Threat Hunting for Windows Event Logs

Alican Kiraz
5 min readApr 11, 2023
Sicario (2015)

Firewall, Windows Event Logs, and Linux Audit Logs are the most basic logs that strengthen our hands when we hunt threats in an institution’s cyber infrastructure. Precious data is created when our correlations in SIEM are enriched with Sysmon, Linux Auditd, and HIDS — NIDS Logs. In this article, we will look at how to detect various attacks on Windows Event Logs.

Windows Event Logs allow us to analyze many attacker actions and detect attacks. All versions of Windows maintain three main event logs:

  • Application
  • System
  • Security

Here are the activity categories you can choose to audit:

  • Audit account logon events
  • Audit account management
  • Audit directory service access
  • Audit logon events
  • Audit object access
  • Audit policy change
  • Audit privilege use
  • Audit process tracking
  • Audit system events

Now let’s skip these basics; Because there are already a lot of detailed articles about logging systems.

Suspicious Windows Event IDs

Event IDs specific to account logon events:

  • 4624 (successful logon)
  • 4625 (failed logon)
  • 4634 (successful logoff)
  • 4647 (user-initiated logoff)
  • 4648 (logon using explicit credentials)
  • 4672 (special privileges assigned)
  • 4768 (Kerberos ticket (TGT) requested)
  • 4769 (Kerberos service ticket requested)
  • 4771 (Kerberos pre-auth failed)
  • 4776 (attempted to validate credentials)
  • 4778 (session reconnected)
  • 4779 (session disconnected)

In addition to the Event IDs, we should also pay attention to the Logon Type. It will tell us how the relevant session is opened in Logon Type.

Forged Kerberos Tickets

The most commonly found kinds of forged tickets are:

  • Golden Tickets
  • Silver Tickets

Golden Tickets are fake Kerberos TGTs that can be used to request TGS tickets for any service on any computer in the domain.

To create a golden ticket;

  • Domain SID
  • Domain Name
  • Domain KRBTGT Account NTLM password hash
  • UserID for impersonation

Detection of Abnormal Golden Tickets

To detect the Golden Tickets, we need to check if the TGS requests came before the TGT request came. Also noteworthy is the triggering of Event ID: 4769 with status code 0x1F. Finally, we can identify suspicious TGT tickets by comparing the authentication ticket with the difference between StartTime and EndTime.

Detection of Abnormal Silver Tickets

To detect it, we have to check for invalid Privsvr signatures in Kerberos TGS.

Detect Password Attacks

The anomaly here will be when the condition “EventID=4625 AND Logon_Type=3” occurs several times.

Splunk Use Case for Detection;

index=WinEventLog EventID=4625 AND Logon_Type=3
| stats count as login_fail by user | search login_fail > 3

You can also exclude machine users while providing detection. You can add “user!=*$” to the search for this.

Detection of PowerView and BloodHound

We can track LDAP SearchRequests with DC Event Log 1644 to detect PowerView and BloodHound.

Detection of Abnormal Scheduled Tasks

Event IDs 4698 and 106, 200, and 201 are all related to scheduled tasks.

Detection of Abnormal Pass The Hash

In detecting Pass The Hash attacks, we should check Login Type 3 and Event ID 4624. Additionally, we should check if the Logon Process’s NtLmSsP and key length are set to 0.

Detection of Abnormal Network Shares

Event ID 4776 is specific to the NTLM protocol, so we should see Check Success or Check Failure. The Error Code will also inform us about this attempt.

Detection of Abnormal RDP Sessions

When looking for suspicious RDP sessions, we should look for Login Type 10 and Event IDs 4624–4778. In addition, we should check the expected unwanted accesses after 4624 and 4625.

Detection of Abnormal Service Creations

We should examine and track Event ID 4697.

We can also check on the machine from the registry hive below.

Windows Services Check
● SYSTEM\ControlSet00#\Service\
● SYSTEM\ControlSet00#\Service\<name>\Start

Detection of Remote Execution Through WinRM

It can be detected by establishing a relationship between Event ID 4624 and Sysmon Event ID 1. Specifically, we will see two logs with Sysmon Event ID 1 and Event ID 4624, whose ParentImage is C:\Windows\System32\winrshost.exe.

Detection of PsExec

We can check the triggers of 5145, 5140, 4697 / 7045, and 4688 / Sysmon EID 1 to detect PsExec.

Thank you for reading. See you soon :)



Alican Kiraz

Head of Cyber Defense Center | CSIE | CSAE | CCISO | CASP+ | OSCP | eCIR | CPENT | eWPTXv2 | eCDFP | eCTHPv2 | OSWP | CEH Master | Pentest+ | CySA+ and more...