      "title": "Certificate Services denied a certificate request",
      "summary": "A Certificate Authority rejected a certificate request.",
      "details": "Generated when the Certificate Authority denies a certificate request. Certificate request denials from unexpected accounts, particularly with unusual SANs, may indicate a failed ESC attack where the CA was properly configured to deny the request.",
      "category": "Credential Access",
      "tags": [
        "adcs",
        "certificate",
        "credential-access"
      ],
      "relatedEventIds": [
        {
          "id": 4886,
          "log": "Security"
        },
        {
          "id": 4887,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1649",
          "techniqueName": "Steal or Forge Authentication Certificates",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate denied requests (EID 4888) with approved requests (EID 4887) from the same requester — a denial followed by an approval may indicate template switching to find a vulnerable one",
          "Multiple denials from the same account across different templates is a template enumeration pattern",
          "Denial reason may reveal the specific control that blocked the request — 'denied by policy module' is the normal block"
        ],
        "commonFalsePositives": [
          "Auto-enrollment failures on hosts without valid certificate templates or enrollment permissions",
          "Expired or misconfigured certificate templates causing legitimate requests to be denied"
        ]
      },
      "keyFields": [
        {
          "name": "RequesterName",
          "xpath": "EventData/Data[@Name='RequesterName']",
          "description": "Account whose certificate request was denied"
        },
        {
          "name": "CertificateTemplate",
          "xpath": "EventData/Data[@Name='CertificateTemplate']",
          "description": "Certificate template that was attempted"
        },
        {
          "name": "DenialReason",
          "xpath": "EventData/Data[@Name='DenialReason']",
          "description": "Reason the request was denied; 'denied by policy module' is the normal control block"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4888"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 4889,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Certificate Services set the status of a certificate request to pending",
      "summary": "A Certificate Authority placed a certificate request in pending state.",
      "details": "Generated when a Certificate Authority moves a certificate request to pending status, typically because the template requires CA manager approval (the 'CA certificate manager approval' issuance requirement).",
      "category": "Credential Access",
      "tags": [
        "certificate-services",
        "adcs",
        "pki"
      ],
      "relatedEventIds": [
        {
          "id": 4886,
          "log": "Security"
        },
        {
          "id": 4887,
          "log": "Security"
        },
        {
          "id": 4888,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1649",
          "techniqueName": "Steal or Forge Authentication Certificates",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Certificate Services must be enabled under Advanced Audit Policy. Must be collected from CA servers."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Template name pivot: requests for templates like UserAuthentication, SmartcardLogon, or custom domain auth templates from unexpected accounts warrant review",
          "Correlate RequesterName with the certificate request attributes — a SAN containing a different user's UPN than the requester is a strong ESC1 attack indicator",
          "Track requests that sit in pending status and are later approved (EID 4887) by reviewing the approval timestamp and the approving CA manager account"
        ],
        "commonFalsePositives": [
          "Legitimate certificate requests for templates requiring manager approval (by design)",
          "Automated certificate enrollment from service accounts awaiting approval in multi-tier PKI environments"
        ]
      },
      "keyFields": [
        {
          "name": "RequesterName",
          "xpath": "EventData/Data[@Name='RequesterName']",
          "description": "Account that submitted the certificate request"
        },
        {
          "name": "CertificateTemplate",
          "xpath": "EventData/Data[@Name='CertificateTemplate']",
          "description": "Certificate template name for the pending request"
        },
        {
          "name": "RequestAttributes",
          "xpath": "EventData/Data[@Name='RequestAttributes']",
          "description": "Request attributes including any specified SAN values"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4889"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 4907,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Auditing settings on an object were changed",
      "summary": "The SACL on an audited object was modified.",
      "details": "Generated when the auditing settings (SACL) of an object are changed mid-session while being accessed under an active handle. Complements EID 4715 (SACL changed via a security descriptor write) and captures in-session audit policy modifications.",
      "category": "Defense Evasion",
      "tags": [
        "audit-policy",
        "sacl",
        "defense-evasion",
        "tamper"
      ],
      "relatedEventIds": [
        {
          "id": 4715,
          "log": "Security"
        },
        {
          "id": 4719,
          "log": "Security"
        },
        {
          "id": 4656,
          "log": "Security"
        },
        {
          "id": 4663,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1685.001",
          "techniqueName": "Disable or Modify Tools: Disable or Modify Windows Event Log",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Policy Change must be enabled under Advanced Audit Policy. The object must have an existing SACL; this event fires when that SACL is modified."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "ObjectName identifies which object's auditing settings were modified — focus on sensitive objects: SAM, NTDS.dit, LSASS memory sections, privileged registry hives (HKLM\\SECURITY, HKLM\\SAM)",
          "Compare OldSd and NewSd to determine which SACL ACEs were removed — removal of all SACL entries (empty SACL in NewSd) is the highest-confidence indicator",
          "Correlate with subsequent EID 4656/4663 events on the same ObjectName — SACL removal followed by access to the same object indicates the change was made to suppress audit evidence"
        ],
        "commonFalsePositives": [
          "Security hardening tools modifying SACLs as part of applying a CIS or STIG baseline",
          "Backup software modifying SACL entries on files it needs to access without generating audit noise"
        ]
      },
      "keyFields": [
        {
          "name": "ObjectName",
          "xpath": "EventData/Data[@Name='ObjectName']",
          "description": "The object whose SACL was changed — sensitive paths (SAM, NTDS.dit, SECURITY registry hive) are highest priority"
        },
        {
          "name": "OldSd",
          "xpath": "EventData/Data[@Name='OldSd']",
          "description": "Old security descriptor in SDDL format; contains the previous SACL entries before modification"
        },
        {
          "name": "NewSd",
          "xpath": "EventData/Data[@Name='NewSd']",
          "description": "New security descriptor in SDDL format; an empty SACL in NewSd confirms all auditing was removed"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4907"
      },
      "detectionRules": [
        {
          "platform": "Sigma",
          "title": "Auditing Settings Removed from Object",
          "rule": "title: Auditing Settings Removed from Object\nstatus: experimental\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4907\n  condition: selection\nfalsepositives:\n  - Security hardening tools applying STIG/CIS baselines\n  - Authorized IT SACL management operations\nlevel: medium",
          "notes": "Parse OldSd and NewSd to detect removal of SACL entries. Alert at high level when ObjectName matches sensitive paths (SAM, NTDS, SECURITY hive) or when the NewSd contains an empty SACL."
        }
      ],
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4912,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Per User Audit Policy was changed",
      "summary": "The per-user audit policy for a specific account was modified.",
      "details": "Generated when the per-user audit policy is changed for a specific user account. Per-user policies override the system-wide audit policy for individual accounts.",
      "category": "Defense Evasion",
      "tags": [
        "audit-policy",
        "defense-evasion",
        "tamper",
        "per-user-audit"
      ],
      "relatedEventIds": [
        {
          "id": 4719,
          "log": "Security"
        },
        {
          "id": 4715,
          "log": "Security"
        },
        {
          "id": 1102,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1685.001",
          "techniqueName": "Disable or Modify Tools: Disable or Modify Windows Event Log",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Policy Change > Audit Audit Policy Change must be enabled under Advanced Audit Policy."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "TargetUserName is the critical field — a per-user audit exemption set on a privileged or service account by an unexpected SubjectUserName is a strong defense evasion indicator",
          "AuditPolicyChanges shows which category was changed to No Auditing — suppressing Account Logon, Logon/Logoff, or Object Access for a specific account is the most impactful exemption",
          "Per-user audit policies are rarely used in production environments — any occurrence outside of documented security engineering work should be investigated"
        ],
        "commonFalsePositives": [
          "Security engineering teams implementing per-user audit policies as part of a targeted monitoring configuration",
          "Automated compliance tools adjusting per-user audit settings for specific service accounts"
        ]
      },
      "keyFields": [
        {
          "name": "TargetUserName",
          "xpath": "EventData/Data[@Name='TargetUserName']",
          "description": "The account whose per-user audit policy was modified"
        },
        {
          "name": "AuditPolicyChanges",
          "xpath": "EventData/Data[@Name='AuditPolicyChanges']",
          "description": "The audit category and new setting; 'No Auditing' indicates the audit was suppressed for this user"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4912"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Per-User Audit Policy Set to No Auditing",
          "rule": "SecurityEvent\n| where EventID == 4912\n| where AuditPolicyChanges has \"No Auditing\"\n| project TimeGenerated, Computer, SubjectUserName, TargetUserName, AuditPolicyChanges\n| order by TimeGenerated desc",
          "notes": "Per-user audit exemptions are extremely rare in production. Any No Auditing setting for a specific user should be investigated immediately."
        },
        {
          "platform": "Sigma",
          "title": "Per User Audit Policy Modified",
          "rule": "title: Per User Audit Policy Modified\nstatus: experimental\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4912\n  condition: selection\nfalsepositives:\n  - Authorized security engineering changes\n  - Compliance tool configurations\nlevel: medium",
          "notes": "Increase to high when AuditPolicyChanges contains 'No Auditing'. Correlate TargetUserName with privileged account lists."
        }
      ],
      "volumeIndicator": "rare",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4946,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A change has been made to Windows Firewall exception list. A rule was added",
      "summary": "Windows Firewall rule added locally.",
      "details": "Generated when a new Windows Firewall rule is locally added. Does not fire for Group Policy-applied rules.",
      "category": "Firewall/Policy Change",
      "tags": [
        "firewall",
        "policy-change",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 4947,
          "log": "Security"
        },
        {
          "id": 4948,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1686",
          "techniqueName": "Disable or Modify System Firewall",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Rule direction is key — inbound rules that allow traffic on non-standard ports or from any source are high priority",
          "RuleName field may provide context but can be set to anything by the creator — do not rely on it alone",
          "Correlate timestamp with Security EID 4688 to identify the process that added the rule"
        ],
        "commonFalsePositives": [
          "Software installers adding firewall rules for their application during setup",
          "IT administrators adding rules for legitimate network access requirements"
        ]
      },
      "keyFields": [
        {
          "name": "RuleName",
          "xpath": "EventData/Data[@Name='RuleName']",
          "description": "Display name of the added firewall rule"
        },
        {
          "name": "RuleId",
          "xpath": "EventData/Data[@Name='RuleId']",
          "description": "Unique identifier for the firewall rule"
        },
        {
          "name": "Direction",
          "xpath": "EventData/Data[@Name='Direction']",
          "description": "Whether the rule applies to inbound or outbound traffic"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4946"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4947,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A change has been made to Windows Firewall exception list. A rule was modified",
      "summary": "Windows Firewall rule modified locally.",
      "details": "Generated when a Windows Firewall rule is locally modified. Does not fire for Group Policy-applied changes.",
      "category": "Firewall/Policy Change",
      "tags": [
        "firewall",
        "policy-change",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 4946,
          "log": "Security"
        },
        {
          "id": 4948,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1686",
          "techniqueName": "Disable or Modify System Firewall",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "RuleId links to the original rule — determine what the rule controlled before modification",
          "Modifications that change an action from Block to Allow or expand scope to Any are high priority",
          "Correlate with Security EID 4688 to identify the process that modified the rule"
        ],
        "commonFalsePositives": [
          "Software updates modifying their own firewall rules",
          "IT administrators adjusting rules for operational requirements"
        ]
      },
      "keyFields": [
        {
          "name": "RuleName",
          "xpath": "EventData/Data[@Name='RuleName']",
          "description": "Display name of the modified firewall rule"
        },
        {
          "name": "RuleId",
          "xpath": "EventData/Data[@Name='RuleId']",
          "description": "Unique identifier linking to the original rule"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4947"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4948,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A change has been made to Windows Firewall exception list. A rule was deleted",
      "summary": "Windows Firewall rule deleted locally.",
      "details": "Generated when a Windows Firewall rule is locally deleted. Does not fire for Group Policy-applied deletions.",
      "category": "Firewall/Policy Change",
      "tags": [
        "firewall",
        "policy-change",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 4946,
          "log": "Security"
        },
        {
          "id": 4947,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1686",
          "techniqueName": "Disable or Modify System Firewall",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Deletion of a blocking rule is higher priority than deletion of an allow rule — determine what traffic the deleted rule was blocking",
          "RuleId links back to EID 4946 if the rule was originally added locally — trace the rule's history",
          "Correlate with network activity following the deletion to determine if the removed rule was blocking attacker C2 or lateral movement traffic"
        ],
        "commonFalsePositives": [
          "Software uninstallers removing their own firewall rules",
          "IT administrators removing obsolete rules"
        ]
      },
      "keyFields": [
        {
          "name": "RuleName",
          "xpath": "EventData/Data[@Name='RuleName']",
          "description": "Display name of the deleted firewall rule"
        },
        {
          "name": "RuleId",
          "xpath": "EventData/Data[@Name='RuleId']",
          "description": "Unique identifier of the deleted rule; links to EID 4946 if originally added locally"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4948"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4964,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Special groups have been assigned to a new logon",
      "summary": "A logon matched the Special Groups monitoring list.",
      "details": "Generated when a user logs on who is a member of a group listed in the SpecialGroups registry value (HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Audit\\SpecialGroups). Fires at logon time and directly correlates group membership with an active session. Requires SpecialGroups to be pre-configured with monitored group SIDs.",
      "category": "Authentication/Privilege Escalation",
      "tags": [
        "authentication",
        "privileged-account",
        "logon",
        "monitoring"
      ],
      "relatedEventIds": [
        {
          "id": 4624,
          "log": "Security"
        },
        {
          "id": 4672,
          "log": "Security"
        },
        {
          "id": 4728,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1078",
          "techniqueName": "Valid Accounts",
          "tactics": [
            {
              "tacticId": "TA0001",
              "tacticName": "Initial Access"
            },
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            },
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            },
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "registry",
          "description": "The SpecialGroups registry value must be configured at HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Audit\\SpecialGroups with a multi-string list of group SIDs to monitor. Audit Special Logon must also be enabled under Advanced Audit Policy > Logon/Logoff."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "SidList reveals which monitored group SID the logon matched — correlate against your privileged group inventory",
          "Correlate SubjectLogonId with EID 4624 to find the corresponding logon event and extract source IP, logon type, and workstation name",
          "Logons from unexpected source hosts or using interactive logon type (2) for normally non-interactive privileged accounts are high priority",
          "This event does not fire if SpecialGroups is not configured — absence of EID 4964 does not mean no privileged logons occurred"
        ],
        "commonFalsePositives": [
          "Routine logons by privileged admins performing expected administrative tasks during business hours",
          "Service account logons (logon type 5) for accounts that are members of monitored groups"
        ]
      },
      "keyFields": [
        {
          "name": "SidList",
          "xpath": "EventData/Data[@Name='SidList']",
          "description": "SIDs of the matched special groups; resolve to group names for context"
        },
        {
          "name": "SubjectLogonId",
          "xpath": "EventData/Data[@Name='SubjectLogonId']",
          "description": "Logon session ID — correlate with EID 4624 LogonId to retrieve source IP, workstation, and logon type"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4964"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Privileged Account Logon via Special Groups",
          "rule": "SecurityEvent\n| where EventID == 4964\n| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName, SubjectLogonId, SidList\n| join kind=inner (\n    SecurityEvent\n    | where EventID == 4624\n    | project LogonId, IpAddress, LogonType, WorkstationName\n  ) on $left.SubjectLogonId == $right.LogonId\n| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName, SidList, IpAddress, LogonType, WorkstationName\n| order by TimeGenerated desc",
          "notes": "Requires SpecialGroups registry configuration. Join with EID 4624 to enrich with source IP and logon type. Alert on logon type 3 (network) from unexpected source IPs or outside business hours."
        },
        {
          "platform": "Sigma",
          "title": "Special Group Logon Detected",
          "rule": "title: Special Group Logon Detected\nstatus: experimental\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4964\n  condition: selection\nfalsepositives:\n  - Routine administrative logons by authorized privileged users\nlevel: medium",
          "notes": "Requires SpecialGroups registry to be pre-configured with target group SIDs. Correlate with EID 4624 for full logon context."
        }
      ],
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 4985,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "Information",
      "title": "The state of a transaction has changed",
      "summary": "The Kernel Transaction Manager recorded a state change for a file system transaction.",
      "details": "Generated when the state of a Kernel Transaction Manager (KTM) transaction changes. KTM enables Transactional NTFS (TxF), which allows file operations to be grouped into atomic transactions that either commit or roll back as a unit. This event has limited volume in most environments because TxF is rarely used by mainstream applications. Some ransomware families have used TxF transactions to atomically replace file contents, reducing the number of file I/O events generated per encrypted file. KTM transactions can also be used in DLL hijacking techniques where a DLL is transactionally replaced with a malicious version visible only within the transaction, allowing in-memory loading while the clean version remains on disk.",
      "category": "File System Activity",
      "tags": [
        "transactions",
        "txf",
        "ransomware",
        "defense-evasion",
        "file-system"
      ],
      "relatedEventIds": [
        {
          "id": 4656,
          "log": "Security"
        },
        {
          "id": 4663,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1486",
          "techniqueName": "Data Encrypted for Impact",
          "tactics": [
            {
              "tacticId": "TA0040",
              "tacticName": "Impact"
            }
          ]
        },
        {
          "techniqueId": "T1574.001",
          "techniqueName": "Hijack Execution Flow: DLL",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            },
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Object Access auditing must be enabled (specifically 'Audit File System' subcategory) for 4985 events to be generated."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "High volume of 4985 events from a single ProcessId touching many different files in rapid succession is a ransomware pattern — correlate with Sysmon EID 11 file creation events",
          "ProcessId for an unexpected or unsigned process generating TxF activity is anomalous — most legitimate TxF users are system components (Windows Installer, certain backup applications)",
          "TransactionId can be used to group all file operations belonging to a single logical transaction — useful for reconstructing what files were touched in an incident",
          "4985 events without corresponding file access events (4656/4663) may indicate the transaction was aborted — TxF DLL hijacking techniques sometimes abort transactions after loading their payload to clean up traces"
        ],
        "commonFalsePositives": [
          "Windows Installer (msiexec.exe) uses TxF for atomic software installation operations — high volume during software installs and updates",
          "Database engines and VSS writers using transactional file operations for consistency",
          "Backup software employing TxF-based consistent snapshot operations"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "User context of the transaction; SYSTEM or service accounts are expected; interactive user accounts are unusual"
        },
        {
          "name": "TransactionId",
          "xpath": "EventData/Data[@Name='TransactionId']",
          "description": "GUID of the transaction; use to group all related 4985 events and file access events belonging to one logical operation"
        },
        {
          "name": "ProcessId",
          "xpath": "EventData/Data[@Name='ProcessId']",
          "description": "Process that owns the transaction; unexpected processes using TxF are anomalous"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4985"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 5136,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A directory service object was modified",
      "summary": "An Active Directory object attribute was modified.",
      "details": "Generated when an Active Directory object's attribute is modified, provided DS Access auditing is enabled on the relevant OU or object. Critical attributes to monitor include adminSDHolder (ACL propagation abuse), groupType (group conversion attacks), msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD abuse), ntSecurityDescriptor (ACL modification for persistence), and member (group membership changes).",
      "category": "Privilege Escalation",
      "tags": [
        "active-directory",
        "privilege-escalation",
        "persistence",
        "acl-abuse"
      ],
      "relatedEventIds": [
        {
          "id": 5137,
          "log": "Security"
        },
        {
          "id": 5141,
          "log": "Security"
        },
        {
          "id": 4662,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1484.001",
          "techniqueName": "Domain or Tenant Policy Modification: Group Policy Modification",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            },
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            }
          ]
        },
        {
          "techniqueId": "T1098",
          "techniqueName": "Account Manipulation",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "AttributeLDAPDisplayName is the primary pivot — monitor adminSDHolder, ntSecurityDescriptor, msDS-AllowedToActOnBehalfOfOtherIdentity, and member",
          "SubjectUserName making AD object modifications outside of normal IT processes (change management windows) warrants investigation",
          "ntSecurityDescriptor changes on privileged groups (Domain Admins, Enterprise Admins) or high-value OUs may indicate ACL backdoor installation"
        ],
        "commonFalsePositives": [
          "Normal AD administrative operations — filtering to specific high-value attributes is required to reduce noise",
          "Group Policy applying attribute changes during policy refresh"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that modified the AD object"
        },
        {
          "name": "ObjectDN",
          "xpath": "EventData/Data[@Name='ObjectDN']",
          "description": "Distinguished name of the modified AD object"
        },
        {
          "name": "AttributeLDAPDisplayName",
          "xpath": "EventData/Data[@Name='AttributeLDAPDisplayName']",
          "description": "LDAP attribute that was changed"
        },
        {
          "name": "AttributeValue",
          "xpath": "EventData/Data[@Name='AttributeValue']",
          "description": "New value of the modified attribute"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5136"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 5137,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A directory service object was created",
      "summary": "A new Active Directory object was created.",
      "details": "Generated when a new Active Directory object is created, provided DS Access auditing is configured. New AD objects created outside of standard provisioning processes, particularly user accounts, computer accounts, group policy objects, or certificate templates, may represent persistence. New GPOs or certificate templates are particularly impactful as they can affect large numbers of systems.",
      "category": "Persistence",
      "tags": [
        "active-directory",
        "persistence",
        "account-management"
      ],
      "relatedEventIds": [
        {
          "id": 5136,
          "log": "Security"
        },
        {
          "id": 5141,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1098",
          "techniqueName": "Account Manipulation",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        },
        {
          "techniqueId": "T1484",
          "techniqueName": "Domain or Tenant Policy Modification",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            },
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "ObjectClass identifies the type of object created — new groupPolicyContainer or pKICertificateTemplate objects are highest priority",
          "ObjectDN placement reveals where the object was created — objects in high-privilege OUs or unexpected containers warrant investigation",
          "Correlate with EID 5136 for subsequent attribute modifications to the newly created object"
        ],
        "commonFalsePositives": [
          "Normal AD provisioning operations — IT creating user accounts, groups, GPOs, or service objects",
          "AD Recycle Bin restoring deleted objects"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that created the AD object"
        },
        {
          "name": "ObjectDN",
          "xpath": "EventData/Data[@Name='ObjectDN']",
          "description": "Full distinguished name of the newly created object"
        },
        {
          "name": "ObjectClass",
          "xpath": "EventData/Data[@Name='ObjectClass']",
          "description": "Type of AD object created (e.g., user, computer, groupPolicyContainer, pKICertificateTemplate)"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5137"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 5140,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A network share object was accessed",
      "summary": "Network share accessed.",
      "details": "Generated once per session on first access to a network share.",
      "category": "Network Share Access",
      "tags": [
        "file-share",
        "lateral-movement",
        "network"
      ],
      "relatedEventIds": [
        {
          "id": 5145,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1021.002",
          "techniqueName": "Remote Services: SMB/Windows Admin Shares",
          "tactics": [
            {
              "tacticId": "TA0008",
              "tacticName": "Lateral Movement"
            }
          ]
        },
        {
          "techniqueId": "T1039",
          "techniqueName": "Data from Network Shared Drive",
          "tactics": [
            {
              "tacticId": "TA0009",
              "tacticName": "Collection"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "ShareName of C$, ADMIN$, or IPC$ from an unexpected source is a lateral movement indicator — these shares are used by tools like PsExec, Impacket, and CrackMapExec",
          "IpAddress identifies the connecting host — flag sources outside expected management IP ranges",
          "Correlate with EID 5145 for file-level detail on what was accessed within the share"
        ],
        "commonFalsePositives": [
          "Backup software accessing administrative shares",
          "Endpoint management tools (SCCM, Ansible) accessing ADMIN$ for deployment"
        ]
      },
      "keyFields": [
        {
          "name": "ShareName",
          "xpath": "EventData/Data[@Name='ShareName']",
          "description": "Name of the accessed share (e.g., C$, ADMIN$, IPC$)"
        },
        {
          "name": "IpAddress",
          "xpath": "EventData/Data[@Name='IpAddress']",
          "description": "Source IP address of the connecting host"
        },
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account used to access the share"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-03-29"
    },
    {
      "id": 5141,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A directory service object was deleted",
      "summary": "An Active Directory object was deleted.",
      "details": "Generated when an Active Directory object is deleted. Deletion of AD objects as part of attack cleanup, for example removing a rogue computer account created for RBCD abuse, a backdoor user account, or a malicious GPO, is a defense evasion technique.",
      "category": "Defense Evasion",
      "tags": [
        "active-directory",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 5136,
          "log": "Security"
        },
        {
          "id": 5137,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1070",
          "techniqueName": "Indicator Removal",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate with EID 5137 — AD object deleted shortly after creation indicates cleanup of a persistence or abuse artifact",
          "ObjectDN class is important — deletion of groupPolicyContainer, pKICertificateTemplate, or computer objects are higher priority",
          "SubjectUserName performing unexpected deletions of privileged objects warrants immediate investigation"
        ],
        "commonFalsePositives": [
          "Normal AD housekeeping — IT deleting stale accounts, groups, or GPOs",
          "AD Recycle Bin enabled environments where deleted objects are moved rather than immediately removed"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that deleted the AD object"
        },
        {
          "name": "ObjectDN",
          "xpath": "EventData/Data[@Name='ObjectDN']",
          "description": "Distinguished name of the deleted object"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5141"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 5142,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A network share object was added",
      "summary": "A new network share was created.",
      "details": "Generated when a new file share is created on the system.",
      "category": "Lateral Movement/Persistence",
      "tags": [
        "file-share",
        "lateral-movement",
        "persistence"
      ],
      "relatedEventIds": [
        {
          "id": 5143,
          "log": "Security"
        },
        {
          "id": 5144,
          "log": "Security"
        },
        {
          "id": 5140,
          "log": "Security"
        },
        {
          "id": 4697,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1021.002",
          "techniqueName": "Remote Services: SMB/Windows Admin Shares",
          "tactics": [
            {
              "tacticId": "TA0008",
              "tacticName": "Lateral Movement"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit File Share must be enabled under Advanced Audit Policy > Object Access"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "SharePath is the most important field — shares pointing to system directories, user profile directories, or temp paths are suspicious",
          "ShareName ending in $ creates a hidden share — correlate with other admin share activity (EID 5140 on C$, ADMIN$, IPC$)",
          "Correlate SubjectUserName with EID 4624 to identify how the account accessed the system and whether the session was interactive or remote"
        ],
        "commonFalsePositives": [
          "IT administrators creating shares for software deployment, backup agents, or file server provisioning",
          "Application installers creating administrative shares as part of their setup process"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that created the share"
        },
        {
          "name": "ShareName",
          "xpath": "EventData/Data[@Name='ShareName']",
          "description": "Name of the new share; names ending in $ create hidden shares"
        },
        {
          "name": "SharePath",
          "xpath": "EventData/Data[@Name='SharePath']",
          "description": "Local file system path the share points to"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5142"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 5143,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A network share object was modified",
      "summary": "An existing network share's configuration was changed.",
      "details": "Generated when the configuration of an existing network share is modified, including changes to permissions, the share path, share description, or maximum connection count.",
      "category": "Lateral Movement/Persistence",
      "tags": [
        "file-share",
        "lateral-movement",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 5142,
          "log": "Security"
        },
        {
          "id": 5140,
          "log": "Security"
        },
        {
          "id": 5145,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1021.002",
          "techniqueName": "Remote Services: SMB/Windows Admin Shares",
          "tactics": [
            {
              "tacticId": "TA0008",
              "tacticName": "Lateral Movement"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit File Share must be enabled under Advanced Audit Policy > Object Access"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Permission changes granting Everyone or unauthenticated users access are the highest priority finding",
          "Changes to default admin shares (ADMIN$, C$, IPC$) are almost always significant — these shares are typically read-only and not modified by normal software",
          "Correlate SubjectUserName and modification time with EID 4624 logon events to understand what session was used for the modification"
        ],
        "commonFalsePositives": [
          "File server administrators adjusting share permissions as part of authorized access control changes",
          "Software deployment tools that temporarily modify share permissions during patch deployment"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that modified the share"
        },
        {
          "name": "ShareName",
          "xpath": "EventData/Data[@Name='ShareName']",
          "description": "Name of the modified share"
        },
        {
          "name": "OldRemark",
          "xpath": "EventData/Data[@Name='OldRemark']",
          "description": "Previous share description"
        },
        {
          "name": "NewRemark",
          "xpath": "EventData/Data[@Name='NewRemark']",
          "description": "Updated share description"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5143"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 5144,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A network share object was deleted",
      "summary": "A network share was removed.",
      "details": "Generated when a network share is deleted. Share deletion can represent cleanup activity, such as removing a temporary share that was used for tool staging or data collection. A share created shortly before (EID 5142) and deleted shortly after with activity in between (EID 5140/5145) indicates deliberate temporary share creation. Also relevant for availability, as deleting production shares can disrupt business operations.",
      "category": "Defense Evasion",
      "tags": [
        "file-share",
        "defense-evasion",
        "lateral-movement"
      ],
      "relatedEventIds": [
        {
          "id": 5142,
          "log": "Security"
        },
        {
          "id": 5143,
          "log": "Security"
        },
        {
          "id": 5140,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1070",
          "techniqueName": "Indicator Removal",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit File Share must be enabled under Advanced Audit Policy > Object Access"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate with EID 5142 — a share created and deleted within minutes or hours is a strong indicator of temporary attacker staging",
          "Check for EID 5140 or EID 5145 events against the deleted share between its creation and deletion timestamps",
          "SubjectUserName performing the deletion — if different from the creator (EID 5142 SubjectUserName) it may indicate a second attacker phase or cleanup script"
        ],
        "commonFalsePositives": [
          "Administrators removing obsolete shares during file server housekeeping",
          "Software uninstallers removing shares created during installation"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account that deleted the share"
        },
        {
          "name": "ShareName",
          "xpath": "EventData/Data[@Name='ShareName']",
          "description": "Name of the deleted share"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5144"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 5145,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "A network share object was checked to see whether client can be granted desired access",
      "summary": "Detailed network share file/folder access check.",
      "details": "Generated per-file or per-folder on network share access, providing more granularity than EID 5140. Failure events indicate share-level access denials. High-volume event.",
      "category": "Network Share Access",
      "tags": [
        "file-share",
        "lateral-movement",
        "network"
      ],
      "relatedEventIds": [
        {
          "id": 5140,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1021.002",
          "techniqueName": "Remote Services: SMB/Windows Admin Shares",
          "tactics": [
            {
              "tacticId": "TA0008",
              "tacticName": "Lateral Movement"
            }
          ]
        },
        {
          "techniqueId": "T1039",
          "techniqueName": "Data from Network Shared Drive",
          "tactics": [
            {
              "tacticId": "TA0009",
              "tacticName": "Collection"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "RelativeTargetName shows the specific file or folder path within the share — flag access to executables, scripts, or sensitive configuration files",
          "Accesses field showing WriteData, AppendData, or DELETE on share paths is a data staging or destructive access indicator",
          "Failure events indicate access was denied — repeated failures from one source may indicate reconnaissance or an unauthorized access attempt"
        ],
        "commonFalsePositives": [
          "Normal file server access by users — very high volume; effective use requires targeted filtering",
          "Backup operations accessing large numbers of files across shares"
        ]
      },
      "keyFields": [
        {
          "name": "ShareName",
          "xpath": "EventData/Data[@Name='ShareName']",
          "description": "Name of the accessed share"
        },
        {
          "name": "RelativeTargetName",
          "xpath": "EventData/Data[@Name='RelativeTargetName']",
          "description": "File or folder path within the share that was accessed"
        },
        {
          "name": "Accesses",
          "xpath": "EventData/Data[@Name='Accesses']",
          "description": "Access type requested (e.g., ReadData, WriteData, DELETE)"
        },
        {
          "name": "IpAddress",
          "xpath": "EventData/Data[@Name='IpAddress']",
          "description": "Source IP address of the connecting host"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5145"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-03-29"
    },
    {
      "id": 5152,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditFailure",
      "title": "The Windows Filtering Platform blocked a packet",
      "summary": "WFP dropped a network packet.",
      "details": "Generated when the Windows Filtering Platform (WFP) drops a network packet, typically because no WFP filter permits the packet. This event fires at the packet level and is extremely high-volume in most environments.",
      "category": "Network/Filtering Platform",
      "tags": [
        "network",
        "firewall",
        "wfp",
        "packet-drop"
      ],
      "relatedEventIds": [
        {
          "id": 5157,
          "log": "Security"
        },
        {
          "id": 5156,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1071",
          "techniqueName": "Application Layer Protocol",
          "tactics": [
            {
              "tacticId": "TA0011",
              "tacticName": "Command and Control"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Filtering Platform Packet Drop must be enabled under Advanced Audit Policy > Object Access. Note: extremely high-volume; filter aggressively in production."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Filter on Application — blocked packets from non-standard binaries, scripting engines, or processes in user-writable directories are highest priority",
          "DestAddress and DestPort: outbound blocks to external IPs on unusual ports (4444, 8080, 443 from non-browser processes) indicate C2 attempts",
          "Correlate with Firewall EID 2004 (rule added) shortly after — attackers may add a permitting rule to bypass the block"
        ],
        "commonFalsePositives": [
          "High volume of normal traffic blocked by default deny firewall rules — must be filtered to reduce noise",
          "Applications attempting network connections before the network adapter is fully initialized at boot"
        ]
      },
      "keyFields": [
        {
          "name": "Application",
          "xpath": "EventData/Data[@Name='Application']",
          "description": "Process associated with the dropped packet"
        },
        {
          "name": "SourceAddress",
          "xpath": "EventData/Data[@Name='SourceAddress']",
          "description": "Source IP address of the dropped packet"
        },
        {
          "name": "DestAddress",
          "xpath": "EventData/Data[@Name='DestAddress']",
          "description": "Destination IP address of the dropped packet"
        },
        {
          "name": "SourcePort",
          "xpath": "EventData/Data[@Name='SourcePort']",
          "description": "Source port of the dropped packet"
        },
        {
          "name": "DestPort",
          "xpath": "EventData/Data[@Name='DestPort']",
          "description": "Destination port of the dropped packet"
        },
        {
          "name": "Protocol",
          "xpath": "EventData/Data[@Name='Protocol']",
          "description": "Network protocol (TCP, UDP, etc.)"
        },
        {
          "name": "FilterRTID",
          "xpath": "EventData/Data[@Name='FilterRTID']",
          "description": "Runtime ID of the WFP filter that blocked the packet"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5152"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 5156,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "The Windows Filtering Platform has allowed a connection",
      "summary": "WFP permitted a network connection.",
      "details": "Generated when the Windows Filtering Platform allows a network connection. This event is extremely high-volume and should only be enabled with aggressive filtering. Sysmon EID 3 (NetworkConnect) provides a less noisy alternative with process context.",
      "category": "Network/Filtering Platform",
      "tags": [
        "network",
        "firewall",
        "wfp",
        "connection"
      ],
      "relatedEventIds": [
        {
          "id": 5157,
          "log": "Security"
        },
        {
          "id": 5152,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1071",
          "techniqueName": "Application Layer Protocol",
          "tactics": [
            {
              "tacticId": "TA0011",
              "tacticName": "Command and Control"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Filtering Platform Connection must be enabled under Advanced Audit Policy > Object Access. Extremely high-volume; consider using Sysmon EID 3 as a targeted alternative."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Application field is the highest-value pivot — connections from scripting engines, living-off-the-land binaries, or unexpected system processes indicate attacker activity",
          "Outbound connections on port 445 (SMB) or port 135 (RPC) from process names like cmd.exe, powershell.exe, or wmic.exe indicate lateral movement tool execution",
          "Compare DestAddress against known-bad threat intelligence feeds for C2 IP detection"
        ],
        "commonFalsePositives": [
          "Extremely high volume of normal connections from legitimate applications — requires aggressive per-application filtering",
          "Security and monitoring tools making frequent connections to management infrastructure"
        ]
      },
      "keyFields": [
        {
          "name": "Application",
          "xpath": "EventData/Data[@Name='Application']",
          "description": "Process that made or received the connection"
        },
        {
          "name": "Direction",
          "xpath": "EventData/Data[@Name='Direction']",
          "description": "Whether the connection is inbound or outbound"
        },
        {
          "name": "SourceAddress",
          "xpath": "EventData/Data[@Name='SourceAddress']",
          "description": "Source IP address"
        },
        {
          "name": "DestAddress",
          "xpath": "EventData/Data[@Name='DestAddress']",
          "description": "Destination IP address"
        },
        {
          "name": "SourcePort",
          "xpath": "EventData/Data[@Name='SourcePort']",
          "description": "Source port"
        },
        {
          "name": "DestPort",
          "xpath": "EventData/Data[@Name='DestPort']",
          "description": "Destination port"
        },
        {
          "name": "Protocol",
          "xpath": "EventData/Data[@Name='Protocol']",
          "description": "Network protocol (TCP, UDP, etc.)"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5156"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 5157,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditFailure",
      "title": "The Windows Filtering Platform has blocked a connection",
      "summary": "WFP blocked a network connection attempt.",
      "details": "Generated when the Windows Filtering Platform blocks a network connection. Unlike EID 5152 (packet-level drop), EID 5157 fires at the connection level when a WFP filter explicitly blocks a connection request.",
      "category": "Network/Filtering Platform",
      "tags": [
        "network",
        "firewall",
        "wfp",
        "connection-blocked"
      ],
      "relatedEventIds": [
        {
          "id": 5156,
          "log": "Security"
        },
        {
          "id": 5152,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1021.001",
          "techniqueName": "Remote Services: Remote Desktop Protocol",
          "tactics": [
            {
              "tacticId": "TA0008",
              "tacticName": "Lateral Movement"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Audit Filtering Platform Connection must be enabled under Advanced Audit Policy > Object Access. High-volume; filter to specific applications and ports."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Inbound blocks on port 3389 from multiple external source IPs indicate RDP brute-force scanning — correlate with EID 4625 for any that got through",
          "Outbound blocks from scripting engines or unusual processes indicate blocked C2 traffic — investigate the Application and check for persistence",
          "Repeated blocks to a specific DestAddress may indicate an attacker repeatedly attempting to reach a C2 that is being blocked by network or host firewall rules"
        ],
        "commonFalsePositives": [
          "Applications attempting network connections to services that are not running or not accessible in the current network segment",
          "Host-based firewall blocking legitimate but unexpected connections from newly installed software"
        ]
      },
      "keyFields": [
        {
          "name": "Application",
          "xpath": "EventData/Data[@Name='Application']",
          "description": "Process whose connection was blocked"
        },
        {
          "name": "Direction",
          "xpath": "EventData/Data[@Name='Direction']",
          "description": "Whether the blocked connection was inbound or outbound"
        },
        {
          "name": "SourceAddress",
          "xpath": "EventData/Data[@Name='SourceAddress']",
          "description": "Source IP address of the blocked connection"
        },
        {
          "name": "DestAddress",
          "xpath": "EventData/Data[@Name='DestAddress']",
          "description": "Destination IP address of the blocked connection"
        },
        {
          "name": "SourcePort",
          "xpath": "EventData/Data[@Name='SourcePort']",
          "description": "Source port"
        },
        {
          "name": "DestPort",
          "xpath": "EventData/Data[@Name='DestPort']",
          "description": "Destination port"
        },
        {
          "name": "Protocol",
          "xpath": "EventData/Data[@Name='Protocol']",
          "description": "Network protocol (TCP, UDP, etc.)"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5157"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 5379,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Credential Manager credentials were read",
      "summary": "A process read credentials from the Credential Manager vault.",
      "details": "Generated when credentials stored in the Windows Credential Manager vault are read. Credential Manager stores domain credentials, Windows credentials, and certificate-based credentials.",
      "category": "Credential Access",
      "tags": [
        "credential-manager",
        "credential-access",
        "credential-theft"
      ],
      "relatedEventIds": [
        {
          "id": 4624,
          "log": "Security"
        },
        {
          "id": 4688,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1555.004",
          "techniqueName": "Credentials from Password Stores: Windows Credential Manager",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "CallerProcessName is the primary pivot — flag non-standard processes, scripting engines, and known credential dumping tools accessing the vault",
          "TargetName reveals which stored credential was accessed — domain credentials, RDP shortcuts, or application passwords are high value to attackers",
          "Correlate with Security EID 4624 and EID 4688 to identify concurrent authentication and process activity"
        ],
        "commonFalsePositives": [
          "Applications that store and retrieve their own credentials from Credential Manager (e.g., browsers, VPN clients, email clients)",
          "Windows authentication components legitimately accessing stored credentials for SSO"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account reading credentials; SYSTEM is normal for credential manager operations, other accounts are suspicious"
        },
        {
          "name": "TargetName",
          "xpath": "EventData/Data[@Name='TargetName']",
          "description": "Name of the credential being read; domain credentials, certificate credentials, or generic stored creds"
        },
        {
          "name": "CountOfCredentialsReturned",
          "xpath": "EventData/Data[@Name='CountOfCredentialsReturned']",
          "description": "Number of credentials returned; bulk reads (>5) by non-SYSTEM processes suggest credential harvesting"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5379"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "detectionRules": [
        {
          "platform": "KQL",
          "title": "Credential Manager Bulk Read — Potential Harvesting",
          "rule": "SecurityEvent\n| where EventID == 5379\n| where SubjectUserName != \"SYSTEM\"\n| where CountOfCredentialsReturned > 5\n| project TimeGenerated, SubjectUserName, SubjectDomainName, TargetName, CountOfCredentialsReturned, Computer",
          "notes": "Filters out normal SYSTEM reads. High CountOfCredentialsReturned from a user context may indicate credential manager dumping (e.g., via Windows Credential Manager enumeration)."
        },
        {
          "platform": "Splunk",
          "title": "Credential Manager High-Volume Read",
          "rule": "index=wineventlog EventCode=5379 NOT Account_Name=SYSTEM Count_Of_Credentials_Returned>5\n| table _time, Account_Name, Target_Name, Count_Of_Credentials_Returned, host",
          "notes": "Non-SYSTEM accounts reading more than 5 credentials from Credential Manager."
        },
        {
          "platform": "Sigma",
          "title": "Credential Manager Credentials Read by Non-System Account",
          "rule": "title: Credential Manager Credentials Read by Non-System Account\nstatus: experimental\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 5379\n    filter_system:\n        SubjectUserName: 'SYSTEM'\n    condition: selection and not filter_system\nfalsepositives:\n    - Credential Manager UI usage by users\n    - Applications that enumerate stored credentials legitimately\nlevel: low",
          "notes": "Low severity individually; correlate with process creation events to identify the reading process."
        }
      ],
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 6272,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Network Policy Server granted access to a user",
      "summary": "NPS (RADIUS) authentication succeeded.",
      "details": "Generated when a Network Policy Server (NPS) grants network access to a user through RADIUS authentication. NPS is used for VPN, 802.1x wireless/wired, RD Gateway, and DirectAccess authentication.",
      "category": "VPN/Network Access Authentication",
      "tags": [
        "nps",
        "radius",
        "vpn",
        "authentication"
      ],
      "relatedEventIds": [
        {
          "id": 6273,
          "log": "Security"
        },
        {
          "id": 4624,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1078",
          "techniqueName": "Valid Accounts",
          "tactics": [
            {
              "tacticId": "TA0001",
              "tacticName": "Initial Access"
            },
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "log-enablement",
          "description": "NPS must be installed and configured. Audit logon/logoff events must be enabled on the NPS server."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "CalledStationID identifies which VPN/network device the user connected through — flag connections through unusual or unrecognized access devices",
          "CallingStationID for VPN is the client's public IP — geolocation against expected user locations identifies impossible travel scenarios",
          "Correlate with subsequent EID 4624 Type 3 logon events to trace what the user accessed after VPN authentication"
        ],
        "commonFalsePositives": [
          "Normal remote worker VPN authentication events — very high volume in environments with large remote workforces",
          "Automated VPN clients reconnecting after network drops"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account granted network access"
        },
        {
          "name": "FullyQualifiedSubjectUserName",
          "xpath": "EventData/Data[@Name='FullyQualifiedSubjectUserName']",
          "description": "Fully qualified account name including domain"
        },
        {
          "name": "CalledStationID",
          "xpath": "EventData/Data[@Name='CalledStationID']",
          "description": "Network access device identifier (VPN concentrator, wireless AP, switch)"
        },
        {
          "name": "CallingStationID",
          "xpath": "EventData/Data[@Name='CallingStationID']",
          "description": "Client identifier (MAC address for 802.1x or client IP for VPN)"
        },
        {
          "name": "NASPortType",
          "xpath": "EventData/Data[@Name='NASPortType']",
          "description": "Type of network access (VPN, wireless, wired)"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd772738(v=ws.10)"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 6273,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditFailure",
      "title": "Network Policy Server denied access to a user",
      "summary": "NPS (RADIUS) authentication failed.",
      "details": "Generated when a Network Policy Server denies network access to a user. Denial reason codes are the primary differentiator: 16 (Authentication failed) indicates bad credentials; 23 (Expired password) indicates a valid account with an expired password; 65 (Certificate error) may indicate an MFA or certificate issue. Multiple EID 6273 events with ReasonCode 16 from the same CallingStationID against multiple usernames is a classic VPN password spray pattern.",
      "category": "VPN/Network Access Authentication",
      "tags": [
        "nps",
        "radius",
        "vpn",
        "authentication-failure",
        "password-spray"
      ],
      "relatedEventIds": [
        {
          "id": 6272,
          "log": "Security"
        },
        {
          "id": 4625,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1110.003",
          "techniqueName": "Brute Force: Password Spraying",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "log-enablement",
          "description": "NPS must be installed and configured. Audit logon/logoff events must be enabled on the NPS server."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "ReasonCode 16 (Authentication failed) from one CallingStationID targeting many SubjectUserName values is a VPN spray attack",
          "CallingStationID (source IP) clustering — many failures from the same external IP indicates a single-source attack; distributed IPs suggest botnet spray",
          "Correlate with EID 6272 — a single successful auth after many 6273 failures indicates the spray succeeded"
        ],
        "commonFalsePositives": [
          "Users with expired passwords or misconfigured VPN clients generating repeated failures",
          "Device certificate renewal failures during 802.1x reauthentication"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account denied network access"
        },
        {
          "name": "ReasonCode",
          "xpath": "EventData/Data[@Name='ReasonCode']",
          "description": "Numeric denial reason (16=auth failed, 23=expired password, 65=certificate error)"
        },
        {
          "name": "CalledStationID",
          "xpath": "EventData/Data[@Name='CalledStationID']",
          "description": "Network access device identifier"
        },
        {
          "name": "CallingStationID",
          "xpath": "EventData/Data[@Name='CallingStationID']",
          "description": "Client identifier (source IP for VPN, MAC for 802.1x)"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd772738(v=ws.10)"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 6274,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Network Policy Server discarded the request for a user",
      "summary": "NPS discarded a network access request.",
      "details": "Generated when a Network Policy Server discards a network access request without granting or denying access. This typically occurs when a request does not match any configured network policy, when the request is malformed, or when the RADIUS client is not authorized.",
      "category": "VPN/Network Access Authentication",
      "tags": [
        "nps",
        "radius",
        "vpn",
        "reconnaissance"
      ],
      "relatedEventIds": [
        {
          "id": 6273,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1046",
          "techniqueName": "Network Service Discovery",
          "tactics": [
            {
              "tacticId": "TA0007",
              "tacticName": "Discovery"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "log-enablement",
          "description": "NPS must be installed and configured. Audit logon/logoff events must be enabled on the NPS server."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "CallingStationID of an unknown or unexpected source IP generating discarded requests indicates unauthorized RADIUS client activity",
          "High volume of discarded requests against known NPS servers may indicate RADIUS protocol scanning or fuzzing",
          "Correlate with firewall logs to identify whether the source IP has other suspicious connections to internal infrastructure"
        ],
        "commonFalsePositives": [
          "Misconfigured RADIUS clients (switches, APs, VPN concentrators) sending requests not matching any policy",
          "Legacy network access devices sending requests in a format not recognized by the NPS"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account associated with the discarded request"
        },
        {
          "name": "CalledStationID",
          "xpath": "EventData/Data[@Name='CalledStationID']",
          "description": "Network access device identifier"
        },
        {
          "name": "CallingStationID",
          "xpath": "EventData/Data[@Name='CallingStationID']",
          "description": "Client identifier (source IP or MAC address)"
        },
        {
          "name": "ReasonCode",
          "xpath": "EventData/Data[@Name='ReasonCode']",
          "description": "Reason the request was discarded"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd772738(v=ws.10)"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 6276,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Network Policy Server quarantined a user",
      "summary": "NPS placed a user connection into quarantine.",
      "details": "Generated when a Network Policy Server grants network access but places the user in quarantine due to a Network Access Protection (NAP) posture check failure. The user receives limited network access (remediation resources only) until their device meets the health policy.",
      "category": "VPN/Network Access Authentication",
      "tags": [
        "nps",
        "radius",
        "vpn",
        "nap",
        "quarantine"
      ],
      "relatedEventIds": [
        {
          "id": 6272,
          "log": "Security"
        },
        {
          "id": 6278,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1078",
          "techniqueName": "Valid Accounts",
          "tactics": [
            {
              "tacticId": "TA0001",
              "tacticName": "Initial Access"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "log-enablement",
          "description": "NPS with Network Access Protection (NAP) must be configured. Audit logon/logoff events must be enabled on the NPS server."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate QuarantineSysHRS to identify which health requirement failed — failure details may reveal the specific compliance gap",
          "An endpoint consistently placed in quarantine despite remediation attempts may indicate a managed device being used by an unauthorized party",
          "Correlate with EID 6278 (full access granted) to determine if the quarantine was eventually bypassed"
        ],
        "commonFalsePositives": [
          "Endpoints temporarily out of compliance due to delayed patch application or AV signature updates",
          "New devices connecting to the network for the first time before health agent installation completes"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account placed in quarantine"
        },
        {
          "name": "CalledStationID",
          "xpath": "EventData/Data[@Name='CalledStationID']",
          "description": "Network access device identifier"
        },
        {
          "name": "CallingStationID",
          "xpath": "EventData/Data[@Name='CallingStationID']",
          "description": "Client identifier"
        },
        {
          "name": "QuarantineSysHRS",
          "xpath": "EventData/Data[@Name='QuarantineSysHRS']",
          "description": "Health requirement server that triggered the quarantine"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd772738(v=ws.10)"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 6277,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Network Policy Server granted access to a user but put it on probation",
      "summary": "NPS granted access but placed the connection on probation due to a health policy issue.",
      "details": "Generated when a Network Policy Server grants full network access but logs a probationary status because the connecting device has a minor health policy violation that does not trigger full quarantine. The user receives full access while the health issue is noted. This is a transitional state in Network Access Protection environments.",
      "category": "VPN/Network Access Authentication",
      "tags": [
        "nps",
        "radius",
        "vpn",
        "nap"
      ],
      "relatedEventIds": [
        {
          "id": 6272,
          "log": "Security"
        },
        {
          "id": 6276,
          "log": "Security"
        }
      ],
      "prerequisites": [
        {
          "type": "log-enablement",
          "description": "NPS with Network Access Protection (NAP) must be configured. Audit logon/logoff events must be enabled on the NPS server."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Identify the specific health requirement that triggered probationary status and remediate the endpoint",
          "Persistent probationary access for the same SubjectUserName over multiple sessions indicates an unresolved compliance gap",
          "Correlate with the endpoint's patch and AV status to identify the root health policy violation"
        ],
        "commonFalsePositives": [
          "Endpoints in transitional compliance states during software updates or policy rollout",
          "Newly enrolled devices connecting before all management agents are fully configured"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account granted probationary access"
        },
        {
          "name": "CalledStationID",
          "xpath": "EventData/Data[@Name='CalledStationID']",
          "description": "Network access device identifier"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd772738(v=ws.10)"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 6278,
      "log": "Security",
      "provider": "Microsoft-Windows-Security-Auditing",
      "channel": "Security",
      "level": "AuditSuccess",
      "title": "Network Policy Server granted full access to a user because the host met the defined health policy",
      "summary": "NPS granted full access after health policy compliance was verified.",
      "details": "Generated when a Network Policy Server grants a user full network access after confirming that the connecting device meets all defined health policy requirements. This is the successful outcome of a NAP evaluation, meaning the device passed posture assessment and received unrestricted network access.",
      "category": "VPN/Network Access Authentication",
      "tags": [
        "nps",
        "radius",
        "vpn",
        "nap"
      ],
      "relatedEventIds": [
        {
          "id": 6272,
          "log": "Security"
        },
        {
          "id": 6276,
          "log": "Security"
        }
      ],
      "prerequisites": [
        {
          "type": "log-enablement",
          "description": "NPS with Network Access Protection (NAP) must be configured. Audit logon/logoff events must be enabled on the NPS server."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "An endpoint that previously generated EID 6276 (quarantine) or EID 6277 (probation) then receiving EID 6278 may indicate successful remediation — or manipulation of the health agent",
          "Correlate the endpoint's reported health state with independent endpoint management data (SCCM, Intune, EDR) to verify compliance was genuine",
          "CalledStationID identifies the access device the user connected through — verify it matches an authorized NAP-enforced access point"
        ],
        "commonFalsePositives": [
          "Normal compliant endpoint authentication in any NAP-enforced environment — high volume expected"
        ]
      },
      "keyFields": [
        {
          "name": "SubjectUserName",
          "xpath": "EventData/Data[@Name='SubjectUserName']",
          "description": "Account granted full access"
        },
        {
          "name": "CalledStationID",
          "xpath": "EventData/Data[@Name='CalledStationID']",
          "description": "Network access device the user connected through"
        },
        {
          "name": "CallingStationID",
          "xpath": "EventData/Data[@Name='CallingStationID']",
          "description": "Client identifier (source IP or MAC address)"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd772738(v=ws.10)"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    }
  ]
}