Windows artifacts
Event IDs, registry hives, execution artifacts, USB, LNK, and browser paths
Logon Type field critical: 2=interactive, 3=network, 4=batch, 5=service, 7=unlock, 10=remote interactive, 11=cached
Check SubStatus: 0xC000006A=wrong password, 0xC0000064=bad username, 0xC000006F=outside hours
Paired with 4624. Type 3 logoffs often immediate — not reliable for session duration
Lateral movement indicator. Subject = source account, Account = target account
Indicates admin/privileged account logon. Always follows 4624 for admin accounts
Generated on DC for domain accounts. Error code 0xC000006A = wrong password
Result code 0x6 = bad username, 0x12 = disabled/expired, 0x17 = expired password
Kerberoasting generates many 4769s with encryption type 0x17 (RC4)
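The decoding the notes above describe for 4624 (Logon Type), 4625 (SubStatus), 4768/4771 (Kerberos result code) and the RC4 burst behind Kerberoasting, as an added Python example that is not part of the original cheat sheet. The event records are constructed dicts whose keys mirror the Security log EventData field names (LogonType, SubStatus, Status, TicketEncryptionType, TargetUserName); the threshold of five RC4 tickets per account is an assumed tuning value, not a documented one.

```python
# Added example: decode logon/authentication event fields and flag an
# account that requests an unusual number of RC4 (0x17) service tickets.
from collections import Counter

# 4624 Logon Type values listed in the notes above.
LOGON_TYPES = {
    2: "interactive", 3: "network", 4: "batch", 5: "service",
    7: "unlock", 10: "remote interactive", 11: "cached",
}

# 4625 SubStatus values listed in the notes above.
SUBSTATUS = {
    0xC000006A: "wrong password",
    0xC0000064: "bad username",
    0xC000006F: "outside allowed hours",
}

# Kerberos (4768/4771) result codes listed in the notes above.
KRB_RESULT = {0x6: "bad username", 0x12: "disabled/expired", 0x17: "expired password"}

RC4_HMAC = 0x17  # TicketEncryptionType in 4769 for RC4-HMAC tickets


def describe(event):
    """Return a one-line triage note for a single event record."""
    eid = event["EventID"]
    user = event.get("TargetUserName", "?")
    if eid == 4624:
        lt = int(event["LogonType"])
        return f"logon type {lt} ({LOGON_TYPES.get(lt, 'unknown')}) for {user}"
    if eid == 4625:
        code = int(event["SubStatus"], 16)  # int() accepts the 0x prefix
        return f"failed logon for {user}: {SUBSTATUS.get(code, hex(code))}"
    if eid in (4768, 4771):
        code = int(event["Status"], 16)
        return f"kerberos failure for {user}: {KRB_RESULT.get(code, hex(code))}"
    return f"event {eid}"


def rc4_ticket_requests(events, threshold=5):
    """Accounts with more than `threshold` RC4 service-ticket requests (4769).

    Returns {requesting account: count}. A single user pulling RC4 tickets for
    many distinct SPNs in a short window is the pattern the notes above call
    out; the threshold is an assumed value and should be tuned per environment.
    """
    counts = Counter(
        e["TargetUserName"]
        for e in events
        if e["EventID"] == 4769 and int(e["TicketEncryptionType"], 16) == RC4_HMAC
    )
    return {user: n for user, n in counts.items() if n > threshold}


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": "10", "TargetUserName": "jdoe"},
    {"EventID": 4625, "SubStatus": "0xC000006A", "TargetUserName": "jdoe"},
    {"EventID": 4768, "Status": "0x12", "TargetUserName": "svc_old"},
] + [
    {"EventID": 4769, "TicketEncryptionType": "0x17",
     "TargetUserName": "analyst1", "ServiceName": f"svc{i}"}
    for i in range(8)
] + [
    {"EventID": 4769, "TicketEncryptionType": "0x12",
     "TargetUserName": "jdoe", "ServiceName": "cifs"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS[:3]:
        print(describe(ev))
    print("RC4 burst:", rc4_ticket_requests(SAMPLE_EVENTS))
```

The AES ticket (0x12) for jdoe is ignored on purpose: only the RC4 count per requesting account is tracked, which is the signal the notes above single out.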
Check creator account — lateral movement often creates local accounts
Enabling dormant admin accounts is a persistence technique
Adding to Domain Admins (group 512) is high priority
Adding to Administrators, Remote Desktop Users — lateral movement indicator
Enterprise Admins membership changes
Requires audit policy. New Process Name + Creator Process. Enable command-line logging for full visibility
Paired with 4688. Exit code 0=clean, non-zero=error/crash
Richer than 4688: includes hash, parent cmdline, current directory. Gold standard
Process-to-IP mapping. Catches C2 beaconing. Pairs with 4688/1
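The process-to-IP pairing the notes above describe (Sysmon Event 1 joined to Event 3 on ProcessGuid, then looking for regular outbound intervals), as an added Python example that is not part of the original cheat sheet. The records are constructed dicts using Sysmon's field names (ProcessGuid, Image, ParentImage, UtcTime, DestinationIp, DestinationPort); the jitter tolerance and minimum connection count are assumed tuning values.

```python
# Added example: join Sysmon process-creation (1) and network-connection (3)
# events by ProcessGuid and flag processes whose connections to a single
# destination recur at a near-constant interval.
from datetime import datetime
from statistics import pstdev

SYSMON_PROCESS_CREATE = 1
SYSMON_NETWORK_CONNECT = 3
TIME_FMT = "%Y-%m-%d %H:%M:%S"  # Sysmon UtcTime, fractional part dropped here


def join_network_to_process(events):
    """Map ProcessGuid -> (event 1 record or None, time-sorted event 3 records)."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == SYSMON_PROCESS_CREATE}
    conns = {}
    for e in events:
        if e["EventID"] == SYSMON_NETWORK_CONNECT:
            conns.setdefault(e["ProcessGuid"], []).append(e)
    return {
        guid: (procs.get(guid), sorted(c, key=lambda x: x["UtcTime"]))
        for guid, c in conns.items()
    }


def beacon_candidates(joined, min_connections=4, max_jitter_s=2.0):
    """Return (image, (dest ip, dest port), mean interval seconds) for regular callers.

    Regularity is judged by the population standard deviation of the gaps
    between successive connections to the same destination.
    """
    findings = []
    for guid, (proc, conns) in joined.items():
        by_dest = {}
        for c in conns:
            key = (c["DestinationIp"], c["DestinationPort"])
            by_dest.setdefault(key, []).append(datetime.strptime(c["UtcTime"], TIME_FMT))
        for dest, times in by_dest.items():
            if len(times) < min_connections:
                continue
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if pstdev(gaps) <= max_jitter_s:
                image = proc["Image"] if proc else "<no matching event 1>"
                findings.append((image, dest, round(sum(gaps) / len(gaps), 1)))
    return findings


# Constructed sample records (not real log data). Paths and IPs are illustrative.
SAMPLE_SYSMON = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "UtcTime": "2024-05-01 09:59:58"},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "UtcTime": "2024-05-01 09:30:00"},
] + [
    {"EventID": 3, "ProcessGuid": "{A}", "DestinationIp": "203.0.113.5",
     "DestinationPort": "443", "UtcTime": t}
    for t in ("2024-05-01 10:00:00", "2024-05-01 10:01:00", "2024-05-01 10:02:00",
              "2024-05-01 10:03:01", "2024-05-01 10:04:00")
] + [
    {"EventID": 3, "ProcessGuid": "{B}", "DestinationIp": "198.51.100.20",
     "DestinationPort": "443", "UtcTime": t}
    for t in ("2024-05-01 09:31:00", "2024-05-01 09:45:12")
]

if __name__ == "__main__":
    for image, dest, interval in beacon_candidates(join_network_to_process(SAMPLE_SYSMON)):
        print(f"{image} -> {dest[0]}:{dest[1]} every ~{interval}s")
```

Joining on ProcessGuid rather than ProcessId matters because PIDs are reused; the Event 1 record also carries the parent image, which is what turns a regular caller into a triage priority when the parent is an Office application or a script host.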
ClientAddress shows source IP. Pairs with 4624 Type 10
Not logoff — session persists in disconnected state
Source IP in event. More reliable than 4624 for RDP tracking
User reconnected to existing disconnected session
Requires SACL on object. File/reg read/write/delete. High volume — filter on sensitive paths
Precedes 4663. Access Mask field: 0x80=read, 0x2=write, 0x10000=delete
Service Name + Image Path. Malware installs services as persistence. Check unusual paths
Operational record of service state changes
Complement to 7045. Requires audit policy. Includes account that installed
Task name + XML definition. Fileless malware often uses schtasks for persistence
Modification of existing task — may indicate tampering
More detail than 4698. Includes full task XML
Module logging. Captures cmdlets and output. Enable via GPO
Script block logging — most verbose PS logging. Captures deobfuscated code
HostApplication field shows invocation method. Downgrade to v2 bypasses 4104
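The engine-downgrade check the note above points at, as an added Python example that is not part of the original cheat sheet: parse the key=value detail block of a Windows PowerShell Event 400 message, pull out HostApplication, and flag any engine start that reports EngineVersion 2.x, since those sessions never produce 4104 script-block events. The two message bodies are constructed to match the layout of real 400 events; the version strings and host application values in them are illustrative.

```python
# Added example: detect PowerShell v2 engine starts from Event 400 messages.
import re

DETAIL_LINE = re.compile(r"^\s*(\w+)=(.*)$")


def parse_engine_event(message):
    """Turn the 'Details:' block of an Event 400/403 message into a dict."""
    fields = {}
    for line in message.splitlines():
        m = DETAIL_LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def is_downgraded(fields):
    """True when the engine that started is version 2.x."""
    return fields.get("EngineVersion", "").split(".")[0] == "2"


def downgraded_engines(messages):
    """Parsed 400 events whose EngineVersion is 2.x, with HostApplication kept for context."""
    flagged = []
    for msg in messages:
        fields = parse_engine_event(msg)
        if is_downgraded(fields):
            flagged.append({
                "EngineVersion": fields["EngineVersion"],
                "HostApplication": fields.get("HostApplication", ""),
                "HostName": fields.get("HostName", ""),
            })
    return flagged


# Constructed sample Event 400 message bodies (not captured log data).
SAMPLE_400 = [
    "Engine state is changed from None to Available. \n\nDetails: \n"
    "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
    "\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
    "\tHostId=1f2c5a8e-0000-4000-8000-000000000001\n"
    "\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "\tEngineVersion=5.1.19041.1\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n"
    "\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
    "Engine state is changed from None to Available. \n\nDetails: \n"
    "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
    "\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n"
    "\tHostId=1f2c5a8e-0000-4000-8000-000000000002\n"
    "\tHostApplication=powershell.exe -Version 2 -NoProfile\n"
    "\tEngineVersion=2.0\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n"
    "\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
]

if __name__ == "__main__":
    for hit in downgraded_engines(SAMPLE_400):
        print(f"v2 engine start: host={hit['HostName']} app={hit['HostApplication']}")
```

Event 400 lives in the classic Windows PowerShell log, not the Operational log, so it is present even where module and script-block logging were never enabled; pairing this check with the absence of 4103/4104 for the same session is the usual confirmation.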
Share name + source IP. C$ or ADMIN$ access = lateral movement indicator
Detailed file access on shares. High volume
Always investigate. Subject shows who cleared. Timestamp = clearing time not incident time
Same significance as 1102 for System log
Pre-Vista equivalent of 1102