The most important Windows 10 security event log IDs to monitor

Regular reviewing of these Windows event logs alone or in combination might be your best chance to identify malicious activity early.


Monitoring Windows 10 event logs is one of the best ways to detect malicious activity on your network. Which event IDs should you watch? These are the most important types of log events to look for and what they can tell you.

Windows security event log ID 4688

Event 4688 documents each program a computer executes, its identifying data, and the process that started it. Several 4688 events are logged during a normal login; for example, the Session Manager Subsystem (SMSS.exe) launches at login and event 4688 is logged for it. In addition, the logged token elevation type shows what user rights are associated with the program. As noted in Randy Franklin Smith’s Windows security blog, these token types show the account’s rights:

  • %%1936 - Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control (UAC) is disabled or if the user is the built-in administrator account or a service account.
  • %%1937 - Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when UAC is enabled and the user chooses to start the program using “Run as administrator”. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the administrators group.
  • %%1938 - Type 3 is the normal value when UAC is enabled and a user simply starts a program from the Start menu. It's a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when the application does not require administrative privilege and the user does not choose to start the program with “Run as administrator”.

Because event 4688 represents normal system activity, it’s of limited use alone to track the source of an attack. However, this event is often associated with other events that occur when an attacker tries to take over a machine, such as those listed below. Event 4688 often happens first in an attack sequence, indicating that an attacker has launched an application before the next event is triggered.
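As an added example (not code from the article), the following PowerShell pulls recent 4688 events from the Security log, reads the token elevation type from the event XML, and lists elevated (Type 2) launches per account so that unexpected “Run as administrator” activity by ordinary users stands out. It assumes “Audit Process Creation” is enabled and that it runs in an elevated session.

```powershell
# Added example: summarise 4688 process-creation events by token elevation type.
# Assumes "Audit Process Creation" is enabled and the session is elevated.
param(
    [int]$Hours = 24
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $since
} -ErrorAction SilentlyContinue

# Map the raw %%193x codes to the three token types described in the text.
$tokenTypes = @{
    '%%1936' = 'Type 1 (full token)'
    '%%1937' = 'Type 2 (elevated token)'
    '%%1938' = 'Type 3 (limited token)'
}

$rows = foreach ($e in $events) {
    # Read the named fields from the event XML instead of parsing the message text.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time          = $e.TimeCreated
        User          = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        NewProcess    = $data.NewProcessName
        ParentProcess = $data.ParentProcessName   # present on Windows 10 and later
        TokenType     = $tokenTypes[$data.TokenElevationType]
    }
}

# Overview: how many launches of each token type each account produced.
$rows | Group-Object User, TokenType |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

# Detail: elevated (Type 2) launches, worth reviewing when the account is not
# expected to run programs as administrator.
$rows | Where-Object { $_.TokenType -like 'Type 2*' } |
    Format-Table Time, User, NewProcess, ParentProcess -AutoSize
```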

Windows security event log ID 1102

Event 1102 relates to clearing the audit log. You should never see event 1102 in your audit logs unless you have cleared the log intentionally. Attackers often clear audit logs to cover their tracks. You’ll want to know which user cleared the log, as this can be an indicator of account takeover. You may even want to set up an alert when this event occurs.

Windows security event log ID 4670

A user changing an object’s access control list triggers event 4670. Attackers often elevate privileges and change permissions to carry out ransomware attacks or move laterally. Tracking who (or what) changes permissions or takes ownership is a key activity to follow. You’ll also need to enable auditing on the object itself (its SACL), especially for the "Write DAC"/"Change Permissions" and "Take Ownership" permissions; without that, the event is not generated for the object.
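As an added example (not the article’s own code), this PowerShell adds the object-level audit entries described above to a folder so that successful "Change Permissions" (Write DAC) and "Take Ownership" operations produce event 4670. The folder path is a placeholder, and it assumes an elevated session.

```powershell
# Added example: audit Write DAC / Take Ownership on a folder so 4670 fires for it.
# Placeholder path; run elevated. The "File System" Object Access subcategory
# must also be enabled in the audit policy, otherwise the SACL produces no events.
param([string]$Path = 'C:\SensitiveShare')   # placeholder path

# Enable the audit subcategory that object SACLs depend on (success events only).
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Read the current security descriptor including its SACL (-Audit).
$acl = Get-Acl -Path $Path -Audit

$rights = [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
          [System.Security.AccessControl.FileSystemRights]::TakeOwnership
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
           [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

# Audit successful uses of these rights by anyone, inherited by files and subfolders.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $rights,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success
)

$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: list the audit entries now present on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```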

Windows security event log ID 4672

Event 4672 can indicate a pass-the-hash or other elevation-of-privilege attack, such as one carried out with a tool like Mimikatz. Combined with event 4624, which shows a user has logged into an account, these two events may need additional review to ensure that such an attack isn’t occurring in your network.

Event 4672 means “Special privileges assigned to new logon”. When this event is tied to a system account, it is typically normal. If it is tied to a standard user account, that is, someone logging into a system, you may need to investigate to determine whether the account was breached and is being used in a lateral attack.

As Microsoft notes, “monitor for this event where ‘Subject\Security ID’ is not one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where ‘Subject\Security ID’ is not an administrative account that is expected to have the listed Privileges.”

Several other events combined suggest a pass-the-hash attack. As noted in this blog, it’s wise to baseline your environment to know what events are normal for your network. The table below shows the events that occur during a pass-the-hash attack.

[Chart: events that occur during a pass-the-hash attack (CSO / IDG); not reproduced here]

Install Sysmon on all systems; it will help you find the additional events associated with pass-the-hash attacks.
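As an added example (not code from the article or from Microsoft), the following PowerShell applies the 4672 review described in this section: it drops 4672 events whose subject is LOCAL SYSTEM, LOCAL SERVICE or NETWORK SERVICE or an account on your own expected-administrators list, and joins each remaining one to its 4624 logon by Logon ID so the logon type and source address are visible. The account names in the list are placeholders, and it assumes an elevated session.

```powershell
# Added example: 4672 events from unexpected accounts, joined to their 4624 logon.
# Run elevated. $ExpectedAdmins holds placeholder names; replace with your own.
param(
    [int]$Hours = 24,
    [string[]]$ExpectedAdmins = @('CONTOSO\svc-backup', 'CONTOSO\itadmin')  # placeholders
)

# Well-known principals named in Microsoft's guidance: LOCAL SYSTEM, LOCAL SERVICE, NETWORK SERVICE.
$wellKnown = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')
$since     = (Get-Date).AddHours(-$Hours)

function Get-EventData($Event) {
    # Return the event's named EventData fields as a hashtable.
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# Index 4624 logons by Logon ID; 4672's SubjectLogonId refers to the same session.
$logons = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        $logons[$d.TargetLogonId] = $d
    }

$suspicious = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d       = Get-EventData $_
        $account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        if ($wellKnown -contains $d.SubjectUserSid) { return }   # skip service principals
        if ($ExpectedAdmins -contains $account)    { return }   # skip expected admins
        $logon = $logons[$d.SubjectLogonId]
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Account    = $account
            LogonType  = $logon.LogonType     # 2 = interactive, 3 = network, 10 = RDP
            Source     = $logon.IpAddress
            Privileges = ($d.PrivilegeList -replace '\s+', ' ')
        }
    }

$suspicious | Format-Table -AutoSize
```

A 4672 from an account outside both lists, especially with logon type 3 from a workstation address, is the pattern worth baselining and then alerting on.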

Windows Defender events

Review the events surrounding Windows Defender, for example event ID 1006, which is triggered when Defender sees malware or other unwanted software. Also look for event 1007, “The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.” Defender events are in a sub log. To review these events, open Event Viewer. Then in the console tree, expand “Applications and Services Logs”, then “Microsoft”, then “Windows”, then “Windows Defender Antivirus”. Double-click on “Operational”. In the Details pane, look for your event and click on it to see its details.
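As an added example (not from the article), this PowerShell reads the same Defender Operational sub log without opening Event Viewer and prints the 1006 and 1007 events with every named field they carry. Because field names differ between Defender versions, it lists whatever the event contains rather than assuming a fixed schema.

```powershell
# Added example: list Defender 1006 (detection) and 1007 (action) events from the
# Operational sub log, showing each event's named fields.
param([int]$Days = 7)

$logName = 'Microsoft-Windows-Windows Defender/Operational'
$events  = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 1006, 1007
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Defender 1006/1007 events in the last $Days day(s)."
    return
}

foreach ($e in $events) {
    $kind = if ($e.Id -eq 1006) { 'malware or unwanted software detected' }
            else                { 'protective action taken' }
    Write-Host ("{0}  Event {1}  ({2})" -f $e.TimeCreated, $e.Id, $kind)

    # Print every non-empty named field from the event XML.
    $xml = [xml]$e.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.'#text') { Write-Host ("    {0,-20} {1}" -f $d.Name, $d.'#text') }
    }
}
```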

[Screenshot: Reviewing Windows Defender events in Event Viewer (Susan Bradley)]

Take the time to baseline your computer systems and know what events are normal.

Copyright © 2020 IDG Communications, Inc.
