60105, 60122 (?i)admin A4-01 [PROD] Windows: privileged account name auth failure (4625) soc_prod,a4,auth_fail, T1110.001
60105, 60122 (?i)svc|service|\$$ A4-02 [PROD] Windows: service account auth failure (4625) soc_prod,a4,auth_fail, T1110.001
60105, 60122 A4-19 [PROD] Windows: authentication failure (4625) soc_prod,a4,spray, T1110.003
67027 (?i)adfind\.exe A4-03 [PROD] Windows AD: adfind enumeration tool executed (4688) soc_prod,a4,ad_enum, T1087.002
60106 ^10$ A4-06 [PROD] Windows: remote interactive auth success logon type 10 (4624) soc_prod,a4,auth_success,remote, T1021.001 T1078
60106 NTLM ^3$ A4-08 [PROD] Windows: NTLM network logon type 3 — pass-the-hash indicator (4624) soc_prod,a4,pth, T1550.002
60106 (?i)^guest$ A4-09 [PROD] Windows: guest account auth success (4624) soc_prod,a4,auth_success,guest, T1078.001
60106 ^2$ (?i)svc|service|\$$ A4-10 [PROD] Windows: service account interactive logon type 2 (4624) soc_prod,a4,service_account, T1078.003
60113 ^4728$ A4-12 [PROD] Windows: account added to privileged domain group (4728) soc_prod,a4,privilege_escalation, T1098.007
60113 ^4732$ A4-11 [PROD] Windows: account added to privileged local group (4732) soc_prod,a4,privilege_escalation, T1098.007
60103 A4-13 [PROD] Windows DC: DSRM account password set (4794) soc_prod,a4,persistence, T1098
60109 ^4720$ A4-21/23 [PROD] Windows: new user account created (4720) soc_prod,a4,account_create, T1136
60109 ^4722$ A4-22/24 [PROD] Windows: user account re-enabled (4722) soc_prod,a4,account_lifecycle, T1078