Tracking account usage for known compromised accounts.
Event IDs:
4624: An account was successfully logged on
4625: An account failed to log on
4634: An account was logged off
4647: User initiated logoff
4648: A logon was attempted using explicit credentials (Runas)
4672: Account logon with superuser rights (Administrator)
4720: A user account was created
4778: A session was reconnected to a Window Station
4779: A session was disconnected from a Window Station
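
One way to pull these event IDs into a single timeline for one account. This is an added example, not part of the original post. It assumes an elevated PowerShell session on the host whose Security log is being reviewed. The account name and the 7-day window are placeholders.

```powershell
# Added example: timeline of the event IDs listed above for one account.
# $Account and $Since are placeholders; set them for the case at hand.
param(
    [string]$Account = 'PLACEHOLDER_ACCOUNT',
    [datetime]$Since = (Get-Date).AddDays(-7)
)

$ids = 4624, 4625, 4634, 4647, 4648, 4672, 4720, 4778, 4779
$filter = @{ LogName = 'Security'; Id = $ids; StartTime = $Since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
ForEach-Object {
    # Flatten the EventData name/value pairs into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }

    # The account name sits in a different field depending on the event:
    # TargetUserName (4624/4625/4634/4647/4720), SubjectUserName (4648/4672),
    # AccountName (4778/4779). -contains is case-insensitive.
    $names = $data['TargetUserName'], $data['SubjectUserName'], $data['AccountName']
    if ($names -contains $Account) {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            LogonType   = $data['LogonType']
            # IpAddress for logon events, ClientAddress for 4778/4779
            Source      = if ($data['IpAddress']) { $data['IpAddress'] } else { $data['ClientAddress'] }
            Subject     = $data['SubjectUserName']
            Target      = $data['TargetUserName']
        }
    }
} | Sort-Object TimeCreated | Format-Table -AutoSize
```

For 4720, a match on Subject means the tracked account created another account, which is then worth tracking the same way.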