Active Directory Events for Detecting Compromise
Recommended event IDs to log and monitor to detect the Active Directory compromises detailed in the sections
The following events should be centrally logged and analysed to identify Active Directory compromises involving Domain Controllers.
Table 1. Events that detect compromises involving Domain Controllers
| Event ID | Compromise(s) | Description |
|---|---|---|
| 39 | AD CS | The KDC encountered a valid user certificate that could not be securely mapped to a user (such as via explicit mapping, key trust mapping, or a SID). |
| 40 | AD CS | A certificate is issued before the user exists in Active Directory, and no explicit mapping can be found. This event is only logged when the KDC is in Compatibility mode. |
| 41 | AD CS | A certificate contains the new SID extension, but it does not match the SID of the corresponding user account. |
| 1103 | Dumping ntds.dit, One-way Trust Bypass, SID History, Skeleton Key | The ‘Security’ audit log is cleared. |
| 2889 | Password Spray | A computer object tries to make an unsigned LDAP bind. |
| 3033 | Skeleton Key | A driver fails to load because it does not meet Microsoft’s signing requirements. |
| 3063 | Skeleton Key | A driver fails to load because it does not meet the security requirements for shared sections. |
| 4103 | Dumping ntds.dit, One-way Trust Bypass, SID History, Skeleton Key | PowerShell executes and logs pipeline execution details. |
| 4104 | Dumping ntds.dit, One-way Trust Bypass, SID History, Skeleton Key | PowerShell executes code to capture scripts and commands. |
| 4624 | Password Spray, MachineAccountQuota, Unconstrained Delegation | An account is successfully logged on. |
| 4625 | AS-REP Roasting, Password Spray | An account fails to log on. |
| 4656 | Dumping ntds.dit | A handle to an object is requested. |
| 4662 | DCSync, Golden SAML | An operation is performed on an object. |
| 4663 | Dumping ntds.dit, Skeleton Key | An attempt is made to access an object. |
| 4673 | Skeleton Key | A privileged service is called. |
| 4674 | AD CS | An operation is attempted on a privileged object. |
| 4675 | SID History (Domain hopping with Golden Tickets and SID History) | SIDs were filtered. |
| 4688 | Dumping ntds.dit | A new process is created. |
| 4697 | Skeleton Key | A service is installed in the system. |
| 4703 | Skeleton Key | A user right is adjusted. |
| 4724 | MachineAccountQuota | An attempt is made to reset an account's password. |
| 4738 | Kerberoasting, AS-REP Roasting, SID History | A user account is changed. |
| 4740 | Password Spray | A user account is locked out. |
| 4741 | MachineAccountQuota | A computer account was created in Active Directory. |
| 4768 | AS-REP Roasting, AD CS, Golden Ticket, One-way Trust Bypass | A Kerberos TGT is requested. |
| 4769 | Kerberoasting, Golden Ticket | A TGS is requested. |
| 4770 | Unconstrained Delegation | A Kerberos TGT is renewed. |
| 4771 | Password Spray | Kerberos pre-authentication fails. |
| 5136 | Kerberoasting, AS-REP Roasting | A directory service object was modified. |
| 8222 | Dumping ntds.dit | A shadow copy is created. |
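Table 1 lists 4625 and 4771 (with 4740 as corroboration) as the events that expose a Password Spray, but it does not show how the analysis over those events is done. The following is an added example, not part of the original guidance: a sliding-window check over centrally collected logon-failure events that raises an alert when one source address fails against many distinct accounts within a short window. The sample events, the 10-minute window and the five-account threshold are constructed assumptions; tune them to your environment.

```python
"""Detect password spraying in Security events 4625 (logon failure) and 4771
(Kerberos pre-authentication failure): many distinct accounts, one source,
short window. Added example: sample events are constructed and the window
and threshold are assumptions, not values from the guidance."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event ID, target account, source address).
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:01", 4771, "alice", "10.0.0.5"),
    ("2024-05-01T08:00:03", 4771, "bob", "10.0.0.5"),
    ("2024-05-01T08:00:05", 4771, "carol", "10.0.0.5"),
    ("2024-05-01T08:00:08", 4625, "dave", "10.0.0.5"),
    ("2024-05-01T08:00:11", 4771, "erin", "10.0.0.5"),
    ("2024-05-01T08:00:14", 4771, "frank", "10.0.0.5"),
    # One user mistyping their password three times is not a spray.
    ("2024-05-01T08:02:00", 4625, "grace", "10.0.0.9"),
    ("2024-05-01T08:02:10", 4625, "grace", "10.0.0.9"),
    ("2024-05-01T08:02:20", 4625, "grace", "10.0.0.9"),
    # Six accounts from one source spread over hours fall outside a 10-minute window.
    ("2024-05-01T09:00:00", 4771, "alice", "10.0.0.7"),
    ("2024-05-01T11:00:00", 4771, "bob", "10.0.0.7"),
    ("2024-05-01T13:00:00", 4771, "carol", "10.0.0.7"),
    ("2024-05-01T15:00:00", 4771, "dave", "10.0.0.7"),
    ("2024-05-01T17:00:00", 4771, "erin", "10.0.0.7"),
    ("2024-05-01T19:00:00", 4771, "frank", "10.0.0.7"),
]

# Event IDs from Table 1 that record a failed authentication attempt.
FAILURE_EVENTS = {4625, 4771}


def max_distinct_accounts(attempts, window):
    """Largest number of distinct accounts one source tried within any `window`.
    `attempts` is a list of (datetime, account) for a single source."""
    attempts = sorted(attempts)
    best, start = 0, 0
    for end in range(len(attempts)):
        # Slide the window start forward until it fits within `window` of `end`.
        while attempts[end][0] - attempts[start][0] > window:
            start += 1
        best = max(best, len({acct for _, acct in attempts[start:end + 1]}))
    return best


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: distinct_accounts} for every source that failed against
    at least `min_accounts` distinct accounts inside one `window`."""
    by_source = defaultdict(list)
    for ts, event_id, account, source in events:
        if event_id in FAILURE_EVENTS:
            by_source[source].append((datetime.fromisoformat(ts), account.lower()))
    alerts = {}
    for source, attempts in by_source.items():
        n = max_distinct_accounts(attempts, window)
        if n >= min_accounts:
            alerts[source] = n
    return alerts


if __name__ == "__main__":
    for source, n in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {source}: {n} distinct accounts")
```

The per-source key is the client address reported in the event; 4771 and 4625 both carry one. A burst of 4740 lockouts in the same window corroborates the finding, and 2889 (unsigned LDAP binds) covers sprays that arrive over LDAP rather than Kerberos or NTLM, which this check does not see.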
The below events should be centrally logged and analysed to identify Active Directory compromises involving AD CS CA servers.
Table 2. Events that detect compromises involving AD CS CA servers
| Event ID | Compromise(s) | Description |
|---|---|---|
| 1102 | AD CS, Golden Certificate | The ‘Security’ audit log was cleared. |
| 4103 | Golden Certificate | PowerShell module logging. |
| 4104 | Golden Certificate | PowerShell script block logging. |
| 4876 | Golden Certificate | Certificate Services backup was started. |
| 4886 | AD CS | Certificate Services received a certificate request. |
| 4887 | AD CS | Certificate Services approved a certificate request and issued a certificate. |
| 4899 | AD CS | A Certificate Services template was updated. |
| 4900 | AD CS | Certificate Services template security was updated. |
The events below should be centrally logged and analysed to identify Active Directory compromises involving AD FS servers.
Table 3. Events that detect compromises involving AD FS servers
| Event ID | Compromise(s) | Description |
|---|---|---|
| 70 | Golden SAML | A Certificate Private Key was acquired. |
| 307 | Golden SAML | The Federation Service configuration was changed. |
| 510 | Golden SAML | Additional information about events, such as federation service configuration changes, was requested. |
| 1007 | Golden SAML | A certificate was exported. |
| 1102 | Golden SAML | The ‘Security’ audit log was cleared. |
| 1200 | Golden SAML | The Federation Service issued a valid token. |
| 1202 | Golden SAML | The Federation Service validated a new credential. |
The events below should be centrally logged and analysed to identify Active Directory compromises involving Microsoft Entra Connect servers.
Table 4. Events that detect compromises involving Microsoft Entra Connect servers
| Event ID | Compromise(s) | Description |
|---|---|---|
| 611 | Microsoft Entra Connect | PHS failed for the domain. |
| 650 | Microsoft Entra Connect | Password synchronisation starts retrieving updated passwords from the on-premises AD DS. |
| 651 | Microsoft Entra Connect | Password synchronisation finishes retrieving updated passwords from the on-premises AD DS. |
| 656 | Microsoft Entra Connect | Password synchronisation indicates that a password change was detected and there was an attempt to sync it to Microsoft Entra ID. |
| 657 | Microsoft Entra Connect | A password was successfully synced for a user object. |
| 1102 | Microsoft Entra Connect | The security audit log was cleared. |
| 4103 | Microsoft Entra Connect | PowerShell module logging. |
| 4104 | Microsoft Entra Connect | PowerShell script block logging. |
The events below should be centrally logged and analysed to identify Active Directory compromises involving computer objects configured for unconstrained delegation.
Table 5. Events that detect compromises involving computer objects configured for unconstrained delegation
| Event ID | Compromise(s) | Description |
|---|---|---|
| 4103 | Unconstrained delegation | PowerShell executes and logs pipeline execution details. |
| 4104 | Unconstrained delegation | PowerShell executes code to capture scripts and commands. |
| 4624 | Unconstrained delegation | An account is successfully logged on. |
| 4688 | Unconstrained delegation | A new process is created. |
The following events should be centrally logged and analysed to identify Active Directory compromises involving Silver Tickets.
Table 6. Events that detect Silver Ticket compromises
| Event ID | Compromise(s) | Description |
|---|---|---|
| 4624 | Silver Ticket | This event is generated when an account is logged into a computer. It can be correlated and analysed with event 4627 for signs of a potential Silver Ticket. |
| 4627 | Silver Ticket | This event is generated alongside event 4624 and provides additional information regarding the group membership of the account that logged in. This event can be analysed for discrepancies, such as mismatching SID and group membership information for the user object that logged on. Note that a Silver Ticket forges the TGS, which can contain false information, such as a different SID to the user object logging on and different group memberships. Malicious actors falsify this information to escalate their privileges on the target computer object. |
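Table 6 describes the analysis in words: pair each 4624 with its 4627, then look for a SID or group list that does not match what the directory holds for that account. The following is an added example of that correlation, not code from the original guidance. The sample events, the domain SID, and the directory lookup (account name to SID and group SIDs) are all constructed; in production the lookup would be populated from AD, and the events would come from the central log store.

```python
"""Correlate Security events 4624 and 4627 by Logon ID and flag group-membership
claims that disagree with the directory's view of the account.
Added example: sample events and the directory lookup are constructed."""
from collections import defaultdict

# Well-known SIDs that legitimately appear in every 4627 group list; ignored.
WELL_KNOWN_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-2", "S-1-5-15", "S-1-2-0"}

DOMAIN = "S-1-5-21-111-222-333"  # constructed domain SID prefix

# Constructed sample events, in the shape a SIEM export of 4624/4627 would provide.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonID": "0x3e7a1", "TargetUserName": "jdoe",
     "TargetUserSid": f"{DOMAIN}-1105", "LogonType": 3, "AuthenticationPackage": "Kerberos"},
    # jdoe's ticket claims Domain Admins (RID 512), which the directory does not grant.
    {"EventID": 4627, "LogonID": "0x3e7a1", "TargetUserSid": f"{DOMAIN}-1105",
     "GroupMembership": ["S-1-5-11", f"{DOMAIN}-513", f"{DOMAIN}-512"]},
    {"EventID": 4624, "LogonID": "0x3e7b2", "TargetUserName": "asmith",
     "TargetUserSid": f"{DOMAIN}-1106", "LogonType": 3, "AuthenticationPackage": "Kerberos"},
    {"EventID": 4627, "LogonID": "0x3e7b2", "TargetUserSid": f"{DOMAIN}-1106",
     "GroupMembership": ["S-1-5-11", f"{DOMAIN}-513"]},
    # bkhan's logon carries the built-in Administrator SID (RID 500), not bkhan's own SID.
    {"EventID": 4624, "LogonID": "0x3e7c3", "TargetUserName": "bkhan",
     "TargetUserSid": f"{DOMAIN}-500", "LogonType": 3, "AuthenticationPackage": "Kerberos"},
    {"EventID": 4627, "LogonID": "0x3e7c3", "TargetUserSid": f"{DOMAIN}-500",
     "GroupMembership": ["S-1-5-11", f"{DOMAIN}-513", f"{DOMAIN}-512"]},
]

# Constructed directory lookup: account name -> (SID, set of group SIDs held in AD).
DIRECTORY = {
    "jdoe": (f"{DOMAIN}-1105", {f"{DOMAIN}-513"}),
    "asmith": (f"{DOMAIN}-1106", {f"{DOMAIN}-513"}),
    "bkhan": (f"{DOMAIN}-1107", {f"{DOMAIN}-513"}),
}


def pair_by_logon_id(events):
    """Index 4624/4627 events by Logon ID so each logon's two records sit together."""
    pairs = defaultdict(dict)
    for ev in events:
        if ev["EventID"] in (4624, 4627):
            pairs[ev["LogonID"]][ev["EventID"]] = ev
    return pairs


def find_silver_ticket_indicators(events, directory):
    """Return (logon_id, account, [issues]) for each logon whose 4624/4627 pair
    disagrees with the directory. `directory` maps account name -> (sid, groups)."""
    findings = []
    for logon_id, pair in pair_by_logon_id(events).items():
        logon, membership = pair.get(4624), pair.get(4627)
        if logon is None or membership is None:
            # 4627 is only generated when the Group Membership audit subcategory is on.
            continue
        issues = []
        if membership["TargetUserSid"] != logon["TargetUserSid"]:
            issues.append("sid_mismatch_between_4624_and_4627")
        entry = directory.get(logon["TargetUserName"])
        if entry is None:
            issues.append("account_unknown_to_directory")
        else:
            dir_sid, dir_groups = entry
            if dir_sid != logon["TargetUserSid"]:
                issues.append("sid_does_not_match_directory")
            claimed = set(membership["GroupMembership"]) - WELL_KNOWN_SIDS
            extra = sorted(claimed - dir_groups)
            if extra:
                issues.append("unexpected_groups:" + ",".join(extra))
        if issues:
            findings.append((logon_id, logon["TargetUserName"], issues))
    return findings


if __name__ == "__main__":
    for logon_id, account, issues in find_silver_ticket_indicators(SAMPLE_EVENTS, DIRECTORY):
        print(f"logon {logon_id} ({account}): {'; '.join(issues)}")
```

Both checks depend on a trustworthy reference: the directory lookup must be taken from a Domain Controller, not from the computer where the logon occurred, because a Silver Ticket is only ever validated locally by the service it targets. Logon ID is the join key that the two events share; the account name alone is not enough, since the forged ticket can pair any name with any SID.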