Top Exploited Windows Events
These are the most critical and frequently exploited Windows Security and Sysmon events that attackers leverage during cyber attacks. Security Operations Centers (SOCs) and threat hunters should prioritize monitoring these events for effective threat detection and incident response.
Priority Monitoring: These events are commonly associated with credential theft, privilege escalation, persistence mechanisms, lateral movement, and defense evasion techniques mapped to MITRE ATT&CK framework.
Credential Access
Events 4624, 4625, and Sysmon 10 help detect credential dumping, brute force, and authentication abuse.
Execution & Persistence
Events 4688, 4698, 4697 and Sysmon 1, 11 track malicious process execution and persistence.
Network & C2
Sysmon events 3 and 22 are essential for detecting command-and-control communications.
Critical Events to Monitor (16)
An account was successfully logged on.
An account was successfully logged on.
Common Attack Scenarios:
Logon Type 2 (Interactive) & 10 (RemoteInteractive) indicate user console/RDP logins.
An account failed to log on.
An account failed to log on.
Common Attack Scenarios:
High volume of failures from a single source IP may indicate brute force.
A new process has been created.
A new process has been created.
Common Attack Scenarios:
Key Fields: NewProcessName/Image, CommandLine, ParentProcessName.
Special privileges assigned to new logon.
Special privileges (e.g., SeDebugPrivilege) were assigned to a new logon session.
A scheduled task was created.
A scheduled task was created.
A user account was created.
A user account was created.
Common Attack Scenarios:
Monitor creations outside of standard procedures or by non-admin users.
A member was added to a security-enabled local group.
A member was added to a security-enabled local group.
System audit policy was changed.
System audit policy was changed.
An attempt was made to access an object.
An attempt was made to access an object (e.g., File System, Registry).
A service was installed in the system.
A service was installed in the system.
Process Create
Process creation provides extended information about a newly created process.
Common Attack Scenarios:
Crucial Fields: Image, CommandLine, ParentImage, ParentCommandLine, User, Hashes, ProcessGuid, ParentProcessGuid.
Network Connection
Logs TCP/UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGUID fields.
Common Attack Scenarios:
Crucial Fields: Image, User, Protocol, SourceIp, DestinationIp, DestinationPort, Initiated.
Image Loaded
Logs when a module is loaded in a specific process. This event is disabled by default and needs to be configured with the –l option. It indicates the process in which the module is loaded, hashes and ...
Process Accessed
Reports when a process opens another process memory. This is often required for reading and writing memory sections, and is used by tools like Mimikatz to access LSASS process memory.
File Create
Logs when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places mal...
DNS Query
Logs when a process executes a DNS query, whether the result is successful or fails, cached or not.
Common Attack Scenarios:
Crucial Fields: QueryName, QueryStatus, QueryResults, Image.
Why These Events Matter
Event 4624 & 4625: Track successful and failed logon attempts. Essential for detecting brute force attacks, credential stuffing, and unauthorized access attempts.
Event 4688 & Sysmon 1: Monitor process creation events. Critical for identifying malware execution, living-off-the-land binaries (LOLBins), and suspicious command-line activity.
Event 4672, 4720, 4732: Detect privilege escalation and account manipulation. Key indicators of attackers gaining administrative access or creating backdoor accounts.
Sysmon 3, 7, 10, 22: Advanced threat detection covering network connections, DLL injection, process memory access, and DNS queries - essential for detecting advanced persistent threats (APTs).