Windows Event ID caused from Attack

Attack	Event ID
Account and Group Enumeration	4798: A user's local group membership was enumerated 4799: A security-enabled local group membership was enumerated
AdminSDHolder	4780: The ACL was set on accounts which are members of administrators groups
Kekeo	4624: Account Logon 4672: Admin Logon 4768: Kerberos TGS Request
Silver Ticket	4624: Account Logon 4634: Account Logoff 4672: Admin Logon
Golden Ticket	4624: Account Logon 4672: Admin Logon
PowerShell	4103: Script Block Logging 400: Engine Lifecycle 403: Engine Lifecycle 4103: Module Logging 600: Provider Lifecycle
DCShadow	4742: A computer account was changed 5137: A directory service object was created 5141: A directory service object was deleted 4929: An Active Directory replica source naming context was removed
Skeleton Keys	4673: A privileged service was called 4611: A trusted logon process has been registered with the Local Security Authority 4688: A new process has been created 4689: A new process has exited
PYKEK MS14-068	4672: Admin Logon 4624: Account Logon 4768: Kerberos TGS Request
Kerberoasting	4769: A Kerberos ticket was requested
S4U2Proxy	4769: A Kerberos ticket was requested
Lateral Movement	4688: A new process has been created 4689: A process has exited 4624: An account was successfully logged on 4625: An account failed to log on
DNSAdmin	770: DNS Server plugin DLL has been loaded 541: The setting serverlevelplugindll on scope . has been set to <dll path> 150: DNS Server could not load or initialize the plug-in DLL
DCSync	4662: An operation was performed on an object
Password Spraying	4625: An account failed to log on 4771: Kerberos pre-authentication failed 4648: A logon was attempted using explicit credentials