Event ID 1102 - Generated when event log is cleared
Event ID 4648 - Generated when a process attempts an account logon by explicitly specifying that account's credentials.
Windows Dashboard
EID 1 (Process Create)
EID 4688 (A new Process)
EID 10 (Process Access)
EID 4624 (An account was successfully logged on)
EID 4648 (A logon was attempted using explicit credentials)
EID 4656 (A handle to an object was requested)
EID 4672 (Special privileges assigned to new logon)
Logon Type 9 (NewCredentials)
GrantedAccess codes/permissions: 0x1010 & 0x1038
Splunk Use Case
Lateral Movement
Event ID 4732
Reveals that an account was added to the local admin group on a server
Event ID 4717
System security access was granted to an account
System Performance and Operations
Identify what is logging to the system
| tstats count by sourcetype
Sourcetype source host