Cheat Sheet

The following is a cheat sheet of useful Windows Event logs.

4624: An account was successfully logged on

  • Log Source: Client - This event is generated on the computer that was accessed.
  • Policy: Logon/Logoff audit
  • Type: Success
  • Links:
  • Relevant Fields:
    • Subject: (Who is doing the logon)
      • Account Name
      • Account Domain
    • Logon Type [1]
    • New Logon:
      • Account Name
      • Account Domain
      • Logon ID
    • Network Information: (Values can be blank; most of the time this means a local logon)
      • Workstation Name: Where the logon happened
      • Source Network Address: From where the logon happened
  • Known Limitations: N/A
  • Additional Recommendations: N/A

4625: An account failed to log on

  • Log Source: Client - This event is generated on the computer from where the logon attempt was made.
  • Policy: Logon/Logoff audit
  • Type: Failure
  • Links:
  • Relevant Fields:
    • Subject: (Who is doing the logon)
      • Account Name
      • Account Domain
    • Logon Type [1]
    • Account For Which Logon Failed:
      • Account Name
      • Account Domain
      • Logon ID
    • Network Information: (Values can be blank; most of the time this means a local logon)
      • Workstation Name
      • Source Network Address
  • Relevant Failure Codes:
    • 0xC0000064 (User logon with misspelled or bad user account)
    • 0xC000006A (User logon with misspelled or bad password)
    • 0xC000006D (The cause is either a bad username or authentication information)
  • Known Limitations: Does not cover all types of logons
  • Additional Recommendations: Even if Client logs are not available, still collect this event on the domain controller

4648: A logon was attempted using explicit credentials.

This event is generated when a process attempts an account logon by explicitly specifying that account's credentials, regardless of whether the attempt succeeds. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the "RUNAS" command.

  • Log Source: Client - This event is generated on the computer from where the logon attempt was made.
  • Policy: Logon/Logoff audit - Logon
  • Type: Success
  • Links:
  • Relevant Fields:
    • Subject: (Who is doing the logon)
      • Account Name
      • Account Domain
    • Account For Which Logon Failed:
      • Account Name
      • Account Domain
      • Logon ID
    • Target Server
      • Target Server Name (For example a SharePoint server; blank or localhost means the local computer)
    • Network Information:
      • Network Address (Source of the logon request; most of the time blank, filled in when using RDP)
  • Known Limitations: N/A
  • Additional Recommendations: A high volume of these events can indicate brute-force attempts.

4672: Special privileges assigned to new logon

This event is generated when a logon for an account with sensitive privileges occurs.

  • Log Source: DC, Client
  • Policy: Logon/Logoff audit -> Special Logon
  • Type: Success
  • Links:
  • Relevant Fields:
    • Subject: (Who is doing the logon)
      • Account Name
      • Account Domain
      • Logon ID
    • Privileges
  • Known Limitations: N/A
  • Additional Recommendations: N/A

4768: A Kerberos authentication ticket (TGT) was requested

Issued when a client requests a new TGT. Helps track initial logons with Kerberos.

  • Log Source: Domain Controller
  • Policy: Account Logon -> Kerberos Service Ticket Operations
  • Type: Success, Failure
  • Links:
  • Relevant Fields:
    • Account Information:
      • Account Name (Computer account name ends with a $)
      • Supplied Realm Name (Domain of the account)
    • Network Information:
      • Client Address
    • Additional Information
      • Result Code (0x0 = Success, else failure)
      • Ticket Encryption Type
  • Success Status Code:
    • 0x0
  • Relevant Failure Codes:
    • 0x6 (Client not found in Kerberos database - The username doesn’t exist.)
    • 0x12 (Client’s credentials have been revoked - For example: account disabled, expired, or locked out.)
    • 0x18 (Pre-authentication information was invalid - The wrong password was provided.)
  • Known Limitations: N/A
  • Additional Recommendations:
    • This also logs requests by computer accounts (account names ending with a $).
    • For anomaly-based detection ("machine learning"), further fields such as Ticket Encryption Type or Pre-Authentication Type could be useful.

4769: A Kerberos service ticket was requested

Issued when a client requests a new TGS. Allows tracking of service usage.

  • Log Source: Domain Controller
  • Policy: Account Logon -> Kerberos Authentication Service
  • Type: Success, Failure
  • Links:
  • Relevant Fields:
    • Account Information:
      • Account Name (Computer account name ends with a $)
      • Account Domain (Domain of the account)
    • Service Information
      • Service Name
    • Network Information:
      • Client Address
    • Additional Information
      • Result Code (0x0 = Success, else failure)
      • Ticket Encryption Type
  • Success Status Code:
    • 0x0
  • Relevant Failure Codes:
    • 0x20 (TGS expired)
  • Known Limitations: N/A
  • Additional Recommendations:
    • This also logs requests by computer accounts (account names ending with a $).
    • For anomaly-based detection ("machine learning"), further fields such as Ticket Encryption Type could be useful.

4770: A Kerberos service ticket was renewed

Issued when a client renews a TGS.

  • Log Source: Domain Controller
  • Policy: Account Logon -> Kerberos Service Ticket Operations
  • Type: Success
  • Links:
  • Relevant Fields:
    • Account Information:
      • Account Name (Computer account name ends with a $)
      • Supplied Realm (Domain of the account)
    • Service Information
      • Service Name
    • Network Information:
      • Client Address
    • Additional Information
      • Ticket Encryption Type
  • Known Limitations: N/A
  • Additional Recommendations:
    • Not sure if really needed.

4771: Kerberos pre-authentication failed.

Issued when the username or password used for the TGT request is invalid.

  • Log Source: Domain Controller
  • Policy: Account Logon -> Kerberos Authentication Service
  • Type: Failure
  • Links:
  • Relevant Fields:
    • Account Information:
      • Security ID
      • Account Name (Computer account name ends with a $)
    • Network Information (Values can be blank; most of the time this means a local logon):
      • Client Address
    • Additional Information
      • Result Code
      • Ticket Encryption Type
  • Relevant Result (Failure) Codes:
    • 0x18 (Pre-authentication information was invalid - The wrong password was provided.)
  • Known Limitations: N/A
  • Additional Recommendations: N/A

4776: The computer attempted to validate the credentials for an account

This event is generated every time a credential validation occurs using NTLM authentication.

  • Log Source: Domain Controller, Client
  • Policy: Account Logon -> Credential Validation
  • Type: Success, Failure
  • Links:
  • Relevant Fields:
    • Logon Account
    • Source Workstation
    • Error Code
  • Success Code: 0x0
  • Relevant Result (Failure) Codes:
    • C0000064 (user name does not exist)
    • C000006A (user name is correct but the password is wrong)
  • Known Limitations: N/A
  • Additional Recommendations: The old name of this event was "The domain controller attempted to validate the credentials for an account".
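As an added example (not part of the cheat sheet), the following Python turns the failure-code tables above for 4625, 4768, 4771 and 4776 into a small triage helper: it parses events in the XML layout Event Viewer exports, maps each event's code to its meaning, skips computer accounts (names ending in $, as noted under 4768) and counts the remaining failures per source address so that a high volume from one address stands out. The EventData names used (TargetUserName, Status, SubStatus, IpAddress, Workstation, WorkstationName) are those events' own field names; the sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FAILURE_CODES = {  # meanings from the cheat sheet, keyed by event ID (lower-cased for matching)
    4625: {"0xc0000064": "bad user account", "0xc000006a": "bad password",
           "0xc000006d": "bad username or authentication information"},
    4768: {"0x6": "client not found", "0x12": "credentials revoked", "0x18": "bad pre-authentication"},
    4771: {"0x18": "bad pre-authentication"},
    4776: {"0xc0000064": "user name does not exist", "0xc000006a": "wrong password"},
}

def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one event in Event Viewer's XML export layout."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    return event_id, {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}

def classify(event_id, data):
    """Map one event to (account, source, reason), or None if it is not a tracked failure."""
    codes = FAILURE_CODES.get(event_id, {})
    # 4625 keeps the specific reason in SubStatus (Status is usually the generic 0xC000006D);
    # the other IDs use Status. 0x0 means success and is never in the table.
    code = data.get("SubStatus", "0x0").lower()
    if code not in codes:
        code = data.get("Status", "0x0").lower()
    if code not in codes:
        return None
    source = data.get("IpAddress") or data.get("Workstation") or data.get("WorkstationName") or "local"
    if source.startswith("::ffff:"):   # Kerberos events report IPv4 clients as IPv4-mapped IPv6
        source = source[len("::ffff:"):]
    return data.get("TargetUserName", ""), source, codes[code]

def failures_by_source(xml_events, threshold=3):
    """Count tracked failures per source, skipping computer accounts (names ending with $)."""
    counts = {}
    for hit in filter(None, (classify(*parse_event(x)) for x in xml_events)):
        if not hit[0].endswith("$"):
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}

def sample(event_id, **fields):
    """Build a constructed sample event (not real log data) in the exported XML layout."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System><EventData>{body}</EventData></Event>'

SAMPLE_EVENTS = [  # constructed: three failures from 10.0.0.5 plus one computer-account success
    sample(4625, TargetUserName="jdoe", Status="0xc000006d", SubStatus="0xc000006a", IpAddress="10.0.0.5"),
    sample(4768, TargetUserName="jdoe", Status="0x18", IpAddress="::ffff:10.0.0.5"),
    sample(4771, TargetUserName="admin", Status="0x18", IpAddress="::ffff:10.0.0.5"),
    sample(4768, TargetUserName="WS01$", Status="0x0", IpAddress="::ffff:10.0.0.7"),
]
```

Running `failures_by_source(SAMPLE_EVENTS)` returns `{"10.0.0.5": 3}`, because the 4625, 4768 and 4771 failures all resolve to the same client once the IPv4-mapped prefix is stripped.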

Footnotes

  1. Microsoft - Logon Types