4657: Audit creation/change of HKLM:\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior
Malicious SSP
4657: Audit creation/change of HKLM:\System\CurrentControlSet\Control\Lsa\Security Packages
Kerberoast
There are no mitigations for Kerberoasting, so make sure that service accounts with an associated SPN have strong passwords that are changed regularly.
4769: A Kerberos ticket was requested. Filter: Name != krbtgt, name does not end with $, not [email protected], failure code is 0x0 (success), ticket encryption is 0x17 (rc4-hmac)
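The 4769 filter above as detection logic, run over constructed sample events (an added example, not part of the original notes). ServiceName, TargetUserName, Status and TicketEncryptionType are the event's data fields; reading the obscured account filter as "the requester is not a machine account" is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_event(xml_text):
    """Return (event_id, fields) for one event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields = {d.get("Name"): d.text or ""
              for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, fields

def is_kerberoast_candidate(event_id, f):
    """The 4769 filter from the notes, one condition per line."""
    service = f.get("ServiceName", "")
    account = f.get("TargetUserName", "")
    return (
        event_id == 4769
        and service.lower() != "krbtgt"            # Name != krbtgt
        and not service.endswith("$")              # service is not a machine account
        # Assumption: the obscured filter means "requester is not a machine account"
        and not account.split("@")[0].endswith("$")
        and int(f.get("Status", "0x1"), 16) == 0x0                 # success
        and int(f.get("TicketEncryptionType", "0x0"), 16) == 0x17  # rc4-hmac
    )

def find_candidates(xml_events):
    """Return (requesting account, service name) for every matching event."""
    parsed = (parse_event(x) for x in xml_events)
    return [(f["TargetUserName"], f["ServiceName"])
            for eid, f in parsed if is_kerberoast_candidate(eid, f)]

def sample(service, account, status, etype, event_id=4769):
    """Build a constructed 4769-style record (sample data, not a real log)."""
    fields = {"TargetUserName": account, "ServiceName": service,
              "Status": status, "TicketEncryptionType": etype}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')

SAMPLES = [  # constructed events; names and realm are placeholders
    sample("svc_sql", "alice@LAB.EXAMPLE", "0x0", "0x17"),       # matches the filter
    sample("krbtgt", "alice@LAB.EXAMPLE", "0x0", "0x17"),        # krbtgt service
    sample("WS01$", "alice@LAB.EXAMPLE", "0x0", "0x17"),         # machine service
    sample("svc_sql", "WS01$@LAB.EXAMPLE", "0x0", "0x17"),       # machine requester
    sample("svc_web", "bob@LAB.EXAMPLE", "0x0", "0x12"),         # AES ticket
    sample("svc_web", "bob@LAB.EXAMPLE", "0x1b", "0xffffffff"),  # failed request
]
```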
ACL Scan
4662: An operation was performed on an object
5136: A directory service object was modified
4670: Permissions on an object were changed
Forest Trust Attacks
Enable SID Filtering
Enable Selective Authentication (access between forests not automated)
Advanced Threat Analytics
Traffic for DCs is mirrored to ATA sensors (or the sensor is installed on the DC as a service); an activity profile is built
Collects event 4776 (credential validation of a user) to detect replay attacks; detects behavioral anomalies