This is such a good Event ID. One more thing I monitor for this is Elevation Token Type '%%1936' or '%%1937' where the account name doesn't contain a $ symbol (i.e. a real account), which means the UAC is disabled or the account ran the process with Administrator privileges.
We just covered this last night in my Cybersecurity course. Thank you for the additional explanation regarding event IDs.
Awesome! Hopefully you are learning lots from the course 😃
Do you mind sharing the course that you are taking?
Awesome! Thanks for the input
Always on point
You have mentioned that in the future you will show us a tool which is better for these logs. Which will be that tool?
This Thursday I'll be showing you one tool we can use to view these event logs. But another tool I like to use is called Event Log Explorer.
@MyDFIR thanks 🙏 great news
thank you, my friend. Good to know this.
Anytime! Event IDs are something easy to get overwhelmed by. But fear not, Google is your friend when you need more info on Event IDs 😜
Great information, thanks.
Glad it was helpful!
Thank you 👍
You are welcome
Excellent 😁
Very informative 👍
Thanks! Hopefully you learned something new 😀
Perfection level🎉🎉🎉
Thanks for watching ❤️
I use Windows Home.
How do I filter the log for event ID 4625 with logon type 3?
You can filter using PowerShell or push the logs over to Splunk.
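One way to do the PowerShell filtering suggested above, as an added example that is not from the video or the commenters: it pulls failed logons (4625) with Logon Type 3 (network) from the local Security log and groups them by account and source address. It assumes an elevated PowerShell session on the host whose Security log you want to read.

```powershell
# Added example: failed logons (Event ID 4625) restricted to LogonType 3 (network).
# Reading the Security log requires an elevated session.

# XPath filter evaluated by the event log service itself, so only matching
# records are returned instead of filtering every 4625 client-side.
$xpath = "*[System[(EventID=4625)] and EventData[Data[@Name='LogonType']='3']]"

$failedNetworkLogons = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 500 |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time         = $_.TimeCreated
            TargetUser   = $data['TargetUserName']
            TargetDomain = $data['TargetDomainName']
            SourceIP     = $data['IpAddress']
            Workstation  = $data['WorkstationName']
            Status       = $data['Status']      # e.g. 0xC000006D = bad user name or password
            SubStatus    = $data['SubStatus']   # e.g. 0xC000006A = bad password, 0xC0000064 = no such user
            LogonType    = $data['LogonType']
        }
    }

# Summary view: repeated failures for one account from one source stand out first.
$failedNetworkLogons |
    Group-Object TargetUser, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Full detail for the most recent records.
$failedNetworkLogons | Select-Object -First 20 | Format-Table -AutoSize
```

The same XPath string can be pasted into Event Viewer's Filter Current Log dialog on the XML tab, so the query works without PowerShell as well.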
I appreciate your channel so much, Thank you
You are so welcome!
Kool👍
Thanks for watching!
Great Job
5061 pls no
Whew. It was just some system integrity audit failure, oh well.
LOL 4624 type 10 service account pls no
Great information, thank you very much
Glad it was helpful!