# Lateral Movement Logging Recommendations

**Lateral movement** is the movement of an attacker within an organization's infrastructure after an initial foothold has been gained, typically to obtain additional credentials, to reach the systems that hold the data they are after, or to map the network on the way there. The attacker uses the same remote-access mechanisms as administrators (SMB shares, remotely installed services and scheduled tasks, WinRM, RDP), which is why the evidence lives in the host authentication, service and remote-management logs listed below.

Below is the list of event IDs to monitor and hunt for, which help detect such activity. Note that several of them are not generated by default: object access (4656, 4663), file share (5140, 5145) and Windows Filtering Platform (5154, 5156) events only appear when their audit subcategories are enabled, and the share and filtering-platform events are high volume, so scope them to sensitive hosts or pair them with the other signals in the table.

| **Event ID** | **Log / channel** | **What the event records** |
| --- | --- | --- |
| 4624 | Security | An account was successfully logged on (LogonType 3 = network, 10 = RemoteInteractive/RDP are the lateral-movement cases) |
| 4634 | Security | An account was logged off |
| 4648 | Security | A logon was attempted using explicit credentials (e.g. `runas`, `net use /user:`, tools passing an alternate account) |
| 4656 | Security | A handle to an object was requested |
| 4658 | Security | The handle to an object was closed |
| 4660 | Security | An object was deleted |
| 4663 | Security | An attempt was made to access an object |
| 4672 | Security | Special privileges assigned to new logon (an administrator-equivalent logon) |
| 4673 | Security | A privileged service was called |
| 4688 | Security | A new process has been created (enable command-line logging so the arguments are captured) |
| 4689 | Security | A process has exited |
| 4698 | Security | A scheduled task was created |
| 4720 | Security | A user account was created |
| 4768 | Security (domain controllers) | A Kerberos authentication ticket (TGT) was requested |
| 4769 | Security (domain controllers) | A Kerberos service ticket was requested |
| 4946 | Security | A change has been made to the Windows Firewall exception list; a rule was added |
| 5140 | Security | A network share object was accessed |
| 5142 | Security | A network share object was added |
| 5144 | Security | A network share object was deleted |
| 5145 | Security | A network share object was checked to see whether the client can be granted the desired access (records the share name, e.g. `ADMIN$` or `IPC$`, and the relative target name) |
| 5154 | Security | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections |
| 5156 | Security | The Windows Filtering Platform has allowed a connection |
| 5447 | Security | A Windows Filtering Platform filter has been changed |
| 7036 | System | Service Control Manager: a service entered the running or stopped state |
| 7045 | System | A new service was installed in the system |
| 8222 | Application | A shadow copy has been created (Volume Shadow Copy Service) |
| 20001 | System (UserPnp) | New hardware was connected to the computer and a driver package was installed. The status in the event gives the result:<br>0 (0x00000000) Installation Successful<br>2 (0x00000002) File Not Found<br>2147942402 (0x80070002) File Not Found<br>2147942403 (0x80070003) Path Not Found<br>2147942405 (0x80070005) Access Denied<br>2148467251 (0x800F0233) Invalid Target<br>2150105198 (0x8028006E) Invalid Source Path<br>1459 (0x000005B3) Requires Interactive Workstation<br>1460 (0x000005B4) Timeout<br>3758096948 (0xE0000234) Driver Non-native<br>3758096966 (0xE0000246) Device Installer Not Ready |
| 80 | Microsoft-Windows-WinRM/Operational | Source host: sending the request for an operation to the destination machine and port |
| 81 | Microsoft-Windows-WinRM/Operational | Destination host: processing a client request for an operation |
| 132 | Microsoft-Windows-WinRM/Operational | Source host: the WSMan operation completed successfully |
| 143 | Microsoft-Windows-WinRM/Operational | Source host: received the response from the network layer (HTTP status) |
| 166 | Microsoft-Windows-WinRM/Operational | Source host: the authentication mechanism chosen for the session |
| 106 | Microsoft-Windows-TaskScheduler/Operational | Task registered (records the task name and the user who registered it) |
| 129 | Microsoft-Windows-TaskScheduler/Operational | Created task process |
| 200 | Microsoft-Windows-TaskScheduler/Operational | Action started |
| 201 | Microsoft-Windows-TaskScheduler/Operational | Action completed |
| 21 | Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | Remote Desktop Services: session logon succeeded (records the user and source network address) |
| 24 | Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | Remote Desktop Services: session has been disconnected |
| 60 | Microsoft-Windows-Bits-Client/Operational | BITS stopped transferring a transfer job (records the job name and the remote URL) |
| 104 | System | The System log file was cleared |
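The table gives the raw events; the hunts come from combining them. As an added example (not code from the original page or from BluSapphire), the following Python runs two such combinations over constructed event records: an account logging on remotely (4624 with LogonType 3 or 10) to many hosts in a short window, and a new service (7045) installed on a host shortly after a remote logon to it, with an intervening 5145 for `ADMIN$` noted when present (the remote-service-execution pattern). Field names follow the EventData names of the Windows event XML (`TargetUserName`, `LogonType`, `ShareName`, `ServiceName`); the records, host names, account names, source address and thresholds are assumptions for illustration.

```python
"""Lateral-movement hunts over Windows Security/System events.

Added example, not code from the original page. Events are plain dicts in
the shape a SIEM export or EvtxECmd-style JSON would give; field names mirror
the EventData names of the event XML, and every record below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# 4624 LogonType values that mean the session came from another host:
# 3 = Network (SMB, WinRM, WMI, remote service install), 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3, 10}


def ev(event_id, host, when, **fields):
    """Build one constructed event record (TimeCreated is ISO-8601, UTC)."""
    return {"EventID": event_id, "Computer": host, "TimeCreated": when, **fields}


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    # Console logon on a workstation: benign, LogonType 2 is ignored by both hunts.
    ev(4624, "WS01", "2024-03-01T08:00:00", TargetUserName="alice", LogonType=2, IpAddress="-"),
    # One account logging on over the network to four servers inside a minute.
    ev(4624, "SRV01", "2024-03-01T09:00:00", TargetUserName="svc-backup", LogonType=3, IpAddress="10.0.0.5"),
    ev(4624, "SRV02", "2024-03-01T09:00:20", TargetUserName="svc-backup", LogonType=3, IpAddress="10.0.0.5"),
    ev(4624, "SRV03", "2024-03-01T09:00:41", TargetUserName="svc-backup", LogonType=3, IpAddress="10.0.0.5"),
    ev(4624, "SRV04", "2024-03-01T09:01:05", TargetUserName="svc-backup", LogonType=3, IpAddress="10.0.0.5"),
    # On SRV02 the network logon is followed by ADMIN$ access and a new service:
    # the remote-service-execution (PsExec-style) sequence.
    ev(5145, "SRV02", "2024-03-01T09:00:25", SubjectUserName="svc-backup", ShareName="\\\\*\\ADMIN$", IpAddress="10.0.0.5"),
    ev(7045, "SRV02", "2024-03-01T09:00:30", ServiceName="PSEXESVC", ImagePath="%SystemRoot%\\PSEXESVC.exe"),
    # A new service with no preceding remote logon on that host: the chain hunt ignores it.
    ev(7045, "SRV09", "2024-03-01T12:00:00", ServiceName="Backup Agent", ImagePath="C:\\Program Files\\Backup\\agent.exe"),
]


def _ts(e):
    return datetime.fromisoformat(e["TimeCreated"])


def remote_logons(events):
    """4624 events whose LogonType says the session came from another host."""
    return [e for e in events
            if e["EventID"] == 4624 and e.get("LogonType") in REMOTE_LOGON_TYPES]


def account_fan_out(events, window_s=600, min_hosts=3):
    """Accounts with remote logons to at least `min_hosts` distinct hosts inside `window_s` seconds.

    Returns {account: sorted list of hosts touched}. The window and threshold are
    assumed starting values; tune them against your own baseline.
    """
    window = timedelta(seconds=window_s)
    per_account = defaultdict(list)
    for e in sorted(remote_logons(events), key=_ts):
        per_account[e["TargetUserName"]].append(e)
    hits = {}
    for account, evs in per_account.items():
        start = 0
        for end in range(len(evs)):                 # sliding time window over ordered logons
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            hosts = {x["Computer"] for x in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[account] = sorted(hosts)
    return hits


def remote_service_execution(events, window_s=120):
    """7045 (new service) on a host within `window_s` seconds after a remote 4624 on that host.

    A 5145 for ADMIN$ between the two is the service binary being copied over SMB
    first; it is reported in the finding when seen.
    """
    window = timedelta(seconds=window_s)
    logons = remote_logons(events)
    admin_share = [e for e in events if e["EventID"] == 5145
                   and e.get("ShareName", "").upper().endswith("ADMIN$")]
    findings = []
    for svc in (e for e in events if e["EventID"] == 7045):
        t_svc = _ts(svc)
        for lg in logons:
            if lg["Computer"] != svc["Computer"]:
                continue
            if not (timedelta(0) <= t_svc - _ts(lg) <= window):
                continue
            copied = any(s["Computer"] == svc["Computer"] and _ts(lg) <= _ts(s) <= t_svc
                         for s in admin_share)
            findings.append({"host": svc["Computer"], "account": lg["TargetUserName"],
                             "source_ip": lg.get("IpAddress"), "service": svc["ServiceName"],
                             "image": svc["ImagePath"], "admin_share_access": copied})
    return findings


if __name__ == "__main__":
    for account, hosts in account_fan_out(SAMPLE_EVENTS).items():
        print(f"[fan-out] {account} -> {', '.join(hosts)}")
    for f in remote_service_execution(SAMPLE_EVENTS):
        print(f"[remote service] {f['account']}@{f['source_ip']} installed {f['service']} "
              f"on {f['host']} (ADMIN$ access seen: {f['admin_share_access']})")
```

Both hunts key on `Computer` and `TargetUserName`, so the same logic works on records collected centrally from many hosts; the second hunt deliberately requires the 4624 and the 7045 to come from the same host, which is what separates a remotely pushed service from a locally installed one.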
