Lateral Movement Logging Recommendations

Windows Event IDs to monitor

Lateral movement is the movement of an attacker within an organization's infrastructure, typically to gain additional credentials or to steal data. Attackers use a variety of tools and techniques to move laterally through a network and map its systems.

Below is a list of event IDs to monitor and hunt for that help detect such activity.

Event ID   Threat Actor Behavior

Security log

4624       An account was successfully logged on
4634       An account was logged off
4648       A logon was attempted using explicit credentials
4656       A handle to an object was requested
4658       The handle to an object was closed
4660       An object was deleted
4663       An attempt was made to access an object
4672       Special privileges assigned to new logon
4673       A privileged service was called
4688       A new process has been created
4689       A process has exited
4698       A scheduled task was created
4720       A user account was created
4768       A Kerberos authentication ticket (TGT) was requested
4769       A Kerberos service ticket was requested
4946       A change has been made to the Windows Firewall exception list: a rule was added
5140       A network share object was accessed
5142       A network share object was added
5144       A network share object was deleted
5145       A network share object was checked to see whether the client can be granted the desired access
5154       The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections
5156       The Windows Filtering Platform has allowed a connection
5447       A Windows Filtering Platform filter has been changed

System log

8222       A shadow copy has been created
7036       A service entered the running (or stopped) state, as reported by the Service Control Manager
7045       A new service was installed in the system
20001      New hardware was connected to the computer (device installation); see the status codes below
104        The System log file was cleared

Status codes reported in event 20001:

0 (0x00000000)            Installation Successful
2 (0x00000002)            File Not Found
2147942402 (0x80070002)   File Not Found
2147942403 (0x80070003)   Path Not Found
2147942405 (0x80070005)   Access Denied
2148467251 (0x800F0233)   Invalid Target
2150105198 (0x8028006E)   Invalid Source Path
1459 (0x000005B3)         Requires Interactive Workstation
1460 (0x000005B4)         Timeout
3758096948 (0xE0000234)   Driver Non-native
3758096966 (0xE0000246)   Device Installer Not Ready

Applications and Services Logs

80         Windows Remote Management
132        Windows Remote Management
143        Windows Remote Management
166        Windows Remote Management
81         Windows Remote Management
106        \Microsoft\Windows\TaskScheduler\Operational
129        \Microsoft\Windows\TaskScheduler\Operational
200        \Microsoft\Windows\TaskScheduler\Operational
201        \Microsoft\Windows\TaskScheduler\Operational
21         \Microsoft\Windows\TerminalServices-LocalSessionManager\Operational
24         \Microsoft\Windows\TerminalServices-LocalSessionManager\Operational
60         \Microsoft\Windows\Bits-Client
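As an added example (not code from the original page), the following Python script shows how a defender can correlate several of the event IDs listed above into a single lateral movement hunt: a remote logon (4624 with LogonType 3 or 10) followed on the same host, by the same account, within a short window by an execution or persistence event (4688, 4698 or 7045). It also builds the XML filter one would paste into Event Viewer or pass to Get-WinEvent -FilterXml to collect the relevant IDs. The record layout, hostnames, accounts and addresses are all constructed for the example; real telemetry would come from EVTX export or a SIEM.

```python
"""
Added example (not part of the original page): correlate a constructed sample
of Windows event records, keyed on the event IDs from the list above, to
surface likely lateral movement. Records are simplified dicts, not raw EVTX;
every hostname, account and IP below is made up for the example.
"""
from datetime import datetime, timedelta

# Descriptions for the event IDs this hunt uses (taken from the list above).
EVENT_DESCRIPTIONS = {
    4624: "An account was successfully logged on",
    4648: "A logon was attempted using explicit credentials",
    4688: "A new process has been created",
    4698: "A scheduled task was created",
    5140: "A network share object was accessed",
    5145: "A network share object was checked for access",
    7045: "A new service was installed in the system",
}

# Assumption for the hunt: LogonType 3 (network) and 10 (RemoteInteractive/RDP)
# mean the session arrived over the network rather than at the console.
REMOTE_LOGON_TYPES = {3, 10}
# Follow-on IDs that turn a remote logon into an alert.
EXECUTION_IDS = {4688, 4698, 7045}
# Follow-on IDs kept as analyst context but not sufficient on their own.
CONTEXT_IDS = {5140, 5145}

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "id": 4624, "user": "alice", "logon_type": 2},
    {"ts": "2024-05-01T09:01:00", "host": "FS01", "id": 4624, "user": "bob", "logon_type": 3, "src_ip": "10.0.0.31"},
    {"ts": "2024-05-01T09:01:02", "host": "FS01", "id": 5140, "user": "bob"},
    {"ts": "2024-05-01T09:05:10", "host": "FS01", "id": 4624, "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.0.25"},
    {"ts": "2024-05-01T09:05:12", "host": "FS01", "id": 5145, "user": "svc_backup"},
    {"ts": "2024-05-01T09:05:15", "host": "FS01", "id": 7045, "user": "svc_backup"},
    {"ts": "2024-05-01T09:05:16", "host": "FS01", "id": 4688, "user": "svc_backup"},
    {"ts": "2024-05-01T09:20:00", "host": "DC01", "id": 4624, "user": "svc_backup", "logon_type": 10, "src_ip": "10.0.0.25"},
    {"ts": "2024-05-01T09:20:30", "host": "DC01", "id": 4698, "user": "svc_backup"},
    {"ts": "2024-05-01T09:31:00", "host": "WS02", "id": 7045, "user": "carol"},
]


def find_lateral_movement(events, window_seconds=120):
    """Return alerts as dicts: host, user, src_ip, logon_ts, follow_on IDs.

    An alert requires a remote 4624 and at least one EXECUTION_IDS event from
    the same account on the same host inside the window. CONTEXT_IDS events in
    that window are added to follow_on so the analyst sees the full sequence.
    """
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    alerts = []
    for i, ev in enumerate(ordered):
        if ev["id"] != 4624 or ev.get("logon_type") not in REMOTE_LOGON_TYPES:
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        follow_on = []
        for later in ordered[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > timedelta(seconds=window_seconds):
                break  # events are time-ordered, so nothing further can match
            if (later["host"] == ev["host"] and later["user"] == ev["user"]
                    and later["id"] in EXECUTION_IDS | CONTEXT_IDS):
                follow_on.append(later["id"])
        if any(eid in EXECUTION_IDS for eid in follow_on):
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "src_ip": ev.get("src_ip", "?"),
                "logon_ts": ev["ts"],
                "follow_on": follow_on,
            })
    return alerts


def build_xml_filter(event_ids, channel="Security"):
    """Build an Event Viewer custom XML query (also accepted by Get-WinEvent -FilterXml)."""
    clause = " or ".join(f"EventID={eid}" for eid in sorted(event_ids))
    return (f'<QueryList><Query Id="0" Path="{channel}">'
            f'<Select Path="{channel}">*[System[({clause})]]</Select>'
            f'</Query></QueryList>')


def describe(alert):
    """One-line, human-readable summary of an alert for a triage report."""
    steps = "; ".join(f"{eid} {EVENT_DESCRIPTIONS[eid]}" for eid in alert["follow_on"])
    return (f"{alert['logon_ts']} {alert['user']}@{alert['host']} from "
            f"{alert['src_ip']}: remote logon followed by {steps}")


if __name__ == "__main__":
    for alert in find_lateral_movement(SAMPLE_EVENTS):
        print(describe(alert))
    print(build_xml_filter({4624, 4648, 7045}))
```

In the sample, bob's network logon to FS01 followed only by a share access (5140) produces no alert, while svc_backup's logon followed by a new service and a new process does, as does the later RDP logon to DC01 followed by a scheduled task. The 120 second window and the choice of which IDs count as execution are tuning knobs; widen them for slow actors and expect more noise from legitimate administration.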
