60001,60017
^Security$
^4662$
no_full_log
Directory Service Access. Possible Secret Dump DCSync attack

60103
^4769$
pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,
no_full_log
Possible Kerberoasting attack

60103
^4624$
{00000000-0000-0000-0000-000000000000}
3
no_full_log
Possible Golden Ticket attack

61600
17|18
\\PSEXESVC
no_full_log
PsExec service launched for possible lateral movement within the domain

sysmon_event1
NTDSUTIL
Possible NTDS.dit file extraction using ntdsutil.exe

60103
^4624$
seclogo
9
Negotiate
{00000000-0000-0000-0000-000000000000}
no_full_log
Possible Pass the hash attack

61612
(?i)\\\\system32\\\\lsass.exe
(?i)0x1010
Possible credential dumping using mimikatz

60020,60021
^Directory Service$
^Microsoft-Windows-ActiveDirectory_DomainService$
^1644$
T1087
Possible malicious DC enumeration (Certipy find -dc-ip) - LDAP Event ID 1644 triggered.
ldap,windows

60001,60017
^Security$
^4886$
.*\\Administrator$
SAN:upn=Administrator@[^ ]+
Possible malicious certificate request in DC
no_full_log

60001,60017
^Security$
^4887$
.*\\Administrator$
SAN:upn=Administrator@[^ ]+
Possible Kerberoasting attack. ID 4887. Certificate Services approved a certificate request and issued a certificate.
no_full_log

60001,60017
^Security$
^4887$
.*\\Administrator$
CN=Administrator
Suspicious certificate issuance: non-Administrator requesting Administrator subject

60001,60017
^Security$
^4898$
T1601
T1078
Possible Kerberoasting attack. Certificate Services loaded a template.
no_full_log

60001,60017
^Security$
^5136$
A directory service object was modified. Possible Dumping Administrator
no_full_log

60020,60021
^Microsoft-Windows-ActiveDirectory_DomainService$
^1138$|^1139$
who-am-i
T1078
T1550
Possible using Ldap-shell to connect to the server
windows,ldap,noise

60001,60017
^Security$
^4769$
^(?!::1$).*
Suspicious Kerberos service ticket request from remote source for non-machine account