Suspected SID-History injection |
1106 |
High |
Privilege Escalation |
Suspected overpass-the-hash attack (Kerberos) |
2002 |
Medium |
Lateral movement |
Account enumeration reconnaissance |
2003 |
Medium |
Discovery |
Suspected Brute Force attack (LDAP) |
2004 |
Medium |
Credential access |
Suspected DCSync attack (replication of directory services) |
2006 |
High |
Credential access, Persistence |
Network mapping reconnaissance (DNS) |
2007 |
Medium |
Discovery |
Suspected over-pass-the-hash attack (forced encryption type) |
2008 |
Medium |
Lateral movement |
Suspected Golden Ticket usage (encryption downgrade) |
2009 |
Medium |
Persistence, Privilege Escalation, Lateral movement |
Suspected Skeleton Key attack (encryption downgrade) |
2010 |
Medium |
Persistence, Lateral movement |
User and IP address reconnaissance (SMB) |
2012 |
Medium |
Discovery |
Suspected Golden Ticket usage (forged authorization data) |
2013 |
High |
Credential access |
Honeytoken authentication activity |
2014 |
Medium |
Credential access, Discovery |
Suspected identity theft (pass-the-hash) |
2017 |
High |
Lateral movement |
Suspected identity theft (pass-the-ticket) |
2018 |
High or Medium |
Lateral movement |
Remote code execution attempt |
2019 |
Medium |
Execution, Persistence, Privilege escalation, Defense evasion, Lateral movement |
Malicious request of Data Protection API master key |
2020 |
High |
Credential access |
User and Group membership reconnaissance (SAMR) |
2021 |
Medium |
Discovery |
Suspected Golden Ticket usage (time anomaly) |
2022 |
High |
Persistence, Privilege Escalation, Lateral movement |
Suspected Brute Force attack (Kerberos, NTLM) |
2023 |
Medium |
Credential access |
Suspicious additions to sensitive groups |
2024 |
Medium |
Persistence, Credential access, |
Suspicious VPN connection |
2025 |
Medium |
Defense evasion, Persistence |
Suspicious service creation |
2026 |
Medium |
Execution, Persistence, Privilege Escalation, Defense evasion, Lateral movement |
Suspected Golden Ticket usage (nonexistent account) |
2027 |
High |
Persistence, Privilege Escalation, Lateral movement |
Suspected DCShadow attack (domain controller promotion) |
2028 |
High |
Defense evasion |
Suspected DCShadow attack (domain controller replication request) |
2029 |
High |
Defense evasion |
Data exfiltration over SMB |
2030 |
High |
Exfiltration, Lateral movement, Command and control |
Suspicious communication over DNS |
2031 |
Medium |
Exfiltration |
Suspected Golden Ticket usage (ticket anomaly) |
2032 |
High |
Persistence, Privilege Escalation, Lateral movement |
Suspected Brute Force attack (SMB) |
2033 |
Medium |
Lateral movement |
Suspected use of Metasploit hacking framework |
2034 |
Medium |
Lateral movement |
Suspected WannaCry ransomware attack |
2035 |
Medium |
Lateral movement |
Remote code execution over DNS |
2036 |
Medium |
Lateral movement, Privilege escalation |
Suspected NTLM relay attack |
2037 |
Medium or Low if observed using signed NTLM v2 protocol |
Lateral movement, Privilege escalation |
Security principal reconnaissance (LDAP) |
2038 |
High (in case resolutions issues or Specific Tool detected) and Medium |
Credential access |
Suspected NTLM authentication tampering |
2039 |
Medium |
Lateral movement, Privilege escalation |
Suspected Golden Ticket usage (ticket anomaly using RBCD) |
2040 |
High |
Persistence |
Suspected rogue Kerberos certificate usage |
2047 |
High |
Lateral movement |
Suspicious Kerberos delegation attempt using BronzeBit method (CVE-2020-17049 exploitation) |
2048 |
Medium |
Credential access |
Active Directory attributes reconnaissance (LDAP) |
2210 |
Medium |
Discovery |
Suspected SMB packet manipulation (CVE-2020-0796 exploitation) |
2406 |
High |
Lateral movement |
Suspected Kerberos SPN exposure |
2410 |
High |
Credential access |
Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation) |
2411 |
High |
Privilege Escalation |
Suspected AS-REP Roasting attack |
2412 |
High |
Credential access |
Suspected AD FS DKM key read |
2413 |
High |
Credential access |
Exchange Server Remote Code Execution (CVE-2021-26855) |
2414 |
High |
Lateral movement |
Suspected exploitation attempt on Windows Print Spooler service |
2415 |
High or Medium |
Lateral movement |
Suspicious network connection over Encrypting File System Remote Protocol |
2416 |
High or Medium |
Lateral movement |
Suspected suspicious Kerberos ticket request |
2418 |
High |
Credential access |
Suspicious modification of a sAMNameAccount attribute (CVE-2021-42278 and CVE-2021-42287 exploitation) |
2419 |
High |
Credential access |
Suspicious modification of the trust relationship of AD FS server |
2420 |
Medium |
Privilege Escalation |
Suspicious modification of a dNSHostName attribute (CVE-2022-26923) |
2421 |
High |
Privilege Escalation |
Suspicious Kerberos delegation attempt by a newly created computer |
2422 |
High |
Privilege Escalation |
Suspicious modification of the Resource Based Constrained Delegation attribute by a machine account |
2423 |
High |
Privilege Escalation |
Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate |
2424 |
High |
Credential access |
Suspicious certificate usage over Kerberos protocol (PKINIT) |
2425 |
High |
Lateral movement |
Suspected DFSCoerce attack using Distributed File System Protocol |
2426 |
High |
Credential access |
Honeytoken user attributes modified |
2427 |
High |
Persistence |
Honeytoken group membership changed |
2428 |
High |
Persistence |
Honeytoken was queried via LDAP |
2429 |
Low |
Discovery |
Suspicious modification of domain AdminSdHolder |
2430 |
High |
Persistence |
Suspected account takeover using shadow credentials |
2431 |
High |
Credential access |
Suspicious Domain Controller certificate request (ESC8) |
2432 |
High |
Privilege escalation |
Suspicious deletion of the certificate database entries |
2433 |
Medium |
Defense evasion |
Suspicious disable of audit filters of AD CS |
2434 |
Medium |
Defense evasion |
Suspicious modifications to the AD CS security permissions/settings |
2435 |
Medium |
Privilege escalation |
Account Enumeration reconnaissance (LDAP) (Preview) |
2437 |
Medium |
Account Discovery, Domain Account |
Directory Services Restore Mode Password Change |
2438 |
Medium |
Persistence, Account Manipulation |
Honeytoken was queried via SAM-R |
2439 |
Low |
Discovery |
Group Policy Tampering |
2440 |
Medium |
Defense evasion |