Posts tagged #persistence
Detecting privilege escalation and persistence through group membership changes in the Security log — local (4732), global (4728) and universal (4756) group additions, what the fields mean, and the create-then-add pattern.
How attackers use scheduled tasks for persistence and what it leaves in the event logs — Security 4698/4699/4700/4701/4702 with the full task XML, and the Task Scheduler Operational log 106/140/141/200.
How attackers persist with permanent WMI event subscriptions (__EventFilter + __EventConsumer + __FilterToConsumerBinding) and what the WMI-Activity Operational log records — Event ID 5861 and friends.