BluSapphire
Lateral Movement Logging Recommendations
Windows Event IDs to monitor
Lateral movement is the movement of attackers within an organization's infrastructure, either to gain additional credentials or to steal data. Attackers use a variety of tools and techniques to move laterally through a network and map its systems.
Below is the list of event IDs to monitor and hunt for that help detect such activity.
| Event ID | Threat Actor Behavior |
|---|---|
| 4624 | An account was successfully logged on |
| 4634 | An account was logged off |
| 4648 | A logon was attempted using explicit credentials |
| 4656 | A handle to an object was requested |
| 4658 | The handle to an object was closed |
| 4660 | An object was deleted |
| 4663 | An attempt was made to access an object |
| 4672 | Special privileges assigned to new logon |
| 4673 | A privileged service was called |
| 4688 | A new process has been created |
| 4689 | A process has exited |
| 4698 | A scheduled task was created |
| 4720 | A user account was created |
| 4768 | A Kerberos authentication ticket (TGT) was requested |
| 4769 | A Kerberos service ticket was requested |
| 4946 | A change has been made to Windows Firewall exception list. A rule was added |
| 5140 | A network share object was accessed |
| 5142 | A network share object was added |
| 5144 | A network share object was deleted |
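Monitoring the IDs above individually produces a lot of noise; what makes them useful for hunting is correlating them. The following Python is an added example, not BluSapphire's code, that correlates a remote logon (4624 with a network or RDP logon type, or a 4648 explicit-credential logon) with follow-on activity from the same list (4672, 4688, 4698, 4720, 4946, 5140, 5142, 4663) on the same host, by the same account and source address, inside a time window. The event records are a constructed, simplified schema (`ts`, `id`, `host`, `user`, `src_ip`, `logon_type`, `detail`); real Security log exports carry more fields and different names, so the field mapping is an assumption to adapt to your own pipeline.

```python
"""Correlate the Windows Security event IDs from the list above into simple
lateral-movement findings. Added example; the record schema is a constructed,
simplified stand-in for a real event-log export."""
from collections import defaultdict
from datetime import datetime, timedelta

# 4624 logon types that mean the session came from another machine:
# 3 = Network (SMB, WMI, PsExec-style service logons), 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3, 10}

# IDs from the list above that show the attacker doing something after landing:
# privileged session, process, scheduled task, account, firewall, share, object access.
FOLLOW_ON_EVENTS = {4672, 4688, 4698, 4720, 4946, 5140, 5142, 4663}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Remote network logon to a file server followed by privileged activity:
    # this is the pattern the hunt should surface.
    {"ts": "2024-03-01T10:00:00", "id": 4624, "host": "FS01", "user": "jdoe",
     "src_ip": "10.0.0.15", "logon_type": 3},
    {"ts": "2024-03-01T10:00:05", "id": 4672, "host": "FS01", "user": "jdoe",
     "src_ip": "10.0.0.15"},
    {"ts": "2024-03-01T10:00:20", "id": 4688, "host": "FS01", "user": "jdoe",
     "src_ip": "10.0.0.15", "detail": "cmd.exe"},
    {"ts": "2024-03-01T10:01:00", "id": 4698, "host": "FS01", "user": "jdoe",
     "src_ip": "10.0.0.15", "detail": "UpdateCheck"},
    # Local console logon (type 2) on the user's own workstation: benign baseline.
    {"ts": "2024-03-01T09:00:00", "id": 4624, "host": "WS15", "user": "jdoe",
     "src_ip": "-", "logon_type": 2},
    {"ts": "2024-03-01T09:00:30", "id": 4688, "host": "WS15", "user": "jdoe",
     "src_ip": "-", "detail": "outlook.exe"},
    # Remote logon whose only follow-on event is 90 minutes later: outside the
    # default window, so not flagged unless the window is widened.
    {"ts": "2024-03-01T11:00:00", "id": 4624, "host": "DC01", "user": "svc_backup",
     "src_ip": "10.0.0.50", "logon_type": 3},
    {"ts": "2024-03-01T12:30:00", "id": 5140, "host": "DC01", "user": "svc_backup",
     "src_ip": "10.0.0.50", "detail": "\\\\DC01\\SYSVOL"},
]


def _ts(ev):
    """Parse the record's ISO-8601 timestamp."""
    return datetime.fromisoformat(ev["ts"])


def _is_remote_logon(ev):
    """True for a 4624 with a remote logon type, or any 4648 (explicit credentials)."""
    if ev["id"] == 4624:
        return ev.get("logon_type") in REMOTE_LOGON_TYPES
    return ev["id"] == 4648


def find_lateral_movement(events, window_seconds=900):
    """Return one finding per remote logon that is followed, on the same host by
    the same account and source address, by follow-on activity within the window."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_key[(ev["host"], ev["user"], ev["src_ip"])].append(ev)

    findings = []
    for (host, user, src), evs in by_key.items():
        for i, logon in enumerate(evs):
            if not _is_remote_logon(logon):
                continue
            deadline = _ts(logon) + timedelta(seconds=window_seconds)
            follow = [e for e in evs[i + 1:]
                      if e["id"] in FOLLOW_ON_EVENTS and _ts(e) <= deadline]
            if follow:
                findings.append({
                    "host": host, "user": user, "src_ip": src,
                    "logon_ts": logon["ts"],
                    "follow_on_ids": sorted({e["id"] for e in follow}),
                })
    return findings


if __name__ == "__main__":
    for f in find_lateral_movement(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['user']} from {f['src_ip']} at {f['logon_ts']} "
              f"-> follow-on events {f['follow_on_ids']}")
```

With the sample data only the FS01 sequence is reported; the WS15 activity is a local logon and the DC01 share access falls outside the 15-minute window. The window and the grouping key (host, account, source) are the two knobs to tune against your environment's baseline: a short window keeps backup and management accounts quiet, while a longer one catches slower hands-on-keyboard activity at the cost of more triage.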