CS0-003 | Chapter 21 of 100 | Objective 1.2

Critical Windows Event IDs for Security

This chapter dives into the most critical Windows Event IDs that every security analyst must know for the CS0-003 exam. Understanding these event IDs is essential for detecting attacks like brute-force logons, privilege escalation, and service abuse. Approximately 15-20% of Security Operations questions involve interpreting Windows event logs to identify malicious activity. Mastering these IDs will help you quickly pinpoint anomalies in log reviews and incident response scenarios.

25 min read
Intermediate
Updated May 31, 2026

Windows Event Logs as Security Camera Footage

Think of a corporate building with security cameras everywhere. Each camera records continuously, but only certain events trigger a review: a door opening after hours (Event ID 4624 with unusual time), a badge swipe that fails repeatedly (Event ID 4625), or a system alarm sounding (Event ID 4688 for a suspicious process). The security team doesn't watch every frame; they rely on the camera system to flag incidents. In Windows, the Security log is that camera system. Event IDs are like camera channel numbers—each ID tells you what type of action occurred: a logon (4624), a logoff (4634), a privilege escalation (4672), or a service crash (7034). Just as a security guard checks the timestamp, camera ID, and person’s face, an analyst examines the Event ID, timestamp, source IP, and process name. If a camera is misconfigured (e.g., Event ID 4776 for NTLM authentication is not logged), you miss the break-in. The analogy is mechanistic: each event is a discrete record with structured fields, just like each camera clip has metadata. You don't need to watch all footage—you query the database for specific IDs. This is exactly how a SIEM works: it ingests these event IDs and correlates them to detect attacks.

How It Actually Works

What Are Windows Event IDs and Why Do They Exist?

Windows Event IDs are unique numeric identifiers assigned to specific events recorded in the Windows Event Log. The operating system generates these events to track actions such as user logins, process starts, object access, and security policy changes. For security analysts, these IDs are the primary source of forensic evidence. The CS0-003 exam tests your ability to recognize which events indicate an attack and which are benign.

How Windows Event Logging Works Internally

Windows uses a publish-subscribe model. When an event occurs (e.g., a user logs on), the Local Security Authority Subsystem Service (LSASS) writes an event to the Security log using the Event Tracing for Windows (ETW) framework. Each event contains:

- Event ID: The numeric identifier (e.g., 4624)
- Level: Severity (Information, Warning, Error, Critical)
- Task Category: Subtype (e.g., Logon, Logoff, Account Management)
- Keywords: Flags like Audit Success or Audit Failure
- Data: Detailed fields (username, workstation name, process ID, etc.)

The Security log is stored in %SystemRoot%\System32\winevt\Logs\Security.evtx. By default, the log size is 20 MB, but it can be increased via Group Policy. Events are written sequentially; when the log is full, older events are overwritten unless configured to archive.
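The fields listed above map directly onto the XML form of a Security event (what `Get-WinEvent` returns from `.ToXml()` or `wevtutil qe Security /f:xml`). The following parser is an added example, not code from this chapter: it flattens the System block (Event ID, Level, Keywords) and every EventData `Data` element into one dict, decodes the Keywords bits into Audit Success/Failure, and reads a logon record the way the walk-through describes. The 4625 record at the bottom is constructed, not captured from a real system.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Keyword bits the Security log sets on every record: Audit Success vs Audit Failure.
AUDIT_SUCCESS_BIT = 0x0020000000000000
AUDIT_FAILURE_BIT = 0x0010000000000000

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

SUB_STATUS = {0xC0000064: "user name does not exist",
              0xC000006A: "wrong password",
              0xC0000072: "account disabled"}


def parse_event(xml_text):
    """Flatten one Security event's XML into a dict: System fields plus EventData."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    keywords = int(sysnode.findtext("e:Keywords", "0x0", NS), 16)
    event = {
        "EventID": int(sysnode.findtext("e:EventID", "0", NS)),
        "Level": int(sysnode.findtext("e:Level", "0", NS)),
        "Keywords": keywords,
        "Outcome": ("Audit Failure" if keywords & AUDIT_FAILURE_BIT
                    else "Audit Success" if keywords & AUDIT_SUCCESS_BIT else "Unknown"),
        "TimeCreated": datetime.fromisoformat(
            sysnode.find("e:TimeCreated", NS).get("SystemTime").replace("Z", "+00:00")),
    }
    # Every <Data Name="..."> element becomes a field (TargetUserName, LogonType, ...).
    for d in root.iterfind("e:EventData/e:Data", NS):
        event[d.get("Name")] = d.text or ""
    return event


def describe(event):
    """Read a logon record the way the walk-through does: ID first, then the key field."""
    eid = event["EventID"]
    if eid == 4624:
        lt = int(event.get("LogonType", 0))
        return f"successful logon, Logon Type {lt} ({LOGON_TYPES.get(lt, 'unknown')})"
    if eid == 4625:
        code = int(event.get("SubStatus", "0x0"), 16)
        return f"failed logon: {SUB_STATUS.get(code, hex(code))}"
    return f"event {eid} ({event['Outcome']})"


# Constructed sample record (not captured from a real system).
SAMPLE_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID><Level>0</Level><Task>12544</Task>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2024-03-01T03:02:11Z"/>
  </System>
  <EventData>
    <Data Name="TargetUserName">admin</Data>
    <Data Name="IpAddress">203.0.113.7</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000064</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    ev = parse_event(SAMPLE_4625)
    print(ev["TimeCreated"], ev["Outcome"], ev["IpAddress"], describe(ev))
```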

Key Event IDs for Security Monitoring

Below are the most critical Event IDs organized by category. Memorize these for the exam.

#### Logon/Logoff Events (4624, 4625, 4634, 4648, 4776)

4624 (Logon Success): Generated every time a user logs on locally or remotely. Key fields: Logon Type (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive). For example, Logon Type 10 indicates a Remote Desktop logon.

4625 (Logon Failure): Indicates a failed logon attempt. Key field: Sub Status codes (0xC0000064=user name does not exist, 0xC000006A=wrong password, 0xC0000072=account disabled). Multiple 4625 events from a single IP in a short time suggest a brute-force attack.

4634 (Logoff): Generated when a user logs off. Useful for session duration analysis.

4648 (Explicit Credential Logon): Logged when a user runs a program with different credentials (RunAs). Attackers often use this to move laterally.

4776 (Credential Validation): Generated when NTLM authentication is attempted against a domain controller. Failed 4776 events with Status 0xC000006A indicate a bad password.

#### Process Creation (4688, 4689)

4688 (A New Process Has Been Created): Critical for detecting malware execution. Includes the command line (if auditing is enabled). For example, powershell.exe -EncodedCommand ... is a red flag. Also logs the creator process ID and name.

4689 (A Process Has Exited): Useful for tracking process lifetime.

#### Privilege Use (4672, 4673, 4674)

4672 (Special Logon): Logged when a user logs on with administrative privileges (e.g., as Administrator or with UAC elevation). Often seen alongside Event ID 4624.

4673 (A Privileged Service Was Called): Indicates a process called a privileged system service, exercising a privilege such as SeTcbPrivilege. Attackers may use this to escalate privileges.

4674 (An Operation Was Attempted on a Privileged Object): Logged when an operation on a privileged object (e.g., a service or registry key) is attempted.

#### Account Management (4720-4756)

4720 (User Account Created): Attackers creating backdoor accounts.

4722 (User Account Enabled): After disabling a compromised account, re-enabling it is suspicious.

4728 (Member Added to Security-Enabled Global Group): Adding a user to the Domain Admins group is a major red flag.

4732 (Member Added to Security-Enabled Local Group): Similar but for local groups.

4740 (User Account Locked Out): Can indicate a brute-force attack.

#### Object Access (4656, 4663)

4656 (A Handle to an Object Was Requested): Logged when a process requests access to a file, registry key, or other object (if SACL auditing is enabled).

4663 (An Attempt Was Made to Access an Object): Indicates actual access (read, write, delete). Useful for detecting unauthorized access to sensitive files.

#### Service Events (7034, 7036, 7045)

7034 (Service Crashed Unexpectedly): Attackers may crash a service to cover their tracks or bypass security controls.

7036 (Service Started or Stopped): Unusual service stops (e.g., stopping Windows Defender) are suspicious.

7045 (A New Service Was Installed): Attackers often install malicious services for persistence. Check the Image Path and Account Name.

#### Scheduled Tasks (4698, 4699, 4700, 4701, 4702)

4698 (A Scheduled Task Was Created): Attackers use scheduled tasks for persistence. Examine the Task Content for malicious commands.

4699 (A Scheduled Task Was Deleted): May be used to clean up after execution.

4700 (A Scheduled Task Was Enabled)

4701 (A Scheduled Task Was Disabled)

4702 (A Scheduled Task Was Updated)

#### Kerberos Events (4768, 4769, 4771)

4768 (A Kerberos Authentication Ticket (TGT) Was Requested): Generated on domain controllers when a TGT is requested. Failed requests (with Failure Code) indicate issues.

4769 (A Kerberos Service Ticket Was Requested): Useful for detecting Kerberoasting attacks where attackers request service tickets for offline cracking.

4771 (Kerberos Pre-Authentication Failed): Indicates a failed Kerberos logon.

#### Other Critical Events

1102 (The Audit Log Was Cleared): A clear sign of an attacker covering tracks. Always investigate.

5156 (The Windows Filtering Platform Has Allowed a Connection): Logged when a firewall rule allows a connection. Useful for network anomaly detection.

5157 (The Windows Filtering Platform Has Blocked a Connection): Indicates blocked traffic, which could be a misconfigured application or an attack.

5140 (A Network Share Object Was Accessed): Detects lateral movement via SMB.

5145 (A Network Share Object Was Checked to See Whether Client Can Be Granted Desired Access): Often precedes 5140.

Configuration and Verification Commands

To enable detailed logging, especially command-line auditing for Event ID 4688, use Group Policy:

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking.

Enable Audit Process Creation with Success and Failure.

Enable Include command line in process creation events.

To verify the current audit policy (the /get switch prints the effective Success/Failure setting for every subcategory):

auditpol /get /category:*

To query event logs using PowerShell:

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} | Select-Object TimeCreated, Message

For exporting logs:

wevtutil epl Security C:\logs\security.evtx

Interaction with SIEM and Detection Rules

SIEM platforms like Splunk, QRadar, or Azure Sentinel ingest these event IDs and correlate them. For example, a detection rule for brute-force might look for:

- More than 10 Event ID 4625 (Failure) events from the same source IP within 5 minutes.
- Followed by a successful logon (4624) from that IP.
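The rule above, implemented over constructed sample events as an added example (not from the chapter or from any SIEM product): a per-IP sliding window counts 4625 events, the Sub Status codes are tallied so you can tell account enumeration (0xC0000064) from password guessing (0xC000006A), and a 4624 from the same IP after the threshold is crossed is recorded as a successful break-in. The optional logon_type filter is the RDP-only variant from Scenario 1 below. Field names mirror the Security log's EventData (IpAddress, TargetUserName, LogonType, SubStatus).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def detect_brute_force(events, threshold=10, window=timedelta(minutes=5), logon_type=None):
    """Alert when more than `threshold` 4625s arrive from one IP inside `window`,
    then note whether a 4624 from that IP followed (the password was guessed)."""
    failures = defaultdict(deque)                 # source IP -> timestamps of recent 4625s
    sub_status = defaultdict(lambda: defaultdict(int))
    alerts, flagged = [], {}
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        ip, ts = e["IpAddress"], e["TimeCreated"]
        if logon_type is not None and e.get("LogonType") != logon_type:
            continue                              # e.g. logon_type=10 to watch RDP only
        if e["EventID"] == 4625:
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > window:             # slide the window forward
                q.popleft()
            sub_status[ip][e.get("SubStatus", "")] += 1
            if len(q) > threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append({"ip": ip, "rule": "brute_force", "failures": len(q),
                               "first": q[0], "last": ts,
                               "sub_status": dict(sub_status[ip]),
                               "success_after": None, "account": None})
        elif e["EventID"] == 4624 and ip in flagged:
            for a in alerts:                      # the attacker got in after the failures
                if a["ip"] == ip and a["success_after"] is None:
                    a["success_after"], a["account"] = ts, e.get("TargetUserName")
    return alerts


def sample_events():
    """Constructed sample (not a real capture): 12 RDP failures in two minutes from one
    external IP cycling through common usernames, a success three minutes later, and
    three benign typos from an internal workstation."""
    t0 = datetime(2024, 3, 1, 3, 0, 0)
    events = []
    for i in range(12):
        events.append({"EventID": 4625, "TimeCreated": t0 + timedelta(seconds=10 * i),
                       "IpAddress": "203.0.113.7", "LogonType": 10,
                       "TargetUserName": ["admin", "user", "test"][i % 3],
                       "SubStatus": "0xC000006A" if i % 3 == 0 else "0xC0000064"})
    events.append({"EventID": 4624, "TimeCreated": t0 + timedelta(minutes=3),
                   "IpAddress": "203.0.113.7", "LogonType": 10, "TargetUserName": "admin"})
    for i in range(3):
        events.append({"EventID": 4625, "TimeCreated": t0 + timedelta(minutes=i),
                       "IpAddress": "10.0.0.25", "LogonType": 2,
                       "TargetUserName": "bob", "SubStatus": "0xC000006A"})
    return events


if __name__ == "__main__":
    for alert in detect_brute_force(sample_events()):
        print(alert)
```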

Understanding the event IDs allows you to write precise detection logic. On the exam, you may be given a log snippet and asked to identify the attack type based on the Event ID and fields.

Walk-Through

1. Identify the Event ID

When reviewing a log entry, the first step is to note the Event ID. This tells you the type of activity (e.g., 4624=logon, 4688=process creation). The exam often presents a log excerpt and asks what happened. If you see Event ID 4625, you know it's a failed logon. Do not confuse with 4624 (success) or 4634 (logoff).

2. Examine the Level and Keywords

The Level indicates severity: Information (0), Warning (1), Error (2), Critical (3). For security events, most are Information; failure events such as 4625 still carry Level=0, and it is the Keywords field (Audit Failure) that marks the outcome. On the exam, if you see Keywords=Audit Failure, it's a failed action. This helps distinguish success vs failure even if the Event ID is ambiguous.

3. Analyze the Data Fields

Each Event ID has specific fields. For 4624, check Logon Type (2,3,10, etc.), Account Name, Source IP (for network logons). For 4688, examine the CommandLine field—encoded PowerShell commands or use of wmic are suspicious. The exam may ask you to identify a specific attack (e.g., pass-the-hash) based on fields like LogonType=3 and WorkstationName.

4. Correlate with Other Events

A single event is rarely conclusive. Look for patterns: multiple 4625 failures followed by a 4624 suggests a successful brute-force. A 4672 (special logon) after a 4624 indicates privilege escalation. The exam often requires correlating events over time. For example, a 4698 (task creation) followed by a 4688 (process start) with the same command line indicates persistence.

5. Determine the Timeline

The TimeCreated field shows when the event occurred. Attacks often happen outside business hours or in rapid succession. The exam may ask you to identify an anomaly based on time. For instance, a 4624 at 3:00 AM with a privileged account is suspicious. Also, check for Event ID 1102 (log cleared) immediately after suspicious events—this indicates cover-up.
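Steps 4 and 5 applied to a constructed timeline, as an added example (not from the chapter): 4624 and 4672 are paired through the Logon ID they share (TargetLogonId on 4624, SubjectLogonId on 4672) and flagged if the logon falls outside business hours; a 4698 is matched to the later 4688 whose CommandLine contains the task's command; and a 1102 is reported together with the findings it would cover. The TaskCommand field is an assumption of this example, standing in for the Command and Arguments an analyst would pull out of the 4698 TaskContent XML.

```python
from datetime import datetime, time, timedelta


def correlate(events, after_hours=(time(18, 0), time(7, 0)),
              cleanup_window=timedelta(minutes=10)):
    """Apply the walk-through's correlation rules to an event list (any order)."""
    findings, logons, tasks = [], {}, []
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        eid, ts = e["EventID"], e["TimeCreated"]
        if eid == 4624:
            logons[e["TargetLogonId"]] = e            # remember each new session by Logon ID
        elif eid == 4672 and e["SubjectLogonId"] in logons:
            lg = logons[e["SubjectLogonId"]]           # 4672 carries the Logon ID of its 4624
            is_after_hours = ts.time() >= after_hours[0] or ts.time() < after_hours[1]
            findings.append({"rule": "privileged_logon", "time": ts,
                             "account": lg["TargetUserName"], "logon_type": lg["LogonType"],
                             "after_hours": is_after_hours})
        elif eid == 4698:
            tasks.append(e)                            # wait for the task's command to run
        elif eid == 4688:
            for t in tasks:
                if t["TaskCommand"].lower() in e["CommandLine"].lower():
                    findings.append({"rule": "persistence", "time": ts,
                                     "task": t["TaskName"], "command": e["CommandLine"]})
        elif eid == 1102:
            # Log cleared right after suspicious activity: report what it would hide.
            recent = [f["rule"] for f in findings if ts - f["time"] <= cleanup_window]
            findings.append({"rule": "log_cleared", "time": ts, "covers": recent})
    return findings


def sample_timeline():
    """Constructed events (not a real capture): a 3 AM privileged RDP logon, a scheduled
    task whose command then runs, the log being cleared, and a benign daytime logon."""
    t0 = datetime(2024, 3, 1, 3, 0, 0)
    cmd = r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1"
    return [
        {"EventID": 4624, "TimeCreated": t0, "TargetLogonId": "0x3e7a1",
         "TargetUserName": "svc_backup", "LogonType": 10},
        {"EventID": 4672, "TimeCreated": t0 + timedelta(seconds=1), "SubjectLogonId": "0x3e7a1"},
        {"EventID": 4698, "TimeCreated": t0 + timedelta(minutes=4),
         "TaskName": r"\Updater", "TaskCommand": cmd},
        {"EventID": 4688, "TimeCreated": t0 + timedelta(minutes=5),
         "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": cmd},
        {"EventID": 1102, "TimeCreated": t0 + timedelta(minutes=6)},
        {"EventID": 4624, "TimeCreated": datetime(2024, 3, 1, 9, 15),
         "TargetLogonId": "0x51a2", "TargetUserName": "alice", "LogonType": 2},
    ]


if __name__ == "__main__":
    for finding in correlate(sample_timeline()):
        print(finding)
```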

What This Looks Like on the Job

Scenario 1: Detecting Brute-Force Attacks on RDP

A large enterprise allows Remote Desktop (RDP) access to jump servers. The security team monitors Event ID 4625 (logon failure) with Logon Type 10 (RemoteInteractive). They set up a SIEM rule that triggers when more than 20 failures occur from the same source IP within 10 minutes. In production, they saw a spike from an external IP: 50 failures in 2 minutes, with usernames like 'admin', 'user', 'test'. The SIEM alerted, and the incident response team blocked the IP at the firewall. They also observed a successful 4624 from the same IP after 3 minutes, indicating the attacker guessed the password. The team then forced a password reset for the compromised account. Common misconfiguration: not auditing Logon Type 10 separately, so failures from RDP are mixed with other types.

Scenario 2: Identifying Malicious Service Installation

A threat actor gains access to a server and installs a backdoor as a service. The security team detects Event ID 7045 (new service installed) with Image Path pointing to C:\Users\Public\svchost.exe (a common masquerade). The Service Name is 'UpdateService'. The event shows the account running the service as 'SYSTEM'. The team correlates this with a 4688 event showing sc.exe create UpdateService binPath= ... from a PowerShell process. They immediately isolate the server and remove the service. In production, services with names similar to legitimate ones (e.g., 'WindowsUpdate') are often missed. The exam tests that you recognize 7045 as a persistence indicator.

Scenario 3: Investigating Lateral Movement via SMB

During an incident, an analyst sees Event ID 5140 (network share object accessed) on a file server from an unusual workstation. The Share Name is 'ADMIN$' and the Access Mask is 0x1 (ReadData). This indicates an attacker enumerating shares. Combined with a 4624 (network logon) from the same workstation, it suggests lateral movement. The team then checks for 4688 events on the target server for tools like psexec.exe or wmic.exe. In production, enabling auditing for object access (SACL) is critical; without it, 5140 is not generated. The exam loves to test that 5140 requires a SACL on the share.

How CS0-003 Actually Tests This

What CS0-003 Tests on Windows Event IDs

CS0-003 Objective 1.2 (Given a scenario, analyze indicators of compromise and determine the type of malware or attack) heavily relies on interpreting Windows Event IDs. Specifically, you must:

Differentiate between successful and failed logon events (4624 vs 4625).

Identify privilege escalation via 4672 (special logon) and 4673 (privileged service called).

Detect persistence mechanisms: 7045 (service installation), 4698 (scheduled task creation).

Recognize credential theft techniques like Kerberoasting (4769 with unusual service names) and pass-the-hash (4624 with LogonType 3 and NTLM authentication).

Spot log tampering via Event ID 1102 (log cleared).

Common Wrong Answers and Why Candidates Choose Them

1. Confusing 4624 and 4625: Candidates see a logon event and assume it's a failure because the user is 'SYSTEM' or 'ANONYMOUS LOGON'. But 4624 always means success. The wrong answer often says 'failed logon' when the Event ID is 4624. Always check the Event ID first.

2. Misinterpreting Logon Type 3 as Remote Desktop: Logon Type 3 is network logon (e.g., accessing a share). Remote Desktop is Logon Type 10. Candidates see a remote IP and assume RDP, but the Logon Type field clarifies.

3. Ignoring Sub Status Codes: For 4625, Sub Status 0xC0000064 means the user does not exist. Candidates may think it's a wrong password (0xC000006A). The exam may ask which accounts are being targeted; non-existent users indicate enumeration.

4. Overlooking 4672: A 4672 event always accompanies a privileged logon. If a 4624 is followed by 4672, the user has admin rights. Candidates may miss this and think the account is standard.

Specific Numbers, Values, and Terms That Appear Verbatim on the Exam

Logon Types: 2 (Interactive), 3 (Network), 10 (RemoteInteractive).

Sub Status for 4625: 0xC000006A (wrong password), 0xC0000064 (user does not exist), 0xC0000072 (account disabled).

Event IDs for service persistence: 7045 (new service), 7036 (service start/stop).

Event ID for log clear: 1102.

Kerberos events: 4768 (TGT request), 4769 (service ticket request), 4771 (pre-auth failure).

Edge Cases and Exceptions

Event ID 4624 with Logon Type 5 (Service): This is normal for services running as SYSTEM. Do not flag as suspicious unless the service account is unusual.

Event ID 4776 (NTLM): This is generated on domain controllers. If you see many 4776 failures from a single IP, it's a brute-force, but the exam may use this to confuse you with 4625.

Event ID 4648 (Explicit Credentials): This is normal when using RunAs. But if it's from a compromised account, it indicates lateral movement.

How to Eliminate Wrong Answers Using the Underlying Mechanism

When given a log snippet, follow this process:

1. Identify the Event ID. If it's 4624, the answer cannot be 'failed logon'.
2. Check the Logon Type. If it's 10, it's RDP; if 3, it's network.
3. Look for associated events: 4672 means admin privileges; 4648 means credential delegation.
4. If the question mentions 'brute-force', look for multiple 4625 events. If it says 'persistence', look for 7045 or 4698.

By understanding the mechanism (what each ID represents), you can eliminate answers that don't match the specific event fields.

Key Takeaways

Event ID 4624 = successful logon; 4625 = failed logon. Always check the Logon Type field.

Event ID 4672 (special logon) indicates a user logged on with administrative privileges.

Event ID 4688 (process creation) requires enabling command-line auditing to capture full details.

Event ID 7045 (new service) and 4698 (scheduled task) are common persistence mechanisms.

Event ID 1102 (audit log cleared) is a red flag for cover-up activity.

Event ID 4769 (Kerberos service ticket) can indicate Kerberoasting attacks.

Multiple 4625 events from the same source IP within a short time suggest a brute-force attack.

Event ID 4776 (NTLM credential validation) on domain controllers is used for NTLM brute-force detection.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Event ID 4624 (Logon Success)

Indicates a successful authentication.

Key fields: Logon Type, Account Name, Source IP.

Used to track user sessions and detect lateral movement.

Alone, not suspicious unless combined with other events.

Often paired with 4672 for privileged logons.

Event ID 4625 (Logon Failure)

Indicates a failed authentication attempt.

Key fields: Sub Status code (reason for failure).

Multiple events from same IP indicate brute-force.

Sub Status 0xC0000064 means user does not exist.

Sub Status 0xC000006A means wrong password.

Event ID 4688 (Process Creation)

Logged every time any process starts.

Includes Creator Process ID and CommandLine (if enabled).

Useful for detecting malware execution.

May generate many events; requires filtering.

Standard for process monitoring.

Event ID 7045 (Service Installation)

Logged only when a new service is installed.

Includes Service Name, Image Path, and Account Name.

Key indicator of persistence.

Less frequent; easier to spot anomalies.

Often used by attackers to install backdoors.

Watch Out for These

Mistake

Event ID 4624 always indicates a local logon.

Correct

Event ID 4624 can be local (Logon Type 2) or remote (Logon Type 3 for network, Type 10 for RDP). The Logon Type field must be examined to determine the origin.

Mistake

Event ID 4672 means a user escalated privileges via UAC.

Correct

Event ID 4672 is logged when a user logs on with administrative privileges, but it does not indicate UAC elevation specifically. UAC elevation triggers Event ID 4688 with a different process token. 4672 is just a special logon.

Mistake

Event ID 1102 is a normal maintenance event and can be ignored.

Correct

Event ID 1102 indicates the audit log was cleared. While it can be done legitimately, it is a common attacker technique to cover tracks. Always investigate the context around this event.

Mistake

Event ID 4688 always includes command-line arguments.

Correct

By default, command-line arguments are not logged. You must enable 'Include command line in process creation events' via Group Policy. Without it, the CommandLine field is empty.

Mistake

Event ID 4769 (Kerberos service ticket request) is only generated for domain users.

Correct

Event ID 4769 is generated on domain controllers for any Kerberos service ticket request, including for computer accounts. Attackers may request tickets for service accounts to crack offline (Kerberoasting).

Frequently Asked Questions

What is the difference between Event ID 4624 and 4625?

Event ID 4624 indicates a successful logon, while 4625 indicates a failed logon. The exam will test your ability to distinguish these. Always check the Event ID first. For 4625, also check the Sub Status code to determine the reason for failure (e.g., wrong password vs. account disabled).

How can I detect a brute-force attack using Windows event logs?

Look for multiple Event ID 4625 (logon failure) events from the same source IP within a short time window. For RDP brute-force, filter on Logon Type 10. You can also check 4776 for NTLM failures on domain controllers. A successful 4624 after many failures indicates the attack succeeded.

What Event ID indicates a new service was installed?

Event ID 7045 is logged when a new service is installed. It includes the service name, image path, and account under which the service runs. Attackers often use this for persistence. Correlate with 4688 to see if the service was created via `sc.exe` or PowerShell.

How do I identify privilege escalation in Windows logs?

Look for Event ID 4672 (special logon) immediately after a 4624. This indicates the user logged on with administrative privileges. Also, Event ID 4673 (privileged service called) and 4674 (privileged object access) can indicate attempts to escalate privileges.

What does Event ID 1102 mean?

Event ID 1102 indicates that the security event log was cleared. This is a strong indicator of an attacker covering their tracks. If you see this event, investigate the surrounding log entries for suspicious activity before the clear.

How can I detect Kerberoasting attacks?

Monitor Event ID 4769 on domain controllers for service ticket requests. Look for multiple requests for the same service principal name (SPN) from a single user, especially if the user is not an administrator. Kerberoasting involves requesting TGS tickets for service accounts to crack offline.

What is the significance of Logon Type 3?

Logon Type 3 indicates a network logon, such as accessing a shared folder or using PsExec. It does not mean RDP (which is Type 10). Attackers use network logons for lateral movement. If you see a 4624 with Logon Type 3 from an unusual source, investigate.
