Threat Hunting Windows Event Logs


Event logs are a fantastic way to spot potential attacks on a Windows Machine and be able to explain what and how it occurred. However, not all event logs are useful, even if there are lot of them. It can be intimidating and requires good eyes to read through these logs.

This blog will explain why some event logs are more useful than others and how to use them.

Event log structure in windows

The Windows event log captures hardware and software events that take place on a Windows operating system. It helps network administrators in keeping an eye out for threats and issues that could harm performance. Windows maintains event logs in a standardized format that makes it possible to understand the data. The following are an event log's primary components:

·       Log name: Name of the event log to which events from different logging components will be written. Events are commonly logged for system, security, and applications.

·       Event date/time: Includes the date and time when the event occurred.

·       Task category: Identifies the type of recorded event log. Application developers can also define task categories to serve as extra information about the event.

·       Event ID: This Windows identification number helps network administrators uniquely identify a specific logged event.

·       Source: Name of the program or software causing the event log.

·       Level: Event level represents the severity of the recorded event log. These include information, error, verbose, warning, and critical.

·       User: Name of the user who logged onto the windows computer when the event occurred.

·       Computer: Name of the computer logging the event.


Windows event logs are stored under:




Each event has an event ID and is written on the channels of the event log. Common channels include:

·       Application

·       Security

·       Application


There are 4 different types of channels:

·       Analytic

·       Debug

·       Operational

·       Administrative


About Tools

Considering tools, Microsoft has an event viewer for static analysis of event logs, but I don't suggest using it because it makes it difficult to develop sophisticated filters. You have two wonderful options: PowerShell, which offers simpler filtering, and out-grid view, which provides a GUI. Additionally, there is a for-profit product called Event Log Explorer.

You must use your SIEM to produce visualizations for each of these and add them to a dashboard for dynamic analysis in an enterprise.

Logon Activity

Your login information will be stolen and used by adversaries. We can see successful authentication and logoff, event IDs 4624 and 4634. A field named logon ID is present in these events. When a logon and logoff event have the same logon ID, the session length can be determined. It is important to whitelist built-in DWM and UMFD (Desktop Windows Manager & User mode Font Driver) logons while analyzing 4624 events as this would greatly reduce noise.

A significant number of failed logon attempts—4625—indicate brute force activity. Successful logons in great numbers indicate lateral movement activity. Event 4648 records other credentials when they are used for various tasks like process creation, network sharing, RDP, etc. However, we also need to be aware that this event may possibly generate false positives that need to be whitelisted. We can identify user logons with admin-level access by using the 4672 and 4624 commands. We should whitelist default Windows accounts like SYSTEM when watching these events. Event 4720 will identify any new accounts that adversaries create. The field labelled "logon type" in the logon event contains information on how the logon took place.



Accounts may be added by adversaries to groups with administrative authority. These events can be used to keep an eye on the groupings. The important event id to be monitored for such events are as follows:

4728: A member was added to a security-enabled global group

4732: A member was added to a security-enabled local group

4756: A member was added to a security-enabled universal group

Account Logon

Previously, I have already explained about logon, but account logon and logon are two different things. Account Logon refers to third-party authentication, whereas Logon refers to local login activity that takes place on the local system and the log is generated there. Users must authenticate to the domain controller in an enterprise domain, and as a result, both the domain controller and the local system generate logs. Account Logon events is generated on the local system if we log in with a local account.


NTLM and Kerberos are the two methods of authentication available in a corporate environment. Adversaries often use the pass-the-hash (PtH) method, which makes advantage of NTLM. In this scenario, 4624 event id and logon type 9 or 3, Event ids 4648, and 4672 will also be observed along with 4776.

Important Event Id:

4776: The computer attempted to validate the credentials for an account

4768: A Kerberos authentication ticket (TGT) was requested

4769: A Kerberos service ticket was requested

4771: Kerberos pre-authentication failed


These events can allow us to detect reconnaissance activity in the network. We need to whitelist mmc, services, taskhostw, and explorer.


Powerview and Bloodhound are tools that adversaries use to enumerate privileged users and groups. We can use these events to detect who is running what process to enumerate the privileged users and groups.

Important Event Id:

4798: A user’s local group membership was enumerated

4799: A security-enabled local group membership was enumerated


Remote Desktop Connection (RDP)

RDP is one of the many ways adversaries might roam in our environment. RDP generates the events 4778 for session reconnect and 4779 for session disconnect. Not only that, but RDP is also related to standard logon 4624 types 7 and 10. It must be emphasized that 4778 only records reconnections; fresh connections are not recorded. 

Important Event Id:

4778: A session was reconnected to a Window Station

4779: A session was disconnected from a Window Station


Network Share

To move throughout the environment laterally, network shares can be mounted to share types such as C$, ADMIN$, and IPC$. A share's access event 5140 is recorded, but it might not contain all the details we need; therefore, we can also use the considerably verbose event 5145.

Important Event Id:

5140: Network share was accessed

5145: Shared object accessed


Schedule Tasks

Persistence is very important to adversaries and scheduled tasks are one way they maintain persistence. When an adversary creates a new scheduled tasks 4698 and 106 are triggered.

Important Event Id:

4698: Scheduled Task Created

4699: Scheduled Task Deleted

4700: Scheduled Task Enabled

4701: Scheduled Task Disabled

4702: Scheduled Task Updated


We can also investigate the Task Scheduler channel through the event given below:


106: Scheduled Task Created

140: Scheduled Task Updated

141: Scheduled Task Deleted

200: Scheduled Task Executed

201: Scheduled Task Completed




Services can be heavily targeted by adversaries for different purposes. If an adversary breaks a service when exploiting it, event 7034 is triggered. If adversaries use services for persistence and install a new service, events 7045 and 4697 will record it.

Important Event Id:

7034: Service crashed

4697: A new service was installed on the system

7045: A new service was installed on the system

7040: Start type changed

7036: Service started or stopped


Note: PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. Hackers have been using PsExec in their attacks for a long time. Ransomware gangs adopted it to deploy file-encrypting malware. In an attack that lasted just one hour, NetWalker ransomware used PsExec to run their payload on all systems in a domain.



We are unable to prevent the usage of PowerShell by adversaries in our networks, as PowerShell v5 has a variety of logging features. Obfuscation with PowerShell is a common technique used by adversaries to get around security systems. Script block logging will record it and it might automatically decode it as well.

Important Event Id:

4103: Module Logging

4104: Script block Logging


Like PowerShell, which gives you access to various functions, WMI does the same. The Consumer Filter binding will be used by adversaries to achieve their goal.   Various event logs are used to record their actions as they proceed through these processes, but in conclusion, 5861 will provide the best view of what happened.

Important Event Id:

5857: WMI Activity was detected

5858: WMI errors detected

5859,5860: WMI Filter/Consumer activity was detected.

5861: WMI FilterConsumer Binding was detected


Removable Devices

These events let us track malicious BYODs, internal users exfiltrating sensitive information and intruders physically attacking the environment.

Important Event Id:

4663: An attempt was made to access an object

4656: A handle to an object was requested

6416: A new external device was recognized by the System

Log Clearing

Log clearing that really is legitimate may occur, but it may also be a part of your baseline. Log clearing that appears to be occurring at random times should be investigated using 112 and 104.

Important Event Id:

1102: The audit log was cleared

Under the System channel look for

104: The audit log was cleared