Windows Security Event ID cheat sheet for DFIR
The Windows event IDs that matter in an investigation, grouped by attack phase — with the log they live in, a one-line meaning, and a link to the deep-dive for each. A reference for incident response and threat hunting.
Windows logs thousands of distinct event IDs; only a few dozen carry most investigations. This is the working subset, grouped by attack phase, with the channel each lives in, what it means in one line, and a link to the deep-dive where there is one. Keep it open next to the browser parser while you triage.
A note on prerequisites: many Security events require the relevant audit subcategory to be enabled, and some need more than that: 4688 only carries the command line when "Include command line in process creation events" is on, 4104 needs script block logging, 4663 needs a SACL on the object, 5145 needs Detailed File Share auditing, and Sysmon events need Sysmon installed with a sane config. An empty result often means "not logged," not "didn't happen" — see Sysmon configuration and the per-event posts.
Authentication & logon
| ID | Channel | Meaning |
|---|---|---|
| 4624 | Security | An account successfully logged on — read the logon type |
| 4625 | Security | A logon failed — read the sub-status code |
| 4634 / 4647 | Security | Logoff / user-initiated logoff (join by LogonId) |
| 4648 | Security | Logon with explicit credentials (runas) |
| 4768 | Security (DC) | Kerberos TGT requested |
| 4769 | Security (DC) | Kerberos service ticket requested (Kerberoasting shows as RC4 tickets, encryption type 0x17, for user-account SPNs) |
| 4771 | Security (DC) | Kerberos pre-authentication failed |
| 4776 | Security (DC for domain accounts; the host itself for local accounts) | NTLM credential validation, logged wherever the account lives |
The whole picture, and how the DC and host halves correlate: reading Windows logons end to end.
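As an added example (not code from the original page), the three reads this table asks for, in PowerShell against the Security channel: join each 4624 to its 4634/4647 by LogonId, decode 4625 failures, and, on a DC, pull the RC4 4769s that Kerberoasting produces. It assumes the Logon, Logoff and (for the last function) Kerberos Service Ticket Operations subcategories are audited; the `-Path` parameter runs the same query over an exported .evtx instead of the live log.

```powershell
# Added example, not code from the original page. Assumes the Logon and Logoff audit
# subcategories are on (and Kerberos Service Ticket Operations on the DC for the last
# function). Pass -Path to run against an exported .evtx instead of the live channel.

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="X">value</Data>... into a hashtable keyed by Name
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    $x = [xml]$Event.ToXml()
    foreach ($n in $x.Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
    return $d
}

$LogonTypes = @{ '2'='Interactive'; '3'='Network'; '4'='Batch'; '5'='Service'; '7'='Unlock';
                 '8'='NetworkCleartext'; '9'='NewCredentials'; '10'='RemoteInteractive'; '11'='CachedInteractive' }

function Get-LogonSessions {
    # One row per 4624, with the 4634/4647 that shares its TargetLogonId as the logoff time
    param([datetime]$Start, [datetime]$End, [string]$Path)
    $f = @{ Id = 4624, 4634, 4647; StartTime = $Start; EndTime = $End }
    if ($Path) { $f.Path = $Path } else { $f.LogName = 'Security' }
    $events = @(Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue)
    $logoffs = @{}
    foreach ($e in $events) {
        if ($e.Id -eq 4624) { continue }
        $d = ConvertFrom-EventData $e
        $logoffs[$d.TargetLogonId] = $e.TimeCreated.ToUniversalTime()
    }
    foreach ($e in $events) {
        if ($e.Id -ne 4624) { continue }
        $d = ConvertFrom-EventData $e
        [pscustomobject]@{
            LogonUtc    = $e.TimeCreated.ToUniversalTime()
            LogoffUtc   = $logoffs[$d.TargetLogonId]   # $null: still open, or the logoff fell outside the window
            Type        = $LogonTypes[$d.LogonType]
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonId     = $d.TargetLogonId
            SourceIp    = $d.IpAddress
            Workstation = $d.WorkstationName
            Process     = $d.ProcessName
        }
    }
}

$SubStatus = @{ '0xc000006a'='wrong password'; '0xc0000064'='no such user'; '0xc0000234'='account locked out';
                '0xc0000072'='account disabled'; '0xc0000071'='password expired'; '0xc0000193'='account expired';
                '0xc000006f'='outside logon hours'; '0xc0000070'='workstation restriction' }

function Get-FailedLogons {
    # 4625 grouped by account, source and decoded reason. The detail is normally in SubStatus,
    # but some failures (lockout, for one) put the code in Status and leave SubStatus at 0x0.
    param([datetime]$Start, [datetime]$End, [string]$Path)
    $f = @{ Id = 4625; StartTime = $Start; EndTime = $End }
    if ($Path) { $f.Path = $Path } else { $f.LogName = 'Security' }
    $rows = foreach ($e in Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue) {
        $d = ConvertFrom-EventData $e
        $code = if ($d.SubStatus -and $d.SubStatus -ne '0x0') { $d.SubStatus } else { $d.Status }
        $code = "$code".ToLower()
        [pscustomobject]@{
            Utc      = $e.TimeCreated.ToUniversalTime()
            User     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            SourceIp = $d.IpAddress
            Type     = $LogonTypes[$d.LogonType]
            Reason   = if ($SubStatus[$code]) { $SubStatus[$code] } else { $code }
        }
    }
    $rows | Group-Object User, SourceIp, Reason | ForEach-Object {
        [pscustomobject]@{ User = $_.Group[0].User; SourceIp = $_.Group[0].SourceIp; Reason = $_.Group[0].Reason;
                           Attempts = $_.Count;
                           FirstUtc = ($_.Group.Utc | Measure-Object -Minimum).Minimum;
                           LastUtc  = ($_.Group.Utc | Measure-Object -Maximum).Maximum }
    } | Sort-Object Attempts -Descending
}

function Find-Rc4ServiceTickets {
    # DC only: successful 4769s with TicketEncryptionType 0x17 (RC4-HMAC) for non-machine SPNs.
    # One client pulling tickets for many distinct services in a short window is the Kerberoasting shape.
    param([datetime]$Start, [datetime]$End, [string]$Path)
    $f = @{ Id = 4769; StartTime = $Start; EndTime = $End }
    if ($Path) { $f.Path = $Path } else { $f.LogName = 'Security' }
    $rows = foreach ($e in Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue) {
        $d = ConvertFrom-EventData $e
        if ($d.TicketEncryptionType -ne '0x17' -or $d.Status -ne '0x0') { continue }
        if ($d.ServiceName -like '*$' -or $d.ServiceName -eq 'krbtgt') { continue }
        [pscustomobject]@{ Requester = $d.TargetUserName; ClientIp = $d.IpAddress; Service = $d.ServiceName }
    }
    $rows | Group-Object Requester, ClientIp | ForEach-Object {
        [pscustomobject]@{ Requester = $_.Group[0].Requester; ClientIp = $_.Group[0].ClientIp; Tickets = $_.Count;
                           Services  = ($_.Group.Service | Sort-Object -Unique) -join ',' }
    } | Sort-Object Tickets -Descending
}

# Usage (live host, last 24 h):
# Get-LogonSessions -Start (Get-Date).AddDays(-1) -End (Get-Date) | Where-Object Type -eq 'Network' | Format-Table
# Get-FailedLogons  -Start (Get-Date).AddDays(-1) -End (Get-Date) | Format-Table
```

Type 3 rows from machine accounts (names ending in `$`) and ANONYMOUS LOGON are normal background on a domain member; filter them when the question is "who logged on", keep them when the question is "what authenticated to this host at all". IpAddress in 4769 is usually IPv4-mapped (`::ffff:10.0.0.5`); strip the prefix before joining to firewall or DHCP data.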
Remote access (RDP)
| ID | Channel | Meaning |
|---|---|---|
| 1149 | RemoteConnectionManager/Operational | RDP network-level auth succeeded — carries source IP; without NLA it fires when the connection lands, before any credentials are entered |
| 21 / 22 | LocalSessionManager/Operational | RDP session logon / shell start |
| 24 / 25 | LocalSessionManager/Operational | RDP session disconnected / reconnected |
| 4778 / 4779 | Security | Session reconnected / disconnected (client name + address) |
| 1024 | RDPClient/Operational | Outbound RDP attempt, logged on the source host — names the destination |
Full constellation: RDP forensics · investigation: did someone RDP in? · hunting: RDP lateral movement.
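As an added example (not from the original page or its linked posts), here is the constellation pulled into one time-ordered view: 1149 from RemoteConnectionManager, 21/22/24/25 from LocalSessionManager, 4778/4779 and 4624 type 10 from Security, and 1024 from RDPClient. The Terminal Services channels keep their fields under `UserData/EventXML` rather than `EventData`, so the helper reads both. Reading the 1024 target host from the event's first data field (`Properties[0]`) is an assumption about that event's layout; check it against one of your own records.

```powershell
# Added example, not code from the original page. Assumes the three TerminalServices
# Operational channels are present (on by default) and Logon auditing is enabled.
# Reading the 1024 target name from Properties[0] is an assumption about that event's
# first data field; verify against one of your own 1024 records.

function ConvertFrom-EventXml {
    # Security events carry fields as <EventData><Data Name=..>; Terminal Services events
    # carry them as child elements of <UserData><EventXML>. Flatten both into one hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    $x = [xml]$Event.ToXml()
    foreach ($n in $x.Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
    foreach ($n in $x.Event.UserData.EventXML.ChildNodes) { $d[$n.LocalName] = $n.InnerText }
    return $d
}

$RdpQueries = @(
    @{ LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; Id = @(1149) }
    @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational';    Id = 21, 22, 24, 25 }
    @{ LogName = 'Microsoft-Windows-TerminalServices-RDPClient/Operational';              Id = @(1024) }
    @{ LogName = 'Security';                                                               Id = 4624, 4778, 4779 }
)
$RdpMeaning = @{ 1149 = 'network auth succeeded'; 21 = 'session logon'; 22 = 'shell start';
                 24 = 'session disconnected'; 25 = 'session reconnected';
                 4778 = 'session reconnected'; 4779 = 'session disconnected';
                 4624 = 'logon type 10 (RemoteInteractive)'; 1024 = 'outbound connect attempt' }

function Get-RdpTimeline {
    param([datetime]$Start, [datetime]$End)
    $rows = foreach ($q in $RdpQueries) {
        $f = $q.Clone(); $f.StartTime = $Start; $f.EndTime = $End
        foreach ($e in Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue) {
            $d = ConvertFrom-EventXml $e
            # only RemoteInteractive logons belong in an RDP view; other 4624 types are noise here
            if ($e.Id -eq 4624 -and $d.LogonType -ne '10') { continue }
            $row = [ordered]@{ Utc = $e.TimeCreated.ToUniversalTime(); Channel = $e.LogName.Split('-')[-1];
                               Id = $e.Id; What = $RdpMeaning[$e.Id]; User = $null; Address = $null; Session = $null }
            switch ($e.Id) {
                1149 { $row.User = "$($d.Param2)\$($d.Param1)"; $row.Address = $d.Param3 }
                { $_ -in 21, 22, 24, 25 } { $row.User = $d.User; $row.Address = $d.Address; $row.Session = $d.SessionID }
                { $_ -in 4778, 4779 }     { $row.User = "$($d.AccountDomain)\$($d.AccountName)"
                                            $row.Address = $d.ClientAddress; $row.Session = $d.SessionName }
                4624 { $row.User = "$($d.TargetDomainName)\$($d.TargetUserName)"
                       $row.Address = $d.IpAddress; $row.Session = $d.TargetLogonId }
                1024 { $row.Address = $e.Properties[0].Value }   # assumed: target host is the first data field
            }
            [pscustomobject]$row
        }
    }
    $rows | Sort-Object Utc
}

# Usage: Get-RdpTimeline -Start (Get-Date).AddDays(-3) -End (Get-Date) | Format-Table -AutoSize
```

Read it as a chain: 1149 (network auth) then 4624/10 and 21 (session logon) then 22 (shell), with 24/25 and 4778/4779 marking the disconnects and reconnects that let one session span days. A 1149 with no following 21 is a credential that authenticated but never got a desktop; a 21 with no 1149 on a host that requires NLA is worth a second look at the clock and the channel's retention.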
Execution
| ID | Channel | Meaning |
|---|---|---|
| 4688 | Security | Process created (command line if auditing on) |
| 1 | Sysmon/Operational | Process create (hashes, parent, command line) |
| 4104 | PowerShell/Operational | Script-block logging — the actual code |
| 4103 | PowerShell/Operational | Module/pipeline logging |
| 400 / 600 | Windows PowerShell | Engine start / provider lifecycle (classic) |
Background: PowerShell logging for forensics.
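A single script block that exceeds the event size is written as several 4104 records sharing a `ScriptBlockId`, numbered by `MessageNumber`, so reading them one at a time hides what actually ran. As an added example (not from the original page), this reassembles each block in order, reports whether every fragment survived, and tags text that deserves a second look. It assumes script block logging is enabled; the regex list is an illustrative starting set, not a detection rule set.

```powershell
# Added example, not code from the original page. Assumes script block logging is enabled.
# (4104 records for blocks the engine itself judges "suspicious" are written at Warning
# level even without the policy.) The pattern list is illustrative only.

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="X">value</Data>... into a hashtable keyed by Name
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    $x = [xml]$Event.ToXml()
    foreach ($n in $x.Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
    return $d
}

$LookTwice = 'FromBase64String', 'Invoke-Expression', '\bIEX\b', 'DownloadString', 'DownloadFile',
             'Net\.WebClient', 'Invoke-WebRequest', 'Reflection\.Assembly', 'Add-Type', 'AmsiUtils',
             'VirtualAlloc', '-[eE][nN][cC]'

function Get-ScriptBlocks {
    # Reassemble 4104 fragments by ScriptBlockId, in MessageNumber order
    param([datetime]$Start, [datetime]$End, [string]$Path)
    $f = @{ Id = 4104; StartTime = $Start; EndTime = $End }
    if ($Path) { $f.Path = $Path } else { $f.LogName = 'Microsoft-Windows-PowerShell/Operational' }
    $blocks = @{}
    $events = Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | Sort-Object TimeCreated
    foreach ($e in $events) {
        $d = ConvertFrom-EventData $e
        if (-not $blocks.ContainsKey($d.ScriptBlockId)) {
            $blocks[$d.ScriptBlockId] = @{ FirstUtc = $e.TimeCreated.ToUniversalTime(); Total = [int]$d.MessageTotal;
                                           Path = $d.Path; Level = $e.LevelDisplayName; Pieces = @{} }
        }
        $blocks[$d.ScriptBlockId].Pieces[[int]$d.MessageNumber] = $d.ScriptBlockText
    }
    foreach ($id in $blocks.Keys) {
        $b = $blocks[$id]
        $text = ($b.Pieces.Keys | Sort-Object | ForEach-Object { $b.Pieces[$_] }) -join ''
        $hits = $LookTwice | Where-Object { $text -match $_ }
        [pscustomobject]@{
            FirstUtc      = $b.FirstUtc
            ScriptBlockId = $id
            Path          = $b.Path        # empty for interactive or in-memory code
            Level         = $b.Level       # 'Warning' = the engine's own suspicious-content heuristic fired
            Complete      = ($b.Pieces.Count -eq $b.Total)
            Flags         = ($hits -join ',')
            Length        = $text.Length
            Text          = $text
        }
    }
}

# Usage: Get-ScriptBlocks -Start (Get-Date).AddHours(-6) -End (Get-Date) |
#        Where-Object Flags | Sort-Object FirstUtc | Format-List FirstUtc, Path, Flags, Text
```

`Complete = $false` with a late `FirstUtc` usually means the channel rolled over mid-block (the default 15 MB fills fast under script block logging); widen the window or pull the channel from a forwarded copy before concluding the code was truncated by the attacker.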
Privilege & account management
| ID | Channel | Meaning |
|---|---|---|
| 4672 | Security | Special privileges assigned to a logon |
| 4720 | Security | User account created |
| 4722 / 4725 / 4726 | Security | Account enabled / disabled / deleted |
| 4723 / 4724 | Security | Password change vs admin reset |
| 4740 / 4767 | Security (DC) | Account locked out (the caller computer name is in the event) / unlocked |
| 4728 / 4732 / 4756 | Security | Member added to global / local / universal security group |
| 4729 / 4733 / 4757 | Security | Member removed from those groups |
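The analytic questions behind this table are "who changed whom", "was that password reset or a self-service change", and "did the change touch a sensitive group". As an added example (not from the original page), this turns the three families of events into one report with those answers. It assumes the User Account Management and Security Group Management subcategories are audited (DC for domain objects, the host for local ones); the sensitive-group list is an illustrative starting set.

```powershell
# Added example, not code from the original page. Assumes User Account Management and
# Security Group Management auditing; run on the DC for domain objects, on the host for
# local ones. $SensitiveGroups is an illustrative starting set, not an authoritative list.

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="X">value</Data>... into a hashtable keyed by Name
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    $x = [xml]$Event.ToXml()
    foreach ($n in $x.Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
    return $d
}

$GroupChange = @{ 4728 = 'added to global group';    4729 = 'removed from global group';
                  4732 = 'added to local group';     4733 = 'removed from local group';
                  4756 = 'added to universal group'; 4757 = 'removed from universal group' }
$Lifecycle   = @{ 4720 = 'account created'; 4722 = 'account enabled'; 4725 = 'account disabled';
                  4726 = 'account deleted'; 4740 = 'account locked out'; 4767 = 'account unlocked' }
$SensitiveGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Account Operators',
                   'Backup Operators', 'Server Operators', 'Remote Desktop Users', 'DnsAdmins'

function Get-AccountChanges {
    param([datetime]$Start, [datetime]$End, [string]$Path)
    $ids = @($GroupChange.Keys) + @($Lifecycle.Keys) + 4723, 4724
    $f = @{ Id = $ids; StartTime = $Start; EndTime = $End }
    if ($Path) { $f.Path = $Path } else { $f.LogName = 'Security' }
    foreach ($e in Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue) {
        $d = ConvertFrom-EventData $e
        $row = [ordered]@{ Utc = $e.TimeCreated.ToUniversalTime(); Id = $e.Id; What = $null;
                           Actor = "$($d.SubjectDomainName)\$($d.SubjectUserName)"; Target = $null; Note = '' }
        if ($GroupChange.ContainsKey($e.Id)) {
            # MemberName is the member's DN for domain accounts; local-account adds carry only MemberSid
            $member = if ($d.MemberName -and $d.MemberName -ne '-') { $d.MemberName } else { $d.MemberSid }
            $row.What   = $GroupChange[$e.Id]
            $row.Target = "$member -> $($d.TargetDomainName)\$($d.TargetUserName)"
            if ($SensitiveGroups -contains $d.TargetUserName) { $row.Note = 'SENSITIVE GROUP' }
        }
        elseif ($e.Id -eq 4723 -or $e.Id -eq 4724) {
            $row.What   = if ($e.Id -eq 4724) { 'password reset (admin path)' } else { 'password change (user path)' }
            $row.Target = "$($d.TargetDomainName)\$($d.TargetUserName)"
            if ($e.Id -eq 4724 -and $d.SubjectUserName -ne $d.TargetUserName) { $row.Note = 'reset of another account' }
        }
        else {
            $row.What   = $Lifecycle[$e.Id]
            $row.Target = "$($d.TargetDomainName)\$($d.TargetUserName)"
            # 4740 is raised by the DC itself; the machine that sent the bad passwords is in TargetDomainName
            if ($e.Id -eq 4740) { $row.Actor = 'lockout policy'; $row.Target = $d.TargetUserName; $row.Note = "caller: $($d.TargetDomainName)" }
        }
        [pscustomobject]$row
    }
}

# Usage: Get-AccountChanges -Start (Get-Date).AddDays(-7) -End (Get-Date) |
#        Where-Object Note | Sort-Object Utc | Format-Table -AutoSize
```

A 4720 followed within minutes by a 4732 into Administrators and then a 4624 type 10 for the new account, all with the same actor, is the persistence pattern this table exists to catch; the report above puts those three rows next to each other.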
Persistence
| ID | Channel | Meaning |
|---|---|---|
| 4698 | Security | Scheduled task created (full task XML) |
| 4699 / 4700 / 4701 / 4702 | Security | Task deleted / enabled / disabled / updated |
| 106 / 140 / 141 | TaskScheduler/Operational | Task registered / updated / deleted |
| 200 / 201 | TaskScheduler/Operational | Task action ran / completed |
| 7045 | System | Service installed |
| 7034 / 7036 | System | Service crashed / changed state |
| 5861 | WMI-Activity/Operational | WMI permanent event consumer registered |
| 5858 / 5860 | WMI-Activity/Operational | WMI operation error / temporary consumer |
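4698 and 4702 embed the whole task definition as XML inside a single data field, so the command, the account it runs as, and the triggers are there but not visible in the rendered message. As an added example (not from the original page), this parses that inner XML, lists what the task ran from the TaskScheduler channel, and flags 7045 service installs whose binary path is a command line rather than a binary. It assumes Other Object Access Events auditing (for 4698/4702) and that the TaskScheduler Operational channel is enabled; the `ImagePath` patterns are illustrative. The WMI events in the table are not covered here.

```powershell
# Added example, not code from the original page. Assumes Other Object Access Events
# auditing (4698/4702) and an enabled TaskScheduler Operational channel (it is off by
# default on some builds). $ServiceRedFlags is an illustrative pattern set.

function ConvertFrom-EventXml {
    # Flatten <EventData><Data Name=..> and <UserData><EventXML> children into one hashtable
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    $x = [xml]$Event.ToXml()
    foreach ($n in $x.Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
    foreach ($n in $x.Event.UserData.EventXML.ChildNodes) { $d[$n.LocalName] = $n.InnerText }
    return $d
}

function Get-TaskRegistrations {
    # 4698 (created) / 4702 (updated): parse the embedded task XML for action, principal, triggers
    param([datetime]$Start, [datetime]$End, [string]$Path)
    $f = @{ Id = 4698, 4702; StartTime = $Start; EndTime = $End }
    if ($Path) { $f.Path = $Path } else { $f.LogName = 'Security' }
    foreach ($e in Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue) {
        $d = ConvertFrom-EventXml $e
        $xmlText = if ($e.Id -eq 4702) { $d.TaskContentNew } else { $d.TaskContent }
        if (-not $xmlText) { continue }
        # The embedded definition declares encoding="UTF-16"; drop the declaration before parsing the string
        $t = [xml]($xmlText -replace '^\s*<\?xml[^>]*\?>', '')
        $actions = foreach ($a in $t.Task.Actions.Exec) { "$($a.Command) $($a.Arguments)".Trim() }
        [pscustomobject]@{
            Utc      = $e.TimeCreated.ToUniversalTime()
            Id       = $e.Id
            Actor    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Task     = $d.TaskName
            RunsAs   = $t.Task.Principals.Principal.UserId
            RunLevel = $t.Task.Principals.Principal.RunLevel
            Triggers = ($t.Task.Triggers.ChildNodes | ForEach-Object LocalName) -join ','
            Hidden   = $t.Task.Settings.Hidden
            Actions  = $actions -join ' ; '
        }
    }
}

function Get-TaskActivity {
    # TaskScheduler/Operational: 106 registered, 140 updated, 141 deleted, 200 action started, 201 completed
    param([datetime]$Start, [datetime]$End)
    $f = @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106, 140, 141, 200, 201; StartTime = $Start; EndTime = $End }
    foreach ($e in Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue) {
        $d = ConvertFrom-EventXml $e
        [pscustomobject]@{ Utc = $e.TimeCreated.ToUniversalTime(); Id = $e.Id; Task = $d.TaskName;
                           User = if ($d.UserContext) { $d.UserContext } else { $d.UserName };
                           Action = $d.ActionName; EnginePid = $d.EnginePID; Result = $d.ResultCode }
    }
}

$ServiceRedFlags = 'cmd(\.exe)?\s', 'powershell', '%COMSPEC%', '\\ADMIN\$', 'rundll32',
                   '\\Temp\\', '\\Users\\', '\\ProgramData\\', '\.bat\b', '\.vbs\b'

function Get-ServiceInstalls {
    # 7045: every new service with binary path and account; a shell command line as ImagePath is the PsExec-style shape
    param([datetime]$Start, [datetime]$End, [string]$Path)
    $f = @{ Id = 7045; StartTime = $Start; EndTime = $End }
    if ($Path) { $f.Path = $Path } else { $f.LogName = 'System' }
    foreach ($e in Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue) {
        $d = ConvertFrom-EventXml $e
        $hits = $ServiceRedFlags | Where-Object { $d.ImagePath -match $_ }
        [pscustomobject]@{ Utc = $e.TimeCreated.ToUniversalTime(); Service = $d.ServiceName; ImagePath = $d.ImagePath;
                           StartType = $d.StartType; Account = $d.AccountName; Flags = ($hits -join ',') }
    }
}

# Usage: Get-TaskRegistrations -Start (Get-Date).AddDays(-30) -End (Get-Date) |
#        Where-Object { $_.RunLevel -eq 'HighestAvailable' -or $_.Hidden -eq 'true' } | Format-List
```

Join `Get-TaskRegistrations` to `Get-TaskActivity` on `Task`: a 4698 with no 200 means the task was planted but has not fired yet, which changes the containment question from "what did it do" to "when would it have".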
Lateral movement & access to resources
| ID | Channel | Meaning |
|---|---|---|
| 4624 type 3 | Security | Network logon (SMB, etc.) — fan-out = lateral movement |
| 4648 | Security | Explicit-credential logon (often pivoting) |
| 4663 | Security | Object access attempt (logged only for objects that carry a matching SACL) |
| 5140 / 5145 | Security | Network share accessed / detailed file share access |
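On the host being pivoted to, the network logons give the sources and the share events give what they touched; the two join on the logon ID (4624 `TargetLogonId` equals 5140/5145 `SubjectLogonId`). 4648 on the host pivoting out shows which process used alternate credentials against which server. As an added example (not from the original page), this builds the fan-in table with the shares and paths each source touched, and the outbound 4648 list. It assumes Logon auditing plus File Share / Detailed File Share auditing; machine accounts and ANONYMOUS LOGON are dropped by default as background noise.

```powershell
# Added example, not code from the original page. Run on the host being pivoted *to*.
# Assumes Logon auditing and File Share / Detailed File Share auditing (5140 / 5145).

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="X">value</Data>... into a hashtable keyed by Name
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    $x = [xml]$Event.ToXml()
    foreach ($n in $x.Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
    return $d
}

function Get-NetworkLogonFanIn {
    param([datetime]$Start, [datetime]$End, [string]$Path, [switch]$IncludeMachineAccounts)
    $f = @{ Id = 4624, 5140, 5145; StartTime = $Start; EndTime = $End }
    if ($Path) { $f.Path = $Path } else { $f.LogName = 'Security' }
    $events = @(Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue)
    # Share events carry the network logon's ID as SubjectLogonId; index them first
    $touched = @{}
    foreach ($e in $events) {
        if ($e.Id -eq 4624) { continue }
        $d = ConvertFrom-EventData $e
        $what = if ($e.Id -eq 5145) { "$($d.ShareName)\$($d.RelativeTargetName)" } else { $d.ShareName }
        if (-not $touched.ContainsKey($d.SubjectLogonId)) {
            $touched[$d.SubjectLogonId] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        [void]$touched[$d.SubjectLogonId].Add($what)
    }
    $logons = foreach ($e in $events) {
        if ($e.Id -ne 4624) { continue }
        $d = ConvertFrom-EventData $e
        if ($d.LogonType -ne '3') { continue }
        if (-not $IncludeMachineAccounts -and ($d.TargetUserName -like '*$' -or $d.TargetUserName -eq 'ANONYMOUS LOGON')) { continue }
        $paths = if ($touched.ContainsKey($d.TargetLogonId)) { @($touched[$d.TargetLogonId]) } else { @() }
        [pscustomobject]@{ Utc = $e.TimeCreated.ToUniversalTime(); SourceIp = $d.IpAddress; Workstation = $d.WorkstationName;
                           User = "$($d.TargetDomainName)\$($d.TargetUserName)"; Auth = $d.AuthenticationPackageName; Paths = $paths }
    }
    $logons | Group-Object SourceIp, User | ForEach-Object {
        $all = @($_.Group | ForEach-Object { $_.Paths } | Sort-Object -Unique)
        [pscustomobject]@{
            SourceIp   = $_.Group[0].SourceIp
            User       = $_.Group[0].User
            Logons     = $_.Count
            FirstUtc   = ($_.Group.Utc | Measure-Object -Minimum).Minimum
            LastUtc    = ($_.Group.Utc | Measure-Object -Maximum).Maximum
            AdminShare = [bool]($all | Where-Object { $_ -match '\\(ADMIN|C|IPC)\$' })   # ADMIN$/C$ access = remote admin tooling
            Touched    = $all -join ' ; '
        }
    } | Sort-Object LastUtc -Descending
}

function Get-ExplicitCredentialLogons {
    # 4648 on the *source*: which process used which alternate credentials against which server
    param([datetime]$Start, [datetime]$End, [string]$Path)
    $f = @{ Id = 4648; StartTime = $Start; EndTime = $End }
    if ($Path) { $f.Path = $Path } else { $f.LogName = 'Security' }
    foreach ($e in Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue) {
        $d = ConvertFrom-EventData $e
        if ($d.TargetServerName -eq 'localhost') { continue }   # local runas; keep it if the question is local escalation
        [pscustomobject]@{ Utc = $e.TimeCreated.ToUniversalTime(); Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)";
                           UsedAs = "$($d.TargetDomainName)\$($d.TargetUserName)"; Server = $d.TargetServerName;
                           Process = $d.ProcessName; SourceIp = $d.IpAddress }
    }
}

# Usage: Get-NetworkLogonFanIn -Start (Get-Date).AddDays(-1) -End (Get-Date) | Where-Object AdminShare | Format-Table
```

One source IP appearing under many users, or one user appearing from many sources, is the fan-out the table means; the DC's 4624/4768/4769 for the same account turn a one-host fan-in into the full list of hosts reached.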
Defense evasion & anti-forensics
| ID | Channel | Meaning |
|---|---|---|
| 1102 | Security | Security audit log cleared — who & when |
| 104 | System | Any other log was cleared (System, Application, an Operational channel); the event names the log |
| 1100 | Security | Event Log service shut down |
Reading what survives tampering: tampered logs and what survives · log clearing as evidence · carving deleted records.
The format underneath
| Topic | Reference |
|---|---|
| What an EVTX file is | what is an EVTX file |
| Byte-level format | complete format reference · decoded · chunks |
| The binary XML encoding | how BinXML works |
| Collecting & opening | collect from a live host · open an EVTX file |
How to use this
- Scope the question (subject + window), then pull the right channels.
- Filter to the IDs for the phase you're chasing — with PowerShell, Sigma tooling, or the browser parser.
- Correlate by LogonId, source IP, account, and time; bring in the DC, not just the victim.
- Assemble the confirmed events into a UTC timeline, and annotate the gaps.
Where an ID above is linked, the link is its deep-dive: follow it for the fields, the false positives, and the hunting patterns.
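The four steps above, and the "what survives tampering" point from the defense-evasion table, as one added example (not from the original page): pull the IDs from the tables out of their channels for one subject and window, normalise to UTC, flag 1102/104/1100, and note every channel whose oldest surviving record is later than the window start, because a gap is evidence too. It assumes a live host (optionally remote via Get-WinEvent's `-ComputerName`); for a collected image, feed the exported .evtx files through the same logic with `Path` instead of `LogName`. The `-Subject` filter is a plain substring match on the event XML, which misses events that carry the subject only as a SID.

```powershell
# Added example, not code from the original page. Assumes a live host (or -Computer for
# a remote one over Get-WinEvent's RPC access) and the audit settings noted in the tables.

$Channels = @(
    @{ LogName = 'Security'; Id = 1100, 1102, 4624, 4625, 4634, 4647, 4648, 4672, 4688, 4698, 4702, 4720, 4722, 4724, 4725, 4726,
                                  4728, 4732, 4756, 4740, 4768, 4769, 4771, 4776, 4778, 4779, 5140, 5145 }
    @{ LogName = 'System'; Id = 104, 7034, 7036, 7045 }
    @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106, 140, 141, 200, 201 }
    @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104 }
    @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 21, 22, 24, 25 }
    @{ LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; Id = @(1149) }
    @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5858, 5860, 5861 }
    @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = @(1) }
)

function Build-Timeline {
    param([datetime]$Start, [datetime]$End, [string]$Subject, [string]$Computer, [string]$OutCsv)
    $common = @{ ErrorAction = 'SilentlyContinue' }
    if ($Computer) { $common.ComputerName = $Computer }
    $rows = foreach ($c in $Channels) {
        # Coverage: if the oldest record left in the channel is newer than the window start, record that as a row
        $oldest = Get-WinEvent -LogName $c.LogName -Oldest -MaxEvents 1 @common
        if ($oldest -and $oldest.TimeCreated -gt $Start) {
            [pscustomobject]@{ Utc = $Start.ToUniversalTime(); Channel = $c.LogName; Id = $null; RecordId = $null;
                               Note = 'COVERAGE GAP';
                               Summary = "oldest surviving record is $($oldest.TimeCreated.ToUniversalTime().ToString('u')) (cleared, rolled over, or never covered)" }
        }
        # Get-WinEvent rejects hashtable filters with more than roughly 20 IDs; query in chunks
        $ids = @($c.Id)
        for ($i = 0; $i -lt $ids.Count; $i += 20) {
            $f = @{ LogName = $c.LogName; Id = $ids[$i..($i + 19)]; StartTime = $Start; EndTime = $End }
            foreach ($e in Get-WinEvent -FilterHashtable $f @common) {
                $note = ''
                if     ($e.LogName -eq 'Security' -and $e.Id -eq 1102) { $note = 'SECURITY LOG CLEARED' }
                elseif ($e.LogName -eq 'Security' -and $e.Id -eq 1100) { $note = 'EVENT LOG SERVICE STOPPED' }
                elseif ($e.LogName -eq 'System'   -and $e.Id -eq 104)  { $note = 'LOG CLEARED' }
                # keep tampering records regardless of subject; filter the rest by substring on the XML
                if ($Subject -and -not $note -and $e.ToXml() -notmatch [regex]::Escape($Subject)) { continue }
                [pscustomobject]@{ Utc = $e.TimeCreated.ToUniversalTime(); Channel = $e.LogName; Id = $e.Id; RecordId = $e.RecordId;
                                   Note = $note;
                                   Summary = if ($e.Message) { ($e.Message -split "`r?`n")[0] } else { '(no message template on this host)' } }
            }
        }
    }
    $sorted = $rows | Sort-Object Utc
    if ($OutCsv) { $sorted | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8 }
    $sorted
}

# Usage: the victim first, then the DC for the 4768/4769/4776/4740 half of the story
# Build-Timeline -Start (Get-Date).AddDays(-7) -End (Get-Date) -Subject 'jdoe' -OutCsv .\host01.csv
# Build-Timeline -Start (Get-Date).AddDays(-7) -End (Get-Date) -Subject 'jdoe' -Computer dc01 -OutCsv .\dc01.csv
```

Sort the merged CSVs by `Utc` and read the `Note` column first: a COVERAGE GAP row at the start of Security next to a 1102 tells you the log was cleared, and the 1102's own subject and time are the one record the clearing could not remove.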