Lateral Movement Logging Recommendations
Windows Event IDs to monitor
Lateral movement is the movement of attackers within an organization's infrastructure after initial access, whether to gain additional credentials or to steal data. Attackers may use a range of tools and techniques to move laterally through a network and map its systems.
Below is a list of event IDs to monitor and hunt for that help detect such activity.
| Event ID | Threat Actor Behavior |
|---|---|
| 4624 | An account was successfully logged on |
| 4634 | An account was logged off |
| 4648 | A logon was attempted using explicit credentials |
| 4656 | A handle to an object was requested |
| 4658 | The handle to an object was closed |
| 4660 | An object was deleted |
| 4663 | An attempt was made to access an object |
| 4672 | Special privileges assigned to new logon |
| 4673 | A privileged service was called |
| 4688 | A new process has been created |
| 4689 | A process has exited |
| 4698 | A scheduled task was created |
| 4720 | A user account was created |
| 4768 | A Kerberos authentication ticket (TGT) was requested |
| 4769 | A Kerberos service ticket was requested |
| 4946 | A change has been made to the Windows Firewall exception list: a rule was added |
| 5140 | A network share object was accessed |
| 5142 | A network share object was added |
| 5144 | A network share object was deleted |
| 5145 | A network share object was checked to see whether the client can be granted the desired access |
| 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections |
| 5156 | The Windows Filtering Platform has allowed a connection |
| 5447 | A Windows Filtering Platform filter has been changed |
| 8222 | Shadow copy has been created |
| 7036 | Service Control Manager: a service entered the running (or stopped) state |
| 7045 | A new service was installed in the system |
| 20001 | New hardware is connected to your computer. Status codes: 0 (0x00000000) Installation Successful; 2 (0x00000002) File Not Found; 2147942402 (0x80070002) File Not Found; 2147942403 (0x80070003) Path Not Found; 2147942405 (0x80070005) Access Denied; 2148467251 (0x800F0233) Invalid Target; 2150105198 (0x8028006E) Invalid Source Path; 1459 (0x000005B3) Requires Interactive Workstation; 1460 (0x000005B4) Timeout; 3758096948 (0xE0000234) Driver Non-native; 3758096966 (0xE0000246) Device Installer Not Ready |
| 80 | Event logging for applications & services under Windows Remote Management |
| 132 | Event logging for applications & services under Windows Remote Management |
| 143 | Event logging for applications & services under Windows Remote Management |
| 166 | Event logging for applications & services under Windows Remote Management |
| 81 | Event logging for applications & services under Windows Remote Management |
| 106 | Application and Service Log under \Microsoft\Windows\TaskScheduler\Operational |
| 129 | Application and Service Log under \Microsoft\Windows\TaskScheduler\Operational |
| 200 | Application and Service Log under \Microsoft\Windows\TaskScheduler\Operational |
| 201 | Application and Service Log under \Microsoft\Windows\TaskScheduler\Operational |
| 21 | Application and Service Log under \Microsoft\Windows\TerminalServices-LocalSessionManager\Operational |
| 24 | Application and Service Log under \Microsoft\Windows\TerminalServices-LocalSessionManager\Operational |
| 60 | Application and Service Log under \Microsoft\Windows\Bits-Client |
| 104 | The System log file was cleared |
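The event IDs above are most useful when correlated rather than alerted on one at a time. The following is an added example, not part of the original page: a small correlator that takes constructed sample records (timestamp, event ID, host, account; the `ts|id|host|account` format and the sample values are assumptions) and flags a host where a logon (4624) is followed within a short window by two or more of the follow-on IDs from the table for the same account.

```python
# Added example (not from the original page): correlate the event IDs from the
# table above over constructed sample records. A host that receives a logon
# (4624) and, within WINDOW, two or more follow-on events from the table for
# the same account is flagged for review. The record format is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

# Follow-on IDs from the table that commonly accompany movement after a logon.
FOLLOW_ON_IDS = {4648, 4672, 4688, 4698, 5140, 5145, 7045}
WINDOW = timedelta(minutes=10)

def parse_record(line):
    """Parse a constructed 'ts|event_id|host|account' line into a dict."""
    ts, event_id, host, account = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "id": int(event_id),
            "host": host, "account": account.lower()}

def correlate(records):
    """Return (host, account, [event ids]) for every 4624 logon that is followed
    by at least two distinct follow-on IDs within WINDOW on the same host."""
    by_key = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_key[(r["host"], r["account"])].append(r)
    alerts = []
    for (host, account), events in by_key.items():
        for i, ev in enumerate(events):
            if ev["id"] != 4624:
                continue
            seen = {e["id"] for e in events[i + 1:]
                    if e["id"] in FOLLOW_ON_IDS and e["ts"] - ev["ts"] <= WINDOW}
            if len(seen) >= 2:
                alerts.append((host, account, sorted(seen)))
    return alerts

# Constructed sample records (timestamp|event_id|host|account), not real logs.
SAMPLE = [
    "2024-01-10T09:00:00|4624|FILESRV01|CORP\\jsmith",
    "2024-01-10T09:00:05|4672|FILESRV01|CORP\\jsmith",
    "2024-01-10T09:01:30|7045|FILESRV01|CORP\\jsmith",
    "2024-01-10T09:02:00|5140|FILESRV01|CORP\\jsmith",
    "2024-01-10T09:30:00|4624|WKSTN07|CORP\\alee",
    "2024-01-10T09:31:00|4634|WKSTN07|CORP\\alee",
]

def run_sample():
    """Run the correlator over the constructed sample and return the alerts."""
    return correlate([parse_record(line) for line in SAMPLE])

if __name__ == "__main__":
    for host, account, ids in run_sample():
        print(f"ALERT {host} {account}: logon followed by {ids}")
```

In practice the records would come from an exported event log (for example `Get-WinEvent` output) and the window, ID set and threshold tuned to the environment's normal administrative activity.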