EventCode
Here is a table of interesting EventCodes to collect and how to activate each one through Group Policy (GPO).
EventCode
EventCode | Description | Advanced Audit Location | How to Activate | Category |
---|---|---|---|---|
800 | Pipeline Execution Details (module logging, written to the Windows PowerShell log) | Go to Administrative Templates -> Windows Components -> Windows PowerShell | Select Turn on Module Logging -> Select Enabled. In the Options pane click Show, enter '*' in the Module Names window to record all modules, then click OK. | Pipeline Execution (Module Logging) |
4104 | Script block text, written to Microsoft-Windows-PowerShell/Operational | Go to Administrative Templates -> Windows Components -> Windows PowerShell | Select Turn on PowerShell Script Block Logging -> Select Enabled. | Script Block Logging |
4104 | PowerShell transcription (saved to text files, not to the event log) | Go to Administrative Templates -> Windows Components -> Windows PowerShell and select Turn on PowerShell Transcription | Select Enabled and choose an output directory for the PowerShell transcripts; otherwise they are stored in each user's Documents folder. | Optional: PowerShell Transcription |
4624 | An account was successfully logged on | Select Logon/Logoff | Select Audit Logon and check both success and failure audit events | Logon |
4625 | An account failed to log on | Select Logon/Logoff | Select Audit Account Lockout and check both success and failure audit events | Account Lockout |
4627 | Group membership information | Select Logon/Logoff | Select Audit Group Membership and check both success and failure audit events | Group Membership |
4634 | An account was logged off | Select Logon/Logoff | Select Audit Logoff and check both success and failure audit events | Logoff |
4648 | A logon was attempted using explicit credentials | Select Logon/Logoff | Select Audit Logon and check both success and failure audit events | Logon |
4649 | A replay attack was detected | Select Logon/Logoff | Select Audit Other Logon/Logoff Events and check both success and failure audit events | Other Logon/Logoff Events |
4670 | Permissions on an object were changed | Select Policy Change | Select Authorization Policy Change and check both success and failure audit events | Authorization Policy Change |
4672 | Special privileges assigned to new logon | Select Logon/Logoff | Select Audit Special Logon and check both success and failure audit events | Special Logon |
4674 | An operation was attempted on a privileged object | Select Privilege Use | Select Audit Sensitive Privilege Use and check both success and failure audit events | Sensitive Privilege Use |
4675 | SIDs were filtered | Select Logon/Logoff | Select Audit Logon and check both success and failure audit events | Logon |
4688 | A new process has been created | Select Detailed Tracking | Select Audit Process Creation and check both success and failure audit events | Process Creation |
4697 | A service was installed in the system | Select System | Select Audit Security System Extension and check both success and failure audit events | Security System Extension |
4698 | A scheduled task was created | Select Object Access | Select Audit Other Object Access Events and check both success and failure audit events | Other Object Access Events |
4702 | A scheduled task was updated | Select Object Access | Select Audit Other Object Access Events and check both success and failure audit events | Other Object Access Events |
4703 | A user right was adjusted | Select Policy Change | Select Authorization Policy Change and check both success and failure audit events | Authorization Policy Change |
4704 | A user right was assigned | Select Policy Change | Select Authorization Policy Change and check both success and failure audit events | Authorization Policy Change |
4705 | A user right was removed | Select Policy Change | Select Authorization Policy Change and check both success and failure audit events | Authorization Policy Change |
4706 | A new trust was created to a domain | Select Policy Change | Select Authentication Policy Change and check both success and failure audit events | Authentication Policy Change |
4719 | System audit policy was changed | Select Policy Change | Select Audit Policy Change and check both success and failure audit events | Audit Policy Change |
4720 | A user account was created. | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
4722 | A user account was enabled. | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
4723 | An attempt was made to change an account's password. | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
4724 | An attempt was made to reset an account's password. | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
4725 | A user account was disabled. | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
4726 | A user account was deleted. | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
4727 | A security-enabled global group was created | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
4728 | A member was added to a security-enabled global group | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
4729 | A member was removed from a security-enabled global group | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
4730 | A security-enabled global group was deleted | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
4731 | A security-enabled local group was created. | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
4732 | A member was added to a security-enabled local group. | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
4733 | A member was removed from a security-enabled local group. | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
4734 | A security-enabled local group was deleted. | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
4735 | A security-enabled local group was changed. | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
4737 | A security-enabled global group was changed | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
4738 | A user account was changed. | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
4739 | Domain Policy was changed | Select Policy Change | Select Authentication Policy Change and check both success and failure audit events | Authentication Policy Change |
4740 | A user account was locked out. | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
4741 | A computer account was created | Select Account Management | Select Computer Account Management and check both success and failure audit events | Computer Account Management |
4742 | A computer account was changed | Select Account Management | Select Computer Account Management and check both success and failure audit events | Computer Account Management |
4754 | A security-enabled universal group was created | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
4755 | A security-enabled universal group was changed | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
4756 | A member was added to a security-enabled universal group | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
4757 | A member was removed from a security-enabled universal group | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
4758 | A security-enabled universal group was deleted | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
4765 | SID History was added to an account. | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
4766 | An attempt to add SID History to an account failed. | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
4767 | A user account was unlocked. | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
4768 | A Kerberos authentication ticket (TGT) was requested | Select Account Logon | Select Audit Kerberos Authentication Service and check both success and failure audit events | Kerberos Authentication Service |
4769 | A Kerberos service ticket was requested | Select Account Logon | Select Audit Kerberos Service Ticket Operations and check both success and failure audit events | Kerberos Service Ticket Operations |
4770 | A Kerberos service ticket was renewed | Select Account Logon | Select Audit Kerberos Service Ticket Operations and check both success and failure audit events | Kerberos Service Ticket Operations |
4771 | Kerberos pre-authentication failed | Select Account Logon | Select Audit Kerberos Authentication Service and check both success and failure audit events | Kerberos Authentication Service |
4776 | The computer attempted to validate the credentials for an account | Select Account Logon | Select Audit Credential Validation and check both success and failure audit events | Credential Validation |
4778 | A session was reconnected to a Window Station | Select Logon/Logoff | Select Audit Other Logon/Logoff Events and check both success and failure audit events | Other Logon/Logoff Events |
4779 | A session was disconnected from a Window Station | Select Logon/Logoff | Select Audit Other Logon/Logoff Events and check both success and failure audit events | Other Logon/Logoff Events |
4780 | The ACL was set on accounts which are members of administrators groups. | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
4781 | The name of an account was changed. | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
4794 | An attempt was made to set the Directory Services Restore Mode administrator password. | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
4798 | A user's local group membership was enumerated. | Select Account Management | Select User Account Management and check both success and failure audit events | User Account Management |
4799 | A security-enabled local group membership was enumerated. | Select Account Management | Select Security Group Management and check both success and failure audit events | Security Group Management |
4865 | A trusted forest information entry was added | Select Policy Change | Select Authentication Policy Change and check both success and failure audit events | Authentication Policy Change |
4886 | Certificate Services received a certificate request | Select Object Access | Select Audit Certification Services and check both success and failure audit events | Certification Services |
4887 | Certificate Services approved a certificate request and issued a certificate. | Select Object Access | Select Audit Certification Services and check both success and failure audit events | Certification Services |
4906 | The CrashOnAuditFail value has changed | Select Policy Change | Select Audit Policy Change and check both success and failure audit events | Audit Policy Change |
4908 | Special Groups Logon table modified | Select Policy Change | Select Audit Policy Change and check both success and failure audit events | Audit Policy Change |
4911 | Resource attributes of the object were changed | Select Policy Change | Select Authorization Policy Change and check both success and failure audit events | Authorization Policy Change |
4913 | Central Access Policy on the object was changed | Select Policy Change | Select Authorization Policy Change and check both success and failure audit events | Authorization Policy Change |
4964 | Special groups have been assigned to a new logon | Select Logon/Logoff | Select Audit Special Logon and check both success and failure audit events | Special Logon |
5140 | A network share object was accessed | Select Object Access | Select Audit File Share and check both success and failure audit events | File Share |
5142 | A network share object was added | Select Object Access | Select Audit File Share and check both success and failure audit events | File Share |
5145 | A network share object was checked to see whether the client can be granted the desired access. | Select Object Access | Select Audit Detailed File Share and check both success and failure audit events | Detailed File Share |
Considerations
- Activate command line auditing for EventCode 4688: Administrative Templates\System\Audit Process Creation -> Include command line in process creation events
- PowerShell version 5 minimum is mandatory (for script block logging and enhanced logging)
- Activate AD CS logs on your AD CS servers, considering the rise of ESC attacks
- Consider applying several different GPOs depending on your device types (Windows, Windows Server, SQL Server, AD)
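Once the GPOs above have applied, it is worth verifying on a host that every audit subcategory from the table and the PowerShell logging settings are actually in effect. The script below is an added example and not part of the original page; it assumes an elevated PowerShell 5+ session and English-language auditpol output, and reads the standard policy registry values that the GPO settings above write.

```powershell
# Added example (not from the original page): check that the audit subcategories
# and PowerShell logging settings listed in the table are effective on this host.
# Assumes an elevated session and English auditpol output.
$subcategories = @(
    'Logon', 'Logoff', 'Account Lockout', 'Group Membership', 'Special Logon',
    'Other Logon/Logoff Events', 'Sensitive Privilege Use', 'Process Creation',
    'Security System Extension', 'Other Object Access Events', 'File Share',
    'Detailed File Share', 'Certification Services', 'Audit Policy Change',
    'Authentication Policy Change', 'Authorization Policy Change',
    'User Account Management', 'Security Group Management',
    'Computer Account Management', 'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations', 'Credential Validation'
)

# auditpol /r emits CSV; the "Inclusion Setting" column holds the effective policy.
$effective = auditpol /get /category:* /r | ConvertFrom-Csv
foreach ($name in $subcategories) {
    $row = $effective | Where-Object { $_.Subcategory -eq $name }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'NOT FOUND' }
    # The table asks for both success and failure, so anything else is a gap.
    $state = if ($setting -eq 'Success and Failure') { 'OK' } else { 'MISS' }
    '{0,-4} {1,-36} {2}' -f $state, $name, $setting
}

# PowerShell logging and 4688 command-line auditing live in the Policies hive.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$registryChecks = @(
    @{ Path = "$base\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Label = '4104 script block logging' },
    @{ Path = "$base\ModuleLogging";      Name = 'EnableModuleLogging';      Label = '800 module logging' },
    @{ Path = "$base\Transcription";      Name = 'EnableTranscripting';      Label = 'transcription to text files' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Name = 'ProcessCreationIncludeCmdLine_Enabled'; Label = '4688 command line' }
)
foreach ($c in $registryChecks) {
    # Missing key or value means the GPO has not applied (or was never set).
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $state = if ($value -eq 1) { 'OK' } else { 'MISS' }
    $shown = if ($null -eq $value) { 'not configured' } else { $value }
    '{0,-4} {1,-36} {2}' -f $state, $c.Label, $shown
}
```

Any line marked MISS is a subcategory or setting the GPO did not reach; re-check the policy scope and run gpupdate before trusting the corresponding EventCodes.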