Determine which accounts have been used for attempted logons. Track account usage for known compromised accounts.
Win7/8/10:
%SYSTEM ROOT%\System32\winevt\logs\Security.evtx
4624 – Successful Logon4625 – Failed Logon4634 | 4647 – Successful Logoff4648 – Logon using explicit credentials (Runas)4672 – Account logon with superuser rights (Administrator)4720 – An account was created