1. Account Logon & Authentication

• 4624 – Successful logon
• 4625 – Failed logon attempts (brute force attempts)
• 4648 – Logon with explicit credentials (Pass-the-Hash attacks)
• 4776 – NTLM authentication attempt
• 4768 – Kerberos TGT request
• 4769 – Kerberos service ticket request
• 4771 – Kerberos pre-authentication failed

2. Privilege Escalation & User Management

• 4672 – Special privileges assigned (Admin logon)
• 4673 – Privileged service called
• 4674 – Sensitive privilege use
• 4720 – User account created
• 4722 – User account enabled
• 4724 – Attempted password reset
• 4725 – User account disabled
• 4726 – User account deleted
• 4732 – User added to a privileged group (e.g., Administrators)
• 4756 – User added to a security-enabled group

3. Process Creation & Execution