Lateral Movement Detection with Windows Event Logs


Lateral movement refers to the behaviors of cyber attackers after gaining initial access to the assets and moves around the compromised network for sensitive data. The attacker will use different tools and techniques allowing them to move laterally through a network to map the system, Improve insights on such events to track the attacker. Below is the list of event IDs to monitor and hunt for.

Event ID ListThreat Actor Behavior
4624An account was successfully logged on
4634An account was logged off
4648A logon was attempted using explicit credentials
4656A handle to an object was requested
4658The handle to an object was closed
4660An object was deleted
4663An attempt was made to access an object
4672Special privileges assigned to new logon
4673A privileged service was called
4688A new process has been created
4689A process has exited
4698A scheduled task was created
4720A user account was created
4768A Kerberos authentication ticket (TGT) was requested
4769A Kerberos service ticket was requested
4946A change has been made to Windows Firewall exception list. A rule was added
5140A network share object was accessed
5142A network share object was added
5144A network share object was deleted
5145A network share object was checked to see whether client can be granted desired access
5154The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections
5156The Windows Filtering Platform has allowed a connection
5447A Windows Filtering Platform filter has been changed
8222Shadow copy has been created
7036Service Control Manager started a running
7045A new service was installed in the system.
20001New hardware is connected to the your computer.
0 (0x00000000) Installation Successful
2 (0x00000002) File Not Found
2147942402 (0x80070002) File Not Found
2147942403 (0x80070003) Path Not Found
2147942405 (0x80070005) Access Denied
2148467251 (0x800F0233) Invalid Target
2150105198 (0x8028006E) Invalid Source Path
1459 (0x000005B3) Requires Interactive Workstation
1460 (0x000005B4) Timeout
3758096948 (0xE0000234) Driver Non-native
3758096966 (0xE0000246) Deice Installer Not Ready
80Event logging for applications & services under Windows Remote Management
132Event logging for applications & services under Windows Remote Management
143Event logging for applications & services under Windows Remote Management
166Event logging for applications & services under Windows Remote Management
81Event logging for applications & services under Windows Remote Management
106Application and Service Log under \Microsoft\Windows\TaskScheduler\Operational
129Application and Service Log under \Microsoft\Windows\TaskScheduler\Operational
200Application and Service Log under \Microsoft\Windows\TaskScheduler\Operational
201Application and Service Log under \Microsoft\Windows\TaskScheduler\Operational
21Application and Service Log under \Microsoft\Windows\TerminalServices-LocalSessionManager\Operational
24Application and Service Log under \Microsoft\Windows\TerminalServices-LocalSessionManager\Operational
60Application and Service Log under \Microsoft\Windows\Bits-Client
104System log files was cleared
Lateral Movement Detection with Windows Event ID’s

Also Read: Cyber Threat Hunting – Proactive Intrusion Detection


As a soc analyst, Monitor such events with high priority as this is the critical indicator of attackers living inside your organization for a period of time.

Previous articleAdvanced Hunting to Find the Ransomware
Next articlePersistence Remote Password Reset – Event IDs to Monitor
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.


Please enter your comment!
Please enter your name here