Problem Statement
You suspect malicious admin activity on a Windows server. Which logs and events would you review first and why?
Explanation
Start with Security logs for logon events and privilege use. Look at successful and failed logons, logon type, source IP, and correlated account changes. Pull PowerShell logs and, if enabled, script block logging to see exact commands, not just start events. Review Sysmon or equivalent for process creation with full command line, parent-child relationships, and network connections. This mix quickly answers who did what, from where, and how, which is the fastest route to confidence.
Code Solution
Solution
Windows Event IDs to watch: 4624/4625 logon, 4672 special privileges, 4688 process creation (if enabled), 4720/4728 account changes
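Added example, not part of the original answer: a PowerShell triage script that pulls the last 24 hours of the events listed above plus PowerShell script block logging (4104) and Sysmon process/network events (1 and 3), and flattens each event's EventData so the who/where/how fields are visible side by side. It assumes you run it on the server (or against it with event-log read rights) and that the corresponding audit policies, script block logging and Sysmon are enabled; otherwise a query simply returns nothing.

```powershell
# Added example: triage window of the last 24 hours on the local host (assumption).
$since = (Get-Date).AddHours(-24)

# Helper: convert an event's EventData <Data Name="..."> elements into a hashtable
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $x.Event.EventData.Data) { if ($d.Name) { $h[$d.Name] = $d.'#text' } }
    return $h
}

# 1. Security log: logons (4624/4625), special privileges (4672),
#    process creation (4688), account created / added to group (4720/4728)
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625, 4672, 4688, 4720, 4728; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Id        = $_.Id
        Subject   = $d['SubjectUserName']     # who performed the action
        Target    = $d['TargetUserName']      # account logged on / created / group modified
        LogonType = $d['LogonType']           # 2 interactive, 3 network, 10 RDP
        SourceIp  = $d['IpAddress']
        Process   = $d['NewProcessName']
        CmdLine   = $d['CommandLine']         # filled only if command-line auditing is on
        Parent    = $d['ParentProcessName']
        Member    = $d['MemberName']          # 4728: member added to the group
    }
} | Sort-Object Time | Format-Table -AutoSize

# 2. PowerShell script block logging: 4104 carries the script text itself
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{n = 'ScriptBlock'; e = { (Get-EventData $_)['ScriptBlockText'] }}

# 3. Sysmon: process creation (1) with parent and command line, network connections (3)
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 3; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        User   = $d['User']
        Image  = $d['Image']
        Detail = if ($_.Id -eq 1) { "$($d['ParentImage']) -> $($d['CommandLine'])" }
                 else { "$($d['DestinationIp']):$($d['DestinationPort'])" }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Correlate the three outputs on time, account and source IP: a 4624 type 10 logon from an unexpected address, followed by 4672, a 4688/Sysmon 1 for a scripting host and a 4104 block, then a 4720 or 4728, is the sequence the explanation's "who, from where, how" question is looking for.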
