Top Exploited Windows Events

These are the most critical and frequently exploited Windows Security and Sysmon events that attackers leverage during cyber attacks. Security Operations Centers (SOCs) and threat hunters should prioritize monitoring these events for effective threat detection and incident response.

Priority Monitoring: These events are commonly associated with credential theft, privilege escalation, persistence mechanisms, lateral movement, and defense evasion techniques mapped to MITRE ATT&CK framework.

Credential Access

Events 4624, 4625, and Sysmon 10 help detect credential dumping, brute force, and authentication abuse.

Execution & Persistence

Events 4688, 4698, 4697 and Sysmon 1, 11 track malicious process execution and persistence.

Network & C2

Sysmon events 3 and 22 are essential for detecting command-and-control communications.

Critical Events to Monitor (16)

1
Windows SecurityEvent 4624Authentication8 MITRE Techniques

An account was successfully logged on.

An account was successfully logged on.

Common Attack Scenarios:

Logon Type 2 (Interactive) & 10 (RemoteInteractive) indicate user console/RDP logins.

T1021Remote ServicesT1021.001Remote Desktop ProtocolT1021.002SMB/Windows Admin Shares+5 more
2
Windows SecurityEvent 4625Authentication6 MITRE Techniques

An account failed to log on.

An account failed to log on.

Common Attack Scenarios:

High volume of failures from a single source IP may indicate brute force.

T1078Valid AccountsT1110Brute ForceT1110.001Password Guessing+3 more
3
Windows SecurityEvent 4688Process Execution20 MITRE Techniques

A new process has been created.

A new process has been created.

Common Attack Scenarios:

Key Fields: NewProcessName/Image, CommandLine, ParentProcessName.

T1021Remote ServicesT1053.002AtT1053.005Scheduled Task+17 more
4
Windows SecurityEvent 4672Privilege Use4 MITRE Techniques

Special privileges assigned to new logon.

Special privileges (e.g., SeDebugPrivilege) were assigned to a new logon session.

T1134Access Token ManipulationT1134.001Token Impersonation/TheftT1134.002Create Process with Token+1 more
5
Windows SecurityEvent 4698Process Execution1 MITRE Technique

A scheduled task was created.

A scheduled task was created.

T1053.005Scheduled Task
6
Windows SecurityEvent 4720Account Management3 MITRE Techniques

A user account was created.

A user account was created.

Common Attack Scenarios:

Monitor creations outside of standard procedures or by non-admin users.

T1136Create AccountT1136.001Local AccountT1136.002Domain Account
7
Windows SecurityEvent 4732Account Management2 MITRE Techniques

A member was added to a security-enabled local group.

A member was added to a security-enabled local group.

T1098Account ManipulationT1098.007Additional Local or Domain Groups
8
Windows SecurityEvent 4719Policy Change3 MITRE Techniques

System audit policy was changed.

System audit policy was changed.

T1562Impair DefensesT1562.002Disable Windows Event LoggingT1562.006Indicator Blocking
9
Windows SecurityEvent 4663Object Access11 MITRE Techniques

An attempt was made to access an object.

An attempt was made to access an object (e.g., File System, Registry).

T1003OS Credential DumpingT1003.001LSASS MemoryT1003.002Security Account Manager+8 more
10
Windows SecurityEvent 4697System Change2 MITRE Techniques

A service was installed in the system.

A service was installed in the system.

T1543.003Windows ServiceT1569.002Service Execution
11
SysmonEvent 1Process Execution23 MITRE Techniques

Process Create

Process creation provides extended information about a newly created process.

Common Attack Scenarios:

Crucial Fields: Image, CommandLine, ParentImage, ParentCommandLine, User, Hashes, ProcessGuid, ParentProcessGuid.

T1021.002SMB/Windows Admin SharesT1021.006Windows Remote ManagementT1047Windows Management Instrumentation+20 more
12
SysmonEvent 3Network Activity23 MITRE Techniques

Network Connection

Logs TCP/UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGUID fields.

Common Attack Scenarios:

Crucial Fields: Image, User, Protocol, SourceIp, DestinationIp, DestinationPort, Initiated.

T1041Exfiltration Over C2 ChannelT1048Exfiltration Over Alternative ProtocolT1071Application Layer Protocol+20 more
13
SysmonEvent 7System Change28 MITRE Techniques

Image Loaded

Logs when a module is loaded in a specific process. This event is disabled by default and needs to be configured with the –l option. It indicates the process in which the module is loaded, hashes and ...

T1129Shared ModulesT1218.010Regsvr32T1218.011Rundll32+25 more
14
SysmonEvent 10Process Access6 MITRE Techniques

Process Accessed

Reports when a process opens another process memory. This is often required for reading and writing memory sections, and is used by tools like Mimikatz to access LSASS process memory.

T1003OS Credential DumpingT1003.001LSASS MemoryT1055Process Injection+3 more
15
SysmonEvent 11Object Access8 MITRE Techniques

File Create

Logs when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places mal...

T1037.005Startup ItemsT1074Data StagedT1074.001Local Data Staging+5 more
16
SysmonEvent 22Network Activity4 MITRE Techniques

DNS Query

Logs when a process executes a DNS query, whether the result is successful or fails, cached or not.

Common Attack Scenarios:

Crucial Fields: QueryName, QueryStatus, QueryResults, Image.

T1071.004DNST1568.001Fast Flux DNST1568.002Domain Generation Algorithms+1 more

Why These Events Matter

Event 4624 & 4625: Track successful and failed logon attempts. Essential for detecting brute force attacks, credential stuffing, and unauthorized access attempts.

Event 4688 & Sysmon 1: Monitor process creation events. Critical for identifying malware execution, living-off-the-land binaries (LOLBins), and suspicious command-line activity.

Event 4672, 4720, 4732: Detect privilege escalation and account manipulation. Key indicators of attackers gaining administrative access or creating backdoor accounts.

Sysmon 3, 7, 10, 22: Advanced threat detection covering network connections, DLL injection, process memory access, and DNS queries - essential for detecting advanced persistent threats (APTs).