🟦
LSWSec-Defensive
  • LSWSec - Defensive Security Notes
  • General
    • Tool List
  • Threat Intelligence
    • Introduction
    • Threat Actors and APTs
    • Operational Threat Intelligence
    • Tactical Threat Intelligence
    • Strategic Threat Intelligence
    • Malware and Global Campaigns
  • Phishing
    • Introduction
    • Investigating a Phishing Email
    • Analysing
    • Defensive Action
    • Reactive Measures
    • Report Writing
  • Digital Forensics
    • Introduction
    • Digital Evidence and Handling
    • Memory, Pagefile and Hibernation file
    • Digital Evidence Collection
    • Windows Investigation
    • Linux Investigations
    • Volatility
    • Autopsy
    • Windows Commands
      • Network Discovery
      • DHCP
      • DNS
  • SIEM
    • Introduction
    • Logging
    • Correlation
  • Incident Response
    • Introduction
    • Preperation
    • Detection & Analysis
    • Containment, Eradication and Recovery
    • reporting
    • MITRE Att&ck
  • Event Viewer
    • event Summary
    • Event ID: 4648
    • Event ID: 4776
    • Event ID: 4673
    • Event ID: 4625
Powered by GitBook
On this page
  1. Event Viewer

event Summary

• 4608: Windows is starting up.

• 4609: Windows is shutting down.

• 4610: An authentication package has been loaded by the Local Security Authority.

• 4611: A trusted logon process has been registered with the Local Security Authority.

• 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.

• 4614: A notification package has been loaded by the Security Account Manager.

• 4615 : Invalid use of LPC port.

• 4616: The system time was changed.

• 4618 : A monitored security event pattern has occurred.

• 4621: Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some audit-able activity might not have been recorded.

• 4622: A security package has been loaded by the Local Security Authority.

• 4624: An account was successfully logged on.

• 4625: An account failed to log on.

• 4634: An account was logged off.

• 4647: User initiated logoff.

• 4648: A logon was attempted using explicit credentials.

• 4649: A replay attack was detected.

• 4670: Permissions on an object were changed.

• 4672: Special privileges assigned to new logon.

• 4673: A privileged service was called.

• 4674: An operation was attempted on a privileged object.

• 4675: SIDs were filtered.

• 4688: A new process has been created.

• 4697: A service was installed in the system.

• 4696: A primary token was assigned to process.

• 4703: A user right was adjusted.

• 4704: A user right was assigned.

• 4705: A user right was removed.

• 4706: A new trust was created to a domain.

• 4707: A trust to a domain was removed.

• 4713: Kerberos policy was changed.

• 4715: The audit policy (SACL) on an object was changed.

• 4716: Trusted domain information was modified.

• 4717: System security access was granted to an account.

• 4718: System security access was removed from an account.

• 4719: System audit policy was changed.

• 4720: A user account was created.

• 4722: A user account was enabled.

• 4723: An attempt was made to change an account's password.

• 4724: An attempt was made to reset an account's password.

• 4725: A user account was disabled.

• 4726: A user account was deleted.

• 4727: A security-enabled global group was created.

• 4728: A member was added to a security-enabled global group.

• 4729: A member was removed from a security-enabled global group.

• 4730: A security-enabled global group was deleted.

• 4731: A security-enabled local group was created.

• 4732: A member was added to a security-enabled local group.

• 4733: A member was removed from a security-enabled local group.

• 4734: A security-enabled local group was deleted.

• 4735: A security-enabled local group was changed.

• 4737: A security-enabled global group was changed.

• 4738: A user account was changed.

• 4739: Domain Policy was changed.

• 4740: A user account was locked out.

• 4754: A security-enabled universal group was created.

• 4755: A security-enabled universal group was changed.

• 4756: A member was added to a security-enabled universal group.

• 4757: A member was removed from a security-enabled universal group.

• 4758: A security-enabled universal group was deleted.

• 4764: A group's type was changed.

• 4765: SID History was added to an account.

• 4766: An attempt to add SID History to an account failed.

• 4767: A user account was unlocked.

• 4778: A session was reconnected to a Window Station.

• 4779: A session was disconnected from a Window Station.

• 4780: The ACL was set on accounts which are members of administrator's groups.

• 4781: The name of an account was changed:

• 4794: An attempt was made to set the Directory Services Restore Mode.

• 4800: The workstation was locked.

• 4801: The workstation was unlocked.

• 4802: The screen saver was invoked.

• 4803: The screen saver was dismissed.

• 4816 : RPC detected an integrity violation while decrypting an incoming message.

• 4864: A namespace collision was detected.

• 4865: A trusted forest information entry was added.

• 4866: A trusted forest information entry was removed.

• 4867: A trusted forest information entry was modified.

• 4902: The Per-user audit policy table was created.

• 4904: An attempt was made to register a security event source.

• 4905: An attempt was made to unregister a security event source.

• 4906: The CrashOnAuditFail value has changed.

• 4907: Auditing settings on object were changed.

• 4908: Special Groups Logon table modified.

• 4911: Resource attributes of the object were changed.

• 4912: Per User Audit Policy was changed.

• 4913: Central Access Policy on the object was changed.

• 4944: The following policy was active when the Windows Firewall started.

• 4945: A rule was listed when the Windows Firewall started.

• 4946: A change has been made to Windows Firewall exception list. A rule was added.

• 4947: A change has been made to Windows Firewall exception list. A rule was modified.

• 4948: A change has been made to Windows Firewall exception list. A rule was deleted.

• 4949: Windows Firewall settings were restored to the default values.

• 4950: A Windows Firewall setting has changed.

• 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall.

• 4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.

• 4953: A rule has been ignored by Windows Firewall because it could not parse the rule.

• 4954: Windows Firewall Group Policy settings have changed. The new settings have been applied.

• 4956: Windows Firewall has changed the active profile.

• 4957: Windows Firewall did not apply the following rule.

• 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.

• 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.

• 4961: IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.

• 4962: IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.

• 4963: IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.

• 4964: Special groups have been assigned to a new logon.

• 4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.

• 5024: The Windows Firewall Service has started successfully.

• 5025: The Windows Firewall Service has been stopped.

• 5027: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.

• 5028: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.

• 5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.

• 5030: The Windows Firewall Service failed to start.

• 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

• 5033: The Windows Firewall Driver has started successfully.

• 5034: The Windows Firewall Driver has been stopped.

• 5035: The Windows Firewall Driver failed to start.

• 5037: The Windows Firewall Driver detected critical runtime error. Terminating.

• 5038 : Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification, or the invalid hash could indicate a potential disk device error.

• 5056: A cryptographic self-test was performed.

• 5057: A cryptographic primitive operation failed.

• 5058: Key file operation.

• 5059: Key migration operation.

• 5060: Verification operation failed.

• 5061: Cryptographic operation.

• 5062: A kernel-mode cryptographic self-test was performed.

• 5063: A cryptographic provider operation was attempted.

• 5064: A cryptographic context operation was attempted.

• 5065: A cryptographic context modification was attempted.

• 5066: A cryptographic function operation was attempted.

• 5067: A cryptographic function modification was attempted.

• 5068: A cryptographic function provider operation was attempted.

• 5069: A cryptographic function property operation was attempted.

• 5070: A cryptographic function property modification was attempted.

• 5145: network share object was checked to see whether client can be granted desired access.

• 5376: Credential Manager credentials were backed up.

• 5377: Credential Manager credentials were restored from a backup.

• 5478: IPsec Services has started successfully.

• 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.

• 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

• 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started.

• 5484: IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.

• 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

• 5378: The requested credentials delegation was disallowed by policy.

• 5632: A request was made to authenticate to a wireless network.

• 5633: A request was made to authenticate to a wired network.

• 6145: One or more errors occurred while processing security policy in the group policy objects.

PreviousMITRE Att&ckNextEvent ID: 4648

Last updated 1 year ago