Windows & Active Directory quick reference
Security event IDs to know, the common credential attacks against a domain and the commands you reach for when investigating.
Key Windows Security event IDs
Logged to the Security event log. These are the ones that come up constantly in investigations.
| Event ID | What it records |
|---|---|
| 4624 | A successful account logon |
| 4625 | A failed account logon |
| 4688 | A new process was created |
| 4720 | A user account was created |
| 4768 | A Kerberos authentication ticket (TGT) was requested |
| 4776 | The domain controller attempted to validate credentials over NTLM |
The logon type field on 4624 and 4625 matters: type 2 is interactive, type 3 is network, type 10 is remote interactive (RDP).
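As an added example (not part of the original reference), the script below runs a simple detection over 4624/4625 events using the logon type: it flags an account and source address that saw a run of failed logons followed by a success from the same source, and lists successful remote interactive (type 10) logons for follow-up. The events are constructed sample records, not data from any real host; field names mirror the EventData names in the Security log (TargetUserName, LogonType, IpAddress), and the threshold and window values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon type values as they appear in the LogonType field of 4624/4625.
LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote interactive (RDP)"}


def ev(ts, event_id, user, logon_type, ip):
    """Build one event record in the shape used below (helper for the sample data)."""
    return {"TimeCreated": ts, "EventID": event_id, "TargetUserName": user,
            "LogonType": logon_type, "IpAddress": ip}


# Constructed sample events (not real log data): five network-logon failures for
# jsmith from one source, then a success from the same source, then an RDP logon
# by another account from that source; bob's single typo at the console is benign.
SAMPLE_EVENTS = [
    ev("2024-01-10T09:00:00", 4625, "jsmith", 3, "10.0.0.50"),
    ev("2024-01-10T09:00:30", 4625, "jsmith", 3, "10.0.0.50"),
    ev("2024-01-10T09:01:00", 4625, "jsmith", 3, "10.0.0.50"),
    ev("2024-01-10T09:01:30", 4625, "jsmith", 3, "10.0.0.50"),
    ev("2024-01-10T09:02:00", 4625, "jsmith", 3, "10.0.0.50"),
    ev("2024-01-10T09:02:30", 4624, "jsmith", 3, "10.0.0.50"),
    ev("2024-01-10T09:03:00", 4624, "svc-backup", 10, "10.0.0.50"),
    ev("2024-01-10T09:10:00", 4625, "bob", 2, "-"),
    ev("2024-01-10T09:10:20", 4624, "bob", 2, "-"),
]


def describe_logon_type(value):
    """Human-readable label for a LogonType value; unknown values are reported as-is."""
    return LOGON_TYPES.get(value, f"other ({value})")


def failed_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (account, source IP) pairs where at least `threshold` 4625 events were
    followed by a 4624 from the same source, all within `window` of the success.
    A success closes the episode so one run is reported once."""
    ordered = sorted(events, key=lambda e: e["TimeCreated"])
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent 4625s
    findings = []
    for e in ordered:
        key = (e["TargetUserName"], e["IpAddress"])
        t = datetime.fromisoformat(e["TimeCreated"])
        if e["EventID"] == 4625:
            failures[key].append(t)
        elif e["EventID"] == 4624:
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                findings.append({"user": key[0], "source": key[1],
                                 "failures": len(recent),
                                 "logon_type": describe_logon_type(e["LogonType"])})
            failures[key].clear()
    return findings


def rdp_logons(events):
    """Successful type-10 (RDP) logons as (account, source IP) pairs."""
    return [(e["TargetUserName"], e["IpAddress"])
            for e in events if e["EventID"] == 4624 and e["LogonType"] == 10]


if __name__ == "__main__":
    for f in failed_then_success(SAMPLE_EVENTS):
        print("failed-then-success:", f)
    for user, ip in rdp_logons(SAMPLE_EVENTS):
        print("RDP logon:", user, "from", ip)
```

On real data the records would come from the Security log (for example exported with Get-WinEvent and the EventData fields pulled out) rather than the inline list; the detection logic is unchanged.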
Common AD credential attacks
| Attack | What the attacker does |
|---|---|
| Pass the Hash | Reuses a captured NTLM hash to authenticate without ever knowing the plaintext password. |
| Kerberoasting | Requests service tickets for accounts with an SPN, then cracks the ticket offline for the service password. |
| AS-REP Roasting | Targets accounts with Kerberos pre-authentication disabled, capturing a crackable AS-REP. |
| Golden Ticket | Forges a TGT using the stolen krbtgt account hash, minting access to anything in the domain. |
| Silver Ticket | Forges a service ticket using a single service account hash, granting access to that one service. |
| DCSync | Impersonates a domain controller and asks for password data through the replication protocol. |
Investigation commands
| Command | What it shows |
|---|---|
| net user <name> | Account details, group membership and last logon for a local or domain user |
| net group "Domain Admins" /domain | Members of a domain group |
| whoami /all | The current token: user, groups, privileges and SID |
| Get-ADUser -Filter * -Properties * | Detailed AD user objects via the ActiveDirectory PowerShell module |
| nltest /dclist:<domain> | Lists the domain controllers for a domain |