# Lateral Movement Logging Recommendations
**Lateral movement** is defined as the movement of attackers within an organization's infrastructure. This could either be "to gain additional credentials" or to "steal data". The attacker may use different tools and techniques allowing them to move laterally through a network to map the system.
Below are the list of event IDs to monitor and hunt for, which would help detect such activity.
| **Event ID List** | **Threat Actor Behavior** |
| ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 4624 | An account was successfully logged on |
| 4634 | An account was logged off |
| 4648 | A logon was attempted using explicit credentials |
| 4656 | A handle to an object was requested |
| 4658 | The handle to an object was closed |
| 4660 | An object was deleted |
| 4663 | An attempt was made to access an object |
| 4672 | Special privileges assigned to new logon |
| 4673 | A privileged service was called |
| 4688 | A new process has been created |
| 4689 | A process has exited |
| 4698 | A scheduled task was created |
| 4720 | A user account was created |
| 4768 | A Kerberos authentication ticket (TGT) was requested |
| 4769 | A Kerberos service ticket was requested |
| 4946 | A change has been made to Windows Firewall exception list. A rule was added |
| 5140 | A network share object was accessed |
| 5142 | A network share object was added |
| 5144 | A network share object was deleted |
| 5145 | A network share object was checked to see whether client can be granted desired access |
| 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections |
| 5156 | The Windows Filtering Platform has allowed a connection |
| 5447 | A Windows Filtering Platform filter has been changed |
| 8222 | Shadow copy has been created |
| 7036 | Service Control Manager started a running |
| 7045 | A new service was installed in the system. |
| 20001 | New hardware is connected to the your computer.
0 (0x00000000) Installation Successful
2 (0x00000002) File Not Found
2147942402 (0x80070002) File Not Found
2147942403 (0x80070003) Path Not Found
2147942405 (0x80070005) Access Denied
2148467251 (0x800F0233) Invalid Target
2150105198 (0x8028006E) Invalid Source Path
1459 (0x000005B3) Requires Interactive Workstation
1460 (0x000005B4) Timeout
3758096948 (0xE0000234) Driver Non-native
3758096966 (0xE0000246) Deice Installer Not Ready
|
| 80 | Event logging for applications & services under Windows Remote Management |
| 132 | Event logging for applications & services under Windows Remote Management |
| 143 | Event logging for applications & services under Windows Remote Management |
| 166 | Event logging for applications & services under Windows Remote Management |
| 81 | Event logging for applications & services under Windows Remote Management |
| 106 | Application and Service Log under \Microsoft\Windows\TaskScheduler\Operational |
| 129 | Application and Service Log under \Microsoft\Windows\TaskScheduler\Operational |
| 200 | Application and Service Log under \Microsoft\Windows\TaskScheduler\Operational |
| 201 | Application and Service Log under \Microsoft\Windows\TaskScheduler\Operational |
| 21 | Application and Service Log under \Microsoft\Windows\TerminalServices-LocalSessionManager\Operational |
| 24 | Application and Service Log under \Microsoft\Windows\TerminalServices-LocalSessionManager\Operational |
| 60 | Application and Service Log under \Microsoft\Windows\Bits-Client |
| 104 | System log files was cleared |