| File monitoring | 
      drivers load | 
      driver | 
      loaded | 
      driver | 
      6 | 
      The driver loaded event provides information about a driver being loaded on the system | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Driver Loaded | 
      N/A | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
      Sysmon64.exe -i -l /Sysmon64.exe -c -l /   | 
      No auditing | 
      No auditing | 
    
    
      | File monitoring | 
      drive raw access | 
      process | 
      raw_access_read | 
      drive | 
      9 | 
      The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Drive Access | 
      Raw Access Read | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
       | 
      No auditing | 
      No auditing | 
    
    
      | File monitoring | 
      file creation | 
      process | 
      created | 
      file | 
      11 | 
      File create operations are logged when a file is created or overwritten. | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      File Monitoring | 
      File Created | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
       | 
      No auditing | 
      No auditing | 
    
    
      | File monitoring | 
      file timestamp modification | 
      process | 
      modified | 
      file | 
      2 | 
      A process changed a file creation time | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      File Creation Time Changed | 
      File Creation Time Changed | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
      Sysmon64.exe -i -l /  | 
      No auditing | 
      No auditing | 
    
    
      | File monitoring | 
      file modification | 
      process | 
      modified | 
      file | 
      11 | 
      File create operations are logged when a file is created or overwritten. | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      File Monitoring | 
      File Modified | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
       | 
      No auditing | 
      No auditing | 
    
    
      | File monitoring | 
      file modification | 
      process | 
      renamed | 
      file | 
      11 | 
      File create operations are logged when a file is created or overwritten. | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      File Monitoring | 
      File Renamed | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
       | 
      No auditing | 
      No auditing | 
    
    
      | File monitoring | 
      file download | 
      process | 
      downloaded | 
      file | 
      11 | 
      File create operations are logged when a file is created or overwritten. | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      File Monitoring | 
      File Downloaded | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
       | 
      No auditing | 
      No auditing | 
    
    
      | File monitoring | 
      file access | 
      user | 
      accessed | 
      file | 
      5145 | 
      A network share object was checked to see whether client can be granted desired access | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Detailed File Share | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon | 
      auditpol.exe /set /subcategory:"Detailed File Share" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | File monitoring | 
      file access request | 
      user | 
      requested_a_handle | 
      file | 
      4656 | 
      A handle to an object was requested. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit File System | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | 
      auditpol.exe /set /subcategory:"File System" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | File monitoring | 
      file deletion request | 
      user | 
      requested_a_handle | 
      file | 
      4656 | 
      A handle to an object was requested. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit File System | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | 
      auditpol.exe /set /subcategory:"File System" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | File monitoring | 
      file access | 
      user | 
      accessed | 
      file | 
      4663 | 
      An attempt was made to access an object. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit File System | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | 
      auditpol.exe /set /subcategory:"File System" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | File monitoring | 
      file deletion | 
      user | 
      deleted | 
      file | 
      4663 | 
      An attempt was made to access an object. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit File System | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | 
      auditpol.exe /set /subcategory:"File System" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | File monitoring | 
      file permissions change | 
      user | 
      changed_permissions | 
      file | 
      4670 | 
      Permissions on an object were changed. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit File System | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | 
      auditpol.exe /set /subcategory:"File System" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Loaded DLLs | 
      module load | 
      process | 
      loaded | 
      module | 
      7 | 
      The image loaded event logs when a module is loaded in a specific process. | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Image Loaded | 
      Module loaded in Process | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
       | 
      No auditing | 
      No auditing | 
    
    
      | Named Pipes | 
      win pipe creation | 
      process | 
      created | 
      pipe | 
      17 | 
      This event generates when a named pipe is created. | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Pipe Creation | 
      N/A | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
       | 
      No auditing | 
      No auditing | 
    
    
      | Named Pipes | 
      win pipe connection | 
      process | 
      connected_to | 
      pipe | 
      18 | 
      This event logs when a named pipe connection is made between a client and a server. | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Pipe Connection | 
      N/A | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
       | 
      No auditing | 
      No auditing | 
    
    
      | Process monitoring | 
      process creation | 
      process | 
      created | 
      process | 
      4688 | 
      A new process has been created | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Detailed Tracking | 
      Audit Process Creation | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation | 
      auditpol.exe /set /subcategory:"Process Creation" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Process monitoring | 
      process creation | 
      process | 
      created | 
      process | 
      1 | 
      Process creation | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Process Creation | 
      N/A | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
      Sysmon64.exe -i /Sysmon64.exe -i -l /Sysmon64.exe -c -l /   | 
      No auditing | 
      No auditing | 
    
    
      | Process monitoring | 
      process termination | 
      process | 
      terminated | 
      process | 
      4689 | 
      A process has exited | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Detailed Tracking | 
      Audit Process Termination | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Termination | 
      auditpol.exe /set /subcategory:"Process Termination" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Process monitoring | 
      process termination | 
      process | 
      terminated | 
      process | 
      5 | 
      The process terminate event reports when a process terminates. | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Process Termination | 
      N/A | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
      Sysmon64.exe -i /Sysmon64.exe -i -l / Sysmon64.exe -c -l /  | 
      No auditing | 
      No auditing | 
    
    
      | Process monitoring | 
      process write to process | 
      process | 
      wrote_to | 
      process | 
      8 | 
      The CreateRemoteThread event detects when a process creates a thread in another process. | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Process Write to Process | 
      CreateRemoteThread | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
       | 
      No auditing | 
      No auditing | 
    
    
      | Process monitoring | 
      process access | 
      process | 
      opened | 
      process | 
      10 | 
      The process accessed event reports when a process opens another process. | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Process Access | 
      Process Opens Another Process | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
       | 
      No auditing | 
      No auditing | 
    
    
      | Process use of network | 
      process network connection allow | 
      process | 
      connected_to | 
      ip | 
      3 | 
      The network connection event logs TCP/UDP connections on the machine. | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Process Network Connection | 
      Process Connected To IP | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
      Sysmon64.exe -i -n / Sysmon64.exe -c -n /  | 
      No auditing | 
      No auditing | 
    
    
      | Process use of network | 
      process network connection allow | 
      process | 
      connected_to | 
      host | 
      3 | 
      The network connection event logs TCP/UDP connections on the machine. | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Process Network Connection | 
      Process Connected To Host | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
      Sysmon64.exe -i -n / Sysmon64.exe -c -n /  | 
      No auditing | 
      No auditing | 
    
    
      | Process use of network | 
      process network connection allow | 
      user | 
      connected_to | 
      host | 
      3 | 
      The network connection event logs TCP/UDP connections on the machine. | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Process Network Connection | 
      User Connected To Host | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
      Sysmon64.exe -i -n / Sysmon64.exe -c -n /  | 
      No auditing | 
      No auditing | 
    
    
      | Process use of network | 
      process network connection allow | 
      user | 
      connected_to | 
      ip | 
      3 | 
      The network connection event logs TCP/UDP connections on the machine. | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Process Network Connection | 
      User Connected To IP | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
      Sysmon64.exe -i -n / Sysmon64.exe -c -n /  | 
      No auditing | 
      No auditing | 
    
    
      | Process use of network | 
      process network service connection block | 
      host | 
      blocked_service_connection_to | 
      process | 
      5031 | 
      The Windows Firewall Service blocked an application from accepting incoming connections on the network. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Filtering Platform Connection | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | 
      auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Process use of network | 
      process network listener allow | 
      host | 
      permitted_listener_on | 
      process | 
      5154 | 
      The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Filtering Platform Connection | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | 
      auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Process use of network | 
      process network listener block | 
      host | 
      blocked_listener_on | 
      process | 
      5155 | 
      The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Filtering Platform Connection | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | 
      auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Process use of network | 
      process network connection allow | 
      host | 
      permitted_inbound_connection_on | 
      process | 
      5156 | 
      The Windows Filtering Platform has permitted a connection. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Filtering Platform Connection | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | 
      auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Process use of network | 
      process network connection allow | 
      process | 
      connected_from | 
      ip | 
      5156 | 
      The Windows Filtering Platform has permitted a connection. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Filtering Platform Connection | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | 
      auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Process use of network | 
      process network connection allow | 
      host | 
      permitted_outbound_connection_on | 
      process | 
      5156 | 
      The Windows Filtering Platform has permitted a connection. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Filtering Platform Connection | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | 
      auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Process use of network | 
      process network connection allow | 
      process | 
      connected_to | 
      ip | 
      5156 | 
      The Windows Filtering Platform has permitted a connection. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Filtering Platform Connection | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | 
      auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Process use of network | 
      process network connection block | 
      host | 
      blocked_inbound_connection_on | 
      process | 
      5157 | 
      The Windows Filtering Platform has blocked a connection. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Filtering Platform Connection | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | 
      auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Process use of network | 
      process network connection block | 
      host | 
      blocked_outbound_connection_on | 
      process | 
      5157 | 
      The Windows Filtering Platform has blocked a connection. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Filtering Platform Connection | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | 
      auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Process use of network | 
      process network local port bind allow | 
      host | 
      permitted_local_port_bind_on | 
      process | 
      5158 | 
      The Windows Filtering Platform has permitted a bind to a local port. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Filtering Platform Connection | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | 
      auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Process use of network | 
      process network local port bind allow | 
      process | 
      bound_to | 
      port | 
      5158 | 
      The Windows Filtering Platform has permitted a bind to a local port. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Filtering Platform Connection | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | 
      auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Process use of network | 
      process network local port bind blocked | 
      host | 
      blocked_local_port_bind_on | 
      process | 
      5159 | 
      The Windows Filtering Platform has blocked a bind to a local port. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Filtering Platform Connection | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Filtering Platform Connection | 
      auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      kerberos TGT request | 
      user | 
      requested | 
      ticket granting ticket | 
      4768 | 
      A Kerberos authentication ticket (TGT) was requested | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Logon | 
      Audit Kerberos Authentication Service | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> Audit Kerberos Authentication Service | 
      auditpol.exe /set /subcategory:"Kerberos Authentication Service" /success:enable | 
      No auditing | 
      Success | 
    
    
      | Windows event logs | 
      kerberos service ticket request | 
      user | 
      requested | 
      service ticket | 
      4769 | 
      A Kerberos service ticket was requested | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Logon | 
      Audit Kerberos Service Ticket Operations | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> Audit Kerberos Service Ticket Operations | 
      auditpol.exe /set /subcategory:"Kerberos Service Ticket Operations" /success:enable | 
      No auditing | 
      Success | 
    
    
      | Windows event logs | 
      kerberos service ticket renewal | 
      user | 
      renewed | 
      service ticket | 
      4770 | 
      A Kerberos service ticket was renewed | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Logon | 
      Audit Kerberos Service Ticket Operations | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> Audit Kerberos Service Ticket Operations | 
      auditpol.exe /set /subcategory:"Kerberos Service Ticket Operations" /success:enable | 
      No auditing | 
      Success | 
    
    
      | Windows event logs | 
      kerberos service ticket failure | 
      user | 
      requested | 
      service ticket | 
      4773 | 
      A Kerberos service ticket request failed | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Logon | 
      Audit Kerberos Service Ticket Operations | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> Audit Kerberos Service Ticket Operations | 
      auditpol.exe /set /subcategory:"Kerberos Service Ticket Operations" /success:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      user rdp session | 
      user | 
      disconnected_from | 
      host | 
      4779 | 
      A session was disconnected from a Window Station | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Logon | 
      Audit Other Logon/Logoff Events | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Other Logon/Logoff Events | 
      auditpol.exe /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      user rdp session | 
      user | 
      connected_to | 
      host | 
      4778 | 
      A session was reconnected to a Window Station | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Logon | 
      Audit Other Logon/Logoff Events | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Other Logon/Logoff Events | 
      auditpol.exe /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      user lock operation | 
      user | 
      locked | 
      host | 
      4800 | 
      The workstation was locked | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Logon | 
      Audit Other Logon/Logoff Events | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Other Logon/Logoff Events | 
      auditpol.exe /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      user unlock operation | 
      user | 
      unlocked | 
      host | 
      4801 | 
      The workstation was unlocked | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Logon | 
      Audit Other Logon/Logoff Events | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Other Logon/Logoff Events | 
      auditpol.exe /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      computer account creation | 
      user | 
      created | 
      computer | 
      4741 | 
      A computer account was created | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit Computer Account Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Computer Account Management | 
      auditpol.exe /set /subcategory:"Computer Account Management" /success:enable /failure:enable | 
      No auditing | 
      Success | 
    
    
      | Windows event logs | 
      computer account change | 
      user | 
      changed | 
      computer | 
      4742 | 
      A computer account was changed | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit Computer Account Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Computer Account Management | 
      auditpol.exe /set /subcategory:"Computer Account Management" /success:enable /failure:enable | 
      No auditing | 
      Success | 
    
    
      | Windows event logs | 
      computer account deletion | 
      user | 
      deleted | 
      computer | 
      4743 | 
      A computer account was deleted | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit Computer Account Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Computer Account Management | 
      auditpol.exe /set /subcategory:"Computer Account Management" /success:enable /failure:enable | 
      No auditing | 
      Success | 
    
    
      | Windows event logs | 
      distribution group creation | 
      user | 
      created | 
      group | 
      4749 | 
      A security-disabled global group was created | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit Distribution Group Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Distribution Group Management | 
      auditpol.exe /set /subcategory:"Distribution Group Management" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      distribution group change | 
      user | 
      changed | 
      group | 
      4750 | 
      A security-disabled global group was changed | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit Distribution Group Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Distribution Group Management | 
      auditpol.exe /set /subcategory:"Distribution Group Management" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      distribution group member addition | 
      user | 
      added | 
      user | 
      4751 | 
      A member was added to a security-disabled global group | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit Distribution Group Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Distribution Group Management | 
      auditpol.exe /set /subcategory:"Distribution Group Management" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      distribution group member removal | 
      user | 
      removed | 
      user | 
      4752 | 
      A member was removed from a security-disabled global group | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit Distribution Group Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Distribution Group Management | 
      auditpol.exe /set /subcategory:"Distribution Group Management" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      distribution group deletion | 
      user | 
      deleted | 
      group | 
      4753 | 
      A security-disabled global group was deleted | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit Distribution Group Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Distribution Group Management | 
      auditpol.exe /set /subcategory:"Distribution Group Management" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      security group creation | 
      user | 
      created | 
      group | 
      4731 | 
      A security-enabled local group was created | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit Security Group Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Security Group Management | 
      auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      security group member addition | 
      user | 
      added | 
      user | 
      4732 | 
      A member was added to a security-enabled local group. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit Security Group Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Security Group Management | 
      auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      security group member removal | 
      user | 
      removed | 
      user | 
      4733 | 
      A member was removed from a security-enabled local group. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit Security Group Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Security Group Management | 
      auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      security group deletion | 
      user | 
      deleted | 
      group | 
      4734 | 
      A security-enabled local group was deleted. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit Security Group Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Security Group Management | 
      auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      security group change | 
      user | 
      changed | 
      group | 
      4735 | 
      A security-enabled local group was changed. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit Security Group Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Security Group Management | 
      auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      security group type change | 
      user | 
      changed_type | 
      group | 
      4764 | 
      A group’s type was changed | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit Security Group Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Security Group Management | 
      auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      security group enumeration | 
      user | 
      enumerated | 
      group members | 
      4799 | 
      A security-enabled local group membership was enumerated | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit Security Group Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit Security Group Management | 
      auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      user account creation | 
      user | 
      created | 
      user | 
      4720 | 
      A user account was created. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit User Account Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | 
      auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      user account enable | 
      user | 
      enabled | 
      user | 
      4722 | 
      A user account was enabled. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit User Account Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | 
      auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      user account password change | 
      user | 
      changed_password | 
      user | 
      4723 | 
      An attempt was made to change an account’s password. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit User Account Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | 
      auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      user account password reset | 
      user | 
      reset_password | 
      user | 
      4724 | 
      An attempt was made to reset an account’s password. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit User Account Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | 
      auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      user account disable | 
      user | 
      disabled | 
      user | 
      4725 | 
      A user account was disabled. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit User Account Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | 
      auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      user account deletion | 
      user | 
      deleted | 
      user | 
      4726 | 
      A user account was deleted. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit User Account Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | 
      auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      user account change | 
      user | 
      changed | 
      user | 
      4738 | 
      A user account was changed. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit User Account Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | 
      auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      user account lock | 
      user | 
      locked | 
      user | 
      4740 | 
      A user account was locked out. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit User Account Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | 
      auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      user account unlock | 
      user | 
      unlocked | 
      user | 
      4767 | 
      A user account was unlocked. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit User Account Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | 
      auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      user account name change | 
      user | 
      changed_name | 
      user | 
      4781 | 
      The name of an account was changed: | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit User Account Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | 
      auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | 
      No auditing | 
      Success | 
    
    
      | Windows event logs | 
      user account group enumeration | 
      user | 
      enumerated | 
      user | 
      4798 | 
      A user’s local group membership was enumerated. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit User Account Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | 
      auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      user account group enumeration | 
      user | 
      enumerated | 
      group | 
      4799 | 
      A security-enabled local group membership was enumerated | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Management | 
      Audit Security Group Management | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management | 
      auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      directory service object access | 
      user | 
      accessed | 
      ad object | 
      4662 | 
      An operation was performed on an object | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit DS Access | 
      Audit Directory Service Access | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Directory Service Access | 
      auditpol.exe /set /subcategory:"Directory Service Access" /success:enable /failure:enable | 
      No auditing | 
      Success | 
    
    
      | Windows event logs | 
      directory service object handle request | 
      user | 
      requested_a_handle | 
      ad object | 
      4661 | 
      A handle to an object was requested | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit DS Access | 
      Audit Directory Service Access | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Directory Service Access | 
      auditpol.exe /set /subcategory:"Directory Service Access" /success:enable /failure:enable | 
      No auditing | 
      Success | 
    
    
      | Windows event logs | 
      directory service object modification | 
      user | 
      modified | 
      ad object | 
      5136 | 
      A directory service object was modified | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit DS Access | 
      Audit Directory Service Changes | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Directory Service Access | 
      auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      directory service object creation | 
      user | 
      created | 
      ad object | 
      5137 | 
      A directory service object was created | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit DS Access | 
      Audit Directory Service Changes | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Directory Service Access | 
      auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      directory service object restoration | 
      user | 
      restored | 
      ad object | 
      5138 | 
      A directory service object was undeleted | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit DS Access | 
      Audit Directory Service Changes | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Directory Service Access | 
      auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      directory service object move | 
      user | 
      moved | 
      ad object | 
      5139 | 
      A directory service object was moved | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit DS Access | 
      Audit Directory Service Changes | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Directory Service Access | 
      auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      directory service object deletion | 
      user | 
      deleted | 
      ad object | 
      5141 | 
      A directory service object was deleted | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit DS Access | 
      Audit Directory Service Changes | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> Directory Service Access | 
      auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      user account lockout | 
      user | 
      failed | 
      host | 
      4625 | 
      An account failed to log on | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Logon/Logoff | 
      Audit Account Lockout | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Account Lockout | 
      auditpol.exe /set /subcategory:"Account Lockout" /success:enable | 
      Success | 
      Success | 
    
    
      | Windows event logs | 
      network share access | 
      user | 
      accessed | 
      network share | 
      5140 | 
      A network share object was accessed. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit File Share | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share | 
      auditpol.exe /set /subcategory:"File Share" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      network share addition | 
      user | 
      added | 
      network share | 
      5142 | 
      A network share object was added. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit File Share | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share | 
      auditpol.exe /set /subcategory:"File Share" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      network share modification | 
      user | 
      modified | 
      network share | 
      5143 | 
      A network share object was modified. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit File Share | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share | 
      auditpol.exe /set /subcategory:"File Share" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      network share deletion | 
      user | 
      deleted | 
      network share | 
      5144 | 
      A network share object was deleted. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit File Share | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File Share | 
      auditpol.exe /set /subcategory:"File Share" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      win registry access request | 
      process | 
      requested_a_handle | 
      win registry key | 
      4656 | 
      A handle to an object was requested. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Registry | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | 
      auditpol.exe /set /subcategory:"Registry" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      win registry access request | 
      user | 
      requested_a_handle | 
      win registry key | 
      4656 | 
      A handle to an object was requested. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Registry | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | 
      auditpol.exe /set /subcategory:"Registry" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      win registry deletion request | 
      process | 
      requested_a_handle | 
      win registry key | 
      4656 | 
      A handle to an object was requested. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Registry | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | 
      auditpol.exe /set /subcategory:"Registry" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      win registry deletion request | 
      user | 
      requested_a_handle | 
      win registry key | 
      4656 | 
      A handle to an object was requested. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Registry | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | 
      auditpol.exe /set /subcategory:"Registry" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      symbolic link creation | 
      user | 
      created | 
      symbolic link | 
      4664 | 
      An attempt was made to create a hard link. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit File System | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Handle Manipulation | 
      auditpol.exe /set /subcategory:"File System" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      scheduled task creation | 
      user | 
      created | 
      scheduled task | 
      4698 | 
      A scheduled task was created. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Other Object Access Events | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events | 
      auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      scheduled task deletion | 
      user | 
      deleted | 
      scheduled task | 
      4699 | 
      A scheduled task was deleted. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Other Object Access Events | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events | 
      auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      scheduled task enable | 
      user | 
      enabled | 
      scheduled task | 
      4700 | 
      A scheduled task was enabled. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Other Object Access Events | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events | 
      auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      scheduled task disable | 
      user | 
      disabled | 
      scheduled task | 
      4701 | 
      A scheduled task was disabled. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Other Object Access Events | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events | 
      auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      scheduled task update | 
      user | 
      updated | 
      scheduled task | 
      4702 | 
      A scheduled task was updated. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Other Object Access Events | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Other Object Access Events | 
      auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      win registry key deletion | 
      process | 
      deleted | 
        | 
      4660 | 
      An object was deleted | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Registry | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Registry | 
      auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | File monitoring | 
      file deletion | 
      process | 
      deleted | 
        | 
      4660 | 
      An object was deleted | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit File System | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit File System | 
      auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      win registry key access | 
      process | 
      accessed | 
      win registry key | 
      4663 | 
      An attempt was made to access an object. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Registry | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Registry | 
      auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      win registry key access | 
      user | 
      accessed | 
      win registry key | 
      4663 | 
      An attempt was made to access an object. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Registry | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Registry | 
      auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      win registry key deletion | 
      process | 
      deleted | 
      win registry key | 
      4663 | 
      An attempt was made to access an object. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Registry | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Registry | 
      auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      win registry key deletion | 
      user | 
      deleted | 
      win registry key | 
      4663 | 
      An attempt was made to access an object. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Registry | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Registry | 
      auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      win registry key handle closed | 
      process | 
      closed_a_handle | 
      handle | 
      4658 | 
      The handle to an object was closed | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Registry | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Registry | 
      auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | File monitoring | 
      win registry key handle closed | 
      process | 
      closed_a_handle | 
      handle | 
      4658 | 
      The handle to an object was closed | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit File System | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit File System | 
      auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      win registry key permissions change | 
      process | 
      changed_permissions | 
      win registry key | 
      4670 | 
      Permissions on an object were changed. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Registry | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Registry | 
      auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      win registry key permissions change | 
      user | 
      changed_permissions | 
      win registry key | 
      4670 | 
      Permissions on an object were changed. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Registry | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Registry | 
      auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs, Windows Registry | 
      win registry key value modification | 
      user | 
      modified | 
      win registry key value | 
      4657 | 
      A registry value was modified. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Registry | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Registry | 
      auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs, Windows Registry | 
      win registry key value modification | 
      process | 
      modified | 
      win registry key value | 
      4657 | 
      A registry value was modified. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit Registry | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit Registry | 
      auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      sam service object handle request | 
      user | 
      requested_a_handle | 
      sam object | 
      4661 | 
      A handle to an object was requested | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Object Access | 
      Audit SAM | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Object Access -> Audit SAM | 
      auditpol.exe /set /subcategory:"SAM" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      user account access addition | 
      user | 
      granted_access | 
      user | 
      4717 | 
      System security access was granted to an account. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Policy Change | 
      Audit Authentication Policy Change | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit Authentication Policy Change | 
      auditpol.exe /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable | 
      Success | 
      No auditing | 
    
    
      | Windows event logs | 
      user account access removal | 
      user | 
      removed_access | 
      user | 
      4718 | 
      System security access was removed from an account. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Policy Change | 
      Audit Authentication Policy Change | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> Audit Authentication Policy Change | 
      auditpol.exe /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable | 
      Success | 
      No auditing | 
    
    
      | Windows event logs | 
      non-sensitive privileged operation | 
      process | 
      attempted | 
      object | 
      4674 | 
      An operation was attempted on a privileged object. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Privilege Use | 
      Audit Non Sensitive Privilege Use | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Audit Non Sensitive Privilege Use | 
      auditpol.exe /set /subcategory:"Non Sensitive Privilege Use" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      sensitive privileged service operation | 
      process | 
      called | 
      privileged service | 
      4673 | 
      A privileged service was called. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Privilege Use | 
      Audit Sensitive Privilege Use | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Audit Sensitive Privilege Use | 
      auditpol.exe /set /subcategory:"Sensitive Privilege Use" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      sensitive privileged operation | 
      process | 
      attempted | 
      privileged object | 
      4674 | 
      An operation was attempted on a privileged object. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Privilege Use | 
      Audit Sensitive Privilege Use | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Audit Sensitive Privilege Use | 
      auditpol.exe /set /subcategory:"Sensitive Privilege Use" /success:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs | 
      win firewall service stop | 
      process | 
      stopped | 
      Firewall Service | 
      5025 | 
      The Windows Firewall Service has been stopped. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit System | 
      Audit Other System Events | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Other System Events | 
      auditpol.exe /set /subcategory:"Other System Events" /success:enable | 
      No auditing | 
      Success and Failure | 
    
    
      | Windows event logs | 
      win firewall service stop | 
      user | 
      stopped | 
      Firewall Service | 
      5025 | 
      The Windows Firewall Service has been stopped. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit System | 
      Audit Other System Events | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Other System Events | 
      auditpol.exe /set /subcategory:"Other System Events" /success:enable | 
      No auditing | 
      Success and Failure | 
    
    
      | Windows event logs | 
      win firewall driver stop | 
      process | 
      stopped | 
      Firewall Driver | 
      5034 | 
      The Windows Firewall Driver was stopped. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit System | 
      Audit Other System Events | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Other System Events | 
      auditpol.exe /set /subcategory:"Other System Events" /success:enable | 
      No auditing | 
      Success and Failure | 
    
    
      | Windows event logs | 
      win firewall driver stop | 
      user | 
      stopped | 
      Firewall Driver | 
      5034 | 
      The Windows Firewall Driver was stopped. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit System | 
      Audit Other System Events | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Other System Events | 
      auditpol.exe /set /subcategory:"Other System Events" /success:enable /failure:enable | 
      No auditing | 
      Success and Failure | 
    
    
      | Windows event logs | 
      win service installation | 
      user | 
      installed | 
      service | 
      4697 | 
      A service was installed in the system. | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit System | 
      Audit Security System Extension | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> Audit Security System Extension | 
      auditpol.exe /set /subcategory:"Security System Extension" /success:enable /failure:enable | 
      No auditing | 
      No auditing | 
    
    
      | Windows event logs, Authentication logs | 
      NTLM Credentials Validation | 
      host | 
      authenticated | 
      user | 
      4776 | 
      The computer attempted to validate the credentials for an account | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Logon | 
      Audit Credential Validation | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> Audit Credential Validation | 
      auditpol.exe /set /subcategory:"Credential Validation" /success:enable /failure:enable | 
      No auditing | 
      Success | 
    
    
      | Windows event logs, Authentication logs | 
      kerberos TGT authentication failure | 
      user | 
      authenticated_with | 
      ticket granting ticket | 
      4771 | 
      Kerberos pre-authentication failed | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Account Logon | 
      Audit Kerberos Authentication Service | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> Audit Kerberos Authentication Service | 
      auditpol.exe /set /subcategory:"Kerberos Authentication Service" /success:enable | 
      No auditing | 
      Success | 
    
    
      | Windows event logs, Authentication logs | 
      user account successful authentication | 
      user | 
      authenticated | 
      host | 
      4624 | 
      An account was successfully logged on | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Logon/Logoff | 
      Audit Logon | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon | 
      auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable | 
      Success | 
      Success, Failure | 
    
    
      | Windows event logs, Authentication logs | 
      user account authentication with explicit credential | 
      user | 
      authenticated | 
      host | 
      4648 | 
      A logon was attempted using explicit credentials | 
      Microsoft-Windows-Security-Auditing | 
      Security | 
      Audit Logon/Logoff | 
      Audit Logon | 
      Windows Vista, Windows 2008 | 
      Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Logon | 
      auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable | 
      Success | 
      Success, Failure | 
    
    
      | Windows Registry | 
      win registry key creation | 
      process | 
      created | 
      win registry key | 
      12 | 
      Registry key and value create and delete operations map to this event type. (Object create and delete) | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Registry Key | 
      Registry Key Created | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
       | 
      No auditing | 
      No auditing | 
    
    
      | Windows Registry | 
      win registry key deletion | 
      process | 
      deleted | 
      win registry key | 
      12 | 
      Registry key and value create and delete operations map to this event type. (Object create and delete) | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Registry Key | 
      Registry Key Deleted | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
       | 
      No auditing | 
      No auditing | 
    
    
      | Windows Registry | 
      win registry key modification | 
      process | 
      renamed | 
      win registry key | 
      14 | 
      Registry key and value rename operations map to this event type. (Key and Value Rename) | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Registry Key | 
      Registry Key Renamed | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
       | 
      No auditing | 
      No auditing | 
    
    
      | Windows Registry | 
      win registry key value modification | 
      process | 
      renamed | 
      win registry key value | 
      14 | 
      Registry key and value rename operations map to this event type. (Key and Value Rename) | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Registry Key | 
      Registry Key Value Renamed | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
       | 
      No auditing | 
      No auditing | 
    
    
      | Windows Registry | 
      win registry key value modification | 
      process | 
      modified | 
      win registry key value | 
      13 | 
      This Registry event type identifies Registry value modifications. (Value Set) | 
      Microsoft-Windows-Sysmon | 
      Microsoft-windows-sysmon/operational | 
      Registry Key | 
      Registry Value Set | 
      Windows 7, Windows 2008 R2 | 
      N/A | 
       | 
      No auditing | 
      No auditing |