SIEM Query Reference + Event ID Guide

User logged on. Check LogonType: 2=Interactive, 3=Network, 7=Unlock, 10=RDP, 4=Batch, 5=Service. Type 3 with NTLM may be Pass-the-Hash.

Login attempt failed. High count from one IP = brute force. SubStatus: 0xC000006A=wrong password, 0xC0000064=unknown user, 0xC0000234=account locked.

Logon with explicit credentials (runas / network logon with supplied creds). Common in lateral movement when attacker uses alternate credentials to pivot.

Sensitive privileges (SeDebugPrivilege, SeTcbPrivilege etc.) assigned to new session. Correlate with 4624 to detect privileged admin logins.

Account logged off. Pair with 4624 to calculate session duration. Useful for timeline building and spotting very short sessions (automated tools).

A disconnected RDP session was reconnected. Pair with 4779 to track full RDP session lifecycle. May indicate an attacker resuming an existing session.

RDP session disconnected (not logged off). Attacker may disconnect instead of logoff to leave session alive for later re-use.

New user account created. May indicate attacker backdoor account. Check who created it and at what time. Common in post-exploitation persistence.

Disabled account was re-enabled. Attackers re-enable dormant accounts to avoid alerts triggered by new account creation.

An attempt to reset an account password. Combined with 4672 may indicate privilege escalation or admin-level account takeover.

User account deleted. May indicate an attacker removing a backdoor account after completing their objective (covering tracks).

Member added to a security-enabled global group. If that group is Domain Admins — this is critical privilege escalation via group membership.

Member added to a local security group. Adding any user to the Administrators group is a major privilege escalation indicator. Alert immediately.

Account was locked out after repeated failures. Multiple lockouts across accounts from one source = password spray. Multiple from many sources = distributed attack.

New process created. Requires "Audit Process Creation" GPO + command line auditing. Check NewProcessName, CommandLine, and ParentProcessName for suspicious chains.

Process ended. Correlate with 4688 to measure runtime. Very short-lived processes running commands (loaders, stagers) are highly suspicious.

Logs individual PowerShell pipeline execution. Records every command even in interactive sessions. Requires Module Logging Group Policy. Good for catching PS abuse without script blocks.

Captures full PowerShell script content as it executes, AFTER deobfuscation by the PS engine. Best event to catch encoded/obfuscated payloads. Requires Script Block Logging GPO.

New service installed on the system. Malware uses services for persistence. Check ServiceFileName — suspicious paths include Temp, AppData, or randomly named binaries.

New scheduled task created. Heavily abused for persistence and lateral execution. Inspect TaskContent for encoded commands, suspicious executables, or unusual user contexts.

Existing task modified. Attackers modify legitimate existing tasks instead of creating new ones to stay under the radar of new-task creation alerts.

Registry value was changed. Requires Object Access auditing. Monitor Run/RunOnce keys for persistence changes. Also watch SAM, LSA Secrets, and AppInit_DLLs.

Attempt to access an audited object (file, key, etc.). Use to detect access to SAM hive, NTDS.dit, lsass memory dumps, or sensitive documents.

User right adjusted on a token. Indicates token manipulation/impersonation — technique used to steal or elevate privileges without creating a new visible logon session.

Richer than 4688. Includes full CommandLine, MD5/SHA256 hash, ParentImage, ParentCommandLine, and ProcessGUID. Primary source for detecting malicious execution chains like Office → PowerShell or Explorer → mshta.

Process exited. Correlate with ID 1 using ProcessGUID to calculate runtime. Short-lived processes executing commands (stagers, loaders) indicate automation.

Process opened another process. Critical for catching credential dumpers — Mimikatz opens lsass.exe with GrantedAccess 0x1010 or 0x1fffff. Alert on any non-system process accessing lsass.exe.

Process hollowing or process herpaderping detected — malicious image replaces a legitimate process in memory. Indicates advanced loader technique used by sophisticated malware.

Process made a network connection. Logs SourceIP, DestIP, DestPort, Protocol, and initiating process name+hash. Best event for catching C2 beaconing — suspicious when Office/Notepad makes outbound connections.

DNS query made by a process. Logs the process name, query, and resolved IP. Use to detect DGA domains, DNS tunneling (long query strings), or C2 beaconing to suspicious TLDs like .xyz .tk .pw.

Timestomping detected — file's creation timestamp was modified. Attackers do this to make malicious files look like old legitimate system files, evading timeline-based analysis.

New file written to disk. Alert on .exe/.ps1/.bat/.vbs dropped in Temp, AppData, or Downloads especially by Office or browser processes — this is the dropper writing its payload.

Registry key or value created/deleted. Monitor persistence paths: Run, RunOnce, Services, Winlogon, AppInit_DLLs. Deletion may indicate post-exploitation cleanup.

Registry value was written. Primary event for detecting RunKey persistence, COM hijacking, AppInit_DLLs abuse, and DebuggerValue injection. Always correlate with the writing process.

File was deleted (Sysmon can archive copies). Attackers delete tools, scripts, and droppers after use. This catches that cleanup activity, especially in the minutes after execution completes.

DLL loaded into a process. Detect DLL injection and DLL hijacking. Alert on unsigned DLLs loaded by system processes, or DLLs loaded from user-writable paths like Temp or AppData.

Process created a thread in another process — the primary mechanism for classic DLL injection and shellcode injection. Non-system process injecting into lsass, svchost, or explorer is critical.

Process read disk using raw I/O, bypassing the file system. Used by credential dumpers to read SAM hive or NTDS.dit directly, and by some evasion tools to read locked files.

Named pipe created. Cobalt Strike uses pipes for C2 communication (e.g. \\.\pipe\msagent_*). Metasploit uses meterpreter pipes. Alert on pipes with random-looking or unusual names.

Process connected to a named pipe. PsExec uses \\pipe\PSEXECSVC. Lateral movement via SMB named pipes shows as ID 18 followed by ID 3 to the remote host.

Kernel driver loaded into the system. Rootkits and kernel exploits load drivers for ring-0 access. Alert on unsigned drivers or drivers loaded from user-writable paths.

WMI event filter registered — defines the TRIGGER for WMI persistence (e.g. on logon, on process start). Part 1 of the WMI subscription trio (19→20→21).

WMI consumer registered — defines WHAT TO RUN when the filter triggers (typically executes a command or script). Part 2 of WMI subscription trio.

Consumer bound to filter — persistence is now fully installed. Alert on any new WMI subscription. Legitimate software almost never uses WMI subscriptions this way.

ID 10 (lsass access, GrantedAccess 0x1fffff) → ID 11 (file with .dmp extension created in Temp) → ID 7 (suspicious DLL loaded in lsass). Three events together = credential dump in progress.

ID 1 (ParentImage=winword.exe/excel.exe, NewProcess=powershell.exe/cmd.exe/wscript.exe) → ID 3 or ID 22 (outbound network connection or DNS query). Classic malicious document execution flow.

ID 1 (process created, usually a legitimate binary like svchost) → ID 8 (CreateRemoteThread into that process) → ID 25 (process tampering). Parent is typically a dropper or loader binary.

ID 11 (payload file dropped to disk) → ID 13 (Run key written pointing to that file) → ID 1 (process spawned from that Run key on next logon). Full persistence chain in 3 Sysmon events.

ID 22 (periodic DNS queries to same domain at regular intervals) + ID 3 (outbound connection to resolved IP on non-standard port). Regular interval = automated beacon. Check process name — should NOT be a browser or OS process.