Ftrsec

EventCodes

List of notable EventCodes and how to enable them through GPO.

| EventCode | Description | Audit configuration | Action | Category |
|---|---|---|---|---|
| 4104 | Microsoft-Windows-PowerShell/Operational | Go to Administrative Templates -> Windows Components -> Windows PowerShell | Select Turn on PowerShell Script Block Logging -> Select Enabled | Script Block Logging |
| 4104 | Saved in text | Go to Administrative Templates -> Windows Components -> Windows PowerShell and select Turn on PowerShell Transcription | Select Enabled and choose a directory to save PowerShell transcripts; otherwise they are stored in the user's Documents folder | Optional: PowerShell transcription |
| 4624 | An account was successfully logged on | Select Logon/Logoff | Select Audit Logon and check both success and failure audit events | Logon |
| 4625 | An account failed to log on | Select Logon/Logoff | Select Audit Account Lockout and check both success and failure audit events | Audit Account Lockout |
| 4627 | Group membership information | Select Logon/Logoff | Select Audit Group Membership and check both success and failure audit events | Group Membership |
| 4634 | An account was logged off | Select Logon/Logoff | Select Audit Logoff and check both success and failure audit events | Logoff |
| 4648 | A logon was attempted using explicit credentials | Select Logon/Logoff | Select Audit Logon and check both success and failure audit events | Logon |
| 4649 | A replay attack was detected | Select Logon/Logoff | Select Audit Other Logon/Logoff Events and check both success and failure audit events | Other Logon/Logoff Events |
| 4670 | Permissions on an object were changed | Select Policy Change | Select Authentication Policy Change and check both success and failure audit events | Authentication Policy Change |
| 4672 | Special privileges assigned to new logon | Select Logon/Logoff | Select Audit Special Logon and check both success and failure audit events | Special Logon |
| 4674 | An operation was attempted on a privileged object | Select Privilege Use | Select Audit Sensitive Privilege Use and check both success and failure audit events | Sensitive Privilege Use |
| 4675 | SIDs were filtered | Select Logon/Logoff | Select Audit Logon and check both success and failure audit events | Logon |
| 4688 | A new process has been created | Select Detailed Tracking | Select Audit Process Creation and check both success and failure audit events | Process Creation |
| 4697 | A service was installed in the system | Select System | Select Audit Security System Extension and check both success and failure audit events | Security System Extension |
| 4698 | A scheduled task was created | Select Object Access | Select Audit Other Object Access Events and check both success and failure audit events | Other Object Access Events |
| 4702 | A scheduled task was updated | Select Object Access | Select Audit Other Object Access Events and check both success and failure audit events | Other Object Access Events |
| 4703 | A user right was adjusted | Select Policy Change | Select Authorization Policy Change and check both success and failure audit events | Authorization Policy Change |
| 4704 | A user right was assigned | Select Policy Change | Select Authorization Policy Change and check both success and failure audit events | Authorization Policy Change |
| 4705 | A user right was removed | Select Policy Change | Select Authorization Policy Change and check both success and failure audit events | Authorization Policy Change |
| 4706 | A new trust was created to a domain | Select Policy Change | Select Authentication Policy Change and check both success and failure audit events | Authentication Policy Change |
| 4719 | System audit policy was changed | Select Policy Change | Select Audit Policy Change and check both success and failure audit events | Audit Policy Change |
| 4720 | A user account was created | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
| 4722 | A user account was enabled | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
| 4723 | An attempt was made to change an account's password | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
| 4724 | An attempt was made to reset an account's password | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
| 4725 | A user account was disabled | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
| 4726 | A user account was deleted | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
| 4727 | A security-enabled global group was created | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
| 4728 | A member was added to a security-enabled global group | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
| 4729 | A member was removed from a security-enabled global group | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
| 4730 | A security-enabled global group was deleted | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
| 4731 | A security-enabled local group was created | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
| 4732 | A member was added to a security-enabled local group | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
| 4733 | A member was removed from a security-enabled local group | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
| 4734 | A security-enabled local group was deleted | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
| 4735 | A security-enabled local group was changed | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
| 4737 | A security-enabled global group was changed | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
| 4738 | A user account was changed | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
| 4739 | Domain Policy was changed | Select Policy Change | Select Authentication Policy Change and check both success and failure audit events | Authentication Policy Change |
| 4740 | A user account was locked out | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
| 4741 | A computer account was created | Select Account Management | Select Computer Account Management and check both success and failure audit events | Computer Account Management |
| 4742 | A computer account was changed | Select Account Management | Select Computer Account Management and check both success and failure audit events | Computer Account Management |
| 4754 | A security-enabled universal group was created | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
| 4755 | A security-enabled universal group was changed | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
| 4756 | A member was added to a security-enabled universal group | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
| 4757 | A member was removed from a security-enabled universal group | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
| 4758 | A security-enabled universal group was deleted | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
| 4765 | SID History was added to an account | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
| 4766 | An attempt to add SID History to an account failed | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
| 4767 | A user account was unlocked | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
| 4768 | A Kerberos authentication ticket (TGT) was requested | Select Account Logon | Select Audit Kerberos Authentication Service and check both success and failure audit events | Kerberos Authentication Service |
| 4769 | A Kerberos service ticket was requested | Select Account Logon | Select Audit Kerberos Service Ticket Operations and check both success and failure audit events | Kerberos Service Ticket Operations |
| 4770 | A Kerberos service ticket was renewed | Select Account Logon | Select Audit Kerberos Service Ticket Operations and check both success and failure audit events | Kerberos Service Ticket Operations |
| 4771 | Kerberos pre-authentication failed | Select Account Logon | Select Audit Kerberos Authentication Service and check both success and failure audit events | Kerberos Authentication Service |
| 4776 | The computer attempted to validate the credentials for an account | Select Account Logon | Select Security Group Management and check both success and failure audit events | Credential Validation |
| 4778 | A session was reconnected to a Window Station | Select Logon/Logoff | Select Audit Other Logon/Logoff Events and check both success and failure audit events | Other Logon/Logoff Events |
| 4779 | A session was disconnected from a Window Station | Select Logon/Logoff | Select Audit Other Logon/Logoff Events and check both success and failure audit events | Other Logon/Logoff Events |
| 4780 | The ACL was set on accounts which are members of administrators groups | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
| 4781 | The name of an account was changed | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
| 4794 | An attempt was made to set the Directory Services Restore Mode administrator password | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
| 4798 | A user's local group membership was enumerated | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
| 4799 | A security-enabled local group membership was enumerated | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
| 4865 | A trusted forest information entry was added | Select Policy Change | Select Authentication Policy Change and check both success and failure audit events | Authentication Policy Change |
| 4886 | Certificate Services received a certificate request | Select Object Access | Select Audit Certification Services and check both success and failure audit events | Audit Certification Services |
| 4887 | Certificate Services approved a certificate request and issued a certificate | Select Object Access | Select Audit Certification Services and check both success and failure audit events | Audit Certification Services |
| 4906 | The CrashOnAuditFail value has changed | Select Policy Change | Select Audit Policy Change and check both success and failure audit events | Audit Policy Change |
| 4908 | Special Groups Logon table modified | Select Policy Change | Select Audit Policy Change and check both success and failure audit events | Audit Policy Change |
| 4911 | Resource attributes of the object were changed | Select Policy Change | Select Authorization Policy Change and check both success and failure audit events | Authorization Policy Change |
| 4913 | Central Access Policy on the object was changed | Select Policy Change | Select Authorization Policy Change and check both success and failure audit events | Authorization Policy Change |
| 4964 | Special groups have been assigned to a new logon | Select Logon/Logoff | Select Audit Special Logon and check both success and failure audit events | Special Logon |
| 5140 | A network share object was accessed | Select Object Access | Select Audit File Share and check both success and failure audit events | Audit File Share |
| 5142 | A network share object was added | Select Object Access | Select Audit File Share and check both success and failure audit events | Audit File Share |
| 5145 | A network share object was checked to see whether client can be granted desired access | Select Object Access | Select Audit Detailed File Share and check both success and failure audit events | Audit Detailed File Share |
| 800 | Pipeline Execution Details | Go to Administrative Templates -> Windows Components -> Windows PowerShell | Select Turn on Module Logging -> Select Enabled. In the Options pane click Show, enter '*' in the Module Names window to record all modules, then click OK | Pipeline execution |

Some considerations:

  • Enable command line auditing for EventCode 4688:
    Administrative Templates\System\Audit Process Creation -> Include command line in process creation events
  • PowerShell 5 or later is required (for script block logging and enhanced logging)
  • Enable ADCS logging on your ADCS servers, given the rise of ESC attacks
  • Consider applying separate GPOs per device type (Windows, Windows Server, SQL Server, AD)
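Once the GPOs above have applied, the effective settings on a host can drift from the table (a later GPO, a local override, a missing module name). The following verification script is an added example, not part of the original page: it compares the host's effective audit policy with the subcategories the table expects and checks the registry values behind the PowerShell logging and command line auditing settings. It assumes an elevated PowerShell 5+ session on an English-language system (auditpol subcategory names are localized), and uses auditpol's own subcategory names, which drop the "Audit" prefix used in the GPO editor.

```powershell
# Added example (not from the original page). Requires an elevated PowerShell 5+ session.
# Subcategory names are auditpol's English names; the GPO editor shows them as "Audit <name>".
$Expected = @(
    'Logon', 'Logoff', 'Account Lockout', 'Special Logon', 'Group Membership',
    'Other Logon/Logoff Events', 'Sensitive Privilege Use', 'Process Creation',
    'Security System Extension', 'Other Object Access Events', 'File Share',
    'Detailed File Share', 'Certification Services', 'Audit Policy Change',
    'Authentication Policy Change', 'Authorization Policy Change',
    'User Account Management', 'Security Group Management',
    'Computer Account Management', 'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations', 'Credential Validation'
)

# 'auditpol /r' emits CSV with an "Inclusion Setting" column, e.g. "Success and Failure" or "No Auditing".
$Policy = auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv

$Findings = @(foreach ($name in $Expected) {
    $row = $Policy | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'Unknown subcategory' }
    if ($setting -ne 'Success and Failure') {
        [pscustomobject]@{ Check = "Audit: $name"; Current = $setting; Expected = 'Success and Failure' }
    }
})

# Registry values written by the GPO settings referenced in the table and considerations above.
$PsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$RegChecks = @(
    @{ Path = "$PsPolicy\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Label = '4104 Script Block Logging' },
    @{ Path = "$PsPolicy\ModuleLogging";      Name = 'EnableModuleLogging';      Label = '800 Module Logging' },
    @{ Path = "$PsPolicy\Transcription";      Name = 'EnableTranscripting';      Label = 'PowerShell Transcription (optional)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Name = 'ProcessCreationIncludeCmdLine_Enabled'; Label = '4688 command line auditing' }
)

foreach ($c in $RegChecks) {
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($value -ne 1) {
        $current = if ($null -eq $value) { 'Not set' } else { $value }
        $Findings += [pscustomobject]@{ Check = $c.Label; Current = $current; Expected = 1 }
    }
}

# Module logging with a '*' wildcard is recorded as a value named '*' under ModuleNames.
if (-not (Get-ItemProperty -Path "$PsPolicy\ModuleLogging\ModuleNames" -Name '*' -ErrorAction SilentlyContinue)) {
    $Findings += [pscustomobject]@{ Check = '800 Module Names'; Current = "no '*' entry"; Expected = "'*'" }
}

if ($Findings.Count) { $Findings | Format-Table -AutoSize } else { 'All audit and logging settings match the table.' }
```

Run it on a representative member of each GPO scope (workstation, server, domain controller, ADCS host) rather than on a single machine, since the per-device-type GPOs mentioned above produce different effective policies.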
