Windows Security Logs (Identity and Logon Activities)
Note: Sometimes, you may have to customise the queries to your environment. Also, queries will only work if the data is available.
Overview:
Windows Security Logs contain rich information about identity and logon activities. These logs are crucial for detecting unauthorized logons, privilege escalation, and lateral movement.
25 Example Queries for Identity and Logon Activities:
1. Track Successful Logon Events (Event ID 4624): Event ID 4624 records successful logon events, which can be analyzed for suspicious activity.
2. Monitor Failed Logon Attempts (Event ID 4625): Multiple failed logon attempts may indicate a brute force attack.
3. Track Interactive Logons (LogonType 2, Event ID 4624): Interactive logons are physical or RDP logons to a system.
4. Detect Use of Service Accounts for Logon (LogonType 5): Service accounts may be used to maintain persistence within the network.
5. Monitor Privileged Logons (Event ID 4672): Privileged account logon events can be tracked for signs of abuse.
6. Detect Kerberos Logon Failures (Event ID 4771): Failed Kerberos logon attempts may indicate credential theft or brute force attacks.
7. Track NTLM Logon Events (Event ID 4624): NTLM logons can be used for lateral movement through pass-the-hash attacks.
8. Monitor Account Lockout Events (Event ID 4740): Account lockouts may indicate attempted brute force attacks or credential theft.
9. Detect Logon Events During Unusual Hours: Unusual logon times may indicate unauthorized access outside of business hours.
10. Track Interactive Logon Failures (LogonType 2): Failed interactive logons may indicate unauthorized attempts to access a system.
11. Detect Unusual Logon Locations for Users (GeoLocation Analysis): Logons from unusual locations may indicate credential compromise.
12. Monitor Remote Logons Using RDP (Event ID 4624, LogonType 10): Remote logons using RDP may be an indication of lateral movement or remote access attacks.
13. Detect Unsuccessful Logon Attempts for Privileged Accounts: Failed logon attempts for admin accounts may indicate credential guessing or brute force attacks.
14. Track Use of Temporary or Guest Accounts for Logon: Temporary or guest accounts being used for logon may indicate unauthorized access.
15. Monitor Use of Smartcards for Logon (Event ID 4776): Logons using smartcards can be tracked to ensure they are legitimate.
16. Detect Logon Attempts Using Stale Credentials (Expired Passwords): Repeated attempts to log on with expired credentials may indicate an attacker is using stolen credentials.
17. Track Failed Logon Attempts Due to Bad Passwords: Bad password failures may indicate a brute force or credential stuffing attack.
18. Monitor Use of Shadow Credentials for Logon Attempts: Shadow credentials (e.g., certificate-based) may be used for unauthorized access.
19. Track Successful Logons Using Unusual Account Types (Service, System): Unusual logon types may indicate an attacker is using system or service accounts.
20. Detect Multiple Logon Attempts from a Single IP Address (Credential Stuffing): Multiple logon attempts from the same IP may indicate credential stuffing attacks.
21. Monitor Use of Administrative Accounts for Interactive Logons: Interactive logons using administrative accounts can be tracked for unauthorized access.
22. Track Unusual Authentication Attempts Using NTLM (Event ID 4624): NTLM authentication may be used for lateral movement or unauthorized access.
23. Detect Logons Using Expired or Disabled Accounts: Logon attempts using disabled or expired accounts may indicate account compromise.
24. Monitor Logon Attempts Using Compromised Accounts (Known Breaches): Accounts known to be compromised in breaches can be monitored for logon attempts.
25. Track Use of Anonymous Logon Accounts (Event ID 4624, Account: ANONYMOUS): Anonymous logon attempts may indicate unauthorized access attempts.
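As an added example (not part of the original page), the Python below implements the checks behind queries 2, 9, 12, 17 and 20 over constructed sample events whose field names (EventID, TargetUserName, LogonType, IpAddress, SubStatus, TimeCreated) follow the Windows Security event schema. The failure threshold, business hours and sample values are assumptions chosen for the demonstration.

```python
from collections import Counter
from datetime import datetime


def ev(eid, user, ltype, ip, sub, when):
    """Build a minimal event record using Windows Security Log field names."""
    return {"EventID": eid, "TargetUserName": user, "LogonType": ltype,
            "IpAddress": ip, "SubStatus": sub, "TimeCreated": when}


# Constructed sample data (not real logs). SubStatus 0xC000006A is the
# "wrong password" code and 0xC0000064 is "user name does not exist".
EVENTS = [
    ev(4625, "alice", 3, "10.0.0.5", "0xC000006A", "2024-05-01T09:00:01"),
    ev(4625, "bob",   3, "10.0.0.5", "0xC000006A", "2024-05-01T09:00:02"),
    ev(4625, "carol", 3, "10.0.0.5", "0xC000006A", "2024-05-01T09:00:03"),
    ev(4625, "dave",  3, "10.0.0.5", "0xC0000064", "2024-05-01T09:00:04"),
    ev(4625, "erin",  3, "10.0.0.5", "0xC000006A", "2024-05-01T09:00:05"),
    ev(4625, "alice", 2, "10.0.0.9", "0xC000006A", "2024-05-01T09:15:00"),
    ev(4624, "alice", 2, "10.0.0.9", "-", "2024-05-01T09:16:00"),
    ev(4624, "svc_backup", 10, "203.0.113.7", "-", "2024-05-01T02:15:00"),
    ev(4624, "bob", 3, "10.0.0.20", "-", "2024-05-01T13:00:00"),
]


def failed_logons_by_ip(events, threshold=5):
    """Queries 2 and 20: source IPs with at least `threshold` 4625 events."""
    counts = Counter(e["IpAddress"] for e in events if e["EventID"] == 4625)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def rdp_logons(events):
    """Query 12: successful logons over RDP (Event ID 4624, LogonType 10)."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 10]


def off_hours_logons(events, start_hour=8, end_hour=18):
    """Query 9: successful logons outside business hours (assumed 08:00-18:00 local)."""
    hits = []
    for e in events:
        if e["EventID"] != 4624:
            continue
        hour = datetime.fromisoformat(e["TimeCreated"]).hour
        if hour < start_hour or hour >= end_hour:
            hits.append((e["TargetUserName"], e["TimeCreated"]))
    return hits


def bad_password_failures(events):
    """Query 17: 4625 events whose SubStatus is the bad-password code."""
    return [e["TargetUserName"] for e in events
            if e["EventID"] == 4625 and e["SubStatus"].upper() == "0XC000006A"]
```

Note that the five failures from 10.0.0.5 each target a different account, which is the credential stuffing shape of query 20 rather than the single-account pattern of query 2; a real query would group by both IpAddress and TargetUserName to tell them apart.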