Use Case

Universal well-known SIDs ([...] marks text cut off in the source export)

Value | Universal well-known SID | Identifies
S-1-0-0 | Null SID | A group with no members. This is often used when a SID value isn't known.
S-1-1-0 | World | A group that includes all users.
S-1-2-0 | Local | Users who sign in to terminals that are locally (physically) connected to the system.
S-1-2-1 | Console Logon | A group that includes users who are signed in to the physical console.
S-1-3-0 | Creator Owner ID | A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritab[...]
S-1-3-1 | Creator Group ID | A security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable [...]
S-1-3-2 | Owner Server | A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object's own[...]
S-1-3-3 | Group Server | A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object's gro[...]th the object.
S-1-3-4 | Owner Rights | A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ig[...] object owner.
S-1-4 | Non-unique Authority | A SID that represents an identifier authority.
S-1-5 | NT Authority | A SID that represents an identifier authority.
S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.

Identifier authorities

Identifier authority | Value | SID string prefix
SECURITY_NULL_SID_AUTHORITY | 0 | S-1-0
SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1
SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2
SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3
SECURITY_NT_AUTHORITY | 5 | S-1-5
SECURITY_AUTHENTICATION_AUTHORITY | 18 | S-1-18

Well-known SIDs under NT Authority (S-1-5). "domain" stands for the three sub-authorities of a domain SID; "root domain" for those of the forest root domain.

SID | Display name | Description
S-1-5-1 | Dialup | A group that includes all users who are signed in to the system via dial-up connection.
S-1-5-113 | Local account | You can use this SID when you're restricting network sign-in to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network sign-in for local users and groups by account type regardless of what they're named.
S-1-5-114 | Local account and member of Administrators group | You can use this SID when you're restricting network sign-in to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network sign-in for local users and groups by account type regardless of what they're named.
S-1-5-2 | Network | A group that includes all users who are signed in via a network connection. Access tokens for interactive users don't contain the Network SID.
S-1-5-3 | Batch | A group that includes all users who have signed in via batch queue facility, such as task scheduler jobs.
S-1-5-4 | Interactive | A group that includes all users who sign in interactively. A user can start an interactive sign-in session by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.
S-1-5-5-X-Y | Logon Session | The X and Y values for these SIDs uniquely identify a particular sign-in session.
S-1-5-6 | Service | A group that includes all security principals that have signed in as a service.
S-1-5-7 | Anonymous Logon | A user who has connected to the computer without supplying a user name and password. The Anonymous Logon identity is different from the identity that's used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account, by default IUSR_ComputerName, for anonymous access to resources on a website. Strictly speaking, such access isn't anonymous, because the security principal is known even though unidentified people are using the account. IUSR_ComputerName (or whatever you name the account) has a password, and IIS signs in to the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon isn't.
S-1-5-8 | Proxy | Doesn't currently apply: this SID isn't used.
S-1-5-9 | Enterprise Domain Controllers | A group that includes all domain controllers in a forest of domains.
S-1-5-10 | Self | A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that's represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that's represented by the object.
S-1-5-11 | Authenticated Users | A group that includes all users and computers with identities that have been authenticated. Authenticated Users doesn't include Guest even if the Guest account has a password. This group includes authenticated security principals from any trusted domain, not only the current domain.
S-1-5-12 | Restricted Code | An identity that's used by a process that's running in a restricted security context. In Windows and Windows Server operating systems, a software restriction policy can assign one of three security levels to code: Unrestricted, Restricted, Disallowed. When code runs at the restricted security level, the Restricted SID is added to the user's access token.
S-1-5-13 | Terminal Server User | A group that includes all users who sign in to a server with Remote Desktop Services enabled.
S-1-5-14 | Remote Interactive Logon | A group that includes all users who sign in to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
S-1-5-15 | This Organization | A group that includes all users from the same organization. Included only with Active Directory accounts and added only by a domain controller.
S-1-5-17 | IUSR | An account that's used by the default Internet Information Services (IIS) user.
S-1-5-18 | System (or LocalSystem) | An identity that's used locally by the operating system and by services that are configured to sign in as LocalSystem. System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token. When a process that's running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.
S-1-5-19 | NT Authority (LocalService) | An identity that's used by services that are local to the computer, have no need for extensive local access, and don't need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.
S-1-5-20 | Network Service | An identity that's used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.
S-1-5-domain-500 | Administrator | A user account for the system administrator. Every computer has a local Administrator account and every domain has a domain Administrator account. The Administrator account is the first account created during operating system installation. The account can't be deleted or locked out, but it can be renamed or disabled. By default, the Administrator account is a member of the Administrators group, and it can't be removed from that group.
S-1-5-domain-501 | Guest | A user account for people who don't have individual accounts. Every computer has a local Guest account, and every domain has a domain Guest account. By default, Guest is a member of the Everyone and the Guests groups. The domain Guest account is also a member of the Domain Guests and Domain Users groups. Unlike Anonymous Logon, Guest is a real account, and it can be used to sign in interactively. The Guest account doesn't require a password, but it can have one.
S-1-5-domain-502 | KRBTGT | A user account that's used by the Key Distribution Center (KDC) service. The account exists only on domain controllers.
S-1-5-domain-512 | Domain Admins | A global group with members that are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including domain controllers. Domain Admins is the default owner of any object that's created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.
S-1-5-domain-513 | Domain Users | A global group that includes all users in a domain. When you create a new User object in Active Directory, the user is automatically added to this group.
S-1-5-domain-514 | Domain Guests | A global group that, by default, has only one member: the domain's built-in Guest account.
S-1-5-domain-515 | Domain Computers | A global group that includes all computers that have joined the domain, excluding domain controllers.
S-1-5-domain-516 | Domain Controllers | A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.
S-1-5-domain-517 | Cert Publishers | A global group that includes all computers that host an enterprise certification authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.
S-1-5-root domain-518 | Schema Admins | A group that exists only in the forest root domain. It's a universal group if the domain is in native mode, and it's a global group if the domain is in mixed mode. The Schema Admins group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.
S-1-5-root domain-519 | Enterprise Admins | A group that exists only in the forest root domain. It's a universal group if the domain is in native mode, and it's a global group if the domain is in mixed mode. The Enterprise Admins group is authorized to make changes to the forest infrastructure, such as adding child domains, configuring sites, authorizing DHCP servers, and installing enterprise certification authorities. By default, the only member of Enterprise Admins is the Administrator account for the forest root domain. The group is a default member of every Domain Admins group in the forest.
S-1-5-domain-520 | Group Policy Creator Owners | A global group that's authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator. Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.
S-1-5-domain-521 | Read-only Domain Controllers | A global group that includes all read-only domain controllers.
S-1-5-domain-522 | Clonable Controllers | A global group that includes all domain controllers in the domain that can be cloned.
S-1-5-domain-525 | Protected Users | A global group that is afforded additional protections against authentication security threats.
S-1-5-domain-526 | Key Admins | This group is intended for use in scenarios where trusted external authorities are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
S-1-5-root domain-527 | Enterprise Key Admins | This group is intended for use in scenarios where trusted external authorities are responsible for modifying this attribute. Only trusted enterprise administrators should be made a member of this group.
S-1-5-32-544 | Administrators | A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.
S-1-5-32-545 | Users | A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.
S-1-5-32-546 | Guests | A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to sign in with limited privileges to a computer's built-in Guest account.
S-1-5-32-547 | Power Users | A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares.
S-1-5-32-548 | Account Operators | A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators don't have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.
S-1-5-32-549 | Server Operators | A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can sign in to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.
S-1-5-32-550 | Print Operators | A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.
S-1-5-32-551 | Backup Operators | A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can sign in to the computer and shut it down.
S-1-5-32-552 | Replicators | A built-in group that's used by the File Replication service on domain controllers. By default, the group has no members. Don't add users to this group.
S-1-5-domain-553 | RAS and IAS Servers | A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.
S-1-5-32-554 | Builtin\Pre-Windows 2000 Compatible Access | An alias added by Windows 2000. A backward compatibility group that allows read access on all users and groups in the domain.
S-1-5-32-555 | Builtin\Remote Desktop Users | An alias. Members of this group are granted the right to sign in remotely.
S-1-5-32-556 | Builtin\Network Configuration Operators | An alias. Members of this group can have some administrative privileges to manage configuration of networking features.
S-1-5-32-557 | Builtin\Incoming Forest Trust Builders | An alias. Members of this group can create incoming, one-way trusts to this forest.
S-1-5-32-558 | Builtin\Performance Monitor Users | An alias. Members of this group have remote access to monitor this computer.
S-1-5-32-559 | Builtin\Performance Log Users | An alias. Members of this group have remote access to schedule logging of performance counters on this computer.
S-1-5-32-560 | Builtin\Windows Authorization Access Group | An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.
S-1-5-32-561 | Builtin\Terminal Server License Servers | An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.
S-1-5-32-562 | Builtin\Distributed COM Users | An alias. A group for COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer.
S-1-5-32-568 | Builtin\IIS_IUSRS | An alias. A built-in group account for IIS users.
S-1-5-32-569 | Builtin\Cryptographic Operators | A built-in local group. Members are authorized to perform cryptographic operations.
S-1-5-domain-571 | Allowed RODC Password Replication Group | Members in this group can have their passwords replicated to all read-only domain controllers in the domain.
S-1-5-domain-572 | Denied RODC Password Replication Group | Members in this group can't have their passwords replicated to all read-only domain controllers in the domain.
S-1-5-32-573 | Builtin\Event Log Readers | A built-in local group. Members of this group can read event logs from a local computer.
S-1-5-32-574 | Builtin\Certificate Service DCOM Access | A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.
S-1-5-32-575 | Builtin\RDS Remote Access Servers | A built-in local group. Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers that are running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.
S-1-5-32-576 | Builtin\RDS Endpoint Servers | A built-in local group. Servers in this group run virtual machines and host sessions where users' RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
S-1-5-32-577 | Builtin\RDS Management Servers | A built-in local group. Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.
S-1-5-32-578 | Builtin\Hyper-V Administrators | A built-in local group. Members of this group have complete and unrestricted access to all features of Hyper-V.
S-1-5-32-579 | Builtin\Access Control Assistance Operators | A built-in local group. Members of this group can remotely query authorization attributes and permissions for resources on this computer.
S-1-5-32-580 | Builtin\Remote Management Users | A built-in local group. Members of this group can access Windows Management Instrumentation (WMI) resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
S-1-5-64-10 | NTLM Authentication | A SID that's used when the NTLM authentication package authenticates the client.
S-1-5-64-14 | SChannel Authentication | A SID that's used when the SChannel authentication package authenticates the client.
S-1-5-64-21 | Digest Authentication | A SID that's used when the Digest authentication package authenticates the client.
S-1-5-80 | NT Service | A SID that's used as an NT Service account prefix.
S-1-5-80-0 | All Services | A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.
S-1-5-83-0 | NT VIRTUAL MACHINE\Virtual Machines | A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the Create Symbolic Links right (SeCreateSymbolicLinkPrivilege) and the Log on as a Service right (SeServiceLogonRight).

The following RIDs are relative to each domain:

RID | Decimal value | Identifies
DOMAIN_USER_RID_ADMIN | 500 | The administrative user account in a domain.
DOMAIN_USER_RID_GUEST | 501 | The guest-user account in a domain. Users who don't have an account can automatically sign in to this account.
DOMAIN_GROUP_RID_USERS | 513 | A group that contains all user accounts in a domain. All users are automatically added to this group.
DOMAIN_GROUP_RID_GUESTS | 514 | The group Guest account in a domain.
DOMAIN_GROUP_RID_COMPUTERS | 515 | The Domain Computer group. All computers in the domain are members of this group.
DOMAIN_GROUP_RID_CONTROLLERS | 516 | The Domain Controller group. All domain controllers in the domain are members of this group.
DOMAIN_GROUP_RID_CERT_ADMINS | 517 | The certificate publishers group. Computers running Active Directory Certificate Services are members of this group.
DOMAIN_GROUP_RID_SCHEMA_ADMINS | 518 | The schema administrators group. Members of this group can modify the Active Directory schema.
DOMAIN_GROUP_RID_ENTERPRISE_ADMINS | 519 | The enterprise administrators group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains.
DOMAIN_GROUP_RID_POLICY_ADMINS | 520 | The policy administrators group.

Examples of domain-relative RIDs that are used to form well-known SIDs for local groups are listed in the following table:

RID | Decimal value | Identifies
DOMAIN_ALIAS_RID_ADMINS | 544 | Administrators of the domain.
DOMAIN_ALIAS_RID_USERS | 545 | All users in the domain.
DOMAIN_ALIAS_RID_GUESTS | 546 | Guests of the domain.
DOMAIN_ALIAS_RID_POWER_USERS | 547 | A user or a set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users.
DOMAIN_ALIAS_RID_BACKUP_OPS | 551 | A local group that's used to control the assignment of file backup-and-restore user rights.
DOMAIN_ALIAS_RID_REPLICATOR | 552 | A local group that's responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system.
DOMAIN_ALIAS_RID_RAS_SERVERS | 553 | A local group that represents remote access and servers that are running Internet Authentication Service (IAS). This group permits access to various attributes of User objects.
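The string forms above (S-1-5-21-domain-512, S-1-5-32-544, and so on) are a rendering of a binary structure: a revision byte, a sub-authority count, a 48-bit big-endian identifier authority, and one 32-bit little-endian value per sub-authority. As an added example that is not part of the original sheet, the Python below decodes and re-encodes that layout and classifies the result against the ranges tabulated above (identifier authorities, domain-relative RIDs, BUILTIN aliases, the NT SERVICE and authentication-package prefixes). The sample SIDs, including the domain portion, are constructed for the demonstration.

```python
"""Decode, encode and classify Windows security identifiers (SIDs).

Added example, not part of the original sheet. The binary layout is the
standard SID structure; the sample SIDs in main() are constructed.

  byte 0      Revision (always 1)
  byte 1      SubAuthorityCount (0..15)
  bytes 2-7   IdentifierAuthority, 48-bit big-endian
  remainder   SubAuthority[SubAuthorityCount], 32-bit little-endian each
"""
import struct
from dataclasses import dataclass

# Identifier authorities, from the table above.
AUTHORITIES = {0: "NULL", 1: "WORLD", 2: "LOCAL", 3: "CREATOR", 5: "NT", 18: "AUTHENTICATION"}

# A subset of the domain-relative RIDs and BUILTIN alias RIDs tabulated above.
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 502: "KRBTGT", 512: "Domain Admins",
               513: "Domain Users", 516: "Domain Controllers", 518: "Schema Admins",
               519: "Enterprise Admins", 520: "Group Policy Creator Owners",
               525: "Protected Users", 526: "Key Admins", 527: "Enterprise Key Admins"}
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 546: "Guests", 548: "Account Operators",
                549: "Server Operators", 551: "Backup Operators", 555: "Remote Desktop Users",
                573: "Event Log Readers", 580: "Remote Management Users"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: tuple

    def __str__(self) -> str:
        return "S-%d-%d" % (self.revision, self.authority) + "".join(
            "-%d" % s for s in self.sub_authorities)


def parse_binary_sid(blob: bytes) -> Sid:
    """Decode a binary SID; malformed input raises instead of being guessed at."""
    if len(blob) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count %d does not fit %d bytes" % (count, len(blob)))
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:]) if count else ()
    return Sid(revision, authority, tuple(subs))


def parse_string_sid(text: str) -> Sid:
    """Parse the S-R-I-S... string form, e.g. S-1-5-32-544."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID string: %r" % text)
    if len(parts) - 3 > 15:
        raise ValueError("too many sub-authorities in %r" % text)
    return Sid(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))


def to_binary(sid: Sid) -> bytes:
    """Encode a Sid into the binary layout (inverse of parse_binary_sid)."""
    head = bytes([sid.revision, len(sid.sub_authorities)]) + sid.authority.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(sid.sub_authorities), *sid.sub_authorities)


def classify(sid: Sid) -> str:
    """Describe which of the tabulated ranges a SID belongs to."""
    subs = sid.sub_authorities
    if sid.authority != 5:
        return "%s authority (%s)" % (AUTHORITIES.get(sid.authority, "unknown"), sid)
    if len(subs) == 5 and subs[0] == 21:          # S-1-5-21-<domain>-<RID>
        domain = "S-1-5-21-%d-%d-%d" % subs[1:4]
        return "domain %s RID %d (%s)" % (domain, subs[4], DOMAIN_RIDS.get(subs[4], "not a well-known RID"))
    if len(subs) == 2 and subs[0] == 32:          # S-1-5-32-<alias RID>
        return "BUILTIN alias RID %d (%s)" % (subs[1], BUILTIN_RIDS.get(subs[1], "unknown alias"))
    if subs[:1] == (80,):                          # NT SERVICE prefix
        return "NT SERVICE (%s)" % ("All Services" if subs == (80, 0) else sid)
    if len(subs) == 2 and subs[0] == 64:          # authentication package SIDs
        return "authentication package %d" % subs[1]
    if len(subs) == 1:                             # S-1-5-1 .. S-1-5-20 and similar
        return "NT AUTHORITY well-known SID %d" % subs[0]
    return "other NT AUTHORITY SID (%s)" % sid


if __name__ == "__main__":
    # Constructed samples; the domain SID is made up.
    samples = [bytes.fromhex("01020000000000052000000020020000"),   # S-1-5-32-544
               to_binary(parse_string_sid("S-1-5-21-1111111111-2222222222-3333333333-512")),
               to_binary(parse_string_sid("S-1-5-80-0"))]
    for blob in samples:
        sid = parse_binary_sid(blob)
        print(sid, "->", classify(sid))
```

The length check in parse_binary_sid matters when SIDs come from untrusted input (a captured Kerberos PAC, an LDAP export, an ACL blob): a count byte that disagrees with the buffer length is how a truncated or padded SID gets silently misread as a different principal.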
Attacks

Access Token Manipulation: SID-History Injection

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows
security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows
security in both security descriptors and access tokens. [1] An account can hold additional SIDs in the SID-
History Active Directory attribute [2], allowing inter-operable account migration between domains (e.g., all
values in SID-History are included in access tokens).

With Domain Administrator (or equivalent) rights, harvested or well-known SID values [3] may be inserted into
SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This
manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains
via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote
Management.

S0002 Mimikatz: Mimikatz's MISC::AddSid module can append any SID or user/group account to a user's SID-History. Mimikatz also utilizes SID-History Injection to expand the scope of other components such as generated Kerberos Golden Tickets and DCSync beyond a single domain.

S0363 Empire: Empire can add a SID-History to a user if on a domain controller.


Detection

DS0026 Active Directory: Active Directory Object Modification

Monitor for changes to account management events on Domain Controllers for successful and failed changes to SID-History. [10] [11] On a domain controller these are Security events 4765 (SID History was added to an account) and 4766 (an attempt to add SID History to an account failed); both require the Audit User Account Management subcategory to be enabled.

DS0009 Process: OS API Execution

Monitor for calls to the Windows API DsAddSidHistory function, which writes the attribute, and examine users' SID-History attributes (for example with PowerShell's Get-ADUser cmdlet), paying particular attention to users who have SID-History values from the same domain, since inter-domain migration only ever carries SIDs from a foreign domain.

DS0002 User Account: User Account Metadata

Examine data in users' SID-History attributes.
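The checks the three detection entries describe can be run offline over an export of user objects. The Python below is an added example, not code from the ATT&CK entry or from Mimikatz or Empire: it takes records flattened to 'sam', 'objectSid' and 'sIDHistory' string values (the shape one would get from Get-ADUser -Properties sIDHistory after serialising) and flags entries from the account's own domain or another domain in the forest, entries from a domain that was never a migration source, and entries whose RID or well-known SID is one of the administrative groups tabulated above. FOREST_DOMAINS, MIGRATION_SOURCES and the sample records are constructed assumptions, to be replaced with the reviewer's own values.

```python
"""Review sIDHistory values for signs of SID-History injection.

Added example, not from the ATT&CK entry or any tool it names. Input records
are dicts with 'sam', 'objectSid' and 'sIDHistory' (list of SID strings);
FOREST_DOMAINS, MIGRATION_SOURCES and SAMPLE_EXPORT are constructed.
"""

# Domain SIDs of every domain in this forest (constructed). A legitimate
# migration never leaves a SID from a domain that is still in the forest.
FOREST_DOMAINS = {
    "S-1-5-21-1111111111-2222222222-3333333333",   # corp.example (constructed)
    "S-1-5-21-4444444444-5555555555-6666666666",   # child.corp.example (constructed)
}
# Domain SIDs from which accounts really were migrated (constructed).
MIGRATION_SOURCES = {"S-1-5-21-7777777777-8888888888-9999999999"}

# Domain-relative RIDs from the table above whose presence in sIDHistory
# grants administrative access regardless of the account's real memberships.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins", 518: "Schema Admins",
                   519: "Enterprise Admins", 520: "Group Policy Creator Owners",
                   526: "Key Admins", 527: "Enterprise Key Admins"}
# Well-known SIDs (also from the table above) that never belong in sIDHistory.
PRIVILEGED_WELL_KNOWN = {"S-1-5-32-544": "BUILTIN\\Administrators",
                         "S-1-5-32-548": "BUILTIN\\Account Operators",
                         "S-1-5-32-549": "BUILTIN\\Server Operators",
                         "S-1-5-32-551": "BUILTIN\\Backup Operators",
                         "S-1-5-18": "Local System"}


def split_domain_rid(sid: str):
    """Return (domain SID, RID) for an S-1-5-21-... SID, else (None, None)."""
    parts = sid.split("-")
    if (len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]
            and all(p.isdigit() for p in parts[1:])):
        return "-".join(parts[:7]), int(parts[7])
    return None, None


def review_sid_history(record: dict) -> list:
    """Return one finding string per suspicious sIDHistory entry on a record."""
    sam = record["sam"]
    own_domain, _ = split_domain_rid(record["objectSid"])
    findings = []
    for hist in record.get("sIDHistory", []):
        if hist in PRIVILEGED_WELL_KNOWN:
            findings.append("%s: sIDHistory carries %s (%s)" % (sam, hist, PRIVILEGED_WELL_KNOWN[hist]))
            continue
        domain, rid = split_domain_rid(hist)
        if domain is None:
            findings.append("%s: sIDHistory entry %s is not a domain SID" % (sam, hist))
            continue
        if domain == own_domain:
            findings.append("%s: sIDHistory entry %s is from the account's own domain" % (sam, hist))
        elif domain in FOREST_DOMAINS:
            findings.append("%s: sIDHistory entry %s is from another domain in this forest" % (sam, hist))
        elif domain not in MIGRATION_SOURCES:
            findings.append("%s: sIDHistory entry %s is from an unrecognised domain" % (sam, hist))
        if rid in PRIVILEGED_RIDS:
            findings.append("%s: sIDHistory entry %s maps to RID %d (%s)" % (sam, hist, rid, PRIVILEGED_RIDS[rid]))
    return findings


def review_all(records) -> list:
    return [finding for record in records for finding in review_sid_history(record)]


# Constructed sample export: a cleanly migrated user, an injected service
# account (own-domain Enterprise Admins RID plus BUILTIN\Administrators), and
# an account with no history.
SAMPLE_EXPORT = [
    {"sam": "jdoe", "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "sIDHistory": ["S-1-5-21-7777777777-8888888888-9999999999-1342"]},
    {"sam": "svc-backup", "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1260",
     "sIDHistory": ["S-1-5-21-1111111111-2222222222-3333333333-519", "S-1-5-32-544"]},
    {"sam": "asmith", "objectSid": "S-1-5-21-4444444444-5555555555-6666666666-1401",
     "sIDHistory": []},
]

if __name__ == "__main__":
    for line in review_all(SAMPLE_EXPORT):
        print(line)
```

Any non-empty result is worth correlating with Security events 4765/4766 on the domain controllers for the same account, because the attribute alone does not say when or by whom the value was written.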


Security event IDs to monitor

Event ID | What it means
4624 | Successful account logon
4625 | Failed account logon
4634 | An account logged off
4648 | A logon attempt was made with explicit credentials
4719 | System audit policy was changed
4964 | A special group has been assigned to a new logon
1102 | Audit log was cleared. This can relate to a potential attack
4720 | A user account was created
4722 | A user account was enabled
4723 | An attempt was made to change the password of an account
4725 | A user account was disabled
4728 | A member was added to a security-enabled global group
4732 | A member was added to a security-enabled local group
4756 | A member was added to a security-enabled universal group
4738 | A user account was changed
4740 | A user account was locked out
4767 | A user account was unlocked
4735 | A security-enabled local group was modified
4737 | A security-enabled global group was modified
4755 | A security-enabled universal group was modified
4772 | A Kerberos authentication ticket request failed
4777 | The domain controller failed to validate the credentials of an account
4782 | The password hash of an account was accessed
4616 | System time was changed
4657 | A registry value was changed
4697 | An attempt was made to install a service
4698, 4699, 4700, 4701, 4702 | A Windows scheduled task was created, deleted, enabled, disabled or updated
4946 | A rule was added to the Windows Firewall exception list
4947 | A rule was modified in the Windows Firewall exception list
4950 | A setting was changed in Windows Firewall
4954 | Group Policy settings for Windows Firewall have changed
5025 | The Windows Firewall service has been stopped
5031 | Windows Firewall blocked an application from accepting incoming traffic
5152, 5153 | A network packet was blocked by Windows Filtering Platform
5155 | Windows Filtering Platform blocked an application or service from listening on a port
5157 | Windows Filtering Platform blocked a connection
5447 | A Windows Filtering Platform filter was changed