ActiveDirectory persistence

Security

4720

A user account was created. Logged both for local SAM accounts and domain accounts and includes the creator SID, domain, username and Logon ID.

Security

4722

A user account enabled, logged both for local SAM accounts and domain accounts and is always logged after a Security event 4720 - user account creation.

Security

4723

An attempt was made to change an account's password. Logged both for local SAM accounts and domain accounts when an user attempts to change his/her own password. This event is logged only if the user entered his/her correct password and reported as a failure if his/her new password fails to meet the password policy. Includes the SID, domain, username and Logon ID of the user that performed the password change.

Security

4724

An attempt was made to reset an accounts password. Logged both for local SAM accounts and domain accounts when an user attempts to change another user password. This event is logged only if the user correct password is specified, the user attempting the password reset as the necessary permissions to do so, and reported as a failure if his/her new password fails to meet the password policy. Includes the SID, domain, username and Logon ID of the user that performed the password change.

Security

4670

Permissions on an object were changed. This event generates when the permissions for an object are changed

Security

4738

A user account was changed. Logged both for local SAM accounts and domain accounts when an user object attributes are modified. The old and new value for the updated attribute is logged. If all attributes are marked as "-", an update on a attribute that is not listed in the event log or a modification on the user DACL object has occurred. The AD - Exploiting DACL note can be consulted for more information on exploitable DACL on user principal object. In addition to a potential modification on the user object DACL, this event can be used to detect the following persistence means: - addition of SID in the SID History of an user - disabling of Kerberos Require Preauth to make the account vulnerable to ASREPRoast.

Security

4732

A member was added to a security-enabled local group. Logged on domain controllers for Active Directory domain local groups and member computer for local SAM groups.

System

7030

Basic Service Operations. Occurs when a service is configured as an interactive, which is not supported since Windows Vista and Windows Server 2008 (du to security risks posed by interactive services).

System

7045,4697

A service was installed in the system.

System

7035, 7036

The <SERVICE_NAME> service was successfully sent a <start/stop> control. and The <SERVICE_NAME> service entered the <running/stopped> state. A run / stop signal is sent then the service is effectively started / stopped.

Security

4697

A service was installed in the system from Windows Server 2016 and Windows 10

System

7040

Service start type was changed

System

1056

DHCP server oddities

Security

4688

A new process has been created. Occurs when a process is created and include information about the process: creator subject (SID, account domain and name as well as the Logon ID), creator PID, token elevation type. etc. If enabled, the "process command line" field include the command line of the process.