Blue Teaming Active Directory: EVENmonitor
This article demonstrates how EVENmonitor exposes the most common Active Directory attacks the moment they occur. Each attack is paired with the specific Windows Event ID that betrays it, walking the reader through detection of DCSync, AS-REP Roasting, Password Spraying, Pass-the-Hash, account creation and deletion, Kerberoasting, and privileged group manipulation.
Table of Contents
- Introduction
- Installation
- Detecting DCSync Attacks — Event ID 4662
- Detecting AS-REP Roasting — Event ID 4768
- Detecting Password Spraying — Event ID 4625
- Detecting Pass-the-Hash — Event IDs 4624 and 4776
- Detecting User Account Creation — Event ID 4720
- Detecting User Account Deletion — Event ID 4726
- Detecting Kerberoasting — Event ID 4769
- Detecting Privilege Escalation via Group Addition — Event ID 4728
- Detecting Group Membership Removal — Event ID 4729
- Detecting Account Disable Operations — Event ID 4725
- Detecting Account Enable Operations — Event ID 4722
- Detecting Pass-the-Ticket Attacks — Event ID 4769
- Detecting Password Resets by Other Users — Event ID 4724
- Detecting Rogue Computer Account Creation — Event ID 4741
- Detecting Computer Account Deletion — Event ID 4743
- Authenticating EVENmonitor with an NTLM Hash
- Conclusion
Introduction
Active Directory (AD) is central to enterprise networks, yet offensive operations generate detectable artifacts in Windows Security event logs. Traditional analysis via Event Viewer or SIEM introduces critical delays during active intrusions. EVENmonitor, an open-source tool by NeffIsBack, streams Domain Controller (DC) Security logs in real-time to analysts’ terminals.
EVENmonitor connects via the MS-EVEN6 RPC interface on modern Windows DCs, subscribing to relevant events using agentless, lightweight monitoring. It requires only domain credentials with Security log read access. Upon connection, it decodes raw events into readable formats, displaying actor, target, source IP, privileges, and forensic fields as they occur.
This guide maps common AD attacks—DCSync, AS-REP Roasting, password spraying, Pass-the-Hash, Pass-the-Ticket, Kerberoasting, account lifecycle abuse, password resets, computer account abuse, and privileged group manipulation—to specific Windows Event IDs. Each section demonstrates the attack from Kali Linux alongside real-time EVENmonitor output, highlighting distinguishing indicators.
Installation
EVENmonitor installs cleanly on Kali Linux through pipx, which isolates it inside its own virtual environment and exposes the executable globally.
The following command pulls the project from GitHub:
pipx install git+https://github.com/NeffIsBack/EVENmonitor

Detecting DCSync Attacks — Event ID 4662
A DCSync attack abuses the Directory Replication Service to request password hashes for every account in the domain, including the krbtgt account. EVENmonitor catches this behaviour by filtering Event ID 4662, which records access to Active Directory objects, with the following command:
EVENmonitor --dc-ip 192.168.1.7 -u administrator -d ignite.local -p 'Ignite@987' --event-id 4662

Once bound to MS-EVEN6, EVENmonitor begins watching for any Directory Service object access in real time.
To trigger detection, an attacker simulates a DCSync attack from a compromised low-privileged user. NetExec performs the synchronisation through the SMB protocol and dumps the entire NTDS.dit hash database.
nxc smb 192.168.1.7 -u 'shivangi' -p 'Password@1' --ntds

The attacker authenticates as the user shivangi and successfully extracts hashes for Administrator, krbtgt, and every other domain principal. The instant this happens, EVENmonitor registers a flood of 4662 events on the analyst console.

The decoded event reveals everything a defender needs: the SubjectUserName field identifies shivangi as the actor, while the Properties GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 corresponds to the DS-Replication-Get-Changes-All extended right. Any non-Domain-Controller account exercising this right indicates a DCSync attack in progress.
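As an added example, not part of the original article or of EVENmonitor's own code, the following Python applies that rule to a stream of decoded 4662 events: it extracts the extended-right GUIDs from the Properties field, ignores the Domain Controllers' own machine accounts (which replicate with each other legitimately), and reports every other actor that exercised DS-Replication-Get-Changes-All. It assumes each event is a dict keyed by the field names EVENmonitor prints; the DC name DC01$ and the logon ids in the sample are hypothetical, and the second GUID is the companion DS-Replication-Get-Changes right from Microsoft's schema documentation.

```python
# Added example (not EVENmonitor's own code): triage decoded 4662 events for DCSync.
# Assumes each event is a dict keyed by the field names EVENmonitor prints
# (SubjectUserName, Properties, ...); DC01$ and the logon ids are hypothetical.
import re

# Extended-right GUIDs. The first is the one the article names; the second is its
# companion right from Microsoft's AD schema documentation. Replication needs both.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def replication_rights(properties):
    """Names of replication rights present in a 4662 Properties field.
    The field is free text carrying one or more {GUID} entries."""
    found = []
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name and name not in found:
            found.append(name)
    return found


def classify_4662(event, dc_accounts):
    """Return an alert dict when a 4662 event looks like DCSync, else None.
    dc_accounts holds the machine accounts of the real Domain Controllers
    (e.g. {"DC01$"}): DCs replicate with each other, so those actors are expected."""
    if event.get("EventID") != 4662:
        return None
    rights = replication_rights(event.get("Properties", ""))
    if "DS-Replication-Get-Changes-All" not in rights:
        return None
    actor = event["SubjectUserName"]
    if actor.upper() in {a.upper() for a in dc_accounts}:
        return None
    return {
        "actor": actor,
        "domain": event.get("SubjectDomainName", ""),
        "rights": rights,
        # SubjectLogonId lets the analyst pull every other event from the same session
        "logon_id": event.get("SubjectLogonId", ""),
    }


def detect_dcsync(events, dc_accounts):
    """Run classify_4662 over a stream of decoded events and keep the alerts."""
    alerts = []
    for event in events:
        alert = classify_4662(event, dc_accounts)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (hypothetical DC name and logon ids)
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "shivangi", "SubjectDomainName": "IGNITE",
     "SubjectLogonId": "0x4d2a1",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # a real DC replicating: same rights, expected actor
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "IGNITE",
     "SubjectLogonId": "0x3e7",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # ordinary object access (the 'user' class GUID), no replication right involved
    {"EventID": 4662, "SubjectUserName": "shivangi", "SubjectDomainName": "IGNITE",
     "SubjectLogonId": "0x4d2a1",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, {"DC01$"}):
        print("DCSync by %s\\%s (logon %s): %s" % (
            alert["domain"], alert["actor"], alert["logon_id"], ", ".join(alert["rights"])))
```

Run against the constructed sample, only the shivangi event with the replication rights is reported; the DC's own replication and the unrelated object access are dropped. The SubjectLogonId carried in the alert is the pivot for pulling the rest of that session from the log.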
Detecting AS-REP Roasting — Event ID 4768
AS-REP Roasting targets accounts configured with the “Do not require Kerberos pre-authentication” flag. The attacker requests a Ticket Granting Ticket for such accounts and receives an encrypted blob that can be cracked offline. NetExec automates the technique through its asreproast module, invoked with the following command:
nxc ldap 192.168.1.7 -u yashika -p '' --asreproast

On the Domain Controller side, every TGT request generates Event ID 4768. The definitive indicator of an AS-REP Roastable account is a PreAuthType value of 0, which means pre-authentication was not performed. Filtering EVENmonitor on that event ID shows which account was issued a ticket without pre-authentication:
EVENmonitor --dc-ip 192.168.1.7 -u administrator -d ignite.local -p 'Ignite@987' --event-id 4768

The output isolates the TargetUserName as yashika and confirms PreAuthType: 0, transforming what would otherwise be normal Kerberos noise into an unambiguous attack signal.
Detecting Password Spraying — Event ID 4625
Password spraying attempts a single weak password against many usernames to evade lockout policies. NetExec reproduces a textbook spray with the following command:
nxc smb 192.168.1.7 -u user.txt -p Password@1 --continue-on-success

This password-spraying technique generates a high volume of failed logon events captured under Event ID 4625. While only a handful of accounts authenticate successfully, the dozens of failures are precisely what EVENmonitor surfaces when filtered for 4625 with the following command:
EVENmonitor --dc-ip 192.168.1.7 -u administrator -d ignite.local -p 'Ignite@987' --event-id 4625

The signature is unmistakable: multiple distinct TargetUserName values, identical Status code 0xC000006D (bad username or password), Logon Type 3 (network), and a single shared IpAddress. That clustering pattern marks a textbook password spray and triggers immediate investigation.
Detecting Pass-the-Hash — Event IDs 4624 and 4776
Pass-the-Hash bypasses the need for a cleartext password by authenticating directly with an NTLM hash. NetExec accepts the hash through its -H flag using the following command:
nxc smb 192.168.1.7 -u administrator -H 32196B56FFE6F45E294117B91A83BF38

The defender combines two event IDs to spot the technique. EVENmonitor accepts a comma-separated list to monitor 4624 (successful logon) and 4776 (NTLM credential validation) at the same time with the help of the following command:
EVENmonitor --dc-ip 192.168.1.7 -u administrator -d ignite.local -p 'Ignite@987' --event-id 4624,4776

Two telltale fields stand out. First, the LmPackageName field reports NTLM V1 instead of the Kerberos package expected for legitimate domain authentication. Second, the LogonType is 3 (network) with a remote IpAddress of 192.168.1.17. Together these indicators confirm an NTLM hash was replayed across the network.
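The two-field correlation just described, as an added Python example that is not part of the original article or of EVENmonitor: it pairs each NTLM network logon in 4624 with the 4776 credential validation the DC performed for the same account moments earlier, so the alert carries both the source IP and the workstation name that presented the hash. It assumes decoded events as dicts with the field names above; the timestamps, logon ids and the KALI and WS01 workstation names are constructed. It goes slightly beyond the article's NTLM V1 indicator by also flagging any account from a caller-supplied privileged set that authenticates over NTLM at all, since such accounts are expected to use Kerberos in a modern domain.

```python
# Added example (not EVENmonitor's own code): correlate 4624 NTLM network logons
# with the 4776 validations that preceded them. Field names follow the decoded
# events; timestamps, logon ids and workstation names are constructed.
from datetime import datetime, timedelta


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def correlate_pass_the_hash(events, privileged=frozenset(), window=timedelta(seconds=5)):
    """Alert on NTLM network logons (4624, LogonType 3) that either used NTLM V1,
    the indicator the article names, or belong to a privileged account. Each alert
    lists the workstations from matching 4776 validations inside `window`."""
    validations = [e for e in events if e.get("EventID") == 4776]
    alerts = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != 3:
            continue
        if e.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue
        reasons = []
        if e.get("LmPackageName", "").upper() == "NTLM V1":
            reasons.append("NTLM V1")
        user = e["TargetUserName"].lower()
        if user in privileged:
            reasons.append("privileged account over NTLM")
        if not reasons:
            continue
        t = _ts(e)
        # 4776 is written by the DC as it validates the hash, so it lands at or
        # just before the 4624 that records the resulting session
        matched = [v for v in validations
                   if v["TargetUserName"].lower() == user
                   and v.get("Status", "") == "0x0"
                   and timedelta(0) <= t - _ts(v) <= window]
        alerts.append({
            "user": user,
            "ip": e.get("IpAddress", ""),
            "workstations": sorted({v.get("Workstation", "") for v in matched}),
            "reasons": reasons,
            "logon_id": e.get("TargetLogonId", ""),
        })
    return alerts


# Constructed sample events
_BASE = datetime(2024, 1, 1, 10, 0, 0)


def _at(seconds):
    return (_BASE + timedelta(seconds=seconds)).isoformat()


SAMPLE_EVENTS = [
    # the DC validates the replayed hash, then records the network logon a second later
    {"EventID": 4776, "TimeCreated": _at(0), "PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
     "TargetUserName": "administrator", "Workstation": "KALI", "Status": "0x0"},
    {"EventID": 4624, "TimeCreated": _at(1), "LogonType": 3, "TargetUserName": "administrator",
     "TargetLogonId": "0x5a3f2", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "IpAddress": "192.168.1.17"},
    # an ordinary Kerberos network logon from a domain workstation: ignored
    {"EventID": 4624, "TimeCreated": _at(30), "LogonType": 3, "TargetUserName": "raj",
     "TargetLogonId": "0x5b101", "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "IpAddress": "192.168.1.30"},
    # NTLM V2 by an unprivileged user: a legitimate fallback, no alert on its own
    {"EventID": 4776, "TimeCreated": _at(60), "PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
     "TargetUserName": "raj", "Workstation": "WS01", "Status": "0x0"},
    {"EventID": 4624, "TimeCreated": _at(61), "LogonType": 3, "TargetUserName": "raj",
     "TargetLogonId": "0x5b2aa", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "IpAddress": "192.168.1.30"},
]

if __name__ == "__main__":
    for alert in correlate_pass_the_hash(SAMPLE_EVENTS, privileged={"administrator"}):
        print(alert)
```

With the administrator account in the privileged set, the sample yields one alert: the NTLM V1 logon from 192.168.1.17, tied to the KALI validation. The raj NTLM V2 logon only becomes an alert if raj is added to the privileged set, which is the knob to tune per environment.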
Detecting User Account Creation — Event ID 4720
Attackers who gain Domain Admin privileges frequently create persistence accounts. The bloodyAD utility provisions a new account remotely without ever touching the Domain Controller console by using the following command:
bloodyAD -d ignite.local -u administrator -p Ignite@987 --host 192.168.1.7 add user geet Password@1

Every new domain account writes an Event ID 4720 to the Security log. EVENmonitor exposes the creation as it happens with the help of the following command:
EVENmonitor --dc-ip 192.168.1.7 -u administrator -d ignite.local -p 'Ignite@987' --event-id 4720

The event identifies both the new account (TargetUserName: geet) and the actor responsible (SubjectUserName: Administrator). Defenders can pivot on the SubjectLogonId to trace the entire attacker session that led to the account creation.
Detecting User Account Deletion — Event ID 4726
Adversaries also delete accounts to cover their tracks or remove legitimate administrators. The following net rpc command performs the deletion remotely against the Domain Controller.
net rpc user delete geet -U ignite.local/administrator%'Ignite@987' -S 192.168.1.7

Account deletion writes Event ID 4726, which EVENmonitor captures the moment the SAM database commits the change and displays it by using the following command:
EVENmonitor --dc-ip 192.168.1.7 -u administrator -d ignite.local -p 'Ignite@987' --event-id 4726

The TargetUserName field names the deleted account and the SubjectUserName identifies the deleter, providing the defender with a complete audit trail of the destructive action.
Detecting Kerberoasting — Event ID 4769
Kerberoasting requests Kerberos service tickets for accounts with a Service Principal Name and cracks the encrypted ticket portion offline to recover the service account password.
NetExec ships a dedicated kerberoasting module which can be activated by using the following command:
nxc ldap 192.168.1.7 -u sushant -p Password@1 --kerberoasting hash.txt

Each TGS request emits an Event ID 4769. Although service ticket requests are normal, the encryption type 0x17 (RC4-HMAC) on a privileged or service account is a strong indicator of Kerberoasting. EVENmonitor surfaces these requests with the following command:
EVENmonitor --dc-ip 192.168.1.7 -u administrator -d ignite.local -p 'Ignite@987' --event-id 4769

The combination of TicketEncryptionType 0x17 and a TargetUserName that was authenticated from a workstation rather than a server hardens the case for active Kerberoasting. Modern domains should use AES (type 0x12) for service tickets, so RC4 traffic is itself anomalous.
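Both this section and the password-spraying section above reduce to the same question: how many distinct targets did one source touch inside a short window? The following Python, an added example that is not part of the original article or of EVENmonitor, answers it once and applies it to both patterns: 4625 failures grouped by IpAddress and counted by TargetUserName for spraying, and 4769 RC4 (0x17) tickets grouped by the requesting account and counted by ServiceName for Kerberoasting. It assumes decoded events as dicts with the field names the article shows; the thresholds, timestamps and the sqlsvc/websvc/backupsvc/iissvc service names are constructed.

```python
# Added example (not EVENmonitor's own code). Burst detectors for two of the
# article's patterns: password spraying (4625) and Kerberoasting (4769). Field
# names follow the decoded events; thresholds, times and names are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

BAD_CREDENTIALS = "0xc000006d"   # 4625 Status for bad username or password (from the article)
RC4_HMAC = "0x17"                # 4769 TicketEncryptionType for RC4-HMAC (from the article)


def max_distinct_in_window(samples, window):
    """samples: list of (timestamp, target). Return the largest set of distinct
    targets seen inside any interval of length `window` (two-pointer sweep)."""
    samples = sorted(samples, key=lambda s: s[0])
    best, start = set(), 0
    for end in range(len(samples)):
        while samples[end][0] - samples[start][0] > window:
            start += 1
        seen = {target for _, target in samples[start:end + 1]}
        if len(seen) > len(best):
            best = seen
    return best


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs whose 4625 network-logon failures hit >= min_users distinct accounts."""
    by_ip = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4625 and e.get("LogonType") == 3 \
                and e.get("Status", "").lower() == BAD_CREDENTIALS:
            by_ip[e["IpAddress"]].append((_ts(e), e["TargetUserName"].lower()))
    alerts = []
    for ip, samples in by_ip.items():
        users = max_distinct_in_window(samples, window)
        if len(users) >= min_users:
            alerts.append({"ip": ip, "users": sorted(users)})
    return alerts


def detect_kerberoasting(events, window=timedelta(minutes=10), min_services=3):
    """Flag requesters that pull RC4 service tickets for >= min_services distinct
    user-backed service accounts. Machine accounts (name$) and krbtgt are skipped:
    they are not the offline-crackable targets the article describes."""
    by_requester = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue
        service = e["ServiceName"]
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        by_requester[e["TargetUserName"].lower()].append((_ts(e), service.lower()))
    alerts = []
    for requester, samples in by_requester.items():
        services = max_distinct_in_window(samples, window)
        if len(services) >= min_services:
            alerts.append({"requester": requester, "services": sorted(services)})
    return alerts


# Constructed sample events (hypothetical timestamps and service names)
_BASE = datetime(2024, 1, 1, 9, 0, 0)


def _at(seconds):
    return (_BASE + timedelta(seconds=seconds)).isoformat()


SAMPLE_EVENTS = [
    # password spray: one IP, eight accounts, same status, ten seconds apart
    *[{"EventID": 4625, "TimeCreated": _at(10 * i), "TargetUserName": u, "Status": "0xC000006D",
       "LogonType": 3, "IpAddress": "192.168.1.17"}
      for i, u in enumerate(["raj", "yashika", "sushant", "sanjeet",
                             "ankur", "geet", "shivangi", "administrator"])],
    # one user mistyping their own password three times is not a spray
    *[{"EventID": 4625, "TimeCreated": _at(100 + 5 * i), "TargetUserName": "raj",
       "Status": "0xC000006D", "LogonType": 3, "IpAddress": "192.168.1.50"} for i in range(3)],
    # kerberoasting: sushant requests RC4 tickets for four service accounts in one minute
    *[{"EventID": 4769, "TimeCreated": _at(200 + 15 * i), "TargetUserName": "sushant@IGNITE.LOCAL",
       "ServiceName": s, "TicketEncryptionType": "0x17", "IpAddress": "192.168.1.17"}
      for i, s in enumerate(["sqlsvc", "websvc", "backupsvc", "iissvc"])],
    # an AES ticket for a workstation account is normal traffic and must not count
    {"EventID": 4769, "TimeCreated": _at(260), "TargetUserName": "raj@IGNITE.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "IpAddress": "192.168.1.30"},
]

if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_EVENTS))
    print(detect_kerberoasting(SAMPLE_EVENTS))
```

On the sample, the spray detector reports 192.168.1.17 with eight accounts and ignores the single user retrying from 192.168.1.50; the Kerberoasting detector reports sushant with four service accounts and skips the AES ticket for WS01$. The same sweep also fits the Pass-the-Ticket section later in the article if the target counted is the source IP per account rather than the service per requester.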
Detecting Privilege Escalation via Group Addition — Event ID 4728
Adding a controlled account to a privileged group is the fastest path to domain dominance. bloodyAD performs the modification with a single command.
bloodyAD --host "192.168.1.7" -d "ignite.local" -u "administrator" -p "Ignite@987" add groupMember "Domain Admins" "geet"

Membership changes against security-enabled global groups generate Event ID 4728. EVENmonitor surfaces the event the moment Active Directory replicates the change.
EVENmonitor --dc-ip 192.168.1.7 -u administrator -d ignite.local -p 'Ignite@987' --event-id 4728

The MemberName field carries the full distinguished name of the elevated account, while TargetUserName names the group and SubjectUserName identifies the operator. Any 4728 event referencing Domain Admins, Enterprise Admins, or Schema Admins demands an immediate response.
Detecting Group Membership Removal — Event ID 4729
Attackers also remove users from privileged groups to lock out incident responders. The reverse bloodyAD command strips the account back out.
bloodyAD --host "192.168.1.7" -d "ignite.local" -u "administrator" -p "Ignite@987" remove groupMember "Domain Admins" "geet"

The corresponding Event ID 4729 records the removal and EVENmonitor displays the full context with the help of the following command:
EVENmonitor --dc-ip 192.168.1.7 -u administrator -d ignite.local -p 'Ignite@987' --event-id 4729

Pairing 4728 and 4729 monitoring lets a defender reconstruct every elevation and de-elevation against sensitive groups.
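As an added example that is not part of the original article or of EVENmonitor, the following Python rebuilds that elevation timeline from decoded 4728 and 4729 events: every addition to a sensitive group becomes an alert, and an addition that is reversed within a configurable interval is marked as a transient elevation. It assumes events arrive as dicts with the field names shown above; the timestamps, the Marketing group and the svc_backup account are hypothetical. It also maps 4756 and 4757, the security-enabled universal group equivalents, because Enterprise Admins and Schema Admins are universal groups in a native-mode forest and their membership changes are logged under those IDs.

```python
# Added example (not EVENmonitor's own code): track additions to and removals
# from sensitive groups across 4728/4729 (global) and 4756/4757 (universal).
# Timestamps, logon ids, the Marketing group and svc_backup are hypothetical.
from datetime import datetime, timedelta

# Groups the article calls out, lower-cased for comparison
SENSITIVE_GROUPS = {"domain admins", "enterprise admins", "schema admins"}
ACTIONS = {4728: "added", 4729: "removed",   # security-enabled global group
           4756: "added", 4757: "removed"}   # security-enabled universal group


def cn_from_dn(dn):
    """'CN=geet,CN=Users,DC=ignite,DC=local' -> 'geet' (MemberName is a DN)."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def track_group_changes(events, sensitive=SENSITIVE_GROUPS, transient=timedelta(hours=1)):
    """Return (alerts, timeline). timeline holds every add/remove against a
    sensitive group in time order; alerts holds each add, flagged transient when
    the same member is removed from the same group within `transient`."""
    timeline = []
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        action = ACTIONS.get(e.get("EventID"))
        if not action or e["TargetUserName"].lower() not in sensitive:
            continue
        timeline.append({
            "time": datetime.fromisoformat(e["TimeCreated"]),
            "action": action,
            "member": cn_from_dn(e["MemberName"]).lower(),
            "group": e["TargetUserName"],
            "actor": e["SubjectUserName"],
            "logon_id": e.get("SubjectLogonId", ""),
        })
    alerts = []
    for i, entry in enumerate(timeline):
        if entry["action"] != "added":
            continue
        alert = dict(entry, transient=False)
        for later in timeline[i + 1:]:
            if (later["action"] == "removed" and later["member"] == entry["member"]
                    and later["group"] == entry["group"]
                    and later["time"] - entry["time"] <= transient):
                alert["transient"] = True
                alert["removed_at"] = later["time"]
                break
        alerts.append(alert)
    return alerts, timeline


# Constructed sample events
_BASE = datetime(2024, 1, 1, 12, 0, 0)


def _at(minutes):
    return (_BASE + timedelta(minutes=minutes)).isoformat()


SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": _at(0), "MemberName": "CN=geet,CN=Users,DC=ignite,DC=local",
     "TargetUserName": "Domain Admins", "SubjectUserName": "Administrator", "SubjectLogonId": "0x37e800"},
    # a change to an unremarkable global group is recorded by AD but not tracked here
    {"EventID": 4728, "TimeCreated": _at(10), "MemberName": "CN=raj,CN=Users,DC=ignite,DC=local",
     "TargetUserName": "Marketing", "SubjectUserName": "Administrator", "SubjectLogonId": "0x37e800"},
    {"EventID": 4729, "TimeCreated": _at(20), "MemberName": "CN=geet,CN=Users,DC=ignite,DC=local",
     "TargetUserName": "Domain Admins", "SubjectUserName": "Administrator", "SubjectLogonId": "0x37e800"},
    {"EventID": 4756, "TimeCreated": _at(30), "MemberName": "CN=svc_backup,CN=Users,DC=ignite,DC=local",
     "TargetUserName": "Enterprise Admins", "SubjectUserName": "Administrator", "SubjectLogonId": "0x37e800"},
]

if __name__ == "__main__":
    alerts, timeline = track_group_changes(SAMPLE_EVENTS)
    for a in alerts:
        print(a["member"], "->", a["group"], "by", a["actor"], "transient" if a["transient"] else "")
```

On the sample, geet's twenty-minute stay in Domain Admins is reported as a transient elevation, and svc_backup's addition to Enterprise Admins stands as an open alert; the Marketing change never enters the timeline.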
Detecting Account Disable Operations — Event ID 4725
Adversaries who hold Domain Admin rights frequently disable legitimate accounts to obstruct incident responders or to neutralise security personnel. The bloodyAD utility flips the ACCOUNTDISABLE flag inside the userAccountControl attribute with a single remote call.
bloodyAD --host 192.168.1.11 -d ignite.local -u Administrator -p 'Ignite@987' add uac sanjeet -f ACCOUNTDISABLE

Every disable operation triggers Event ID 4725 inside the Security log. EVENmonitor captures the event in real time, exposing both the affected account and the operator responsible by using the following command:
EVENmonitor --dc-ip 192.168.1.7 -u administrator -d ignite.local -p 'Ignite@987' --event-id 4725

The TargetUserName field identifies the disabled account as sanjeet, while SubjectUserName confirms Administrator as the actor. Defenders can pivot on the SubjectLogonId 0x37e800 to correlate this action with other operations performed during the same attacker session.
Detecting Account Enable Operations — Event ID 4722
Attackers also re-enable previously disabled accounts to revive dormant credentials or backdoor identities. Removing the ACCOUNTDISABLE flag through bloodyAD reverses the previous action.
bloodyAD --host 192.168.1.7 -d ignite.local -u Administrator -p 'Ignite@987' remove uac sanjeet -f ACCOUNTDISABLE

The Security log records account re-enablement under Event ID 4722. EVENmonitor surfaces the change instantly using the following command:
EVENmonitor --dc-ip 192.168.1.7 -u administrator -d ignite.local -p 'Ignite@987' --event-id 4722

Watching 4725 and 4722 together gives defenders complete visibility into account state lifecycle changes. A sudden burst of disable-and-enable operations on dormant accounts is a classic indicator of an attacker preparing persistence or manipulating identities mid-engagement.
Detecting Pass-the-Ticket Attacks — Event ID 4769
Pass-the-Ticket replays a stolen Kerberos ticket to authenticate as another principal without ever knowing the underlying password. Impacket’s getTGT requests a Ticket Granting Ticket using only an NTLM hash; the resulting ticket cache is exported through KRB5CCNAME, and psexec then consumes the cached ticket through the -k -no-pass flags. The three steps are run with the following commands:
impacket-getTGT -dc-ip 192.168.1.7 -hashes :32196b56ffe6f45e294117b91a83bf38 ignite.local/Administrator
export KRB5CCNAME=Administrator.ccache
impacket-psexec ignite.local/administrator@dc.ignite.local -k -no-pass

On the Domain Controller, the resulting service ticket request is logged as Event ID 4769. EVENmonitor isolates the event and exposes the artefacts that distinguish ticket reuse from normal Kerberos traffic with the following command:
EVENmonitor --dc-ip 192.168.1.7 -u administrator -d ignite.local -p 'Ignite@987' --event-id 4769

Two indicators stand out. First, the TicketEncryptionType is 0x12 (AES256), which is consistent with modern Kerberos but the request originates from 192.168.1.17, a non-administrative workstation. Second, the LogonGuid does not correlate with any preceding interactive logon for that account, hinting that the ticket was obtained out-of-band. Correlating 4769 events against the source workstation’s recent 4624 logons quickly reveals replayed tickets.
Detecting Password Resets by Other Users — Event ID 4724
An attacker with delegated rights can reset another user’s password and seize the account without needing the original credentials. The net rpc command performs a remote password reset against the Domain Controller, which is as follows:
net rpc user password ankur Password@987 -U ignite.local/raj%'Password@1' -S 192.168.1.7

Password resets executed against another principal generate Event ID 4724, which is functionally distinct from a self-service password change (Event 4723). EVENmonitor displays the full chain of attribution with the following command:
EVENmonitor --dc-ip 192.168.1.7 -u administrator -d ignite.local -p 'Ignite@987' --event-id 4724

The combination of TargetUserName ankur and SubjectUserName raj instantly answers the two most important forensic questions: whose password changed, and who changed it. Any 4724 event where the subject is not a Help Desk operator or a service account warrants immediate review, since unsanctioned password resets are a hallmark of account takeover.
Detecting Rogue Computer Account Creation — Event ID 4741
Active Directory permits any authenticated domain user to create up to ten computer accounts by default through the MachineAccountQuota attribute. Attackers exploit this for techniques such as Resource-Based Constrained Delegation abuse and noPac. bloodyAD provisions a rogue computer account in a single command.
bloodyAD -u sanjeet -p 'Password@1' -d ignite.local --host 192.168.1.7 add computer fakecomp 'Password@123'

Computer account creation writes Event ID 4741 to the Security log. EVENmonitor exposes the new machine principal along with all its attributes.
EVENmonitor --dc-ip 192.168.1.7 -u administrator -d ignite.local -p 'Ignite@987' --event-id 4741

The event reveals the SamAccountName fakecomp$, the creator sanjeet, and a set of pre-populated ServicePrincipalNames including HOST/fakecomp and RestrictedKrbHost entries. Computer accounts created by ordinary users — particularly those followed shortly by attribute modifications such as msDS-AllowedToActOnBehalfOfOtherIdentity — are a leading indicator of delegation abuse in progress.
Detecting Computer Account Deletion — Event ID 4743
Adversaries clean up rogue computer accounts to remove evidence of their attack chain. The ldap_shell utility provides a convenient interactive interface for the deletion.
ldap_shell ignite.local/administrator:Ignite@987 -dc-ip 192.168.1.7 del_computer fakecomp$

The deletion is recorded under Event ID 4743. EVENmonitor catches the event the moment the directory commits the change.
EVENmonitor --dc-ip 192.168.1.7 -u administrator -d ignite.local -p 'Ignite@987' --event-id 4743

Pairing 4741 with 4743 lets defenders reconstruct the entire lifecycle of any computer object. Short-lived computer accounts that appear and disappear within a single session almost always indicate offensive tooling rather than legitimate provisioning.
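The same pairing applies to every account lifecycle the article covers: 4720 and 4726 for user accounts, 4725 and 4722 for disable and re-enable, and 4741 and 4743 for computer accounts. The following Python, an added example that is not part of the original article or of EVENmonitor, matches each opening event to the next closing event on the same TargetUserName, reports how long the object lived and whether both halves came from the same SubjectLogonId, lists openers that never closed, and separately flags 4741 events whose creator is not an expected provisioning account. It assumes decoded events as dicts with the field names shown above; the timestamps, logon ids, the svc_provision account and the WS02$ machine are hypothetical.

```python
# Added example (not EVENmonitor's own code): pair the opening and closing event
# IDs the article lists for accounts and flag transitions that complete quickly.
# Timestamps, logon ids and the svc_provision / WS02$ names are hypothetical.
from datetime import datetime, timedelta

# (opening event, closing event) -> what the completed pair means
LIFECYCLES = {
    (4720, 4726): "user created then deleted",
    (4725, 4722): "account disabled then re-enabled",
    (4741, 4743): "computer created then deleted",
}
CLOSER_FOR = {opener: closer for opener, closer in LIFECYCLES}


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def pair_lifecycle_events(events, max_age=timedelta(hours=24)):
    """Match each opening event to the next closing event on the same TargetUserName.
    Returns (pairs, dangling): completed pairs annotated with their age and whether
    both halves share a SubjectLogonId, plus opening events that never closed."""
    pending = {}            # (closing id, target) -> opening event
    pairs = []
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        eid = e.get("EventID")
        target = e.get("TargetUserName", "").lower()
        if eid in CLOSER_FOR:
            pending[(CLOSER_FOR[eid], target)] = e
        elif (eid, target) in pending:
            opener = pending.pop((eid, target))
            age = _ts(e) - _ts(opener)
            pairs.append({
                "target": e["TargetUserName"],
                "meaning": LIFECYCLES[(opener["EventID"], eid)],
                "opened_by": opener["SubjectUserName"],
                "closed_by": e["SubjectUserName"],
                "same_session": opener.get("SubjectLogonId") == e.get("SubjectLogonId"),
                "age_seconds": age.total_seconds(),
                "short_lived": age <= max_age,
            })
    return pairs, list(pending.values())


def rogue_computer_creations(events, provisioning_accounts):
    """4741 events whose creator is not an account expected to join machines. With
    the default MachineAccountQuota any user can do this, which is the article's point."""
    allowed = {a.lower() for a in provisioning_accounts}
    return [e for e in events
            if e.get("EventID") == 4741 and e["SubjectUserName"].lower() not in allowed]


# Constructed sample events
_BASE = datetime(2024, 1, 1, 11, 0, 0)


def _at(minutes):
    return (_BASE + timedelta(minutes=minutes)).isoformat()


SAMPLE_EVENTS = [
    # rogue computer account: created by an ordinary user, gone fifteen minutes later
    {"EventID": 4741, "TimeCreated": _at(0), "TargetUserName": "fakecomp$",
     "SubjectUserName": "sanjeet", "SubjectLogonId": "0x1a2b3"},
    {"EventID": 4743, "TimeCreated": _at(15), "TargetUserName": "fakecomp$",
     "SubjectUserName": "administrator", "SubjectLogonId": "0x37e800"},
    # disable and re-enable from the same admin session
    {"EventID": 4725, "TimeCreated": _at(60), "TargetUserName": "sanjeet",
     "SubjectUserName": "Administrator", "SubjectLogonId": "0x37e800"},
    {"EventID": 4722, "TimeCreated": _at(70), "TargetUserName": "sanjeet",
     "SubjectUserName": "Administrator", "SubjectLogonId": "0x37e800"},
    # persistence account with no matching 4726: stays dangling
    {"EventID": 4720, "TimeCreated": _at(120), "TargetUserName": "geet",
     "SubjectUserName": "Administrator", "SubjectLogonId": "0x37e800"},
    # a legitimate join by the provisioning account: still open and not rogue
    {"EventID": 4741, "TimeCreated": _at(180), "TargetUserName": "WS02$",
     "SubjectUserName": "svc_provision", "SubjectLogonId": "0x9c0ff"},
]

if __name__ == "__main__":
    pairs, dangling = pair_lifecycle_events(SAMPLE_EVENTS)
    for p in pairs:
        print(p["target"], p["meaning"], "in", int(p["age_seconds"]), "s")
    print("still open:", [d["TargetUserName"] for d in dangling])
    print("rogue:", [e["TargetUserName"] for e in rogue_computer_creations(SAMPLE_EVENTS, {"svc_provision"})])
```

On the sample, fakecomp$ is reported as a computer account that lived fifteen minutes, sanjeet's disable and re-enable are paired to a single admin session, geet and WS02$ remain open, and only fakecomp$ counts as a rogue creation once svc_provision is allow-listed. Tuning max_age down to the length of a working session turns the short_lived flag into the "appear and disappear within a single session" signal described above.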
Authenticating EVENmonitor with an NTLM Hash
EVENmonitor itself supports hash-based authentication, which proves invaluable during incident response when the analyst possesses an NTLM hash from a credential dump but no cleartext password. The -H flag swaps the password for the hash and connects to MS-EVEN6 just as if a password had been supplied.
EVENmonitor --dc-ip 192.168.1.7 -u administrator -d ignite.local -H 32196B56FFE6F45E294117891A8BF38

The tool successfully binds to MS-EVEN6 and begins streaming events without ever requiring the cleartext credential. This capability lets blue teams and red teams operate seamlessly with the same artefacts already in their possession, and it makes EVENmonitor a practical choice for environments where Kerberos is preferred over NTLM-based logons.
Conclusion
EVENmonitor turns the often-neglected Windows Security log into a real-time intrusion detection feed without deploying a single agent on the Domain Controller. Across the techniques covered in this article, a clear pattern emerges: every meaningful action an adversary takes against Active Directory writes a deterministic Event ID, and tuning EVENmonitor’s --event-id filter to the right code instantly converts that record into an actionable alert.
The detection coverage demonstrated here spans the full Active Directory kill chain. Credential attacks surface through 4768 for AS-REP Roasting, 4625 for password spraying, 4769 for Kerberoasting and Pass-the-Ticket, and the 4624 plus 4776 pair for Pass-the-Hash. Privilege abuse and persistence emerge through 4720 and 4726 for user account creation and deletion, 4722 and 4725 for account state changes, 4724 for unauthorised password resets, 4728 and 4729 for privileged group manipulation, and 4741 plus 4743 for the rogue computer account lifecycle. Domain-wide credential theft signals itself through 4662 with the DS-Replication-Get-Changes-All GUID — the unmistakable fingerprint of DCSync.
Because EVENmonitor consumes events directly from MS-EVEN6, it operates without SIEM ingestion delays, without endpoint agents, and without alerting the attacker. That makes it an ideal companion for live incident response, purple-team validation exercises, lab-based learning, and any environment where defenders need surgical visibility into the Domain Controller without the overhead of enterprise tooling.
Mastering the event-to-attack mappings catalogued in this article transforms a passive log source into an active defensive instrument. Adversaries rely on the assumption that the Security log is too noisy to read in real time. EVENmonitor breaks that assumption — and with it, the attacker’s window of opportunity.