Windows Event IDs

Event ID	Description
4625	Failed account logon (important for detecting brute force or unauthorized attempts). ⭐
4624	Successful account logon. ⭐
4648	Logon attempt with explicit credentials (useful for detecting lateral movement or pass-the-hash attack). ⭐
4647	a user has initiated a logoff, meaning the user has requested to end their session
4634	An account logged off.
4672	Special privileges assigned to a new logon ⭐
1102	Audit Log Cleared / user clears the Security Event Log (high indicator of malicious intent) ⭐
104	(Log File Cleared / any event log (System, Application, etc.) ⭐
4719	System audit policy was changed
4720	A user account was created. ⭐
4724	Attempt to reset an account's password. ⭐
4723	Attempt to change an account's password. ⭐
4722	A user account was enabled. ⭐
4725	A user account was disabled. ⭐
4726	A user account was deleted. ⭐
4740	A user account was locked out. ⭐
4767	A user account was unlocked. ⭐
4738	A user account was changed. (e.g., attacker adds their account to “Domain Admins.”) ⭐
4728	A user added to a privileged global group. ⭐
4732	A user added to a privileged local group. ⭐
4771	Pre-authentication failed (indicative of brute force attempts). ⭐
4776	Credential validation failed. ⭐ Credential validation via NTLM — useful for spotting brute-force or legacy auth attempts
4772	Failed Kerberos authentication ticket request. ⭐
7036	Service state change (e.g., service stopped/started).
4907	Audit policy change.
4954	Group Policy settings for Windows Firewall changed.
4964	Special group assigned to a new logon.
4697	An attempt was made to install a service (potential persistence mechanism). ⭐
4698-4702	Scheduled task changes (created, modified, deleted, enabled, or disabled). **⭐
4698 = created / 4699 = deleted / 4702 = updated**
4946	Rule added to Windows Firewall exception list.
4947	Rule modified in Windows Firewall exception list.
5152	Network packet blocked by Windows Filtering Platform. ⭐
5155	Application/service blocked from listening on a port by Windows Filtering Platform. (Useful when attacker tools try to bind to ports — shows failed persistence attempts.) ⭐
4735	Privileged local group was modified. ⭐
4756	User added to a privileged universal group. ⭐
4777	Domain controller failed to validate account credentials. ⭐
4706	A new trust was created to a domain
4985	Registry value changed. ⭐
43	System file was modified or replaced.
13	A certificate was requested (watch for unauthorized cert requests).
4799	A security-enabled local group membership was enumerated (This is often seen during reconnaissance when attackers use commands like net localgroup administrators) ⭐
1033	Security-sensitive process exited (often linked to sensitive OS functions).
5379	Credential manager credentials were read.
5447	Windows Filtering Platform filter was changed.
4649	A replay attack was detected ⭐
4688	A new process was created (important for process auditing and detecting malicious executables). ⭐
4689	A process was terminated (useful in context with 4688 to track behavior). ⭐
4690	An attempt was made to duplicate a handle (could indicate privilege escalation).
4703	A token right was adjusted (monitor for privilege escalation attempts). ⭐
4660	An object was deleted (confirms deletion, correlate with 4656 via Handle ID) ⭐
4741	A computer account was created.
4742	A computer account was changed.
4743	A computer account was deleted.
4768	A Kerberos authentication ticket (TGT) was requested. ⭐
4769	A Kerberos service ticket (TGS) was requested. ⭐
5024	The Windows Firewall service was started.
5038	Code integrity determined that a file is not valid. (Possible tampering with binaries or unsigned driver load attempts.) ⭐
5140	A network share was accessed (monitor lateral movement). ⭐
5145	A file was accessed over the network (important for detecting data exfiltration). ⭐
5168	A filter driver failed to attach (indicative of tampering / Seen with rootkits or security bypass attempts) ⭐

1116	Microsoft Defender Antivirus detected malware or other potentially unwanted software ⭐
1117	Microsoft Defender detected malware and took action (quarantine/clean/remove/block) ⭐
1149	Remote Desktop Services: A user successfully connected to the system via Remote Desktop (useful for tracking remote logins)
4661	Logged when a handle is requested for an object, often used in tracking unauthorized access attempts.
7045	A new service was installed on the system. (often used for persistence) ⭐
4662	Object access with specific permissions (e.g., AD enumeration, LSASS dump) ⭐
5861	Indicates WMI Provider Host activity, useful for detecting unusual WMI queries or potential abuse ⭐
4929	logs when an Active Directory (AD) replica source naming context is removed
(a key indicator of DCShadow activity) ⭐
4663	An attempt was made to access an object.
4656
Handle requested for an object (used to audit when access to files, registry keys, etc. is being initiated).
5156	The Windows Filtering Platform has allowed a connection
28115	Shortcut added to App Resolver Cache (indicates application installation)
11707	MSI installation success. Logs every successful MSI-based application install. Useful for detecting unauthorized software, LOLBins, and persistence mechanisms. Helps build a timeline during investigations when standard logs are missing or tampered.
4658	The handle to an object was closed (this is logged when an open handle to an object like a file, registry key, or process is closed). It is commonly used together with 4656 (handle requested) and 4663 (object access attempt) to reconstruct full object access timelines in forensic investigations.
4616	System time was changed (common in anti-forensics)
4670	Permissions on an object were changed (important for privilege escalation and persistence)
4674	Operation attempted on a privileged object

Most Important Marked with ⭐