JPCERT published a very thorough document, Detecting Lateral Movement through Tracking Event Logs, which is well worth reading in full to learn more about attacker tools and their movement through Windows environments.
They also have a much better, interactive resource on GitHub where you can click through each of the tools.
The research they conducted provides basic information for log collection and further log analysis. They investigated the evidence left behind by tools that many attackers use.
They made the research more accessible to those outside the incident-response industry and also listed, for each tool, the following traces of note left by the malware:
• Event log
• Execution history
• Registry entry
Important to note: before applying these Event IDs to your log collection, be aware that the logs acquired on a default system are typically not enough to emit the required events. Additional settings need to be made (i.e. enabling the Windows audit policy) as well as installing Sysmon.
Event Log - Security: 4624, 4634, 4648, 4656, 4658, 4660, 4663, 4672, 4673, 4688, 4689, 4698, 4720, 4768, 4769, 4946, 5140, 5142, 5144, 5145, 5154, 5156, 5447, 8222
Event Log - Sysmon: 1, 2, 5, 8, 9
Event Log - System: 7036, 7045, 20001
Event Log - Application and Service - Microsoft\Windows\Windows Remote Management: 80, 132, 143, 166
Event Log - Application and Service - Microsoft\Windows\Windows Remote Management\Operational: 80
Event Log - Application and Service - \Microsoft\Windows\Windows Remote: 81
Event Log - Application and Service Log - \Microsoft\Windows\TaskScheduler\Operational: 106, 129, 200, 201
Event Log - Application and Service Log - \Microsoft\Windows\TerminalServices-LocalSessionManager\Operational: 21, 24
Event Log - Application and Service Log - \Microsoft\Windows\Bits-Client: 60
Event Log - Each Target Log: Event ID 104 (The System log file was cleared)