Windows Event Logs

Security event logs

4624

Successful logon - Tracks user/service logins, detect lateral movement.

4625

Failed logon - Indicates brute-force or credential stuffing.

4648

Explicit credential use - Flags privilege escalation attempts.

4672

Privileges assigned - Detects malware or admin abuse.

4688

Process creation - Identifies malicious executables/scripts.

4698

Scheduled task created - Spots malware persistence.

4702

Scheduled task updated - Tracks persistence/evasion.

4720

User account created - Detects insider threats/attacker persistence.

4740

Account lockout - Signals brute-force attacks.

5140

Network share accessed - Monitors data exfiltration/lateral movement.

1102

Windows Security Audit Log is cleared

• Indicates potential tampering or evasion of security monitoring.